wolf SSL / wolfSSL-TLS13-Beta

wolfSSL 3.11.1 for TLS1.3 beta

Fork of wolfSSL by wolf SSL

wolfcrypt/src/asn.c@13:80fb167dafdf, 2017-05-30 (annotated)

Committer:
wolfSSL
Date:
Tue May 30 06:16:19 2017 +0000
Revision:
13:80fb167dafdf
wolfSSL 3.11.1: TLS1.3 Beta

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 13:80fb167dafdf 1 /* asn.c
wolfSSL 13:80fb167dafdf 2 *
wolfSSL 13:80fb167dafdf 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 13:80fb167dafdf 4 *
wolfSSL 13:80fb167dafdf 5 * This file is part of wolfSSL.
wolfSSL 13:80fb167dafdf 6 *
wolfSSL 13:80fb167dafdf 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 13:80fb167dafdf 8 * it under the terms of the GNU General Public License as published by
wolfSSL 13:80fb167dafdf 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 13:80fb167dafdf 10 * (at your option) any later version.
wolfSSL 13:80fb167dafdf 11 *
wolfSSL 13:80fb167dafdf 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 13:80fb167dafdf 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 13:80fb167dafdf 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 13:80fb167dafdf 15 * GNU General Public License for more details.
wolfSSL 13:80fb167dafdf 16 *
wolfSSL 13:80fb167dafdf 17 * You should have received a copy of the GNU General Public License
wolfSSL 13:80fb167dafdf 18 * along with this program; if not, write to the Free Software
wolfSSL 13:80fb167dafdf 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 13:80fb167dafdf 20 */
wolfSSL 13:80fb167dafdf 21
wolfSSL 13:80fb167dafdf 22
wolfSSL 13:80fb167dafdf 23 #ifdef HAVE_CONFIG_H
wolfSSL 13:80fb167dafdf 24 #include <config.h>
wolfSSL 13:80fb167dafdf 25 #endif
wolfSSL 13:80fb167dafdf 26
wolfSSL 13:80fb167dafdf 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 13:80fb167dafdf 28
wolfSSL 13:80fb167dafdf 29 /*
wolfSSL 13:80fb167dafdf 30 ASN Options:
wolfSSL 13:80fb167dafdf 31 * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
wolfSSL 13:80fb167dafdf 32 or wishing to save space.
wolfSSL 13:80fb167dafdf 33 * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
wolfSSL 13:80fb167dafdf 34 * ASN_DUMP_OID: Allows dump of OID information for debugging.
wolfSSL 13:80fb167dafdf 35 * RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
wolfSSL 13:80fb167dafdf 36 * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
wolfSSL 13:80fb167dafdf 37 */
wolfSSL 13:80fb167dafdf 38
wolfSSL 13:80fb167dafdf 39 #ifndef NO_ASN
wolfSSL 13:80fb167dafdf 40
wolfSSL 13:80fb167dafdf 41 #ifdef HAVE_RTP_SYS
wolfSSL 13:80fb167dafdf 42 #include "os.h" /* dc_rtc_api needs */
wolfSSL 13:80fb167dafdf 43 #include "dc_rtc_api.h" /* to get current time */
wolfSSL 13:80fb167dafdf 44 #endif
wolfSSL 13:80fb167dafdf 45
wolfSSL 13:80fb167dafdf 46 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 13:80fb167dafdf 47 #include <wolfssl/wolfcrypt/coding.h>
wolfSSL 13:80fb167dafdf 48 #include <wolfssl/wolfcrypt/md2.h>
wolfSSL 13:80fb167dafdf 49 #include <wolfssl/wolfcrypt/hmac.h>
wolfSSL 13:80fb167dafdf 50 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 13:80fb167dafdf 51 #include <wolfssl/wolfcrypt/pwdbased.h>
wolfSSL 13:80fb167dafdf 52 #include <wolfssl/wolfcrypt/des3.h>
wolfSSL 13:80fb167dafdf 53 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 13:80fb167dafdf 54
wolfSSL 13:80fb167dafdf 55 #include <wolfssl/wolfcrypt/random.h>
wolfSSL 13:80fb167dafdf 56 #include <wolfssl/wolfcrypt/hash.h>
wolfSSL 13:80fb167dafdf 57 #ifdef NO_INLINE
wolfSSL 13:80fb167dafdf 58 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 13:80fb167dafdf 59 #else
wolfSSL 13:80fb167dafdf 60 #define WOLFSSL_MISC_INCLUDED
wolfSSL 13:80fb167dafdf 61 #include <wolfcrypt/src/misc.c>
wolfSSL 13:80fb167dafdf 62 #endif
wolfSSL 13:80fb167dafdf 63
wolfSSL 13:80fb167dafdf 64 #ifndef NO_RC4
wolfSSL 13:80fb167dafdf 65 #include <wolfssl/wolfcrypt/arc4.h>
wolfSSL 13:80fb167dafdf 66 #endif
wolfSSL 13:80fb167dafdf 67
wolfSSL 13:80fb167dafdf 68 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 69 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 13:80fb167dafdf 70 #endif
wolfSSL 13:80fb167dafdf 71
wolfSSL 13:80fb167dafdf 72 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
wolfSSL 13:80fb167dafdf 73 #include <wolfssl/wolfcrypt/sha512.h>
wolfSSL 13:80fb167dafdf 74 #endif
wolfSSL 13:80fb167dafdf 75
wolfSSL 13:80fb167dafdf 76 #ifndef NO_SHA256
wolfSSL 13:80fb167dafdf 77 #include <wolfssl/wolfcrypt/sha256.h>
wolfSSL 13:80fb167dafdf 78 #endif
wolfSSL 13:80fb167dafdf 79
wolfSSL 13:80fb167dafdf 80 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 81 #include <wolfssl/wolfcrypt/ecc.h>
wolfSSL 13:80fb167dafdf 82 #endif
wolfSSL 13:80fb167dafdf 83
wolfSSL 13:80fb167dafdf 84 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 85 #include <wolfssl/wolfcrypt/rsa.h>
wolfSSL 13:80fb167dafdf 86 #endif
wolfSSL 13:80fb167dafdf 87
wolfSSL 13:80fb167dafdf 88 #ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL 13:80fb167dafdf 89 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 13:80fb167dafdf 90 #if MQX_USE_IO_OLD
wolfSSL 13:80fb167dafdf 91 #include <fio.h>
wolfSSL 13:80fb167dafdf 92 #else
wolfSSL 13:80fb167dafdf 93 #include <nio.h>
wolfSSL 13:80fb167dafdf 94 #endif
wolfSSL 13:80fb167dafdf 95 #else
wolfSSL 13:80fb167dafdf 96 #include <stdio.h>
wolfSSL 13:80fb167dafdf 97 #endif
wolfSSL 13:80fb167dafdf 98 #endif
wolfSSL 13:80fb167dafdf 99
wolfSSL 13:80fb167dafdf 100 #ifdef _MSC_VER
wolfSSL 13:80fb167dafdf 101 /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
wolfSSL 13:80fb167dafdf 102 #pragma warning(disable: 4996)
wolfSSL 13:80fb167dafdf 103 #endif
wolfSSL 13:80fb167dafdf 104
wolfSSL 13:80fb167dafdf 105 #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
wolfSSL 13:80fb167dafdf 106
wolfSSL 13:80fb167dafdf 107 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 108 #if defined(USER_TIME)
wolfSSL 13:80fb167dafdf 109 /* Use our gmtime and time_t/struct tm types.
wolfSSL 13:80fb167dafdf 110 Only needs seconds since EPOCH using XTIME function.
wolfSSL 13:80fb167dafdf 111 time_t XTIME(time_t * timer) {}
wolfSSL 13:80fb167dafdf 112 */
wolfSSL 13:80fb167dafdf 113 #define WOLFSSL_GMTIME
wolfSSL 13:80fb167dafdf 114 #define USE_WOLF_TM
wolfSSL 13:80fb167dafdf 115 #define USE_WOLF_TIME_T
wolfSSL 13:80fb167dafdf 116
wolfSSL 13:80fb167dafdf 117 #elif defined(TIME_OVERRIDES)
wolfSSL 13:80fb167dafdf 118 /* Override XTIME() and XGMTIME() functionality.
wolfSSL 13:80fb167dafdf 119 Requires user to provide these functions:
wolfSSL 13:80fb167dafdf 120 time_t XTIME(time_t * timer) {}
wolfSSL 13:80fb167dafdf 121 struct tm* XGMTIME(const time_t* timer, struct tm* tmp) {}
wolfSSL 13:80fb167dafdf 122 */
wolfSSL 13:80fb167dafdf 123 #ifndef HAVE_TIME_T_TYPE
wolfSSL 13:80fb167dafdf 124 #define USE_WOLF_TIME_T
wolfSSL 13:80fb167dafdf 125 #endif
wolfSSL 13:80fb167dafdf 126 #ifndef HAVE_TM_TYPE
wolfSSL 13:80fb167dafdf 127 #define USE_WOLF_TM
wolfSSL 13:80fb167dafdf 128 #endif
wolfSSL 13:80fb167dafdf 129 #define NEED_TMP_TIME
wolfSSL 13:80fb167dafdf 130
wolfSSL 13:80fb167dafdf 131 #elif defined(HAVE_RTP_SYS)
wolfSSL 13:80fb167dafdf 132 /* uses parital <time.h> structures */
wolfSSL 13:80fb167dafdf 133 #define XTIME(tl) (0)
wolfSSL 13:80fb167dafdf 134 #define XGMTIME(c, t) rtpsys_gmtime((c))
wolfSSL 13:80fb167dafdf 135
wolfSSL 13:80fb167dafdf 136 #elif defined(MICRIUM)
wolfSSL 13:80fb167dafdf 137 #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
wolfSSL 13:80fb167dafdf 138 #define XVALIDATE_DATE(d, f, t) NetSecure_ValidateDateHandler((d), (f), (t))
wolfSSL 13:80fb167dafdf 139 #else
wolfSSL 13:80fb167dafdf 140 #define XVALIDATE_DATE(d, f, t) (0)
wolfSSL 13:80fb167dafdf 141 #endif
wolfSSL 13:80fb167dafdf 142 #define NO_TIME_H
wolfSSL 13:80fb167dafdf 143 /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
wolfSSL 13:80fb167dafdf 144
wolfSSL 13:80fb167dafdf 145 #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 13:80fb167dafdf 146 #include <time.h>
wolfSSL 13:80fb167dafdf 147 #define XTIME(t1) pic32_time((t1))
wolfSSL 13:80fb167dafdf 148 #define XGMTIME(c, t) gmtime((c))
wolfSSL 13:80fb167dafdf 149
wolfSSL 13:80fb167dafdf 150 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 13:80fb167dafdf 151 #define XTIME(t1) mqx_time((t1))
wolfSSL 13:80fb167dafdf 152 #define HAVE_GMTIME_R
wolfSSL 13:80fb167dafdf 153
wolfSSL 13:80fb167dafdf 154 #elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 13:80fb167dafdf 155 #include <time.h>
wolfSSL 13:80fb167dafdf 156 #ifndef XTIME
wolfSSL 13:80fb167dafdf 157 #define XTIME(t1) ksdk_time((t1))
wolfSSL 13:80fb167dafdf 158 #endif
wolfSSL 13:80fb167dafdf 159 #define XGMTIME(c, t) gmtime((c))
wolfSSL 13:80fb167dafdf 160
wolfSSL 13:80fb167dafdf 161 #elif defined(WOLFSSL_ATMEL)
wolfSSL 13:80fb167dafdf 162 #define XTIME(t1) atmel_get_curr_time_and_date((t1))
wolfSSL 13:80fb167dafdf 163 #define WOLFSSL_GMTIME
wolfSSL 13:80fb167dafdf 164 #define USE_WOLF_TM
wolfSSL 13:80fb167dafdf 165 #define USE_WOLF_TIME_T
wolfSSL 13:80fb167dafdf 166
wolfSSL 13:80fb167dafdf 167 #elif defined(IDIRECT_DEV_TIME)
wolfSSL 13:80fb167dafdf 168 /*Gets the timestamp from cloak software owned by VT iDirect
wolfSSL 13:80fb167dafdf 169 in place of time() from <time.h> */
wolfSSL 13:80fb167dafdf 170 #include <time.h>
wolfSSL 13:80fb167dafdf 171 #define XTIME(t1) idirect_time((t1))
wolfSSL 13:80fb167dafdf 172 #define XGMTIME(c, t) gmtime((c))
wolfSSL 13:80fb167dafdf 173
wolfSSL 13:80fb167dafdf 174 #elif defined(_WIN32_WCE)
wolfSSL 13:80fb167dafdf 175 #include <windows.h>
wolfSSL 13:80fb167dafdf 176 #define XTIME(t1) windows_time((t1))
wolfSSL 13:80fb167dafdf 177 #define WOLFSSL_GMTIME
wolfSSL 13:80fb167dafdf 178
wolfSSL 13:80fb167dafdf 179 #else
wolfSSL 13:80fb167dafdf 180 /* default */
wolfSSL 13:80fb167dafdf 181 /* uses complete <time.h> facility */
wolfSSL 13:80fb167dafdf 182 #include <time.h>
wolfSSL 13:80fb167dafdf 183 #endif
wolfSSL 13:80fb167dafdf 184
wolfSSL 13:80fb167dafdf 185
wolfSSL 13:80fb167dafdf 186 /* Map default time functions */
wolfSSL 13:80fb167dafdf 187 #if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME)
wolfSSL 13:80fb167dafdf 188 #define XTIME(tl) time((tl))
wolfSSL 13:80fb167dafdf 189 #endif
wolfSSL 13:80fb167dafdf 190 #if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
wolfSSL 13:80fb167dafdf 191 #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R)
wolfSSL 13:80fb167dafdf 192 #define XGMTIME(c, t) gmtime((c))
wolfSSL 13:80fb167dafdf 193 #else
wolfSSL 13:80fb167dafdf 194 #define XGMTIME(c, t) gmtime_r((c), (t))
wolfSSL 13:80fb167dafdf 195 #define NEED_TMP_TIME
wolfSSL 13:80fb167dafdf 196 #endif
wolfSSL 13:80fb167dafdf 197 #endif
wolfSSL 13:80fb167dafdf 198 #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE)
wolfSSL 13:80fb167dafdf 199 #define USE_WOLF_VALIDDATE
wolfSSL 13:80fb167dafdf 200 #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL 13:80fb167dafdf 201 #endif
wolfSSL 13:80fb167dafdf 202
wolfSSL 13:80fb167dafdf 203 /* wolf struct tm and time_t */
wolfSSL 13:80fb167dafdf 204 #if defined(USE_WOLF_TM)
wolfSSL 13:80fb167dafdf 205 struct tm {
wolfSSL 13:80fb167dafdf 206 int tm_sec; /* seconds after the minute [0-60] */
wolfSSL 13:80fb167dafdf 207 int tm_min; /* minutes after the hour [0-59] */
wolfSSL 13:80fb167dafdf 208 int tm_hour; /* hours since midnight [0-23] */
wolfSSL 13:80fb167dafdf 209 int tm_mday; /* day of the month [1-31] */
wolfSSL 13:80fb167dafdf 210 int tm_mon; /* months since January [0-11] */
wolfSSL 13:80fb167dafdf 211 int tm_year; /* years since 1900 */
wolfSSL 13:80fb167dafdf 212 int tm_wday; /* days since Sunday [0-6] */
wolfSSL 13:80fb167dafdf 213 int tm_yday; /* days since January 1 [0-365] */
wolfSSL 13:80fb167dafdf 214 int tm_isdst; /* Daylight Savings Time flag */
wolfSSL 13:80fb167dafdf 215 long tm_gmtoff; /* offset from CUT in seconds */
wolfSSL 13:80fb167dafdf 216 char *tm_zone; /* timezone abbreviation */
wolfSSL 13:80fb167dafdf 217 };
wolfSSL 13:80fb167dafdf 218 #endif /* USE_WOLF_TM */
wolfSSL 13:80fb167dafdf 219 #if defined(USE_WOLF_TIME_T)
wolfSSL 13:80fb167dafdf 220 typedef long time_t;
wolfSSL 13:80fb167dafdf 221 #endif
wolfSSL 13:80fb167dafdf 222
wolfSSL 13:80fb167dafdf 223 /* forward declarations */
wolfSSL 13:80fb167dafdf 224 #if defined(USER_TIME)
wolfSSL 13:80fb167dafdf 225 struct tm* gmtime(const time_t* timer);
wolfSSL 13:80fb167dafdf 226 extern time_t XTIME(time_t * timer);
wolfSSL 13:80fb167dafdf 227
wolfSSL 13:80fb167dafdf 228 #ifdef STACK_TRAP
wolfSSL 13:80fb167dafdf 229 /* for stack trap tracking, don't call os gmtime on OS X/linux,
wolfSSL 13:80fb167dafdf 230 uses a lot of stack spce */
wolfSSL 13:80fb167dafdf 231 extern time_t time(time_t * timer);
wolfSSL 13:80fb167dafdf 232 #define XTIME(tl) time((tl))
wolfSSL 13:80fb167dafdf 233 #endif /* STACK_TRAP */
wolfSSL 13:80fb167dafdf 234
wolfSSL 13:80fb167dafdf 235 #elif defined(TIME_OVERRIDES)
wolfSSL 13:80fb167dafdf 236 extern time_t XTIME(time_t * timer);
wolfSSL 13:80fb167dafdf 237 extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp);
wolfSSL 13:80fb167dafdf 238 #elif defined(WOLFSSL_GMTIME)
wolfSSL 13:80fb167dafdf 239 struct tm* gmtime(const time_t* timer);
wolfSSL 13:80fb167dafdf 240 #endif
wolfSSL 13:80fb167dafdf 241
wolfSSL 13:80fb167dafdf 242 #if defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
wolfSSL 13:80fb167dafdf 243 /* extern time_t ksdk_time(time_t* timer); */
wolfSSL 13:80fb167dafdf 244 #endif /* FREESCALE_KSDK_BM || FREESCALE_FREE_RTOS */
wolfSSL 13:80fb167dafdf 245
wolfSSL 13:80fb167dafdf 246
wolfSSL 13:80fb167dafdf 247 #if defined(_WIN32_WCE)
wolfSSL 13:80fb167dafdf 248 time_t windows_time(time_t* timer)
wolfSSL 13:80fb167dafdf 249 {
wolfSSL 13:80fb167dafdf 250 SYSTEMTIME sysTime;
wolfSSL 13:80fb167dafdf 251 FILETIME fTime;
wolfSSL 13:80fb167dafdf 252 ULARGE_INTEGER intTime;
wolfSSL 13:80fb167dafdf 253 time_t localTime;
wolfSSL 13:80fb167dafdf 254
wolfSSL 13:80fb167dafdf 255 if (timer == NULL)
wolfSSL 13:80fb167dafdf 256 timer = &localTime;
wolfSSL 13:80fb167dafdf 257
wolfSSL 13:80fb167dafdf 258 GetSystemTime(&sysTime);
wolfSSL 13:80fb167dafdf 259 SystemTimeToFileTime(&sysTime, &fTime);
wolfSSL 13:80fb167dafdf 260
wolfSSL 13:80fb167dafdf 261 XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
wolfSSL 13:80fb167dafdf 262 /* subtract EPOCH */
wolfSSL 13:80fb167dafdf 263 intTime.QuadPart -= 0x19db1ded53e8000;
wolfSSL 13:80fb167dafdf 264 /* to secs */
wolfSSL 13:80fb167dafdf 265 intTime.QuadPart /= 10000000;
wolfSSL 13:80fb167dafdf 266 *timer = (time_t)intTime.QuadPart;
wolfSSL 13:80fb167dafdf 267
wolfSSL 13:80fb167dafdf 268 return *timer;
wolfSSL 13:80fb167dafdf 269 }
wolfSSL 13:80fb167dafdf 270 #endif /* _WIN32_WCE */
wolfSSL 13:80fb167dafdf 271
wolfSSL 13:80fb167dafdf 272 #if defined(WOLFSSL_GMTIME)
wolfSSL 13:80fb167dafdf 273 struct tm* gmtime(const time_t* timer)
wolfSSL 13:80fb167dafdf 274 {
wolfSSL 13:80fb167dafdf 275 #define YEAR0 1900
wolfSSL 13:80fb167dafdf 276 #define EPOCH_YEAR 1970
wolfSSL 13:80fb167dafdf 277 #define SECS_DAY (24L * 60L * 60L)
wolfSSL 13:80fb167dafdf 278 #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400)))
wolfSSL 13:80fb167dafdf 279 #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
wolfSSL 13:80fb167dafdf 280
wolfSSL 13:80fb167dafdf 281 static const int _ytab[2][12] =
wolfSSL 13:80fb167dafdf 282 {
wolfSSL 13:80fb167dafdf 283 {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
wolfSSL 13:80fb167dafdf 284 {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
wolfSSL 13:80fb167dafdf 285 };
wolfSSL 13:80fb167dafdf 286
wolfSSL 13:80fb167dafdf 287 static struct tm st_time;
wolfSSL 13:80fb167dafdf 288 struct tm* ret = &st_time;
wolfSSL 13:80fb167dafdf 289 time_t secs = *timer;
wolfSSL 13:80fb167dafdf 290 unsigned long dayclock, dayno;
wolfSSL 13:80fb167dafdf 291 int year = EPOCH_YEAR;
wolfSSL 13:80fb167dafdf 292
wolfSSL 13:80fb167dafdf 293 dayclock = (unsigned long)secs % SECS_DAY;
wolfSSL 13:80fb167dafdf 294 dayno = (unsigned long)secs / SECS_DAY;
wolfSSL 13:80fb167dafdf 295
wolfSSL 13:80fb167dafdf 296 ret->tm_sec = (int) dayclock % 60;
wolfSSL 13:80fb167dafdf 297 ret->tm_min = (int)(dayclock % 3600) / 60;
wolfSSL 13:80fb167dafdf 298 ret->tm_hour = (int) dayclock / 3600;
wolfSSL 13:80fb167dafdf 299 ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */
wolfSSL 13:80fb167dafdf 300
wolfSSL 13:80fb167dafdf 301 while(dayno >= (unsigned long)YEARSIZE(year)) {
wolfSSL 13:80fb167dafdf 302 dayno -= YEARSIZE(year);
wolfSSL 13:80fb167dafdf 303 year++;
wolfSSL 13:80fb167dafdf 304 }
wolfSSL 13:80fb167dafdf 305
wolfSSL 13:80fb167dafdf 306 ret->tm_year = year - YEAR0;
wolfSSL 13:80fb167dafdf 307 ret->tm_yday = (int)dayno;
wolfSSL 13:80fb167dafdf 308 ret->tm_mon = 0;
wolfSSL 13:80fb167dafdf 309
wolfSSL 13:80fb167dafdf 310 while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
wolfSSL 13:80fb167dafdf 311 dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
wolfSSL 13:80fb167dafdf 312 ret->tm_mon++;
wolfSSL 13:80fb167dafdf 313 }
wolfSSL 13:80fb167dafdf 314
wolfSSL 13:80fb167dafdf 315 ret->tm_mday = (int)++dayno;
wolfSSL 13:80fb167dafdf 316 ret->tm_isdst = 0;
wolfSSL 13:80fb167dafdf 317
wolfSSL 13:80fb167dafdf 318 return ret;
wolfSSL 13:80fb167dafdf 319 }
wolfSSL 13:80fb167dafdf 320 #endif /* WOLFSSL_GMTIME */
wolfSSL 13:80fb167dafdf 321
wolfSSL 13:80fb167dafdf 322
wolfSSL 13:80fb167dafdf 323 #if defined(HAVE_RTP_SYS)
wolfSSL 13:80fb167dafdf 324 #define YEAR0 1900
wolfSSL 13:80fb167dafdf 325
wolfSSL 13:80fb167dafdf 326 struct tm* rtpsys_gmtime(const time_t* timer) /* has a gmtime() but hangs */
wolfSSL 13:80fb167dafdf 327 {
wolfSSL 13:80fb167dafdf 328 static struct tm st_time;
wolfSSL 13:80fb167dafdf 329 struct tm* ret = &st_time;
wolfSSL 13:80fb167dafdf 330
wolfSSL 13:80fb167dafdf 331 DC_RTC_CALENDAR cal;
wolfSSL 13:80fb167dafdf 332 dc_rtc_time_get(&cal, TRUE);
wolfSSL 13:80fb167dafdf 333
wolfSSL 13:80fb167dafdf 334 ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */
wolfSSL 13:80fb167dafdf 335 ret->tm_mon = cal.month - 1; /* gm starts at 0 */
wolfSSL 13:80fb167dafdf 336 ret->tm_mday = cal.day;
wolfSSL 13:80fb167dafdf 337 ret->tm_hour = cal.hour;
wolfSSL 13:80fb167dafdf 338 ret->tm_min = cal.minute;
wolfSSL 13:80fb167dafdf 339 ret->tm_sec = cal.second;
wolfSSL 13:80fb167dafdf 340
wolfSSL 13:80fb167dafdf 341 return ret;
wolfSSL 13:80fb167dafdf 342 }
wolfSSL 13:80fb167dafdf 343
wolfSSL 13:80fb167dafdf 344 #endif /* HAVE_RTP_SYS */
wolfSSL 13:80fb167dafdf 345
wolfSSL 13:80fb167dafdf 346
wolfSSL 13:80fb167dafdf 347 #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 13:80fb167dafdf 348
wolfSSL 13:80fb167dafdf 349 /*
wolfSSL 13:80fb167dafdf 350 * time() is just a stub in Microchip libraries. We need our own
wolfSSL 13:80fb167dafdf 351 * implementation. Use SNTP client to get seconds since epoch.
wolfSSL 13:80fb167dafdf 352 */
wolfSSL 13:80fb167dafdf 353 time_t pic32_time(time_t* timer)
wolfSSL 13:80fb167dafdf 354 {
wolfSSL 13:80fb167dafdf 355 #ifdef MICROCHIP_TCPIP_V5
wolfSSL 13:80fb167dafdf 356 DWORD sec = 0;
wolfSSL 13:80fb167dafdf 357 #else
wolfSSL 13:80fb167dafdf 358 uint32_t sec = 0;
wolfSSL 13:80fb167dafdf 359 #endif
wolfSSL 13:80fb167dafdf 360 time_t localTime;
wolfSSL 13:80fb167dafdf 361
wolfSSL 13:80fb167dafdf 362 if (timer == NULL)
wolfSSL 13:80fb167dafdf 363 timer = &localTime;
wolfSSL 13:80fb167dafdf 364
wolfSSL 13:80fb167dafdf 365 #ifdef MICROCHIP_MPLAB_HARMONY
wolfSSL 13:80fb167dafdf 366 sec = TCPIP_SNTP_UTCSecondsGet();
wolfSSL 13:80fb167dafdf 367 #else
wolfSSL 13:80fb167dafdf 368 sec = SNTPGetUTCSeconds();
wolfSSL 13:80fb167dafdf 369 #endif
wolfSSL 13:80fb167dafdf 370 *timer = (time_t) sec;
wolfSSL 13:80fb167dafdf 371
wolfSSL 13:80fb167dafdf 372 return *timer;
wolfSSL 13:80fb167dafdf 373 }
wolfSSL 13:80fb167dafdf 374
wolfSSL 13:80fb167dafdf 375 #endif /* MICROCHIP_TCPIP || MICROCHIP_TCPIP_V5 */
wolfSSL 13:80fb167dafdf 376
wolfSSL 13:80fb167dafdf 377
wolfSSL 13:80fb167dafdf 378 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 13:80fb167dafdf 379
wolfSSL 13:80fb167dafdf 380 time_t mqx_time(time_t* timer)
wolfSSL 13:80fb167dafdf 381 {
wolfSSL 13:80fb167dafdf 382 time_t localTime;
wolfSSL 13:80fb167dafdf 383 TIME_STRUCT time_s;
wolfSSL 13:80fb167dafdf 384
wolfSSL 13:80fb167dafdf 385 if (timer == NULL)
wolfSSL 13:80fb167dafdf 386 timer = &localTime;
wolfSSL 13:80fb167dafdf 387
wolfSSL 13:80fb167dafdf 388 _time_get(&time_s);
wolfSSL 13:80fb167dafdf 389 *timer = (time_t) time_s.SECONDS;
wolfSSL 13:80fb167dafdf 390
wolfSSL 13:80fb167dafdf 391 return *timer;
wolfSSL 13:80fb167dafdf 392 }
wolfSSL 13:80fb167dafdf 393
wolfSSL 13:80fb167dafdf 394 #endif /* FREESCALE_MQX || FREESCALE_KSDK_MQX */
wolfSSL 13:80fb167dafdf 395
wolfSSL 13:80fb167dafdf 396
wolfSSL 13:80fb167dafdf 397 #if defined(WOLFSSL_TIRTOS)
wolfSSL 13:80fb167dafdf 398
wolfSSL 13:80fb167dafdf 399 time_t XTIME(time_t * timer)
wolfSSL 13:80fb167dafdf 400 {
wolfSSL 13:80fb167dafdf 401 time_t sec = 0;
wolfSSL 13:80fb167dafdf 402
wolfSSL 13:80fb167dafdf 403 sec = (time_t) Seconds_get();
wolfSSL 13:80fb167dafdf 404
wolfSSL 13:80fb167dafdf 405 if (timer != NULL)
wolfSSL 13:80fb167dafdf 406 *timer = sec;
wolfSSL 13:80fb167dafdf 407
wolfSSL 13:80fb167dafdf 408 return sec;
wolfSSL 13:80fb167dafdf 409 }
wolfSSL 13:80fb167dafdf 410
wolfSSL 13:80fb167dafdf 411 #endif /* WOLFSSL_TIRTOS */
wolfSSL 13:80fb167dafdf 412
wolfSSL 13:80fb167dafdf 413
wolfSSL 13:80fb167dafdf 414 static INLINE word32 btoi(byte b)
wolfSSL 13:80fb167dafdf 415 {
wolfSSL 13:80fb167dafdf 416 return (word32)(b - 0x30);
wolfSSL 13:80fb167dafdf 417 }
wolfSSL 13:80fb167dafdf 418
wolfSSL 13:80fb167dafdf 419
wolfSSL 13:80fb167dafdf 420 /* two byte date/time, add to value */
wolfSSL 13:80fb167dafdf 421 static INLINE void GetTime(int* value, const byte* date, int* idx)
wolfSSL 13:80fb167dafdf 422 {
wolfSSL 13:80fb167dafdf 423 int i = *idx;
wolfSSL 13:80fb167dafdf 424
wolfSSL 13:80fb167dafdf 425 *value += btoi(date[i++]) * 10;
wolfSSL 13:80fb167dafdf 426 *value += btoi(date[i++]);
wolfSSL 13:80fb167dafdf 427
wolfSSL 13:80fb167dafdf 428 *idx = i;
wolfSSL 13:80fb167dafdf 429 }
wolfSSL 13:80fb167dafdf 430
wolfSSL 13:80fb167dafdf 431
wolfSSL 13:80fb167dafdf 432 #if defined(MICRIUM)
wolfSSL 13:80fb167dafdf 433
wolfSSL 13:80fb167dafdf 434 CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
wolfSSL 13:80fb167dafdf 435 CPU_INT08U dateType)
wolfSSL 13:80fb167dafdf 436 {
wolfSSL 13:80fb167dafdf 437 CPU_BOOLEAN rtn_code;
wolfSSL 13:80fb167dafdf 438 CPU_INT32S i;
wolfSSL 13:80fb167dafdf 439 CPU_INT32S val;
wolfSSL 13:80fb167dafdf 440 CPU_INT16U year;
wolfSSL 13:80fb167dafdf 441 CPU_INT08U month;
wolfSSL 13:80fb167dafdf 442 CPU_INT16U day;
wolfSSL 13:80fb167dafdf 443 CPU_INT08U hour;
wolfSSL 13:80fb167dafdf 444 CPU_INT08U min;
wolfSSL 13:80fb167dafdf 445 CPU_INT08U sec;
wolfSSL 13:80fb167dafdf 446
wolfSSL 13:80fb167dafdf 447 i = 0;
wolfSSL 13:80fb167dafdf 448 year = 0u;
wolfSSL 13:80fb167dafdf 449
wolfSSL 13:80fb167dafdf 450 if (format == ASN_UTC_TIME) {
wolfSSL 13:80fb167dafdf 451 if (btoi(date[0]) >= 5)
wolfSSL 13:80fb167dafdf 452 year = 1900;
wolfSSL 13:80fb167dafdf 453 else
wolfSSL 13:80fb167dafdf 454 year = 2000;
wolfSSL 13:80fb167dafdf 455 }
wolfSSL 13:80fb167dafdf 456 else { /* format == GENERALIZED_TIME */
wolfSSL 13:80fb167dafdf 457 year += btoi(date[i++]) * 1000;
wolfSSL 13:80fb167dafdf 458 year += btoi(date[i++]) * 100;
wolfSSL 13:80fb167dafdf 459 }
wolfSSL 13:80fb167dafdf 460
wolfSSL 13:80fb167dafdf 461 val = year;
wolfSSL 13:80fb167dafdf 462 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 463 year = (CPU_INT16U)val;
wolfSSL 13:80fb167dafdf 464
wolfSSL 13:80fb167dafdf 465 val = 0;
wolfSSL 13:80fb167dafdf 466 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 467 month = (CPU_INT08U)val;
wolfSSL 13:80fb167dafdf 468
wolfSSL 13:80fb167dafdf 469 val = 0;
wolfSSL 13:80fb167dafdf 470 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 471 day = (CPU_INT16U)val;
wolfSSL 13:80fb167dafdf 472
wolfSSL 13:80fb167dafdf 473 val = 0;
wolfSSL 13:80fb167dafdf 474 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 475 hour = (CPU_INT08U)val;
wolfSSL 13:80fb167dafdf 476
wolfSSL 13:80fb167dafdf 477 val = 0;
wolfSSL 13:80fb167dafdf 478 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 479 min = (CPU_INT08U)val;
wolfSSL 13:80fb167dafdf 480
wolfSSL 13:80fb167dafdf 481 val = 0;
wolfSSL 13:80fb167dafdf 482 GetTime(&val, date, &i);
wolfSSL 13:80fb167dafdf 483 sec = (CPU_INT08U)val;
wolfSSL 13:80fb167dafdf 484
wolfSSL 13:80fb167dafdf 485 return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType);
wolfSSL 13:80fb167dafdf 486 }
wolfSSL 13:80fb167dafdf 487
wolfSSL 13:80fb167dafdf 488 #endif /* MICRIUM */
wolfSSL 13:80fb167dafdf 489
wolfSSL 13:80fb167dafdf 490
wolfSSL 13:80fb167dafdf 491 #if defined(IDIRECT_DEV_TIME)
wolfSSL 13:80fb167dafdf 492
wolfSSL 13:80fb167dafdf 493 extern time_t getTimestamp();
wolfSSL 13:80fb167dafdf 494
wolfSSL 13:80fb167dafdf 495 time_t idirect_time(time_t * timer)
wolfSSL 13:80fb167dafdf 496 {
wolfSSL 13:80fb167dafdf 497 time_t sec = getTimestamp();
wolfSSL 13:80fb167dafdf 498
wolfSSL 13:80fb167dafdf 499 if (timer != NULL)
wolfSSL 13:80fb167dafdf 500 *timer = sec;
wolfSSL 13:80fb167dafdf 501
wolfSSL 13:80fb167dafdf 502 return sec;
wolfSSL 13:80fb167dafdf 503 }
wolfSSL 13:80fb167dafdf 504
wolfSSL 13:80fb167dafdf 505 #endif /* IDIRECT_DEV_TIME */
wolfSSL 13:80fb167dafdf 506
wolfSSL 13:80fb167dafdf 507 #endif /* !NO_ASN_TIME */
wolfSSL 13:80fb167dafdf 508
wolfSSL 13:80fb167dafdf 509
wolfSSL 13:80fb167dafdf 510 WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 511 word32 maxIdx)
wolfSSL 13:80fb167dafdf 512 {
wolfSSL 13:80fb167dafdf 513 int length = 0;
wolfSSL 13:80fb167dafdf 514 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 515 byte b;
wolfSSL 13:80fb167dafdf 516
wolfSSL 13:80fb167dafdf 517 *len = 0; /* default length */
wolfSSL 13:80fb167dafdf 518
wolfSSL 13:80fb167dafdf 519 if ((idx + 1) > maxIdx) { /* for first read */
wolfSSL 13:80fb167dafdf 520 WOLFSSL_MSG("GetLength bad index on input");
wolfSSL 13:80fb167dafdf 521 return BUFFER_E;
wolfSSL 13:80fb167dafdf 522 }
wolfSSL 13:80fb167dafdf 523
wolfSSL 13:80fb167dafdf 524 b = input[idx++];
wolfSSL 13:80fb167dafdf 525 if (b >= ASN_LONG_LENGTH) {
wolfSSL 13:80fb167dafdf 526 word32 bytes = b & 0x7F;
wolfSSL 13:80fb167dafdf 527
wolfSSL 13:80fb167dafdf 528 if ((idx + bytes) > maxIdx) { /* for reading bytes */
wolfSSL 13:80fb167dafdf 529 WOLFSSL_MSG("GetLength bad long length");
wolfSSL 13:80fb167dafdf 530 return BUFFER_E;
wolfSSL 13:80fb167dafdf 531 }
wolfSSL 13:80fb167dafdf 532
wolfSSL 13:80fb167dafdf 533 while (bytes--) {
wolfSSL 13:80fb167dafdf 534 b = input[idx++];
wolfSSL 13:80fb167dafdf 535 length = (length << 8) | b;
wolfSSL 13:80fb167dafdf 536 }
wolfSSL 13:80fb167dafdf 537 }
wolfSSL 13:80fb167dafdf 538 else
wolfSSL 13:80fb167dafdf 539 length = b;
wolfSSL 13:80fb167dafdf 540
wolfSSL 13:80fb167dafdf 541 if ((idx + length) > maxIdx) { /* for user of length */
wolfSSL 13:80fb167dafdf 542 WOLFSSL_MSG("GetLength value exceeds buffer length");
wolfSSL 13:80fb167dafdf 543 return BUFFER_E;
wolfSSL 13:80fb167dafdf 544 }
wolfSSL 13:80fb167dafdf 545
wolfSSL 13:80fb167dafdf 546 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 547 if (length > 0)
wolfSSL 13:80fb167dafdf 548 *len = length;
wolfSSL 13:80fb167dafdf 549
wolfSSL 13:80fb167dafdf 550 return length;
wolfSSL 13:80fb167dafdf 551 }
wolfSSL 13:80fb167dafdf 552
wolfSSL 13:80fb167dafdf 553
wolfSSL 13:80fb167dafdf 554 /* Get the DER/BER encoding of an ASN.1 header.
wolfSSL 13:80fb167dafdf 555 *
wolfSSL 13:80fb167dafdf 556 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 557 * tag ASN.1 tag value expected in header.
wolfSSL 13:80fb167dafdf 558 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 559 * len The number of bytes in the ASN.1 data.
wolfSSL 13:80fb167dafdf 560 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 561 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 562 * ASN_PARSE_E when the expected tag is not found or length is invalid.
wolfSSL 13:80fb167dafdf 563 * Otherwise, the number of bytes in the ASN.1 data.
wolfSSL 13:80fb167dafdf 564 */
wolfSSL 13:80fb167dafdf 565 static int GetASNHeader(const byte* input, byte tag, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 566 word32 maxIdx)
wolfSSL 13:80fb167dafdf 567 {
wolfSSL 13:80fb167dafdf 568 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 569 byte b;
wolfSSL 13:80fb167dafdf 570 int length;
wolfSSL 13:80fb167dafdf 571
wolfSSL 13:80fb167dafdf 572 if ((idx + 1) > maxIdx)
wolfSSL 13:80fb167dafdf 573 return BUFFER_E;
wolfSSL 13:80fb167dafdf 574
wolfSSL 13:80fb167dafdf 575 b = input[idx++];
wolfSSL 13:80fb167dafdf 576 if (b != tag)
wolfSSL 13:80fb167dafdf 577 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 578
wolfSSL 13:80fb167dafdf 579 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 580 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 581
wolfSSL 13:80fb167dafdf 582 *len = length;
wolfSSL 13:80fb167dafdf 583 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 584 return length;
wolfSSL 13:80fb167dafdf 585 }
wolfSSL 13:80fb167dafdf 586
wolfSSL 13:80fb167dafdf 587 WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 588 word32 maxIdx)
wolfSSL 13:80fb167dafdf 589 {
wolfSSL 13:80fb167dafdf 590 return GetASNHeader(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len,
wolfSSL 13:80fb167dafdf 591 maxIdx);
wolfSSL 13:80fb167dafdf 592 }
wolfSSL 13:80fb167dafdf 593
wolfSSL 13:80fb167dafdf 594
wolfSSL 13:80fb167dafdf 595 WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 596 word32 maxIdx)
wolfSSL 13:80fb167dafdf 597 {
wolfSSL 13:80fb167dafdf 598 return GetASNHeader(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len,
wolfSSL 13:80fb167dafdf 599 maxIdx);
wolfSSL 13:80fb167dafdf 600 }
wolfSSL 13:80fb167dafdf 601
wolfSSL 13:80fb167dafdf 602 /* Get the DER/BER encoded ASN.1 NULL element.
wolfSSL 13:80fb167dafdf 603 * Ensure that the all fields are as expected and move index past the element.
wolfSSL 13:80fb167dafdf 604 *
wolfSSL 13:80fb167dafdf 605 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 606 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 607 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 608 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 609 * ASN_TAG_NULL_E when the NULL tag is not found.
wolfSSL 13:80fb167dafdf 610 * ASN_EXPECT_0_E when the length is not zero.
wolfSSL 13:80fb167dafdf 611 * Otherwise, 0 to indicate success.
wolfSSL 13:80fb167dafdf 612 */
wolfSSL 13:80fb167dafdf 613 static int GetASNNull(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 13:80fb167dafdf 614 {
wolfSSL 13:80fb167dafdf 615 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 616 byte b;
wolfSSL 13:80fb167dafdf 617
wolfSSL 13:80fb167dafdf 618 if ((idx + 2) > maxIdx)
wolfSSL 13:80fb167dafdf 619 return BUFFER_E;
wolfSSL 13:80fb167dafdf 620
wolfSSL 13:80fb167dafdf 621 b = input[idx++];
wolfSSL 13:80fb167dafdf 622 if (b != ASN_TAG_NULL)
wolfSSL 13:80fb167dafdf 623 return ASN_TAG_NULL_E;
wolfSSL 13:80fb167dafdf 624
wolfSSL 13:80fb167dafdf 625 if (input[idx++] != 0)
wolfSSL 13:80fb167dafdf 626 return ASN_EXPECT_0_E;
wolfSSL 13:80fb167dafdf 627
wolfSSL 13:80fb167dafdf 628 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 629 return 0;
wolfSSL 13:80fb167dafdf 630 }
wolfSSL 13:80fb167dafdf 631
wolfSSL 13:80fb167dafdf 632 /* Set the DER/BER encoding of the ASN.1 NULL element.
wolfSSL 13:80fb167dafdf 633 *
wolfSSL 13:80fb167dafdf 634 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 635 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 636 */
wolfSSL 13:80fb167dafdf 637 static int SetASNNull(byte* output)
wolfSSL 13:80fb167dafdf 638 {
wolfSSL 13:80fb167dafdf 639 output[0] = ASN_TAG_NULL;
wolfSSL 13:80fb167dafdf 640 output[1] = 0;
wolfSSL 13:80fb167dafdf 641
wolfSSL 13:80fb167dafdf 642 return 2;
wolfSSL 13:80fb167dafdf 643 }
wolfSSL 13:80fb167dafdf 644
wolfSSL 13:80fb167dafdf 645 /* Get the DER/BER encoding of an ASN.1 BOOLEAN.
wolfSSL 13:80fb167dafdf 646 *
wolfSSL 13:80fb167dafdf 647 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 648 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 649 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 650 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 651 * ASN_PARSE_E when the BOOLEAN tag is not found or length is not 1.
wolfSSL 13:80fb167dafdf 652 * Otherwise, 0 to indicate the value was false and 1 to indicate true.
wolfSSL 13:80fb167dafdf 653 */
wolfSSL 13:80fb167dafdf 654 static int GetBoolean(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 13:80fb167dafdf 655 {
wolfSSL 13:80fb167dafdf 656 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 657 byte b;
wolfSSL 13:80fb167dafdf 658
wolfSSL 13:80fb167dafdf 659 if ((idx + 3) > maxIdx)
wolfSSL 13:80fb167dafdf 660 return BUFFER_E;
wolfSSL 13:80fb167dafdf 661
wolfSSL 13:80fb167dafdf 662 b = input[idx++];
wolfSSL 13:80fb167dafdf 663 if (b != ASN_BOOLEAN)
wolfSSL 13:80fb167dafdf 664 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 665
wolfSSL 13:80fb167dafdf 666 if (input[idx++] != 1)
wolfSSL 13:80fb167dafdf 667 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 668
wolfSSL 13:80fb167dafdf 669 b = input[idx++] != 0;
wolfSSL 13:80fb167dafdf 670
wolfSSL 13:80fb167dafdf 671 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 672 return b;
wolfSSL 13:80fb167dafdf 673 }
wolfSSL 13:80fb167dafdf 674
wolfSSL 13:80fb167dafdf 675 #ifdef ASN1_SET_BOOLEAN
wolfSSL 13:80fb167dafdf 676 /* Set the DER/BER encoding of the ASN.1 NULL element.
wolfSSL 13:80fb167dafdf 677 * Note: Function not required as yet.
wolfSSL 13:80fb167dafdf 678 *
wolfSSL 13:80fb167dafdf 679 * val Boolean value to encode.
wolfSSL 13:80fb167dafdf 680 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 681 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 682 */
wolfSSL 13:80fb167dafdf 683 static int SetBoolean(int val, byte* output)
wolfSSL 13:80fb167dafdf 684 {
wolfSSL 13:80fb167dafdf 685 output[0] = ASN_BOOLEAN;
wolfSSL 13:80fb167dafdf 686 output[1] = 1;
wolfSSL 13:80fb167dafdf 687 output[2] = val ? -1 : 0;
wolfSSL 13:80fb167dafdf 688
wolfSSL 13:80fb167dafdf 689 return 3;
wolfSSL 13:80fb167dafdf 690 }
wolfSSL 13:80fb167dafdf 691 #endif
wolfSSL 13:80fb167dafdf 692
wolfSSL 13:80fb167dafdf 693 /* Get the DER/BER encoding of an ASN.1 OCTET_STRING header.
wolfSSL 13:80fb167dafdf 694 *
wolfSSL 13:80fb167dafdf 695 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 696 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 697 * len The number of bytes in the ASN.1 data.
wolfSSL 13:80fb167dafdf 698 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 699 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 700 * ASN_PARSE_E when the OCTET_STRING tag is not found or length is
wolfSSL 13:80fb167dafdf 701 * invalid.
wolfSSL 13:80fb167dafdf 702 * Otherwise, the number of bytes in the ASN.1 data.
wolfSSL 13:80fb167dafdf 703 */
wolfSSL 13:80fb167dafdf 704 static int GetOctetString(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 705 word32 maxIdx)
wolfSSL 13:80fb167dafdf 706 {
wolfSSL 13:80fb167dafdf 707 return GetASNHeader(input, ASN_OCTET_STRING, inOutIdx, len, maxIdx);
wolfSSL 13:80fb167dafdf 708 }
wolfSSL 13:80fb167dafdf 709
wolfSSL 13:80fb167dafdf 710 /* Get the DER/BER encoding of an ASN.1 INTEGER header.
wolfSSL 13:80fb167dafdf 711 * Removes the leading zero byte when found.
wolfSSL 13:80fb167dafdf 712 *
wolfSSL 13:80fb167dafdf 713 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 714 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 715 * len The number of bytes in the ASN.1 data (excluding any leading zero).
wolfSSL 13:80fb167dafdf 716 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 717 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 718 * ASN_PARSE_E when the INTEGER tag is not found, length is invalid,
wolfSSL 13:80fb167dafdf 719 * or invalid use of or missing leading zero.
wolfSSL 13:80fb167dafdf 720 * Otherwise, 0 to indicate success.
wolfSSL 13:80fb167dafdf 721 */
wolfSSL 13:80fb167dafdf 722 static int GetASNInt(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 723 word32 maxIdx)
wolfSSL 13:80fb167dafdf 724 {
wolfSSL 13:80fb167dafdf 725 int ret;
wolfSSL 13:80fb167dafdf 726
wolfSSL 13:80fb167dafdf 727 ret = GetASNHeader(input, ASN_INTEGER, inOutIdx, len, maxIdx);
wolfSSL 13:80fb167dafdf 728 if (ret < 0)
wolfSSL 13:80fb167dafdf 729 return ret;
wolfSSL 13:80fb167dafdf 730
wolfSSL 13:80fb167dafdf 731 if (*len > 0) {
wolfSSL 13:80fb167dafdf 732 /* remove leading zero, unless there is only one 0x00 byte */
wolfSSL 13:80fb167dafdf 733 if ((input[*inOutIdx] == 0x00) && (*len > 1)) {
wolfSSL 13:80fb167dafdf 734 (*inOutIdx)++;
wolfSSL 13:80fb167dafdf 735 (*len)--;
wolfSSL 13:80fb167dafdf 736
wolfSSL 13:80fb167dafdf 737 if (*len > 0 && (input[*inOutIdx] & 0x80) == 0)
wolfSSL 13:80fb167dafdf 738 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 739 }
wolfSSL 13:80fb167dafdf 740 else if ((input[*inOutIdx] & 0x80) == 0x80)
wolfSSL 13:80fb167dafdf 741 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 742 }
wolfSSL 13:80fb167dafdf 743
wolfSSL 13:80fb167dafdf 744 return 0;
wolfSSL 13:80fb167dafdf 745 }
wolfSSL 13:80fb167dafdf 746
wolfSSL 13:80fb167dafdf 747 /* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than
wolfSSL 13:80fb167dafdf 748 * 7 bits.
wolfSSL 13:80fb167dafdf 749 *
wolfSSL 13:80fb167dafdf 750 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 751 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 752 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 753 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 754 * ASN_PARSE_E when the INTEGER tag is not found or length is invalid.
wolfSSL 13:80fb167dafdf 755 * Otherwise, the 7-bit value.
wolfSSL 13:80fb167dafdf 756 */
wolfSSL 13:80fb167dafdf 757 static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 13:80fb167dafdf 758 {
wolfSSL 13:80fb167dafdf 759 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 760 byte b;
wolfSSL 13:80fb167dafdf 761
wolfSSL 13:80fb167dafdf 762 if ((idx + 3) > maxIdx)
wolfSSL 13:80fb167dafdf 763 return BUFFER_E;
wolfSSL 13:80fb167dafdf 764
wolfSSL 13:80fb167dafdf 765 if (input[idx++] != ASN_INTEGER)
wolfSSL 13:80fb167dafdf 766 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 767 if (input[idx++] != 1)
wolfSSL 13:80fb167dafdf 768 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 769 b = input[idx++];
wolfSSL 13:80fb167dafdf 770
wolfSSL 13:80fb167dafdf 771 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 772 return b;
wolfSSL 13:80fb167dafdf 773 }
wolfSSL 13:80fb167dafdf 774
wolfSSL 13:80fb167dafdf 775 #if !defined(NO_DSA) || defined(HAVE_ECC) || (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))))
wolfSSL 13:80fb167dafdf 776 /* Set the DER/BER encoding of the ASN.1 INTEGER header.
wolfSSL 13:80fb167dafdf 777 *
wolfSSL 13:80fb167dafdf 778 * len Length of data to encode.
wolfSSL 13:80fb167dafdf 779 * firstByte First byte of data, most significant byte of integer, to encode.
wolfSSL 13:80fb167dafdf 780 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 781 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 782 */
wolfSSL 13:80fb167dafdf 783 static int SetASNInt(int len, byte firstByte, byte* output)
wolfSSL 13:80fb167dafdf 784 {
wolfSSL 13:80fb167dafdf 785 word32 idx = 0;
wolfSSL 13:80fb167dafdf 786
wolfSSL 13:80fb167dafdf 787 output[idx++] = ASN_INTEGER;
wolfSSL 13:80fb167dafdf 788 if (firstByte & 0x80)
wolfSSL 13:80fb167dafdf 789 len++;
wolfSSL 13:80fb167dafdf 790 idx += SetLength(len, output + idx);
wolfSSL 13:80fb167dafdf 791 if (firstByte & 0x80)
wolfSSL 13:80fb167dafdf 792 output[idx++] = 0x00;
wolfSSL 13:80fb167dafdf 793
wolfSSL 13:80fb167dafdf 794 return idx;
wolfSSL 13:80fb167dafdf 795 }
wolfSSL 13:80fb167dafdf 796 #endif
wolfSSL 13:80fb167dafdf 797
wolfSSL 13:80fb167dafdf 798 #if !defined(NO_DSA) || defined(HAVE_ECC) || (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
wolfSSL 13:80fb167dafdf 799 /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int.
wolfSSL 13:80fb167dafdf 800 * The number is assumed to be positive.
wolfSSL 13:80fb167dafdf 801 *
wolfSSL 13:80fb167dafdf 802 * n Multi-precision integer to encode.
wolfSSL 13:80fb167dafdf 803 * maxSz Maximum size of the encoded integer.
wolfSSL 13:80fb167dafdf 804 * A negative value indicates no check of length requested.
wolfSSL 13:80fb167dafdf 805 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 806 * returns BUFFER_E when the data is too long for the buffer.
wolfSSL 13:80fb167dafdf 807 * MP_TO_E when encoding the integer fails.
wolfSSL 13:80fb167dafdf 808 * Otherwise, the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 809 */
wolfSSL 13:80fb167dafdf 810 static int SetASNIntMP(mp_int* n, int maxSz, byte* output)
wolfSSL 13:80fb167dafdf 811 {
wolfSSL 13:80fb167dafdf 812 int idx = 0;
wolfSSL 13:80fb167dafdf 813 int leadingBit;
wolfSSL 13:80fb167dafdf 814 int length;
wolfSSL 13:80fb167dafdf 815 int err;
wolfSSL 13:80fb167dafdf 816
wolfSSL 13:80fb167dafdf 817 leadingBit = mp_leading_bit(n);
wolfSSL 13:80fb167dafdf 818 length = mp_unsigned_bin_size(n);
wolfSSL 13:80fb167dafdf 819 idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output);
wolfSSL 13:80fb167dafdf 820 if (maxSz >= 0 && (idx + length) > maxSz)
wolfSSL 13:80fb167dafdf 821 return BUFFER_E;
wolfSSL 13:80fb167dafdf 822
wolfSSL 13:80fb167dafdf 823 err = mp_to_unsigned_bin(n, output + idx);
wolfSSL 13:80fb167dafdf 824 if (err != MP_OKAY)
wolfSSL 13:80fb167dafdf 825 return MP_TO_E;
wolfSSL 13:80fb167dafdf 826 idx += length;
wolfSSL 13:80fb167dafdf 827
wolfSSL 13:80fb167dafdf 828 return idx;
wolfSSL 13:80fb167dafdf 829 }
wolfSSL 13:80fb167dafdf 830 #endif
wolfSSL 13:80fb167dafdf 831
wolfSSL 13:80fb167dafdf 832 #if !defined(NO_RSA) && defined(HAVE_USER_RSA) && defined(WOLFSSL_CERT_GEN)
wolfSSL 13:80fb167dafdf 833 /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int from
wolfSSL 13:80fb167dafdf 834 * an RSA key.
wolfSSL 13:80fb167dafdf 835 * The number is assumed to be positive.
wolfSSL 13:80fb167dafdf 836 *
wolfSSL 13:80fb167dafdf 837 * n Multi-precision integer to encode.
wolfSSL 13:80fb167dafdf 838 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 839 * returns BUFFER_E when the data is too long for the buffer.
wolfSSL 13:80fb167dafdf 840 * MP_TO_E when encoding the integer fails.
wolfSSL 13:80fb167dafdf 841 * Otherwise, the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 842 */
wolfSSL 13:80fb167dafdf 843 static int SetASNIntRSA(mp_int* n, byte* output)
wolfSSL 13:80fb167dafdf 844 {
wolfSSL 13:80fb167dafdf 845 int idx = 0;
wolfSSL 13:80fb167dafdf 846 int leadingBit;
wolfSSL 13:80fb167dafdf 847 int length;
wolfSSL 13:80fb167dafdf 848 int err;
wolfSSL 13:80fb167dafdf 849
wolfSSL 13:80fb167dafdf 850 leadingBit = wc_Rsa_leading_bit(n);
wolfSSL 13:80fb167dafdf 851 length = wc_Rsa_unsigned_bin_size(n);
wolfSSL 13:80fb167dafdf 852 idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output);
wolfSSL 13:80fb167dafdf 853 if ((idx + length) > MAX_RSA_INT_SZ)
wolfSSL 13:80fb167dafdf 854 return BUFFER_E;
wolfSSL 13:80fb167dafdf 855
wolfSSL 13:80fb167dafdf 856 err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
wolfSSL 13:80fb167dafdf 857 if (err != MP_OKAY)
wolfSSL 13:80fb167dafdf 858 return MP_TO_E;
wolfSSL 13:80fb167dafdf 859 idx += length;
wolfSSL 13:80fb167dafdf 860
wolfSSL 13:80fb167dafdf 861 return idx;
wolfSSL 13:80fb167dafdf 862 }
wolfSSL 13:80fb167dafdf 863 #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
wolfSSL 13:80fb167dafdf 864 !HAVE_USER_RSA))) */
wolfSSL 13:80fb167dafdf 865
wolfSSL 13:80fb167dafdf 866 /* Windows header clash for WinCE using GetVersion */
wolfSSL 13:80fb167dafdf 867 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
wolfSSL 13:80fb167dafdf 868 int* version, word32 maxIdx)
wolfSSL 13:80fb167dafdf 869 {
wolfSSL 13:80fb167dafdf 870 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 871
wolfSSL 13:80fb167dafdf 872 if ((idx + MIN_VERSION_SZ) > maxIdx)
wolfSSL 13:80fb167dafdf 873 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 874
wolfSSL 13:80fb167dafdf 875 if (input[idx++] != ASN_INTEGER)
wolfSSL 13:80fb167dafdf 876 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 877
wolfSSL 13:80fb167dafdf 878 if (input[idx++] != 0x01)
wolfSSL 13:80fb167dafdf 879 return ASN_VERSION_E;
wolfSSL 13:80fb167dafdf 880
wolfSSL 13:80fb167dafdf 881 *version = input[idx++];
wolfSSL 13:80fb167dafdf 882 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 883
wolfSSL 13:80fb167dafdf 884 return *version;
wolfSSL 13:80fb167dafdf 885 }
wolfSSL 13:80fb167dafdf 886
wolfSSL 13:80fb167dafdf 887
wolfSSL 13:80fb167dafdf 888 #ifndef NO_PWDBASED
wolfSSL 13:80fb167dafdf 889 /* Get small count integer, 32 bits or less */
wolfSSL 13:80fb167dafdf 890 int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx)
wolfSSL 13:80fb167dafdf 891 {
wolfSSL 13:80fb167dafdf 892 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 893 word32 len;
wolfSSL 13:80fb167dafdf 894
wolfSSL 13:80fb167dafdf 895 *number = 0;
wolfSSL 13:80fb167dafdf 896
wolfSSL 13:80fb167dafdf 897 /* check for type and length bytes */
wolfSSL 13:80fb167dafdf 898 if ((idx + 2) > maxIdx)
wolfSSL 13:80fb167dafdf 899 return BUFFER_E;
wolfSSL 13:80fb167dafdf 900
wolfSSL 13:80fb167dafdf 901 if (input[idx++] != ASN_INTEGER)
wolfSSL 13:80fb167dafdf 902 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 903
wolfSSL 13:80fb167dafdf 904 len = input[idx++];
wolfSSL 13:80fb167dafdf 905 if (len > 4)
wolfSSL 13:80fb167dafdf 906 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 907
wolfSSL 13:80fb167dafdf 908 if (len + idx > maxIdx)
wolfSSL 13:80fb167dafdf 909 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 910
wolfSSL 13:80fb167dafdf 911 while (len--) {
wolfSSL 13:80fb167dafdf 912 *number = *number << 8 | input[idx++];
wolfSSL 13:80fb167dafdf 913 }
wolfSSL 13:80fb167dafdf 914
wolfSSL 13:80fb167dafdf 915 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 916
wolfSSL 13:80fb167dafdf 917 return *number;
wolfSSL 13:80fb167dafdf 918 }
wolfSSL 13:80fb167dafdf 919 #endif /* !NO_PWDBASED */
wolfSSL 13:80fb167dafdf 920
wolfSSL 13:80fb167dafdf 921 /* May not have one, not an error */
wolfSSL 13:80fb167dafdf 922 static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version,
wolfSSL 13:80fb167dafdf 923 word32 maxIdx)
wolfSSL 13:80fb167dafdf 924 {
wolfSSL 13:80fb167dafdf 925 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 926
wolfSSL 13:80fb167dafdf 927 WOLFSSL_ENTER("GetExplicitVersion");
wolfSSL 13:80fb167dafdf 928
wolfSSL 13:80fb167dafdf 929 if ((idx + 1) > maxIdx)
wolfSSL 13:80fb167dafdf 930 return BUFFER_E;
wolfSSL 13:80fb167dafdf 931
wolfSSL 13:80fb167dafdf 932 if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 13:80fb167dafdf 933 *inOutIdx = ++idx; /* skip header */
wolfSSL 13:80fb167dafdf 934 return GetMyVersion(input, inOutIdx, version, maxIdx);
wolfSSL 13:80fb167dafdf 935 }
wolfSSL 13:80fb167dafdf 936
wolfSSL 13:80fb167dafdf 937 /* go back as is */
wolfSSL 13:80fb167dafdf 938 *version = 0;
wolfSSL 13:80fb167dafdf 939
wolfSSL 13:80fb167dafdf 940 return 0;
wolfSSL 13:80fb167dafdf 941 }
wolfSSL 13:80fb167dafdf 942
wolfSSL 13:80fb167dafdf 943 int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 13:80fb167dafdf 944 {
wolfSSL 13:80fb167dafdf 945 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 946 int ret;
wolfSSL 13:80fb167dafdf 947 int length;
wolfSSL 13:80fb167dafdf 948
wolfSSL 13:80fb167dafdf 949 ret = GetASNInt(input, &idx, &length, maxIdx);
wolfSSL 13:80fb167dafdf 950 if (ret != 0)
wolfSSL 13:80fb167dafdf 951 return ret;
wolfSSL 13:80fb167dafdf 952
wolfSSL 13:80fb167dafdf 953 if (mp_init(mpi) != MP_OKAY)
wolfSSL 13:80fb167dafdf 954 return MP_INIT_E;
wolfSSL 13:80fb167dafdf 955
wolfSSL 13:80fb167dafdf 956 if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) {
wolfSSL 13:80fb167dafdf 957 mp_clear(mpi);
wolfSSL 13:80fb167dafdf 958 return ASN_GETINT_E;
wolfSSL 13:80fb167dafdf 959 }
wolfSSL 13:80fb167dafdf 960
wolfSSL 13:80fb167dafdf 961 #ifdef HAVE_WOLF_BIGINT
wolfSSL 13:80fb167dafdf 962 if (wc_bigint_from_unsigned_bin(&mpi->raw, input + idx, length) != 0) {
wolfSSL 13:80fb167dafdf 963 mp_clear(mpi);
wolfSSL 13:80fb167dafdf 964 return ASN_GETINT_E;
wolfSSL 13:80fb167dafdf 965 }
wolfSSL 13:80fb167dafdf 966 #endif /* HAVE_WOLF_BIGINT */
wolfSSL 13:80fb167dafdf 967
wolfSSL 13:80fb167dafdf 968 *inOutIdx = idx + length;
wolfSSL 13:80fb167dafdf 969
wolfSSL 13:80fb167dafdf 970 return 0;
wolfSSL 13:80fb167dafdf 971 }
wolfSSL 13:80fb167dafdf 972
wolfSSL 13:80fb167dafdf 973 static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 974 word32 maxIdx, int zeroBits, byte* unusedBits)
wolfSSL 13:80fb167dafdf 975 {
wolfSSL 13:80fb167dafdf 976 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 977 int length;
wolfSSL 13:80fb167dafdf 978 byte b;
wolfSSL 13:80fb167dafdf 979
wolfSSL 13:80fb167dafdf 980 if ((idx + 1) > maxIdx)
wolfSSL 13:80fb167dafdf 981 return BUFFER_E;
wolfSSL 13:80fb167dafdf 982
wolfSSL 13:80fb167dafdf 983 if (input[idx++] != ASN_BIT_STRING)
wolfSSL 13:80fb167dafdf 984 return ASN_BITSTR_E;
wolfSSL 13:80fb167dafdf 985
wolfSSL 13:80fb167dafdf 986 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 987 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 988
wolfSSL 13:80fb167dafdf 989 /* extra sanity check that length is greater than 0 */
wolfSSL 13:80fb167dafdf 990 if (length <= 0) {
wolfSSL 13:80fb167dafdf 991 WOLFSSL_MSG("Error length was 0 in CheckBitString");
wolfSSL 13:80fb167dafdf 992 return BUFFER_E;
wolfSSL 13:80fb167dafdf 993 }
wolfSSL 13:80fb167dafdf 994
wolfSSL 13:80fb167dafdf 995 if (idx + 1 > maxIdx) {
wolfSSL 13:80fb167dafdf 996 WOLFSSL_MSG("Attempted buffer read larger than input buffer");
wolfSSL 13:80fb167dafdf 997 return BUFFER_E;
wolfSSL 13:80fb167dafdf 998 }
wolfSSL 13:80fb167dafdf 999
wolfSSL 13:80fb167dafdf 1000 b = input[idx];
wolfSSL 13:80fb167dafdf 1001 if (zeroBits && b != 0x00)
wolfSSL 13:80fb167dafdf 1002 return ASN_EXPECT_0_E;
wolfSSL 13:80fb167dafdf 1003 if (b >= 0x08)
wolfSSL 13:80fb167dafdf 1004 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1005 if (b != 0) {
wolfSSL 13:80fb167dafdf 1006 if ((byte)(input[idx + length - 1] << (8 - b)) != 0)
wolfSSL 13:80fb167dafdf 1007 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1008 }
wolfSSL 13:80fb167dafdf 1009 idx++;
wolfSSL 13:80fb167dafdf 1010 length--; /* length has been checked for greater than 0 */
wolfSSL 13:80fb167dafdf 1011
wolfSSL 13:80fb167dafdf 1012 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1013 if (len != NULL)
wolfSSL 13:80fb167dafdf 1014 *len = length;
wolfSSL 13:80fb167dafdf 1015 if (unusedBits != NULL)
wolfSSL 13:80fb167dafdf 1016 *unusedBits = b;
wolfSSL 13:80fb167dafdf 1017
wolfSSL 13:80fb167dafdf 1018 return 0;
wolfSSL 13:80fb167dafdf 1019 }
wolfSSL 13:80fb167dafdf 1020
wolfSSL 13:80fb167dafdf 1021 #if (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \
wolfSSL 13:80fb167dafdf 1022 (defined(WOLFSSL_KEY_GEN) && \
wolfSSL 13:80fb167dafdf 1023 !defined(HAVE_USER_RSA)))) || \
wolfSSL 13:80fb167dafdf 1024 (defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || \
wolfSSL 13:80fb167dafdf 1025 defined(WOLFSSL_KEY_GEN)))
wolfSSL 13:80fb167dafdf 1026 /* Set the DER/BER encoding of the ASN.1 BIT_STRING header.
wolfSSL 13:80fb167dafdf 1027 *
wolfSSL 13:80fb167dafdf 1028 * len Length of data to encode.
wolfSSL 13:80fb167dafdf 1029 * unusedBits The number of unused bits in the last byte of data.
wolfSSL 13:80fb167dafdf 1030 * That is, the number of least significant zero bits before a one.
wolfSSL 13:80fb167dafdf 1031 * The last byte is the most-significant non-zero byte of a number.
wolfSSL 13:80fb167dafdf 1032 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 1033 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 1034 */
wolfSSL 13:80fb167dafdf 1035 static word32 SetBitString(word32 len, byte unusedBits, byte* output)
wolfSSL 13:80fb167dafdf 1036 {
wolfSSL 13:80fb167dafdf 1037 word32 idx = 0;
wolfSSL 13:80fb167dafdf 1038
wolfSSL 13:80fb167dafdf 1039 output[idx++] = ASN_BIT_STRING;
wolfSSL 13:80fb167dafdf 1040 idx += SetLength(len + 1, output + idx);
wolfSSL 13:80fb167dafdf 1041 output[idx++] = unusedBits;
wolfSSL 13:80fb167dafdf 1042
wolfSSL 13:80fb167dafdf 1043 return idx;
wolfSSL 13:80fb167dafdf 1044 }
wolfSSL 13:80fb167dafdf 1045
wolfSSL 13:80fb167dafdf 1046 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 1047 /* Set the DER/BER encoding of the ASN.1 BIT_STRING with a 16-bit value.
wolfSSL 13:80fb167dafdf 1048 *
wolfSSL 13:80fb167dafdf 1049 * val 16-bit value to encode.
wolfSSL 13:80fb167dafdf 1050 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 1051 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 1052 */
wolfSSL 13:80fb167dafdf 1053 static word32 SetBitString16Bit(word16 val, byte* output)
wolfSSL 13:80fb167dafdf 1054 {
wolfSSL 13:80fb167dafdf 1055 word32 idx;
wolfSSL 13:80fb167dafdf 1056 int len;
wolfSSL 13:80fb167dafdf 1057 byte lastByte;
wolfSSL 13:80fb167dafdf 1058 byte unusedBits = 0;
wolfSSL 13:80fb167dafdf 1059
wolfSSL 13:80fb167dafdf 1060 if ((val >> 8) != 0) {
wolfSSL 13:80fb167dafdf 1061 len = 2;
wolfSSL 13:80fb167dafdf 1062 lastByte = (byte)(val >> 8);
wolfSSL 13:80fb167dafdf 1063 }
wolfSSL 13:80fb167dafdf 1064 else {
wolfSSL 13:80fb167dafdf 1065 len = 1;
wolfSSL 13:80fb167dafdf 1066 lastByte = (byte)val;
wolfSSL 13:80fb167dafdf 1067 }
wolfSSL 13:80fb167dafdf 1068
wolfSSL 13:80fb167dafdf 1069 while (((lastByte >> unusedBits) & 0x01) == 0x00)
wolfSSL 13:80fb167dafdf 1070 unusedBits++;
wolfSSL 13:80fb167dafdf 1071
wolfSSL 13:80fb167dafdf 1072 idx = SetBitString(len, unusedBits, output);
wolfSSL 13:80fb167dafdf 1073 output[idx++] = (byte)val;
wolfSSL 13:80fb167dafdf 1074 output[idx++] = (byte)(val >> 8);
wolfSSL 13:80fb167dafdf 1075
wolfSSL 13:80fb167dafdf 1076 return idx;
wolfSSL 13:80fb167dafdf 1077 }
wolfSSL 13:80fb167dafdf 1078 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 1079 #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
wolfSSL 13:80fb167dafdf 1080 !HAVE_USER_RSA)) */
wolfSSL 13:80fb167dafdf 1081
wolfSSL 13:80fb167dafdf 1082
wolfSSL 13:80fb167dafdf 1083
wolfSSL 13:80fb167dafdf 1084 /* hashType */
wolfSSL 13:80fb167dafdf 1085 static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2};
wolfSSL 13:80fb167dafdf 1086 static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5};
wolfSSL 13:80fb167dafdf 1087 static const byte hashSha1hOid[] = {43, 14, 3, 2, 26};
wolfSSL 13:80fb167dafdf 1088 static const byte hashSha224hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 4};
wolfSSL 13:80fb167dafdf 1089 static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1};
wolfSSL 13:80fb167dafdf 1090 static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2};
wolfSSL 13:80fb167dafdf 1091 static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3};
wolfSSL 13:80fb167dafdf 1092
wolfSSL 13:80fb167dafdf 1093 /* sigType */
wolfSSL 13:80fb167dafdf 1094 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 1095 static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3};
wolfSSL 13:80fb167dafdf 1096 #endif /* NO_DSA */
wolfSSL 13:80fb167dafdf 1097 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 1098 static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2};
wolfSSL 13:80fb167dafdf 1099 static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4};
wolfSSL 13:80fb167dafdf 1100 static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5};
wolfSSL 13:80fb167dafdf 1101 static const byte sigSha224wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,14};
wolfSSL 13:80fb167dafdf 1102 static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11};
wolfSSL 13:80fb167dafdf 1103 static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12};
wolfSSL 13:80fb167dafdf 1104 static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13};
wolfSSL 13:80fb167dafdf 1105 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 1106 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1107 static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1};
wolfSSL 13:80fb167dafdf 1108 static const byte sigSha224wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 1};
wolfSSL 13:80fb167dafdf 1109 static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2};
wolfSSL 13:80fb167dafdf 1110 static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3};
wolfSSL 13:80fb167dafdf 1111 static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4};
wolfSSL 13:80fb167dafdf 1112 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1113
wolfSSL 13:80fb167dafdf 1114 /* keyType */
wolfSSL 13:80fb167dafdf 1115 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 1116 static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1};
wolfSSL 13:80fb167dafdf 1117 #endif /* NO_DSA */
wolfSSL 13:80fb167dafdf 1118 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 1119 static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1};
wolfSSL 13:80fb167dafdf 1120 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 1121 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 1122 static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1};
wolfSSL 13:80fb167dafdf 1123 #endif /* HAVE_NTRU */
wolfSSL 13:80fb167dafdf 1124 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1125 static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1};
wolfSSL 13:80fb167dafdf 1126 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1127
wolfSSL 13:80fb167dafdf 1128 /* curveType */
wolfSSL 13:80fb167dafdf 1129 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1130 /* See "ecc_sets" table in ecc.c */
wolfSSL 13:80fb167dafdf 1131 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1132
wolfSSL 13:80fb167dafdf 1133 /* blkType */
wolfSSL 13:80fb167dafdf 1134 static const byte blkAes128CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 2};
wolfSSL 13:80fb167dafdf 1135 static const byte blkAes192CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 22};
wolfSSL 13:80fb167dafdf 1136 static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42};
wolfSSL 13:80fb167dafdf 1137 static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7};
wolfSSL 13:80fb167dafdf 1138 static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7};
wolfSSL 13:80fb167dafdf 1139
wolfSSL 13:80fb167dafdf 1140 /* keyWrapType */
wolfSSL 13:80fb167dafdf 1141 static const byte wrapAes128Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 5};
wolfSSL 13:80fb167dafdf 1142 static const byte wrapAes192Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 25};
wolfSSL 13:80fb167dafdf 1143 static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45};
wolfSSL 13:80fb167dafdf 1144
wolfSSL 13:80fb167dafdf 1145 /* cmsKeyAgreeType */
wolfSSL 13:80fb167dafdf 1146 static const byte dhSinglePass_stdDH_sha1kdf_Oid[] =
wolfSSL 13:80fb167dafdf 1147 {43, 129, 5, 16, 134, 72, 63, 0, 2};
wolfSSL 13:80fb167dafdf 1148 static const byte dhSinglePass_stdDH_sha224kdf_Oid[] = {43, 129, 4, 1, 11, 0};
wolfSSL 13:80fb167dafdf 1149 static const byte dhSinglePass_stdDH_sha256kdf_Oid[] = {43, 129, 4, 1, 11, 1};
wolfSSL 13:80fb167dafdf 1150 static const byte dhSinglePass_stdDH_sha384kdf_Oid[] = {43, 129, 4, 1, 11, 2};
wolfSSL 13:80fb167dafdf 1151 static const byte dhSinglePass_stdDH_sha512kdf_Oid[] = {43, 129, 4, 1, 11, 3};
wolfSSL 13:80fb167dafdf 1152
wolfSSL 13:80fb167dafdf 1153 /* ocspType */
wolfSSL 13:80fb167dafdf 1154 #ifdef HAVE_OCSP
wolfSSL 13:80fb167dafdf 1155 static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
wolfSSL 13:80fb167dafdf 1156 static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
wolfSSL 13:80fb167dafdf 1157 #endif /* HAVE_OCSP */
wolfSSL 13:80fb167dafdf 1158
wolfSSL 13:80fb167dafdf 1159 /* certExtType */
wolfSSL 13:80fb167dafdf 1160 static const byte extBasicCaOid[] = {85, 29, 19};
wolfSSL 13:80fb167dafdf 1161 static const byte extAltNamesOid[] = {85, 29, 17};
wolfSSL 13:80fb167dafdf 1162 static const byte extCrlDistOid[] = {85, 29, 31};
wolfSSL 13:80fb167dafdf 1163 static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1};
wolfSSL 13:80fb167dafdf 1164 static const byte extAuthKeyOid[] = {85, 29, 35};
wolfSSL 13:80fb167dafdf 1165 static const byte extSubjKeyOid[] = {85, 29, 14};
wolfSSL 13:80fb167dafdf 1166 static const byte extCertPolicyOid[] = {85, 29, 32};
wolfSSL 13:80fb167dafdf 1167 static const byte extKeyUsageOid[] = {85, 29, 15};
wolfSSL 13:80fb167dafdf 1168 static const byte extInhibitAnyOid[] = {85, 29, 54};
wolfSSL 13:80fb167dafdf 1169 static const byte extExtKeyUsageOid[] = {85, 29, 37};
wolfSSL 13:80fb167dafdf 1170 static const byte extNameConsOid[] = {85, 29, 30};
wolfSSL 13:80fb167dafdf 1171
wolfSSL 13:80fb167dafdf 1172 /* certAuthInfoType */
wolfSSL 13:80fb167dafdf 1173 static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
wolfSSL 13:80fb167dafdf 1174 static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
wolfSSL 13:80fb167dafdf 1175
wolfSSL 13:80fb167dafdf 1176 /* certPolicyType */
wolfSSL 13:80fb167dafdf 1177 static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
wolfSSL 13:80fb167dafdf 1178
wolfSSL 13:80fb167dafdf 1179 /* certKeyUseType */
wolfSSL 13:80fb167dafdf 1180 static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
wolfSSL 13:80fb167dafdf 1181
wolfSSL 13:80fb167dafdf 1182 /* certKeyUseType */
wolfSSL 13:80fb167dafdf 1183 static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0};
wolfSSL 13:80fb167dafdf 1184 static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1};
wolfSSL 13:80fb167dafdf 1185 static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2};
wolfSSL 13:80fb167dafdf 1186 static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
wolfSSL 13:80fb167dafdf 1187
wolfSSL 13:80fb167dafdf 1188 /* kdfType */
wolfSSL 13:80fb167dafdf 1189 static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
wolfSSL 13:80fb167dafdf 1190
wolfSSL 13:80fb167dafdf 1191 static const byte* OidFromId(word32 id, word32 type, word32* oidSz)
wolfSSL 13:80fb167dafdf 1192 {
wolfSSL 13:80fb167dafdf 1193 const byte* oid = NULL;
wolfSSL 13:80fb167dafdf 1194
wolfSSL 13:80fb167dafdf 1195 *oidSz = 0;
wolfSSL 13:80fb167dafdf 1196
wolfSSL 13:80fb167dafdf 1197 switch (type) {
wolfSSL 13:80fb167dafdf 1198
wolfSSL 13:80fb167dafdf 1199 case oidHashType:
wolfSSL 13:80fb167dafdf 1200 switch (id) {
wolfSSL 13:80fb167dafdf 1201 case MD2h:
wolfSSL 13:80fb167dafdf 1202 oid = hashMd2hOid;
wolfSSL 13:80fb167dafdf 1203 *oidSz = sizeof(hashMd2hOid);
wolfSSL 13:80fb167dafdf 1204 break;
wolfSSL 13:80fb167dafdf 1205 case MD5h:
wolfSSL 13:80fb167dafdf 1206 oid = hashMd5hOid;
wolfSSL 13:80fb167dafdf 1207 *oidSz = sizeof(hashMd5hOid);
wolfSSL 13:80fb167dafdf 1208 break;
wolfSSL 13:80fb167dafdf 1209 case SHAh:
wolfSSL 13:80fb167dafdf 1210 oid = hashSha1hOid;
wolfSSL 13:80fb167dafdf 1211 *oidSz = sizeof(hashSha1hOid);
wolfSSL 13:80fb167dafdf 1212 break;
wolfSSL 13:80fb167dafdf 1213 case SHA224h:
wolfSSL 13:80fb167dafdf 1214 oid = hashSha224hOid;
wolfSSL 13:80fb167dafdf 1215 *oidSz = sizeof(hashSha224hOid);
wolfSSL 13:80fb167dafdf 1216 break;
wolfSSL 13:80fb167dafdf 1217 case SHA256h:
wolfSSL 13:80fb167dafdf 1218 oid = hashSha256hOid;
wolfSSL 13:80fb167dafdf 1219 *oidSz = sizeof(hashSha256hOid);
wolfSSL 13:80fb167dafdf 1220 break;
wolfSSL 13:80fb167dafdf 1221 case SHA384h:
wolfSSL 13:80fb167dafdf 1222 oid = hashSha384hOid;
wolfSSL 13:80fb167dafdf 1223 *oidSz = sizeof(hashSha384hOid);
wolfSSL 13:80fb167dafdf 1224 break;
wolfSSL 13:80fb167dafdf 1225 case SHA512h:
wolfSSL 13:80fb167dafdf 1226 oid = hashSha512hOid;
wolfSSL 13:80fb167dafdf 1227 *oidSz = sizeof(hashSha512hOid);
wolfSSL 13:80fb167dafdf 1228 break;
wolfSSL 13:80fb167dafdf 1229 }
wolfSSL 13:80fb167dafdf 1230 break;
wolfSSL 13:80fb167dafdf 1231
wolfSSL 13:80fb167dafdf 1232 case oidSigType:
wolfSSL 13:80fb167dafdf 1233 switch (id) {
wolfSSL 13:80fb167dafdf 1234 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 1235 case CTC_SHAwDSA:
wolfSSL 13:80fb167dafdf 1236 oid = sigSha1wDsaOid;
wolfSSL 13:80fb167dafdf 1237 *oidSz = sizeof(sigSha1wDsaOid);
wolfSSL 13:80fb167dafdf 1238 break;
wolfSSL 13:80fb167dafdf 1239 #endif /* NO_DSA */
wolfSSL 13:80fb167dafdf 1240 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 1241 case CTC_MD2wRSA:
wolfSSL 13:80fb167dafdf 1242 oid = sigMd2wRsaOid;
wolfSSL 13:80fb167dafdf 1243 *oidSz = sizeof(sigMd2wRsaOid);
wolfSSL 13:80fb167dafdf 1244 break;
wolfSSL 13:80fb167dafdf 1245 case CTC_MD5wRSA:
wolfSSL 13:80fb167dafdf 1246 oid = sigMd5wRsaOid;
wolfSSL 13:80fb167dafdf 1247 *oidSz = sizeof(sigMd5wRsaOid);
wolfSSL 13:80fb167dafdf 1248 break;
wolfSSL 13:80fb167dafdf 1249 case CTC_SHAwRSA:
wolfSSL 13:80fb167dafdf 1250 oid = sigSha1wRsaOid;
wolfSSL 13:80fb167dafdf 1251 *oidSz = sizeof(sigSha1wRsaOid);
wolfSSL 13:80fb167dafdf 1252 break;
wolfSSL 13:80fb167dafdf 1253 case CTC_SHA224wRSA:
wolfSSL 13:80fb167dafdf 1254 oid = sigSha224wRsaOid;
wolfSSL 13:80fb167dafdf 1255 *oidSz = sizeof(sigSha224wRsaOid);
wolfSSL 13:80fb167dafdf 1256 break;
wolfSSL 13:80fb167dafdf 1257 case CTC_SHA256wRSA:
wolfSSL 13:80fb167dafdf 1258 oid = sigSha256wRsaOid;
wolfSSL 13:80fb167dafdf 1259 *oidSz = sizeof(sigSha256wRsaOid);
wolfSSL 13:80fb167dafdf 1260 break;
wolfSSL 13:80fb167dafdf 1261 case CTC_SHA384wRSA:
wolfSSL 13:80fb167dafdf 1262 oid = sigSha384wRsaOid;
wolfSSL 13:80fb167dafdf 1263 *oidSz = sizeof(sigSha384wRsaOid);
wolfSSL 13:80fb167dafdf 1264 break;
wolfSSL 13:80fb167dafdf 1265 case CTC_SHA512wRSA:
wolfSSL 13:80fb167dafdf 1266 oid = sigSha512wRsaOid;
wolfSSL 13:80fb167dafdf 1267 *oidSz = sizeof(sigSha512wRsaOid);
wolfSSL 13:80fb167dafdf 1268 break;
wolfSSL 13:80fb167dafdf 1269 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 1270 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1271 case CTC_SHAwECDSA:
wolfSSL 13:80fb167dafdf 1272 oid = sigSha1wEcdsaOid;
wolfSSL 13:80fb167dafdf 1273 *oidSz = sizeof(sigSha1wEcdsaOid);
wolfSSL 13:80fb167dafdf 1274 break;
wolfSSL 13:80fb167dafdf 1275 case CTC_SHA224wECDSA:
wolfSSL 13:80fb167dafdf 1276 oid = sigSha224wEcdsaOid;
wolfSSL 13:80fb167dafdf 1277 *oidSz = sizeof(sigSha224wEcdsaOid);
wolfSSL 13:80fb167dafdf 1278 break;
wolfSSL 13:80fb167dafdf 1279 case CTC_SHA256wECDSA:
wolfSSL 13:80fb167dafdf 1280 oid = sigSha256wEcdsaOid;
wolfSSL 13:80fb167dafdf 1281 *oidSz = sizeof(sigSha256wEcdsaOid);
wolfSSL 13:80fb167dafdf 1282 break;
wolfSSL 13:80fb167dafdf 1283 case CTC_SHA384wECDSA:
wolfSSL 13:80fb167dafdf 1284 oid = sigSha384wEcdsaOid;
wolfSSL 13:80fb167dafdf 1285 *oidSz = sizeof(sigSha384wEcdsaOid);
wolfSSL 13:80fb167dafdf 1286 break;
wolfSSL 13:80fb167dafdf 1287 case CTC_SHA512wECDSA:
wolfSSL 13:80fb167dafdf 1288 oid = sigSha512wEcdsaOid;
wolfSSL 13:80fb167dafdf 1289 *oidSz = sizeof(sigSha512wEcdsaOid);
wolfSSL 13:80fb167dafdf 1290 break;
wolfSSL 13:80fb167dafdf 1291 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1292 default:
wolfSSL 13:80fb167dafdf 1293 break;
wolfSSL 13:80fb167dafdf 1294 }
wolfSSL 13:80fb167dafdf 1295 break;
wolfSSL 13:80fb167dafdf 1296
wolfSSL 13:80fb167dafdf 1297 case oidKeyType:
wolfSSL 13:80fb167dafdf 1298 switch (id) {
wolfSSL 13:80fb167dafdf 1299 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 1300 case DSAk:
wolfSSL 13:80fb167dafdf 1301 oid = keyDsaOid;
wolfSSL 13:80fb167dafdf 1302 *oidSz = sizeof(keyDsaOid);
wolfSSL 13:80fb167dafdf 1303 break;
wolfSSL 13:80fb167dafdf 1304 #endif /* NO_DSA */
wolfSSL 13:80fb167dafdf 1305 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 1306 case RSAk:
wolfSSL 13:80fb167dafdf 1307 oid = keyRsaOid;
wolfSSL 13:80fb167dafdf 1308 *oidSz = sizeof(keyRsaOid);
wolfSSL 13:80fb167dafdf 1309 break;
wolfSSL 13:80fb167dafdf 1310 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 1311 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 1312 case NTRUk:
wolfSSL 13:80fb167dafdf 1313 oid = keyNtruOid;
wolfSSL 13:80fb167dafdf 1314 *oidSz = sizeof(keyNtruOid);
wolfSSL 13:80fb167dafdf 1315 break;
wolfSSL 13:80fb167dafdf 1316 #endif /* HAVE_NTRU */
wolfSSL 13:80fb167dafdf 1317 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1318 case ECDSAk:
wolfSSL 13:80fb167dafdf 1319 oid = keyEcdsaOid;
wolfSSL 13:80fb167dafdf 1320 *oidSz = sizeof(keyEcdsaOid);
wolfSSL 13:80fb167dafdf 1321 break;
wolfSSL 13:80fb167dafdf 1322 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1323 default:
wolfSSL 13:80fb167dafdf 1324 break;
wolfSSL 13:80fb167dafdf 1325 }
wolfSSL 13:80fb167dafdf 1326 break;
wolfSSL 13:80fb167dafdf 1327
wolfSSL 13:80fb167dafdf 1328 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 1329 case oidCurveType:
wolfSSL 13:80fb167dafdf 1330 if (wc_ecc_get_oid(id, &oid, oidSz) < 0) {
wolfSSL 13:80fb167dafdf 1331 WOLFSSL_MSG("ECC OID not found");
wolfSSL 13:80fb167dafdf 1332 }
wolfSSL 13:80fb167dafdf 1333 break;
wolfSSL 13:80fb167dafdf 1334 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 1335
wolfSSL 13:80fb167dafdf 1336 case oidBlkType:
wolfSSL 13:80fb167dafdf 1337 switch (id) {
wolfSSL 13:80fb167dafdf 1338 case AES128CBCb:
wolfSSL 13:80fb167dafdf 1339 oid = blkAes128CbcOid;
wolfSSL 13:80fb167dafdf 1340 *oidSz = sizeof(blkAes128CbcOid);
wolfSSL 13:80fb167dafdf 1341 break;
wolfSSL 13:80fb167dafdf 1342 case AES192CBCb:
wolfSSL 13:80fb167dafdf 1343 oid = blkAes192CbcOid;
wolfSSL 13:80fb167dafdf 1344 *oidSz = sizeof(blkAes192CbcOid);
wolfSSL 13:80fb167dafdf 1345 break;
wolfSSL 13:80fb167dafdf 1346 case AES256CBCb:
wolfSSL 13:80fb167dafdf 1347 oid = blkAes256CbcOid;
wolfSSL 13:80fb167dafdf 1348 *oidSz = sizeof(blkAes256CbcOid);
wolfSSL 13:80fb167dafdf 1349 break;
wolfSSL 13:80fb167dafdf 1350 case DESb:
wolfSSL 13:80fb167dafdf 1351 oid = blkDesCbcOid;
wolfSSL 13:80fb167dafdf 1352 *oidSz = sizeof(blkDesCbcOid);
wolfSSL 13:80fb167dafdf 1353 break;
wolfSSL 13:80fb167dafdf 1354 case DES3b:
wolfSSL 13:80fb167dafdf 1355 oid = blkDes3CbcOid;
wolfSSL 13:80fb167dafdf 1356 *oidSz = sizeof(blkDes3CbcOid);
wolfSSL 13:80fb167dafdf 1357 break;
wolfSSL 13:80fb167dafdf 1358 }
wolfSSL 13:80fb167dafdf 1359 break;
wolfSSL 13:80fb167dafdf 1360
wolfSSL 13:80fb167dafdf 1361 #ifdef HAVE_OCSP
wolfSSL 13:80fb167dafdf 1362 case oidOcspType:
wolfSSL 13:80fb167dafdf 1363 switch (id) {
wolfSSL 13:80fb167dafdf 1364 case OCSP_BASIC_OID:
wolfSSL 13:80fb167dafdf 1365 oid = ocspBasicOid;
wolfSSL 13:80fb167dafdf 1366 *oidSz = sizeof(ocspBasicOid);
wolfSSL 13:80fb167dafdf 1367 break;
wolfSSL 13:80fb167dafdf 1368 case OCSP_NONCE_OID:
wolfSSL 13:80fb167dafdf 1369 oid = ocspNonceOid;
wolfSSL 13:80fb167dafdf 1370 *oidSz = sizeof(ocspNonceOid);
wolfSSL 13:80fb167dafdf 1371 break;
wolfSSL 13:80fb167dafdf 1372 }
wolfSSL 13:80fb167dafdf 1373 break;
wolfSSL 13:80fb167dafdf 1374 #endif /* HAVE_OCSP */
wolfSSL 13:80fb167dafdf 1375
wolfSSL 13:80fb167dafdf 1376 case oidCertExtType:
wolfSSL 13:80fb167dafdf 1377 switch (id) {
wolfSSL 13:80fb167dafdf 1378 case BASIC_CA_OID:
wolfSSL 13:80fb167dafdf 1379 oid = extBasicCaOid;
wolfSSL 13:80fb167dafdf 1380 *oidSz = sizeof(extBasicCaOid);
wolfSSL 13:80fb167dafdf 1381 break;
wolfSSL 13:80fb167dafdf 1382 case ALT_NAMES_OID:
wolfSSL 13:80fb167dafdf 1383 oid = extAltNamesOid;
wolfSSL 13:80fb167dafdf 1384 *oidSz = sizeof(extAltNamesOid);
wolfSSL 13:80fb167dafdf 1385 break;
wolfSSL 13:80fb167dafdf 1386 case CRL_DIST_OID:
wolfSSL 13:80fb167dafdf 1387 oid = extCrlDistOid;
wolfSSL 13:80fb167dafdf 1388 *oidSz = sizeof(extCrlDistOid);
wolfSSL 13:80fb167dafdf 1389 break;
wolfSSL 13:80fb167dafdf 1390 case AUTH_INFO_OID:
wolfSSL 13:80fb167dafdf 1391 oid = extAuthInfoOid;
wolfSSL 13:80fb167dafdf 1392 *oidSz = sizeof(extAuthInfoOid);
wolfSSL 13:80fb167dafdf 1393 break;
wolfSSL 13:80fb167dafdf 1394 case AUTH_KEY_OID:
wolfSSL 13:80fb167dafdf 1395 oid = extAuthKeyOid;
wolfSSL 13:80fb167dafdf 1396 *oidSz = sizeof(extAuthKeyOid);
wolfSSL 13:80fb167dafdf 1397 break;
wolfSSL 13:80fb167dafdf 1398 case SUBJ_KEY_OID:
wolfSSL 13:80fb167dafdf 1399 oid = extSubjKeyOid;
wolfSSL 13:80fb167dafdf 1400 *oidSz = sizeof(extSubjKeyOid);
wolfSSL 13:80fb167dafdf 1401 break;
wolfSSL 13:80fb167dafdf 1402 case CERT_POLICY_OID:
wolfSSL 13:80fb167dafdf 1403 oid = extCertPolicyOid;
wolfSSL 13:80fb167dafdf 1404 *oidSz = sizeof(extCertPolicyOid);
wolfSSL 13:80fb167dafdf 1405 break;
wolfSSL 13:80fb167dafdf 1406 case KEY_USAGE_OID:
wolfSSL 13:80fb167dafdf 1407 oid = extKeyUsageOid;
wolfSSL 13:80fb167dafdf 1408 *oidSz = sizeof(extKeyUsageOid);
wolfSSL 13:80fb167dafdf 1409 break;
wolfSSL 13:80fb167dafdf 1410 case INHIBIT_ANY_OID:
wolfSSL 13:80fb167dafdf 1411 oid = extInhibitAnyOid;
wolfSSL 13:80fb167dafdf 1412 *oidSz = sizeof(extInhibitAnyOid);
wolfSSL 13:80fb167dafdf 1413 break;
wolfSSL 13:80fb167dafdf 1414 case EXT_KEY_USAGE_OID:
wolfSSL 13:80fb167dafdf 1415 oid = extExtKeyUsageOid;
wolfSSL 13:80fb167dafdf 1416 *oidSz = sizeof(extExtKeyUsageOid);
wolfSSL 13:80fb167dafdf 1417 break;
wolfSSL 13:80fb167dafdf 1418 case NAME_CONS_OID:
wolfSSL 13:80fb167dafdf 1419 oid = extNameConsOid;
wolfSSL 13:80fb167dafdf 1420 *oidSz = sizeof(extNameConsOid);
wolfSSL 13:80fb167dafdf 1421 break;
wolfSSL 13:80fb167dafdf 1422 }
wolfSSL 13:80fb167dafdf 1423 break;
wolfSSL 13:80fb167dafdf 1424
wolfSSL 13:80fb167dafdf 1425 case oidCertAuthInfoType:
wolfSSL 13:80fb167dafdf 1426 switch (id) {
wolfSSL 13:80fb167dafdf 1427 case AIA_OCSP_OID:
wolfSSL 13:80fb167dafdf 1428 oid = extAuthInfoOcspOid;
wolfSSL 13:80fb167dafdf 1429 *oidSz = sizeof(extAuthInfoOcspOid);
wolfSSL 13:80fb167dafdf 1430 break;
wolfSSL 13:80fb167dafdf 1431 case AIA_CA_ISSUER_OID:
wolfSSL 13:80fb167dafdf 1432 oid = extAuthInfoCaIssuerOid;
wolfSSL 13:80fb167dafdf 1433 *oidSz = sizeof(extAuthInfoCaIssuerOid);
wolfSSL 13:80fb167dafdf 1434 break;
wolfSSL 13:80fb167dafdf 1435 }
wolfSSL 13:80fb167dafdf 1436 break;
wolfSSL 13:80fb167dafdf 1437
wolfSSL 13:80fb167dafdf 1438 case oidCertPolicyType:
wolfSSL 13:80fb167dafdf 1439 switch (id) {
wolfSSL 13:80fb167dafdf 1440 case CP_ANY_OID:
wolfSSL 13:80fb167dafdf 1441 oid = extCertPolicyAnyOid;
wolfSSL 13:80fb167dafdf 1442 *oidSz = sizeof(extCertPolicyAnyOid);
wolfSSL 13:80fb167dafdf 1443 break;
wolfSSL 13:80fb167dafdf 1444 }
wolfSSL 13:80fb167dafdf 1445 break;
wolfSSL 13:80fb167dafdf 1446
wolfSSL 13:80fb167dafdf 1447 case oidCertAltNameType:
wolfSSL 13:80fb167dafdf 1448 switch (id) {
wolfSSL 13:80fb167dafdf 1449 case HW_NAME_OID:
wolfSSL 13:80fb167dafdf 1450 oid = extAltNamesHwNameOid;
wolfSSL 13:80fb167dafdf 1451 *oidSz = sizeof(extAltNamesHwNameOid);
wolfSSL 13:80fb167dafdf 1452 break;
wolfSSL 13:80fb167dafdf 1453 }
wolfSSL 13:80fb167dafdf 1454 break;
wolfSSL 13:80fb167dafdf 1455
wolfSSL 13:80fb167dafdf 1456 case oidCertKeyUseType:
wolfSSL 13:80fb167dafdf 1457 switch (id) {
wolfSSL 13:80fb167dafdf 1458 case EKU_ANY_OID:
wolfSSL 13:80fb167dafdf 1459 oid = extExtKeyUsageAnyOid;
wolfSSL 13:80fb167dafdf 1460 *oidSz = sizeof(extExtKeyUsageAnyOid);
wolfSSL 13:80fb167dafdf 1461 break;
wolfSSL 13:80fb167dafdf 1462 case EKU_SERVER_AUTH_OID:
wolfSSL 13:80fb167dafdf 1463 oid = extExtKeyUsageServerAuthOid;
wolfSSL 13:80fb167dafdf 1464 *oidSz = sizeof(extExtKeyUsageServerAuthOid);
wolfSSL 13:80fb167dafdf 1465 break;
wolfSSL 13:80fb167dafdf 1466 case EKU_CLIENT_AUTH_OID:
wolfSSL 13:80fb167dafdf 1467 oid = extExtKeyUsageClientAuthOid;
wolfSSL 13:80fb167dafdf 1468 *oidSz = sizeof(extExtKeyUsageClientAuthOid);
wolfSSL 13:80fb167dafdf 1469 break;
wolfSSL 13:80fb167dafdf 1470 case EKU_OCSP_SIGN_OID:
wolfSSL 13:80fb167dafdf 1471 oid = extExtKeyUsageOcspSignOid;
wolfSSL 13:80fb167dafdf 1472 *oidSz = sizeof(extExtKeyUsageOcspSignOid);
wolfSSL 13:80fb167dafdf 1473 break;
wolfSSL 13:80fb167dafdf 1474 }
wolfSSL 13:80fb167dafdf 1475 break;
wolfSSL 13:80fb167dafdf 1476
wolfSSL 13:80fb167dafdf 1477 case oidKdfType:
wolfSSL 13:80fb167dafdf 1478 switch (id) {
wolfSSL 13:80fb167dafdf 1479 case PBKDF2_OID:
wolfSSL 13:80fb167dafdf 1480 oid = pbkdf2Oid;
wolfSSL 13:80fb167dafdf 1481 *oidSz = sizeof(pbkdf2Oid);
wolfSSL 13:80fb167dafdf 1482 break;
wolfSSL 13:80fb167dafdf 1483 }
wolfSSL 13:80fb167dafdf 1484 break;
wolfSSL 13:80fb167dafdf 1485
wolfSSL 13:80fb167dafdf 1486 case oidKeyWrapType:
wolfSSL 13:80fb167dafdf 1487 switch (id) {
wolfSSL 13:80fb167dafdf 1488 case AES128_WRAP:
wolfSSL 13:80fb167dafdf 1489 oid = wrapAes128Oid;
wolfSSL 13:80fb167dafdf 1490 *oidSz = sizeof(wrapAes128Oid);
wolfSSL 13:80fb167dafdf 1491 break;
wolfSSL 13:80fb167dafdf 1492 case AES192_WRAP:
wolfSSL 13:80fb167dafdf 1493 oid = wrapAes192Oid;
wolfSSL 13:80fb167dafdf 1494 *oidSz = sizeof(wrapAes192Oid);
wolfSSL 13:80fb167dafdf 1495 break;
wolfSSL 13:80fb167dafdf 1496 case AES256_WRAP:
wolfSSL 13:80fb167dafdf 1497 oid = wrapAes256Oid;
wolfSSL 13:80fb167dafdf 1498 *oidSz = sizeof(wrapAes256Oid);
wolfSSL 13:80fb167dafdf 1499 break;
wolfSSL 13:80fb167dafdf 1500 }
wolfSSL 13:80fb167dafdf 1501 break;
wolfSSL 13:80fb167dafdf 1502
wolfSSL 13:80fb167dafdf 1503 case oidCmsKeyAgreeType:
wolfSSL 13:80fb167dafdf 1504 switch (id) {
wolfSSL 13:80fb167dafdf 1505 case dhSinglePass_stdDH_sha1kdf_scheme:
wolfSSL 13:80fb167dafdf 1506 oid = dhSinglePass_stdDH_sha1kdf_Oid;
wolfSSL 13:80fb167dafdf 1507 *oidSz = sizeof(dhSinglePass_stdDH_sha1kdf_Oid);
wolfSSL 13:80fb167dafdf 1508 break;
wolfSSL 13:80fb167dafdf 1509 case dhSinglePass_stdDH_sha224kdf_scheme:
wolfSSL 13:80fb167dafdf 1510 oid = dhSinglePass_stdDH_sha224kdf_Oid;
wolfSSL 13:80fb167dafdf 1511 *oidSz = sizeof(dhSinglePass_stdDH_sha224kdf_Oid);
wolfSSL 13:80fb167dafdf 1512 break;
wolfSSL 13:80fb167dafdf 1513 case dhSinglePass_stdDH_sha256kdf_scheme:
wolfSSL 13:80fb167dafdf 1514 oid = dhSinglePass_stdDH_sha256kdf_Oid;
wolfSSL 13:80fb167dafdf 1515 *oidSz = sizeof(dhSinglePass_stdDH_sha256kdf_Oid);
wolfSSL 13:80fb167dafdf 1516 break;
wolfSSL 13:80fb167dafdf 1517 case dhSinglePass_stdDH_sha384kdf_scheme:
wolfSSL 13:80fb167dafdf 1518 oid = dhSinglePass_stdDH_sha384kdf_Oid;
wolfSSL 13:80fb167dafdf 1519 *oidSz = sizeof(dhSinglePass_stdDH_sha384kdf_Oid);
wolfSSL 13:80fb167dafdf 1520 break;
wolfSSL 13:80fb167dafdf 1521 case dhSinglePass_stdDH_sha512kdf_scheme:
wolfSSL 13:80fb167dafdf 1522 oid = dhSinglePass_stdDH_sha512kdf_Oid;
wolfSSL 13:80fb167dafdf 1523 *oidSz = sizeof(dhSinglePass_stdDH_sha512kdf_Oid);
wolfSSL 13:80fb167dafdf 1524 break;
wolfSSL 13:80fb167dafdf 1525 }
wolfSSL 13:80fb167dafdf 1526 break;
wolfSSL 13:80fb167dafdf 1527
wolfSSL 13:80fb167dafdf 1528 case oidIgnoreType:
wolfSSL 13:80fb167dafdf 1529 default:
wolfSSL 13:80fb167dafdf 1530 break;
wolfSSL 13:80fb167dafdf 1531 }
wolfSSL 13:80fb167dafdf 1532
wolfSSL 13:80fb167dafdf 1533 return oid;
wolfSSL 13:80fb167dafdf 1534 }
wolfSSL 13:80fb167dafdf 1535
wolfSSL 13:80fb167dafdf 1536 #ifdef HAVE_OID_ENCODING
wolfSSL 13:80fb167dafdf 1537 int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
wolfSSL 13:80fb167dafdf 1538 {
wolfSSL 13:80fb167dafdf 1539 int i, x, len;
wolfSSL 13:80fb167dafdf 1540 word32 d, t;
wolfSSL 13:80fb167dafdf 1541
wolfSSL 13:80fb167dafdf 1542 /* check args */
wolfSSL 13:80fb167dafdf 1543 if (in == NULL || outSz == NULL) {
wolfSSL 13:80fb167dafdf 1544 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1545 }
wolfSSL 13:80fb167dafdf 1546
wolfSSL 13:80fb167dafdf 1547 /* compute length of encoded OID */
wolfSSL 13:80fb167dafdf 1548 d = (in[0] * 40) + in[1];
wolfSSL 13:80fb167dafdf 1549 len = 0;
wolfSSL 13:80fb167dafdf 1550 for (i = 1; i < (int)inSz; i++) {
wolfSSL 13:80fb167dafdf 1551 x = 0;
wolfSSL 13:80fb167dafdf 1552 t = d;
wolfSSL 13:80fb167dafdf 1553 while (t) {
wolfSSL 13:80fb167dafdf 1554 x++;
wolfSSL 13:80fb167dafdf 1555 t >>= 1;
wolfSSL 13:80fb167dafdf 1556 }
wolfSSL 13:80fb167dafdf 1557 len += (x / 7) + ((x % 7) ? 1 : 0) + (d == 0 ? 1 : 0);
wolfSSL 13:80fb167dafdf 1558
wolfSSL 13:80fb167dafdf 1559 if (i < (int)inSz - 1) {
wolfSSL 13:80fb167dafdf 1560 d = in[i + 1];
wolfSSL 13:80fb167dafdf 1561 }
wolfSSL 13:80fb167dafdf 1562 }
wolfSSL 13:80fb167dafdf 1563
wolfSSL 13:80fb167dafdf 1564 if (out) {
wolfSSL 13:80fb167dafdf 1565 /* verify length */
wolfSSL 13:80fb167dafdf 1566 if ((int)*outSz < len) {
wolfSSL 13:80fb167dafdf 1567 return BUFFER_E; /* buffer provided is not large enough */
wolfSSL 13:80fb167dafdf 1568 }
wolfSSL 13:80fb167dafdf 1569
wolfSSL 13:80fb167dafdf 1570 /* calc first byte */
wolfSSL 13:80fb167dafdf 1571 d = (in[0] * 40) + in[1];
wolfSSL 13:80fb167dafdf 1572
wolfSSL 13:80fb167dafdf 1573 /* encode bytes */
wolfSSL 13:80fb167dafdf 1574 x = 0;
wolfSSL 13:80fb167dafdf 1575 for (i = 1; i < (int)inSz; i++) {
wolfSSL 13:80fb167dafdf 1576 if (d) {
wolfSSL 13:80fb167dafdf 1577 int y = x, z;
wolfSSL 13:80fb167dafdf 1578 byte mask = 0;
wolfSSL 13:80fb167dafdf 1579 while (d) {
wolfSSL 13:80fb167dafdf 1580 out[x++] = (byte)((d & 0x7F) | mask);
wolfSSL 13:80fb167dafdf 1581 d >>= 7;
wolfSSL 13:80fb167dafdf 1582 mask |= 0x80; /* upper bit is set on all but the last byte */
wolfSSL 13:80fb167dafdf 1583 }
wolfSSL 13:80fb167dafdf 1584 /* now swap bytes y...x-1 */
wolfSSL 13:80fb167dafdf 1585 z = x - 1;
wolfSSL 13:80fb167dafdf 1586 while (y < z) {
wolfSSL 13:80fb167dafdf 1587 mask = out[y];
wolfSSL 13:80fb167dafdf 1588 out[y] = out[z];
wolfSSL 13:80fb167dafdf 1589 out[z] = mask;
wolfSSL 13:80fb167dafdf 1590 ++y;
wolfSSL 13:80fb167dafdf 1591 --z;
wolfSSL 13:80fb167dafdf 1592 }
wolfSSL 13:80fb167dafdf 1593 }
wolfSSL 13:80fb167dafdf 1594 else {
wolfSSL 13:80fb167dafdf 1595 out[x++] = 0x00; /* zero value */
wolfSSL 13:80fb167dafdf 1596 }
wolfSSL 13:80fb167dafdf 1597
wolfSSL 13:80fb167dafdf 1598 /* next word */
wolfSSL 13:80fb167dafdf 1599 if (i < (int)inSz - 1) {
wolfSSL 13:80fb167dafdf 1600 d = in[i + 1];
wolfSSL 13:80fb167dafdf 1601 }
wolfSSL 13:80fb167dafdf 1602 }
wolfSSL 13:80fb167dafdf 1603 }
wolfSSL 13:80fb167dafdf 1604
wolfSSL 13:80fb167dafdf 1605 /* return length */
wolfSSL 13:80fb167dafdf 1606 *outSz = len;
wolfSSL 13:80fb167dafdf 1607
wolfSSL 13:80fb167dafdf 1608 return 0;
wolfSSL 13:80fb167dafdf 1609 }
wolfSSL 13:80fb167dafdf 1610 #endif /* HAVE_OID_ENCODING */
wolfSSL 13:80fb167dafdf 1611
wolfSSL 13:80fb167dafdf 1612 #ifdef HAVE_OID_DECODING
wolfSSL 13:80fb167dafdf 1613 int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
wolfSSL 13:80fb167dafdf 1614 {
wolfSSL 13:80fb167dafdf 1615 int x = 0, y = 0;
wolfSSL 13:80fb167dafdf 1616 word32 t = 0;
wolfSSL 13:80fb167dafdf 1617
wolfSSL 13:80fb167dafdf 1618 /* check args */
wolfSSL 13:80fb167dafdf 1619 if (in == NULL || outSz == NULL) {
wolfSSL 13:80fb167dafdf 1620 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1621 }
wolfSSL 13:80fb167dafdf 1622
wolfSSL 13:80fb167dafdf 1623 /* decode bytes */
wolfSSL 13:80fb167dafdf 1624 while (inSz--) {
wolfSSL 13:80fb167dafdf 1625 t = (t << 7) | (in[x] & 0x7F);
wolfSSL 13:80fb167dafdf 1626 if (!(in[x] & 0x80)) {
wolfSSL 13:80fb167dafdf 1627 if (y >= (int)*outSz) {
wolfSSL 13:80fb167dafdf 1628 return BUFFER_E;
wolfSSL 13:80fb167dafdf 1629 }
wolfSSL 13:80fb167dafdf 1630 if (y == 0) {
wolfSSL 13:80fb167dafdf 1631 out[0] = (t / 40);
wolfSSL 13:80fb167dafdf 1632 out[1] = (t % 40);
wolfSSL 13:80fb167dafdf 1633 y = 2;
wolfSSL 13:80fb167dafdf 1634 }
wolfSSL 13:80fb167dafdf 1635 else {
wolfSSL 13:80fb167dafdf 1636 out[y++] = t;
wolfSSL 13:80fb167dafdf 1637 }
wolfSSL 13:80fb167dafdf 1638 t = 0; /* reset tmp */
wolfSSL 13:80fb167dafdf 1639 }
wolfSSL 13:80fb167dafdf 1640 x++;
wolfSSL 13:80fb167dafdf 1641 }
wolfSSL 13:80fb167dafdf 1642
wolfSSL 13:80fb167dafdf 1643 /* return length */
wolfSSL 13:80fb167dafdf 1644 *outSz = y;
wolfSSL 13:80fb167dafdf 1645
wolfSSL 13:80fb167dafdf 1646 return 0;
wolfSSL 13:80fb167dafdf 1647 }
wolfSSL 13:80fb167dafdf 1648 #endif /* HAVE_OID_DECODING */
wolfSSL 13:80fb167dafdf 1649
wolfSSL 13:80fb167dafdf 1650 /* Get the DER/BER encoding of an ASN.1 OBJECT_ID header.
wolfSSL 13:80fb167dafdf 1651 *
wolfSSL 13:80fb167dafdf 1652 * input Buffer holding DER/BER encoded data.
wolfSSL 13:80fb167dafdf 1653 * inOutIdx Current index into buffer to parse.
wolfSSL 13:80fb167dafdf 1654 * len The number of bytes in the ASN.1 data.
wolfSSL 13:80fb167dafdf 1655 * maxIdx Length of data in buffer.
wolfSSL 13:80fb167dafdf 1656 * returns BUFFER_E when there is not enough data to parse.
wolfSSL 13:80fb167dafdf 1657 * ASN_OBJECt_ID_E when the OBJECT_ID tag is not found.
wolfSSL 13:80fb167dafdf 1658 * ASN_PARSE_E when length is invalid.
wolfSSL 13:80fb167dafdf 1659 * Otherwise, 0 to indicate success.
wolfSSL 13:80fb167dafdf 1660 */
wolfSSL 13:80fb167dafdf 1661 static int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
wolfSSL 13:80fb167dafdf 1662 word32 maxIdx)
wolfSSL 13:80fb167dafdf 1663 {
wolfSSL 13:80fb167dafdf 1664 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 1665 byte b;
wolfSSL 13:80fb167dafdf 1666 int length;
wolfSSL 13:80fb167dafdf 1667
wolfSSL 13:80fb167dafdf 1668 if ((idx + 1) > maxIdx)
wolfSSL 13:80fb167dafdf 1669 return BUFFER_E;
wolfSSL 13:80fb167dafdf 1670
wolfSSL 13:80fb167dafdf 1671 b = input[idx++];
wolfSSL 13:80fb167dafdf 1672 if (b != ASN_OBJECT_ID)
wolfSSL 13:80fb167dafdf 1673 return ASN_OBJECT_ID_E;
wolfSSL 13:80fb167dafdf 1674
wolfSSL 13:80fb167dafdf 1675 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 1676 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1677
wolfSSL 13:80fb167dafdf 1678 *len = length;
wolfSSL 13:80fb167dafdf 1679 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1680 return 0;
wolfSSL 13:80fb167dafdf 1681 }
wolfSSL 13:80fb167dafdf 1682
wolfSSL 13:80fb167dafdf 1683 /* Set the DER/BER encoding of the ASN.1 OBJECT_ID header.
wolfSSL 13:80fb167dafdf 1684 *
wolfSSL 13:80fb167dafdf 1685 * len Length of the OBJECT_ID data.
wolfSSL 13:80fb167dafdf 1686 * output Buffer to write into.
wolfSSL 13:80fb167dafdf 1687 * returns the number of bytes added to the buffer.
wolfSSL 13:80fb167dafdf 1688 */
wolfSSL 13:80fb167dafdf 1689 static int SetObjectId(int len, byte* output)
wolfSSL 13:80fb167dafdf 1690 {
wolfSSL 13:80fb167dafdf 1691 int idx = 0;
wolfSSL 13:80fb167dafdf 1692
wolfSSL 13:80fb167dafdf 1693 output[idx++] = ASN_OBJECT_ID;
wolfSSL 13:80fb167dafdf 1694 idx += SetLength(len, output + idx);
wolfSSL 13:80fb167dafdf 1695
wolfSSL 13:80fb167dafdf 1696 return idx;
wolfSSL 13:80fb167dafdf 1697 }
wolfSSL 13:80fb167dafdf 1698
wolfSSL 13:80fb167dafdf 1699 int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 13:80fb167dafdf 1700 word32 oidType, word32 maxIdx)
wolfSSL 13:80fb167dafdf 1701 {
wolfSSL 13:80fb167dafdf 1702 int ret = 0, length;
wolfSSL 13:80fb167dafdf 1703 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 1704 #ifndef NO_VERIFY_OID
wolfSSL 13:80fb167dafdf 1705 word32 actualOidSz = 0;
wolfSSL 13:80fb167dafdf 1706 const byte* actualOid;
wolfSSL 13:80fb167dafdf 1707 #endif /* NO_VERIFY_OID */
wolfSSL 13:80fb167dafdf 1708
wolfSSL 13:80fb167dafdf 1709 (void)oidType;
wolfSSL 13:80fb167dafdf 1710 WOLFSSL_ENTER("GetObjectId()");
wolfSSL 13:80fb167dafdf 1711 *oid = 0;
wolfSSL 13:80fb167dafdf 1712
wolfSSL 13:80fb167dafdf 1713 ret = GetASNObjectId(input, &idx, &length, maxIdx);
wolfSSL 13:80fb167dafdf 1714 if (ret != 0)
wolfSSL 13:80fb167dafdf 1715 return ret;
wolfSSL 13:80fb167dafdf 1716
wolfSSL 13:80fb167dafdf 1717 #ifndef NO_VERIFY_OID
wolfSSL 13:80fb167dafdf 1718 actualOid = &input[idx];
wolfSSL 13:80fb167dafdf 1719 if (length > 0)
wolfSSL 13:80fb167dafdf 1720 actualOidSz = (word32)length;
wolfSSL 13:80fb167dafdf 1721 #endif /* NO_VERIFY_OID */
wolfSSL 13:80fb167dafdf 1722
wolfSSL 13:80fb167dafdf 1723 while (length--) {
wolfSSL 13:80fb167dafdf 1724 /* odd HC08 compiler behavior here when input[idx++] */
wolfSSL 13:80fb167dafdf 1725 *oid += (word32)input[idx];
wolfSSL 13:80fb167dafdf 1726 idx++;
wolfSSL 13:80fb167dafdf 1727 }
wolfSSL 13:80fb167dafdf 1728 /* just sum it up for now */
wolfSSL 13:80fb167dafdf 1729
wolfSSL 13:80fb167dafdf 1730 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1731
wolfSSL 13:80fb167dafdf 1732 #ifndef NO_VERIFY_OID
wolfSSL 13:80fb167dafdf 1733 {
wolfSSL 13:80fb167dafdf 1734 const byte* checkOid = NULL;
wolfSSL 13:80fb167dafdf 1735 word32 checkOidSz;
wolfSSL 13:80fb167dafdf 1736 #ifdef ASN_DUMP_OID
wolfSSL 13:80fb167dafdf 1737 int i;
wolfSSL 13:80fb167dafdf 1738 #endif
wolfSSL 13:80fb167dafdf 1739
wolfSSL 13:80fb167dafdf 1740 if (oidType != oidIgnoreType) {
wolfSSL 13:80fb167dafdf 1741 checkOid = OidFromId(*oid, oidType, &checkOidSz);
wolfSSL 13:80fb167dafdf 1742
wolfSSL 13:80fb167dafdf 1743 #ifdef ASN_DUMP_OID
wolfSSL 13:80fb167dafdf 1744 /* support for dumping OID information */
wolfSSL 13:80fb167dafdf 1745 printf("OID (Type %d, Sz %d, Sum %d): ", oidType, actualOidSz, *oid);
wolfSSL 13:80fb167dafdf 1746 for (i=0; i<actualOidSz; i++) {
wolfSSL 13:80fb167dafdf 1747 printf("%d, ", actualOid[i]);
wolfSSL 13:80fb167dafdf 1748 }
wolfSSL 13:80fb167dafdf 1749 printf("\n");
wolfSSL 13:80fb167dafdf 1750 #ifdef HAVE_OID_DECODING
wolfSSL 13:80fb167dafdf 1751 {
wolfSSL 13:80fb167dafdf 1752 word16 decOid[16];
wolfSSL 13:80fb167dafdf 1753 word32 decOidSz = sizeof(decOid);
wolfSSL 13:80fb167dafdf 1754 ret = DecodeObjectId(actualOid, actualOidSz, decOid, &decOidSz);
wolfSSL 13:80fb167dafdf 1755 if (ret == 0) {
wolfSSL 13:80fb167dafdf 1756 printf(" Decoded (Sz %d): ", decOidSz);
wolfSSL 13:80fb167dafdf 1757 for (i=0; i<decOidSz; i++) {
wolfSSL 13:80fb167dafdf 1758 printf("%d.", decOid[i]);
wolfSSL 13:80fb167dafdf 1759 }
wolfSSL 13:80fb167dafdf 1760 printf("\n");
wolfSSL 13:80fb167dafdf 1761 }
wolfSSL 13:80fb167dafdf 1762 else {
wolfSSL 13:80fb167dafdf 1763 printf("DecodeObjectId failed: %d\n", ret);
wolfSSL 13:80fb167dafdf 1764 }
wolfSSL 13:80fb167dafdf 1765 }
wolfSSL 13:80fb167dafdf 1766 #endif /* HAVE_OID_DECODING */
wolfSSL 13:80fb167dafdf 1767 #endif /* ASN_DUMP_OID */
wolfSSL 13:80fb167dafdf 1768
wolfSSL 13:80fb167dafdf 1769 if (checkOid != NULL &&
wolfSSL 13:80fb167dafdf 1770 (checkOidSz != actualOidSz ||
wolfSSL 13:80fb167dafdf 1771 XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) {
wolfSSL 13:80fb167dafdf 1772 WOLFSSL_MSG("OID Check Failed");
wolfSSL 13:80fb167dafdf 1773 return ASN_UNKNOWN_OID_E;
wolfSSL 13:80fb167dafdf 1774 }
wolfSSL 13:80fb167dafdf 1775 }
wolfSSL 13:80fb167dafdf 1776 }
wolfSSL 13:80fb167dafdf 1777 #endif /* NO_VERIFY_OID */
wolfSSL 13:80fb167dafdf 1778
wolfSSL 13:80fb167dafdf 1779 return ret;
wolfSSL 13:80fb167dafdf 1780 }
wolfSSL 13:80fb167dafdf 1781
wolfSSL 13:80fb167dafdf 1782
wolfSSL 13:80fb167dafdf 1783 #if defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && (defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)))
wolfSSL 13:80fb167dafdf 1784 static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 13:80fb167dafdf 1785 {
wolfSSL 13:80fb167dafdf 1786 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 1787 int length;
wolfSSL 13:80fb167dafdf 1788 int ret;
wolfSSL 13:80fb167dafdf 1789
wolfSSL 13:80fb167dafdf 1790 ret = GetASNObjectId(input, &idx, &length, maxIdx);
wolfSSL 13:80fb167dafdf 1791 if (ret != 0)
wolfSSL 13:80fb167dafdf 1792 return ret;
wolfSSL 13:80fb167dafdf 1793
wolfSSL 13:80fb167dafdf 1794 idx += length;
wolfSSL 13:80fb167dafdf 1795 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1796
wolfSSL 13:80fb167dafdf 1797 return 0;
wolfSSL 13:80fb167dafdf 1798 }
wolfSSL 13:80fb167dafdf 1799 #endif
wolfSSL 13:80fb167dafdf 1800
wolfSSL 13:80fb167dafdf 1801 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 13:80fb167dafdf 1802 word32 oidType, word32 maxIdx)
wolfSSL 13:80fb167dafdf 1803 {
wolfSSL 13:80fb167dafdf 1804 int length;
wolfSSL 13:80fb167dafdf 1805 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 1806 int ret;
wolfSSL 13:80fb167dafdf 1807 *oid = 0;
wolfSSL 13:80fb167dafdf 1808
wolfSSL 13:80fb167dafdf 1809 WOLFSSL_ENTER("GetAlgoId");
wolfSSL 13:80fb167dafdf 1810
wolfSSL 13:80fb167dafdf 1811 if (GetSequence(input, &idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 1812 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1813
wolfSSL 13:80fb167dafdf 1814 if (GetObjectId(input, &idx, oid, oidType, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 1815 return ASN_OBJECT_ID_E;
wolfSSL 13:80fb167dafdf 1816
wolfSSL 13:80fb167dafdf 1817 /* could have NULL tag and 0 terminator, but may not */
wolfSSL 13:80fb167dafdf 1818 if (input[idx] == ASN_TAG_NULL) {
wolfSSL 13:80fb167dafdf 1819 ret = GetASNNull(input, &idx, maxIdx);
wolfSSL 13:80fb167dafdf 1820 if (ret != 0)
wolfSSL 13:80fb167dafdf 1821 return ret;
wolfSSL 13:80fb167dafdf 1822 }
wolfSSL 13:80fb167dafdf 1823
wolfSSL 13:80fb167dafdf 1824 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1825
wolfSSL 13:80fb167dafdf 1826 return 0;
wolfSSL 13:80fb167dafdf 1827 }
wolfSSL 13:80fb167dafdf 1828
wolfSSL 13:80fb167dafdf 1829 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 1830
wolfSSL 13:80fb167dafdf 1831 #ifndef HAVE_USER_RSA
wolfSSL 13:80fb167dafdf 1832 int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 13:80fb167dafdf 1833 word32 inSz)
wolfSSL 13:80fb167dafdf 1834 {
wolfSSL 13:80fb167dafdf 1835 int version, length;
wolfSSL 13:80fb167dafdf 1836
wolfSSL 13:80fb167dafdf 1837 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 1838 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1839
wolfSSL 13:80fb167dafdf 1840 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 13:80fb167dafdf 1841 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1842
wolfSSL 13:80fb167dafdf 1843 key->type = RSA_PRIVATE;
wolfSSL 13:80fb167dafdf 1844
wolfSSL 13:80fb167dafdf 1845 if (GetInt(&key->n, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1846 GetInt(&key->e, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1847 GetInt(&key->d, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1848 GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1849 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1850 GetInt(&key->dP, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1851 GetInt(&key->dQ, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 1852 GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL 13:80fb167dafdf 1853
wolfSSL 13:80fb167dafdf 1854 return 0;
wolfSSL 13:80fb167dafdf 1855 }
wolfSSL 13:80fb167dafdf 1856 #endif /* HAVE_USER_RSA */
wolfSSL 13:80fb167dafdf 1857 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 1858
wolfSSL 13:80fb167dafdf 1859 /* Remove PKCS8 header, place inOutIdx at beginning of traditional,
wolfSSL 13:80fb167dafdf 1860 * return traditional length on success, negative on error */
wolfSSL 13:80fb167dafdf 1861 int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz)
wolfSSL 13:80fb167dafdf 1862 {
wolfSSL 13:80fb167dafdf 1863 word32 idx, oid;
wolfSSL 13:80fb167dafdf 1864 int version, length;
wolfSSL 13:80fb167dafdf 1865 int ret;
wolfSSL 13:80fb167dafdf 1866
wolfSSL 13:80fb167dafdf 1867 if (input == NULL || inOutIdx == NULL)
wolfSSL 13:80fb167dafdf 1868 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1869
wolfSSL 13:80fb167dafdf 1870 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 1871
wolfSSL 13:80fb167dafdf 1872 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 1873 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1874
wolfSSL 13:80fb167dafdf 1875 if (GetMyVersion(input, &idx, &version, sz) < 0)
wolfSSL 13:80fb167dafdf 1876 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1877
wolfSSL 13:80fb167dafdf 1878 if (GetAlgoId(input, &idx, &oid, oidKeyType, sz) < 0)
wolfSSL 13:80fb167dafdf 1879 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1880
wolfSSL 13:80fb167dafdf 1881 if (input[idx] == ASN_OBJECT_ID) {
wolfSSL 13:80fb167dafdf 1882 if (SkipObjectId(input, &idx, sz) < 0)
wolfSSL 13:80fb167dafdf 1883 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 1884 }
wolfSSL 13:80fb167dafdf 1885
wolfSSL 13:80fb167dafdf 1886 ret = GetOctetString(input, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 1887 if (ret < 0)
wolfSSL 13:80fb167dafdf 1888 return ret;
wolfSSL 13:80fb167dafdf 1889
wolfSSL 13:80fb167dafdf 1890 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 1891
wolfSSL 13:80fb167dafdf 1892 return length;
wolfSSL 13:80fb167dafdf 1893 }
wolfSSL 13:80fb167dafdf 1894
wolfSSL 13:80fb167dafdf 1895 /* Remove PKCS8 header, move beginning of traditional to beginning of input */
wolfSSL 13:80fb167dafdf 1896 int ToTraditional(byte* input, word32 sz)
wolfSSL 13:80fb167dafdf 1897 {
wolfSSL 13:80fb167dafdf 1898 word32 inOutIdx = 0;
wolfSSL 13:80fb167dafdf 1899 int length;
wolfSSL 13:80fb167dafdf 1900
wolfSSL 13:80fb167dafdf 1901 if (input == NULL)
wolfSSL 13:80fb167dafdf 1902 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1903
wolfSSL 13:80fb167dafdf 1904 length = ToTraditionalInline(input, &inOutIdx, sz);
wolfSSL 13:80fb167dafdf 1905 if (length < 0)
wolfSSL 13:80fb167dafdf 1906 return length;
wolfSSL 13:80fb167dafdf 1907
wolfSSL 13:80fb167dafdf 1908 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 13:80fb167dafdf 1909
wolfSSL 13:80fb167dafdf 1910 return length;
wolfSSL 13:80fb167dafdf 1911 }
wolfSSL 13:80fb167dafdf 1912
wolfSSL 13:80fb167dafdf 1913
wolfSSL 13:80fb167dafdf 1914 /* find beginning of traditional key inside PKCS#8 unencrypted buffer
wolfSSL 13:80fb167dafdf 1915 * return traditional length on success, with inOutIdx at beginning of
wolfSSL 13:80fb167dafdf 1916 * traditional
wolfSSL 13:80fb167dafdf 1917 * return negative on failure/error */
wolfSSL 13:80fb167dafdf 1918 int wc_GetPkcs8TraditionalOffset(byte* input, word32* inOutIdx, word32 sz)
wolfSSL 13:80fb167dafdf 1919 {
wolfSSL 13:80fb167dafdf 1920 int length;
wolfSSL 13:80fb167dafdf 1921
wolfSSL 13:80fb167dafdf 1922 if (input == NULL || inOutIdx == NULL || (*inOutIdx > sz))
wolfSSL 13:80fb167dafdf 1923 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1924
wolfSSL 13:80fb167dafdf 1925 length = ToTraditionalInline(input, inOutIdx, sz);
wolfSSL 13:80fb167dafdf 1926
wolfSSL 13:80fb167dafdf 1927 return length;
wolfSSL 13:80fb167dafdf 1928 }
wolfSSL 13:80fb167dafdf 1929
wolfSSL 13:80fb167dafdf 1930
wolfSSL 13:80fb167dafdf 1931 /* PKCS#8 from RFC 5208
wolfSSL 13:80fb167dafdf 1932 * This function takes in a DER key and converts it to PKCS#8 format. Used
wolfSSL 13:80fb167dafdf 1933 * in creating PKCS#12 shrouded key bags.
wolfSSL 13:80fb167dafdf 1934 * Reverse of ToTraditional
wolfSSL 13:80fb167dafdf 1935 *
wolfSSL 13:80fb167dafdf 1936 * PrivateKeyInfo ::= SEQUENCE {
wolfSSL 13:80fb167dafdf 1937 * version Version,
wolfSSL 13:80fb167dafdf 1938 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
wolfSSL 13:80fb167dafdf 1939 * privateKey PrivateKey,
wolfSSL 13:80fb167dafdf 1940 * attributes optional
wolfSSL 13:80fb167dafdf 1941 * }
wolfSSL 13:80fb167dafdf 1942 * Version ::= INTEGER
wolfSSL 13:80fb167dafdf 1943 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
wolfSSL 13:80fb167dafdf 1944 * PrivateKey ::= OCTET STRING
wolfSSL 13:80fb167dafdf 1945 *
wolfSSL 13:80fb167dafdf 1946 * out buffer to place result in
wolfSSL 13:80fb167dafdf 1947 * outSz size of out buffer
wolfSSL 13:80fb167dafdf 1948 * key buffer with DER key
wolfSSL 13:80fb167dafdf 1949 * keySz size of key buffer
wolfSSL 13:80fb167dafdf 1950 * algoID algorithm ID i.e. RSAk
wolfSSL 13:80fb167dafdf 1951 * curveOID ECC curve oid if used. Should be NULL for RSA keys.
wolfSSL 13:80fb167dafdf 1952 * oidSz size of curve oid. Is set to 0 if curveOID is NULL.
wolfSSL 13:80fb167dafdf 1953 *
wolfSSL 13:80fb167dafdf 1954 * Returns the size of PKCS#8 placed into out. In error cases returns negative
wolfSSL 13:80fb167dafdf 1955 * values.
wolfSSL 13:80fb167dafdf 1956 */
wolfSSL 13:80fb167dafdf 1957 int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz,
wolfSSL 13:80fb167dafdf 1958 int algoID, const byte* curveOID, word32 oidSz)
wolfSSL 13:80fb167dafdf 1959 {
wolfSSL 13:80fb167dafdf 1960 word32 keyIdx = 0;
wolfSSL 13:80fb167dafdf 1961 word32 tmpSz = 0;
wolfSSL 13:80fb167dafdf 1962 word32 sz;
wolfSSL 13:80fb167dafdf 1963
wolfSSL 13:80fb167dafdf 1964
wolfSSL 13:80fb167dafdf 1965 /* If out is NULL then return the max size needed
wolfSSL 13:80fb167dafdf 1966 * + 2 for ASN_OBJECT_ID and ASN_OCTET_STRING tags */
wolfSSL 13:80fb167dafdf 1967 if (out == NULL && outSz != NULL) {
wolfSSL 13:80fb167dafdf 1968 *outSz = keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
wolfSSL 13:80fb167dafdf 1969 + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2;
wolfSSL 13:80fb167dafdf 1970
wolfSSL 13:80fb167dafdf 1971 if (curveOID != NULL)
wolfSSL 13:80fb167dafdf 1972 *outSz += oidSz + MAX_LENGTH_SZ + 1;
wolfSSL 13:80fb167dafdf 1973
wolfSSL 13:80fb167dafdf 1974 WOLFSSL_MSG("Checking size of PKCS8");
wolfSSL 13:80fb167dafdf 1975
wolfSSL 13:80fb167dafdf 1976 return LENGTH_ONLY_E;
wolfSSL 13:80fb167dafdf 1977 }
wolfSSL 13:80fb167dafdf 1978
wolfSSL 13:80fb167dafdf 1979 WOLFSSL_ENTER("wc_CreatePKCS8Key()");
wolfSSL 13:80fb167dafdf 1980
wolfSSL 13:80fb167dafdf 1981 if (key == NULL || out == NULL || outSz == NULL) {
wolfSSL 13:80fb167dafdf 1982 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 1983 }
wolfSSL 13:80fb167dafdf 1984
wolfSSL 13:80fb167dafdf 1985 /* check the buffer has enough room for largest possible size */
wolfSSL 13:80fb167dafdf 1986 if (curveOID != NULL) {
wolfSSL 13:80fb167dafdf 1987 if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
wolfSSL 13:80fb167dafdf 1988 + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 3 + oidSz + MAX_LENGTH_SZ))
wolfSSL 13:80fb167dafdf 1989 return BUFFER_E;
wolfSSL 13:80fb167dafdf 1990 }
wolfSSL 13:80fb167dafdf 1991 else {
wolfSSL 13:80fb167dafdf 1992 oidSz = 0; /* with no curveOID oid size must be 0 */
wolfSSL 13:80fb167dafdf 1993 if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
wolfSSL 13:80fb167dafdf 1994 + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2))
wolfSSL 13:80fb167dafdf 1995 return BUFFER_E;
wolfSSL 13:80fb167dafdf 1996 }
wolfSSL 13:80fb167dafdf 1997
wolfSSL 13:80fb167dafdf 1998 /* PrivateKeyInfo ::= SEQUENCE */
wolfSSL 13:80fb167dafdf 1999 keyIdx += MAX_SEQ_SZ; /* save room for sequence */
wolfSSL 13:80fb167dafdf 2000
wolfSSL 13:80fb167dafdf 2001 /* version Version
wolfSSL 13:80fb167dafdf 2002 * no header information just INTEGER */
wolfSSL 13:80fb167dafdf 2003 sz = SetMyVersion(PKCS8v0, out + keyIdx, 0);
wolfSSL 13:80fb167dafdf 2004 tmpSz += sz; keyIdx += sz;
wolfSSL 13:80fb167dafdf 2005
wolfSSL 13:80fb167dafdf 2006 /* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier */
wolfSSL 13:80fb167dafdf 2007 sz = 0; /* set sz to 0 and get privateKey oid buffer size needed */
wolfSSL 13:80fb167dafdf 2008 if (curveOID != NULL && oidSz > 0) {
wolfSSL 13:80fb167dafdf 2009 byte buf[MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 2010 sz = SetLength(oidSz, buf);
wolfSSL 13:80fb167dafdf 2011 sz += 1; /* plus one for ASN object id */
wolfSSL 13:80fb167dafdf 2012 }
wolfSSL 13:80fb167dafdf 2013 sz = SetAlgoID(algoID, out + keyIdx, oidKeyType, oidSz + sz);
wolfSSL 13:80fb167dafdf 2014 tmpSz += sz; keyIdx += sz;
wolfSSL 13:80fb167dafdf 2015
wolfSSL 13:80fb167dafdf 2016 /* privateKey PrivateKey *
wolfSSL 13:80fb167dafdf 2017 * pkcs8 ecc uses slightly different format. Places curve oid in
wolfSSL 13:80fb167dafdf 2018 * buffer */
wolfSSL 13:80fb167dafdf 2019 if (curveOID != NULL && oidSz > 0) {
wolfSSL 13:80fb167dafdf 2020 sz = SetObjectId(oidSz, out + keyIdx);
wolfSSL 13:80fb167dafdf 2021 keyIdx += sz; tmpSz += sz;
wolfSSL 13:80fb167dafdf 2022 XMEMCPY(out + keyIdx, curveOID, oidSz);
wolfSSL 13:80fb167dafdf 2023 keyIdx += oidSz; tmpSz += oidSz;
wolfSSL 13:80fb167dafdf 2024 }
wolfSSL 13:80fb167dafdf 2025
wolfSSL 13:80fb167dafdf 2026 sz = SetOctetString(keySz, out + keyIdx);
wolfSSL 13:80fb167dafdf 2027 keyIdx += sz; tmpSz += sz;
wolfSSL 13:80fb167dafdf 2028 XMEMCPY(out + keyIdx, key, keySz);
wolfSSL 13:80fb167dafdf 2029 tmpSz += keySz;
wolfSSL 13:80fb167dafdf 2030
wolfSSL 13:80fb167dafdf 2031 /* attributes optional
wolfSSL 13:80fb167dafdf 2032 * No attributes currently added */
wolfSSL 13:80fb167dafdf 2033
wolfSSL 13:80fb167dafdf 2034 /* rewind and add sequence */
wolfSSL 13:80fb167dafdf 2035 sz = SetSequence(tmpSz, out);
wolfSSL 13:80fb167dafdf 2036 XMEMMOVE(out + sz, out + MAX_SEQ_SZ, tmpSz);
wolfSSL 13:80fb167dafdf 2037
wolfSSL 13:80fb167dafdf 2038 return tmpSz + sz;
wolfSSL 13:80fb167dafdf 2039 }
wolfSSL 13:80fb167dafdf 2040
wolfSSL 13:80fb167dafdf 2041
wolfSSL 13:80fb167dafdf 2042 /* check that the private key is a pair for the public key in certificate
wolfSSL 13:80fb167dafdf 2043 * return 1 (true) on match
wolfSSL 13:80fb167dafdf 2044 * return 0 or negative value on failure/error
wolfSSL 13:80fb167dafdf 2045 *
wolfSSL 13:80fb167dafdf 2046 * key : buffer holding DER fromat key
wolfSSL 13:80fb167dafdf 2047 * keySz : size of key buffer
wolfSSL 13:80fb167dafdf 2048 * der : a initialized and parsed DecodedCert holding a certificate */
wolfSSL 13:80fb167dafdf 2049 int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
wolfSSL 13:80fb167dafdf 2050 {
wolfSSL 13:80fb167dafdf 2051 if (key == NULL || der == NULL) {
wolfSSL 13:80fb167dafdf 2052 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2053 }
wolfSSL 13:80fb167dafdf 2054
wolfSSL 13:80fb167dafdf 2055 #if !defined(NO_RSA)
wolfSSL 13:80fb167dafdf 2056 {
wolfSSL 13:80fb167dafdf 2057 RsaKey a, b;
wolfSSL 13:80fb167dafdf 2058 word32 keyIdx = 0;
wolfSSL 13:80fb167dafdf 2059 int ret = 0;
wolfSSL 13:80fb167dafdf 2060
wolfSSL 13:80fb167dafdf 2061 /* test if RSA key */
wolfSSL 13:80fb167dafdf 2062 if (der->keyOID == RSAk) {
wolfSSL 13:80fb167dafdf 2063 if (wc_InitRsaKey(&a, NULL) == 0 &&
wolfSSL 13:80fb167dafdf 2064 wc_RsaPrivateKeyDecode(key, &keyIdx, &a, keySz) == 0) {
wolfSSL 13:80fb167dafdf 2065 WOLFSSL_MSG("Checking RSA key pair");
wolfSSL 13:80fb167dafdf 2066 keyIdx = 0; /* reset to 0 for parsing public key */
wolfSSL 13:80fb167dafdf 2067
wolfSSL 13:80fb167dafdf 2068 if (wc_InitRsaKey(&b, NULL) == 0) {
wolfSSL 13:80fb167dafdf 2069 if ((ret = wc_RsaPublicKeyDecode(der->publicKey, &keyIdx,
wolfSSL 13:80fb167dafdf 2070 &b, der->pubKeySize)) == 0) {
wolfSSL 13:80fb167dafdf 2071 /* limit for user RSA crypto because of RsaKey
wolfSSL 13:80fb167dafdf 2072 * dereference. */
wolfSSL 13:80fb167dafdf 2073 #if defined(HAVE_USER_RSA)
wolfSSL 13:80fb167dafdf 2074 WOLFSSL_MSG("Cannot verify RSA pair with user RSA");
wolfSSL 13:80fb167dafdf 2075 wc_FreeRsaKey(&b);
wolfSSL 13:80fb167dafdf 2076 wc_FreeRsaKey(&a);
wolfSSL 13:80fb167dafdf 2077 return 1; /* return first RSA cert as match */
wolfSSL 13:80fb167dafdf 2078 #else
wolfSSL 13:80fb167dafdf 2079 /* both keys extracted successfully now check n and e
wolfSSL 13:80fb167dafdf 2080 * values are the same. This is dereferencing RsaKey */
wolfSSL 13:80fb167dafdf 2081 if (mp_cmp(&(a.n), &(b.n)) != MP_EQ ||
wolfSSL 13:80fb167dafdf 2082 mp_cmp(&(a.e), &(b.e)) != MP_EQ) {
wolfSSL 13:80fb167dafdf 2083 ret = MP_CMP_E;
wolfSSL 13:80fb167dafdf 2084 }
wolfSSL 13:80fb167dafdf 2085 else {
wolfSSL 13:80fb167dafdf 2086 /* match found, free keys and return success */
wolfSSL 13:80fb167dafdf 2087 wc_FreeRsaKey(&b);
wolfSSL 13:80fb167dafdf 2088 wc_FreeRsaKey(&a);
wolfSSL 13:80fb167dafdf 2089 return 1;
wolfSSL 13:80fb167dafdf 2090 }
wolfSSL 13:80fb167dafdf 2091 #endif
wolfSSL 13:80fb167dafdf 2092 }
wolfSSL 13:80fb167dafdf 2093 wc_FreeRsaKey(&b);
wolfSSL 13:80fb167dafdf 2094 }
wolfSSL 13:80fb167dafdf 2095 }
wolfSSL 13:80fb167dafdf 2096 wc_FreeRsaKey(&a);
wolfSSL 13:80fb167dafdf 2097 }
wolfSSL 13:80fb167dafdf 2098
wolfSSL 13:80fb167dafdf 2099 /* if ret is not 0 then there was a failed comparision attempt */
wolfSSL 13:80fb167dafdf 2100 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2101 return ret;
wolfSSL 13:80fb167dafdf 2102 }
wolfSSL 13:80fb167dafdf 2103 }
wolfSSL 13:80fb167dafdf 2104 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 2105
wolfSSL 13:80fb167dafdf 2106 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 2107 {
wolfSSL 13:80fb167dafdf 2108 int ret = 0;
wolfSSL 13:80fb167dafdf 2109 word32 keyIdx = 0;
wolfSSL 13:80fb167dafdf 2110 ecc_key key_pair;
wolfSSL 13:80fb167dafdf 2111
wolfSSL 13:80fb167dafdf 2112 if (der->keyOID == ECDSAk) {
wolfSSL 13:80fb167dafdf 2113 if ((ret = wc_ecc_init(&key_pair)) == 0 &&
wolfSSL 13:80fb167dafdf 2114 wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, keySz) == 0) {
wolfSSL 13:80fb167dafdf 2115 WOLFSSL_MSG("Checking ECC key pair");
wolfSSL 13:80fb167dafdf 2116 keyIdx = 0;
wolfSSL 13:80fb167dafdf 2117 if ((ret = wc_ecc_import_x963(der->publicKey, der->pubKeySize,
wolfSSL 13:80fb167dafdf 2118 &key_pair)) == 0) {
wolfSSL 13:80fb167dafdf 2119 /* public and private extracted successfuly no check if is
wolfSSL 13:80fb167dafdf 2120 * a pair and also do sanity checks on key. wc_ecc_check_key
wolfSSL 13:80fb167dafdf 2121 * checks that private * base generator equals pubkey */
wolfSSL 13:80fb167dafdf 2122 if ((ret = wc_ecc_check_key(&key_pair)) == 0) {
wolfSSL 13:80fb167dafdf 2123 /* found a match */
wolfSSL 13:80fb167dafdf 2124 wc_ecc_free(&key_pair);
wolfSSL 13:80fb167dafdf 2125 return 1;
wolfSSL 13:80fb167dafdf 2126 }
wolfSSL 13:80fb167dafdf 2127
wolfSSL 13:80fb167dafdf 2128 }
wolfSSL 13:80fb167dafdf 2129 }
wolfSSL 13:80fb167dafdf 2130 wc_ecc_free(&key_pair);
wolfSSL 13:80fb167dafdf 2131 }
wolfSSL 13:80fb167dafdf 2132
wolfSSL 13:80fb167dafdf 2133 /* error on attempt to match */
wolfSSL 13:80fb167dafdf 2134 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2135 return ret;
wolfSSL 13:80fb167dafdf 2136 }
wolfSSL 13:80fb167dafdf 2137 }
wolfSSL 13:80fb167dafdf 2138 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 2139
wolfSSL 13:80fb167dafdf 2140 /* no match found */
wolfSSL 13:80fb167dafdf 2141 return 0;
wolfSSL 13:80fb167dafdf 2142 }
wolfSSL 13:80fb167dafdf 2143
wolfSSL 13:80fb167dafdf 2144 #ifndef NO_PWDBASED
wolfSSL 13:80fb167dafdf 2145
wolfSSL 13:80fb167dafdf 2146 /* Check To see if PKCS version algo is supported, set id if it is return 0
wolfSSL 13:80fb167dafdf 2147 < 0 on error */
wolfSSL 13:80fb167dafdf 2148 static int CheckAlgo(int first, int second, int* id, int* version)
wolfSSL 13:80fb167dafdf 2149 {
wolfSSL 13:80fb167dafdf 2150 *id = ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2151 *version = PKCS5; /* default */
wolfSSL 13:80fb167dafdf 2152
wolfSSL 13:80fb167dafdf 2153 if (first == 1) {
wolfSSL 13:80fb167dafdf 2154 switch (second) {
wolfSSL 13:80fb167dafdf 2155 case 1:
wolfSSL 13:80fb167dafdf 2156 *id = PBE_SHA1_RC4_128;
wolfSSL 13:80fb167dafdf 2157 *version = PKCS12v1;
wolfSSL 13:80fb167dafdf 2158 return 0;
wolfSSL 13:80fb167dafdf 2159 case 3:
wolfSSL 13:80fb167dafdf 2160 *id = PBE_SHA1_DES3;
wolfSSL 13:80fb167dafdf 2161 *version = PKCS12v1;
wolfSSL 13:80fb167dafdf 2162 return 0;
wolfSSL 13:80fb167dafdf 2163 default:
wolfSSL 13:80fb167dafdf 2164 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2165 }
wolfSSL 13:80fb167dafdf 2166 }
wolfSSL 13:80fb167dafdf 2167
wolfSSL 13:80fb167dafdf 2168 if (first != PKCS5)
wolfSSL 13:80fb167dafdf 2169 return ASN_INPUT_E; /* VERSION ERROR */
wolfSSL 13:80fb167dafdf 2170
wolfSSL 13:80fb167dafdf 2171 if (second == PBES2) {
wolfSSL 13:80fb167dafdf 2172 *version = PKCS5v2;
wolfSSL 13:80fb167dafdf 2173 return 0;
wolfSSL 13:80fb167dafdf 2174 }
wolfSSL 13:80fb167dafdf 2175
wolfSSL 13:80fb167dafdf 2176 switch (second) {
wolfSSL 13:80fb167dafdf 2177 case 3: /* see RFC 2898 for ids */
wolfSSL 13:80fb167dafdf 2178 *id = PBE_MD5_DES;
wolfSSL 13:80fb167dafdf 2179 return 0;
wolfSSL 13:80fb167dafdf 2180 case 10:
wolfSSL 13:80fb167dafdf 2181 *id = PBE_SHA1_DES;
wolfSSL 13:80fb167dafdf 2182 return 0;
wolfSSL 13:80fb167dafdf 2183 default:
wolfSSL 13:80fb167dafdf 2184 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2185
wolfSSL 13:80fb167dafdf 2186 }
wolfSSL 13:80fb167dafdf 2187 }
wolfSSL 13:80fb167dafdf 2188
wolfSSL 13:80fb167dafdf 2189
wolfSSL 13:80fb167dafdf 2190 /* Check To see if PKCS v2 algo is supported, set id if it is return 0
wolfSSL 13:80fb167dafdf 2191 < 0 on error */
wolfSSL 13:80fb167dafdf 2192 static int CheckAlgoV2(int oid, int* id)
wolfSSL 13:80fb167dafdf 2193 {
wolfSSL 13:80fb167dafdf 2194 switch (oid) {
wolfSSL 13:80fb167dafdf 2195 case 69:
wolfSSL 13:80fb167dafdf 2196 *id = PBE_SHA1_DES;
wolfSSL 13:80fb167dafdf 2197 return 0;
wolfSSL 13:80fb167dafdf 2198 case 652:
wolfSSL 13:80fb167dafdf 2199 *id = PBE_SHA1_DES3;
wolfSSL 13:80fb167dafdf 2200 return 0;
wolfSSL 13:80fb167dafdf 2201 default:
wolfSSL 13:80fb167dafdf 2202 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2203
wolfSSL 13:80fb167dafdf 2204 }
wolfSSL 13:80fb167dafdf 2205 }
wolfSSL 13:80fb167dafdf 2206
wolfSSL 13:80fb167dafdf 2207
wolfSSL 13:80fb167dafdf 2208 /* Decrypt input in place from parameters based on id */
wolfSSL 13:80fb167dafdf 2209 static int DecryptKey(const char* password, int passwordSz, byte* salt,
wolfSSL 13:80fb167dafdf 2210 int saltSz, int iterations, int id, byte* input,
wolfSSL 13:80fb167dafdf 2211 int length, int version, byte* cbcIv)
wolfSSL 13:80fb167dafdf 2212 {
wolfSSL 13:80fb167dafdf 2213 int typeH;
wolfSSL 13:80fb167dafdf 2214 int derivedLen;
wolfSSL 13:80fb167dafdf 2215 int decryptionType;
wolfSSL 13:80fb167dafdf 2216 int ret = 0;
wolfSSL 13:80fb167dafdf 2217 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2218 byte* key;
wolfSSL 13:80fb167dafdf 2219 #else
wolfSSL 13:80fb167dafdf 2220 byte key[MAX_KEY_SIZE];
wolfSSL 13:80fb167dafdf 2221 #endif
wolfSSL 13:80fb167dafdf 2222
wolfSSL 13:80fb167dafdf 2223 (void)input;
wolfSSL 13:80fb167dafdf 2224 (void)length;
wolfSSL 13:80fb167dafdf 2225
wolfSSL 13:80fb167dafdf 2226 switch (id) {
wolfSSL 13:80fb167dafdf 2227 case PBE_MD5_DES:
wolfSSL 13:80fb167dafdf 2228 typeH = MD5;
wolfSSL 13:80fb167dafdf 2229 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 13:80fb167dafdf 2230 decryptionType = DES_TYPE;
wolfSSL 13:80fb167dafdf 2231 break;
wolfSSL 13:80fb167dafdf 2232
wolfSSL 13:80fb167dafdf 2233 case PBE_SHA1_DES:
wolfSSL 13:80fb167dafdf 2234 typeH = SHA;
wolfSSL 13:80fb167dafdf 2235 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 13:80fb167dafdf 2236 decryptionType = DES_TYPE;
wolfSSL 13:80fb167dafdf 2237 break;
wolfSSL 13:80fb167dafdf 2238
wolfSSL 13:80fb167dafdf 2239 case PBE_SHA1_DES3:
wolfSSL 13:80fb167dafdf 2240 typeH = SHA;
wolfSSL 13:80fb167dafdf 2241 derivedLen = 32; /* may need iv for v1.5 */
wolfSSL 13:80fb167dafdf 2242 decryptionType = DES3_TYPE;
wolfSSL 13:80fb167dafdf 2243 break;
wolfSSL 13:80fb167dafdf 2244
wolfSSL 13:80fb167dafdf 2245 case PBE_SHA1_RC4_128:
wolfSSL 13:80fb167dafdf 2246 typeH = SHA;
wolfSSL 13:80fb167dafdf 2247 derivedLen = 16;
wolfSSL 13:80fb167dafdf 2248 decryptionType = RC4_TYPE;
wolfSSL 13:80fb167dafdf 2249 break;
wolfSSL 13:80fb167dafdf 2250
wolfSSL 13:80fb167dafdf 2251 default:
wolfSSL 13:80fb167dafdf 2252 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2253 }
wolfSSL 13:80fb167dafdf 2254
wolfSSL 13:80fb167dafdf 2255 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2256 key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2257 if (key == NULL)
wolfSSL 13:80fb167dafdf 2258 return MEMORY_E;
wolfSSL 13:80fb167dafdf 2259 #endif
wolfSSL 13:80fb167dafdf 2260
wolfSSL 13:80fb167dafdf 2261 if (version == PKCS5v2)
wolfSSL 13:80fb167dafdf 2262 ret = wc_PBKDF2(key, (byte*)password, passwordSz,
wolfSSL 13:80fb167dafdf 2263 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 13:80fb167dafdf 2264 #ifndef NO_SHA
wolfSSL 13:80fb167dafdf 2265 else if (version == PKCS5)
wolfSSL 13:80fb167dafdf 2266 ret = wc_PBKDF1(key, (byte*)password, passwordSz,
wolfSSL 13:80fb167dafdf 2267 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 13:80fb167dafdf 2268 #endif
wolfSSL 13:80fb167dafdf 2269 else if (version == PKCS12v1) {
wolfSSL 13:80fb167dafdf 2270 int i, idx = 0;
wolfSSL 13:80fb167dafdf 2271 byte unicodePasswd[MAX_UNICODE_SZ];
wolfSSL 13:80fb167dafdf 2272
wolfSSL 13:80fb167dafdf 2273 if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
wolfSSL 13:80fb167dafdf 2274 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2275 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2276 #endif
wolfSSL 13:80fb167dafdf 2277 return UNICODE_SIZE_E;
wolfSSL 13:80fb167dafdf 2278 }
wolfSSL 13:80fb167dafdf 2279
wolfSSL 13:80fb167dafdf 2280 for (i = 0; i < passwordSz; i++) {
wolfSSL 13:80fb167dafdf 2281 unicodePasswd[idx++] = 0x00;
wolfSSL 13:80fb167dafdf 2282 unicodePasswd[idx++] = (byte)password[i];
wolfSSL 13:80fb167dafdf 2283 }
wolfSSL 13:80fb167dafdf 2284 /* add trailing NULL */
wolfSSL 13:80fb167dafdf 2285 unicodePasswd[idx++] = 0x00;
wolfSSL 13:80fb167dafdf 2286 unicodePasswd[idx++] = 0x00;
wolfSSL 13:80fb167dafdf 2287
wolfSSL 13:80fb167dafdf 2288 ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
wolfSSL 13:80fb167dafdf 2289 iterations, derivedLen, typeH, 1);
wolfSSL 13:80fb167dafdf 2290 if (decryptionType != RC4_TYPE)
wolfSSL 13:80fb167dafdf 2291 ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
wolfSSL 13:80fb167dafdf 2292 iterations, 8, typeH, 2);
wolfSSL 13:80fb167dafdf 2293 }
wolfSSL 13:80fb167dafdf 2294 else {
wolfSSL 13:80fb167dafdf 2295 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2296 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2297 #endif
wolfSSL 13:80fb167dafdf 2298 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2299 }
wolfSSL 13:80fb167dafdf 2300
wolfSSL 13:80fb167dafdf 2301 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2302 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2303 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2304 #endif
wolfSSL 13:80fb167dafdf 2305 return ret;
wolfSSL 13:80fb167dafdf 2306 }
wolfSSL 13:80fb167dafdf 2307
wolfSSL 13:80fb167dafdf 2308 switch (decryptionType) {
wolfSSL 13:80fb167dafdf 2309 #ifndef NO_DES3
wolfSSL 13:80fb167dafdf 2310 case DES_TYPE:
wolfSSL 13:80fb167dafdf 2311 {
wolfSSL 13:80fb167dafdf 2312 Des dec;
wolfSSL 13:80fb167dafdf 2313 byte* desIv = key + 8;
wolfSSL 13:80fb167dafdf 2314
wolfSSL 13:80fb167dafdf 2315 if (version == PKCS5v2 || version == PKCS12v1)
wolfSSL 13:80fb167dafdf 2316 desIv = cbcIv;
wolfSSL 13:80fb167dafdf 2317
wolfSSL 13:80fb167dafdf 2318 ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 13:80fb167dafdf 2319 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2320 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2321 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2322 #endif
wolfSSL 13:80fb167dafdf 2323 return ret;
wolfSSL 13:80fb167dafdf 2324 }
wolfSSL 13:80fb167dafdf 2325
wolfSSL 13:80fb167dafdf 2326 wc_Des_CbcDecrypt(&dec, input, input, length);
wolfSSL 13:80fb167dafdf 2327 break;
wolfSSL 13:80fb167dafdf 2328 }
wolfSSL 13:80fb167dafdf 2329
wolfSSL 13:80fb167dafdf 2330 case DES3_TYPE:
wolfSSL 13:80fb167dafdf 2331 {
wolfSSL 13:80fb167dafdf 2332 Des3 dec;
wolfSSL 13:80fb167dafdf 2333 byte* desIv = key + 24;
wolfSSL 13:80fb167dafdf 2334
wolfSSL 13:80fb167dafdf 2335 if (version == PKCS5v2 || version == PKCS12v1)
wolfSSL 13:80fb167dafdf 2336 desIv = cbcIv;
wolfSSL 13:80fb167dafdf 2337 ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 13:80fb167dafdf 2338 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2339 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2340 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2341 #endif
wolfSSL 13:80fb167dafdf 2342 return ret;
wolfSSL 13:80fb167dafdf 2343 }
wolfSSL 13:80fb167dafdf 2344 ret = wc_Des3_CbcDecrypt(&dec, input, input, length);
wolfSSL 13:80fb167dafdf 2345 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2346 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2347 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2348 #endif
wolfSSL 13:80fb167dafdf 2349 return ret;
wolfSSL 13:80fb167dafdf 2350 }
wolfSSL 13:80fb167dafdf 2351 break;
wolfSSL 13:80fb167dafdf 2352 }
wolfSSL 13:80fb167dafdf 2353 #endif
wolfSSL 13:80fb167dafdf 2354 #ifndef NO_RC4
wolfSSL 13:80fb167dafdf 2355 case RC4_TYPE:
wolfSSL 13:80fb167dafdf 2356 {
wolfSSL 13:80fb167dafdf 2357 Arc4 dec;
wolfSSL 13:80fb167dafdf 2358
wolfSSL 13:80fb167dafdf 2359 wc_Arc4SetKey(&dec, key, derivedLen);
wolfSSL 13:80fb167dafdf 2360 wc_Arc4Process(&dec, input, input, length);
wolfSSL 13:80fb167dafdf 2361 break;
wolfSSL 13:80fb167dafdf 2362 }
wolfSSL 13:80fb167dafdf 2363 #endif
wolfSSL 13:80fb167dafdf 2364
wolfSSL 13:80fb167dafdf 2365 default:
wolfSSL 13:80fb167dafdf 2366 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2367 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2368 #endif
wolfSSL 13:80fb167dafdf 2369 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 2370 }
wolfSSL 13:80fb167dafdf 2371
wolfSSL 13:80fb167dafdf 2372 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2373 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2374 #endif
wolfSSL 13:80fb167dafdf 2375
wolfSSL 13:80fb167dafdf 2376 return 0;
wolfSSL 13:80fb167dafdf 2377 }
wolfSSL 13:80fb167dafdf 2378
wolfSSL 13:80fb167dafdf 2379
wolfSSL 13:80fb167dafdf 2380 int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
wolfSSL 13:80fb167dafdf 2381 int* algoID, void* heap)
wolfSSL 13:80fb167dafdf 2382 {
wolfSSL 13:80fb167dafdf 2383 word32 tmpIdx = 0;
wolfSSL 13:80fb167dafdf 2384 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 2385 ecc_key ecc;
wolfSSL 13:80fb167dafdf 2386 #endif
wolfSSL 13:80fb167dafdf 2387 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 2388 RsaKey rsa;
wolfSSL 13:80fb167dafdf 2389 #endif
wolfSSL 13:80fb167dafdf 2390
wolfSSL 13:80fb167dafdf 2391 if (algoID == NULL) {
wolfSSL 13:80fb167dafdf 2392 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2393 }
wolfSSL 13:80fb167dafdf 2394 *algoID = 0;
wolfSSL 13:80fb167dafdf 2395
wolfSSL 13:80fb167dafdf 2396 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 2397 if (wc_InitRsaKey(&rsa, heap) == 0) {
wolfSSL 13:80fb167dafdf 2398 if (wc_RsaPrivateKeyDecode(key, &tmpIdx, &rsa, keySz) == 0) {
wolfSSL 13:80fb167dafdf 2399 *algoID = RSAk;
wolfSSL 13:80fb167dafdf 2400 }
wolfSSL 13:80fb167dafdf 2401 else {
wolfSSL 13:80fb167dafdf 2402 WOLFSSL_MSG("Not RSA DER key");
wolfSSL 13:80fb167dafdf 2403 }
wolfSSL 13:80fb167dafdf 2404 wc_FreeRsaKey(&rsa);
wolfSSL 13:80fb167dafdf 2405 }
wolfSSL 13:80fb167dafdf 2406 else {
wolfSSL 13:80fb167dafdf 2407 WOLFSSL_MSG("GetKeyOID wc_InitRsaKey failed");
wolfSSL 13:80fb167dafdf 2408 }
wolfSSL 13:80fb167dafdf 2409 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 2410 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 2411 if (*algoID != RSAk) {
wolfSSL 13:80fb167dafdf 2412 tmpIdx = 0;
wolfSSL 13:80fb167dafdf 2413 if (wc_ecc_init_ex(&ecc, heap, INVALID_DEVID) == 0) {
wolfSSL 13:80fb167dafdf 2414 if (wc_EccPrivateKeyDecode(key, &tmpIdx, &ecc, keySz) == 0) {
wolfSSL 13:80fb167dafdf 2415 *algoID = ECDSAk;
wolfSSL 13:80fb167dafdf 2416
wolfSSL 13:80fb167dafdf 2417 /* sanity check on arguments */
wolfSSL 13:80fb167dafdf 2418 if (curveOID == NULL || oidSz == NULL) {
wolfSSL 13:80fb167dafdf 2419 WOLFSSL_MSG("Error getting ECC curve OID");
wolfSSL 13:80fb167dafdf 2420 wc_ecc_free(&ecc);
wolfSSL 13:80fb167dafdf 2421 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2422 }
wolfSSL 13:80fb167dafdf 2423
wolfSSL 13:80fb167dafdf 2424 /* now find oid */
wolfSSL 13:80fb167dafdf 2425 if (wc_ecc_get_oid(ecc.dp->oidSum, curveOID, oidSz) < 0) {
wolfSSL 13:80fb167dafdf 2426 WOLFSSL_MSG("Error getting ECC curve OID");
wolfSSL 13:80fb167dafdf 2427 wc_ecc_free(&ecc);
wolfSSL 13:80fb167dafdf 2428 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2429 }
wolfSSL 13:80fb167dafdf 2430 }
wolfSSL 13:80fb167dafdf 2431 else {
wolfSSL 13:80fb167dafdf 2432 WOLFSSL_MSG("Not ECC DER key either");
wolfSSL 13:80fb167dafdf 2433 }
wolfSSL 13:80fb167dafdf 2434 wc_ecc_free(&ecc);
wolfSSL 13:80fb167dafdf 2435 }
wolfSSL 13:80fb167dafdf 2436 else {
wolfSSL 13:80fb167dafdf 2437 WOLFSSL_MSG("GetKeyOID wc_ecc_init_ex failed");
wolfSSL 13:80fb167dafdf 2438 }
wolfSSL 13:80fb167dafdf 2439 }
wolfSSL 13:80fb167dafdf 2440 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 2441
wolfSSL 13:80fb167dafdf 2442 /* if flag is not set then is neither RSA or ECC key that could be
wolfSSL 13:80fb167dafdf 2443 * found */
wolfSSL 13:80fb167dafdf 2444 if (*algoID == 0) {
wolfSSL 13:80fb167dafdf 2445 WOLFSSL_MSG("Bad key DER or compile options");
wolfSSL 13:80fb167dafdf 2446 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2447 }
wolfSSL 13:80fb167dafdf 2448
wolfSSL 13:80fb167dafdf 2449 (void)curveOID;
wolfSSL 13:80fb167dafdf 2450 (void)oidSz;
wolfSSL 13:80fb167dafdf 2451
wolfSSL 13:80fb167dafdf 2452 return 1;
wolfSSL 13:80fb167dafdf 2453 }
wolfSSL 13:80fb167dafdf 2454
wolfSSL 13:80fb167dafdf 2455
wolfSSL 13:80fb167dafdf 2456 /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
wolfSSL 13:80fb167dafdf 2457 of input */
wolfSSL 13:80fb167dafdf 2458 int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL 13:80fb167dafdf 2459 {
wolfSSL 13:80fb167dafdf 2460 word32 inOutIdx = 0, oid;
wolfSSL 13:80fb167dafdf 2461 int ret = 0, first, second, length = 0, version, saltSz, id;
wolfSSL 13:80fb167dafdf 2462 int iterations = 0;
wolfSSL 13:80fb167dafdf 2463 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2464 byte* salt = NULL;
wolfSSL 13:80fb167dafdf 2465 byte* cbcIv = NULL;
wolfSSL 13:80fb167dafdf 2466 #else
wolfSSL 13:80fb167dafdf 2467 byte salt[MAX_SALT_SIZE];
wolfSSL 13:80fb167dafdf 2468 byte cbcIv[MAX_IV_SIZE];
wolfSSL 13:80fb167dafdf 2469 #endif
wolfSSL 13:80fb167dafdf 2470
wolfSSL 13:80fb167dafdf 2471 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 2472 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2473 }
wolfSSL 13:80fb167dafdf 2474
wolfSSL 13:80fb167dafdf 2475 if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2476 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2477 }
wolfSSL 13:80fb167dafdf 2478
wolfSSL 13:80fb167dafdf 2479 first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */
wolfSSL 13:80fb167dafdf 2480 second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL 13:80fb167dafdf 2481
wolfSSL 13:80fb167dafdf 2482 if (CheckAlgo(first, second, &id, &version) < 0) {
wolfSSL 13:80fb167dafdf 2483 ERROR_OUT(ASN_INPUT_E, exit_tte); /* Algo ID error */
wolfSSL 13:80fb167dafdf 2484 }
wolfSSL 13:80fb167dafdf 2485
wolfSSL 13:80fb167dafdf 2486 if (version == PKCS5v2) {
wolfSSL 13:80fb167dafdf 2487 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 2488 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2489 }
wolfSSL 13:80fb167dafdf 2490
wolfSSL 13:80fb167dafdf 2491 if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2492 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2493 }
wolfSSL 13:80fb167dafdf 2494
wolfSSL 13:80fb167dafdf 2495 if (oid != PBKDF2_OID) {
wolfSSL 13:80fb167dafdf 2496 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2497 }
wolfSSL 13:80fb167dafdf 2498 }
wolfSSL 13:80fb167dafdf 2499
wolfSSL 13:80fb167dafdf 2500 if (GetSequence(input, &inOutIdx, &length, sz) <= 0) {
wolfSSL 13:80fb167dafdf 2501 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2502 }
wolfSSL 13:80fb167dafdf 2503
wolfSSL 13:80fb167dafdf 2504 ret = GetOctetString(input, &inOutIdx, &saltSz, sz);
wolfSSL 13:80fb167dafdf 2505 if (ret < 0)
wolfSSL 13:80fb167dafdf 2506 goto exit_tte;
wolfSSL 13:80fb167dafdf 2507
wolfSSL 13:80fb167dafdf 2508 if (saltSz > MAX_SALT_SIZE) {
wolfSSL 13:80fb167dafdf 2509 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2510 }
wolfSSL 13:80fb167dafdf 2511
wolfSSL 13:80fb167dafdf 2512 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2513 salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2514 if (salt == NULL) {
wolfSSL 13:80fb167dafdf 2515 ERROR_OUT(MEMORY_E, exit_tte);
wolfSSL 13:80fb167dafdf 2516 }
wolfSSL 13:80fb167dafdf 2517 #endif
wolfSSL 13:80fb167dafdf 2518
wolfSSL 13:80fb167dafdf 2519 XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL 13:80fb167dafdf 2520 inOutIdx += saltSz;
wolfSSL 13:80fb167dafdf 2521
wolfSSL 13:80fb167dafdf 2522 if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) {
wolfSSL 13:80fb167dafdf 2523 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2524 }
wolfSSL 13:80fb167dafdf 2525
wolfSSL 13:80fb167dafdf 2526 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2527 cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2528 if (cbcIv == NULL) {
wolfSSL 13:80fb167dafdf 2529 ERROR_OUT(MEMORY_E, exit_tte);
wolfSSL 13:80fb167dafdf 2530 }
wolfSSL 13:80fb167dafdf 2531 #endif
wolfSSL 13:80fb167dafdf 2532
wolfSSL 13:80fb167dafdf 2533 if (version == PKCS5v2) {
wolfSSL 13:80fb167dafdf 2534 /* get encryption algo */
wolfSSL 13:80fb167dafdf 2535 /* JOHN: New type. Need a little more research. */
wolfSSL 13:80fb167dafdf 2536 if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2537 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2538 }
wolfSSL 13:80fb167dafdf 2539
wolfSSL 13:80fb167dafdf 2540 if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL 13:80fb167dafdf 2541 ERROR_OUT(ASN_PARSE_E, exit_tte); /* PKCS v2 algo id error */
wolfSSL 13:80fb167dafdf 2542 }
wolfSSL 13:80fb167dafdf 2543
wolfSSL 13:80fb167dafdf 2544 ret = GetOctetString(input, &inOutIdx, &length, sz);
wolfSSL 13:80fb167dafdf 2545 if (ret < 0)
wolfSSL 13:80fb167dafdf 2546 goto exit_tte;
wolfSSL 13:80fb167dafdf 2547
wolfSSL 13:80fb167dafdf 2548 if (length > MAX_IV_SIZE) {
wolfSSL 13:80fb167dafdf 2549 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 13:80fb167dafdf 2550 }
wolfSSL 13:80fb167dafdf 2551
wolfSSL 13:80fb167dafdf 2552 XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL 13:80fb167dafdf 2553 inOutIdx += length;
wolfSSL 13:80fb167dafdf 2554 }
wolfSSL 13:80fb167dafdf 2555
wolfSSL 13:80fb167dafdf 2556 ret = GetOctetString(input, &inOutIdx, &length, sz);
wolfSSL 13:80fb167dafdf 2557 if (ret < 0)
wolfSSL 13:80fb167dafdf 2558 goto exit_tte;
wolfSSL 13:80fb167dafdf 2559
wolfSSL 13:80fb167dafdf 2560 ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL 13:80fb167dafdf 2561 input + inOutIdx, length, version, cbcIv);
wolfSSL 13:80fb167dafdf 2562
wolfSSL 13:80fb167dafdf 2563 exit_tte:
wolfSSL 13:80fb167dafdf 2564 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2565 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2566 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2567 #endif
wolfSSL 13:80fb167dafdf 2568
wolfSSL 13:80fb167dafdf 2569 if (ret == 0) {
wolfSSL 13:80fb167dafdf 2570 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 13:80fb167dafdf 2571 ret = ToTraditional(input, length);
wolfSSL 13:80fb167dafdf 2572 }
wolfSSL 13:80fb167dafdf 2573
wolfSSL 13:80fb167dafdf 2574 return ret;
wolfSSL 13:80fb167dafdf 2575 }
wolfSSL 13:80fb167dafdf 2576
wolfSSL 13:80fb167dafdf 2577 /* decrypt PKCS */
wolfSSL 13:80fb167dafdf 2578 int DecryptContent(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL 13:80fb167dafdf 2579 {
wolfSSL 13:80fb167dafdf 2580 word32 inOutIdx = 0, oid;
wolfSSL 13:80fb167dafdf 2581 int ret = 0;
wolfSSL 13:80fb167dafdf 2582 int first, second, length = 0, version, saltSz, id;
wolfSSL 13:80fb167dafdf 2583 int iterations = 0;
wolfSSL 13:80fb167dafdf 2584 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2585 byte* salt = NULL;
wolfSSL 13:80fb167dafdf 2586 byte* cbcIv = NULL;
wolfSSL 13:80fb167dafdf 2587 #else
wolfSSL 13:80fb167dafdf 2588 byte salt[MAX_SALT_SIZE];
wolfSSL 13:80fb167dafdf 2589 byte cbcIv[MAX_IV_SIZE];
wolfSSL 13:80fb167dafdf 2590 #endif
wolfSSL 13:80fb167dafdf 2591
wolfSSL 13:80fb167dafdf 2592 if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2593 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2594 }
wolfSSL 13:80fb167dafdf 2595
wolfSSL 13:80fb167dafdf 2596 first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */
wolfSSL 13:80fb167dafdf 2597 second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL 13:80fb167dafdf 2598
wolfSSL 13:80fb167dafdf 2599 if (CheckAlgo(first, second, &id, &version) < 0) {
wolfSSL 13:80fb167dafdf 2600 ERROR_OUT(ASN_INPUT_E, exit_dc); /* Algo ID error */
wolfSSL 13:80fb167dafdf 2601 }
wolfSSL 13:80fb167dafdf 2602
wolfSSL 13:80fb167dafdf 2603 if (version == PKCS5v2) {
wolfSSL 13:80fb167dafdf 2604 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 2605 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2606 }
wolfSSL 13:80fb167dafdf 2607
wolfSSL 13:80fb167dafdf 2608 if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2609 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2610 }
wolfSSL 13:80fb167dafdf 2611
wolfSSL 13:80fb167dafdf 2612 if (oid != PBKDF2_OID) {
wolfSSL 13:80fb167dafdf 2613 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2614 }
wolfSSL 13:80fb167dafdf 2615 }
wolfSSL 13:80fb167dafdf 2616
wolfSSL 13:80fb167dafdf 2617 if (GetSequence(input, &inOutIdx, &length, sz) <= 0) {
wolfSSL 13:80fb167dafdf 2618 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2619 }
wolfSSL 13:80fb167dafdf 2620
wolfSSL 13:80fb167dafdf 2621 ret = GetOctetString(input, &inOutIdx, &saltSz, sz);
wolfSSL 13:80fb167dafdf 2622 if (ret < 0)
wolfSSL 13:80fb167dafdf 2623 goto exit_dc;
wolfSSL 13:80fb167dafdf 2624
wolfSSL 13:80fb167dafdf 2625 if (saltSz > MAX_SALT_SIZE) {
wolfSSL 13:80fb167dafdf 2626 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2627 }
wolfSSL 13:80fb167dafdf 2628
wolfSSL 13:80fb167dafdf 2629 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2630 salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2631 if (salt == NULL) {
wolfSSL 13:80fb167dafdf 2632 ERROR_OUT(MEMORY_E, exit_dc);
wolfSSL 13:80fb167dafdf 2633 }
wolfSSL 13:80fb167dafdf 2634 #endif
wolfSSL 13:80fb167dafdf 2635
wolfSSL 13:80fb167dafdf 2636 XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL 13:80fb167dafdf 2637 inOutIdx += saltSz;
wolfSSL 13:80fb167dafdf 2638
wolfSSL 13:80fb167dafdf 2639 if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) {
wolfSSL 13:80fb167dafdf 2640 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2641 }
wolfSSL 13:80fb167dafdf 2642
wolfSSL 13:80fb167dafdf 2643 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2644 cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2645 if (cbcIv == NULL) {
wolfSSL 13:80fb167dafdf 2646 ERROR_OUT(MEMORY_E, exit_dc);
wolfSSL 13:80fb167dafdf 2647 }
wolfSSL 13:80fb167dafdf 2648 #endif
wolfSSL 13:80fb167dafdf 2649
wolfSSL 13:80fb167dafdf 2650 if (version == PKCS5v2) {
wolfSSL 13:80fb167dafdf 2651 /* get encryption algo */
wolfSSL 13:80fb167dafdf 2652 /* JOHN: New type. Need a little more research. */
wolfSSL 13:80fb167dafdf 2653 if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) {
wolfSSL 13:80fb167dafdf 2654 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2655 }
wolfSSL 13:80fb167dafdf 2656
wolfSSL 13:80fb167dafdf 2657 if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL 13:80fb167dafdf 2658 ERROR_OUT(ASN_PARSE_E, exit_dc); /* PKCS v2 algo id error */
wolfSSL 13:80fb167dafdf 2659 }
wolfSSL 13:80fb167dafdf 2660
wolfSSL 13:80fb167dafdf 2661 ret = GetOctetString(input, &inOutIdx, &length, sz);
wolfSSL 13:80fb167dafdf 2662 if (ret < 0)
wolfSSL 13:80fb167dafdf 2663 goto exit_dc;
wolfSSL 13:80fb167dafdf 2664
wolfSSL 13:80fb167dafdf 2665 XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL 13:80fb167dafdf 2666 inOutIdx += length;
wolfSSL 13:80fb167dafdf 2667 }
wolfSSL 13:80fb167dafdf 2668
wolfSSL 13:80fb167dafdf 2669 if (input[inOutIdx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
wolfSSL 13:80fb167dafdf 2670 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2671 }
wolfSSL 13:80fb167dafdf 2672
wolfSSL 13:80fb167dafdf 2673 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 2674 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 13:80fb167dafdf 2675 }
wolfSSL 13:80fb167dafdf 2676
wolfSSL 13:80fb167dafdf 2677 ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL 13:80fb167dafdf 2678 input + inOutIdx, length, version, cbcIv);
wolfSSL 13:80fb167dafdf 2679
wolfSSL 13:80fb167dafdf 2680 exit_dc:
wolfSSL 13:80fb167dafdf 2681
wolfSSL 13:80fb167dafdf 2682 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 2683 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2684 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 2685 #endif
wolfSSL 13:80fb167dafdf 2686
wolfSSL 13:80fb167dafdf 2687 if (ret == 0) {
wolfSSL 13:80fb167dafdf 2688 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 13:80fb167dafdf 2689 ret = length;
wolfSSL 13:80fb167dafdf 2690 }
wolfSSL 13:80fb167dafdf 2691
wolfSSL 13:80fb167dafdf 2692 return ret;
wolfSSL 13:80fb167dafdf 2693 }
wolfSSL 13:80fb167dafdf 2694 #endif /* NO_PWDBASED */
wolfSSL 13:80fb167dafdf 2695
wolfSSL 13:80fb167dafdf 2696 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 2697
wolfSSL 13:80fb167dafdf 2698 #ifndef HAVE_USER_RSA
wolfSSL 13:80fb167dafdf 2699 int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 13:80fb167dafdf 2700 word32 inSz)
wolfSSL 13:80fb167dafdf 2701 {
wolfSSL 13:80fb167dafdf 2702 int length;
wolfSSL 13:80fb167dafdf 2703 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 13:80fb167dafdf 2704 byte b;
wolfSSL 13:80fb167dafdf 2705 #endif
wolfSSL 13:80fb167dafdf 2706 int ret;
wolfSSL 13:80fb167dafdf 2707
wolfSSL 13:80fb167dafdf 2708 if (input == NULL || inOutIdx == NULL || key == NULL)
wolfSSL 13:80fb167dafdf 2709 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2710
wolfSSL 13:80fb167dafdf 2711 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2712 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2713
wolfSSL 13:80fb167dafdf 2714 key->type = RSA_PUBLIC;
wolfSSL 13:80fb167dafdf 2715
wolfSSL 13:80fb167dafdf 2716 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 13:80fb167dafdf 2717 if ((*inOutIdx + 1) > inSz)
wolfSSL 13:80fb167dafdf 2718 return BUFFER_E;
wolfSSL 13:80fb167dafdf 2719
wolfSSL 13:80fb167dafdf 2720 b = input[*inOutIdx];
wolfSSL 13:80fb167dafdf 2721 if (b != ASN_INTEGER) {
wolfSSL 13:80fb167dafdf 2722 /* not from decoded cert, will have algo id, skip past */
wolfSSL 13:80fb167dafdf 2723 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2724 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2725
wolfSSL 13:80fb167dafdf 2726 if (SkipObjectId(input, inOutIdx, inSz) < 0)
wolfSSL 13:80fb167dafdf 2727 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2728
wolfSSL 13:80fb167dafdf 2729 /* Option NULL ASN.1 tag */
wolfSSL 13:80fb167dafdf 2730 if (input[*inOutIdx] == ASN_TAG_NULL) {
wolfSSL 13:80fb167dafdf 2731 ret = GetASNNull(input, inOutIdx, inSz);
wolfSSL 13:80fb167dafdf 2732 if (ret != 0)
wolfSSL 13:80fb167dafdf 2733 return ret;
wolfSSL 13:80fb167dafdf 2734 }
wolfSSL 13:80fb167dafdf 2735
wolfSSL 13:80fb167dafdf 2736 /* should have bit tag length and seq next */
wolfSSL 13:80fb167dafdf 2737 ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
wolfSSL 13:80fb167dafdf 2738 if (ret != 0)
wolfSSL 13:80fb167dafdf 2739 return ret;
wolfSSL 13:80fb167dafdf 2740
wolfSSL 13:80fb167dafdf 2741 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2742 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2743 }
wolfSSL 13:80fb167dafdf 2744 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 2745
wolfSSL 13:80fb167dafdf 2746 if (GetInt(&key->n, input, inOutIdx, inSz) < 0)
wolfSSL 13:80fb167dafdf 2747 return ASN_RSA_KEY_E;
wolfSSL 13:80fb167dafdf 2748 if (GetInt(&key->e, input, inOutIdx, inSz) < 0) {
wolfSSL 13:80fb167dafdf 2749 mp_clear(&key->n);
wolfSSL 13:80fb167dafdf 2750 return ASN_RSA_KEY_E;
wolfSSL 13:80fb167dafdf 2751 }
wolfSSL 13:80fb167dafdf 2752
wolfSSL 13:80fb167dafdf 2753 return 0;
wolfSSL 13:80fb167dafdf 2754 }
wolfSSL 13:80fb167dafdf 2755
wolfSSL 13:80fb167dafdf 2756 /* import RSA public key elements (n, e) into RsaKey structure (key) */
wolfSSL 13:80fb167dafdf 2757 int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
wolfSSL 13:80fb167dafdf 2758 word32 eSz, RsaKey* key)
wolfSSL 13:80fb167dafdf 2759 {
wolfSSL 13:80fb167dafdf 2760 if (n == NULL || e == NULL || key == NULL)
wolfSSL 13:80fb167dafdf 2761 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2762
wolfSSL 13:80fb167dafdf 2763 key->type = RSA_PUBLIC;
wolfSSL 13:80fb167dafdf 2764
wolfSSL 13:80fb167dafdf 2765 if (mp_init(&key->n) != MP_OKAY)
wolfSSL 13:80fb167dafdf 2766 return MP_INIT_E;
wolfSSL 13:80fb167dafdf 2767
wolfSSL 13:80fb167dafdf 2768 if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) {
wolfSSL 13:80fb167dafdf 2769 mp_clear(&key->n);
wolfSSL 13:80fb167dafdf 2770 return ASN_GETINT_E;
wolfSSL 13:80fb167dafdf 2771 }
wolfSSL 13:80fb167dafdf 2772
wolfSSL 13:80fb167dafdf 2773 if (mp_init(&key->e) != MP_OKAY) {
wolfSSL 13:80fb167dafdf 2774 mp_clear(&key->n);
wolfSSL 13:80fb167dafdf 2775 return MP_INIT_E;
wolfSSL 13:80fb167dafdf 2776 }
wolfSSL 13:80fb167dafdf 2777
wolfSSL 13:80fb167dafdf 2778 if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) {
wolfSSL 13:80fb167dafdf 2779 mp_clear(&key->n);
wolfSSL 13:80fb167dafdf 2780 mp_clear(&key->e);
wolfSSL 13:80fb167dafdf 2781 return ASN_GETINT_E;
wolfSSL 13:80fb167dafdf 2782 }
wolfSSL 13:80fb167dafdf 2783
wolfSSL 13:80fb167dafdf 2784 return 0;
wolfSSL 13:80fb167dafdf 2785 }
wolfSSL 13:80fb167dafdf 2786 #endif /* HAVE_USER_RSA */
wolfSSL 13:80fb167dafdf 2787 #endif
wolfSSL 13:80fb167dafdf 2788
wolfSSL 13:80fb167dafdf 2789 #ifndef NO_DH
wolfSSL 13:80fb167dafdf 2790
wolfSSL 13:80fb167dafdf 2791 int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
wolfSSL 13:80fb167dafdf 2792 {
wolfSSL 13:80fb167dafdf 2793 int length;
wolfSSL 13:80fb167dafdf 2794
wolfSSL 13:80fb167dafdf 2795 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2796 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2797
wolfSSL 13:80fb167dafdf 2798 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2799 GetInt(&key->g, input, inOutIdx, inSz) < 0) {
wolfSSL 13:80fb167dafdf 2800 return ASN_DH_KEY_E;
wolfSSL 13:80fb167dafdf 2801 }
wolfSSL 13:80fb167dafdf 2802
wolfSSL 13:80fb167dafdf 2803 return 0;
wolfSSL 13:80fb167dafdf 2804 }
wolfSSL 13:80fb167dafdf 2805
wolfSSL 13:80fb167dafdf 2806
wolfSSL 13:80fb167dafdf 2807 int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
wolfSSL 13:80fb167dafdf 2808 byte* g, word32* gInOutSz)
wolfSSL 13:80fb167dafdf 2809 {
wolfSSL 13:80fb167dafdf 2810 word32 idx = 0;
wolfSSL 13:80fb167dafdf 2811 int ret;
wolfSSL 13:80fb167dafdf 2812 int length;
wolfSSL 13:80fb167dafdf 2813
wolfSSL 13:80fb167dafdf 2814 if (GetSequence(input, &idx, &length, inSz) <= 0)
wolfSSL 13:80fb167dafdf 2815 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2816
wolfSSL 13:80fb167dafdf 2817 ret = GetASNInt(input, &idx, &length, inSz);
wolfSSL 13:80fb167dafdf 2818 if (ret != 0)
wolfSSL 13:80fb167dafdf 2819 return ret;
wolfSSL 13:80fb167dafdf 2820
wolfSSL 13:80fb167dafdf 2821 if (length <= (int)*pInOutSz) {
wolfSSL 13:80fb167dafdf 2822 XMEMCPY(p, &input[idx], length);
wolfSSL 13:80fb167dafdf 2823 *pInOutSz = length;
wolfSSL 13:80fb167dafdf 2824 }
wolfSSL 13:80fb167dafdf 2825 else {
wolfSSL 13:80fb167dafdf 2826 return BUFFER_E;
wolfSSL 13:80fb167dafdf 2827 }
wolfSSL 13:80fb167dafdf 2828 idx += length;
wolfSSL 13:80fb167dafdf 2829
wolfSSL 13:80fb167dafdf 2830 ret = GetASNInt(input, &idx, &length, inSz);
wolfSSL 13:80fb167dafdf 2831 if (ret != 0)
wolfSSL 13:80fb167dafdf 2832 return ret;
wolfSSL 13:80fb167dafdf 2833
wolfSSL 13:80fb167dafdf 2834 if (length <= (int)*gInOutSz) {
wolfSSL 13:80fb167dafdf 2835 XMEMCPY(g, &input[idx], length);
wolfSSL 13:80fb167dafdf 2836 *gInOutSz = length;
wolfSSL 13:80fb167dafdf 2837 }
wolfSSL 13:80fb167dafdf 2838 else {
wolfSSL 13:80fb167dafdf 2839 return BUFFER_E;
wolfSSL 13:80fb167dafdf 2840 }
wolfSSL 13:80fb167dafdf 2841
wolfSSL 13:80fb167dafdf 2842 return 0;
wolfSSL 13:80fb167dafdf 2843 }
wolfSSL 13:80fb167dafdf 2844
wolfSSL 13:80fb167dafdf 2845 #endif /* NO_DH */
wolfSSL 13:80fb167dafdf 2846
wolfSSL 13:80fb167dafdf 2847
wolfSSL 13:80fb167dafdf 2848 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 2849
wolfSSL 13:80fb167dafdf 2850 int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 13:80fb167dafdf 2851 word32 inSz)
wolfSSL 13:80fb167dafdf 2852 {
wolfSSL 13:80fb167dafdf 2853 int length;
wolfSSL 13:80fb167dafdf 2854
wolfSSL 13:80fb167dafdf 2855 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2856 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2857
wolfSSL 13:80fb167dafdf 2858 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2859 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2860 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2861 GetInt(&key->y, input, inOutIdx, inSz) < 0 )
wolfSSL 13:80fb167dafdf 2862 return ASN_DH_KEY_E;
wolfSSL 13:80fb167dafdf 2863
wolfSSL 13:80fb167dafdf 2864 key->type = DSA_PUBLIC;
wolfSSL 13:80fb167dafdf 2865 return 0;
wolfSSL 13:80fb167dafdf 2866 }
wolfSSL 13:80fb167dafdf 2867
wolfSSL 13:80fb167dafdf 2868
wolfSSL 13:80fb167dafdf 2869 int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 13:80fb167dafdf 2870 word32 inSz)
wolfSSL 13:80fb167dafdf 2871 {
wolfSSL 13:80fb167dafdf 2872 int length, version;
wolfSSL 13:80fb167dafdf 2873
wolfSSL 13:80fb167dafdf 2874 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 2875 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2876
wolfSSL 13:80fb167dafdf 2877 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 13:80fb167dafdf 2878 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 2879
wolfSSL 13:80fb167dafdf 2880 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2881 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2882 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2883 GetInt(&key->y, input, inOutIdx, inSz) < 0 ||
wolfSSL 13:80fb167dafdf 2884 GetInt(&key->x, input, inOutIdx, inSz) < 0 )
wolfSSL 13:80fb167dafdf 2885 return ASN_DH_KEY_E;
wolfSSL 13:80fb167dafdf 2886
wolfSSL 13:80fb167dafdf 2887 key->type = DSA_PRIVATE;
wolfSSL 13:80fb167dafdf 2888 return 0;
wolfSSL 13:80fb167dafdf 2889 }
wolfSSL 13:80fb167dafdf 2890
wolfSSL 13:80fb167dafdf 2891 static mp_int* GetDsaInt(DsaKey* key, int idx)
wolfSSL 13:80fb167dafdf 2892 {
wolfSSL 13:80fb167dafdf 2893 if (idx == 0)
wolfSSL 13:80fb167dafdf 2894 return &key->p;
wolfSSL 13:80fb167dafdf 2895 if (idx == 1)
wolfSSL 13:80fb167dafdf 2896 return &key->q;
wolfSSL 13:80fb167dafdf 2897 if (idx == 2)
wolfSSL 13:80fb167dafdf 2898 return &key->g;
wolfSSL 13:80fb167dafdf 2899 if (idx == 3)
wolfSSL 13:80fb167dafdf 2900 return &key->y;
wolfSSL 13:80fb167dafdf 2901 if (idx == 4)
wolfSSL 13:80fb167dafdf 2902 return &key->x;
wolfSSL 13:80fb167dafdf 2903
wolfSSL 13:80fb167dafdf 2904 return NULL;
wolfSSL 13:80fb167dafdf 2905 }
wolfSSL 13:80fb167dafdf 2906
wolfSSL 13:80fb167dafdf 2907 /* Release Tmp DSA resources */
wolfSSL 13:80fb167dafdf 2908 static INLINE void FreeTmpDsas(byte** tmps, void* heap)
wolfSSL 13:80fb167dafdf 2909 {
wolfSSL 13:80fb167dafdf 2910 int i;
wolfSSL 13:80fb167dafdf 2911
wolfSSL 13:80fb167dafdf 2912 for (i = 0; i < DSA_INTS; i++)
wolfSSL 13:80fb167dafdf 2913 XFREE(tmps[i], heap, DYNAMIC_TYPE_DSA);
wolfSSL 13:80fb167dafdf 2914
wolfSSL 13:80fb167dafdf 2915 (void)heap;
wolfSSL 13:80fb167dafdf 2916 }
wolfSSL 13:80fb167dafdf 2917
wolfSSL 13:80fb167dafdf 2918 /* Convert DsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 13:80fb167dafdf 2919 written */
wolfSSL 13:80fb167dafdf 2920 int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
wolfSSL 13:80fb167dafdf 2921 {
wolfSSL 13:80fb167dafdf 2922 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 13:80fb167dafdf 2923 word32 sizes[DSA_INTS];
wolfSSL 13:80fb167dafdf 2924 int i, j, outLen, ret = 0, mpSz;
wolfSSL 13:80fb167dafdf 2925
wolfSSL 13:80fb167dafdf 2926 byte seq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 2927 byte ver[MAX_VERSION_SZ];
wolfSSL 13:80fb167dafdf 2928 byte* tmps[DSA_INTS];
wolfSSL 13:80fb167dafdf 2929
wolfSSL 13:80fb167dafdf 2930 if (!key || !output)
wolfSSL 13:80fb167dafdf 2931 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2932
wolfSSL 13:80fb167dafdf 2933 if (key->type != DSA_PRIVATE)
wolfSSL 13:80fb167dafdf 2934 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2935
wolfSSL 13:80fb167dafdf 2936 for (i = 0; i < DSA_INTS; i++)
wolfSSL 13:80fb167dafdf 2937 tmps[i] = NULL;
wolfSSL 13:80fb167dafdf 2938
wolfSSL 13:80fb167dafdf 2939 /* write all big ints from key to DER tmps */
wolfSSL 13:80fb167dafdf 2940 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 13:80fb167dafdf 2941 mp_int* keyInt = GetDsaInt(key, i);
wolfSSL 13:80fb167dafdf 2942
wolfSSL 13:80fb167dafdf 2943 rawLen = mp_unsigned_bin_size(keyInt) + 1;
wolfSSL 13:80fb167dafdf 2944 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL 13:80fb167dafdf 2945 DYNAMIC_TYPE_DSA);
wolfSSL 13:80fb167dafdf 2946 if (tmps[i] == NULL) {
wolfSSL 13:80fb167dafdf 2947 ret = MEMORY_E;
wolfSSL 13:80fb167dafdf 2948 break;
wolfSSL 13:80fb167dafdf 2949 }
wolfSSL 13:80fb167dafdf 2950
wolfSSL 13:80fb167dafdf 2951 mpSz = SetASNIntMP(keyInt, -1, tmps[i]);
wolfSSL 13:80fb167dafdf 2952 if (mpSz < 0) {
wolfSSL 13:80fb167dafdf 2953 ret = mpSz;
wolfSSL 13:80fb167dafdf 2954 break;
wolfSSL 13:80fb167dafdf 2955 }
wolfSSL 13:80fb167dafdf 2956 intTotalLen += (sizes[i] = mpSz);
wolfSSL 13:80fb167dafdf 2957 }
wolfSSL 13:80fb167dafdf 2958
wolfSSL 13:80fb167dafdf 2959 if (ret != 0) {
wolfSSL 13:80fb167dafdf 2960 FreeTmpDsas(tmps, key->heap);
wolfSSL 13:80fb167dafdf 2961 return ret;
wolfSSL 13:80fb167dafdf 2962 }
wolfSSL 13:80fb167dafdf 2963
wolfSSL 13:80fb167dafdf 2964 /* make headers */
wolfSSL 13:80fb167dafdf 2965 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 13:80fb167dafdf 2966 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 13:80fb167dafdf 2967
wolfSSL 13:80fb167dafdf 2968 outLen = seqSz + verSz + intTotalLen;
wolfSSL 13:80fb167dafdf 2969 if (outLen > (int)inLen)
wolfSSL 13:80fb167dafdf 2970 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 2971
wolfSSL 13:80fb167dafdf 2972 /* write to output */
wolfSSL 13:80fb167dafdf 2973 XMEMCPY(output, seq, seqSz);
wolfSSL 13:80fb167dafdf 2974 j = seqSz;
wolfSSL 13:80fb167dafdf 2975 XMEMCPY(output + j, ver, verSz);
wolfSSL 13:80fb167dafdf 2976 j += verSz;
wolfSSL 13:80fb167dafdf 2977
wolfSSL 13:80fb167dafdf 2978 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 13:80fb167dafdf 2979 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 13:80fb167dafdf 2980 j += sizes[i];
wolfSSL 13:80fb167dafdf 2981 }
wolfSSL 13:80fb167dafdf 2982 FreeTmpDsas(tmps, key->heap);
wolfSSL 13:80fb167dafdf 2983
wolfSSL 13:80fb167dafdf 2984 return outLen;
wolfSSL 13:80fb167dafdf 2985 }
wolfSSL 13:80fb167dafdf 2986
wolfSSL 13:80fb167dafdf 2987 #endif /* NO_DSA */
wolfSSL 13:80fb167dafdf 2988
wolfSSL 13:80fb167dafdf 2989
wolfSSL 13:80fb167dafdf 2990 void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
wolfSSL 13:80fb167dafdf 2991 {
wolfSSL 13:80fb167dafdf 2992 cert->publicKey = 0;
wolfSSL 13:80fb167dafdf 2993 cert->pubKeySize = 0;
wolfSSL 13:80fb167dafdf 2994 cert->pubKeyStored = 0;
wolfSSL 13:80fb167dafdf 2995 cert->keyOID = 0;
wolfSSL 13:80fb167dafdf 2996 cert->version = 0;
wolfSSL 13:80fb167dafdf 2997 cert->signature = 0;
wolfSSL 13:80fb167dafdf 2998 cert->subjectCN = 0;
wolfSSL 13:80fb167dafdf 2999 cert->subjectCNLen = 0;
wolfSSL 13:80fb167dafdf 3000 cert->subjectCNEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3001 cert->subjectCNStored = 0;
wolfSSL 13:80fb167dafdf 3002 cert->weOwnAltNames = 0;
wolfSSL 13:80fb167dafdf 3003 cert->altNames = NULL;
wolfSSL 13:80fb167dafdf 3004 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 3005 cert->altEmailNames = NULL;
wolfSSL 13:80fb167dafdf 3006 cert->permittedNames = NULL;
wolfSSL 13:80fb167dafdf 3007 cert->excludedNames = NULL;
wolfSSL 13:80fb167dafdf 3008 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 3009 cert->issuer[0] = '\0';
wolfSSL 13:80fb167dafdf 3010 cert->subject[0] = '\0';
wolfSSL 13:80fb167dafdf 3011 cert->source = source; /* don't own */
wolfSSL 13:80fb167dafdf 3012 cert->srcIdx = 0;
wolfSSL 13:80fb167dafdf 3013 cert->maxIdx = inSz; /* can't go over this index */
wolfSSL 13:80fb167dafdf 3014 cert->heap = heap;
wolfSSL 13:80fb167dafdf 3015 XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE);
wolfSSL 13:80fb167dafdf 3016 cert->serialSz = 0;
wolfSSL 13:80fb167dafdf 3017 cert->extensions = 0;
wolfSSL 13:80fb167dafdf 3018 cert->extensionsSz = 0;
wolfSSL 13:80fb167dafdf 3019 cert->extensionsIdx = 0;
wolfSSL 13:80fb167dafdf 3020 cert->extAuthInfo = NULL;
wolfSSL 13:80fb167dafdf 3021 cert->extAuthInfoSz = 0;
wolfSSL 13:80fb167dafdf 3022 cert->extCrlInfo = NULL;
wolfSSL 13:80fb167dafdf 3023 cert->extCrlInfoSz = 0;
wolfSSL 13:80fb167dafdf 3024 XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 3025 cert->extSubjKeyIdSet = 0;
wolfSSL 13:80fb167dafdf 3026 XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 3027 cert->extAuthKeyIdSet = 0;
wolfSSL 13:80fb167dafdf 3028 cert->extKeyUsageSet = 0;
wolfSSL 13:80fb167dafdf 3029 cert->extKeyUsage = 0;
wolfSSL 13:80fb167dafdf 3030 cert->extExtKeyUsageSet = 0;
wolfSSL 13:80fb167dafdf 3031 cert->extExtKeyUsage = 0;
wolfSSL 13:80fb167dafdf 3032 cert->isCA = 0;
wolfSSL 13:80fb167dafdf 3033 cert->pathLengthSet = 0;
wolfSSL 13:80fb167dafdf 3034 cert->pathLength = 0;
wolfSSL 13:80fb167dafdf 3035 #ifdef HAVE_PKCS7
wolfSSL 13:80fb167dafdf 3036 cert->issuerRaw = NULL;
wolfSSL 13:80fb167dafdf 3037 cert->issuerRawLen = 0;
wolfSSL 13:80fb167dafdf 3038 #endif
wolfSSL 13:80fb167dafdf 3039 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3040 cert->subjectSN = 0;
wolfSSL 13:80fb167dafdf 3041 cert->subjectSNLen = 0;
wolfSSL 13:80fb167dafdf 3042 cert->subjectSNEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3043 cert->subjectC = 0;
wolfSSL 13:80fb167dafdf 3044 cert->subjectCLen = 0;
wolfSSL 13:80fb167dafdf 3045 cert->subjectCEnc = CTC_PRINTABLE;
wolfSSL 13:80fb167dafdf 3046 cert->subjectL = 0;
wolfSSL 13:80fb167dafdf 3047 cert->subjectLLen = 0;
wolfSSL 13:80fb167dafdf 3048 cert->subjectLEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3049 cert->subjectST = 0;
wolfSSL 13:80fb167dafdf 3050 cert->subjectSTLen = 0;
wolfSSL 13:80fb167dafdf 3051 cert->subjectSTEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3052 cert->subjectO = 0;
wolfSSL 13:80fb167dafdf 3053 cert->subjectOLen = 0;
wolfSSL 13:80fb167dafdf 3054 cert->subjectOEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3055 cert->subjectOU = 0;
wolfSSL 13:80fb167dafdf 3056 cert->subjectOULen = 0;
wolfSSL 13:80fb167dafdf 3057 cert->subjectOUEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 3058 cert->subjectEmail = 0;
wolfSSL 13:80fb167dafdf 3059 cert->subjectEmailLen = 0;
wolfSSL 13:80fb167dafdf 3060 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3061 cert->beforeDate = NULL;
wolfSSL 13:80fb167dafdf 3062 cert->beforeDateLen = 0;
wolfSSL 13:80fb167dafdf 3063 cert->afterDate = NULL;
wolfSSL 13:80fb167dafdf 3064 cert->afterDateLen = 0;
wolfSSL 13:80fb167dafdf 3065 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3066 XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
wolfSSL 13:80fb167dafdf 3067 XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
wolfSSL 13:80fb167dafdf 3068 cert->extCRLdistSet = 0;
wolfSSL 13:80fb167dafdf 3069 cert->extCRLdistCrit = 0;
wolfSSL 13:80fb167dafdf 3070 cert->extAuthInfoSet = 0;
wolfSSL 13:80fb167dafdf 3071 cert->extAuthInfoCrit = 0;
wolfSSL 13:80fb167dafdf 3072 cert->extBasicConstSet = 0;
wolfSSL 13:80fb167dafdf 3073 cert->extBasicConstCrit = 0;
wolfSSL 13:80fb167dafdf 3074 cert->extSubjAltNameSet = 0;
wolfSSL 13:80fb167dafdf 3075 cert->extSubjAltNameCrit = 0;
wolfSSL 13:80fb167dafdf 3076 cert->extAuthKeyIdCrit = 0;
wolfSSL 13:80fb167dafdf 3077 cert->extSubjKeyIdCrit = 0;
wolfSSL 13:80fb167dafdf 3078 cert->extKeyUsageCrit = 0;
wolfSSL 13:80fb167dafdf 3079 cert->extExtKeyUsageCrit = 0;
wolfSSL 13:80fb167dafdf 3080 cert->extExtKeyUsageSrc = NULL;
wolfSSL 13:80fb167dafdf 3081 cert->extExtKeyUsageSz = 0;
wolfSSL 13:80fb167dafdf 3082 cert->extExtKeyUsageCount = 0;
wolfSSL 13:80fb167dafdf 3083 cert->extAuthKeyIdSrc = NULL;
wolfSSL 13:80fb167dafdf 3084 cert->extAuthKeyIdSz = 0;
wolfSSL 13:80fb167dafdf 3085 cert->extSubjKeyIdSrc = NULL;
wolfSSL 13:80fb167dafdf 3086 cert->extSubjKeyIdSz = 0;
wolfSSL 13:80fb167dafdf 3087 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3088 #if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS)
wolfSSL 13:80fb167dafdf 3089 cert->extNameConstraintSet = 0;
wolfSSL 13:80fb167dafdf 3090 #endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 3091 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 3092 cert->pkCurveOID = 0;
wolfSSL 13:80fb167dafdf 3093 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 3094 #ifdef WOLFSSL_SEP
wolfSSL 13:80fb167dafdf 3095 cert->deviceTypeSz = 0;
wolfSSL 13:80fb167dafdf 3096 cert->deviceType = NULL;
wolfSSL 13:80fb167dafdf 3097 cert->hwTypeSz = 0;
wolfSSL 13:80fb167dafdf 3098 cert->hwType = NULL;
wolfSSL 13:80fb167dafdf 3099 cert->hwSerialNumSz = 0;
wolfSSL 13:80fb167dafdf 3100 cert->hwSerialNum = NULL;
wolfSSL 13:80fb167dafdf 3101 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3102 cert->extCertPolicySet = 0;
wolfSSL 13:80fb167dafdf 3103 cert->extCertPolicyCrit = 0;
wolfSSL 13:80fb167dafdf 3104 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3105 #endif /* WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 3106 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 3107 XMEMSET(cert->extCertPolicies, 0, MAX_CERTPOL_NB*MAX_CERTPOL_SZ);
wolfSSL 13:80fb167dafdf 3108 cert->extCertPoliciesNb = 0;
wolfSSL 13:80fb167dafdf 3109 #endif
wolfSSL 13:80fb167dafdf 3110
wolfSSL 13:80fb167dafdf 3111 cert->ca = NULL;
wolfSSL 13:80fb167dafdf 3112 InitSignatureCtx(&cert->sigCtx, heap, INVALID_DEVID);
wolfSSL 13:80fb167dafdf 3113 }
wolfSSL 13:80fb167dafdf 3114
wolfSSL 13:80fb167dafdf 3115
wolfSSL 13:80fb167dafdf 3116 void FreeAltNames(DNS_entry* altNames, void* heap)
wolfSSL 13:80fb167dafdf 3117 {
wolfSSL 13:80fb167dafdf 3118 (void)heap;
wolfSSL 13:80fb167dafdf 3119
wolfSSL 13:80fb167dafdf 3120 while (altNames) {
wolfSSL 13:80fb167dafdf 3121 DNS_entry* tmp = altNames->next;
wolfSSL 13:80fb167dafdf 3122
wolfSSL 13:80fb167dafdf 3123 XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3124 XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3125 altNames = tmp;
wolfSSL 13:80fb167dafdf 3126 }
wolfSSL 13:80fb167dafdf 3127 }
wolfSSL 13:80fb167dafdf 3128
wolfSSL 13:80fb167dafdf 3129 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 3130
wolfSSL 13:80fb167dafdf 3131 void FreeNameSubtrees(Base_entry* names, void* heap)
wolfSSL 13:80fb167dafdf 3132 {
wolfSSL 13:80fb167dafdf 3133 (void)heap;
wolfSSL 13:80fb167dafdf 3134
wolfSSL 13:80fb167dafdf 3135 while (names) {
wolfSSL 13:80fb167dafdf 3136 Base_entry* tmp = names->next;
wolfSSL 13:80fb167dafdf 3137
wolfSSL 13:80fb167dafdf 3138 XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3139 XFREE(names, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3140 names = tmp;
wolfSSL 13:80fb167dafdf 3141 }
wolfSSL 13:80fb167dafdf 3142 }
wolfSSL 13:80fb167dafdf 3143
wolfSSL 13:80fb167dafdf 3144 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 3145
wolfSSL 13:80fb167dafdf 3146 void FreeDecodedCert(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 3147 {
wolfSSL 13:80fb167dafdf 3148 if (cert->subjectCNStored == 1)
wolfSSL 13:80fb167dafdf 3149 XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 13:80fb167dafdf 3150 if (cert->pubKeyStored == 1)
wolfSSL 13:80fb167dafdf 3151 XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 13:80fb167dafdf 3152 if (cert->weOwnAltNames && cert->altNames)
wolfSSL 13:80fb167dafdf 3153 FreeAltNames(cert->altNames, cert->heap);
wolfSSL 13:80fb167dafdf 3154 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 3155 if (cert->altEmailNames)
wolfSSL 13:80fb167dafdf 3156 FreeAltNames(cert->altEmailNames, cert->heap);
wolfSSL 13:80fb167dafdf 3157 if (cert->permittedNames)
wolfSSL 13:80fb167dafdf 3158 FreeNameSubtrees(cert->permittedNames, cert->heap);
wolfSSL 13:80fb167dafdf 3159 if (cert->excludedNames)
wolfSSL 13:80fb167dafdf 3160 FreeNameSubtrees(cert->excludedNames, cert->heap);
wolfSSL 13:80fb167dafdf 3161 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 3162 #ifdef WOLFSSL_SEP
wolfSSL 13:80fb167dafdf 3163 XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 3164 XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 3165 XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 3166 #endif /* WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 3167 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3168 if (cert->issuerName.fullName != NULL)
wolfSSL 13:80fb167dafdf 3169 XFREE(cert->issuerName.fullName, cert->heap, DYNAMIC_TYPE_X509);
wolfSSL 13:80fb167dafdf 3170 if (cert->subjectName.fullName != NULL)
wolfSSL 13:80fb167dafdf 3171 XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
wolfSSL 13:80fb167dafdf 3172 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3173 FreeSignatureCtx(&cert->sigCtx);
wolfSSL 13:80fb167dafdf 3174 }
wolfSSL 13:80fb167dafdf 3175
wolfSSL 13:80fb167dafdf 3176 static int GetCertHeader(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 3177 {
wolfSSL 13:80fb167dafdf 3178 int ret = 0, len;
wolfSSL 13:80fb167dafdf 3179
wolfSSL 13:80fb167dafdf 3180 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3181 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3182
wolfSSL 13:80fb167dafdf 3183 cert->certBegin = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3184
wolfSSL 13:80fb167dafdf 3185 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3186 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3187 cert->sigIndex = len + cert->srcIdx;
wolfSSL 13:80fb167dafdf 3188
wolfSSL 13:80fb167dafdf 3189 if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version,
wolfSSL 13:80fb167dafdf 3190 cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3191 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3192
wolfSSL 13:80fb167dafdf 3193 if (GetSerialNumber(cert->source, &cert->srcIdx, cert->serial,
wolfSSL 13:80fb167dafdf 3194 &cert->serialSz, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3195 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3196
wolfSSL 13:80fb167dafdf 3197 return ret;
wolfSSL 13:80fb167dafdf 3198 }
wolfSSL 13:80fb167dafdf 3199
wolfSSL 13:80fb167dafdf 3200 #if !defined(NO_RSA)
wolfSSL 13:80fb167dafdf 3201 /* Store Rsa Key, may save later, Dsa could use in future */
wolfSSL 13:80fb167dafdf 3202 static int StoreRsaKey(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 3203 {
wolfSSL 13:80fb167dafdf 3204 int length;
wolfSSL 13:80fb167dafdf 3205 word32 recvd = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3206
wolfSSL 13:80fb167dafdf 3207 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3208 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3209
wolfSSL 13:80fb167dafdf 3210 recvd = cert->srcIdx - recvd;
wolfSSL 13:80fb167dafdf 3211 length += recvd;
wolfSSL 13:80fb167dafdf 3212
wolfSSL 13:80fb167dafdf 3213 while (recvd--)
wolfSSL 13:80fb167dafdf 3214 cert->srcIdx--;
wolfSSL 13:80fb167dafdf 3215
wolfSSL 13:80fb167dafdf 3216 cert->pubKeySize = length;
wolfSSL 13:80fb167dafdf 3217 cert->publicKey = cert->source + cert->srcIdx;
wolfSSL 13:80fb167dafdf 3218 cert->srcIdx += length;
wolfSSL 13:80fb167dafdf 3219
wolfSSL 13:80fb167dafdf 3220 return 0;
wolfSSL 13:80fb167dafdf 3221 }
wolfSSL 13:80fb167dafdf 3222 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 3223
wolfSSL 13:80fb167dafdf 3224 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 3225
wolfSSL 13:80fb167dafdf 3226 /* return 0 on success if the ECC curve oid sum is supported */
wolfSSL 13:80fb167dafdf 3227 static int CheckCurve(word32 oid)
wolfSSL 13:80fb167dafdf 3228 {
wolfSSL 13:80fb167dafdf 3229 int ret = 0;
wolfSSL 13:80fb167dafdf 3230 word32 oidSz = 0;
wolfSSL 13:80fb167dafdf 3231
wolfSSL 13:80fb167dafdf 3232 ret = wc_ecc_get_oid(oid, NULL, &oidSz);
wolfSSL 13:80fb167dafdf 3233 if (ret < 0 || oidSz <= 0) {
wolfSSL 13:80fb167dafdf 3234 WOLFSSL_MSG("CheckCurve not found");
wolfSSL 13:80fb167dafdf 3235 ret = ALGO_ID_E;
wolfSSL 13:80fb167dafdf 3236 }
wolfSSL 13:80fb167dafdf 3237
wolfSSL 13:80fb167dafdf 3238 return ret;
wolfSSL 13:80fb167dafdf 3239 }
wolfSSL 13:80fb167dafdf 3240
wolfSSL 13:80fb167dafdf 3241 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 3242
wolfSSL 13:80fb167dafdf 3243 static int GetKey(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 3244 {
wolfSSL 13:80fb167dafdf 3245 int length;
wolfSSL 13:80fb167dafdf 3246 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 3247 int tmpIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3248 #endif
wolfSSL 13:80fb167dafdf 3249
wolfSSL 13:80fb167dafdf 3250 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3251 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3252
wolfSSL 13:80fb167dafdf 3253 if (GetAlgoId(cert->source, &cert->srcIdx,
wolfSSL 13:80fb167dafdf 3254 &cert->keyOID, oidKeyType, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3255 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3256
wolfSSL 13:80fb167dafdf 3257 switch (cert->keyOID) {
wolfSSL 13:80fb167dafdf 3258 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 3259 case RSAk:
wolfSSL 13:80fb167dafdf 3260 {
wolfSSL 13:80fb167dafdf 3261 int ret;
wolfSSL 13:80fb167dafdf 3262 ret = CheckBitString(cert->source, &cert->srcIdx, NULL,
wolfSSL 13:80fb167dafdf 3263 cert->maxIdx, 1, NULL);
wolfSSL 13:80fb167dafdf 3264 if (ret != 0)
wolfSSL 13:80fb167dafdf 3265 return ret;
wolfSSL 13:80fb167dafdf 3266
wolfSSL 13:80fb167dafdf 3267 return StoreRsaKey(cert);
wolfSSL 13:80fb167dafdf 3268 }
wolfSSL 13:80fb167dafdf 3269
wolfSSL 13:80fb167dafdf 3270 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 3271 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 3272 case NTRUk:
wolfSSL 13:80fb167dafdf 3273 {
wolfSSL 13:80fb167dafdf 3274 const byte* key = &cert->source[tmpIdx];
wolfSSL 13:80fb167dafdf 3275 byte* next = (byte*)key;
wolfSSL 13:80fb167dafdf 3276 word16 keyLen;
wolfSSL 13:80fb167dafdf 3277 word32 rc;
wolfSSL 13:80fb167dafdf 3278 word32 remaining = cert->maxIdx - cert->srcIdx;
wolfSSL 13:80fb167dafdf 3279 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3280 byte* keyBlob = NULL;
wolfSSL 13:80fb167dafdf 3281 #else
wolfSSL 13:80fb167dafdf 3282 byte keyBlob[MAX_NTRU_KEY_SZ];
wolfSSL 13:80fb167dafdf 3283 #endif
wolfSSL 13:80fb167dafdf 3284 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 13:80fb167dafdf 3285 &keyLen, NULL, &next, &remaining);
wolfSSL 13:80fb167dafdf 3286 if (rc != NTRU_OK)
wolfSSL 13:80fb167dafdf 3287 return ASN_NTRU_KEY_E;
wolfSSL 13:80fb167dafdf 3288 if (keyLen > MAX_NTRU_KEY_SZ)
wolfSSL 13:80fb167dafdf 3289 return ASN_NTRU_KEY_E;
wolfSSL 13:80fb167dafdf 3290
wolfSSL 13:80fb167dafdf 3291 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3292 keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL,
wolfSSL 13:80fb167dafdf 3293 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 3294 if (keyBlob == NULL)
wolfSSL 13:80fb167dafdf 3295 return MEMORY_E;
wolfSSL 13:80fb167dafdf 3296 #endif
wolfSSL 13:80fb167dafdf 3297
wolfSSL 13:80fb167dafdf 3298 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 13:80fb167dafdf 3299 &keyLen, keyBlob, &next, &remaining);
wolfSSL 13:80fb167dafdf 3300 if (rc != NTRU_OK) {
wolfSSL 13:80fb167dafdf 3301 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3302 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 3303 #endif
wolfSSL 13:80fb167dafdf 3304 return ASN_NTRU_KEY_E;
wolfSSL 13:80fb167dafdf 3305 }
wolfSSL 13:80fb167dafdf 3306
wolfSSL 13:80fb167dafdf 3307 if ( (next - key) < 0) {
wolfSSL 13:80fb167dafdf 3308 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3309 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 3310 #endif
wolfSSL 13:80fb167dafdf 3311 return ASN_NTRU_KEY_E;
wolfSSL 13:80fb167dafdf 3312 }
wolfSSL 13:80fb167dafdf 3313
wolfSSL 13:80fb167dafdf 3314 cert->srcIdx = tmpIdx + (int)(next - key);
wolfSSL 13:80fb167dafdf 3315
wolfSSL 13:80fb167dafdf 3316 cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap,
wolfSSL 13:80fb167dafdf 3317 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 13:80fb167dafdf 3318 if (cert->publicKey == NULL) {
wolfSSL 13:80fb167dafdf 3319 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3320 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 3321 #endif
wolfSSL 13:80fb167dafdf 3322 return MEMORY_E;
wolfSSL 13:80fb167dafdf 3323 }
wolfSSL 13:80fb167dafdf 3324 XMEMCPY(cert->publicKey, keyBlob, keyLen);
wolfSSL 13:80fb167dafdf 3325 cert->pubKeyStored = 1;
wolfSSL 13:80fb167dafdf 3326 cert->pubKeySize = keyLen;
wolfSSL 13:80fb167dafdf 3327
wolfSSL 13:80fb167dafdf 3328 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 3329 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 3330 #endif
wolfSSL 13:80fb167dafdf 3331
wolfSSL 13:80fb167dafdf 3332 return 0;
wolfSSL 13:80fb167dafdf 3333 }
wolfSSL 13:80fb167dafdf 3334 #endif /* HAVE_NTRU */
wolfSSL 13:80fb167dafdf 3335 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 3336 case ECDSAk:
wolfSSL 13:80fb167dafdf 3337 {
wolfSSL 13:80fb167dafdf 3338 int ret;
wolfSSL 13:80fb167dafdf 3339
wolfSSL 13:80fb167dafdf 3340 if (GetObjectId(cert->source, &cert->srcIdx,
wolfSSL 13:80fb167dafdf 3341 &cert->pkCurveOID, oidCurveType, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3342 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3343
wolfSSL 13:80fb167dafdf 3344 if (CheckCurve(cert->pkCurveOID) < 0)
wolfSSL 13:80fb167dafdf 3345 return ECC_CURVE_OID_E;
wolfSSL 13:80fb167dafdf 3346
wolfSSL 13:80fb167dafdf 3347 /* key header */
wolfSSL 13:80fb167dafdf 3348 ret = CheckBitString(cert->source, &cert->srcIdx, &length,
wolfSSL 13:80fb167dafdf 3349 cert->maxIdx, 1, NULL);
wolfSSL 13:80fb167dafdf 3350 if (ret != 0)
wolfSSL 13:80fb167dafdf 3351 return ret;
wolfSSL 13:80fb167dafdf 3352
wolfSSL 13:80fb167dafdf 3353 cert->publicKey = (byte*) XMALLOC(length, cert->heap,
wolfSSL 13:80fb167dafdf 3354 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 13:80fb167dafdf 3355 if (cert->publicKey == NULL)
wolfSSL 13:80fb167dafdf 3356 return MEMORY_E;
wolfSSL 13:80fb167dafdf 3357 XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
wolfSSL 13:80fb167dafdf 3358 cert->pubKeyStored = 1;
wolfSSL 13:80fb167dafdf 3359 cert->pubKeySize = length;
wolfSSL 13:80fb167dafdf 3360
wolfSSL 13:80fb167dafdf 3361 cert->srcIdx += length;
wolfSSL 13:80fb167dafdf 3362
wolfSSL 13:80fb167dafdf 3363 return 0;
wolfSSL 13:80fb167dafdf 3364 }
wolfSSL 13:80fb167dafdf 3365 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 3366 default:
wolfSSL 13:80fb167dafdf 3367 return ASN_UNKNOWN_OID_E;
wolfSSL 13:80fb167dafdf 3368 }
wolfSSL 13:80fb167dafdf 3369 }
wolfSSL 13:80fb167dafdf 3370
wolfSSL 13:80fb167dafdf 3371 /* process NAME, either issuer or subject */
wolfSSL 13:80fb167dafdf 3372 static int GetName(DecodedCert* cert, int nameType)
wolfSSL 13:80fb167dafdf 3373 {
wolfSSL 13:80fb167dafdf 3374 int length; /* length of all distinguished names */
wolfSSL 13:80fb167dafdf 3375 int dummy;
wolfSSL 13:80fb167dafdf 3376 int ret;
wolfSSL 13:80fb167dafdf 3377 char* full;
wolfSSL 13:80fb167dafdf 3378 byte* hash;
wolfSSL 13:80fb167dafdf 3379 word32 idx;
wolfSSL 13:80fb167dafdf 3380 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3381 DecodedName* dName =
wolfSSL 13:80fb167dafdf 3382 (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
wolfSSL 13:80fb167dafdf 3383 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3384
wolfSSL 13:80fb167dafdf 3385 WOLFSSL_MSG("Getting Cert Name");
wolfSSL 13:80fb167dafdf 3386
wolfSSL 13:80fb167dafdf 3387 if (nameType == ISSUER) {
wolfSSL 13:80fb167dafdf 3388 full = cert->issuer;
wolfSSL 13:80fb167dafdf 3389 hash = cert->issuerHash;
wolfSSL 13:80fb167dafdf 3390 }
wolfSSL 13:80fb167dafdf 3391 else {
wolfSSL 13:80fb167dafdf 3392 full = cert->subject;
wolfSSL 13:80fb167dafdf 3393 hash = cert->subjectHash;
wolfSSL 13:80fb167dafdf 3394 }
wolfSSL 13:80fb167dafdf 3395
wolfSSL 13:80fb167dafdf 3396 if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
wolfSSL 13:80fb167dafdf 3397 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 13:80fb167dafdf 3398
wolfSSL 13:80fb167dafdf 3399 if (SkipObjectId(cert->source, &cert->srcIdx, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3400 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3401 WOLFSSL_MSG("Got optional prefix");
wolfSSL 13:80fb167dafdf 3402 }
wolfSSL 13:80fb167dafdf 3403
wolfSSL 13:80fb167dafdf 3404 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 13:80fb167dafdf 3405 * calculated over the entire DER encoding of the Name field, including
wolfSSL 13:80fb167dafdf 3406 * the tag and length. */
wolfSSL 13:80fb167dafdf 3407 idx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3408 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3409 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3410
wolfSSL 13:80fb167dafdf 3411 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 3412 ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 13:80fb167dafdf 3413 #else
wolfSSL 13:80fb167dafdf 3414 ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 13:80fb167dafdf 3415 #endif
wolfSSL 13:80fb167dafdf 3416 if (ret != 0)
wolfSSL 13:80fb167dafdf 3417 return ret;
wolfSSL 13:80fb167dafdf 3418
wolfSSL 13:80fb167dafdf 3419 length += cert->srcIdx;
wolfSSL 13:80fb167dafdf 3420 idx = 0;
wolfSSL 13:80fb167dafdf 3421
wolfSSL 13:80fb167dafdf 3422 #ifdef HAVE_PKCS7
wolfSSL 13:80fb167dafdf 3423 /* store pointer to raw issuer */
wolfSSL 13:80fb167dafdf 3424 if (nameType == ISSUER) {
wolfSSL 13:80fb167dafdf 3425 cert->issuerRaw = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3426 cert->issuerRawLen = length - cert->srcIdx;
wolfSSL 13:80fb167dafdf 3427 }
wolfSSL 13:80fb167dafdf 3428 #endif
wolfSSL 13:80fb167dafdf 3429 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 3430 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3431 cert->subjectRaw = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3432 cert->subjectRawLen = length - cert->srcIdx;
wolfSSL 13:80fb167dafdf 3433 }
wolfSSL 13:80fb167dafdf 3434 #endif
wolfSSL 13:80fb167dafdf 3435
wolfSSL 13:80fb167dafdf 3436 while (cert->srcIdx < (word32)length) {
wolfSSL 13:80fb167dafdf 3437 byte b;
wolfSSL 13:80fb167dafdf 3438 byte joint[2];
wolfSSL 13:80fb167dafdf 3439 byte tooBig = FALSE;
wolfSSL 13:80fb167dafdf 3440 int oidSz;
wolfSSL 13:80fb167dafdf 3441
wolfSSL 13:80fb167dafdf 3442 if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 3443 WOLFSSL_MSG("Cert name lacks set header, trying sequence");
wolfSSL 13:80fb167dafdf 3444 }
wolfSSL 13:80fb167dafdf 3445
wolfSSL 13:80fb167dafdf 3446 if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) <= 0)
wolfSSL 13:80fb167dafdf 3447 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3448
wolfSSL 13:80fb167dafdf 3449 ret = GetASNObjectId(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx);
wolfSSL 13:80fb167dafdf 3450 if (ret != 0)
wolfSSL 13:80fb167dafdf 3451 return ret;
wolfSSL 13:80fb167dafdf 3452
wolfSSL 13:80fb167dafdf 3453 /* make sure there is room for joint */
wolfSSL 13:80fb167dafdf 3454 if ((cert->srcIdx + sizeof(joint)) > cert->maxIdx)
wolfSSL 13:80fb167dafdf 3455 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3456
wolfSSL 13:80fb167dafdf 3457 XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint));
wolfSSL 13:80fb167dafdf 3458
wolfSSL 13:80fb167dafdf 3459 /* v1 name types */
wolfSSL 13:80fb167dafdf 3460 if (joint[0] == 0x55 && joint[1] == 0x04) {
wolfSSL 13:80fb167dafdf 3461 byte id;
wolfSSL 13:80fb167dafdf 3462 byte copy = FALSE;
wolfSSL 13:80fb167dafdf 3463 int strLen;
wolfSSL 13:80fb167dafdf 3464
wolfSSL 13:80fb167dafdf 3465 cert->srcIdx += 2;
wolfSSL 13:80fb167dafdf 3466 id = cert->source[cert->srcIdx++];
wolfSSL 13:80fb167dafdf 3467 b = cert->source[cert->srcIdx++]; /* encoding */
wolfSSL 13:80fb167dafdf 3468
wolfSSL 13:80fb167dafdf 3469 if (GetLength(cert->source, &cert->srcIdx, &strLen,
wolfSSL 13:80fb167dafdf 3470 cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3471 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3472
wolfSSL 13:80fb167dafdf 3473 if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 13:80fb167dafdf 3474 /* include biggest pre fix header too 4 = "/serialNumber=" */
wolfSSL 13:80fb167dafdf 3475 WOLFSSL_MSG("ASN Name too big, skipping");
wolfSSL 13:80fb167dafdf 3476 tooBig = TRUE;
wolfSSL 13:80fb167dafdf 3477 }
wolfSSL 13:80fb167dafdf 3478
wolfSSL 13:80fb167dafdf 3479 if (id == ASN_COMMON_NAME) {
wolfSSL 13:80fb167dafdf 3480 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3481 cert->subjectCN = (char *)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3482 cert->subjectCNLen = strLen;
wolfSSL 13:80fb167dafdf 3483 cert->subjectCNEnc = b;
wolfSSL 13:80fb167dafdf 3484 }
wolfSSL 13:80fb167dafdf 3485
wolfSSL 13:80fb167dafdf 3486 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3487 XMEMCPY(&full[idx], "/CN=", 4);
wolfSSL 13:80fb167dafdf 3488 idx += 4;
wolfSSL 13:80fb167dafdf 3489 copy = TRUE;
wolfSSL 13:80fb167dafdf 3490 }
wolfSSL 13:80fb167dafdf 3491 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3492 dName->cnIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3493 dName->cnLen = strLen;
wolfSSL 13:80fb167dafdf 3494 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3495 }
wolfSSL 13:80fb167dafdf 3496 else if (id == ASN_SUR_NAME) {
wolfSSL 13:80fb167dafdf 3497 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3498 XMEMCPY(&full[idx], "/SN=", 4);
wolfSSL 13:80fb167dafdf 3499 idx += 4;
wolfSSL 13:80fb167dafdf 3500 copy = TRUE;
wolfSSL 13:80fb167dafdf 3501 }
wolfSSL 13:80fb167dafdf 3502 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3503 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3504 cert->subjectSN = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3505 cert->subjectSNLen = strLen;
wolfSSL 13:80fb167dafdf 3506 cert->subjectSNEnc = b;
wolfSSL 13:80fb167dafdf 3507 }
wolfSSL 13:80fb167dafdf 3508 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3509 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3510 dName->snIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3511 dName->snLen = strLen;
wolfSSL 13:80fb167dafdf 3512 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3513 }
wolfSSL 13:80fb167dafdf 3514 else if (id == ASN_COUNTRY_NAME) {
wolfSSL 13:80fb167dafdf 3515 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3516 XMEMCPY(&full[idx], "/C=", 3);
wolfSSL 13:80fb167dafdf 3517 idx += 3;
wolfSSL 13:80fb167dafdf 3518 copy = TRUE;
wolfSSL 13:80fb167dafdf 3519 }
wolfSSL 13:80fb167dafdf 3520 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3521 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3522 cert->subjectC = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3523 cert->subjectCLen = strLen;
wolfSSL 13:80fb167dafdf 3524 cert->subjectCEnc = b;
wolfSSL 13:80fb167dafdf 3525 }
wolfSSL 13:80fb167dafdf 3526 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3527 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3528 dName->cIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3529 dName->cLen = strLen;
wolfSSL 13:80fb167dafdf 3530 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3531 }
wolfSSL 13:80fb167dafdf 3532 else if (id == ASN_LOCALITY_NAME) {
wolfSSL 13:80fb167dafdf 3533 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3534 XMEMCPY(&full[idx], "/L=", 3);
wolfSSL 13:80fb167dafdf 3535 idx += 3;
wolfSSL 13:80fb167dafdf 3536 copy = TRUE;
wolfSSL 13:80fb167dafdf 3537 }
wolfSSL 13:80fb167dafdf 3538 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3539 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3540 cert->subjectL = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3541 cert->subjectLLen = strLen;
wolfSSL 13:80fb167dafdf 3542 cert->subjectLEnc = b;
wolfSSL 13:80fb167dafdf 3543 }
wolfSSL 13:80fb167dafdf 3544 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3545 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3546 dName->lIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3547 dName->lLen = strLen;
wolfSSL 13:80fb167dafdf 3548 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3549 }
wolfSSL 13:80fb167dafdf 3550 else if (id == ASN_STATE_NAME) {
wolfSSL 13:80fb167dafdf 3551 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3552 XMEMCPY(&full[idx], "/ST=", 4);
wolfSSL 13:80fb167dafdf 3553 idx += 4;
wolfSSL 13:80fb167dafdf 3554 copy = TRUE;
wolfSSL 13:80fb167dafdf 3555 }
wolfSSL 13:80fb167dafdf 3556 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3557 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3558 cert->subjectST = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3559 cert->subjectSTLen = strLen;
wolfSSL 13:80fb167dafdf 3560 cert->subjectSTEnc = b;
wolfSSL 13:80fb167dafdf 3561 }
wolfSSL 13:80fb167dafdf 3562 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3563 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3564 dName->stIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3565 dName->stLen = strLen;
wolfSSL 13:80fb167dafdf 3566 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3567 }
wolfSSL 13:80fb167dafdf 3568 else if (id == ASN_ORG_NAME) {
wolfSSL 13:80fb167dafdf 3569 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3570 XMEMCPY(&full[idx], "/O=", 3);
wolfSSL 13:80fb167dafdf 3571 idx += 3;
wolfSSL 13:80fb167dafdf 3572 copy = TRUE;
wolfSSL 13:80fb167dafdf 3573 }
wolfSSL 13:80fb167dafdf 3574 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3575 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3576 cert->subjectO = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3577 cert->subjectOLen = strLen;
wolfSSL 13:80fb167dafdf 3578 cert->subjectOEnc = b;
wolfSSL 13:80fb167dafdf 3579 }
wolfSSL 13:80fb167dafdf 3580 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3581 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3582 dName->oIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3583 dName->oLen = strLen;
wolfSSL 13:80fb167dafdf 3584 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3585 }
wolfSSL 13:80fb167dafdf 3586 else if (id == ASN_ORGUNIT_NAME) {
wolfSSL 13:80fb167dafdf 3587 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3588 XMEMCPY(&full[idx], "/OU=", 4);
wolfSSL 13:80fb167dafdf 3589 idx += 4;
wolfSSL 13:80fb167dafdf 3590 copy = TRUE;
wolfSSL 13:80fb167dafdf 3591 }
wolfSSL 13:80fb167dafdf 3592 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3593 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3594 cert->subjectOU = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3595 cert->subjectOULen = strLen;
wolfSSL 13:80fb167dafdf 3596 cert->subjectOUEnc = b;
wolfSSL 13:80fb167dafdf 3597 }
wolfSSL 13:80fb167dafdf 3598 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3599 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3600 dName->ouIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3601 dName->ouLen = strLen;
wolfSSL 13:80fb167dafdf 3602 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3603 }
wolfSSL 13:80fb167dafdf 3604 else if (id == ASN_SERIAL_NUMBER) {
wolfSSL 13:80fb167dafdf 3605 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3606 XMEMCPY(&full[idx], "/serialNumber=", 14);
wolfSSL 13:80fb167dafdf 3607 idx += 14;
wolfSSL 13:80fb167dafdf 3608 copy = TRUE;
wolfSSL 13:80fb167dafdf 3609 }
wolfSSL 13:80fb167dafdf 3610 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3611 dName->snIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3612 dName->snLen = strLen;
wolfSSL 13:80fb167dafdf 3613 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3614 }
wolfSSL 13:80fb167dafdf 3615
wolfSSL 13:80fb167dafdf 3616 if (copy && !tooBig) {
wolfSSL 13:80fb167dafdf 3617 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
wolfSSL 13:80fb167dafdf 3618 idx += strLen;
wolfSSL 13:80fb167dafdf 3619 }
wolfSSL 13:80fb167dafdf 3620
wolfSSL 13:80fb167dafdf 3621 cert->srcIdx += strLen;
wolfSSL 13:80fb167dafdf 3622 }
wolfSSL 13:80fb167dafdf 3623 else {
wolfSSL 13:80fb167dafdf 3624 /* skip */
wolfSSL 13:80fb167dafdf 3625 byte email = FALSE;
wolfSSL 13:80fb167dafdf 3626 byte uid = FALSE;
wolfSSL 13:80fb167dafdf 3627 int adv;
wolfSSL 13:80fb167dafdf 3628
wolfSSL 13:80fb167dafdf 3629 if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
wolfSSL 13:80fb167dafdf 3630 email = TRUE;
wolfSSL 13:80fb167dafdf 3631
wolfSSL 13:80fb167dafdf 3632 if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
wolfSSL 13:80fb167dafdf 3633 uid = TRUE;
wolfSSL 13:80fb167dafdf 3634
wolfSSL 13:80fb167dafdf 3635 cert->srcIdx += oidSz + 1;
wolfSSL 13:80fb167dafdf 3636
wolfSSL 13:80fb167dafdf 3637 if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 3638 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 3639
wolfSSL 13:80fb167dafdf 3640 if (adv > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 13:80fb167dafdf 3641 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 13:80fb167dafdf 3642 tooBig = TRUE;
wolfSSL 13:80fb167dafdf 3643 }
wolfSSL 13:80fb167dafdf 3644
wolfSSL 13:80fb167dafdf 3645 if (email) {
wolfSSL 13:80fb167dafdf 3646 if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 13:80fb167dafdf 3647 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 13:80fb167dafdf 3648 tooBig = TRUE;
wolfSSL 13:80fb167dafdf 3649 }
wolfSSL 13:80fb167dafdf 3650 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3651 XMEMCPY(&full[idx], "/emailAddress=", 14);
wolfSSL 13:80fb167dafdf 3652 idx += 14;
wolfSSL 13:80fb167dafdf 3653 }
wolfSSL 13:80fb167dafdf 3654
wolfSSL 13:80fb167dafdf 3655 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:80fb167dafdf 3656 if (nameType == SUBJECT) {
wolfSSL 13:80fb167dafdf 3657 cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 3658 cert->subjectEmailLen = adv;
wolfSSL 13:80fb167dafdf 3659 }
wolfSSL 13:80fb167dafdf 3660 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 3661 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3662 dName->emailIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3663 dName->emailLen = adv;
wolfSSL 13:80fb167dafdf 3664 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3665 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 3666 {
wolfSSL 13:80fb167dafdf 3667 DNS_entry* emailName = NULL;
wolfSSL 13:80fb167dafdf 3668
wolfSSL 13:80fb167dafdf 3669 emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
wolfSSL 13:80fb167dafdf 3670 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3671 if (emailName == NULL) {
wolfSSL 13:80fb167dafdf 3672 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 3673 return MEMORY_E;
wolfSSL 13:80fb167dafdf 3674 }
wolfSSL 13:80fb167dafdf 3675 emailName->name = (char*)XMALLOC(adv + 1,
wolfSSL 13:80fb167dafdf 3676 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3677 if (emailName->name == NULL) {
wolfSSL 13:80fb167dafdf 3678 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 3679 XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 3680 return MEMORY_E;
wolfSSL 13:80fb167dafdf 3681 }
wolfSSL 13:80fb167dafdf 3682 XMEMCPY(emailName->name,
wolfSSL 13:80fb167dafdf 3683 &cert->source[cert->srcIdx], adv);
wolfSSL 13:80fb167dafdf 3684 emailName->name[adv] = 0;
wolfSSL 13:80fb167dafdf 3685
wolfSSL 13:80fb167dafdf 3686 emailName->next = cert->altEmailNames;
wolfSSL 13:80fb167dafdf 3687 cert->altEmailNames = emailName;
wolfSSL 13:80fb167dafdf 3688 }
wolfSSL 13:80fb167dafdf 3689 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 3690 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3691 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 13:80fb167dafdf 3692 idx += adv;
wolfSSL 13:80fb167dafdf 3693 }
wolfSSL 13:80fb167dafdf 3694 }
wolfSSL 13:80fb167dafdf 3695
wolfSSL 13:80fb167dafdf 3696 if (uid) {
wolfSSL 13:80fb167dafdf 3697 if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 13:80fb167dafdf 3698 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 13:80fb167dafdf 3699 tooBig = TRUE;
wolfSSL 13:80fb167dafdf 3700 }
wolfSSL 13:80fb167dafdf 3701 if (!tooBig) {
wolfSSL 13:80fb167dafdf 3702 XMEMCPY(&full[idx], "/UID=", 5);
wolfSSL 13:80fb167dafdf 3703 idx += 5;
wolfSSL 13:80fb167dafdf 3704
wolfSSL 13:80fb167dafdf 3705 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 13:80fb167dafdf 3706 idx += adv;
wolfSSL 13:80fb167dafdf 3707 }
wolfSSL 13:80fb167dafdf 3708 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3709 dName->uidIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 3710 dName->uidLen = adv;
wolfSSL 13:80fb167dafdf 3711 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3712 }
wolfSSL 13:80fb167dafdf 3713
wolfSSL 13:80fb167dafdf 3714 cert->srcIdx += adv;
wolfSSL 13:80fb167dafdf 3715 }
wolfSSL 13:80fb167dafdf 3716 }
wolfSSL 13:80fb167dafdf 3717 full[idx++] = 0;
wolfSSL 13:80fb167dafdf 3718
wolfSSL 13:80fb167dafdf 3719 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 3720 {
wolfSSL 13:80fb167dafdf 3721 int totalLen = 0;
wolfSSL 13:80fb167dafdf 3722
wolfSSL 13:80fb167dafdf 3723 if (dName->cnLen != 0)
wolfSSL 13:80fb167dafdf 3724 totalLen += dName->cnLen + 4;
wolfSSL 13:80fb167dafdf 3725 if (dName->snLen != 0)
wolfSSL 13:80fb167dafdf 3726 totalLen += dName->snLen + 4;
wolfSSL 13:80fb167dafdf 3727 if (dName->cLen != 0)
wolfSSL 13:80fb167dafdf 3728 totalLen += dName->cLen + 3;
wolfSSL 13:80fb167dafdf 3729 if (dName->lLen != 0)
wolfSSL 13:80fb167dafdf 3730 totalLen += dName->lLen + 3;
wolfSSL 13:80fb167dafdf 3731 if (dName->stLen != 0)
wolfSSL 13:80fb167dafdf 3732 totalLen += dName->stLen + 4;
wolfSSL 13:80fb167dafdf 3733 if (dName->oLen != 0)
wolfSSL 13:80fb167dafdf 3734 totalLen += dName->oLen + 3;
wolfSSL 13:80fb167dafdf 3735 if (dName->ouLen != 0)
wolfSSL 13:80fb167dafdf 3736 totalLen += dName->ouLen + 4;
wolfSSL 13:80fb167dafdf 3737 if (dName->emailLen != 0)
wolfSSL 13:80fb167dafdf 3738 totalLen += dName->emailLen + 14;
wolfSSL 13:80fb167dafdf 3739 if (dName->uidLen != 0)
wolfSSL 13:80fb167dafdf 3740 totalLen += dName->uidLen + 5;
wolfSSL 13:80fb167dafdf 3741 if (dName->serialLen != 0)
wolfSSL 13:80fb167dafdf 3742 totalLen += dName->serialLen + 14;
wolfSSL 13:80fb167dafdf 3743
wolfSSL 13:80fb167dafdf 3744 dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap,
wolfSSL 13:80fb167dafdf 3745 DYNAMIC_TYPE_X509);
wolfSSL 13:80fb167dafdf 3746 if (dName->fullName != NULL) {
wolfSSL 13:80fb167dafdf 3747 idx = 0;
wolfSSL 13:80fb167dafdf 3748
wolfSSL 13:80fb167dafdf 3749 if (dName->cnLen != 0) {
wolfSSL 13:80fb167dafdf 3750 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3751 XMEMCPY(&dName->fullName[idx], "/CN=", 4);
wolfSSL 13:80fb167dafdf 3752 idx += 4;
wolfSSL 13:80fb167dafdf 3753 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3754 &cert->source[dName->cnIdx], dName->cnLen);
wolfSSL 13:80fb167dafdf 3755 dName->cnIdx = idx;
wolfSSL 13:80fb167dafdf 3756 idx += dName->cnLen;
wolfSSL 13:80fb167dafdf 3757 }
wolfSSL 13:80fb167dafdf 3758 if (dName->snLen != 0) {
wolfSSL 13:80fb167dafdf 3759 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3760 XMEMCPY(&dName->fullName[idx], "/SN=", 4);
wolfSSL 13:80fb167dafdf 3761 idx += 4;
wolfSSL 13:80fb167dafdf 3762 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3763 &cert->source[dName->snIdx], dName->snLen);
wolfSSL 13:80fb167dafdf 3764 dName->snIdx = idx;
wolfSSL 13:80fb167dafdf 3765 idx += dName->snLen;
wolfSSL 13:80fb167dafdf 3766 }
wolfSSL 13:80fb167dafdf 3767 if (dName->cLen != 0) {
wolfSSL 13:80fb167dafdf 3768 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3769 XMEMCPY(&dName->fullName[idx], "/C=", 3);
wolfSSL 13:80fb167dafdf 3770 idx += 3;
wolfSSL 13:80fb167dafdf 3771 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3772 &cert->source[dName->cIdx], dName->cLen);
wolfSSL 13:80fb167dafdf 3773 dName->cIdx = idx;
wolfSSL 13:80fb167dafdf 3774 idx += dName->cLen;
wolfSSL 13:80fb167dafdf 3775 }
wolfSSL 13:80fb167dafdf 3776 if (dName->lLen != 0) {
wolfSSL 13:80fb167dafdf 3777 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3778 XMEMCPY(&dName->fullName[idx], "/L=", 3);
wolfSSL 13:80fb167dafdf 3779 idx += 3;
wolfSSL 13:80fb167dafdf 3780 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3781 &cert->source[dName->lIdx], dName->lLen);
wolfSSL 13:80fb167dafdf 3782 dName->lIdx = idx;
wolfSSL 13:80fb167dafdf 3783 idx += dName->lLen;
wolfSSL 13:80fb167dafdf 3784 }
wolfSSL 13:80fb167dafdf 3785 if (dName->stLen != 0) {
wolfSSL 13:80fb167dafdf 3786 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3787 XMEMCPY(&dName->fullName[idx], "/ST=", 4);
wolfSSL 13:80fb167dafdf 3788 idx += 4;
wolfSSL 13:80fb167dafdf 3789 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3790 &cert->source[dName->stIdx], dName->stLen);
wolfSSL 13:80fb167dafdf 3791 dName->stIdx = idx;
wolfSSL 13:80fb167dafdf 3792 idx += dName->stLen;
wolfSSL 13:80fb167dafdf 3793 }
wolfSSL 13:80fb167dafdf 3794 if (dName->oLen != 0) {
wolfSSL 13:80fb167dafdf 3795 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3796 XMEMCPY(&dName->fullName[idx], "/O=", 3);
wolfSSL 13:80fb167dafdf 3797 idx += 3;
wolfSSL 13:80fb167dafdf 3798 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3799 &cert->source[dName->oIdx], dName->oLen);
wolfSSL 13:80fb167dafdf 3800 dName->oIdx = idx;
wolfSSL 13:80fb167dafdf 3801 idx += dName->oLen;
wolfSSL 13:80fb167dafdf 3802 }
wolfSSL 13:80fb167dafdf 3803 if (dName->ouLen != 0) {
wolfSSL 13:80fb167dafdf 3804 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3805 XMEMCPY(&dName->fullName[idx], "/OU=", 4);
wolfSSL 13:80fb167dafdf 3806 idx += 4;
wolfSSL 13:80fb167dafdf 3807 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3808 &cert->source[dName->ouIdx], dName->ouLen);
wolfSSL 13:80fb167dafdf 3809 dName->ouIdx = idx;
wolfSSL 13:80fb167dafdf 3810 idx += dName->ouLen;
wolfSSL 13:80fb167dafdf 3811 }
wolfSSL 13:80fb167dafdf 3812 if (dName->emailLen != 0) {
wolfSSL 13:80fb167dafdf 3813 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3814 XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
wolfSSL 13:80fb167dafdf 3815 idx += 14;
wolfSSL 13:80fb167dafdf 3816 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3817 &cert->source[dName->emailIdx], dName->emailLen);
wolfSSL 13:80fb167dafdf 3818 dName->emailIdx = idx;
wolfSSL 13:80fb167dafdf 3819 idx += dName->emailLen;
wolfSSL 13:80fb167dafdf 3820 }
wolfSSL 13:80fb167dafdf 3821 if (dName->uidLen != 0) {
wolfSSL 13:80fb167dafdf 3822 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3823 XMEMCPY(&dName->fullName[idx], "/UID=", 5);
wolfSSL 13:80fb167dafdf 3824 idx += 5;
wolfSSL 13:80fb167dafdf 3825 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3826 &cert->source[dName->uidIdx], dName->uidLen);
wolfSSL 13:80fb167dafdf 3827 dName->uidIdx = idx;
wolfSSL 13:80fb167dafdf 3828 idx += dName->uidLen;
wolfSSL 13:80fb167dafdf 3829 }
wolfSSL 13:80fb167dafdf 3830 if (dName->serialLen != 0) {
wolfSSL 13:80fb167dafdf 3831 dName->entryCount++;
wolfSSL 13:80fb167dafdf 3832 XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
wolfSSL 13:80fb167dafdf 3833 idx += 14;
wolfSSL 13:80fb167dafdf 3834 XMEMCPY(&dName->fullName[idx],
wolfSSL 13:80fb167dafdf 3835 &cert->source[dName->serialIdx], dName->serialLen);
wolfSSL 13:80fb167dafdf 3836 dName->serialIdx = idx;
wolfSSL 13:80fb167dafdf 3837 idx += dName->serialLen;
wolfSSL 13:80fb167dafdf 3838 }
wolfSSL 13:80fb167dafdf 3839 dName->fullName[idx] = '\0';
wolfSSL 13:80fb167dafdf 3840 dName->fullNameLen = totalLen;
wolfSSL 13:80fb167dafdf 3841 }
wolfSSL 13:80fb167dafdf 3842 }
wolfSSL 13:80fb167dafdf 3843 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 3844
wolfSSL 13:80fb167dafdf 3845 return 0;
wolfSSL 13:80fb167dafdf 3846 }
wolfSSL 13:80fb167dafdf 3847
wolfSSL 13:80fb167dafdf 3848
wolfSSL 13:80fb167dafdf 3849 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 3850 #if !defined(NO_TIME_H) && defined(USE_WOLF_VALIDDATE)
wolfSSL 13:80fb167dafdf 3851
wolfSSL 13:80fb167dafdf 3852 /* to the second */
wolfSSL 13:80fb167dafdf 3853 static int DateGreaterThan(const struct tm* a, const struct tm* b)
wolfSSL 13:80fb167dafdf 3854 {
wolfSSL 13:80fb167dafdf 3855 if (a->tm_year > b->tm_year)
wolfSSL 13:80fb167dafdf 3856 return 1;
wolfSSL 13:80fb167dafdf 3857
wolfSSL 13:80fb167dafdf 3858 if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon)
wolfSSL 13:80fb167dafdf 3859 return 1;
wolfSSL 13:80fb167dafdf 3860
wolfSSL 13:80fb167dafdf 3861 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 13:80fb167dafdf 3862 a->tm_mday > b->tm_mday)
wolfSSL 13:80fb167dafdf 3863 return 1;
wolfSSL 13:80fb167dafdf 3864
wolfSSL 13:80fb167dafdf 3865 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 13:80fb167dafdf 3866 a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour)
wolfSSL 13:80fb167dafdf 3867 return 1;
wolfSSL 13:80fb167dafdf 3868
wolfSSL 13:80fb167dafdf 3869 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 13:80fb167dafdf 3870 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 13:80fb167dafdf 3871 a->tm_min > b->tm_min)
wolfSSL 13:80fb167dafdf 3872 return 1;
wolfSSL 13:80fb167dafdf 3873
wolfSSL 13:80fb167dafdf 3874 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 13:80fb167dafdf 3875 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 13:80fb167dafdf 3876 a->tm_min == b->tm_min && a->tm_sec > b->tm_sec)
wolfSSL 13:80fb167dafdf 3877 return 1;
wolfSSL 13:80fb167dafdf 3878
wolfSSL 13:80fb167dafdf 3879 return 0; /* false */
wolfSSL 13:80fb167dafdf 3880 }
wolfSSL 13:80fb167dafdf 3881
wolfSSL 13:80fb167dafdf 3882
wolfSSL 13:80fb167dafdf 3883 static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
wolfSSL 13:80fb167dafdf 3884 {
wolfSSL 13:80fb167dafdf 3885 return DateGreaterThan(b,a);
wolfSSL 13:80fb167dafdf 3886 }
wolfSSL 13:80fb167dafdf 3887
wolfSSL 13:80fb167dafdf 3888
wolfSSL 13:80fb167dafdf 3889 #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
wolfSSL 13:80fb167dafdf 3890 int GetTimeString(byte* date, int format, char* buf, int len)
wolfSSL 13:80fb167dafdf 3891 {
wolfSSL 13:80fb167dafdf 3892 struct tm t;
wolfSSL 13:80fb167dafdf 3893 int idx = 0;
wolfSSL 13:80fb167dafdf 3894
wolfSSL 13:80fb167dafdf 3895 if (!ExtractDate(date, format, &t, &idx)) {
wolfSSL 13:80fb167dafdf 3896 return 0;
wolfSSL 13:80fb167dafdf 3897 }
wolfSSL 13:80fb167dafdf 3898
wolfSSL 13:80fb167dafdf 3899 if (date[idx] != 'Z') {
wolfSSL 13:80fb167dafdf 3900 WOLFSSL_MSG("UTCtime, not Zulu") ;
wolfSSL 13:80fb167dafdf 3901 return 0;
wolfSSL 13:80fb167dafdf 3902 }
wolfSSL 13:80fb167dafdf 3903
wolfSSL 13:80fb167dafdf 3904 /* place month in buffer */
wolfSSL 13:80fb167dafdf 3905 buf[0] = '\0';
wolfSSL 13:80fb167dafdf 3906 switch(t.tm_mon) {
wolfSSL 13:80fb167dafdf 3907 case 0: XSTRNCAT(buf, "Jan ", 4); break;
wolfSSL 13:80fb167dafdf 3908 case 1: XSTRNCAT(buf, "Feb ", 4); break;
wolfSSL 13:80fb167dafdf 3909 case 2: XSTRNCAT(buf, "Mar ", 4); break;
wolfSSL 13:80fb167dafdf 3910 case 3: XSTRNCAT(buf, "Apr ", 4); break;
wolfSSL 13:80fb167dafdf 3911 case 4: XSTRNCAT(buf, "May ", 4); break;
wolfSSL 13:80fb167dafdf 3912 case 5: XSTRNCAT(buf, "Jun ", 4); break;
wolfSSL 13:80fb167dafdf 3913 case 6: XSTRNCAT(buf, "Jul ", 4); break;
wolfSSL 13:80fb167dafdf 3914 case 7: XSTRNCAT(buf, "Aug ", 4); break;
wolfSSL 13:80fb167dafdf 3915 case 8: XSTRNCAT(buf, "Sep ", 4); break;
wolfSSL 13:80fb167dafdf 3916 case 9: XSTRNCAT(buf, "Oct ", 4); break;
wolfSSL 13:80fb167dafdf 3917 case 10: XSTRNCAT(buf, "Nov ", 4); break;
wolfSSL 13:80fb167dafdf 3918 case 11: XSTRNCAT(buf, "Dec ", 4); break;
wolfSSL 13:80fb167dafdf 3919 default:
wolfSSL 13:80fb167dafdf 3920 return 0;
wolfSSL 13:80fb167dafdf 3921
wolfSSL 13:80fb167dafdf 3922 }
wolfSSL 13:80fb167dafdf 3923 idx = 4; /* use idx now for char buffer */
wolfSSL 13:80fb167dafdf 3924 buf[idx] = ' ';
wolfSSL 13:80fb167dafdf 3925
wolfSSL 13:80fb167dafdf 3926 XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT",
wolfSSL 13:80fb167dafdf 3927 t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900);
wolfSSL 13:80fb167dafdf 3928
wolfSSL 13:80fb167dafdf 3929 return 1;
wolfSSL 13:80fb167dafdf 3930 }
wolfSSL 13:80fb167dafdf 3931 #endif /* WOLFSSL_MYSQL_COMPATIBLE */
wolfSSL 13:80fb167dafdf 3932
wolfSSL 13:80fb167dafdf 3933 int ExtractDate(const unsigned char* date, unsigned char format,
wolfSSL 13:80fb167dafdf 3934 struct tm* certTime, int* idx)
wolfSSL 13:80fb167dafdf 3935 {
wolfSSL 13:80fb167dafdf 3936 XMEMSET(certTime, 0, sizeof(struct tm));
wolfSSL 13:80fb167dafdf 3937
wolfSSL 13:80fb167dafdf 3938 if (format == ASN_UTC_TIME) {
wolfSSL 13:80fb167dafdf 3939 if (btoi(date[0]) >= 5)
wolfSSL 13:80fb167dafdf 3940 certTime->tm_year = 1900;
wolfSSL 13:80fb167dafdf 3941 else
wolfSSL 13:80fb167dafdf 3942 certTime->tm_year = 2000;
wolfSSL 13:80fb167dafdf 3943 }
wolfSSL 13:80fb167dafdf 3944 else { /* format == GENERALIZED_TIME */
wolfSSL 13:80fb167dafdf 3945 certTime->tm_year += btoi(date[*idx]) * 1000; *idx = *idx + 1;
wolfSSL 13:80fb167dafdf 3946 certTime->tm_year += btoi(date[*idx]) * 100; *idx = *idx + 1;
wolfSSL 13:80fb167dafdf 3947 }
wolfSSL 13:80fb167dafdf 3948
wolfSSL 13:80fb167dafdf 3949 /* adjust tm_year, tm_mon */
wolfSSL 13:80fb167dafdf 3950 GetTime((int*)&certTime->tm_year, date, idx); certTime->tm_year -= 1900;
wolfSSL 13:80fb167dafdf 3951 GetTime((int*)&certTime->tm_mon, date, idx); certTime->tm_mon -= 1;
wolfSSL 13:80fb167dafdf 3952 GetTime((int*)&certTime->tm_mday, date, idx);
wolfSSL 13:80fb167dafdf 3953 GetTime((int*)&certTime->tm_hour, date, idx);
wolfSSL 13:80fb167dafdf 3954 GetTime((int*)&certTime->tm_min, date, idx);
wolfSSL 13:80fb167dafdf 3955 GetTime((int*)&certTime->tm_sec, date, idx);
wolfSSL 13:80fb167dafdf 3956
wolfSSL 13:80fb167dafdf 3957 return 1;
wolfSSL 13:80fb167dafdf 3958 }
wolfSSL 13:80fb167dafdf 3959
wolfSSL 13:80fb167dafdf 3960
wolfSSL 13:80fb167dafdf 3961 /* like atoi but only use first byte */
wolfSSL 13:80fb167dafdf 3962 /* Make sure before and after dates are valid */
wolfSSL 13:80fb167dafdf 3963 int ValidateDate(const byte* date, byte format, int dateType)
wolfSSL 13:80fb167dafdf 3964 {
wolfSSL 13:80fb167dafdf 3965 time_t ltime;
wolfSSL 13:80fb167dafdf 3966 struct tm certTime;
wolfSSL 13:80fb167dafdf 3967 struct tm* localTime;
wolfSSL 13:80fb167dafdf 3968 struct tm* tmpTime = NULL;
wolfSSL 13:80fb167dafdf 3969 int i = 0;
wolfSSL 13:80fb167dafdf 3970 int timeDiff = 0 ;
wolfSSL 13:80fb167dafdf 3971 int diffHH = 0 ; int diffMM = 0 ;
wolfSSL 13:80fb167dafdf 3972 int diffSign = 0 ;
wolfSSL 13:80fb167dafdf 3973
wolfSSL 13:80fb167dafdf 3974 #if defined(NEED_TMP_TIME)
wolfSSL 13:80fb167dafdf 3975 struct tm tmpTimeStorage;
wolfSSL 13:80fb167dafdf 3976 tmpTime = &tmpTimeStorage;
wolfSSL 13:80fb167dafdf 3977 #else
wolfSSL 13:80fb167dafdf 3978 (void)tmpTime;
wolfSSL 13:80fb167dafdf 3979 #endif
wolfSSL 13:80fb167dafdf 3980
wolfSSL 13:80fb167dafdf 3981 ltime = XTIME(0);
wolfSSL 13:80fb167dafdf 3982
wolfSSL 13:80fb167dafdf 3983 #ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW
wolfSSL 13:80fb167dafdf 3984 if (dateType == BEFORE) {
wolfSSL 13:80fb167dafdf 3985 WOLFSSL_MSG("Skewing local time for before date check");
wolfSSL 13:80fb167dafdf 3986 ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW;
wolfSSL 13:80fb167dafdf 3987 }
wolfSSL 13:80fb167dafdf 3988 #endif
wolfSSL 13:80fb167dafdf 3989
wolfSSL 13:80fb167dafdf 3990 #ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW
wolfSSL 13:80fb167dafdf 3991 if (dateType == AFTER) {
wolfSSL 13:80fb167dafdf 3992 WOLFSSL_MSG("Skewing local time for after date check");
wolfSSL 13:80fb167dafdf 3993 ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW;
wolfSSL 13:80fb167dafdf 3994 }
wolfSSL 13:80fb167dafdf 3995 #endif
wolfSSL 13:80fb167dafdf 3996
wolfSSL 13:80fb167dafdf 3997 if (!ExtractDate(date, format, &certTime, &i)) {
wolfSSL 13:80fb167dafdf 3998 WOLFSSL_MSG("Error extracting the date");
wolfSSL 13:80fb167dafdf 3999 return 0;
wolfSSL 13:80fb167dafdf 4000 }
wolfSSL 13:80fb167dafdf 4001
wolfSSL 13:80fb167dafdf 4002 if ((date[i] == '+') || (date[i] == '-')) {
wolfSSL 13:80fb167dafdf 4003 WOLFSSL_MSG("Using time differential, not Zulu") ;
wolfSSL 13:80fb167dafdf 4004 diffSign = date[i++] == '+' ? 1 : -1 ;
wolfSSL 13:80fb167dafdf 4005 GetTime(&diffHH, date, &i);
wolfSSL 13:80fb167dafdf 4006 GetTime(&diffMM, date, &i);
wolfSSL 13:80fb167dafdf 4007 timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ;
wolfSSL 13:80fb167dafdf 4008 } else if (date[i] != 'Z') {
wolfSSL 13:80fb167dafdf 4009 WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ;
wolfSSL 13:80fb167dafdf 4010 return 0;
wolfSSL 13:80fb167dafdf 4011 }
wolfSSL 13:80fb167dafdf 4012
wolfSSL 13:80fb167dafdf 4013 ltime -= (time_t)timeDiff ;
wolfSSL 13:80fb167dafdf 4014 localTime = XGMTIME(&ltime, tmpTime);
wolfSSL 13:80fb167dafdf 4015
wolfSSL 13:80fb167dafdf 4016 if (localTime == NULL) {
wolfSSL 13:80fb167dafdf 4017 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 13:80fb167dafdf 4018 return 0;
wolfSSL 13:80fb167dafdf 4019 }
wolfSSL 13:80fb167dafdf 4020
wolfSSL 13:80fb167dafdf 4021 if (dateType == BEFORE) {
wolfSSL 13:80fb167dafdf 4022 if (DateLessThan(localTime, &certTime)) {
wolfSSL 13:80fb167dafdf 4023 WOLFSSL_MSG("Date BEFORE check failed");
wolfSSL 13:80fb167dafdf 4024 return 0;
wolfSSL 13:80fb167dafdf 4025 }
wolfSSL 13:80fb167dafdf 4026 }
wolfSSL 13:80fb167dafdf 4027 else { /* dateType == AFTER */
wolfSSL 13:80fb167dafdf 4028 if (DateGreaterThan(localTime, &certTime)) {
wolfSSL 13:80fb167dafdf 4029 WOLFSSL_MSG("Date AFTER check failed");
wolfSSL 13:80fb167dafdf 4030 return 0;
wolfSSL 13:80fb167dafdf 4031 }
wolfSSL 13:80fb167dafdf 4032 }
wolfSSL 13:80fb167dafdf 4033
wolfSSL 13:80fb167dafdf 4034 return 1;
wolfSSL 13:80fb167dafdf 4035 }
wolfSSL 13:80fb167dafdf 4036 #endif /* !NO_TIME_H && USE_WOLF_VALIDDATE */
wolfSSL 13:80fb167dafdf 4037
wolfSSL 13:80fb167dafdf 4038 int wc_GetTime(void* timePtr, word32 timeSize)
wolfSSL 13:80fb167dafdf 4039 {
wolfSSL 13:80fb167dafdf 4040 time_t* ltime = (time_t*)timePtr;
wolfSSL 13:80fb167dafdf 4041
wolfSSL 13:80fb167dafdf 4042 if (timePtr == NULL) {
wolfSSL 13:80fb167dafdf 4043 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 4044 }
wolfSSL 13:80fb167dafdf 4045
wolfSSL 13:80fb167dafdf 4046 if ((word32)sizeof(time_t) > timeSize) {
wolfSSL 13:80fb167dafdf 4047 return BUFFER_E;
wolfSSL 13:80fb167dafdf 4048 }
wolfSSL 13:80fb167dafdf 4049
wolfSSL 13:80fb167dafdf 4050 *ltime = XTIME(0);
wolfSSL 13:80fb167dafdf 4051
wolfSSL 13:80fb167dafdf 4052 return 0;
wolfSSL 13:80fb167dafdf 4053 }
wolfSSL 13:80fb167dafdf 4054
wolfSSL 13:80fb167dafdf 4055 #endif /* !NO_ASN_TIME */
wolfSSL 13:80fb167dafdf 4056
wolfSSL 13:80fb167dafdf 4057 static int GetDate(DecodedCert* cert, int dateType)
wolfSSL 13:80fb167dafdf 4058 {
wolfSSL 13:80fb167dafdf 4059 int length;
wolfSSL 13:80fb167dafdf 4060 byte date[MAX_DATE_SIZE];
wolfSSL 13:80fb167dafdf 4061 byte b;
wolfSSL 13:80fb167dafdf 4062 word32 startIdx = 0;
wolfSSL 13:80fb167dafdf 4063
wolfSSL 13:80fb167dafdf 4064 XMEMSET(date, 0, MAX_DATE_SIZE);
wolfSSL 13:80fb167dafdf 4065
wolfSSL 13:80fb167dafdf 4066 if (dateType == BEFORE)
wolfSSL 13:80fb167dafdf 4067 cert->beforeDate = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 4068 else
wolfSSL 13:80fb167dafdf 4069 cert->afterDate = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 4070 startIdx = cert->srcIdx;
wolfSSL 13:80fb167dafdf 4071
wolfSSL 13:80fb167dafdf 4072 b = cert->source[cert->srcIdx++];
wolfSSL 13:80fb167dafdf 4073 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
wolfSSL 13:80fb167dafdf 4074 return ASN_TIME_E;
wolfSSL 13:80fb167dafdf 4075
wolfSSL 13:80fb167dafdf 4076 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 4077 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 4078
wolfSSL 13:80fb167dafdf 4079 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 13:80fb167dafdf 4080 return ASN_DATE_SZ_E;
wolfSSL 13:80fb167dafdf 4081
wolfSSL 13:80fb167dafdf 4082 XMEMCPY(date, &cert->source[cert->srcIdx], length);
wolfSSL 13:80fb167dafdf 4083 cert->srcIdx += length;
wolfSSL 13:80fb167dafdf 4084
wolfSSL 13:80fb167dafdf 4085 if (dateType == BEFORE)
wolfSSL 13:80fb167dafdf 4086 cert->beforeDateLen = cert->srcIdx - startIdx;
wolfSSL 13:80fb167dafdf 4087 else
wolfSSL 13:80fb167dafdf 4088 cert->afterDateLen = cert->srcIdx - startIdx;
wolfSSL 13:80fb167dafdf 4089
wolfSSL 13:80fb167dafdf 4090 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 4091 if (!XVALIDATE_DATE(date, b, dateType)) {
wolfSSL 13:80fb167dafdf 4092 if (dateType == BEFORE)
wolfSSL 13:80fb167dafdf 4093 return ASN_BEFORE_DATE_E;
wolfSSL 13:80fb167dafdf 4094 else
wolfSSL 13:80fb167dafdf 4095 return ASN_AFTER_DATE_E;
wolfSSL 13:80fb167dafdf 4096 }
wolfSSL 13:80fb167dafdf 4097 #endif
wolfSSL 13:80fb167dafdf 4098
wolfSSL 13:80fb167dafdf 4099 return 0;
wolfSSL 13:80fb167dafdf 4100 }
wolfSSL 13:80fb167dafdf 4101
wolfSSL 13:80fb167dafdf 4102 static int GetValidity(DecodedCert* cert, int verify)
wolfSSL 13:80fb167dafdf 4103 {
wolfSSL 13:80fb167dafdf 4104 int length;
wolfSSL 13:80fb167dafdf 4105 int badDate = 0;
wolfSSL 13:80fb167dafdf 4106
wolfSSL 13:80fb167dafdf 4107 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 13:80fb167dafdf 4108 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 4109
wolfSSL 13:80fb167dafdf 4110 if (GetDate(cert, BEFORE) < 0 && verify)
wolfSSL 13:80fb167dafdf 4111 badDate = ASN_BEFORE_DATE_E; /* continue parsing */
wolfSSL 13:80fb167dafdf 4112
wolfSSL 13:80fb167dafdf 4113 if (GetDate(cert, AFTER) < 0 && verify)
wolfSSL 13:80fb167dafdf 4114 return ASN_AFTER_DATE_E;
wolfSSL 13:80fb167dafdf 4115
wolfSSL 13:80fb167dafdf 4116 if (badDate != 0)
wolfSSL 13:80fb167dafdf 4117 return badDate;
wolfSSL 13:80fb167dafdf 4118
wolfSSL 13:80fb167dafdf 4119 return 0;
wolfSSL 13:80fb167dafdf 4120 }
wolfSSL 13:80fb167dafdf 4121
wolfSSL 13:80fb167dafdf 4122
wolfSSL 13:80fb167dafdf 4123 int DecodeToKey(DecodedCert* cert, int verify)
wolfSSL 13:80fb167dafdf 4124 {
wolfSSL 13:80fb167dafdf 4125 int badDate = 0;
wolfSSL 13:80fb167dafdf 4126 int ret;
wolfSSL 13:80fb167dafdf 4127
wolfSSL 13:80fb167dafdf 4128 if ( (ret = GetCertHeader(cert)) < 0)
wolfSSL 13:80fb167dafdf 4129 return ret;
wolfSSL 13:80fb167dafdf 4130
wolfSSL 13:80fb167dafdf 4131 WOLFSSL_MSG("Got Cert Header");
wolfSSL 13:80fb167dafdf 4132
wolfSSL 13:80fb167dafdf 4133 if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
wolfSSL 13:80fb167dafdf 4134 oidSigType, cert->maxIdx)) < 0)
wolfSSL 13:80fb167dafdf 4135 return ret;
wolfSSL 13:80fb167dafdf 4136
wolfSSL 13:80fb167dafdf 4137 WOLFSSL_MSG("Got Algo ID");
wolfSSL 13:80fb167dafdf 4138
wolfSSL 13:80fb167dafdf 4139 if ( (ret = GetName(cert, ISSUER)) < 0)
wolfSSL 13:80fb167dafdf 4140 return ret;
wolfSSL 13:80fb167dafdf 4141
wolfSSL 13:80fb167dafdf 4142 if ( (ret = GetValidity(cert, verify)) < 0)
wolfSSL 13:80fb167dafdf 4143 badDate = ret;
wolfSSL 13:80fb167dafdf 4144
wolfSSL 13:80fb167dafdf 4145 if ( (ret = GetName(cert, SUBJECT)) < 0)
wolfSSL 13:80fb167dafdf 4146 return ret;
wolfSSL 13:80fb167dafdf 4147
wolfSSL 13:80fb167dafdf 4148 WOLFSSL_MSG("Got Subject Name");
wolfSSL 13:80fb167dafdf 4149
wolfSSL 13:80fb167dafdf 4150 if ( (ret = GetKey(cert)) < 0)
wolfSSL 13:80fb167dafdf 4151 return ret;
wolfSSL 13:80fb167dafdf 4152
wolfSSL 13:80fb167dafdf 4153 WOLFSSL_MSG("Got Key");
wolfSSL 13:80fb167dafdf 4154
wolfSSL 13:80fb167dafdf 4155 if (badDate != 0)
wolfSSL 13:80fb167dafdf 4156 return badDate;
wolfSSL 13:80fb167dafdf 4157
wolfSSL 13:80fb167dafdf 4158 return ret;
wolfSSL 13:80fb167dafdf 4159 }
wolfSSL 13:80fb167dafdf 4160
wolfSSL 13:80fb167dafdf 4161 static int GetSignature(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 4162 {
wolfSSL 13:80fb167dafdf 4163 int length;
wolfSSL 13:80fb167dafdf 4164 int ret;
wolfSSL 13:80fb167dafdf 4165 ret = CheckBitString(cert->source, &cert->srcIdx, &length, cert->maxIdx, 1,
wolfSSL 13:80fb167dafdf 4166 NULL);
wolfSSL 13:80fb167dafdf 4167 if (ret != 0)
wolfSSL 13:80fb167dafdf 4168 return ret;
wolfSSL 13:80fb167dafdf 4169
wolfSSL 13:80fb167dafdf 4170 cert->sigLength = length;
wolfSSL 13:80fb167dafdf 4171 cert->signature = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 4172 cert->srcIdx += cert->sigLength;
wolfSSL 13:80fb167dafdf 4173
wolfSSL 13:80fb167dafdf 4174 return 0;
wolfSSL 13:80fb167dafdf 4175 }
wolfSSL 13:80fb167dafdf 4176
wolfSSL 13:80fb167dafdf 4177 static word32 SetOctetString8Bit(word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4178 {
wolfSSL 13:80fb167dafdf 4179 output[0] = ASN_OCTET_STRING;
wolfSSL 13:80fb167dafdf 4180 output[1] = (byte)len;
wolfSSL 13:80fb167dafdf 4181 return 2;
wolfSSL 13:80fb167dafdf 4182 }
wolfSSL 13:80fb167dafdf 4183
wolfSSL 13:80fb167dafdf 4184 static word32 SetDigest(const byte* digest, word32 digSz, byte* output)
wolfSSL 13:80fb167dafdf 4185 {
wolfSSL 13:80fb167dafdf 4186 word32 idx = SetOctetString8Bit(digSz, output);
wolfSSL 13:80fb167dafdf 4187 XMEMCPY(&output[idx], digest, digSz);
wolfSSL 13:80fb167dafdf 4188
wolfSSL 13:80fb167dafdf 4189 return idx + digSz;
wolfSSL 13:80fb167dafdf 4190 }
wolfSSL 13:80fb167dafdf 4191
wolfSSL 13:80fb167dafdf 4192
wolfSSL 13:80fb167dafdf 4193 static word32 BytePrecision(word32 value)
wolfSSL 13:80fb167dafdf 4194 {
wolfSSL 13:80fb167dafdf 4195 word32 i;
wolfSSL 13:80fb167dafdf 4196 for (i = sizeof(value); i; --i)
wolfSSL 13:80fb167dafdf 4197 if (value >> ((i - 1) * WOLFSSL_BIT_SIZE))
wolfSSL 13:80fb167dafdf 4198 break;
wolfSSL 13:80fb167dafdf 4199
wolfSSL 13:80fb167dafdf 4200 return i;
wolfSSL 13:80fb167dafdf 4201 }
wolfSSL 13:80fb167dafdf 4202
wolfSSL 13:80fb167dafdf 4203
wolfSSL 13:80fb167dafdf 4204 WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
wolfSSL 13:80fb167dafdf 4205 {
wolfSSL 13:80fb167dafdf 4206 word32 i = 0, j;
wolfSSL 13:80fb167dafdf 4207
wolfSSL 13:80fb167dafdf 4208 if (length < ASN_LONG_LENGTH)
wolfSSL 13:80fb167dafdf 4209 output[i++] = (byte)length;
wolfSSL 13:80fb167dafdf 4210 else {
wolfSSL 13:80fb167dafdf 4211 output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
wolfSSL 13:80fb167dafdf 4212
wolfSSL 13:80fb167dafdf 4213 for (j = BytePrecision(length); j; --j) {
wolfSSL 13:80fb167dafdf 4214 output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
wolfSSL 13:80fb167dafdf 4215 i++;
wolfSSL 13:80fb167dafdf 4216 }
wolfSSL 13:80fb167dafdf 4217 }
wolfSSL 13:80fb167dafdf 4218
wolfSSL 13:80fb167dafdf 4219 return i;
wolfSSL 13:80fb167dafdf 4220 }
wolfSSL 13:80fb167dafdf 4221
wolfSSL 13:80fb167dafdf 4222
wolfSSL 13:80fb167dafdf 4223 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4224 {
wolfSSL 13:80fb167dafdf 4225 output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
wolfSSL 13:80fb167dafdf 4226 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 4227 }
wolfSSL 13:80fb167dafdf 4228
wolfSSL 13:80fb167dafdf 4229 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4230 {
wolfSSL 13:80fb167dafdf 4231 output[0] = ASN_OCTET_STRING;
wolfSSL 13:80fb167dafdf 4232 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 4233 }
wolfSSL 13:80fb167dafdf 4234
wolfSSL 13:80fb167dafdf 4235 /* Write a set header to output */
wolfSSL 13:80fb167dafdf 4236 WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4237 {
wolfSSL 13:80fb167dafdf 4238 output[0] = ASN_SET | ASN_CONSTRUCTED;
wolfSSL 13:80fb167dafdf 4239 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 4240 }
wolfSSL 13:80fb167dafdf 4241
wolfSSL 13:80fb167dafdf 4242 WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4243 {
wolfSSL 13:80fb167dafdf 4244
wolfSSL 13:80fb167dafdf 4245 output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
wolfSSL 13:80fb167dafdf 4246 | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 13:80fb167dafdf 4247 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 4248 }
wolfSSL 13:80fb167dafdf 4249
wolfSSL 13:80fb167dafdf 4250 WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
wolfSSL 13:80fb167dafdf 4251 {
wolfSSL 13:80fb167dafdf 4252 output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 13:80fb167dafdf 4253 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 4254 }
wolfSSL 13:80fb167dafdf 4255
wolfSSL 13:80fb167dafdf 4256
wolfSSL 13:80fb167dafdf 4257 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
wolfSSL 13:80fb167dafdf 4258
wolfSSL 13:80fb167dafdf 4259 static int SetCurve(ecc_key* key, byte* output)
wolfSSL 13:80fb167dafdf 4260 {
wolfSSL 13:80fb167dafdf 4261 #ifdef HAVE_OID_ENCODING
wolfSSL 13:80fb167dafdf 4262 int ret;
wolfSSL 13:80fb167dafdf 4263 #endif
wolfSSL 13:80fb167dafdf 4264 int idx = 0;
wolfSSL 13:80fb167dafdf 4265 word32 oidSz = 0;
wolfSSL 13:80fb167dafdf 4266
wolfSSL 13:80fb167dafdf 4267 /* validate key */
wolfSSL 13:80fb167dafdf 4268 if (key == NULL || key->dp == NULL) {
wolfSSL 13:80fb167dafdf 4269 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 4270 }
wolfSSL 13:80fb167dafdf 4271
wolfSSL 13:80fb167dafdf 4272 #ifdef HAVE_OID_ENCODING
wolfSSL 13:80fb167dafdf 4273 ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, NULL, &oidSz);
wolfSSL 13:80fb167dafdf 4274 if (ret != 0) {
wolfSSL 13:80fb167dafdf 4275 return ret;
wolfSSL 13:80fb167dafdf 4276 }
wolfSSL 13:80fb167dafdf 4277 #else
wolfSSL 13:80fb167dafdf 4278 oidSz = key->dp->oidSz;
wolfSSL 13:80fb167dafdf 4279 #endif
wolfSSL 13:80fb167dafdf 4280
wolfSSL 13:80fb167dafdf 4281 idx += SetObjectId(oidSz, output);
wolfSSL 13:80fb167dafdf 4282
wolfSSL 13:80fb167dafdf 4283 #ifdef HAVE_OID_ENCODING
wolfSSL 13:80fb167dafdf 4284 ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
wolfSSL 13:80fb167dafdf 4285 if (ret != 0) {
wolfSSL 13:80fb167dafdf 4286 return ret;
wolfSSL 13:80fb167dafdf 4287 }
wolfSSL 13:80fb167dafdf 4288 #else
wolfSSL 13:80fb167dafdf 4289 XMEMCPY(output+idx, key->dp->oid, oidSz);
wolfSSL 13:80fb167dafdf 4290 #endif
wolfSSL 13:80fb167dafdf 4291 idx += oidSz;
wolfSSL 13:80fb167dafdf 4292
wolfSSL 13:80fb167dafdf 4293 return idx;
wolfSSL 13:80fb167dafdf 4294 }
wolfSSL 13:80fb167dafdf 4295
wolfSSL 13:80fb167dafdf 4296 #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 4297
wolfSSL 13:80fb167dafdf 4298
wolfSSL 13:80fb167dafdf 4299 static INLINE int IsSigAlgoECDSA(int algoOID)
wolfSSL 13:80fb167dafdf 4300 {
wolfSSL 13:80fb167dafdf 4301 /* ECDSA sigAlgo must not have ASN1 NULL parameters */
wolfSSL 13:80fb167dafdf 4302 if (algoOID == CTC_SHAwECDSA || algoOID == CTC_SHA256wECDSA ||
wolfSSL 13:80fb167dafdf 4303 algoOID == CTC_SHA384wECDSA || algoOID == CTC_SHA512wECDSA) {
wolfSSL 13:80fb167dafdf 4304 return 1;
wolfSSL 13:80fb167dafdf 4305 }
wolfSSL 13:80fb167dafdf 4306
wolfSSL 13:80fb167dafdf 4307 return 0;
wolfSSL 13:80fb167dafdf 4308 }
wolfSSL 13:80fb167dafdf 4309
wolfSSL 13:80fb167dafdf 4310 WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
wolfSSL 13:80fb167dafdf 4311 {
wolfSSL 13:80fb167dafdf 4312 word32 tagSz, idSz, seqSz, algoSz = 0;
wolfSSL 13:80fb167dafdf 4313 const byte* algoName = 0;
wolfSSL 13:80fb167dafdf 4314 byte ID_Length[1 + MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 4315 byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
wolfSSL 13:80fb167dafdf 4316
wolfSSL 13:80fb167dafdf 4317 tagSz = (type == oidHashType ||
wolfSSL 13:80fb167dafdf 4318 (type == oidSigType && !IsSigAlgoECDSA(algoOID)) ||
wolfSSL 13:80fb167dafdf 4319 (type == oidKeyType && algoOID == RSAk)) ? 2 : 0;
wolfSSL 13:80fb167dafdf 4320
wolfSSL 13:80fb167dafdf 4321 algoName = OidFromId(algoOID, type, &algoSz);
wolfSSL 13:80fb167dafdf 4322
wolfSSL 13:80fb167dafdf 4323 if (algoName == NULL) {
wolfSSL 13:80fb167dafdf 4324 WOLFSSL_MSG("Unknown Algorithm");
wolfSSL 13:80fb167dafdf 4325 return 0;
wolfSSL 13:80fb167dafdf 4326 }
wolfSSL 13:80fb167dafdf 4327
wolfSSL 13:80fb167dafdf 4328 idSz = SetObjectId(algoSz, ID_Length);
wolfSSL 13:80fb167dafdf 4329 seqSz = SetSequence(idSz + algoSz + tagSz + curveSz, seqArray);
wolfSSL 13:80fb167dafdf 4330
wolfSSL 13:80fb167dafdf 4331 XMEMCPY(output, seqArray, seqSz);
wolfSSL 13:80fb167dafdf 4332 XMEMCPY(output + seqSz, ID_Length, idSz);
wolfSSL 13:80fb167dafdf 4333 XMEMCPY(output + seqSz + idSz, algoName, algoSz);
wolfSSL 13:80fb167dafdf 4334 if (tagSz == 2)
wolfSSL 13:80fb167dafdf 4335 SetASNNull(&output[seqSz + idSz + algoSz]);
wolfSSL 13:80fb167dafdf 4336
wolfSSL 13:80fb167dafdf 4337 return seqSz + idSz + algoSz + tagSz;
wolfSSL 13:80fb167dafdf 4338
wolfSSL 13:80fb167dafdf 4339 }
wolfSSL 13:80fb167dafdf 4340
wolfSSL 13:80fb167dafdf 4341
wolfSSL 13:80fb167dafdf 4342 word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
wolfSSL 13:80fb167dafdf 4343 int hashOID)
wolfSSL 13:80fb167dafdf 4344 {
wolfSSL 13:80fb167dafdf 4345 byte digArray[MAX_ENCODED_DIG_SZ];
wolfSSL 13:80fb167dafdf 4346 byte algoArray[MAX_ALGO_SZ];
wolfSSL 13:80fb167dafdf 4347 byte seqArray[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 4348 word32 encDigSz, algoSz, seqSz;
wolfSSL 13:80fb167dafdf 4349
wolfSSL 13:80fb167dafdf 4350 encDigSz = SetDigest(digest, digSz, digArray);
wolfSSL 13:80fb167dafdf 4351 algoSz = SetAlgoID(hashOID, algoArray, oidHashType, 0);
wolfSSL 13:80fb167dafdf 4352 seqSz = SetSequence(encDigSz + algoSz, seqArray);
wolfSSL 13:80fb167dafdf 4353
wolfSSL 13:80fb167dafdf 4354 XMEMCPY(out, seqArray, seqSz);
wolfSSL 13:80fb167dafdf 4355 XMEMCPY(out + seqSz, algoArray, algoSz);
wolfSSL 13:80fb167dafdf 4356 XMEMCPY(out + seqSz + algoSz, digArray, encDigSz);
wolfSSL 13:80fb167dafdf 4357
wolfSSL 13:80fb167dafdf 4358 return encDigSz + algoSz + seqSz;
wolfSSL 13:80fb167dafdf 4359 }
wolfSSL 13:80fb167dafdf 4360
wolfSSL 13:80fb167dafdf 4361
wolfSSL 13:80fb167dafdf 4362 int wc_GetCTC_HashOID(int type)
wolfSSL 13:80fb167dafdf 4363 {
wolfSSL 13:80fb167dafdf 4364 switch (type) {
wolfSSL 13:80fb167dafdf 4365 #ifdef WOLFSSL_MD2
wolfSSL 13:80fb167dafdf 4366 case MD2:
wolfSSL 13:80fb167dafdf 4367 return MD2h;
wolfSSL 13:80fb167dafdf 4368 #endif
wolfSSL 13:80fb167dafdf 4369 #ifndef NO_MD5
wolfSSL 13:80fb167dafdf 4370 case MD5:
wolfSSL 13:80fb167dafdf 4371 return MD5h;
wolfSSL 13:80fb167dafdf 4372 #endif
wolfSSL 13:80fb167dafdf 4373 #ifndef NO_SHA
wolfSSL 13:80fb167dafdf 4374 case SHA:
wolfSSL 13:80fb167dafdf 4375 return SHAh;
wolfSSL 13:80fb167dafdf 4376 #endif
wolfSSL 13:80fb167dafdf 4377 #ifdef WOLFSSL_SHA224
wolfSSL 13:80fb167dafdf 4378 case SHA224:
wolfSSL 13:80fb167dafdf 4379 return SHA224h;
wolfSSL 13:80fb167dafdf 4380 #endif
wolfSSL 13:80fb167dafdf 4381 #ifndef NO_SHA256
wolfSSL 13:80fb167dafdf 4382 case SHA256:
wolfSSL 13:80fb167dafdf 4383 return SHA256h;
wolfSSL 13:80fb167dafdf 4384 #endif
wolfSSL 13:80fb167dafdf 4385 #ifdef WOLFSSL_SHA384
wolfSSL 13:80fb167dafdf 4386 case SHA384:
wolfSSL 13:80fb167dafdf 4387 return SHA384h;
wolfSSL 13:80fb167dafdf 4388 #endif
wolfSSL 13:80fb167dafdf 4389 #ifdef WOLFSSL_SHA512
wolfSSL 13:80fb167dafdf 4390 case SHA512:
wolfSSL 13:80fb167dafdf 4391 return SHA512h;
wolfSSL 13:80fb167dafdf 4392 #endif
wolfSSL 13:80fb167dafdf 4393 default:
wolfSSL 13:80fb167dafdf 4394 return 0;
wolfSSL 13:80fb167dafdf 4395 };
wolfSSL 13:80fb167dafdf 4396 }
wolfSSL 13:80fb167dafdf 4397
wolfSSL 13:80fb167dafdf 4398 void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId)
wolfSSL 13:80fb167dafdf 4399 {
wolfSSL 13:80fb167dafdf 4400 if (sigCtx) {
wolfSSL 13:80fb167dafdf 4401 XMEMSET(sigCtx, 0, sizeof(SignatureCtx));
wolfSSL 13:80fb167dafdf 4402 sigCtx->devId = devId;
wolfSSL 13:80fb167dafdf 4403 sigCtx->heap = heap;
wolfSSL 13:80fb167dafdf 4404 }
wolfSSL 13:80fb167dafdf 4405 }
wolfSSL 13:80fb167dafdf 4406
wolfSSL 13:80fb167dafdf 4407 void FreeSignatureCtx(SignatureCtx* sigCtx)
wolfSSL 13:80fb167dafdf 4408 {
wolfSSL 13:80fb167dafdf 4409 if (sigCtx == NULL)
wolfSSL 13:80fb167dafdf 4410 return;
wolfSSL 13:80fb167dafdf 4411
wolfSSL 13:80fb167dafdf 4412 if (sigCtx->digest) {
wolfSSL 13:80fb167dafdf 4413 XFREE(sigCtx->digest, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4414 sigCtx->digest = NULL;
wolfSSL 13:80fb167dafdf 4415 }
wolfSSL 13:80fb167dafdf 4416 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 4417 if (sigCtx->plain) {
wolfSSL 13:80fb167dafdf 4418 XFREE(sigCtx->plain, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4419 sigCtx->plain = NULL;
wolfSSL 13:80fb167dafdf 4420 }
wolfSSL 13:80fb167dafdf 4421 #endif
wolfSSL 13:80fb167dafdf 4422 if (sigCtx->key.ptr) {
wolfSSL 13:80fb167dafdf 4423 switch (sigCtx->keyOID) {
wolfSSL 13:80fb167dafdf 4424 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 4425 case RSAk:
wolfSSL 13:80fb167dafdf 4426 wc_FreeRsaKey(sigCtx->key.rsa);
wolfSSL 13:80fb167dafdf 4427 XFREE(sigCtx->key.ptr, sigCtx->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 4428 break;
wolfSSL 13:80fb167dafdf 4429 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 4430 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 4431 case ECDSAk:
wolfSSL 13:80fb167dafdf 4432 wc_ecc_free(sigCtx->key.ecc);
wolfSSL 13:80fb167dafdf 4433 XFREE(sigCtx->key.ecc, sigCtx->heap, DYNAMIC_TYPE_ECC);
wolfSSL 13:80fb167dafdf 4434 break;
wolfSSL 13:80fb167dafdf 4435 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 4436 default:
wolfSSL 13:80fb167dafdf 4437 break;
wolfSSL 13:80fb167dafdf 4438 } /* switch (keyOID) */
wolfSSL 13:80fb167dafdf 4439 sigCtx->key.ptr = NULL;
wolfSSL 13:80fb167dafdf 4440 }
wolfSSL 13:80fb167dafdf 4441
wolfSSL 13:80fb167dafdf 4442 /* reset state, we are done */
wolfSSL 13:80fb167dafdf 4443 sigCtx->state = SIG_STATE_BEGIN;
wolfSSL 13:80fb167dafdf 4444 }
wolfSSL 13:80fb167dafdf 4445
wolfSSL 13:80fb167dafdf 4446 /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
wolfSSL 13:80fb167dafdf 4447 static int ConfirmSignature(SignatureCtx* sigCtx,
wolfSSL 13:80fb167dafdf 4448 const byte* buf, word32 bufSz,
wolfSSL 13:80fb167dafdf 4449 const byte* key, word32 keySz, word32 keyOID,
wolfSSL 13:80fb167dafdf 4450 const byte* sig, word32 sigSz, word32 sigOID)
wolfSSL 13:80fb167dafdf 4451 {
wolfSSL 13:80fb167dafdf 4452 int ret = 0;
wolfSSL 13:80fb167dafdf 4453
wolfSSL 13:80fb167dafdf 4454 if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL ||
wolfSSL 13:80fb167dafdf 4455 keySz == 0 || sig == NULL || sigSz == 0) {
wolfSSL 13:80fb167dafdf 4456 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 4457 }
wolfSSL 13:80fb167dafdf 4458
wolfSSL 13:80fb167dafdf 4459 (void)key;
wolfSSL 13:80fb167dafdf 4460 (void)keySz;
wolfSSL 13:80fb167dafdf 4461 (void)sig;
wolfSSL 13:80fb167dafdf 4462 (void)sigSz;
wolfSSL 13:80fb167dafdf 4463
wolfSSL 13:80fb167dafdf 4464 WOLFSSL_ENTER("ConfirmSignature");
wolfSSL 13:80fb167dafdf 4465
wolfSSL 13:80fb167dafdf 4466 switch (sigCtx->state) {
wolfSSL 13:80fb167dafdf 4467 case SIG_STATE_BEGIN:
wolfSSL 13:80fb167dafdf 4468 {
wolfSSL 13:80fb167dafdf 4469 sigCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, sigCtx->heap,
wolfSSL 13:80fb167dafdf 4470 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4471 if (sigCtx->digest == NULL) {
wolfSSL 13:80fb167dafdf 4472 ERROR_OUT(MEMORY_E, exit_cs);
wolfSSL 13:80fb167dafdf 4473 }
wolfSSL 13:80fb167dafdf 4474
wolfSSL 13:80fb167dafdf 4475 /* fall through */
wolfSSL 13:80fb167dafdf 4476 sigCtx->state = SIG_STATE_HASH;
wolfSSL 13:80fb167dafdf 4477 } /* SIG_STATE_BEGIN */
wolfSSL 13:80fb167dafdf 4478
wolfSSL 13:80fb167dafdf 4479 case SIG_STATE_HASH:
wolfSSL 13:80fb167dafdf 4480 {
wolfSSL 13:80fb167dafdf 4481 switch (sigOID) {
wolfSSL 13:80fb167dafdf 4482 #ifndef NO_MD5
wolfSSL 13:80fb167dafdf 4483 case CTC_MD5wRSA:
wolfSSL 13:80fb167dafdf 4484 if ((ret = wc_Md5Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4485 sigCtx->typeH = MD5h;
wolfSSL 13:80fb167dafdf 4486 sigCtx->digestSz = MD5_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4487 }
wolfSSL 13:80fb167dafdf 4488 break;
wolfSSL 13:80fb167dafdf 4489 #endif
wolfSSL 13:80fb167dafdf 4490 #if defined(WOLFSSL_MD2)
wolfSSL 13:80fb167dafdf 4491 case CTC_MD2wRSA:
wolfSSL 13:80fb167dafdf 4492 if ((ret = wc_Md2Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4493 sigCtx->typeH = MD2h;
wolfSSL 13:80fb167dafdf 4494 sigCtx->digestSz = MD2_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4495 }
wolfSSL 13:80fb167dafdf 4496 break;
wolfSSL 13:80fb167dafdf 4497 #endif
wolfSSL 13:80fb167dafdf 4498 #ifndef NO_SHA
wolfSSL 13:80fb167dafdf 4499 case CTC_SHAwRSA:
wolfSSL 13:80fb167dafdf 4500 case CTC_SHAwDSA:
wolfSSL 13:80fb167dafdf 4501 case CTC_SHAwECDSA:
wolfSSL 13:80fb167dafdf 4502 if ((ret = wc_ShaHash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4503 sigCtx->typeH = SHAh;
wolfSSL 13:80fb167dafdf 4504 sigCtx->digestSz = SHA_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4505 }
wolfSSL 13:80fb167dafdf 4506 break;
wolfSSL 13:80fb167dafdf 4507 #endif
wolfSSL 13:80fb167dafdf 4508 #ifdef WOLFSSL_SHA224
wolfSSL 13:80fb167dafdf 4509 case CTC_SHA224wRSA:
wolfSSL 13:80fb167dafdf 4510 case CTC_SHA224wECDSA:
wolfSSL 13:80fb167dafdf 4511 if ((ret = wc_Sha224Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4512 sigCtx->typeH = SHA224h;
wolfSSL 13:80fb167dafdf 4513 sigCtx->digestSz = SHA224_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4514 }
wolfSSL 13:80fb167dafdf 4515 break;
wolfSSL 13:80fb167dafdf 4516 #endif
wolfSSL 13:80fb167dafdf 4517 #ifndef NO_SHA256
wolfSSL 13:80fb167dafdf 4518 case CTC_SHA256wRSA:
wolfSSL 13:80fb167dafdf 4519 case CTC_SHA256wECDSA:
wolfSSL 13:80fb167dafdf 4520 if ((ret = wc_Sha256Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4521 sigCtx->typeH = SHA256h;
wolfSSL 13:80fb167dafdf 4522 sigCtx->digestSz = SHA256_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4523 }
wolfSSL 13:80fb167dafdf 4524 break;
wolfSSL 13:80fb167dafdf 4525 #endif
wolfSSL 13:80fb167dafdf 4526 #ifdef WOLFSSL_SHA512
wolfSSL 13:80fb167dafdf 4527 case CTC_SHA512wRSA:
wolfSSL 13:80fb167dafdf 4528 case CTC_SHA512wECDSA:
wolfSSL 13:80fb167dafdf 4529 if ((ret = wc_Sha512Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4530 sigCtx->typeH = SHA512h;
wolfSSL 13:80fb167dafdf 4531 sigCtx->digestSz = SHA512_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4532 }
wolfSSL 13:80fb167dafdf 4533 break;
wolfSSL 13:80fb167dafdf 4534 #endif
wolfSSL 13:80fb167dafdf 4535 #ifdef WOLFSSL_SHA384
wolfSSL 13:80fb167dafdf 4536 case CTC_SHA384wRSA:
wolfSSL 13:80fb167dafdf 4537 case CTC_SHA384wECDSA:
wolfSSL 13:80fb167dafdf 4538 if ((ret = wc_Sha384Hash(buf, bufSz, sigCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 4539 sigCtx->typeH = SHA384h;
wolfSSL 13:80fb167dafdf 4540 sigCtx->digestSz = SHA384_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 4541 }
wolfSSL 13:80fb167dafdf 4542 break;
wolfSSL 13:80fb167dafdf 4543 #endif
wolfSSL 13:80fb167dafdf 4544 default:
wolfSSL 13:80fb167dafdf 4545 ret = HASH_TYPE_E;
wolfSSL 13:80fb167dafdf 4546 WOLFSSL_MSG("Verify Signature has unsupported type");
wolfSSL 13:80fb167dafdf 4547 }
wolfSSL 13:80fb167dafdf 4548
wolfSSL 13:80fb167dafdf 4549 if (ret != 0) {
wolfSSL 13:80fb167dafdf 4550 goto exit_cs;
wolfSSL 13:80fb167dafdf 4551 }
wolfSSL 13:80fb167dafdf 4552
wolfSSL 13:80fb167dafdf 4553 /* fall through */
wolfSSL 13:80fb167dafdf 4554 sigCtx->state = SIG_STATE_KEY;
wolfSSL 13:80fb167dafdf 4555 } /* SIG_STATE_HASH */
wolfSSL 13:80fb167dafdf 4556
wolfSSL 13:80fb167dafdf 4557 case SIG_STATE_KEY:
wolfSSL 13:80fb167dafdf 4558 {
wolfSSL 13:80fb167dafdf 4559 sigCtx->keyOID = keyOID;
wolfSSL 13:80fb167dafdf 4560
wolfSSL 13:80fb167dafdf 4561 switch (keyOID) {
wolfSSL 13:80fb167dafdf 4562 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 4563 case RSAk:
wolfSSL 13:80fb167dafdf 4564 {
wolfSSL 13:80fb167dafdf 4565 word32 idx = 0;
wolfSSL 13:80fb167dafdf 4566
wolfSSL 13:80fb167dafdf 4567 sigCtx->key.rsa = (RsaKey*)XMALLOC(sizeof(RsaKey),
wolfSSL 13:80fb167dafdf 4568 sigCtx->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 4569 sigCtx->plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
wolfSSL 13:80fb167dafdf 4570 sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4571 if (sigCtx->key.rsa == NULL || sigCtx->plain == NULL) {
wolfSSL 13:80fb167dafdf 4572 ERROR_OUT(MEMORY_E, exit_cs);
wolfSSL 13:80fb167dafdf 4573 }
wolfSSL 13:80fb167dafdf 4574
wolfSSL 13:80fb167dafdf 4575 if ((ret = wc_InitRsaKey_ex(sigCtx->key.rsa, sigCtx->heap,
wolfSSL 13:80fb167dafdf 4576 sigCtx->devId)) != 0) {
wolfSSL 13:80fb167dafdf 4577 goto exit_cs;
wolfSSL 13:80fb167dafdf 4578 }
wolfSSL 13:80fb167dafdf 4579
wolfSSL 13:80fb167dafdf 4580 if (sigSz > MAX_ENCODED_SIG_SZ) {
wolfSSL 13:80fb167dafdf 4581 WOLFSSL_MSG("Verify Signature is too big");
wolfSSL 13:80fb167dafdf 4582 ERROR_OUT(BUFFER_E, exit_cs);
wolfSSL 13:80fb167dafdf 4583 }
wolfSSL 13:80fb167dafdf 4584
wolfSSL 13:80fb167dafdf 4585 if ((ret = wc_RsaPublicKeyDecode(key, &idx, sigCtx->key.rsa,
wolfSSL 13:80fb167dafdf 4586 keySz)) != 0) {
wolfSSL 13:80fb167dafdf 4587 WOLFSSL_MSG("ASN Key decode error RSA");
wolfSSL 13:80fb167dafdf 4588 goto exit_cs;
wolfSSL 13:80fb167dafdf 4589 }
wolfSSL 13:80fb167dafdf 4590
wolfSSL 13:80fb167dafdf 4591 XMEMCPY(sigCtx->plain, sig, sigSz);
wolfSSL 13:80fb167dafdf 4592 sigCtx->out = NULL;
wolfSSL 13:80fb167dafdf 4593 break;
wolfSSL 13:80fb167dafdf 4594 }
wolfSSL 13:80fb167dafdf 4595 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 4596 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 4597 case ECDSAk:
wolfSSL 13:80fb167dafdf 4598 {
wolfSSL 13:80fb167dafdf 4599 sigCtx->verify = 0;
wolfSSL 13:80fb167dafdf 4600 sigCtx->key.ecc = (ecc_key*)XMALLOC(sizeof(ecc_key),
wolfSSL 13:80fb167dafdf 4601 sigCtx->heap, DYNAMIC_TYPE_ECC);
wolfSSL 13:80fb167dafdf 4602 if (sigCtx->key.ecc == NULL) {
wolfSSL 13:80fb167dafdf 4603 ERROR_OUT(MEMORY_E, exit_cs);
wolfSSL 13:80fb167dafdf 4604 }
wolfSSL 13:80fb167dafdf 4605
wolfSSL 13:80fb167dafdf 4606 if ((ret = wc_ecc_init_ex(sigCtx->key.ecc, sigCtx->heap,
wolfSSL 13:80fb167dafdf 4607 sigCtx->devId)) < 0) {
wolfSSL 13:80fb167dafdf 4608 goto exit_cs;
wolfSSL 13:80fb167dafdf 4609 }
wolfSSL 13:80fb167dafdf 4610 if ((ret = wc_ecc_import_x963(key, keySz,
wolfSSL 13:80fb167dafdf 4611 sigCtx->key.ecc)) < 0) {
wolfSSL 13:80fb167dafdf 4612 WOLFSSL_MSG("ASN Key import error ECC");
wolfSSL 13:80fb167dafdf 4613 goto exit_cs;
wolfSSL 13:80fb167dafdf 4614 }
wolfSSL 13:80fb167dafdf 4615 break;
wolfSSL 13:80fb167dafdf 4616 }
wolfSSL 13:80fb167dafdf 4617 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 4618 default:
wolfSSL 13:80fb167dafdf 4619 WOLFSSL_MSG("Verify Key type unknown");
wolfSSL 13:80fb167dafdf 4620 ret = ASN_UNKNOWN_OID_E;
wolfSSL 13:80fb167dafdf 4621 break;
wolfSSL 13:80fb167dafdf 4622 } /* switch (keyOID) */
wolfSSL 13:80fb167dafdf 4623
wolfSSL 13:80fb167dafdf 4624 if (ret != 0) {
wolfSSL 13:80fb167dafdf 4625 goto exit_cs;
wolfSSL 13:80fb167dafdf 4626 }
wolfSSL 13:80fb167dafdf 4627
wolfSSL 13:80fb167dafdf 4628 /* fall through */
wolfSSL 13:80fb167dafdf 4629 sigCtx->state = SIG_STATE_DO;
wolfSSL 13:80fb167dafdf 4630 } /* SIG_STATE_KEY */
wolfSSL 13:80fb167dafdf 4631
wolfSSL 13:80fb167dafdf 4632 case SIG_STATE_DO:
wolfSSL 13:80fb167dafdf 4633 {
wolfSSL 13:80fb167dafdf 4634 switch (keyOID) {
wolfSSL 13:80fb167dafdf 4635 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 4636 case RSAk:
wolfSSL 13:80fb167dafdf 4637 {
wolfSSL 13:80fb167dafdf 4638 ret = wc_RsaSSL_VerifyInline(sigCtx->plain, sigSz,
wolfSSL 13:80fb167dafdf 4639 &sigCtx->out, sigCtx->key.rsa);
wolfSSL 13:80fb167dafdf 4640 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 4641 if (ret == WC_PENDING_E)
wolfSSL 13:80fb167dafdf 4642 sigCtx->asyncDev = &sigCtx->key.rsa->asyncDev;
wolfSSL 13:80fb167dafdf 4643 #endif
wolfSSL 13:80fb167dafdf 4644 break;
wolfSSL 13:80fb167dafdf 4645 }
wolfSSL 13:80fb167dafdf 4646 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 4647 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 4648 case ECDSAk:
wolfSSL 13:80fb167dafdf 4649 {
wolfSSL 13:80fb167dafdf 4650 ret = wc_ecc_verify_hash(sig, sigSz, sigCtx->digest,
wolfSSL 13:80fb167dafdf 4651 sigCtx->digestSz, &sigCtx->verify, sigCtx->key.ecc);
wolfSSL 13:80fb167dafdf 4652 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 4653 if (ret == WC_PENDING_E)
wolfSSL 13:80fb167dafdf 4654 sigCtx->asyncDev = &sigCtx->key.ecc->asyncDev;
wolfSSL 13:80fb167dafdf 4655 #endif
wolfSSL 13:80fb167dafdf 4656 break;
wolfSSL 13:80fb167dafdf 4657 }
wolfSSL 13:80fb167dafdf 4658 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 4659 default:
wolfSSL 13:80fb167dafdf 4660 break;
wolfSSL 13:80fb167dafdf 4661 } /* switch (keyOID) */
wolfSSL 13:80fb167dafdf 4662
wolfSSL 13:80fb167dafdf 4663 if (ret < 0) {
wolfSSL 13:80fb167dafdf 4664 /* treat all non async RSA errors as ASN_SIG_CONFIRM_E */
wolfSSL 13:80fb167dafdf 4665 if (ret != WC_PENDING_E)
wolfSSL 13:80fb167dafdf 4666 ret = ASN_SIG_CONFIRM_E;
wolfSSL 13:80fb167dafdf 4667 goto exit_cs;
wolfSSL 13:80fb167dafdf 4668 }
wolfSSL 13:80fb167dafdf 4669
wolfSSL 13:80fb167dafdf 4670 /* fall through */
wolfSSL 13:80fb167dafdf 4671 sigCtx->state = SIG_STATE_CHECK;
wolfSSL 13:80fb167dafdf 4672 } /* SIG_STATE_DO */
wolfSSL 13:80fb167dafdf 4673
wolfSSL 13:80fb167dafdf 4674 case SIG_STATE_CHECK:
wolfSSL 13:80fb167dafdf 4675 {
wolfSSL 13:80fb167dafdf 4676 switch (keyOID) {
wolfSSL 13:80fb167dafdf 4677 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 4678 case RSAk:
wolfSSL 13:80fb167dafdf 4679 {
wolfSSL 13:80fb167dafdf 4680 int encodedSigSz, verifySz;
wolfSSL 13:80fb167dafdf 4681 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 4682 byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
wolfSSL 13:80fb167dafdf 4683 sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4684 if (encodedSig == NULL) {
wolfSSL 13:80fb167dafdf 4685 ERROR_OUT(MEMORY_E, exit_cs);
wolfSSL 13:80fb167dafdf 4686 }
wolfSSL 13:80fb167dafdf 4687 #else
wolfSSL 13:80fb167dafdf 4688 byte encodedSig[MAX_ENCODED_SIG_SZ];
wolfSSL 13:80fb167dafdf 4689 #endif
wolfSSL 13:80fb167dafdf 4690
wolfSSL 13:80fb167dafdf 4691 verifySz = ret;
wolfSSL 13:80fb167dafdf 4692
wolfSSL 13:80fb167dafdf 4693 /* make sure we're right justified */
wolfSSL 13:80fb167dafdf 4694 encodedSigSz = wc_EncodeSignature(encodedSig,
wolfSSL 13:80fb167dafdf 4695 sigCtx->digest, sigCtx->digestSz, sigCtx->typeH);
wolfSSL 13:80fb167dafdf 4696 if (encodedSigSz == verifySz &&
wolfSSL 13:80fb167dafdf 4697 XMEMCMP(sigCtx->out, encodedSig, encodedSigSz) == 0) {
wolfSSL 13:80fb167dafdf 4698 ret = 0;
wolfSSL 13:80fb167dafdf 4699 }
wolfSSL 13:80fb167dafdf 4700 else {
wolfSSL 13:80fb167dafdf 4701 WOLFSSL_MSG("RSA SSL verify match encode error");
wolfSSL 13:80fb167dafdf 4702 ret = ASN_SIG_CONFIRM_E;
wolfSSL 13:80fb167dafdf 4703 }
wolfSSL 13:80fb167dafdf 4704
wolfSSL 13:80fb167dafdf 4705 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 4706 XFREE(encodedSig, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 4707 #endif
wolfSSL 13:80fb167dafdf 4708 break;
wolfSSL 13:80fb167dafdf 4709 }
wolfSSL 13:80fb167dafdf 4710 #endif /* NO_RSA */
wolfSSL 13:80fb167dafdf 4711 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 4712 case ECDSAk:
wolfSSL 13:80fb167dafdf 4713 {
wolfSSL 13:80fb167dafdf 4714 if (sigCtx->verify == 1) {
wolfSSL 13:80fb167dafdf 4715 ret = 0;
wolfSSL 13:80fb167dafdf 4716 }
wolfSSL 13:80fb167dafdf 4717 else {
wolfSSL 13:80fb167dafdf 4718 WOLFSSL_MSG("ECC Verify didn't match");
wolfSSL 13:80fb167dafdf 4719 ret = ASN_SIG_CONFIRM_E;
wolfSSL 13:80fb167dafdf 4720 }
wolfSSL 13:80fb167dafdf 4721 break;
wolfSSL 13:80fb167dafdf 4722 }
wolfSSL 13:80fb167dafdf 4723 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 4724 default:
wolfSSL 13:80fb167dafdf 4725 break;
wolfSSL 13:80fb167dafdf 4726 } /* switch (keyOID) */
wolfSSL 13:80fb167dafdf 4727
wolfSSL 13:80fb167dafdf 4728 break;
wolfSSL 13:80fb167dafdf 4729 } /* SIG_STATE_CHECK */
wolfSSL 13:80fb167dafdf 4730 } /* switch (sigCtx->state) */
wolfSSL 13:80fb167dafdf 4731
wolfSSL 13:80fb167dafdf 4732 exit_cs:
wolfSSL 13:80fb167dafdf 4733
wolfSSL 13:80fb167dafdf 4734 WOLFSSL_LEAVE("ConfirmSignature", ret);
wolfSSL 13:80fb167dafdf 4735
wolfSSL 13:80fb167dafdf 4736 if (ret != WC_PENDING_E) {
wolfSSL 13:80fb167dafdf 4737 FreeSignatureCtx(sigCtx);
wolfSSL 13:80fb167dafdf 4738 }
wolfSSL 13:80fb167dafdf 4739
wolfSSL 13:80fb167dafdf 4740 return ret;
wolfSSL 13:80fb167dafdf 4741 }
wolfSSL 13:80fb167dafdf 4742
wolfSSL 13:80fb167dafdf 4743
wolfSSL 13:80fb167dafdf 4744 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 4745
wolfSSL 13:80fb167dafdf 4746 static int MatchBaseName(int type, const char* name, int nameSz,
wolfSSL 13:80fb167dafdf 4747 const char* base, int baseSz)
wolfSSL 13:80fb167dafdf 4748 {
wolfSSL 13:80fb167dafdf 4749 if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 ||
wolfSSL 13:80fb167dafdf 4750 name[0] == '.' || nameSz < baseSz ||
wolfSSL 13:80fb167dafdf 4751 (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE))
wolfSSL 13:80fb167dafdf 4752 return 0;
wolfSSL 13:80fb167dafdf 4753
wolfSSL 13:80fb167dafdf 4754 /* If an email type, handle special cases where the base is only
wolfSSL 13:80fb167dafdf 4755 * a domain, or is an email address itself. */
wolfSSL 13:80fb167dafdf 4756 if (type == ASN_RFC822_TYPE) {
wolfSSL 13:80fb167dafdf 4757 const char* p = NULL;
wolfSSL 13:80fb167dafdf 4758 int count = 0;
wolfSSL 13:80fb167dafdf 4759
wolfSSL 13:80fb167dafdf 4760 if (base[0] != '.') {
wolfSSL 13:80fb167dafdf 4761 p = base;
wolfSSL 13:80fb167dafdf 4762 count = 0;
wolfSSL 13:80fb167dafdf 4763
wolfSSL 13:80fb167dafdf 4764 /* find the '@' in the base */
wolfSSL 13:80fb167dafdf 4765 while (*p != '@' && count < baseSz) {
wolfSSL 13:80fb167dafdf 4766 count++;
wolfSSL 13:80fb167dafdf 4767 p++;
wolfSSL 13:80fb167dafdf 4768 }
wolfSSL 13:80fb167dafdf 4769
wolfSSL 13:80fb167dafdf 4770 /* No '@' in base, reset p to NULL */
wolfSSL 13:80fb167dafdf 4771 if (count >= baseSz)
wolfSSL 13:80fb167dafdf 4772 p = NULL;
wolfSSL 13:80fb167dafdf 4773 }
wolfSSL 13:80fb167dafdf 4774
wolfSSL 13:80fb167dafdf 4775 if (p == NULL) {
wolfSSL 13:80fb167dafdf 4776 /* Base isn't an email address, it is a domain name,
wolfSSL 13:80fb167dafdf 4777 * wind the name forward one character past its '@'. */
wolfSSL 13:80fb167dafdf 4778 p = name;
wolfSSL 13:80fb167dafdf 4779 count = 0;
wolfSSL 13:80fb167dafdf 4780 while (*p != '@' && count < baseSz) {
wolfSSL 13:80fb167dafdf 4781 count++;
wolfSSL 13:80fb167dafdf 4782 p++;
wolfSSL 13:80fb167dafdf 4783 }
wolfSSL 13:80fb167dafdf 4784
wolfSSL 13:80fb167dafdf 4785 if (count < baseSz && *p == '@') {
wolfSSL 13:80fb167dafdf 4786 name = p + 1;
wolfSSL 13:80fb167dafdf 4787 nameSz -= count + 1;
wolfSSL 13:80fb167dafdf 4788 }
wolfSSL 13:80fb167dafdf 4789 }
wolfSSL 13:80fb167dafdf 4790 }
wolfSSL 13:80fb167dafdf 4791
wolfSSL 13:80fb167dafdf 4792 if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') {
wolfSSL 13:80fb167dafdf 4793 int szAdjust = nameSz - baseSz;
wolfSSL 13:80fb167dafdf 4794 name += szAdjust;
wolfSSL 13:80fb167dafdf 4795 nameSz -= szAdjust;
wolfSSL 13:80fb167dafdf 4796 }
wolfSSL 13:80fb167dafdf 4797
wolfSSL 13:80fb167dafdf 4798 while (nameSz > 0) {
wolfSSL 13:80fb167dafdf 4799 if (XTOLOWER((unsigned char)*name++) !=
wolfSSL 13:80fb167dafdf 4800 XTOLOWER((unsigned char)*base++))
wolfSSL 13:80fb167dafdf 4801 return 0;
wolfSSL 13:80fb167dafdf 4802 nameSz--;
wolfSSL 13:80fb167dafdf 4803 }
wolfSSL 13:80fb167dafdf 4804
wolfSSL 13:80fb167dafdf 4805 return 1;
wolfSSL 13:80fb167dafdf 4806 }
wolfSSL 13:80fb167dafdf 4807
wolfSSL 13:80fb167dafdf 4808
wolfSSL 13:80fb167dafdf 4809 static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 4810 {
wolfSSL 13:80fb167dafdf 4811 if (signer == NULL || cert == NULL)
wolfSSL 13:80fb167dafdf 4812 return 0;
wolfSSL 13:80fb167dafdf 4813
wolfSSL 13:80fb167dafdf 4814 /* Check against the excluded list */
wolfSSL 13:80fb167dafdf 4815 if (signer->excludedNames) {
wolfSSL 13:80fb167dafdf 4816 Base_entry* base = signer->excludedNames;
wolfSSL 13:80fb167dafdf 4817
wolfSSL 13:80fb167dafdf 4818 while (base != NULL) {
wolfSSL 13:80fb167dafdf 4819 if (base->type == ASN_DNS_TYPE) {
wolfSSL 13:80fb167dafdf 4820 DNS_entry* name = cert->altNames;
wolfSSL 13:80fb167dafdf 4821 while (name != NULL) {
wolfSSL 13:80fb167dafdf 4822 if (MatchBaseName(ASN_DNS_TYPE,
wolfSSL 13:80fb167dafdf 4823 name->name, (int)XSTRLEN(name->name),
wolfSSL 13:80fb167dafdf 4824 base->name, base->nameSz))
wolfSSL 13:80fb167dafdf 4825 return 0;
wolfSSL 13:80fb167dafdf 4826 name = name->next;
wolfSSL 13:80fb167dafdf 4827 }
wolfSSL 13:80fb167dafdf 4828 }
wolfSSL 13:80fb167dafdf 4829 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 13:80fb167dafdf 4830 DNS_entry* name = cert->altEmailNames;
wolfSSL 13:80fb167dafdf 4831 while (name != NULL) {
wolfSSL 13:80fb167dafdf 4832 if (MatchBaseName(ASN_RFC822_TYPE,
wolfSSL 13:80fb167dafdf 4833 name->name, (int)XSTRLEN(name->name),
wolfSSL 13:80fb167dafdf 4834 base->name, base->nameSz))
wolfSSL 13:80fb167dafdf 4835 return 0;
wolfSSL 13:80fb167dafdf 4836
wolfSSL 13:80fb167dafdf 4837 name = name->next;
wolfSSL 13:80fb167dafdf 4838 }
wolfSSL 13:80fb167dafdf 4839 }
wolfSSL 13:80fb167dafdf 4840 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 13:80fb167dafdf 4841 if (cert->subjectRawLen == base->nameSz &&
wolfSSL 13:80fb167dafdf 4842 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 13:80fb167dafdf 4843
wolfSSL 13:80fb167dafdf 4844 return 0;
wolfSSL 13:80fb167dafdf 4845 }
wolfSSL 13:80fb167dafdf 4846 }
wolfSSL 13:80fb167dafdf 4847 base = base->next;
wolfSSL 13:80fb167dafdf 4848 }
wolfSSL 13:80fb167dafdf 4849 }
wolfSSL 13:80fb167dafdf 4850
wolfSSL 13:80fb167dafdf 4851 /* Check against the permitted list */
wolfSSL 13:80fb167dafdf 4852 if (signer->permittedNames != NULL) {
wolfSSL 13:80fb167dafdf 4853 int needDns = 0;
wolfSSL 13:80fb167dafdf 4854 int matchDns = 0;
wolfSSL 13:80fb167dafdf 4855 int needEmail = 0;
wolfSSL 13:80fb167dafdf 4856 int matchEmail = 0;
wolfSSL 13:80fb167dafdf 4857 int needDir = 0;
wolfSSL 13:80fb167dafdf 4858 int matchDir = 0;
wolfSSL 13:80fb167dafdf 4859 Base_entry* base = signer->permittedNames;
wolfSSL 13:80fb167dafdf 4860
wolfSSL 13:80fb167dafdf 4861 while (base != NULL) {
wolfSSL 13:80fb167dafdf 4862 if (base->type == ASN_DNS_TYPE) {
wolfSSL 13:80fb167dafdf 4863 DNS_entry* name = cert->altNames;
wolfSSL 13:80fb167dafdf 4864
wolfSSL 13:80fb167dafdf 4865 if (name != NULL)
wolfSSL 13:80fb167dafdf 4866 needDns = 1;
wolfSSL 13:80fb167dafdf 4867
wolfSSL 13:80fb167dafdf 4868 while (name != NULL) {
wolfSSL 13:80fb167dafdf 4869 matchDns = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 13:80fb167dafdf 4870 name->name, (int)XSTRLEN(name->name),
wolfSSL 13:80fb167dafdf 4871 base->name, base->nameSz);
wolfSSL 13:80fb167dafdf 4872 name = name->next;
wolfSSL 13:80fb167dafdf 4873 }
wolfSSL 13:80fb167dafdf 4874 }
wolfSSL 13:80fb167dafdf 4875 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 13:80fb167dafdf 4876 DNS_entry* name = cert->altEmailNames;
wolfSSL 13:80fb167dafdf 4877
wolfSSL 13:80fb167dafdf 4878 if (name != NULL)
wolfSSL 13:80fb167dafdf 4879 needEmail = 1;
wolfSSL 13:80fb167dafdf 4880
wolfSSL 13:80fb167dafdf 4881 while (name != NULL) {
wolfSSL 13:80fb167dafdf 4882 matchEmail = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 13:80fb167dafdf 4883 name->name, (int)XSTRLEN(name->name),
wolfSSL 13:80fb167dafdf 4884 base->name, base->nameSz);
wolfSSL 13:80fb167dafdf 4885 name = name->next;
wolfSSL 13:80fb167dafdf 4886 }
wolfSSL 13:80fb167dafdf 4887 }
wolfSSL 13:80fb167dafdf 4888 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 13:80fb167dafdf 4889 needDir = 1;
wolfSSL 13:80fb167dafdf 4890 if (cert->subjectRaw != NULL &&
wolfSSL 13:80fb167dafdf 4891 cert->subjectRawLen == base->nameSz &&
wolfSSL 13:80fb167dafdf 4892 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 13:80fb167dafdf 4893
wolfSSL 13:80fb167dafdf 4894 matchDir = 1;
wolfSSL 13:80fb167dafdf 4895 }
wolfSSL 13:80fb167dafdf 4896 }
wolfSSL 13:80fb167dafdf 4897 base = base->next;
wolfSSL 13:80fb167dafdf 4898 }
wolfSSL 13:80fb167dafdf 4899
wolfSSL 13:80fb167dafdf 4900 if ((needDns && !matchDns) || (needEmail && !matchEmail) ||
wolfSSL 13:80fb167dafdf 4901 (needDir && !matchDir)) {
wolfSSL 13:80fb167dafdf 4902
wolfSSL 13:80fb167dafdf 4903 return 0;
wolfSSL 13:80fb167dafdf 4904 }
wolfSSL 13:80fb167dafdf 4905 }
wolfSSL 13:80fb167dafdf 4906
wolfSSL 13:80fb167dafdf 4907 return 1;
wolfSSL 13:80fb167dafdf 4908 }
wolfSSL 13:80fb167dafdf 4909
wolfSSL 13:80fb167dafdf 4910 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 4911
wolfSSL 13:80fb167dafdf 4912 static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 4913 {
wolfSSL 13:80fb167dafdf 4914 word32 idx = 0;
wolfSSL 13:80fb167dafdf 4915 int length = 0;
wolfSSL 13:80fb167dafdf 4916
wolfSSL 13:80fb167dafdf 4917 WOLFSSL_ENTER("DecodeAltNames");
wolfSSL 13:80fb167dafdf 4918
wolfSSL 13:80fb167dafdf 4919 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 4920 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 13:80fb167dafdf 4921 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 4922 }
wolfSSL 13:80fb167dafdf 4923
wolfSSL 13:80fb167dafdf 4924 cert->weOwnAltNames = 1;
wolfSSL 13:80fb167dafdf 4925
wolfSSL 13:80fb167dafdf 4926 while (length > 0) {
wolfSSL 13:80fb167dafdf 4927 byte b = input[idx++];
wolfSSL 13:80fb167dafdf 4928
wolfSSL 13:80fb167dafdf 4929 length--;
wolfSSL 13:80fb167dafdf 4930
wolfSSL 13:80fb167dafdf 4931 /* Save DNS Type names in the altNames list. */
wolfSSL 13:80fb167dafdf 4932 /* Save Other Type names in the cert's OidMap */
wolfSSL 13:80fb167dafdf 4933 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
wolfSSL 13:80fb167dafdf 4934 DNS_entry* dnsEntry;
wolfSSL 13:80fb167dafdf 4935 int strLen;
wolfSSL 13:80fb167dafdf 4936 word32 lenStartIdx = idx;
wolfSSL 13:80fb167dafdf 4937
wolfSSL 13:80fb167dafdf 4938 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 4939 WOLFSSL_MSG("\tfail: str length");
wolfSSL 13:80fb167dafdf 4940 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 4941 }
wolfSSL 13:80fb167dafdf 4942 length -= (idx - lenStartIdx);
wolfSSL 13:80fb167dafdf 4943
wolfSSL 13:80fb167dafdf 4944 dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 13:80fb167dafdf 4945 DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4946 if (dnsEntry == NULL) {
wolfSSL 13:80fb167dafdf 4947 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 4948 return MEMORY_E;
wolfSSL 13:80fb167dafdf 4949 }
wolfSSL 13:80fb167dafdf 4950
wolfSSL 13:80fb167dafdf 4951 dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 13:80fb167dafdf 4952 DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4953 if (dnsEntry->name == NULL) {
wolfSSL 13:80fb167dafdf 4954 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 4955 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4956 return MEMORY_E;
wolfSSL 13:80fb167dafdf 4957 }
wolfSSL 13:80fb167dafdf 4958
wolfSSL 13:80fb167dafdf 4959 XMEMCPY(dnsEntry->name, &input[idx], strLen);
wolfSSL 13:80fb167dafdf 4960 dnsEntry->name[strLen] = '\0';
wolfSSL 13:80fb167dafdf 4961
wolfSSL 13:80fb167dafdf 4962 dnsEntry->next = cert->altNames;
wolfSSL 13:80fb167dafdf 4963 cert->altNames = dnsEntry;
wolfSSL 13:80fb167dafdf 4964
wolfSSL 13:80fb167dafdf 4965 length -= strLen;
wolfSSL 13:80fb167dafdf 4966 idx += strLen;
wolfSSL 13:80fb167dafdf 4967 }
wolfSSL 13:80fb167dafdf 4968 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 4969 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
wolfSSL 13:80fb167dafdf 4970 DNS_entry* emailEntry;
wolfSSL 13:80fb167dafdf 4971 int strLen;
wolfSSL 13:80fb167dafdf 4972 word32 lenStartIdx = idx;
wolfSSL 13:80fb167dafdf 4973
wolfSSL 13:80fb167dafdf 4974 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 4975 WOLFSSL_MSG("\tfail: str length");
wolfSSL 13:80fb167dafdf 4976 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 4977 }
wolfSSL 13:80fb167dafdf 4978 length -= (idx - lenStartIdx);
wolfSSL 13:80fb167dafdf 4979
wolfSSL 13:80fb167dafdf 4980 emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 13:80fb167dafdf 4981 DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4982 if (emailEntry == NULL) {
wolfSSL 13:80fb167dafdf 4983 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 4984 return MEMORY_E;
wolfSSL 13:80fb167dafdf 4985 }
wolfSSL 13:80fb167dafdf 4986
wolfSSL 13:80fb167dafdf 4987 emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 13:80fb167dafdf 4988 DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4989 if (emailEntry->name == NULL) {
wolfSSL 13:80fb167dafdf 4990 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 4991 XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 4992 return MEMORY_E;
wolfSSL 13:80fb167dafdf 4993 }
wolfSSL 13:80fb167dafdf 4994
wolfSSL 13:80fb167dafdf 4995 XMEMCPY(emailEntry->name, &input[idx], strLen);
wolfSSL 13:80fb167dafdf 4996 emailEntry->name[strLen] = '\0';
wolfSSL 13:80fb167dafdf 4997
wolfSSL 13:80fb167dafdf 4998 emailEntry->next = cert->altEmailNames;
wolfSSL 13:80fb167dafdf 4999 cert->altEmailNames = emailEntry;
wolfSSL 13:80fb167dafdf 5000
wolfSSL 13:80fb167dafdf 5001 length -= strLen;
wolfSSL 13:80fb167dafdf 5002 idx += strLen;
wolfSSL 13:80fb167dafdf 5003 }
wolfSSL 13:80fb167dafdf 5004 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 5005 #ifdef WOLFSSL_SEP
wolfSSL 13:80fb167dafdf 5006 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
wolfSSL 13:80fb167dafdf 5007 {
wolfSSL 13:80fb167dafdf 5008 int strLen;
wolfSSL 13:80fb167dafdf 5009 word32 lenStartIdx = idx;
wolfSSL 13:80fb167dafdf 5010 word32 oid = 0;
wolfSSL 13:80fb167dafdf 5011 int ret;
wolfSSL 13:80fb167dafdf 5012
wolfSSL 13:80fb167dafdf 5013 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 5014 WOLFSSL_MSG("\tfail: other name length");
wolfSSL 13:80fb167dafdf 5015 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5016 }
wolfSSL 13:80fb167dafdf 5017 /* Consume the rest of this sequence. */
wolfSSL 13:80fb167dafdf 5018 length -= (strLen + idx - lenStartIdx);
wolfSSL 13:80fb167dafdf 5019
wolfSSL 13:80fb167dafdf 5020 if (GetObjectId(input, &idx, &oid, oidCertAltNameType, sz) < 0) {
wolfSSL 13:80fb167dafdf 5021 WOLFSSL_MSG("\tbad OID");
wolfSSL 13:80fb167dafdf 5022 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5023 }
wolfSSL 13:80fb167dafdf 5024
wolfSSL 13:80fb167dafdf 5025 if (oid != HW_NAME_OID) {
wolfSSL 13:80fb167dafdf 5026 WOLFSSL_MSG("\tincorrect OID");
wolfSSL 13:80fb167dafdf 5027 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5028 }
wolfSSL 13:80fb167dafdf 5029
wolfSSL 13:80fb167dafdf 5030 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 13:80fb167dafdf 5031 WOLFSSL_MSG("\twrong type");
wolfSSL 13:80fb167dafdf 5032 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5033 }
wolfSSL 13:80fb167dafdf 5034
wolfSSL 13:80fb167dafdf 5035 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 5036 WOLFSSL_MSG("\tfail: str len");
wolfSSL 13:80fb167dafdf 5037 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5038 }
wolfSSL 13:80fb167dafdf 5039
wolfSSL 13:80fb167dafdf 5040 if (GetSequence(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 5041 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 13:80fb167dafdf 5042 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5043 }
wolfSSL 13:80fb167dafdf 5044
wolfSSL 13:80fb167dafdf 5045 ret = GetASNObjectId(input, &idx, &strLen, sz);
wolfSSL 13:80fb167dafdf 5046 if (ret != 0) {
wolfSSL 13:80fb167dafdf 5047 WOLFSSL_MSG("\tbad OID");
wolfSSL 13:80fb167dafdf 5048 return ret;
wolfSSL 13:80fb167dafdf 5049 }
wolfSSL 13:80fb167dafdf 5050
wolfSSL 13:80fb167dafdf 5051 cert->hwType = (byte*)XMALLOC(strLen, cert->heap,
wolfSSL 13:80fb167dafdf 5052 DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 5053 if (cert->hwType == NULL) {
wolfSSL 13:80fb167dafdf 5054 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 5055 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5056 }
wolfSSL 13:80fb167dafdf 5057
wolfSSL 13:80fb167dafdf 5058 XMEMCPY(cert->hwType, &input[idx], strLen);
wolfSSL 13:80fb167dafdf 5059 cert->hwTypeSz = strLen;
wolfSSL 13:80fb167dafdf 5060 idx += strLen;
wolfSSL 13:80fb167dafdf 5061
wolfSSL 13:80fb167dafdf 5062 ret = GetOctetString(input, &idx, &strLen, sz);
wolfSSL 13:80fb167dafdf 5063 if (ret < 0)
wolfSSL 13:80fb167dafdf 5064 return ret;
wolfSSL 13:80fb167dafdf 5065
wolfSSL 13:80fb167dafdf 5066 cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 13:80fb167dafdf 5067 DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 5068 if (cert->hwSerialNum == NULL) {
wolfSSL 13:80fb167dafdf 5069 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 13:80fb167dafdf 5070 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5071 }
wolfSSL 13:80fb167dafdf 5072
wolfSSL 13:80fb167dafdf 5073 XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
wolfSSL 13:80fb167dafdf 5074 cert->hwSerialNum[strLen] = '\0';
wolfSSL 13:80fb167dafdf 5075 cert->hwSerialNumSz = strLen;
wolfSSL 13:80fb167dafdf 5076 idx += strLen;
wolfSSL 13:80fb167dafdf 5077 }
wolfSSL 13:80fb167dafdf 5078 #endif /* WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 5079 else {
wolfSSL 13:80fb167dafdf 5080 int strLen;
wolfSSL 13:80fb167dafdf 5081 word32 lenStartIdx = idx;
wolfSSL 13:80fb167dafdf 5082
wolfSSL 13:80fb167dafdf 5083 WOLFSSL_MSG("\tUnsupported name type, skipping");
wolfSSL 13:80fb167dafdf 5084
wolfSSL 13:80fb167dafdf 5085 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 13:80fb167dafdf 5086 WOLFSSL_MSG("\tfail: unsupported name length");
wolfSSL 13:80fb167dafdf 5087 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5088 }
wolfSSL 13:80fb167dafdf 5089 length -= (strLen + idx - lenStartIdx);
wolfSSL 13:80fb167dafdf 5090 idx += strLen;
wolfSSL 13:80fb167dafdf 5091 }
wolfSSL 13:80fb167dafdf 5092 }
wolfSSL 13:80fb167dafdf 5093 return 0;
wolfSSL 13:80fb167dafdf 5094 }
wolfSSL 13:80fb167dafdf 5095
wolfSSL 13:80fb167dafdf 5096 static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5097 {
wolfSSL 13:80fb167dafdf 5098 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5099 int length = 0;
wolfSSL 13:80fb167dafdf 5100 int ret;
wolfSSL 13:80fb167dafdf 5101
wolfSSL 13:80fb167dafdf 5102 WOLFSSL_ENTER("DecodeBasicCaConstraint");
wolfSSL 13:80fb167dafdf 5103
wolfSSL 13:80fb167dafdf 5104 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5105 WOLFSSL_MSG("\tfail: bad SEQUENCE");
wolfSSL 13:80fb167dafdf 5106 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5107 }
wolfSSL 13:80fb167dafdf 5108
wolfSSL 13:80fb167dafdf 5109 if (length == 0)
wolfSSL 13:80fb167dafdf 5110 return 0;
wolfSSL 13:80fb167dafdf 5111
wolfSSL 13:80fb167dafdf 5112 /* If the basic ca constraint is false, this extension may be named, but
wolfSSL 13:80fb167dafdf 5113 * left empty. So, if the length is 0, just return. */
wolfSSL 13:80fb167dafdf 5114
wolfSSL 13:80fb167dafdf 5115 ret = GetBoolean(input, &idx, sz);
wolfSSL 13:80fb167dafdf 5116 if (ret < 0) {
wolfSSL 13:80fb167dafdf 5117 WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN");
wolfSSL 13:80fb167dafdf 5118 return ret;
wolfSSL 13:80fb167dafdf 5119 }
wolfSSL 13:80fb167dafdf 5120
wolfSSL 13:80fb167dafdf 5121 cert->isCA = (byte)ret;
wolfSSL 13:80fb167dafdf 5122
wolfSSL 13:80fb167dafdf 5123 /* If there isn't any more data, return. */
wolfSSL 13:80fb167dafdf 5124 if (idx >= (word32)sz)
wolfSSL 13:80fb167dafdf 5125 return 0;
wolfSSL 13:80fb167dafdf 5126
wolfSSL 13:80fb167dafdf 5127 ret = GetInteger7Bit(input, &idx, sz);
wolfSSL 13:80fb167dafdf 5128 if (ret < 0)
wolfSSL 13:80fb167dafdf 5129 return ret;
wolfSSL 13:80fb167dafdf 5130
wolfSSL 13:80fb167dafdf 5131 cert->pathLength = (byte)ret;
wolfSSL 13:80fb167dafdf 5132 cert->pathLengthSet = 1;
wolfSSL 13:80fb167dafdf 5133
wolfSSL 13:80fb167dafdf 5134 return 0;
wolfSSL 13:80fb167dafdf 5135 }
wolfSSL 13:80fb167dafdf 5136
wolfSSL 13:80fb167dafdf 5137
wolfSSL 13:80fb167dafdf 5138 #define CRLDP_FULL_NAME 0
wolfSSL 13:80fb167dafdf 5139 /* From RFC3280 SS4.2.1.14, Distribution Point Name*/
wolfSSL 13:80fb167dafdf 5140 #define GENERALNAME_URI 6
wolfSSL 13:80fb167dafdf 5141 /* From RFC3280 SS4.2.1.7, GeneralName */
wolfSSL 13:80fb167dafdf 5142
wolfSSL 13:80fb167dafdf 5143 static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5144 {
wolfSSL 13:80fb167dafdf 5145 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5146 int length = 0;
wolfSSL 13:80fb167dafdf 5147
wolfSSL 13:80fb167dafdf 5148 WOLFSSL_ENTER("DecodeCrlDist");
wolfSSL 13:80fb167dafdf 5149
wolfSSL 13:80fb167dafdf 5150 /* Unwrap the list of Distribution Points*/
wolfSSL 13:80fb167dafdf 5151 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5152 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5153
wolfSSL 13:80fb167dafdf 5154 /* Unwrap a single Distribution Point */
wolfSSL 13:80fb167dafdf 5155 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5156 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5157
wolfSSL 13:80fb167dafdf 5158 /* The Distribution Point has three explicit optional members
wolfSSL 13:80fb167dafdf 5159 * First check for a DistributionPointName
wolfSSL 13:80fb167dafdf 5160 */
wolfSSL 13:80fb167dafdf 5161 if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
wolfSSL 13:80fb167dafdf 5162 {
wolfSSL 13:80fb167dafdf 5163 idx++;
wolfSSL 13:80fb167dafdf 5164 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5165 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5166
wolfSSL 13:80fb167dafdf 5167 if (input[idx] ==
wolfSSL 13:80fb167dafdf 5168 (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME))
wolfSSL 13:80fb167dafdf 5169 {
wolfSSL 13:80fb167dafdf 5170 idx++;
wolfSSL 13:80fb167dafdf 5171 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5172 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5173
wolfSSL 13:80fb167dafdf 5174 if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
wolfSSL 13:80fb167dafdf 5175 {
wolfSSL 13:80fb167dafdf 5176 idx++;
wolfSSL 13:80fb167dafdf 5177 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5178 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5179
wolfSSL 13:80fb167dafdf 5180 cert->extCrlInfoSz = length;
wolfSSL 13:80fb167dafdf 5181 cert->extCrlInfo = input + idx;
wolfSSL 13:80fb167dafdf 5182 idx += length;
wolfSSL 13:80fb167dafdf 5183 }
wolfSSL 13:80fb167dafdf 5184 else
wolfSSL 13:80fb167dafdf 5185 /* This isn't a URI, skip it. */
wolfSSL 13:80fb167dafdf 5186 idx += length;
wolfSSL 13:80fb167dafdf 5187 }
wolfSSL 13:80fb167dafdf 5188 else {
wolfSSL 13:80fb167dafdf 5189 /* This isn't a FULLNAME, skip it. */
wolfSSL 13:80fb167dafdf 5190 idx += length;
wolfSSL 13:80fb167dafdf 5191 }
wolfSSL 13:80fb167dafdf 5192 }
wolfSSL 13:80fb167dafdf 5193
wolfSSL 13:80fb167dafdf 5194 /* Check for reasonFlags */
wolfSSL 13:80fb167dafdf 5195 if (idx < (word32)sz &&
wolfSSL 13:80fb167dafdf 5196 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 13:80fb167dafdf 5197 {
wolfSSL 13:80fb167dafdf 5198 idx++;
wolfSSL 13:80fb167dafdf 5199 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5200 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5201 idx += length;
wolfSSL 13:80fb167dafdf 5202 }
wolfSSL 13:80fb167dafdf 5203
wolfSSL 13:80fb167dafdf 5204 /* Check for cRLIssuer */
wolfSSL 13:80fb167dafdf 5205 if (idx < (word32)sz &&
wolfSSL 13:80fb167dafdf 5206 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2))
wolfSSL 13:80fb167dafdf 5207 {
wolfSSL 13:80fb167dafdf 5208 idx++;
wolfSSL 13:80fb167dafdf 5209 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5210 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5211 idx += length;
wolfSSL 13:80fb167dafdf 5212 }
wolfSSL 13:80fb167dafdf 5213
wolfSSL 13:80fb167dafdf 5214 if (idx < (word32)sz)
wolfSSL 13:80fb167dafdf 5215 {
wolfSSL 13:80fb167dafdf 5216 WOLFSSL_MSG("\tThere are more CRL Distribution Point records, "
wolfSSL 13:80fb167dafdf 5217 "but we only use the first one.");
wolfSSL 13:80fb167dafdf 5218 }
wolfSSL 13:80fb167dafdf 5219
wolfSSL 13:80fb167dafdf 5220 return 0;
wolfSSL 13:80fb167dafdf 5221 }
wolfSSL 13:80fb167dafdf 5222
wolfSSL 13:80fb167dafdf 5223
wolfSSL 13:80fb167dafdf 5224 static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5225 /*
wolfSSL 13:80fb167dafdf 5226 * Read the first of the Authority Information Access records. If there are
wolfSSL 13:80fb167dafdf 5227 * any issues, return without saving the record.
wolfSSL 13:80fb167dafdf 5228 */
wolfSSL 13:80fb167dafdf 5229 {
wolfSSL 13:80fb167dafdf 5230 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5231 int length = 0;
wolfSSL 13:80fb167dafdf 5232 byte b;
wolfSSL 13:80fb167dafdf 5233 word32 oid;
wolfSSL 13:80fb167dafdf 5234
wolfSSL 13:80fb167dafdf 5235 WOLFSSL_ENTER("DecodeAuthInfo");
wolfSSL 13:80fb167dafdf 5236
wolfSSL 13:80fb167dafdf 5237 /* Unwrap the list of AIAs */
wolfSSL 13:80fb167dafdf 5238 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5239 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5240
wolfSSL 13:80fb167dafdf 5241 while (idx < (word32)sz) {
wolfSSL 13:80fb167dafdf 5242 /* Unwrap a single AIA */
wolfSSL 13:80fb167dafdf 5243 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5244 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5245
wolfSSL 13:80fb167dafdf 5246 oid = 0;
wolfSSL 13:80fb167dafdf 5247 if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0)
wolfSSL 13:80fb167dafdf 5248 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5249
wolfSSL 13:80fb167dafdf 5250
wolfSSL 13:80fb167dafdf 5251 /* Only supporting URIs right now. */
wolfSSL 13:80fb167dafdf 5252 b = input[idx++];
wolfSSL 13:80fb167dafdf 5253 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 5254 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5255
wolfSSL 13:80fb167dafdf 5256 if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
wolfSSL 13:80fb167dafdf 5257 oid == AIA_OCSP_OID)
wolfSSL 13:80fb167dafdf 5258 {
wolfSSL 13:80fb167dafdf 5259 cert->extAuthInfoSz = length;
wolfSSL 13:80fb167dafdf 5260 cert->extAuthInfo = input + idx;
wolfSSL 13:80fb167dafdf 5261 break;
wolfSSL 13:80fb167dafdf 5262 }
wolfSSL 13:80fb167dafdf 5263 idx += length;
wolfSSL 13:80fb167dafdf 5264 }
wolfSSL 13:80fb167dafdf 5265
wolfSSL 13:80fb167dafdf 5266 return 0;
wolfSSL 13:80fb167dafdf 5267 }
wolfSSL 13:80fb167dafdf 5268
wolfSSL 13:80fb167dafdf 5269
wolfSSL 13:80fb167dafdf 5270 static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5271 {
wolfSSL 13:80fb167dafdf 5272 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5273 int length = 0, ret = 0;
wolfSSL 13:80fb167dafdf 5274
wolfSSL 13:80fb167dafdf 5275 WOLFSSL_ENTER("DecodeAuthKeyId");
wolfSSL 13:80fb167dafdf 5276
wolfSSL 13:80fb167dafdf 5277 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5278 WOLFSSL_MSG("\tfail: should be a SEQUENCE\n");
wolfSSL 13:80fb167dafdf 5279 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5280 }
wolfSSL 13:80fb167dafdf 5281
wolfSSL 13:80fb167dafdf 5282 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
wolfSSL 13:80fb167dafdf 5283 WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
wolfSSL 13:80fb167dafdf 5284 return 0;
wolfSSL 13:80fb167dafdf 5285 }
wolfSSL 13:80fb167dafdf 5286
wolfSSL 13:80fb167dafdf 5287 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 13:80fb167dafdf 5288 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 13:80fb167dafdf 5289 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5290 }
wolfSSL 13:80fb167dafdf 5291
wolfSSL 13:80fb167dafdf 5292 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5293 cert->extAuthKeyIdSrc = &input[idx];
wolfSSL 13:80fb167dafdf 5294 cert->extAuthKeyIdSz = length;
wolfSSL 13:80fb167dafdf 5295 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 5296
wolfSSL 13:80fb167dafdf 5297 if (length == KEYID_SIZE) {
wolfSSL 13:80fb167dafdf 5298 XMEMCPY(cert->extAuthKeyId, input + idx, length);
wolfSSL 13:80fb167dafdf 5299 }
wolfSSL 13:80fb167dafdf 5300 else {
wolfSSL 13:80fb167dafdf 5301 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 5302 ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId);
wolfSSL 13:80fb167dafdf 5303 #else
wolfSSL 13:80fb167dafdf 5304 ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId);
wolfSSL 13:80fb167dafdf 5305 #endif
wolfSSL 13:80fb167dafdf 5306 }
wolfSSL 13:80fb167dafdf 5307
wolfSSL 13:80fb167dafdf 5308 return ret;
wolfSSL 13:80fb167dafdf 5309 }
wolfSSL 13:80fb167dafdf 5310
wolfSSL 13:80fb167dafdf 5311
wolfSSL 13:80fb167dafdf 5312 static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5313 {
wolfSSL 13:80fb167dafdf 5314 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5315 int length = 0, ret = 0;
wolfSSL 13:80fb167dafdf 5316
wolfSSL 13:80fb167dafdf 5317 WOLFSSL_ENTER("DecodeSubjKeyId");
wolfSSL 13:80fb167dafdf 5318
wolfSSL 13:80fb167dafdf 5319 if (sz <= 0)
wolfSSL 13:80fb167dafdf 5320 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5321
wolfSSL 13:80fb167dafdf 5322 ret = GetOctetString(input, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 5323 if (ret < 0)
wolfSSL 13:80fb167dafdf 5324 return ret;
wolfSSL 13:80fb167dafdf 5325
wolfSSL 13:80fb167dafdf 5326 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5327 cert->extSubjKeyIdSrc = &input[idx];
wolfSSL 13:80fb167dafdf 5328 cert->extSubjKeyIdSz = length;
wolfSSL 13:80fb167dafdf 5329 #endif /* OPENSSL_EXTRA */
wolfSSL 13:80fb167dafdf 5330
wolfSSL 13:80fb167dafdf 5331 if (length == SIGNER_DIGEST_SIZE) {
wolfSSL 13:80fb167dafdf 5332 XMEMCPY(cert->extSubjKeyId, input + idx, length);
wolfSSL 13:80fb167dafdf 5333 }
wolfSSL 13:80fb167dafdf 5334 else {
wolfSSL 13:80fb167dafdf 5335 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 5336 ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId);
wolfSSL 13:80fb167dafdf 5337 #else
wolfSSL 13:80fb167dafdf 5338 ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId);
wolfSSL 13:80fb167dafdf 5339 #endif
wolfSSL 13:80fb167dafdf 5340 }
wolfSSL 13:80fb167dafdf 5341
wolfSSL 13:80fb167dafdf 5342 return ret;
wolfSSL 13:80fb167dafdf 5343 }
wolfSSL 13:80fb167dafdf 5344
wolfSSL 13:80fb167dafdf 5345
wolfSSL 13:80fb167dafdf 5346 static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5347 {
wolfSSL 13:80fb167dafdf 5348 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5349 int length;
wolfSSL 13:80fb167dafdf 5350 int ret;
wolfSSL 13:80fb167dafdf 5351 WOLFSSL_ENTER("DecodeKeyUsage");
wolfSSL 13:80fb167dafdf 5352
wolfSSL 13:80fb167dafdf 5353 ret = CheckBitString(input, &idx, &length, sz, 0, NULL);
wolfSSL 13:80fb167dafdf 5354 if (ret != 0)
wolfSSL 13:80fb167dafdf 5355 return ret;
wolfSSL 13:80fb167dafdf 5356
wolfSSL 13:80fb167dafdf 5357 cert->extKeyUsage = (word16)(input[idx]);
wolfSSL 13:80fb167dafdf 5358 if (length == 2)
wolfSSL 13:80fb167dafdf 5359 cert->extKeyUsage |= (word16)(input[idx+1] << 8);
wolfSSL 13:80fb167dafdf 5360
wolfSSL 13:80fb167dafdf 5361 return 0;
wolfSSL 13:80fb167dafdf 5362 }
wolfSSL 13:80fb167dafdf 5363
wolfSSL 13:80fb167dafdf 5364
wolfSSL 13:80fb167dafdf 5365 static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5366 {
wolfSSL 13:80fb167dafdf 5367 word32 idx = 0, oid;
wolfSSL 13:80fb167dafdf 5368 int length;
wolfSSL 13:80fb167dafdf 5369
wolfSSL 13:80fb167dafdf 5370 WOLFSSL_ENTER("DecodeExtKeyUsage");
wolfSSL 13:80fb167dafdf 5371
wolfSSL 13:80fb167dafdf 5372 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5373 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 13:80fb167dafdf 5374 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5375 }
wolfSSL 13:80fb167dafdf 5376
wolfSSL 13:80fb167dafdf 5377 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5378 cert->extExtKeyUsageSrc = input + idx;
wolfSSL 13:80fb167dafdf 5379 cert->extExtKeyUsageSz = length;
wolfSSL 13:80fb167dafdf 5380 #endif
wolfSSL 13:80fb167dafdf 5381
wolfSSL 13:80fb167dafdf 5382 while (idx < (word32)sz) {
wolfSSL 13:80fb167dafdf 5383 if (GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz) < 0)
wolfSSL 13:80fb167dafdf 5384 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5385
wolfSSL 13:80fb167dafdf 5386 switch (oid) {
wolfSSL 13:80fb167dafdf 5387 case EKU_ANY_OID:
wolfSSL 13:80fb167dafdf 5388 cert->extExtKeyUsage |= EXTKEYUSE_ANY;
wolfSSL 13:80fb167dafdf 5389 break;
wolfSSL 13:80fb167dafdf 5390 case EKU_SERVER_AUTH_OID:
wolfSSL 13:80fb167dafdf 5391 cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH;
wolfSSL 13:80fb167dafdf 5392 break;
wolfSSL 13:80fb167dafdf 5393 case EKU_CLIENT_AUTH_OID:
wolfSSL 13:80fb167dafdf 5394 cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
wolfSSL 13:80fb167dafdf 5395 break;
wolfSSL 13:80fb167dafdf 5396 case EKU_OCSP_SIGN_OID:
wolfSSL 13:80fb167dafdf 5397 cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
wolfSSL 13:80fb167dafdf 5398 break;
wolfSSL 13:80fb167dafdf 5399 }
wolfSSL 13:80fb167dafdf 5400
wolfSSL 13:80fb167dafdf 5401 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5402 cert->extExtKeyUsageCount++;
wolfSSL 13:80fb167dafdf 5403 #endif
wolfSSL 13:80fb167dafdf 5404 }
wolfSSL 13:80fb167dafdf 5405
wolfSSL 13:80fb167dafdf 5406 return 0;
wolfSSL 13:80fb167dafdf 5407 }
wolfSSL 13:80fb167dafdf 5408
wolfSSL 13:80fb167dafdf 5409
wolfSSL 13:80fb167dafdf 5410 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 5411 static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
wolfSSL 13:80fb167dafdf 5412 {
wolfSSL 13:80fb167dafdf 5413 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5414
wolfSSL 13:80fb167dafdf 5415 (void)heap;
wolfSSL 13:80fb167dafdf 5416
wolfSSL 13:80fb167dafdf 5417 while (idx < (word32)sz) {
wolfSSL 13:80fb167dafdf 5418 int seqLength, strLength;
wolfSSL 13:80fb167dafdf 5419 word32 nameIdx;
wolfSSL 13:80fb167dafdf 5420 byte b;
wolfSSL 13:80fb167dafdf 5421
wolfSSL 13:80fb167dafdf 5422 if (GetSequence(input, &idx, &seqLength, sz) < 0) {
wolfSSL 13:80fb167dafdf 5423 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 13:80fb167dafdf 5424 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5425 }
wolfSSL 13:80fb167dafdf 5426
wolfSSL 13:80fb167dafdf 5427 nameIdx = idx;
wolfSSL 13:80fb167dafdf 5428 b = input[nameIdx++];
wolfSSL 13:80fb167dafdf 5429 if (GetLength(input, &nameIdx, &strLength, sz) <= 0) {
wolfSSL 13:80fb167dafdf 5430 WOLFSSL_MSG("\tinvalid length");
wolfSSL 13:80fb167dafdf 5431 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5432 }
wolfSSL 13:80fb167dafdf 5433
wolfSSL 13:80fb167dafdf 5434 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
wolfSSL 13:80fb167dafdf 5435 b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) ||
wolfSSL 13:80fb167dafdf 5436 b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
wolfSSL 13:80fb167dafdf 5437
wolfSSL 13:80fb167dafdf 5438 Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
wolfSSL 13:80fb167dafdf 5439 heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 5440
wolfSSL 13:80fb167dafdf 5441 if (entry == NULL) {
wolfSSL 13:80fb167dafdf 5442 WOLFSSL_MSG("allocate error");
wolfSSL 13:80fb167dafdf 5443 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5444 }
wolfSSL 13:80fb167dafdf 5445
wolfSSL 13:80fb167dafdf 5446 entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 5447 if (entry->name == NULL) {
wolfSSL 13:80fb167dafdf 5448 WOLFSSL_MSG("allocate error");
wolfSSL 13:80fb167dafdf 5449 XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 13:80fb167dafdf 5450 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5451 }
wolfSSL 13:80fb167dafdf 5452
wolfSSL 13:80fb167dafdf 5453 XMEMCPY(entry->name, &input[nameIdx], strLength);
wolfSSL 13:80fb167dafdf 5454 entry->nameSz = strLength;
wolfSSL 13:80fb167dafdf 5455 entry->type = b & 0x0F;
wolfSSL 13:80fb167dafdf 5456
wolfSSL 13:80fb167dafdf 5457 entry->next = *head;
wolfSSL 13:80fb167dafdf 5458 *head = entry;
wolfSSL 13:80fb167dafdf 5459 }
wolfSSL 13:80fb167dafdf 5460
wolfSSL 13:80fb167dafdf 5461 idx += seqLength;
wolfSSL 13:80fb167dafdf 5462 }
wolfSSL 13:80fb167dafdf 5463
wolfSSL 13:80fb167dafdf 5464 return 0;
wolfSSL 13:80fb167dafdf 5465 }
wolfSSL 13:80fb167dafdf 5466
wolfSSL 13:80fb167dafdf 5467
wolfSSL 13:80fb167dafdf 5468 static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5469 {
wolfSSL 13:80fb167dafdf 5470 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5471 int length = 0;
wolfSSL 13:80fb167dafdf 5472
wolfSSL 13:80fb167dafdf 5473 WOLFSSL_ENTER("DecodeNameConstraints");
wolfSSL 13:80fb167dafdf 5474
wolfSSL 13:80fb167dafdf 5475 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5476 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 13:80fb167dafdf 5477 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5478 }
wolfSSL 13:80fb167dafdf 5479
wolfSSL 13:80fb167dafdf 5480 while (idx < (word32)sz) {
wolfSSL 13:80fb167dafdf 5481 byte b = input[idx++];
wolfSSL 13:80fb167dafdf 5482 Base_entry** subtree = NULL;
wolfSSL 13:80fb167dafdf 5483
wolfSSL 13:80fb167dafdf 5484 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 13:80fb167dafdf 5485 WOLFSSL_MSG("\tinvalid length");
wolfSSL 13:80fb167dafdf 5486 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5487 }
wolfSSL 13:80fb167dafdf 5488
wolfSSL 13:80fb167dafdf 5489 if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0))
wolfSSL 13:80fb167dafdf 5490 subtree = &cert->permittedNames;
wolfSSL 13:80fb167dafdf 5491 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1))
wolfSSL 13:80fb167dafdf 5492 subtree = &cert->excludedNames;
wolfSSL 13:80fb167dafdf 5493 else {
wolfSSL 13:80fb167dafdf 5494 WOLFSSL_MSG("\tinvalid subtree");
wolfSSL 13:80fb167dafdf 5495 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5496 }
wolfSSL 13:80fb167dafdf 5497
wolfSSL 13:80fb167dafdf 5498 DecodeSubtree(input + idx, length, subtree, cert->heap);
wolfSSL 13:80fb167dafdf 5499
wolfSSL 13:80fb167dafdf 5500 idx += length;
wolfSSL 13:80fb167dafdf 5501 }
wolfSSL 13:80fb167dafdf 5502
wolfSSL 13:80fb167dafdf 5503 return 0;
wolfSSL 13:80fb167dafdf 5504 }
wolfSSL 13:80fb167dafdf 5505 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 5506
wolfSSL 13:80fb167dafdf 5507
wolfSSL 13:80fb167dafdf 5508 #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)
wolfSSL 13:80fb167dafdf 5509
wolfSSL 13:80fb167dafdf 5510 static int Word32ToString(char* d, word32 number)
wolfSSL 13:80fb167dafdf 5511 {
wolfSSL 13:80fb167dafdf 5512 int i = 0;
wolfSSL 13:80fb167dafdf 5513
wolfSSL 13:80fb167dafdf 5514 if (d != NULL) {
wolfSSL 13:80fb167dafdf 5515 word32 order = 1000000000;
wolfSSL 13:80fb167dafdf 5516 word32 digit;
wolfSSL 13:80fb167dafdf 5517
wolfSSL 13:80fb167dafdf 5518 if (number == 0) {
wolfSSL 13:80fb167dafdf 5519 d[i++] = '0';
wolfSSL 13:80fb167dafdf 5520 }
wolfSSL 13:80fb167dafdf 5521 else {
wolfSSL 13:80fb167dafdf 5522 while (order) {
wolfSSL 13:80fb167dafdf 5523 digit = number / order;
wolfSSL 13:80fb167dafdf 5524 if (i > 0 || digit != 0) {
wolfSSL 13:80fb167dafdf 5525 d[i++] = (char)digit + '0';
wolfSSL 13:80fb167dafdf 5526 }
wolfSSL 13:80fb167dafdf 5527 if (digit != 0)
wolfSSL 13:80fb167dafdf 5528 number %= digit * order;
wolfSSL 13:80fb167dafdf 5529 if (order > 1)
wolfSSL 13:80fb167dafdf 5530 order /= 10;
wolfSSL 13:80fb167dafdf 5531 else
wolfSSL 13:80fb167dafdf 5532 order = 0;
wolfSSL 13:80fb167dafdf 5533 }
wolfSSL 13:80fb167dafdf 5534 }
wolfSSL 13:80fb167dafdf 5535 d[i] = 0;
wolfSSL 13:80fb167dafdf 5536 }
wolfSSL 13:80fb167dafdf 5537
wolfSSL 13:80fb167dafdf 5538 return i;
wolfSSL 13:80fb167dafdf 5539 }
wolfSSL 13:80fb167dafdf 5540
wolfSSL 13:80fb167dafdf 5541
wolfSSL 13:80fb167dafdf 5542 /* Decode ITU-T X.690 OID format to a string representation
wolfSSL 13:80fb167dafdf 5543 * return string length */
wolfSSL 13:80fb167dafdf 5544 static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
wolfSSL 13:80fb167dafdf 5545 {
wolfSSL 13:80fb167dafdf 5546 word32 val, idx = 0, nb_bytes;
wolfSSL 13:80fb167dafdf 5547 size_t w_bytes = 0;
wolfSSL 13:80fb167dafdf 5548
wolfSSL 13:80fb167dafdf 5549 if (out == NULL || in == NULL || outSz < 4 || inSz < 2)
wolfSSL 13:80fb167dafdf 5550 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 5551
wolfSSL 13:80fb167dafdf 5552 /* first two byte must be interpreted as : 40 * int1 + int2 */
wolfSSL 13:80fb167dafdf 5553 val = (word16)in[idx++];
wolfSSL 13:80fb167dafdf 5554
wolfSSL 13:80fb167dafdf 5555 w_bytes = Word32ToString(out, val / 40);
wolfSSL 13:80fb167dafdf 5556 out[w_bytes++] = '.';
wolfSSL 13:80fb167dafdf 5557 w_bytes += Word32ToString(out+w_bytes, val % 40);
wolfSSL 13:80fb167dafdf 5558
wolfSSL 13:80fb167dafdf 5559 while (idx < inSz) {
wolfSSL 13:80fb167dafdf 5560 /* init value */
wolfSSL 13:80fb167dafdf 5561 val = 0;
wolfSSL 13:80fb167dafdf 5562 nb_bytes = 0;
wolfSSL 13:80fb167dafdf 5563
wolfSSL 13:80fb167dafdf 5564 /* check that output size is ok */
wolfSSL 13:80fb167dafdf 5565 if (w_bytes > (outSz - 3))
wolfSSL 13:80fb167dafdf 5566 return BUFFER_E;
wolfSSL 13:80fb167dafdf 5567
wolfSSL 13:80fb167dafdf 5568 /* first bit is used to set if value is coded on 1 or multiple bytes */
wolfSSL 13:80fb167dafdf 5569 while ((in[idx+nb_bytes] & 0x80))
wolfSSL 13:80fb167dafdf 5570 nb_bytes++;
wolfSSL 13:80fb167dafdf 5571
wolfSSL 13:80fb167dafdf 5572 if (!nb_bytes)
wolfSSL 13:80fb167dafdf 5573 val = (word32)(in[idx++] & 0x7f);
wolfSSL 13:80fb167dafdf 5574 else {
wolfSSL 13:80fb167dafdf 5575 word32 base = 1, tmp = nb_bytes;
wolfSSL 13:80fb167dafdf 5576
wolfSSL 13:80fb167dafdf 5577 while (tmp != 0) {
wolfSSL 13:80fb167dafdf 5578 val += (word32)(in[idx+tmp] & 0x7f) * base;
wolfSSL 13:80fb167dafdf 5579 base *= 128;
wolfSSL 13:80fb167dafdf 5580 tmp--;
wolfSSL 13:80fb167dafdf 5581 }
wolfSSL 13:80fb167dafdf 5582 val += (word32)(in[idx++] & 0x7f) * base;
wolfSSL 13:80fb167dafdf 5583
wolfSSL 13:80fb167dafdf 5584 idx += nb_bytes;
wolfSSL 13:80fb167dafdf 5585 }
wolfSSL 13:80fb167dafdf 5586
wolfSSL 13:80fb167dafdf 5587 out[w_bytes++] = '.';
wolfSSL 13:80fb167dafdf 5588 w_bytes += Word32ToString(out+w_bytes, val);
wolfSSL 13:80fb167dafdf 5589 }
wolfSSL 13:80fb167dafdf 5590
wolfSSL 13:80fb167dafdf 5591 return 0;
wolfSSL 13:80fb167dafdf 5592 }
wolfSSL 13:80fb167dafdf 5593 #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 5594
wolfSSL 13:80fb167dafdf 5595 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 13:80fb167dafdf 5596 /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
wolfSSL 13:80fb167dafdf 5597 static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5598 {
wolfSSL 13:80fb167dafdf 5599 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5600 word32 oldIdx;
wolfSSL 13:80fb167dafdf 5601 int ret;
wolfSSL 13:80fb167dafdf 5602 int total_length = 0, policy_length = 0, length = 0;
wolfSSL 13:80fb167dafdf 5603 #if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \
wolfSSL 13:80fb167dafdf 5604 !defined(WOLFSSL_DUP_CERTPOL)
wolfSSL 13:80fb167dafdf 5605 int i;
wolfSSL 13:80fb167dafdf 5606 #endif
wolfSSL 13:80fb167dafdf 5607
wolfSSL 13:80fb167dafdf 5608 WOLFSSL_ENTER("DecodeCertPolicy");
wolfSSL 13:80fb167dafdf 5609
wolfSSL 13:80fb167dafdf 5610 if (GetSequence(input, &idx, &total_length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5611 WOLFSSL_MSG("\tGet CertPolicy total seq failed");
wolfSSL 13:80fb167dafdf 5612 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5613 }
wolfSSL 13:80fb167dafdf 5614
wolfSSL 13:80fb167dafdf 5615 /* Validate total length (2 is the CERT_POLICY_OID+SEQ) */
wolfSSL 13:80fb167dafdf 5616 if ((total_length + 2) != sz) {
wolfSSL 13:80fb167dafdf 5617 WOLFSSL_MSG("\tCertPolicy length mismatch");
wolfSSL 13:80fb167dafdf 5618 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5619 }
wolfSSL 13:80fb167dafdf 5620
wolfSSL 13:80fb167dafdf 5621 /* Unwrap certificatePolicies */
wolfSSL 13:80fb167dafdf 5622 do {
wolfSSL 13:80fb167dafdf 5623 if (GetSequence(input, &idx, &policy_length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5624 WOLFSSL_MSG("\tGet CertPolicy seq failed");
wolfSSL 13:80fb167dafdf 5625 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5626 }
wolfSSL 13:80fb167dafdf 5627
wolfSSL 13:80fb167dafdf 5628 oldIdx = idx;
wolfSSL 13:80fb167dafdf 5629 ret = GetASNObjectId(input, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 5630 if (ret != 0)
wolfSSL 13:80fb167dafdf 5631 return ret;
wolfSSL 13:80fb167dafdf 5632 policy_length -= idx - oldIdx;
wolfSSL 13:80fb167dafdf 5633
wolfSSL 13:80fb167dafdf 5634 if (length > 0) {
wolfSSL 13:80fb167dafdf 5635 /* Verify length won't overrun buffer */
wolfSSL 13:80fb167dafdf 5636 if (length > (sz - (int)idx)) {
wolfSSL 13:80fb167dafdf 5637 WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
wolfSSL 13:80fb167dafdf 5638 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5639 }
wolfSSL 13:80fb167dafdf 5640
wolfSSL 13:80fb167dafdf 5641 #if defined(WOLFSSL_SEP)
wolfSSL 13:80fb167dafdf 5642 cert->deviceType = (byte*)XMALLOC(length, cert->heap,
wolfSSL 13:80fb167dafdf 5643 DYNAMIC_TYPE_X509_EXT);
wolfSSL 13:80fb167dafdf 5644 if (cert->deviceType == NULL) {
wolfSSL 13:80fb167dafdf 5645 WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
wolfSSL 13:80fb167dafdf 5646 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5647 }
wolfSSL 13:80fb167dafdf 5648 cert->deviceTypeSz = length;
wolfSSL 13:80fb167dafdf 5649 XMEMCPY(cert->deviceType, input + idx, length);
wolfSSL 13:80fb167dafdf 5650 break;
wolfSSL 13:80fb167dafdf 5651 #elif defined(WOLFSSL_CERT_EXT)
wolfSSL 13:80fb167dafdf 5652 /* decode cert policy */
wolfSSL 13:80fb167dafdf 5653 if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
wolfSSL 13:80fb167dafdf 5654 input + idx, length) != 0) {
wolfSSL 13:80fb167dafdf 5655 WOLFSSL_MSG("\tCouldn't decode CertPolicy");
wolfSSL 13:80fb167dafdf 5656 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5657 }
wolfSSL 13:80fb167dafdf 5658 #ifndef WOLFSSL_DUP_CERTPOL
wolfSSL 13:80fb167dafdf 5659 /* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST
wolfSSL 13:80fb167dafdf 5660 * NOT appear more than once in a certificate policies
wolfSSL 13:80fb167dafdf 5661 * extension". This is a sanity check for duplicates.
wolfSSL 13:80fb167dafdf 5662 * extCertPolicies should only have OID values, additional
wolfSSL 13:80fb167dafdf 5663 * qualifiers need to be stored in a seperate array. */
wolfSSL 13:80fb167dafdf 5664 for (i = 0; i < cert->extCertPoliciesNb; i++) {
wolfSSL 13:80fb167dafdf 5665 if (XMEMCMP(cert->extCertPolicies[i],
wolfSSL 13:80fb167dafdf 5666 cert->extCertPolicies[cert->extCertPoliciesNb],
wolfSSL 13:80fb167dafdf 5667 MAX_CERTPOL_SZ) == 0) {
wolfSSL 13:80fb167dafdf 5668 WOLFSSL_MSG("Duplicate policy OIDs not allowed");
wolfSSL 13:80fb167dafdf 5669 WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted");
wolfSSL 13:80fb167dafdf 5670 return CERTPOLICIES_E;
wolfSSL 13:80fb167dafdf 5671 }
wolfSSL 13:80fb167dafdf 5672 }
wolfSSL 13:80fb167dafdf 5673 #endif /* !defined(WOLFSSL_DUP_CERTPOL) */
wolfSSL 13:80fb167dafdf 5674 cert->extCertPoliciesNb++;
wolfSSL 13:80fb167dafdf 5675 #else
wolfSSL 13:80fb167dafdf 5676 WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
wolfSSL 13:80fb167dafdf 5677 return 0;
wolfSSL 13:80fb167dafdf 5678 #endif
wolfSSL 13:80fb167dafdf 5679 }
wolfSSL 13:80fb167dafdf 5680 idx += policy_length;
wolfSSL 13:80fb167dafdf 5681 } while((int)idx < total_length
wolfSSL 13:80fb167dafdf 5682 #if defined(WOLFSSL_CERT_EXT)
wolfSSL 13:80fb167dafdf 5683 && cert->extCertPoliciesNb < MAX_CERTPOL_NB
wolfSSL 13:80fb167dafdf 5684 #endif
wolfSSL 13:80fb167dafdf 5685 );
wolfSSL 13:80fb167dafdf 5686
wolfSSL 13:80fb167dafdf 5687 WOLFSSL_LEAVE("DecodeCertPolicy", 0);
wolfSSL 13:80fb167dafdf 5688 return 0;
wolfSSL 13:80fb167dafdf 5689 }
wolfSSL 13:80fb167dafdf 5690 #endif /* WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 5691
wolfSSL 13:80fb167dafdf 5692 static int DecodeCertExtensions(DecodedCert* cert)
wolfSSL 13:80fb167dafdf 5693 /*
wolfSSL 13:80fb167dafdf 5694 * Processing the Certificate Extensions. This does not modify the current
wolfSSL 13:80fb167dafdf 5695 * index. It is works starting with the recorded extensions pointer.
wolfSSL 13:80fb167dafdf 5696 */
wolfSSL 13:80fb167dafdf 5697 {
wolfSSL 13:80fb167dafdf 5698 int ret;
wolfSSL 13:80fb167dafdf 5699 word32 idx = 0;
wolfSSL 13:80fb167dafdf 5700 int sz = cert->extensionsSz;
wolfSSL 13:80fb167dafdf 5701 byte* input = cert->extensions;
wolfSSL 13:80fb167dafdf 5702 int length;
wolfSSL 13:80fb167dafdf 5703 word32 oid;
wolfSSL 13:80fb167dafdf 5704 byte critical = 0;
wolfSSL 13:80fb167dafdf 5705 byte criticalFail = 0;
wolfSSL 13:80fb167dafdf 5706
wolfSSL 13:80fb167dafdf 5707 WOLFSSL_ENTER("DecodeCertExtensions");
wolfSSL 13:80fb167dafdf 5708
wolfSSL 13:80fb167dafdf 5709 if (input == NULL || sz == 0)
wolfSSL 13:80fb167dafdf 5710 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 5711
wolfSSL 13:80fb167dafdf 5712 if (input[idx++] != ASN_EXTENSIONS) {
wolfSSL 13:80fb167dafdf 5713 WOLFSSL_MSG("\tfail: should be an EXTENSIONS");
wolfSSL 13:80fb167dafdf 5714 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5715 }
wolfSSL 13:80fb167dafdf 5716
wolfSSL 13:80fb167dafdf 5717 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5718 WOLFSSL_MSG("\tfail: invalid length");
wolfSSL 13:80fb167dafdf 5719 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5720 }
wolfSSL 13:80fb167dafdf 5721
wolfSSL 13:80fb167dafdf 5722 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5723 WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)");
wolfSSL 13:80fb167dafdf 5724 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5725 }
wolfSSL 13:80fb167dafdf 5726
wolfSSL 13:80fb167dafdf 5727 while (idx < (word32)sz) {
wolfSSL 13:80fb167dafdf 5728 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 5729 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 13:80fb167dafdf 5730 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5731 }
wolfSSL 13:80fb167dafdf 5732
wolfSSL 13:80fb167dafdf 5733 oid = 0;
wolfSSL 13:80fb167dafdf 5734 if ((ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz)) < 0) {
wolfSSL 13:80fb167dafdf 5735 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 13:80fb167dafdf 5736 return ret;
wolfSSL 13:80fb167dafdf 5737 }
wolfSSL 13:80fb167dafdf 5738
wolfSSL 13:80fb167dafdf 5739 /* check for critical flag */
wolfSSL 13:80fb167dafdf 5740 critical = 0;
wolfSSL 13:80fb167dafdf 5741 if (input[idx] == ASN_BOOLEAN) {
wolfSSL 13:80fb167dafdf 5742 ret = GetBoolean(input, &idx, sz);
wolfSSL 13:80fb167dafdf 5743 if (ret < 0) {
wolfSSL 13:80fb167dafdf 5744 WOLFSSL_MSG("\tfail: critical boolean");
wolfSSL 13:80fb167dafdf 5745 return ret;
wolfSSL 13:80fb167dafdf 5746 }
wolfSSL 13:80fb167dafdf 5747
wolfSSL 13:80fb167dafdf 5748 critical = (byte)ret;
wolfSSL 13:80fb167dafdf 5749 }
wolfSSL 13:80fb167dafdf 5750
wolfSSL 13:80fb167dafdf 5751 /* process the extension based on the OID */
wolfSSL 13:80fb167dafdf 5752 ret = GetOctetString(input, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 5753 if (ret < 0) {
wolfSSL 13:80fb167dafdf 5754 WOLFSSL_MSG("\tfail: bad OCTET STRING");
wolfSSL 13:80fb167dafdf 5755 return ret;
wolfSSL 13:80fb167dafdf 5756 }
wolfSSL 13:80fb167dafdf 5757
wolfSSL 13:80fb167dafdf 5758 switch (oid) {
wolfSSL 13:80fb167dafdf 5759 case BASIC_CA_OID:
wolfSSL 13:80fb167dafdf 5760 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5761 cert->extBasicConstSet = 1;
wolfSSL 13:80fb167dafdf 5762 cert->extBasicConstCrit = critical;
wolfSSL 13:80fb167dafdf 5763 #endif
wolfSSL 13:80fb167dafdf 5764 if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5765 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5766 break;
wolfSSL 13:80fb167dafdf 5767
wolfSSL 13:80fb167dafdf 5768 case CRL_DIST_OID:
wolfSSL 13:80fb167dafdf 5769 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5770 cert->extCRLdistSet = 1;
wolfSSL 13:80fb167dafdf 5771 cert->extCRLdistCrit = critical;
wolfSSL 13:80fb167dafdf 5772 #endif
wolfSSL 13:80fb167dafdf 5773 if (DecodeCrlDist(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5774 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5775 break;
wolfSSL 13:80fb167dafdf 5776
wolfSSL 13:80fb167dafdf 5777 case AUTH_INFO_OID:
wolfSSL 13:80fb167dafdf 5778 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5779 cert->extAuthInfoSet = 1;
wolfSSL 13:80fb167dafdf 5780 cert->extAuthInfoCrit = critical;
wolfSSL 13:80fb167dafdf 5781 #endif
wolfSSL 13:80fb167dafdf 5782 if (DecodeAuthInfo(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5783 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5784 break;
wolfSSL 13:80fb167dafdf 5785
wolfSSL 13:80fb167dafdf 5786 case ALT_NAMES_OID:
wolfSSL 13:80fb167dafdf 5787 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5788 cert->extSubjAltNameSet = 1;
wolfSSL 13:80fb167dafdf 5789 cert->extSubjAltNameCrit = critical;
wolfSSL 13:80fb167dafdf 5790 #endif
wolfSSL 13:80fb167dafdf 5791 if (DecodeAltNames(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5792 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5793 break;
wolfSSL 13:80fb167dafdf 5794
wolfSSL 13:80fb167dafdf 5795 case AUTH_KEY_OID:
wolfSSL 13:80fb167dafdf 5796 cert->extAuthKeyIdSet = 1;
wolfSSL 13:80fb167dafdf 5797 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5798 cert->extAuthKeyIdCrit = critical;
wolfSSL 13:80fb167dafdf 5799 #endif
wolfSSL 13:80fb167dafdf 5800 if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5801 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5802 break;
wolfSSL 13:80fb167dafdf 5803
wolfSSL 13:80fb167dafdf 5804 case SUBJ_KEY_OID:
wolfSSL 13:80fb167dafdf 5805 cert->extSubjKeyIdSet = 1;
wolfSSL 13:80fb167dafdf 5806 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5807 cert->extSubjKeyIdCrit = critical;
wolfSSL 13:80fb167dafdf 5808 #endif
wolfSSL 13:80fb167dafdf 5809 #ifndef WOLFSSL_ALLOW_CRIT_SKID
wolfSSL 13:80fb167dafdf 5810 /* This check is added due to RFC 5280 section 4.2.1.2
wolfSSL 13:80fb167dafdf 5811 * stating that conforming CA's must mark this extension
wolfSSL 13:80fb167dafdf 5812 * as non-critical. When parsing extensions check that
wolfSSL 13:80fb167dafdf 5813 * certificate was made in compliance with this. */
wolfSSL 13:80fb167dafdf 5814 if (critical) {
wolfSSL 13:80fb167dafdf 5815 WOLFSSL_MSG("Critical Subject Key ID is not allowed");
wolfSSL 13:80fb167dafdf 5816 WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
wolfSSL 13:80fb167dafdf 5817 return ASN_CRIT_EXT_E;
wolfSSL 13:80fb167dafdf 5818 }
wolfSSL 13:80fb167dafdf 5819 #endif
wolfSSL 13:80fb167dafdf 5820
wolfSSL 13:80fb167dafdf 5821 if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5822 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5823 break;
wolfSSL 13:80fb167dafdf 5824
wolfSSL 13:80fb167dafdf 5825 case CERT_POLICY_OID:
wolfSSL 13:80fb167dafdf 5826 #ifdef WOLFSSL_SEP
wolfSSL 13:80fb167dafdf 5827 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5828 cert->extCertPolicySet = 1;
wolfSSL 13:80fb167dafdf 5829 cert->extCertPolicyCrit = critical;
wolfSSL 13:80fb167dafdf 5830 #endif
wolfSSL 13:80fb167dafdf 5831 #endif
wolfSSL 13:80fb167dafdf 5832 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 13:80fb167dafdf 5833 if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
wolfSSL 13:80fb167dafdf 5834 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5835 }
wolfSSL 13:80fb167dafdf 5836 #else
wolfSSL 13:80fb167dafdf 5837 WOLFSSL_MSG("Certificate Policy extension not supported yet.");
wolfSSL 13:80fb167dafdf 5838 #endif
wolfSSL 13:80fb167dafdf 5839 break;
wolfSSL 13:80fb167dafdf 5840
wolfSSL 13:80fb167dafdf 5841 case KEY_USAGE_OID:
wolfSSL 13:80fb167dafdf 5842 cert->extKeyUsageSet = 1;
wolfSSL 13:80fb167dafdf 5843 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5844 cert->extKeyUsageCrit = critical;
wolfSSL 13:80fb167dafdf 5845 #endif
wolfSSL 13:80fb167dafdf 5846 if (DecodeKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5847 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5848 break;
wolfSSL 13:80fb167dafdf 5849
wolfSSL 13:80fb167dafdf 5850 case EXT_KEY_USAGE_OID:
wolfSSL 13:80fb167dafdf 5851 cert->extExtKeyUsageSet = 1;
wolfSSL 13:80fb167dafdf 5852 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5853 cert->extExtKeyUsageCrit = critical;
wolfSSL 13:80fb167dafdf 5854 #endif
wolfSSL 13:80fb167dafdf 5855 if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5856 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5857 break;
wolfSSL 13:80fb167dafdf 5858
wolfSSL 13:80fb167dafdf 5859 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 5860 case NAME_CONS_OID:
wolfSSL 13:80fb167dafdf 5861 cert->extNameConstraintSet = 1;
wolfSSL 13:80fb167dafdf 5862 #ifdef OPENSSL_EXTRA
wolfSSL 13:80fb167dafdf 5863 cert->extNameConstraintCrit = critical;
wolfSSL 13:80fb167dafdf 5864 #endif
wolfSSL 13:80fb167dafdf 5865 if (DecodeNameConstraints(&input[idx], length, cert) < 0)
wolfSSL 13:80fb167dafdf 5866 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 5867 break;
wolfSSL 13:80fb167dafdf 5868 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 5869
wolfSSL 13:80fb167dafdf 5870 case INHIBIT_ANY_OID:
wolfSSL 13:80fb167dafdf 5871 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
wolfSSL 13:80fb167dafdf 5872 break;
wolfSSL 13:80fb167dafdf 5873
wolfSSL 13:80fb167dafdf 5874 default:
wolfSSL 13:80fb167dafdf 5875 /* While it is a failure to not support critical extensions,
wolfSSL 13:80fb167dafdf 5876 * still parse the certificate ignoring the unsupported
wolfSSL 13:80fb167dafdf 5877 * extension to allow caller to accept it with the verify
wolfSSL 13:80fb167dafdf 5878 * callback. */
wolfSSL 13:80fb167dafdf 5879 if (critical)
wolfSSL 13:80fb167dafdf 5880 criticalFail = 1;
wolfSSL 13:80fb167dafdf 5881 break;
wolfSSL 13:80fb167dafdf 5882 }
wolfSSL 13:80fb167dafdf 5883 idx += length;
wolfSSL 13:80fb167dafdf 5884 }
wolfSSL 13:80fb167dafdf 5885
wolfSSL 13:80fb167dafdf 5886 return criticalFail ? ASN_CRIT_EXT_E : 0;
wolfSSL 13:80fb167dafdf 5887 }
wolfSSL 13:80fb167dafdf 5888
wolfSSL 13:80fb167dafdf 5889 int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 13:80fb167dafdf 5890 {
wolfSSL 13:80fb167dafdf 5891 int ret;
wolfSSL 13:80fb167dafdf 5892 char* ptr;
wolfSSL 13:80fb167dafdf 5893
wolfSSL 13:80fb167dafdf 5894 ret = ParseCertRelative(cert, type, verify, cm);
wolfSSL 13:80fb167dafdf 5895 if (ret < 0)
wolfSSL 13:80fb167dafdf 5896 return ret;
wolfSSL 13:80fb167dafdf 5897
wolfSSL 13:80fb167dafdf 5898 if (cert->subjectCNLen > 0) {
wolfSSL 13:80fb167dafdf 5899 ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap,
wolfSSL 13:80fb167dafdf 5900 DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 13:80fb167dafdf 5901 if (ptr == NULL)
wolfSSL 13:80fb167dafdf 5902 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5903 XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen);
wolfSSL 13:80fb167dafdf 5904 ptr[cert->subjectCNLen] = '\0';
wolfSSL 13:80fb167dafdf 5905 cert->subjectCN = ptr;
wolfSSL 13:80fb167dafdf 5906 cert->subjectCNStored = 1;
wolfSSL 13:80fb167dafdf 5907 }
wolfSSL 13:80fb167dafdf 5908
wolfSSL 13:80fb167dafdf 5909 if (cert->keyOID == RSAk &&
wolfSSL 13:80fb167dafdf 5910 cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL 13:80fb167dafdf 5911 ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap,
wolfSSL 13:80fb167dafdf 5912 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 13:80fb167dafdf 5913 if (ptr == NULL)
wolfSSL 13:80fb167dafdf 5914 return MEMORY_E;
wolfSSL 13:80fb167dafdf 5915 XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
wolfSSL 13:80fb167dafdf 5916 cert->publicKey = (byte *)ptr;
wolfSSL 13:80fb167dafdf 5917 cert->pubKeyStored = 1;
wolfSSL 13:80fb167dafdf 5918 }
wolfSSL 13:80fb167dafdf 5919
wolfSSL 13:80fb167dafdf 5920 return ret;
wolfSSL 13:80fb167dafdf 5921 }
wolfSSL 13:80fb167dafdf 5922
wolfSSL 13:80fb167dafdf 5923 /* from SSL proper, for locking can't do find here anymore */
wolfSSL 13:80fb167dafdf 5924 #ifdef __cplusplus
wolfSSL 13:80fb167dafdf 5925 extern "C" {
wolfSSL 13:80fb167dafdf 5926 #endif
wolfSSL 13:80fb167dafdf 5927 WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
wolfSSL 13:80fb167dafdf 5928 #ifndef NO_SKID
wolfSSL 13:80fb167dafdf 5929 WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
wolfSSL 13:80fb167dafdf 5930 #endif
wolfSSL 13:80fb167dafdf 5931 #ifdef __cplusplus
wolfSSL 13:80fb167dafdf 5932 }
wolfSSL 13:80fb167dafdf 5933 #endif
wolfSSL 13:80fb167dafdf 5934
wolfSSL 13:80fb167dafdf 5935
wolfSSL 13:80fb167dafdf 5936 #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
wolfSSL 13:80fb167dafdf 5937
wolfSSL 13:80fb167dafdf 5938 /* dummy functions, not using wolfSSL so don't need actual ones */
wolfSSL 13:80fb167dafdf 5939 Signer* GetCA(void* signers, byte* hash)
wolfSSL 13:80fb167dafdf 5940 {
wolfSSL 13:80fb167dafdf 5941 (void)hash;
wolfSSL 13:80fb167dafdf 5942
wolfSSL 13:80fb167dafdf 5943 return (Signer*)signers;
wolfSSL 13:80fb167dafdf 5944 }
wolfSSL 13:80fb167dafdf 5945
wolfSSL 13:80fb167dafdf 5946 #ifndef NO_SKID
wolfSSL 13:80fb167dafdf 5947 Signer* GetCAByName(void* signers, byte* hash)
wolfSSL 13:80fb167dafdf 5948 {
wolfSSL 13:80fb167dafdf 5949 (void)hash;
wolfSSL 13:80fb167dafdf 5950
wolfSSL 13:80fb167dafdf 5951 return (Signer*)signers;
wolfSSL 13:80fb167dafdf 5952 }
wolfSSL 13:80fb167dafdf 5953 #endif /* NO_SKID */
wolfSSL 13:80fb167dafdf 5954
wolfSSL 13:80fb167dafdf 5955 #endif /* WOLFCRYPT_ONLY || NO_CERTS */
wolfSSL 13:80fb167dafdf 5956
wolfSSL 13:80fb167dafdf 5957 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 13:80fb167dafdf 5958 {
wolfSSL 13:80fb167dafdf 5959 int ret = 0;
wolfSSL 13:80fb167dafdf 5960 int badDate = 0;
wolfSSL 13:80fb167dafdf 5961 int criticalExt = 0;
wolfSSL 13:80fb167dafdf 5962 word32 confirmOID;
wolfSSL 13:80fb167dafdf 5963
wolfSSL 13:80fb167dafdf 5964 if (cert == NULL) {
wolfSSL 13:80fb167dafdf 5965 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 5966 }
wolfSSL 13:80fb167dafdf 5967
wolfSSL 13:80fb167dafdf 5968 if (cert->sigCtx.state == SIG_STATE_BEGIN) {
wolfSSL 13:80fb167dafdf 5969 if ((ret = DecodeToKey(cert, verify)) < 0) {
wolfSSL 13:80fb167dafdf 5970 if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)
wolfSSL 13:80fb167dafdf 5971 badDate = ret;
wolfSSL 13:80fb167dafdf 5972 else
wolfSSL 13:80fb167dafdf 5973 return ret;
wolfSSL 13:80fb167dafdf 5974 }
wolfSSL 13:80fb167dafdf 5975
wolfSSL 13:80fb167dafdf 5976 WOLFSSL_MSG("Parsed Past Key");
wolfSSL 13:80fb167dafdf 5977
wolfSSL 13:80fb167dafdf 5978 if (cert->srcIdx < cert->sigIndex) {
wolfSSL 13:80fb167dafdf 5979 #ifndef ALLOW_V1_EXTENSIONS
wolfSSL 13:80fb167dafdf 5980 if (cert->version < 2) {
wolfSSL 13:80fb167dafdf 5981 WOLFSSL_MSG("\tv1 and v2 certs not allowed extensions");
wolfSSL 13:80fb167dafdf 5982 return ASN_VERSION_E;
wolfSSL 13:80fb167dafdf 5983 }
wolfSSL 13:80fb167dafdf 5984 #endif
wolfSSL 13:80fb167dafdf 5985
wolfSSL 13:80fb167dafdf 5986 /* save extensions */
wolfSSL 13:80fb167dafdf 5987 cert->extensions = &cert->source[cert->srcIdx];
wolfSSL 13:80fb167dafdf 5988 cert->extensionsSz = cert->sigIndex - cert->srcIdx;
wolfSSL 13:80fb167dafdf 5989 cert->extensionsIdx = cert->srcIdx; /* for potential later use */
wolfSSL 13:80fb167dafdf 5990
wolfSSL 13:80fb167dafdf 5991 if ((ret = DecodeCertExtensions(cert)) < 0) {
wolfSSL 13:80fb167dafdf 5992 if (ret == ASN_CRIT_EXT_E)
wolfSSL 13:80fb167dafdf 5993 criticalExt = ret;
wolfSSL 13:80fb167dafdf 5994 else
wolfSSL 13:80fb167dafdf 5995 return ret;
wolfSSL 13:80fb167dafdf 5996 }
wolfSSL 13:80fb167dafdf 5997
wolfSSL 13:80fb167dafdf 5998 /* advance past extensions */
wolfSSL 13:80fb167dafdf 5999 cert->srcIdx = cert->sigIndex;
wolfSSL 13:80fb167dafdf 6000 }
wolfSSL 13:80fb167dafdf 6001
wolfSSL 13:80fb167dafdf 6002 if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
wolfSSL 13:80fb167dafdf 6003 oidSigType, cert->maxIdx)) < 0)
wolfSSL 13:80fb167dafdf 6004 return ret;
wolfSSL 13:80fb167dafdf 6005
wolfSSL 13:80fb167dafdf 6006 if ((ret = GetSignature(cert)) < 0)
wolfSSL 13:80fb167dafdf 6007 return ret;
wolfSSL 13:80fb167dafdf 6008
wolfSSL 13:80fb167dafdf 6009 if (confirmOID != cert->signatureOID)
wolfSSL 13:80fb167dafdf 6010 return ASN_SIG_OID_E;
wolfSSL 13:80fb167dafdf 6011
wolfSSL 13:80fb167dafdf 6012 #ifndef NO_SKID
wolfSSL 13:80fb167dafdf 6013 if (cert->extSubjKeyIdSet == 0 && cert->publicKey != NULL &&
wolfSSL 13:80fb167dafdf 6014 cert->pubKeySize > 0) {
wolfSSL 13:80fb167dafdf 6015 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 6016 ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize,
wolfSSL 13:80fb167dafdf 6017 cert->extSubjKeyId);
wolfSSL 13:80fb167dafdf 6018 #else
wolfSSL 13:80fb167dafdf 6019 ret = wc_ShaHash(cert->publicKey, cert->pubKeySize,
wolfSSL 13:80fb167dafdf 6020 cert->extSubjKeyId);
wolfSSL 13:80fb167dafdf 6021 #endif /* NO_SHA */
wolfSSL 13:80fb167dafdf 6022 if (ret != 0)
wolfSSL 13:80fb167dafdf 6023 return ret;
wolfSSL 13:80fb167dafdf 6024 }
wolfSSL 13:80fb167dafdf 6025 #endif /* !NO_SKID */
wolfSSL 13:80fb167dafdf 6026
wolfSSL 13:80fb167dafdf 6027 if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
wolfSSL 13:80fb167dafdf 6028 cert->ca = NULL;
wolfSSL 13:80fb167dafdf 6029 #ifndef NO_SKID
wolfSSL 13:80fb167dafdf 6030 if (cert->extAuthKeyIdSet)
wolfSSL 13:80fb167dafdf 6031 cert->ca = GetCA(cm, cert->extAuthKeyId);
wolfSSL 13:80fb167dafdf 6032 if (cert->ca == NULL)
wolfSSL 13:80fb167dafdf 6033 cert->ca = GetCAByName(cm, cert->issuerHash);
wolfSSL 13:80fb167dafdf 6034 #else
wolfSSL 13:80fb167dafdf 6035 cert->ca = GetCA(cm, cert->issuerHash);
wolfSSL 13:80fb167dafdf 6036 #endif /* !NO_SKID */
wolfSSL 13:80fb167dafdf 6037
wolfSSL 13:80fb167dafdf 6038 WOLFSSL_MSG("About to verify certificate signature");
wolfSSL 13:80fb167dafdf 6039 if (cert->ca) {
wolfSSL 13:80fb167dafdf 6040 if (cert->isCA) {
wolfSSL 13:80fb167dafdf 6041 if (cert->ca->pathLengthSet) {
wolfSSL 13:80fb167dafdf 6042 if (cert->ca->pathLength == 0) {
wolfSSL 13:80fb167dafdf 6043 WOLFSSL_MSG("CA with path length 0 signing a CA");
wolfSSL 13:80fb167dafdf 6044 return ASN_PATHLEN_INV_E;
wolfSSL 13:80fb167dafdf 6045 }
wolfSSL 13:80fb167dafdf 6046 if (cert->pathLengthSet &&
wolfSSL 13:80fb167dafdf 6047 cert->pathLength >= cert->ca->pathLength) {
wolfSSL 13:80fb167dafdf 6048
wolfSSL 13:80fb167dafdf 6049 WOLFSSL_MSG("CA signing CA with longer path length");
wolfSSL 13:80fb167dafdf 6050 return ASN_PATHLEN_INV_E;
wolfSSL 13:80fb167dafdf 6051 }
wolfSSL 13:80fb167dafdf 6052 }
wolfSSL 13:80fb167dafdf 6053 }
wolfSSL 13:80fb167dafdf 6054
wolfSSL 13:80fb167dafdf 6055 #ifdef HAVE_OCSP
wolfSSL 13:80fb167dafdf 6056 /* Need the CA's public key hash for OCSP */
wolfSSL 13:80fb167dafdf 6057 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 6058 ret = wc_Sha256Hash(cert->ca->publicKey, cert->ca->pubKeySize,
wolfSSL 13:80fb167dafdf 6059 cert->issuerKeyHash);
wolfSSL 13:80fb167dafdf 6060 #else
wolfSSL 13:80fb167dafdf 6061 ret = wc_ShaHash(cert->ca->publicKey, cert->ca->pubKeySize,
wolfSSL 13:80fb167dafdf 6062 cert->issuerKeyHash);
wolfSSL 13:80fb167dafdf 6063 #endif /* NO_SHA */
wolfSSL 13:80fb167dafdf 6064 if (ret != 0)
wolfSSL 13:80fb167dafdf 6065 return ret;
wolfSSL 13:80fb167dafdf 6066 #endif /* HAVE_OCSP */
wolfSSL 13:80fb167dafdf 6067 }
wolfSSL 13:80fb167dafdf 6068 }
wolfSSL 13:80fb167dafdf 6069 }
wolfSSL 13:80fb167dafdf 6070
wolfSSL 13:80fb167dafdf 6071 if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
wolfSSL 13:80fb167dafdf 6072 if (cert->ca) {
wolfSSL 13:80fb167dafdf 6073 if (verify == VERIFY) {
wolfSSL 13:80fb167dafdf 6074 /* try to confirm/verify signature */
wolfSSL 13:80fb167dafdf 6075 if ((ret = ConfirmSignature(&cert->sigCtx,
wolfSSL 13:80fb167dafdf 6076 cert->source + cert->certBegin,
wolfSSL 13:80fb167dafdf 6077 cert->sigIndex - cert->certBegin,
wolfSSL 13:80fb167dafdf 6078 cert->ca->publicKey, cert->ca->pubKeySize,
wolfSSL 13:80fb167dafdf 6079 cert->ca->keyOID, cert->signature,
wolfSSL 13:80fb167dafdf 6080 cert->sigLength, cert->signatureOID)) != 0) {
wolfSSL 13:80fb167dafdf 6081 if (ret != WC_PENDING_E) {
wolfSSL 13:80fb167dafdf 6082 WOLFSSL_MSG("Confirm signature failed");
wolfSSL 13:80fb167dafdf 6083 }
wolfSSL 13:80fb167dafdf 6084 return ret;
wolfSSL 13:80fb167dafdf 6085 }
wolfSSL 13:80fb167dafdf 6086 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 6087 /* check that this cert's name is permitted by the signer's
wolfSSL 13:80fb167dafdf 6088 * name constraints */
wolfSSL 13:80fb167dafdf 6089 if (!ConfirmNameConstraints(cert->ca, cert)) {
wolfSSL 13:80fb167dafdf 6090 WOLFSSL_MSG("Confirm name constraint failed");
wolfSSL 13:80fb167dafdf 6091 return ASN_NAME_INVALID_E;
wolfSSL 13:80fb167dafdf 6092 }
wolfSSL 13:80fb167dafdf 6093 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 6094 }
wolfSSL 13:80fb167dafdf 6095 }
wolfSSL 13:80fb167dafdf 6096 else {
wolfSSL 13:80fb167dafdf 6097 /* no signer */
wolfSSL 13:80fb167dafdf 6098 WOLFSSL_MSG("No CA signer to verify with");
wolfSSL 13:80fb167dafdf 6099 return ASN_NO_SIGNER_E;
wolfSSL 13:80fb167dafdf 6100 }
wolfSSL 13:80fb167dafdf 6101 }
wolfSSL 13:80fb167dafdf 6102
wolfSSL 13:80fb167dafdf 6103 if (badDate != 0)
wolfSSL 13:80fb167dafdf 6104 return badDate;
wolfSSL 13:80fb167dafdf 6105
wolfSSL 13:80fb167dafdf 6106 if (criticalExt != 0)
wolfSSL 13:80fb167dafdf 6107 return criticalExt;
wolfSSL 13:80fb167dafdf 6108
wolfSSL 13:80fb167dafdf 6109 return ret;
wolfSSL 13:80fb167dafdf 6110 }
wolfSSL 13:80fb167dafdf 6111
wolfSSL 13:80fb167dafdf 6112 /* Create and init an new signer */
wolfSSL 13:80fb167dafdf 6113 Signer* MakeSigner(void* heap)
wolfSSL 13:80fb167dafdf 6114 {
wolfSSL 13:80fb167dafdf 6115 Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap,
wolfSSL 13:80fb167dafdf 6116 DYNAMIC_TYPE_SIGNER);
wolfSSL 13:80fb167dafdf 6117 if (signer) {
wolfSSL 13:80fb167dafdf 6118 signer->pubKeySize = 0;
wolfSSL 13:80fb167dafdf 6119 signer->keyOID = 0;
wolfSSL 13:80fb167dafdf 6120 signer->publicKey = NULL;
wolfSSL 13:80fb167dafdf 6121 signer->nameLen = 0;
wolfSSL 13:80fb167dafdf 6122 signer->name = NULL;
wolfSSL 13:80fb167dafdf 6123 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 6124 signer->permittedNames = NULL;
wolfSSL 13:80fb167dafdf 6125 signer->excludedNames = NULL;
wolfSSL 13:80fb167dafdf 6126 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 13:80fb167dafdf 6127 signer->pathLengthSet = 0;
wolfSSL 13:80fb167dafdf 6128 signer->pathLength = 0;
wolfSSL 13:80fb167dafdf 6129 signer->next = NULL;
wolfSSL 13:80fb167dafdf 6130 }
wolfSSL 13:80fb167dafdf 6131 (void)heap;
wolfSSL 13:80fb167dafdf 6132
wolfSSL 13:80fb167dafdf 6133 return signer;
wolfSSL 13:80fb167dafdf 6134 }
wolfSSL 13:80fb167dafdf 6135
wolfSSL 13:80fb167dafdf 6136
wolfSSL 13:80fb167dafdf 6137 /* Free an individual signer */
wolfSSL 13:80fb167dafdf 6138 void FreeSigner(Signer* signer, void* heap)
wolfSSL 13:80fb167dafdf 6139 {
wolfSSL 13:80fb167dafdf 6140 XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 13:80fb167dafdf 6141 XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 13:80fb167dafdf 6142 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 6143 if (signer->permittedNames)
wolfSSL 13:80fb167dafdf 6144 FreeNameSubtrees(signer->permittedNames, heap);
wolfSSL 13:80fb167dafdf 6145 if (signer->excludedNames)
wolfSSL 13:80fb167dafdf 6146 FreeNameSubtrees(signer->excludedNames, heap);
wolfSSL 13:80fb167dafdf 6147 #endif
wolfSSL 13:80fb167dafdf 6148 XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
wolfSSL 13:80fb167dafdf 6149
wolfSSL 13:80fb167dafdf 6150 (void)heap;
wolfSSL 13:80fb167dafdf 6151 }
wolfSSL 13:80fb167dafdf 6152
wolfSSL 13:80fb167dafdf 6153
wolfSSL 13:80fb167dafdf 6154 /* Free the whole singer table with number of rows */
wolfSSL 13:80fb167dafdf 6155 void FreeSignerTable(Signer** table, int rows, void* heap)
wolfSSL 13:80fb167dafdf 6156 {
wolfSSL 13:80fb167dafdf 6157 int i;
wolfSSL 13:80fb167dafdf 6158
wolfSSL 13:80fb167dafdf 6159 for (i = 0; i < rows; i++) {
wolfSSL 13:80fb167dafdf 6160 Signer* signer = table[i];
wolfSSL 13:80fb167dafdf 6161 while (signer) {
wolfSSL 13:80fb167dafdf 6162 Signer* next = signer->next;
wolfSSL 13:80fb167dafdf 6163 FreeSigner(signer, heap);
wolfSSL 13:80fb167dafdf 6164 signer = next;
wolfSSL 13:80fb167dafdf 6165 }
wolfSSL 13:80fb167dafdf 6166 table[i] = NULL;
wolfSSL 13:80fb167dafdf 6167 }
wolfSSL 13:80fb167dafdf 6168 }
wolfSSL 13:80fb167dafdf 6169
wolfSSL 13:80fb167dafdf 6170 #ifdef WOLFSSL_TRUST_PEER_CERT
wolfSSL 13:80fb167dafdf 6171 /* Free an individual trusted peer cert */
wolfSSL 13:80fb167dafdf 6172 void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
wolfSSL 13:80fb167dafdf 6173 {
wolfSSL 13:80fb167dafdf 6174 if (tp == NULL) {
wolfSSL 13:80fb167dafdf 6175 return;
wolfSSL 13:80fb167dafdf 6176 }
wolfSSL 13:80fb167dafdf 6177
wolfSSL 13:80fb167dafdf 6178 if (tp->name) {
wolfSSL 13:80fb167dafdf 6179 XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 13:80fb167dafdf 6180 }
wolfSSL 13:80fb167dafdf 6181
wolfSSL 13:80fb167dafdf 6182 if (tp->sig) {
wolfSSL 13:80fb167dafdf 6183 XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
wolfSSL 13:80fb167dafdf 6184 }
wolfSSL 13:80fb167dafdf 6185 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 13:80fb167dafdf 6186 if (tp->permittedNames)
wolfSSL 13:80fb167dafdf 6187 FreeNameSubtrees(tp->permittedNames, heap);
wolfSSL 13:80fb167dafdf 6188 if (tp->excludedNames)
wolfSSL 13:80fb167dafdf 6189 FreeNameSubtrees(tp->excludedNames, heap);
wolfSSL 13:80fb167dafdf 6190 #endif
wolfSSL 13:80fb167dafdf 6191 XFREE(tp, heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 6192
wolfSSL 13:80fb167dafdf 6193 (void)heap;
wolfSSL 13:80fb167dafdf 6194 }
wolfSSL 13:80fb167dafdf 6195
wolfSSL 13:80fb167dafdf 6196 /* Free the whole Trusted Peer linked list */
wolfSSL 13:80fb167dafdf 6197 void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
wolfSSL 13:80fb167dafdf 6198 {
wolfSSL 13:80fb167dafdf 6199 int i;
wolfSSL 13:80fb167dafdf 6200
wolfSSL 13:80fb167dafdf 6201 for (i = 0; i < rows; i++) {
wolfSSL 13:80fb167dafdf 6202 TrustedPeerCert* tp = table[i];
wolfSSL 13:80fb167dafdf 6203 while (tp) {
wolfSSL 13:80fb167dafdf 6204 TrustedPeerCert* next = tp->next;
wolfSSL 13:80fb167dafdf 6205 FreeTrustedPeer(tp, heap);
wolfSSL 13:80fb167dafdf 6206 tp = next;
wolfSSL 13:80fb167dafdf 6207 }
wolfSSL 13:80fb167dafdf 6208 table[i] = NULL;
wolfSSL 13:80fb167dafdf 6209 }
wolfSSL 13:80fb167dafdf 6210 }
wolfSSL 13:80fb167dafdf 6211 #endif /* WOLFSSL_TRUST_PEER_CERT */
wolfSSL 13:80fb167dafdf 6212
wolfSSL 13:80fb167dafdf 6213 WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
wolfSSL 13:80fb167dafdf 6214 {
wolfSSL 13:80fb167dafdf 6215 int i = 0;
wolfSSL 13:80fb167dafdf 6216
wolfSSL 13:80fb167dafdf 6217 if (output == NULL)
wolfSSL 13:80fb167dafdf 6218 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6219
wolfSSL 13:80fb167dafdf 6220 if (header) {
wolfSSL 13:80fb167dafdf 6221 output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED;
wolfSSL 13:80fb167dafdf 6222 output[i++] = 3;
wolfSSL 13:80fb167dafdf 6223 }
wolfSSL 13:80fb167dafdf 6224 output[i++] = ASN_INTEGER;
wolfSSL 13:80fb167dafdf 6225 output[i++] = 0x01;
wolfSSL 13:80fb167dafdf 6226 output[i++] = (byte)version;
wolfSSL 13:80fb167dafdf 6227
wolfSSL 13:80fb167dafdf 6228 return i;
wolfSSL 13:80fb167dafdf 6229 }
wolfSSL 13:80fb167dafdf 6230
wolfSSL 13:80fb167dafdf 6231
wolfSSL 13:80fb167dafdf 6232 WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
wolfSSL 13:80fb167dafdf 6233 {
wolfSSL 13:80fb167dafdf 6234 int result = 0;
wolfSSL 13:80fb167dafdf 6235
wolfSSL 13:80fb167dafdf 6236 WOLFSSL_ENTER("SetSerialNumber");
wolfSSL 13:80fb167dafdf 6237
wolfSSL 13:80fb167dafdf 6238 if (sn == NULL || output == NULL)
wolfSSL 13:80fb167dafdf 6239 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6240
wolfSSL 13:80fb167dafdf 6241 if (snSz <= EXTERNAL_SERIAL_SIZE) {
wolfSSL 13:80fb167dafdf 6242 output[0] = ASN_INTEGER;
wolfSSL 13:80fb167dafdf 6243 /* The serial number is always positive. When encoding the
wolfSSL 13:80fb167dafdf 6244 * INTEGER, if the MSB is 1, add a padding zero to keep the
wolfSSL 13:80fb167dafdf 6245 * number positive. */
wolfSSL 13:80fb167dafdf 6246 if (sn[0] & 0x80) {
wolfSSL 13:80fb167dafdf 6247 output[1] = (byte)snSz + 1;
wolfSSL 13:80fb167dafdf 6248 output[2] = 0;
wolfSSL 13:80fb167dafdf 6249 XMEMCPY(&output[3], sn, snSz);
wolfSSL 13:80fb167dafdf 6250 result = snSz + 3;
wolfSSL 13:80fb167dafdf 6251 }
wolfSSL 13:80fb167dafdf 6252 else {
wolfSSL 13:80fb167dafdf 6253 output[1] = (byte)snSz;
wolfSSL 13:80fb167dafdf 6254 XMEMCPY(&output[2], sn, snSz);
wolfSSL 13:80fb167dafdf 6255 result = snSz + 2;
wolfSSL 13:80fb167dafdf 6256 }
wolfSSL 13:80fb167dafdf 6257 }
wolfSSL 13:80fb167dafdf 6258 return result;
wolfSSL 13:80fb167dafdf 6259 }
wolfSSL 13:80fb167dafdf 6260
wolfSSL 13:80fb167dafdf 6261 WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
wolfSSL 13:80fb167dafdf 6262 byte* serial, int* serialSz, word32 maxIdx)
wolfSSL 13:80fb167dafdf 6263 {
wolfSSL 13:80fb167dafdf 6264 int result = 0;
wolfSSL 13:80fb167dafdf 6265 int ret;
wolfSSL 13:80fb167dafdf 6266
wolfSSL 13:80fb167dafdf 6267 WOLFSSL_ENTER("GetSerialNumber");
wolfSSL 13:80fb167dafdf 6268
wolfSSL 13:80fb167dafdf 6269 if (serial == NULL || input == NULL || serialSz == NULL) {
wolfSSL 13:80fb167dafdf 6270 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6271 }
wolfSSL 13:80fb167dafdf 6272
wolfSSL 13:80fb167dafdf 6273 /* First byte is ASN type */
wolfSSL 13:80fb167dafdf 6274 if ((*inOutIdx+1) > maxIdx) {
wolfSSL 13:80fb167dafdf 6275 WOLFSSL_MSG("Bad idx first");
wolfSSL 13:80fb167dafdf 6276 return BUFFER_E;
wolfSSL 13:80fb167dafdf 6277 }
wolfSSL 13:80fb167dafdf 6278
wolfSSL 13:80fb167dafdf 6279 ret = GetASNInt(input, inOutIdx, serialSz, maxIdx);
wolfSSL 13:80fb167dafdf 6280 if (ret != 0)
wolfSSL 13:80fb167dafdf 6281 return ret;
wolfSSL 13:80fb167dafdf 6282
wolfSSL 13:80fb167dafdf 6283 if (*serialSz > EXTERNAL_SERIAL_SIZE) {
wolfSSL 13:80fb167dafdf 6284 WOLFSSL_MSG("Serial size bad");
wolfSSL 13:80fb167dafdf 6285 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 6286 }
wolfSSL 13:80fb167dafdf 6287
wolfSSL 13:80fb167dafdf 6288 /* return serial */
wolfSSL 13:80fb167dafdf 6289 XMEMCPY(serial, &input[*inOutIdx], *serialSz);
wolfSSL 13:80fb167dafdf 6290 *inOutIdx += *serialSz;
wolfSSL 13:80fb167dafdf 6291
wolfSSL 13:80fb167dafdf 6292 return result;
wolfSSL 13:80fb167dafdf 6293 }
wolfSSL 13:80fb167dafdf 6294
wolfSSL 13:80fb167dafdf 6295
wolfSSL 13:80fb167dafdf 6296
wolfSSL 13:80fb167dafdf 6297 const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
wolfSSL 13:80fb167dafdf 6298 const char* END_CERT = "-----END CERTIFICATE-----";
wolfSSL 13:80fb167dafdf 6299 const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----";
wolfSSL 13:80fb167dafdf 6300 const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----";
wolfSSL 13:80fb167dafdf 6301 const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----";
wolfSSL 13:80fb167dafdf 6302 const char* END_DH_PARAM = "-----END DH PARAMETERS-----";
wolfSSL 13:80fb167dafdf 6303 const char* BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----";
wolfSSL 13:80fb167dafdf 6304 const char* END_DSA_PARAM = "-----END DSA PARAMETERS-----";
wolfSSL 13:80fb167dafdf 6305 const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----";
wolfSSL 13:80fb167dafdf 6306 const char* END_X509_CRL = "-----END X509 CRL-----";
wolfSSL 13:80fb167dafdf 6307 const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6308 const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6309 const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6310 const char* END_PRIV_KEY = "-----END PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6311 const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6312 const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6313 const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6314 const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6315 const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6316 const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----";
wolfSSL 13:80fb167dafdf 6317 const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
wolfSSL 13:80fb167dafdf 6318 const char* END_PUB_KEY = "-----END PUBLIC KEY-----";
wolfSSL 13:80fb167dafdf 6319
wolfSSL 13:80fb167dafdf 6320 #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA)
wolfSSL 13:80fb167dafdf 6321
wolfSSL 13:80fb167dafdf 6322 /* Used for compatibility API */
wolfSSL 13:80fb167dafdf 6323 int wc_DerToPem(const byte* der, word32 derSz,
wolfSSL 13:80fb167dafdf 6324 byte* output, word32 outSz, int type)
wolfSSL 13:80fb167dafdf 6325 {
wolfSSL 13:80fb167dafdf 6326 return wc_DerToPemEx(der, derSz, output, outSz, NULL, type);
wolfSSL 13:80fb167dafdf 6327 }
wolfSSL 13:80fb167dafdf 6328
wolfSSL 13:80fb167dafdf 6329 /* convert der buffer to pem into output, can't do inplace, der and output
wolfSSL 13:80fb167dafdf 6330 need to be different */
wolfSSL 13:80fb167dafdf 6331 int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
wolfSSL 13:80fb167dafdf 6332 byte *cipher_info, int type)
wolfSSL 13:80fb167dafdf 6333 {
wolfSSL 13:80fb167dafdf 6334 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6335 char* header = NULL;
wolfSSL 13:80fb167dafdf 6336 char* footer = NULL;
wolfSSL 13:80fb167dafdf 6337 #else
wolfSSL 13:80fb167dafdf 6338 char header[40 + HEADER_ENCRYPTED_KEY_SIZE];
wolfSSL 13:80fb167dafdf 6339 char footer[40];
wolfSSL 13:80fb167dafdf 6340 #endif
wolfSSL 13:80fb167dafdf 6341
wolfSSL 13:80fb167dafdf 6342 int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE;
wolfSSL 13:80fb167dafdf 6343 int footerLen = 40;
wolfSSL 13:80fb167dafdf 6344 int i;
wolfSSL 13:80fb167dafdf 6345 int err;
wolfSSL 13:80fb167dafdf 6346 int outLen; /* return length or error */
wolfSSL 13:80fb167dafdf 6347
wolfSSL 13:80fb167dafdf 6348 if (der == output) /* no in place conversion */
wolfSSL 13:80fb167dafdf 6349 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6350
wolfSSL 13:80fb167dafdf 6351 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6352 header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6353 if (header == NULL)
wolfSSL 13:80fb167dafdf 6354 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6355
wolfSSL 13:80fb167dafdf 6356 footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6357 if (footer == NULL) {
wolfSSL 13:80fb167dafdf 6358 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6359 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6360 }
wolfSSL 13:80fb167dafdf 6361 #endif
wolfSSL 13:80fb167dafdf 6362 if (type == CERT_TYPE) {
wolfSSL 13:80fb167dafdf 6363 XSTRNCPY(header, BEGIN_CERT, headerLen);
wolfSSL 13:80fb167dafdf 6364 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6365
wolfSSL 13:80fb167dafdf 6366 XSTRNCPY(footer, END_CERT, footerLen);
wolfSSL 13:80fb167dafdf 6367 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6368 }
wolfSSL 13:80fb167dafdf 6369 else if (type == PRIVATEKEY_TYPE) {
wolfSSL 13:80fb167dafdf 6370 XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen);
wolfSSL 13:80fb167dafdf 6371 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6372
wolfSSL 13:80fb167dafdf 6373 XSTRNCPY(footer, END_RSA_PRIV, footerLen);
wolfSSL 13:80fb167dafdf 6374 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6375 }
wolfSSL 13:80fb167dafdf 6376 #ifndef NO_DSA
wolfSSL 13:80fb167dafdf 6377 else if (type == DSA_PRIVATEKEY_TYPE) {
wolfSSL 13:80fb167dafdf 6378 XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen);
wolfSSL 13:80fb167dafdf 6379 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6380
wolfSSL 13:80fb167dafdf 6381 XSTRNCPY(footer, END_DSA_PRIV, footerLen);
wolfSSL 13:80fb167dafdf 6382 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6383 }
wolfSSL 13:80fb167dafdf 6384 #endif
wolfSSL 13:80fb167dafdf 6385 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 6386 else if (type == ECC_PRIVATEKEY_TYPE) {
wolfSSL 13:80fb167dafdf 6387 XSTRNCPY(header, BEGIN_EC_PRIV, headerLen);
wolfSSL 13:80fb167dafdf 6388 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6389
wolfSSL 13:80fb167dafdf 6390 XSTRNCPY(footer, END_EC_PRIV, footerLen);
wolfSSL 13:80fb167dafdf 6391 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6392 }
wolfSSL 13:80fb167dafdf 6393 #endif
wolfSSL 13:80fb167dafdf 6394 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 6395 else if (type == CERTREQ_TYPE)
wolfSSL 13:80fb167dafdf 6396 {
wolfSSL 13:80fb167dafdf 6397 XSTRNCPY(header, BEGIN_CERT_REQ, headerLen);
wolfSSL 13:80fb167dafdf 6398 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6399
wolfSSL 13:80fb167dafdf 6400 XSTRNCPY(footer, END_CERT_REQ, footerLen);
wolfSSL 13:80fb167dafdf 6401 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6402 }
wolfSSL 13:80fb167dafdf 6403 #endif
wolfSSL 13:80fb167dafdf 6404 #ifdef HAVE_CRL
wolfSSL 13:80fb167dafdf 6405 else if (type == CRL_TYPE)
wolfSSL 13:80fb167dafdf 6406 {
wolfSSL 13:80fb167dafdf 6407 XSTRNCPY(header, BEGIN_X509_CRL, headerLen);
wolfSSL 13:80fb167dafdf 6408 XSTRNCAT(header, "\n", 1);
wolfSSL 13:80fb167dafdf 6409
wolfSSL 13:80fb167dafdf 6410 XSTRNCPY(footer, END_X509_CRL, footerLen);
wolfSSL 13:80fb167dafdf 6411 XSTRNCAT(footer, "\n", 1);
wolfSSL 13:80fb167dafdf 6412 }
wolfSSL 13:80fb167dafdf 6413 #endif
wolfSSL 13:80fb167dafdf 6414 else {
wolfSSL 13:80fb167dafdf 6415 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6416 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6417 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6418 #endif
wolfSSL 13:80fb167dafdf 6419 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6420 }
wolfSSL 13:80fb167dafdf 6421
wolfSSL 13:80fb167dafdf 6422 /* extra header information for encrypted key */
wolfSSL 13:80fb167dafdf 6423 if (cipher_info != NULL) {
wolfSSL 13:80fb167dafdf 6424 size_t cipherInfoStrLen = XSTRLEN((char*)cipher_info);
wolfSSL 13:80fb167dafdf 6425 if (cipherInfoStrLen > HEADER_ENCRYPTED_KEY_SIZE - (23+10+2))
wolfSSL 13:80fb167dafdf 6426 cipherInfoStrLen = HEADER_ENCRYPTED_KEY_SIZE - (23+10+2);
wolfSSL 13:80fb167dafdf 6427
wolfSSL 13:80fb167dafdf 6428 XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23);
wolfSSL 13:80fb167dafdf 6429 XSTRNCAT(header, "DEK-Info: ", 10);
wolfSSL 13:80fb167dafdf 6430 XSTRNCAT(header, (char*)cipher_info, cipherInfoStrLen);
wolfSSL 13:80fb167dafdf 6431 XSTRNCAT(header, "\n\n", 2);
wolfSSL 13:80fb167dafdf 6432 }
wolfSSL 13:80fb167dafdf 6433
wolfSSL 13:80fb167dafdf 6434 headerLen = (int)XSTRLEN(header);
wolfSSL 13:80fb167dafdf 6435 footerLen = (int)XSTRLEN(footer);
wolfSSL 13:80fb167dafdf 6436
wolfSSL 13:80fb167dafdf 6437 /* if null output and 0 size passed in then return size needed */
wolfSSL 13:80fb167dafdf 6438 if (!output && outSz == 0) {
wolfSSL 13:80fb167dafdf 6439 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6440 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6441 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6442 #endif
wolfSSL 13:80fb167dafdf 6443 outLen = 0;
wolfSSL 13:80fb167dafdf 6444 if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen))
wolfSSL 13:80fb167dafdf 6445 != LENGTH_ONLY_E) {
wolfSSL 13:80fb167dafdf 6446 return err;
wolfSSL 13:80fb167dafdf 6447 }
wolfSSL 13:80fb167dafdf 6448 return headerLen + footerLen + outLen;
wolfSSL 13:80fb167dafdf 6449 }
wolfSSL 13:80fb167dafdf 6450
wolfSSL 13:80fb167dafdf 6451 if (!der || !output) {
wolfSSL 13:80fb167dafdf 6452 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6453 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6454 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6455 #endif
wolfSSL 13:80fb167dafdf 6456 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6457 }
wolfSSL 13:80fb167dafdf 6458
wolfSSL 13:80fb167dafdf 6459 /* don't even try if outSz too short */
wolfSSL 13:80fb167dafdf 6460 if (outSz < headerLen + footerLen + derSz) {
wolfSSL 13:80fb167dafdf 6461 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6462 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6463 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6464 #endif
wolfSSL 13:80fb167dafdf 6465 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6466 }
wolfSSL 13:80fb167dafdf 6467
wolfSSL 13:80fb167dafdf 6468 /* header */
wolfSSL 13:80fb167dafdf 6469 XMEMCPY(output, header, headerLen);
wolfSSL 13:80fb167dafdf 6470 i = headerLen;
wolfSSL 13:80fb167dafdf 6471
wolfSSL 13:80fb167dafdf 6472 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6473 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6474 #endif
wolfSSL 13:80fb167dafdf 6475
wolfSSL 13:80fb167dafdf 6476 /* body */
wolfSSL 13:80fb167dafdf 6477 outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */
wolfSSL 13:80fb167dafdf 6478 if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) {
wolfSSL 13:80fb167dafdf 6479 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6480 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6481 #endif
wolfSSL 13:80fb167dafdf 6482 return err;
wolfSSL 13:80fb167dafdf 6483 }
wolfSSL 13:80fb167dafdf 6484 i += outLen;
wolfSSL 13:80fb167dafdf 6485
wolfSSL 13:80fb167dafdf 6486 /* footer */
wolfSSL 13:80fb167dafdf 6487 if ( (i + footerLen) > (int)outSz) {
wolfSSL 13:80fb167dafdf 6488 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6489 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6490 #endif
wolfSSL 13:80fb167dafdf 6491 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6492 }
wolfSSL 13:80fb167dafdf 6493 XMEMCPY(output + i, footer, footerLen);
wolfSSL 13:80fb167dafdf 6494
wolfSSL 13:80fb167dafdf 6495 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6496 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6497 #endif
wolfSSL 13:80fb167dafdf 6498
wolfSSL 13:80fb167dafdf 6499 return outLen + headerLen + footerLen;
wolfSSL 13:80fb167dafdf 6500 }
wolfSSL 13:80fb167dafdf 6501
wolfSSL 13:80fb167dafdf 6502 #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 6503
wolfSSL 13:80fb167dafdf 6504 #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
wolfSSL 13:80fb167dafdf 6505 /* USER RSA ifdef portions used instead of refactor in consideration for
wolfSSL 13:80fb167dafdf 6506 possible fips build */
wolfSSL 13:80fb167dafdf 6507 /* Write a public RSA key to output */
wolfSSL 13:80fb167dafdf 6508 static int SetRsaPublicKey(byte* output, RsaKey* key,
wolfSSL 13:80fb167dafdf 6509 int outLen, int with_header)
wolfSSL 13:80fb167dafdf 6510 {
wolfSSL 13:80fb167dafdf 6511 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6512 byte* n = NULL;
wolfSSL 13:80fb167dafdf 6513 byte* e = NULL;
wolfSSL 13:80fb167dafdf 6514 #else
wolfSSL 13:80fb167dafdf 6515 byte n[MAX_RSA_INT_SZ];
wolfSSL 13:80fb167dafdf 6516 byte e[MAX_RSA_E_SZ];
wolfSSL 13:80fb167dafdf 6517 #endif
wolfSSL 13:80fb167dafdf 6518 byte seq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 6519 byte bitString[1 + MAX_LENGTH_SZ + 1];
wolfSSL 13:80fb167dafdf 6520 int nSz;
wolfSSL 13:80fb167dafdf 6521 int eSz;
wolfSSL 13:80fb167dafdf 6522 int seqSz;
wolfSSL 13:80fb167dafdf 6523 int bitStringSz;
wolfSSL 13:80fb167dafdf 6524 int idx;
wolfSSL 13:80fb167dafdf 6525
wolfSSL 13:80fb167dafdf 6526 if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ)
wolfSSL 13:80fb167dafdf 6527 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6528
wolfSSL 13:80fb167dafdf 6529 /* n */
wolfSSL 13:80fb167dafdf 6530 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6531 n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6532 if (n == NULL)
wolfSSL 13:80fb167dafdf 6533 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6534 #endif
wolfSSL 13:80fb167dafdf 6535
wolfSSL 13:80fb167dafdf 6536 #ifdef HAVE_USER_RSA
wolfSSL 13:80fb167dafdf 6537 nSz = SetASNIntRSA(key->n, n);
wolfSSL 13:80fb167dafdf 6538 #else
wolfSSL 13:80fb167dafdf 6539 nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, n);
wolfSSL 13:80fb167dafdf 6540 #endif
wolfSSL 13:80fb167dafdf 6541 if (nSz < 0) {
wolfSSL 13:80fb167dafdf 6542 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6543 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6544 #endif
wolfSSL 13:80fb167dafdf 6545 return nSz;
wolfSSL 13:80fb167dafdf 6546 }
wolfSSL 13:80fb167dafdf 6547
wolfSSL 13:80fb167dafdf 6548 /* e */
wolfSSL 13:80fb167dafdf 6549 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6550 e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6551 if (e == NULL) {
wolfSSL 13:80fb167dafdf 6552 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6553 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6554 #endif
wolfSSL 13:80fb167dafdf 6555 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6556 }
wolfSSL 13:80fb167dafdf 6557 #endif
wolfSSL 13:80fb167dafdf 6558
wolfSSL 13:80fb167dafdf 6559 #ifdef HAVE_USER_RSA
wolfSSL 13:80fb167dafdf 6560 eSz = SetASNIntRSA(key->e, e);
wolfSSL 13:80fb167dafdf 6561 #else
wolfSSL 13:80fb167dafdf 6562 eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, e);
wolfSSL 13:80fb167dafdf 6563 #endif
wolfSSL 13:80fb167dafdf 6564 if (eSz < 0) {
wolfSSL 13:80fb167dafdf 6565 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6566 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6567 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6568 #endif
wolfSSL 13:80fb167dafdf 6569 return eSz;
wolfSSL 13:80fb167dafdf 6570 }
wolfSSL 13:80fb167dafdf 6571
wolfSSL 13:80fb167dafdf 6572 seqSz = SetSequence(nSz + eSz, seq);
wolfSSL 13:80fb167dafdf 6573
wolfSSL 13:80fb167dafdf 6574 /* check output size */
wolfSSL 13:80fb167dafdf 6575 if ( (seqSz + nSz + eSz) > outLen) {
wolfSSL 13:80fb167dafdf 6576 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6577 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6578 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6579 #endif
wolfSSL 13:80fb167dafdf 6580 return BUFFER_E;
wolfSSL 13:80fb167dafdf 6581 }
wolfSSL 13:80fb167dafdf 6582
wolfSSL 13:80fb167dafdf 6583 /* headers */
wolfSSL 13:80fb167dafdf 6584 if (with_header) {
wolfSSL 13:80fb167dafdf 6585 int algoSz;
wolfSSL 13:80fb167dafdf 6586 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6587 byte* algo = NULL;
wolfSSL 13:80fb167dafdf 6588
wolfSSL 13:80fb167dafdf 6589 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6590 if (algo == NULL) {
wolfSSL 13:80fb167dafdf 6591 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6592 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6593 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6594 }
wolfSSL 13:80fb167dafdf 6595 #else
wolfSSL 13:80fb167dafdf 6596 byte algo[MAX_ALGO_SZ];
wolfSSL 13:80fb167dafdf 6597 #endif
wolfSSL 13:80fb167dafdf 6598 algoSz = SetAlgoID(RSAk, algo, oidKeyType, 0);
wolfSSL 13:80fb167dafdf 6599 bitStringSz = SetBitString(seqSz + nSz + eSz, 0, bitString);
wolfSSL 13:80fb167dafdf 6600
wolfSSL 13:80fb167dafdf 6601 idx = SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, output);
wolfSSL 13:80fb167dafdf 6602
wolfSSL 13:80fb167dafdf 6603 /* check output size */
wolfSSL 13:80fb167dafdf 6604 if ( (idx + algoSz + bitStringSz + seqSz + nSz + eSz) > outLen) {
wolfSSL 13:80fb167dafdf 6605 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6606 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6607 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6608 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6609 #endif
wolfSSL 13:80fb167dafdf 6610
wolfSSL 13:80fb167dafdf 6611 return BUFFER_E;
wolfSSL 13:80fb167dafdf 6612 }
wolfSSL 13:80fb167dafdf 6613
wolfSSL 13:80fb167dafdf 6614 /* algo */
wolfSSL 13:80fb167dafdf 6615 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 13:80fb167dafdf 6616 idx += algoSz;
wolfSSL 13:80fb167dafdf 6617 /* bit string */
wolfSSL 13:80fb167dafdf 6618 XMEMCPY(output + idx, bitString, bitStringSz);
wolfSSL 13:80fb167dafdf 6619 idx += bitStringSz;
wolfSSL 13:80fb167dafdf 6620 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6621 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6622 #endif
wolfSSL 13:80fb167dafdf 6623 }
wolfSSL 13:80fb167dafdf 6624 else
wolfSSL 13:80fb167dafdf 6625 idx = 0;
wolfSSL 13:80fb167dafdf 6626
wolfSSL 13:80fb167dafdf 6627 /* seq */
wolfSSL 13:80fb167dafdf 6628 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 13:80fb167dafdf 6629 idx += seqSz;
wolfSSL 13:80fb167dafdf 6630 /* n */
wolfSSL 13:80fb167dafdf 6631 XMEMCPY(output + idx, n, nSz);
wolfSSL 13:80fb167dafdf 6632 idx += nSz;
wolfSSL 13:80fb167dafdf 6633 /* e */
wolfSSL 13:80fb167dafdf 6634 XMEMCPY(output + idx, e, eSz);
wolfSSL 13:80fb167dafdf 6635 idx += eSz;
wolfSSL 13:80fb167dafdf 6636
wolfSSL 13:80fb167dafdf 6637 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6638 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6639 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6640 #endif
wolfSSL 13:80fb167dafdf 6641
wolfSSL 13:80fb167dafdf 6642 return idx;
wolfSSL 13:80fb167dafdf 6643 }
wolfSSL 13:80fb167dafdf 6644 #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
wolfSSL 13:80fb167dafdf 6645 !HAVE_USER_RSA))) */
wolfSSL 13:80fb167dafdf 6646
wolfSSL 13:80fb167dafdf 6647
wolfSSL 13:80fb167dafdf 6648 #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
wolfSSL 13:80fb167dafdf 6649
wolfSSL 13:80fb167dafdf 6650
wolfSSL 13:80fb167dafdf 6651 static mp_int* GetRsaInt(RsaKey* key, int idx)
wolfSSL 13:80fb167dafdf 6652 {
wolfSSL 13:80fb167dafdf 6653 if (idx == 0)
wolfSSL 13:80fb167dafdf 6654 return &key->n;
wolfSSL 13:80fb167dafdf 6655 if (idx == 1)
wolfSSL 13:80fb167dafdf 6656 return &key->e;
wolfSSL 13:80fb167dafdf 6657 if (idx == 2)
wolfSSL 13:80fb167dafdf 6658 return &key->d;
wolfSSL 13:80fb167dafdf 6659 if (idx == 3)
wolfSSL 13:80fb167dafdf 6660 return &key->p;
wolfSSL 13:80fb167dafdf 6661 if (idx == 4)
wolfSSL 13:80fb167dafdf 6662 return &key->q;
wolfSSL 13:80fb167dafdf 6663 if (idx == 5)
wolfSSL 13:80fb167dafdf 6664 return &key->dP;
wolfSSL 13:80fb167dafdf 6665 if (idx == 6)
wolfSSL 13:80fb167dafdf 6666 return &key->dQ;
wolfSSL 13:80fb167dafdf 6667 if (idx == 7)
wolfSSL 13:80fb167dafdf 6668 return &key->u;
wolfSSL 13:80fb167dafdf 6669
wolfSSL 13:80fb167dafdf 6670 return NULL;
wolfSSL 13:80fb167dafdf 6671 }
wolfSSL 13:80fb167dafdf 6672
wolfSSL 13:80fb167dafdf 6673
wolfSSL 13:80fb167dafdf 6674 /* Release Tmp RSA resources */
wolfSSL 13:80fb167dafdf 6675 static INLINE void FreeTmpRsas(byte** tmps, void* heap)
wolfSSL 13:80fb167dafdf 6676 {
wolfSSL 13:80fb167dafdf 6677 int i;
wolfSSL 13:80fb167dafdf 6678
wolfSSL 13:80fb167dafdf 6679 (void)heap;
wolfSSL 13:80fb167dafdf 6680
wolfSSL 13:80fb167dafdf 6681 for (i = 0; i < RSA_INTS; i++)
wolfSSL 13:80fb167dafdf 6682 XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 6683 }
wolfSSL 13:80fb167dafdf 6684
wolfSSL 13:80fb167dafdf 6685
wolfSSL 13:80fb167dafdf 6686 /* Convert RsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 13:80fb167dafdf 6687 written */
wolfSSL 13:80fb167dafdf 6688 int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 13:80fb167dafdf 6689 {
wolfSSL 13:80fb167dafdf 6690 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 13:80fb167dafdf 6691 word32 sizes[RSA_INTS];
wolfSSL 13:80fb167dafdf 6692 int i, j, outLen, ret = 0, mpSz;
wolfSSL 13:80fb167dafdf 6693
wolfSSL 13:80fb167dafdf 6694 byte seq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 6695 byte ver[MAX_VERSION_SZ];
wolfSSL 13:80fb167dafdf 6696 byte* tmps[RSA_INTS];
wolfSSL 13:80fb167dafdf 6697
wolfSSL 13:80fb167dafdf 6698 if (!key || !output)
wolfSSL 13:80fb167dafdf 6699 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6700
wolfSSL 13:80fb167dafdf 6701 if (key->type != RSA_PRIVATE)
wolfSSL 13:80fb167dafdf 6702 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6703
wolfSSL 13:80fb167dafdf 6704 for (i = 0; i < RSA_INTS; i++)
wolfSSL 13:80fb167dafdf 6705 tmps[i] = NULL;
wolfSSL 13:80fb167dafdf 6706
wolfSSL 13:80fb167dafdf 6707 /* write all big ints from key to DER tmps */
wolfSSL 13:80fb167dafdf 6708 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 13:80fb167dafdf 6709 mp_int* keyInt = GetRsaInt(key, i);
wolfSSL 13:80fb167dafdf 6710
wolfSSL 13:80fb167dafdf 6711 rawLen = mp_unsigned_bin_size(keyInt) + 1;
wolfSSL 13:80fb167dafdf 6712 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL 13:80fb167dafdf 6713 DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 6714 if (tmps[i] == NULL) {
wolfSSL 13:80fb167dafdf 6715 ret = MEMORY_E;
wolfSSL 13:80fb167dafdf 6716 break;
wolfSSL 13:80fb167dafdf 6717 }
wolfSSL 13:80fb167dafdf 6718
wolfSSL 13:80fb167dafdf 6719 mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]);
wolfSSL 13:80fb167dafdf 6720 if (mpSz < 0) {
wolfSSL 13:80fb167dafdf 6721 ret = mpSz;
wolfSSL 13:80fb167dafdf 6722 break;
wolfSSL 13:80fb167dafdf 6723 }
wolfSSL 13:80fb167dafdf 6724 intTotalLen += (sizes[i] = mpSz);
wolfSSL 13:80fb167dafdf 6725 }
wolfSSL 13:80fb167dafdf 6726
wolfSSL 13:80fb167dafdf 6727 if (ret != 0) {
wolfSSL 13:80fb167dafdf 6728 FreeTmpRsas(tmps, key->heap);
wolfSSL 13:80fb167dafdf 6729 return ret;
wolfSSL 13:80fb167dafdf 6730 }
wolfSSL 13:80fb167dafdf 6731
wolfSSL 13:80fb167dafdf 6732 /* make headers */
wolfSSL 13:80fb167dafdf 6733 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 13:80fb167dafdf 6734 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 13:80fb167dafdf 6735
wolfSSL 13:80fb167dafdf 6736 outLen = seqSz + verSz + intTotalLen;
wolfSSL 13:80fb167dafdf 6737 if (outLen > (int)inLen)
wolfSSL 13:80fb167dafdf 6738 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 6739
wolfSSL 13:80fb167dafdf 6740 /* write to output */
wolfSSL 13:80fb167dafdf 6741 XMEMCPY(output, seq, seqSz);
wolfSSL 13:80fb167dafdf 6742 j = seqSz;
wolfSSL 13:80fb167dafdf 6743 XMEMCPY(output + j, ver, verSz);
wolfSSL 13:80fb167dafdf 6744 j += verSz;
wolfSSL 13:80fb167dafdf 6745
wolfSSL 13:80fb167dafdf 6746 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 13:80fb167dafdf 6747 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 13:80fb167dafdf 6748 j += sizes[i];
wolfSSL 13:80fb167dafdf 6749 }
wolfSSL 13:80fb167dafdf 6750 FreeTmpRsas(tmps, key->heap);
wolfSSL 13:80fb167dafdf 6751
wolfSSL 13:80fb167dafdf 6752 return outLen;
wolfSSL 13:80fb167dafdf 6753 }
wolfSSL 13:80fb167dafdf 6754
wolfSSL 13:80fb167dafdf 6755
wolfSSL 13:80fb167dafdf 6756 /* Convert Rsa Public key to DER format, write to output (inLen), return bytes
wolfSSL 13:80fb167dafdf 6757 written */
wolfSSL 13:80fb167dafdf 6758 int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 13:80fb167dafdf 6759 {
wolfSSL 13:80fb167dafdf 6760 return SetRsaPublicKey(output, key, inLen, 1);
wolfSSL 13:80fb167dafdf 6761 }
wolfSSL 13:80fb167dafdf 6762
wolfSSL 13:80fb167dafdf 6763 #endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA */
wolfSSL 13:80fb167dafdf 6764
wolfSSL 13:80fb167dafdf 6765
wolfSSL 13:80fb167dafdf 6766 #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL 13:80fb167dafdf 6767
wolfSSL 13:80fb167dafdf 6768 /* Initialize and Set Certificate defaults:
wolfSSL 13:80fb167dafdf 6769 version = 3 (0x2)
wolfSSL 13:80fb167dafdf 6770 serial = 0
wolfSSL 13:80fb167dafdf 6771 sigType = SHA_WITH_RSA
wolfSSL 13:80fb167dafdf 6772 issuer = blank
wolfSSL 13:80fb167dafdf 6773 daysValid = 500
wolfSSL 13:80fb167dafdf 6774 selfSigned = 1 (true) use subject as issuer
wolfSSL 13:80fb167dafdf 6775 subject = blank
wolfSSL 13:80fb167dafdf 6776 */
wolfSSL 13:80fb167dafdf 6777 void wc_InitCert(Cert* cert)
wolfSSL 13:80fb167dafdf 6778 {
wolfSSL 13:80fb167dafdf 6779 cert->version = 2; /* version 3 is hex 2 */
wolfSSL 13:80fb167dafdf 6780 cert->sigType = CTC_SHAwRSA;
wolfSSL 13:80fb167dafdf 6781 cert->daysValid = 500;
wolfSSL 13:80fb167dafdf 6782 cert->selfSigned = 1;
wolfSSL 13:80fb167dafdf 6783 cert->isCA = 0;
wolfSSL 13:80fb167dafdf 6784 cert->bodySz = 0;
wolfSSL 13:80fb167dafdf 6785 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 6786 cert->altNamesSz = 0;
wolfSSL 13:80fb167dafdf 6787 cert->beforeDateSz = 0;
wolfSSL 13:80fb167dafdf 6788 cert->afterDateSz = 0;
wolfSSL 13:80fb167dafdf 6789 #endif
wolfSSL 13:80fb167dafdf 6790 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 6791 cert->skidSz = 0;
wolfSSL 13:80fb167dafdf 6792 cert->akidSz = 0;
wolfSSL 13:80fb167dafdf 6793 cert->keyUsage = 0;
wolfSSL 13:80fb167dafdf 6794 cert->certPoliciesNb = 0;
wolfSSL 13:80fb167dafdf 6795 XMEMSET(cert->akid, 0, CTC_MAX_AKID_SIZE);
wolfSSL 13:80fb167dafdf 6796 XMEMSET(cert->skid, 0, CTC_MAX_SKID_SIZE);
wolfSSL 13:80fb167dafdf 6797 XMEMSET(cert->certPolicies, 0, CTC_MAX_CERTPOL_NB*CTC_MAX_CERTPOL_SZ);
wolfSSL 13:80fb167dafdf 6798 #endif
wolfSSL 13:80fb167dafdf 6799 cert->keyType = RSA_KEY;
wolfSSL 13:80fb167dafdf 6800 XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE);
wolfSSL 13:80fb167dafdf 6801
wolfSSL 13:80fb167dafdf 6802 cert->issuer.country[0] = '\0';
wolfSSL 13:80fb167dafdf 6803 cert->issuer.countryEnc = CTC_PRINTABLE;
wolfSSL 13:80fb167dafdf 6804 cert->issuer.state[0] = '\0';
wolfSSL 13:80fb167dafdf 6805 cert->issuer.stateEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6806 cert->issuer.locality[0] = '\0';
wolfSSL 13:80fb167dafdf 6807 cert->issuer.localityEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6808 cert->issuer.sur[0] = '\0';
wolfSSL 13:80fb167dafdf 6809 cert->issuer.surEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6810 cert->issuer.org[0] = '\0';
wolfSSL 13:80fb167dafdf 6811 cert->issuer.orgEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6812 cert->issuer.unit[0] = '\0';
wolfSSL 13:80fb167dafdf 6813 cert->issuer.unitEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6814 cert->issuer.commonName[0] = '\0';
wolfSSL 13:80fb167dafdf 6815 cert->issuer.commonNameEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6816 cert->issuer.email[0] = '\0';
wolfSSL 13:80fb167dafdf 6817
wolfSSL 13:80fb167dafdf 6818 cert->subject.country[0] = '\0';
wolfSSL 13:80fb167dafdf 6819 cert->subject.countryEnc = CTC_PRINTABLE;
wolfSSL 13:80fb167dafdf 6820 cert->subject.state[0] = '\0';
wolfSSL 13:80fb167dafdf 6821 cert->subject.stateEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6822 cert->subject.locality[0] = '\0';
wolfSSL 13:80fb167dafdf 6823 cert->subject.localityEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6824 cert->subject.sur[0] = '\0';
wolfSSL 13:80fb167dafdf 6825 cert->subject.surEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6826 cert->subject.org[0] = '\0';
wolfSSL 13:80fb167dafdf 6827 cert->subject.orgEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6828 cert->subject.unit[0] = '\0';
wolfSSL 13:80fb167dafdf 6829 cert->subject.unitEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6830 cert->subject.commonName[0] = '\0';
wolfSSL 13:80fb167dafdf 6831 cert->subject.commonNameEnc = CTC_UTF8;
wolfSSL 13:80fb167dafdf 6832 cert->subject.email[0] = '\0';
wolfSSL 13:80fb167dafdf 6833
wolfSSL 13:80fb167dafdf 6834 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 6835 cert->challengePw[0] ='\0';
wolfSSL 13:80fb167dafdf 6836 #endif
wolfSSL 13:80fb167dafdf 6837 #ifdef WOLFSSL_HEAP_TEST
wolfSSL 13:80fb167dafdf 6838 cert->heap = (void*)WOLFSSL_HEAP_TEST;
wolfSSL 13:80fb167dafdf 6839 #else
wolfSSL 13:80fb167dafdf 6840 cert->heap = NULL;
wolfSSL 13:80fb167dafdf 6841 #endif
wolfSSL 13:80fb167dafdf 6842 }
wolfSSL 13:80fb167dafdf 6843
wolfSSL 13:80fb167dafdf 6844
wolfSSL 13:80fb167dafdf 6845 /* DER encoded x509 Certificate */
wolfSSL 13:80fb167dafdf 6846 typedef struct DerCert {
wolfSSL 13:80fb167dafdf 6847 byte size[MAX_LENGTH_SZ]; /* length encoded */
wolfSSL 13:80fb167dafdf 6848 byte version[MAX_VERSION_SZ]; /* version encoded */
wolfSSL 13:80fb167dafdf 6849 byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */
wolfSSL 13:80fb167dafdf 6850 byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */
wolfSSL 13:80fb167dafdf 6851 byte issuer[ASN_NAME_MAX]; /* issuer encoded */
wolfSSL 13:80fb167dafdf 6852 byte subject[ASN_NAME_MAX]; /* subject encoded */
wolfSSL 13:80fb167dafdf 6853 byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */
wolfSSL 13:80fb167dafdf 6854 byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
wolfSSL 13:80fb167dafdf 6855 byte ca[MAX_CA_SZ]; /* basic constraint CA true size */
wolfSSL 13:80fb167dafdf 6856 byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
wolfSSL 13:80fb167dafdf 6857 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 6858 byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */
wolfSSL 13:80fb167dafdf 6859 byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */
wolfSSL 13:80fb167dafdf 6860 byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */
wolfSSL 13:80fb167dafdf 6861 byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */
wolfSSL 13:80fb167dafdf 6862 #endif
wolfSSL 13:80fb167dafdf 6863 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 6864 byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */
wolfSSL 13:80fb167dafdf 6865 #endif
wolfSSL 13:80fb167dafdf 6866 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 6867 byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */
wolfSSL 13:80fb167dafdf 6868 #endif
wolfSSL 13:80fb167dafdf 6869 int sizeSz; /* encoded size length */
wolfSSL 13:80fb167dafdf 6870 int versionSz; /* encoded version length */
wolfSSL 13:80fb167dafdf 6871 int serialSz; /* encoded serial length */
wolfSSL 13:80fb167dafdf 6872 int sigAlgoSz; /* encoded sig alog length */
wolfSSL 13:80fb167dafdf 6873 int issuerSz; /* encoded issuer length */
wolfSSL 13:80fb167dafdf 6874 int subjectSz; /* encoded subject length */
wolfSSL 13:80fb167dafdf 6875 int validitySz; /* encoded validity length */
wolfSSL 13:80fb167dafdf 6876 int publicKeySz; /* encoded public key length */
wolfSSL 13:80fb167dafdf 6877 int caSz; /* encoded CA extension length */
wolfSSL 13:80fb167dafdf 6878 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 6879 int skidSz; /* encoded SKID extension length */
wolfSSL 13:80fb167dafdf 6880 int akidSz; /* encoded SKID extension length */
wolfSSL 13:80fb167dafdf 6881 int keyUsageSz; /* encoded KeyUsage extension length */
wolfSSL 13:80fb167dafdf 6882 int certPoliciesSz; /* encoded CertPolicies extension length*/
wolfSSL 13:80fb167dafdf 6883 #endif
wolfSSL 13:80fb167dafdf 6884 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 6885 int altNamesSz; /* encoded AltNames extension length */
wolfSSL 13:80fb167dafdf 6886 #endif
wolfSSL 13:80fb167dafdf 6887 int extensionsSz; /* encoded extensions total length */
wolfSSL 13:80fb167dafdf 6888 int total; /* total encoded lengths */
wolfSSL 13:80fb167dafdf 6889 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 6890 int attribSz;
wolfSSL 13:80fb167dafdf 6891 #endif
wolfSSL 13:80fb167dafdf 6892 } DerCert;
wolfSSL 13:80fb167dafdf 6893
wolfSSL 13:80fb167dafdf 6894
wolfSSL 13:80fb167dafdf 6895 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 6896
wolfSSL 13:80fb167dafdf 6897 /* Write a set header to output */
wolfSSL 13:80fb167dafdf 6898 static word32 SetUTF8String(word32 len, byte* output)
wolfSSL 13:80fb167dafdf 6899 {
wolfSSL 13:80fb167dafdf 6900 output[0] = ASN_UTF8STRING;
wolfSSL 13:80fb167dafdf 6901 return SetLength(len, output + 1) + 1;
wolfSSL 13:80fb167dafdf 6902 }
wolfSSL 13:80fb167dafdf 6903
wolfSSL 13:80fb167dafdf 6904 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 13:80fb167dafdf 6905
wolfSSL 13:80fb167dafdf 6906
wolfSSL 13:80fb167dafdf 6907 /* Write a serial number to output */
wolfSSL 13:80fb167dafdf 6908 static int SetSerial(const byte* serial, byte* output)
wolfSSL 13:80fb167dafdf 6909 {
wolfSSL 13:80fb167dafdf 6910 int length = 0;
wolfSSL 13:80fb167dafdf 6911
wolfSSL 13:80fb167dafdf 6912 output[length++] = ASN_INTEGER;
wolfSSL 13:80fb167dafdf 6913 length += SetLength(CTC_SERIAL_SIZE, &output[length]);
wolfSSL 13:80fb167dafdf 6914 XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE);
wolfSSL 13:80fb167dafdf 6915
wolfSSL 13:80fb167dafdf 6916 return length + CTC_SERIAL_SIZE;
wolfSSL 13:80fb167dafdf 6917 }
wolfSSL 13:80fb167dafdf 6918
wolfSSL 13:80fb167dafdf 6919 #endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */
wolfSSL 13:80fb167dafdf 6920 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
wolfSSL 13:80fb167dafdf 6921
wolfSSL 13:80fb167dafdf 6922 /* Write a public ECC key to output */
wolfSSL 13:80fb167dafdf 6923 static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)
wolfSSL 13:80fb167dafdf 6924 {
wolfSSL 13:80fb167dafdf 6925 byte bitString[1 + MAX_LENGTH_SZ + 1];
wolfSSL 13:80fb167dafdf 6926 int algoSz;
wolfSSL 13:80fb167dafdf 6927 int curveSz;
wolfSSL 13:80fb167dafdf 6928 int bitStringSz;
wolfSSL 13:80fb167dafdf 6929 int idx;
wolfSSL 13:80fb167dafdf 6930 word32 pubSz = ECC_BUFSIZE;
wolfSSL 13:80fb167dafdf 6931 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6932 byte* algo = NULL;
wolfSSL 13:80fb167dafdf 6933 byte* curve = NULL;
wolfSSL 13:80fb167dafdf 6934 byte* pub = NULL;
wolfSSL 13:80fb167dafdf 6935 #else
wolfSSL 13:80fb167dafdf 6936 byte algo[MAX_ALGO_SZ];
wolfSSL 13:80fb167dafdf 6937 byte curve[MAX_ALGO_SZ];
wolfSSL 13:80fb167dafdf 6938 byte pub[ECC_BUFSIZE];
wolfSSL 13:80fb167dafdf 6939 #endif
wolfSSL 13:80fb167dafdf 6940
wolfSSL 13:80fb167dafdf 6941 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6942 pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6943 if (pub == NULL)
wolfSSL 13:80fb167dafdf 6944 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6945 #endif
wolfSSL 13:80fb167dafdf 6946
wolfSSL 13:80fb167dafdf 6947 int ret = wc_ecc_export_x963(key, pub, &pubSz);
wolfSSL 13:80fb167dafdf 6948 if (ret != 0) {
wolfSSL 13:80fb167dafdf 6949 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6950 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6951 #endif
wolfSSL 13:80fb167dafdf 6952 return ret;
wolfSSL 13:80fb167dafdf 6953 }
wolfSSL 13:80fb167dafdf 6954
wolfSSL 13:80fb167dafdf 6955 /* headers */
wolfSSL 13:80fb167dafdf 6956 if (with_header) {
wolfSSL 13:80fb167dafdf 6957 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6958 curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6959 if (curve == NULL) {
wolfSSL 13:80fb167dafdf 6960 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6961 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6962 }
wolfSSL 13:80fb167dafdf 6963 #endif
wolfSSL 13:80fb167dafdf 6964 curveSz = SetCurve(key, curve);
wolfSSL 13:80fb167dafdf 6965 if (curveSz <= 0) {
wolfSSL 13:80fb167dafdf 6966 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6967 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6968 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6969 #endif
wolfSSL 13:80fb167dafdf 6970 return curveSz;
wolfSSL 13:80fb167dafdf 6971 }
wolfSSL 13:80fb167dafdf 6972
wolfSSL 13:80fb167dafdf 6973 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 6974 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6975 if (algo == NULL) {
wolfSSL 13:80fb167dafdf 6976 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6977 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 6978 return MEMORY_E;
wolfSSL 13:80fb167dafdf 6979 }
wolfSSL 13:80fb167dafdf 6980 #endif
wolfSSL 13:80fb167dafdf 6981 algoSz = SetAlgoID(ECDSAk, algo, oidKeyType, curveSz);
wolfSSL 13:80fb167dafdf 6982
wolfSSL 13:80fb167dafdf 6983 bitStringSz = SetBitString(pubSz, 0, bitString);
wolfSSL 13:80fb167dafdf 6984
wolfSSL 13:80fb167dafdf 6985 idx = SetSequence(pubSz + curveSz + bitStringSz + algoSz, output);
wolfSSL 13:80fb167dafdf 6986 /* algo */
wolfSSL 13:80fb167dafdf 6987 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 13:80fb167dafdf 6988 idx += algoSz;
wolfSSL 13:80fb167dafdf 6989 /* curve */
wolfSSL 13:80fb167dafdf 6990 XMEMCPY(output + idx, curve, curveSz);
wolfSSL 13:80fb167dafdf 6991 idx += curveSz;
wolfSSL 13:80fb167dafdf 6992 /* bit string */
wolfSSL 13:80fb167dafdf 6993 XMEMCPY(output + idx, bitString, bitStringSz);
wolfSSL 13:80fb167dafdf 6994 idx += bitStringSz;
wolfSSL 13:80fb167dafdf 6995 }
wolfSSL 13:80fb167dafdf 6996 else
wolfSSL 13:80fb167dafdf 6997 idx = 0;
wolfSSL 13:80fb167dafdf 6998
wolfSSL 13:80fb167dafdf 6999 /* pub */
wolfSSL 13:80fb167dafdf 7000 XMEMCPY(output + idx, pub, pubSz);
wolfSSL 13:80fb167dafdf 7001 idx += pubSz;
wolfSSL 13:80fb167dafdf 7002
wolfSSL 13:80fb167dafdf 7003 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7004 if (with_header) {
wolfSSL 13:80fb167dafdf 7005 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7006 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7007 }
wolfSSL 13:80fb167dafdf 7008 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7009 #endif
wolfSSL 13:80fb167dafdf 7010
wolfSSL 13:80fb167dafdf 7011 return idx;
wolfSSL 13:80fb167dafdf 7012 }
wolfSSL 13:80fb167dafdf 7013
wolfSSL 13:80fb167dafdf 7014
wolfSSL 13:80fb167dafdf 7015 /* returns the size of buffer used, the public ECC key in DER format is stored
wolfSSL 13:80fb167dafdf 7016 in output buffer
wolfSSL 13:80fb167dafdf 7017 with_AlgCurve is a flag for when to include a header that has the Algorithm
wolfSSL 13:80fb167dafdf 7018 and Curve infromation */
wolfSSL 13:80fb167dafdf 7019 int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
wolfSSL 13:80fb167dafdf 7020 int with_AlgCurve)
wolfSSL 13:80fb167dafdf 7021 {
wolfSSL 13:80fb167dafdf 7022 word32 infoSz = 0;
wolfSSL 13:80fb167dafdf 7023 word32 keySz = 0;
wolfSSL 13:80fb167dafdf 7024 int ret;
wolfSSL 13:80fb167dafdf 7025
wolfSSL 13:80fb167dafdf 7026 if (output == NULL || key == NULL) {
wolfSSL 13:80fb167dafdf 7027 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7028 }
wolfSSL 13:80fb167dafdf 7029
wolfSSL 13:80fb167dafdf 7030 if (with_AlgCurve) {
wolfSSL 13:80fb167dafdf 7031 /* buffer space for algorithm/curve */
wolfSSL 13:80fb167dafdf 7032 infoSz += MAX_SEQ_SZ;
wolfSSL 13:80fb167dafdf 7033 infoSz += 2 * MAX_ALGO_SZ;
wolfSSL 13:80fb167dafdf 7034
wolfSSL 13:80fb167dafdf 7035 /* buffer space for public key sequence */
wolfSSL 13:80fb167dafdf 7036 infoSz += MAX_SEQ_SZ;
wolfSSL 13:80fb167dafdf 7037 infoSz += TRAILING_ZERO;
wolfSSL 13:80fb167dafdf 7038 }
wolfSSL 13:80fb167dafdf 7039
wolfSSL 13:80fb167dafdf 7040 if ((ret = wc_ecc_export_x963(key, NULL, &keySz)) != LENGTH_ONLY_E) {
wolfSSL 13:80fb167dafdf 7041 WOLFSSL_MSG("Error in getting ECC public key size");
wolfSSL 13:80fb167dafdf 7042 return ret;
wolfSSL 13:80fb167dafdf 7043 }
wolfSSL 13:80fb167dafdf 7044
wolfSSL 13:80fb167dafdf 7045 if (inLen < keySz + infoSz) {
wolfSSL 13:80fb167dafdf 7046 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7047 }
wolfSSL 13:80fb167dafdf 7048
wolfSSL 13:80fb167dafdf 7049 return SetEccPublicKey(output, key, with_AlgCurve);
wolfSSL 13:80fb167dafdf 7050 }
wolfSSL 13:80fb167dafdf 7051 #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
wolfSSL 13:80fb167dafdf 7052 #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL 13:80fb167dafdf 7053
wolfSSL 13:80fb167dafdf 7054 static INLINE byte itob(int number)
wolfSSL 13:80fb167dafdf 7055 {
wolfSSL 13:80fb167dafdf 7056 return (byte)number + 0x30;
wolfSSL 13:80fb167dafdf 7057 }
wolfSSL 13:80fb167dafdf 7058
wolfSSL 13:80fb167dafdf 7059
wolfSSL 13:80fb167dafdf 7060 /* write time to output, format */
wolfSSL 13:80fb167dafdf 7061 static void SetTime(struct tm* date, byte* output)
wolfSSL 13:80fb167dafdf 7062 {
wolfSSL 13:80fb167dafdf 7063 int i = 0;
wolfSSL 13:80fb167dafdf 7064
wolfSSL 13:80fb167dafdf 7065 output[i++] = itob((date->tm_year % 10000) / 1000);
wolfSSL 13:80fb167dafdf 7066 output[i++] = itob((date->tm_year % 1000) / 100);
wolfSSL 13:80fb167dafdf 7067 output[i++] = itob((date->tm_year % 100) / 10);
wolfSSL 13:80fb167dafdf 7068 output[i++] = itob( date->tm_year % 10);
wolfSSL 13:80fb167dafdf 7069
wolfSSL 13:80fb167dafdf 7070 output[i++] = itob(date->tm_mon / 10);
wolfSSL 13:80fb167dafdf 7071 output[i++] = itob(date->tm_mon % 10);
wolfSSL 13:80fb167dafdf 7072
wolfSSL 13:80fb167dafdf 7073 output[i++] = itob(date->tm_mday / 10);
wolfSSL 13:80fb167dafdf 7074 output[i++] = itob(date->tm_mday % 10);
wolfSSL 13:80fb167dafdf 7075
wolfSSL 13:80fb167dafdf 7076 output[i++] = itob(date->tm_hour / 10);
wolfSSL 13:80fb167dafdf 7077 output[i++] = itob(date->tm_hour % 10);
wolfSSL 13:80fb167dafdf 7078
wolfSSL 13:80fb167dafdf 7079 output[i++] = itob(date->tm_min / 10);
wolfSSL 13:80fb167dafdf 7080 output[i++] = itob(date->tm_min % 10);
wolfSSL 13:80fb167dafdf 7081
wolfSSL 13:80fb167dafdf 7082 output[i++] = itob(date->tm_sec / 10);
wolfSSL 13:80fb167dafdf 7083 output[i++] = itob(date->tm_sec % 10);
wolfSSL 13:80fb167dafdf 7084
wolfSSL 13:80fb167dafdf 7085 output[i] = 'Z'; /* Zulu profile */
wolfSSL 13:80fb167dafdf 7086 }
wolfSSL 13:80fb167dafdf 7087
wolfSSL 13:80fb167dafdf 7088
wolfSSL 13:80fb167dafdf 7089 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 7090
wolfSSL 13:80fb167dafdf 7091 /* Copy Dates from cert, return bytes written */
wolfSSL 13:80fb167dafdf 7092 static int CopyValidity(byte* output, Cert* cert)
wolfSSL 13:80fb167dafdf 7093 {
wolfSSL 13:80fb167dafdf 7094 int seqSz;
wolfSSL 13:80fb167dafdf 7095
wolfSSL 13:80fb167dafdf 7096 WOLFSSL_ENTER("CopyValidity");
wolfSSL 13:80fb167dafdf 7097
wolfSSL 13:80fb167dafdf 7098 /* headers and output */
wolfSSL 13:80fb167dafdf 7099 seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
wolfSSL 13:80fb167dafdf 7100 XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
wolfSSL 13:80fb167dafdf 7101 XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
wolfSSL 13:80fb167dafdf 7102 cert->afterDateSz);
wolfSSL 13:80fb167dafdf 7103 return seqSz + cert->beforeDateSz + cert->afterDateSz;
wolfSSL 13:80fb167dafdf 7104 }
wolfSSL 13:80fb167dafdf 7105
wolfSSL 13:80fb167dafdf 7106 #endif
wolfSSL 13:80fb167dafdf 7107
wolfSSL 13:80fb167dafdf 7108
wolfSSL 13:80fb167dafdf 7109 /* for systems where mktime() doesn't normalize fully */
wolfSSL 13:80fb167dafdf 7110 static void RebuildTime(time_t* in, struct tm* out)
wolfSSL 13:80fb167dafdf 7111 {
wolfSSL 13:80fb167dafdf 7112 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 13:80fb167dafdf 7113 out = localtime_r(in, out);
wolfSSL 13:80fb167dafdf 7114 #else
wolfSSL 13:80fb167dafdf 7115 (void)in;
wolfSSL 13:80fb167dafdf 7116 (void)out;
wolfSSL 13:80fb167dafdf 7117 #endif
wolfSSL 13:80fb167dafdf 7118 }
wolfSSL 13:80fb167dafdf 7119
wolfSSL 13:80fb167dafdf 7120
wolfSSL 13:80fb167dafdf 7121 /* Set Date validity from now until now + daysValid
wolfSSL 13:80fb167dafdf 7122 * return size in bytes written to output, 0 on error */
wolfSSL 13:80fb167dafdf 7123 static int SetValidity(byte* output, int daysValid)
wolfSSL 13:80fb167dafdf 7124 {
wolfSSL 13:80fb167dafdf 7125 byte before[MAX_DATE_SIZE];
wolfSSL 13:80fb167dafdf 7126 byte after[MAX_DATE_SIZE];
wolfSSL 13:80fb167dafdf 7127
wolfSSL 13:80fb167dafdf 7128 int beforeSz;
wolfSSL 13:80fb167dafdf 7129 int afterSz;
wolfSSL 13:80fb167dafdf 7130 int seqSz;
wolfSSL 13:80fb167dafdf 7131
wolfSSL 13:80fb167dafdf 7132 time_t ticks;
wolfSSL 13:80fb167dafdf 7133 time_t normalTime;
wolfSSL 13:80fb167dafdf 7134 struct tm* now;
wolfSSL 13:80fb167dafdf 7135 struct tm* tmpTime = NULL;
wolfSSL 13:80fb167dafdf 7136 struct tm local;
wolfSSL 13:80fb167dafdf 7137
wolfSSL 13:80fb167dafdf 7138 #if defined(NEED_TMP_TIME)
wolfSSL 13:80fb167dafdf 7139 /* for use with gmtime_r */
wolfSSL 13:80fb167dafdf 7140 struct tm tmpTimeStorage;
wolfSSL 13:80fb167dafdf 7141 tmpTime = &tmpTimeStorage;
wolfSSL 13:80fb167dafdf 7142 #else
wolfSSL 13:80fb167dafdf 7143 (void)tmpTime;
wolfSSL 13:80fb167dafdf 7144 #endif
wolfSSL 13:80fb167dafdf 7145
wolfSSL 13:80fb167dafdf 7146 ticks = XTIME(0);
wolfSSL 13:80fb167dafdf 7147 now = XGMTIME(&ticks, tmpTime);
wolfSSL 13:80fb167dafdf 7148
wolfSSL 13:80fb167dafdf 7149 if (now == NULL) {
wolfSSL 13:80fb167dafdf 7150 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 13:80fb167dafdf 7151 return 0; /* error */
wolfSSL 13:80fb167dafdf 7152 }
wolfSSL 13:80fb167dafdf 7153
wolfSSL 13:80fb167dafdf 7154 /* before now */
wolfSSL 13:80fb167dafdf 7155 local = *now;
wolfSSL 13:80fb167dafdf 7156 before[0] = ASN_GENERALIZED_TIME;
wolfSSL 13:80fb167dafdf 7157 beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */
wolfSSL 13:80fb167dafdf 7158
wolfSSL 13:80fb167dafdf 7159 /* subtract 1 day for more compliance */
wolfSSL 13:80fb167dafdf 7160 local.tm_mday -= 1;
wolfSSL 13:80fb167dafdf 7161 normalTime = mktime(&local);
wolfSSL 13:80fb167dafdf 7162 RebuildTime(&normalTime, &local);
wolfSSL 13:80fb167dafdf 7163
wolfSSL 13:80fb167dafdf 7164 /* adjust */
wolfSSL 13:80fb167dafdf 7165 local.tm_year += 1900;
wolfSSL 13:80fb167dafdf 7166 local.tm_mon += 1;
wolfSSL 13:80fb167dafdf 7167
wolfSSL 13:80fb167dafdf 7168 SetTime(&local, before + beforeSz);
wolfSSL 13:80fb167dafdf 7169 beforeSz += ASN_GEN_TIME_SZ;
wolfSSL 13:80fb167dafdf 7170
wolfSSL 13:80fb167dafdf 7171 /* after now + daysValid */
wolfSSL 13:80fb167dafdf 7172 local = *now;
wolfSSL 13:80fb167dafdf 7173 after[0] = ASN_GENERALIZED_TIME;
wolfSSL 13:80fb167dafdf 7174 afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */
wolfSSL 13:80fb167dafdf 7175
wolfSSL 13:80fb167dafdf 7176 /* add daysValid */
wolfSSL 13:80fb167dafdf 7177 local.tm_mday += daysValid;
wolfSSL 13:80fb167dafdf 7178 normalTime = mktime(&local);
wolfSSL 13:80fb167dafdf 7179 RebuildTime(&normalTime, &local);
wolfSSL 13:80fb167dafdf 7180
wolfSSL 13:80fb167dafdf 7181 /* adjust */
wolfSSL 13:80fb167dafdf 7182 local.tm_year += 1900;
wolfSSL 13:80fb167dafdf 7183 local.tm_mon += 1;
wolfSSL 13:80fb167dafdf 7184
wolfSSL 13:80fb167dafdf 7185 SetTime(&local, after + afterSz);
wolfSSL 13:80fb167dafdf 7186 afterSz += ASN_GEN_TIME_SZ;
wolfSSL 13:80fb167dafdf 7187
wolfSSL 13:80fb167dafdf 7188 /* headers and output */
wolfSSL 13:80fb167dafdf 7189 seqSz = SetSequence(beforeSz + afterSz, output);
wolfSSL 13:80fb167dafdf 7190 XMEMCPY(output + seqSz, before, beforeSz);
wolfSSL 13:80fb167dafdf 7191 XMEMCPY(output + seqSz + beforeSz, after, afterSz);
wolfSSL 13:80fb167dafdf 7192
wolfSSL 13:80fb167dafdf 7193 return seqSz + beforeSz + afterSz;
wolfSSL 13:80fb167dafdf 7194 }
wolfSSL 13:80fb167dafdf 7195
wolfSSL 13:80fb167dafdf 7196
wolfSSL 13:80fb167dafdf 7197 /* ASN Encoded Name field */
wolfSSL 13:80fb167dafdf 7198 typedef struct EncodedName {
wolfSSL 13:80fb167dafdf 7199 int nameLen; /* actual string value length */
wolfSSL 13:80fb167dafdf 7200 int totalLen; /* total encoded length */
wolfSSL 13:80fb167dafdf 7201 int type; /* type of name */
wolfSSL 13:80fb167dafdf 7202 int used; /* are we actually using this one */
wolfSSL 13:80fb167dafdf 7203 byte encoded[CTC_NAME_SIZE * 2]; /* encoding */
wolfSSL 13:80fb167dafdf 7204 } EncodedName;
wolfSSL 13:80fb167dafdf 7205
wolfSSL 13:80fb167dafdf 7206
wolfSSL 13:80fb167dafdf 7207 /* Get Which Name from index */
wolfSSL 13:80fb167dafdf 7208 static const char* GetOneName(CertName* name, int idx)
wolfSSL 13:80fb167dafdf 7209 {
wolfSSL 13:80fb167dafdf 7210 switch (idx) {
wolfSSL 13:80fb167dafdf 7211 case 0:
wolfSSL 13:80fb167dafdf 7212 return name->country;
wolfSSL 13:80fb167dafdf 7213
wolfSSL 13:80fb167dafdf 7214 case 1:
wolfSSL 13:80fb167dafdf 7215 return name->state;
wolfSSL 13:80fb167dafdf 7216
wolfSSL 13:80fb167dafdf 7217 case 2:
wolfSSL 13:80fb167dafdf 7218 return name->locality;
wolfSSL 13:80fb167dafdf 7219
wolfSSL 13:80fb167dafdf 7220 case 3:
wolfSSL 13:80fb167dafdf 7221 return name->sur;
wolfSSL 13:80fb167dafdf 7222
wolfSSL 13:80fb167dafdf 7223 case 4:
wolfSSL 13:80fb167dafdf 7224 return name->org;
wolfSSL 13:80fb167dafdf 7225
wolfSSL 13:80fb167dafdf 7226 case 5:
wolfSSL 13:80fb167dafdf 7227 return name->unit;
wolfSSL 13:80fb167dafdf 7228
wolfSSL 13:80fb167dafdf 7229 case 6:
wolfSSL 13:80fb167dafdf 7230 return name->commonName;
wolfSSL 13:80fb167dafdf 7231
wolfSSL 13:80fb167dafdf 7232 case 7:
wolfSSL 13:80fb167dafdf 7233 return name->email;
wolfSSL 13:80fb167dafdf 7234
wolfSSL 13:80fb167dafdf 7235 default:
wolfSSL 13:80fb167dafdf 7236 return 0;
wolfSSL 13:80fb167dafdf 7237 }
wolfSSL 13:80fb167dafdf 7238 }
wolfSSL 13:80fb167dafdf 7239
wolfSSL 13:80fb167dafdf 7240
wolfSSL 13:80fb167dafdf 7241 /* Get Which Name Encoding from index */
wolfSSL 13:80fb167dafdf 7242 static char GetNameType(CertName* name, int idx)
wolfSSL 13:80fb167dafdf 7243 {
wolfSSL 13:80fb167dafdf 7244 switch (idx) {
wolfSSL 13:80fb167dafdf 7245 case 0:
wolfSSL 13:80fb167dafdf 7246 return name->countryEnc;
wolfSSL 13:80fb167dafdf 7247
wolfSSL 13:80fb167dafdf 7248 case 1:
wolfSSL 13:80fb167dafdf 7249 return name->stateEnc;
wolfSSL 13:80fb167dafdf 7250
wolfSSL 13:80fb167dafdf 7251 case 2:
wolfSSL 13:80fb167dafdf 7252 return name->localityEnc;
wolfSSL 13:80fb167dafdf 7253
wolfSSL 13:80fb167dafdf 7254 case 3:
wolfSSL 13:80fb167dafdf 7255 return name->surEnc;
wolfSSL 13:80fb167dafdf 7256
wolfSSL 13:80fb167dafdf 7257 case 4:
wolfSSL 13:80fb167dafdf 7258 return name->orgEnc;
wolfSSL 13:80fb167dafdf 7259
wolfSSL 13:80fb167dafdf 7260 case 5:
wolfSSL 13:80fb167dafdf 7261 return name->unitEnc;
wolfSSL 13:80fb167dafdf 7262
wolfSSL 13:80fb167dafdf 7263 case 6:
wolfSSL 13:80fb167dafdf 7264 return name->commonNameEnc;
wolfSSL 13:80fb167dafdf 7265
wolfSSL 13:80fb167dafdf 7266 default:
wolfSSL 13:80fb167dafdf 7267 return 0;
wolfSSL 13:80fb167dafdf 7268 }
wolfSSL 13:80fb167dafdf 7269 }
wolfSSL 13:80fb167dafdf 7270
wolfSSL 13:80fb167dafdf 7271
wolfSSL 13:80fb167dafdf 7272 /* Get ASN Name from index */
wolfSSL 13:80fb167dafdf 7273 static byte GetNameId(int idx)
wolfSSL 13:80fb167dafdf 7274 {
wolfSSL 13:80fb167dafdf 7275 switch (idx) {
wolfSSL 13:80fb167dafdf 7276 case 0:
wolfSSL 13:80fb167dafdf 7277 return ASN_COUNTRY_NAME;
wolfSSL 13:80fb167dafdf 7278
wolfSSL 13:80fb167dafdf 7279 case 1:
wolfSSL 13:80fb167dafdf 7280 return ASN_STATE_NAME;
wolfSSL 13:80fb167dafdf 7281
wolfSSL 13:80fb167dafdf 7282 case 2:
wolfSSL 13:80fb167dafdf 7283 return ASN_LOCALITY_NAME;
wolfSSL 13:80fb167dafdf 7284
wolfSSL 13:80fb167dafdf 7285 case 3:
wolfSSL 13:80fb167dafdf 7286 return ASN_SUR_NAME;
wolfSSL 13:80fb167dafdf 7287
wolfSSL 13:80fb167dafdf 7288 case 4:
wolfSSL 13:80fb167dafdf 7289 return ASN_ORG_NAME;
wolfSSL 13:80fb167dafdf 7290
wolfSSL 13:80fb167dafdf 7291 case 5:
wolfSSL 13:80fb167dafdf 7292 return ASN_ORGUNIT_NAME;
wolfSSL 13:80fb167dafdf 7293
wolfSSL 13:80fb167dafdf 7294 case 6:
wolfSSL 13:80fb167dafdf 7295 return ASN_COMMON_NAME;
wolfSSL 13:80fb167dafdf 7296
wolfSSL 13:80fb167dafdf 7297 case 7:
wolfSSL 13:80fb167dafdf 7298 /* email uses different id type */
wolfSSL 13:80fb167dafdf 7299 return 0;
wolfSSL 13:80fb167dafdf 7300
wolfSSL 13:80fb167dafdf 7301 default:
wolfSSL 13:80fb167dafdf 7302 return 0;
wolfSSL 13:80fb167dafdf 7303 }
wolfSSL 13:80fb167dafdf 7304 }
wolfSSL 13:80fb167dafdf 7305
wolfSSL 13:80fb167dafdf 7306 /*
wolfSSL 13:80fb167dafdf 7307 Extensions ::= SEQUENCE OF Extension
wolfSSL 13:80fb167dafdf 7308
wolfSSL 13:80fb167dafdf 7309 Extension ::= SEQUENCE {
wolfSSL 13:80fb167dafdf 7310 extnId OBJECT IDENTIFIER,
wolfSSL 13:80fb167dafdf 7311 critical BOOLEAN DEFAULT FALSE,
wolfSSL 13:80fb167dafdf 7312 extnValue OCTET STRING }
wolfSSL 13:80fb167dafdf 7313 */
wolfSSL 13:80fb167dafdf 7314
wolfSSL 13:80fb167dafdf 7315 /* encode all extensions, return total bytes written */
wolfSSL 13:80fb167dafdf 7316 static int SetExtensions(byte* out, word32 outSz, int *IdxInOut,
wolfSSL 13:80fb167dafdf 7317 const byte* ext, int extSz)
wolfSSL 13:80fb167dafdf 7318 {
wolfSSL 13:80fb167dafdf 7319 if (out == NULL || IdxInOut == NULL || ext == NULL)
wolfSSL 13:80fb167dafdf 7320 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7321
wolfSSL 13:80fb167dafdf 7322 if (outSz < (word32)(*IdxInOut+extSz))
wolfSSL 13:80fb167dafdf 7323 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7324
wolfSSL 13:80fb167dafdf 7325 XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */
wolfSSL 13:80fb167dafdf 7326 *IdxInOut += extSz;
wolfSSL 13:80fb167dafdf 7327
wolfSSL 13:80fb167dafdf 7328 return *IdxInOut;
wolfSSL 13:80fb167dafdf 7329 }
wolfSSL 13:80fb167dafdf 7330
wolfSSL 13:80fb167dafdf 7331 /* encode extensions header, return total bytes written */
wolfSSL 13:80fb167dafdf 7332 static int SetExtensionsHeader(byte* out, word32 outSz, int extSz)
wolfSSL 13:80fb167dafdf 7333 {
wolfSSL 13:80fb167dafdf 7334 byte sequence[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 7335 byte len[MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 7336 int seqSz, lenSz, idx = 0;
wolfSSL 13:80fb167dafdf 7337
wolfSSL 13:80fb167dafdf 7338 if (out == NULL)
wolfSSL 13:80fb167dafdf 7339 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7340
wolfSSL 13:80fb167dafdf 7341 if (outSz < 3)
wolfSSL 13:80fb167dafdf 7342 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7343
wolfSSL 13:80fb167dafdf 7344 seqSz = SetSequence(extSz, sequence);
wolfSSL 13:80fb167dafdf 7345
wolfSSL 13:80fb167dafdf 7346 /* encode extensions length provided */
wolfSSL 13:80fb167dafdf 7347 lenSz = SetLength(extSz+seqSz, len);
wolfSSL 13:80fb167dafdf 7348
wolfSSL 13:80fb167dafdf 7349 if (outSz < (word32)(lenSz+seqSz+1))
wolfSSL 13:80fb167dafdf 7350 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7351
wolfSSL 13:80fb167dafdf 7352 out[idx++] = ASN_EXTENSIONS; /* extensions id */
wolfSSL 13:80fb167dafdf 7353 XMEMCPY(&out[idx], len, lenSz); /* length */
wolfSSL 13:80fb167dafdf 7354 idx += lenSz;
wolfSSL 13:80fb167dafdf 7355
wolfSSL 13:80fb167dafdf 7356 XMEMCPY(&out[idx], sequence, seqSz); /* sequence */
wolfSSL 13:80fb167dafdf 7357 idx += seqSz;
wolfSSL 13:80fb167dafdf 7358
wolfSSL 13:80fb167dafdf 7359 return idx;
wolfSSL 13:80fb167dafdf 7360 }
wolfSSL 13:80fb167dafdf 7361
wolfSSL 13:80fb167dafdf 7362
wolfSSL 13:80fb167dafdf 7363 /* encode CA basic constraint true, return total bytes written */
wolfSSL 13:80fb167dafdf 7364 static int SetCa(byte* out, word32 outSz)
wolfSSL 13:80fb167dafdf 7365 {
wolfSSL 13:80fb167dafdf 7366 static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
wolfSSL 13:80fb167dafdf 7367 0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
wolfSSL 13:80fb167dafdf 7368
wolfSSL 13:80fb167dafdf 7369 if (out == NULL)
wolfSSL 13:80fb167dafdf 7370 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7371
wolfSSL 13:80fb167dafdf 7372 if (outSz < sizeof(ca))
wolfSSL 13:80fb167dafdf 7373 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7374
wolfSSL 13:80fb167dafdf 7375 XMEMCPY(out, ca, sizeof(ca));
wolfSSL 13:80fb167dafdf 7376
wolfSSL 13:80fb167dafdf 7377 return (int)sizeof(ca);
wolfSSL 13:80fb167dafdf 7378 }
wolfSSL 13:80fb167dafdf 7379
wolfSSL 13:80fb167dafdf 7380
wolfSSL 13:80fb167dafdf 7381 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 7382 /* encode OID and associated value, return total bytes written */
wolfSSL 13:80fb167dafdf 7383 static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz,
wolfSSL 13:80fb167dafdf 7384 byte *in, word32 inSz)
wolfSSL 13:80fb167dafdf 7385 {
wolfSSL 13:80fb167dafdf 7386 int idx = 0;
wolfSSL 13:80fb167dafdf 7387
wolfSSL 13:80fb167dafdf 7388 if (out == NULL || oid == NULL || in == NULL)
wolfSSL 13:80fb167dafdf 7389 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7390
wolfSSL 13:80fb167dafdf 7391 if (outSz < 3)
wolfSSL 13:80fb167dafdf 7392 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7393
wolfSSL 13:80fb167dafdf 7394 /* sequence, + 1 => byte to put value size */
wolfSSL 13:80fb167dafdf 7395 idx = SetSequence(inSz + oidSz + 1, out);
wolfSSL 13:80fb167dafdf 7396
wolfSSL 13:80fb167dafdf 7397 if ((idx + inSz + oidSz + 1) > outSz)
wolfSSL 13:80fb167dafdf 7398 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7399
wolfSSL 13:80fb167dafdf 7400 XMEMCPY(out+idx, oid, oidSz);
wolfSSL 13:80fb167dafdf 7401 idx += oidSz;
wolfSSL 13:80fb167dafdf 7402 out[idx++] = (byte)inSz;
wolfSSL 13:80fb167dafdf 7403 XMEMCPY(out+idx, in, inSz);
wolfSSL 13:80fb167dafdf 7404
wolfSSL 13:80fb167dafdf 7405 return (idx+inSz);
wolfSSL 13:80fb167dafdf 7406 }
wolfSSL 13:80fb167dafdf 7407
wolfSSL 13:80fb167dafdf 7408 /* encode Subject Key Identifier, return total bytes written
wolfSSL 13:80fb167dafdf 7409 * RFC5280 : non-critical */
wolfSSL 13:80fb167dafdf 7410 static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length)
wolfSSL 13:80fb167dafdf 7411 {
wolfSSL 13:80fb167dafdf 7412 byte skid_len[1 + MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 7413 byte skid_enc_len[MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 7414 int idx = 0, skid_lenSz, skid_enc_lenSz;
wolfSSL 13:80fb167dafdf 7415 static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 };
wolfSSL 13:80fb167dafdf 7416
wolfSSL 13:80fb167dafdf 7417 if (output == NULL || input == NULL)
wolfSSL 13:80fb167dafdf 7418 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7419
wolfSSL 13:80fb167dafdf 7420 /* Octet String header */
wolfSSL 13:80fb167dafdf 7421 skid_lenSz = SetOctetString(length, skid_len);
wolfSSL 13:80fb167dafdf 7422
wolfSSL 13:80fb167dafdf 7423 /* length of encoded value */
wolfSSL 13:80fb167dafdf 7424 skid_enc_lenSz = SetLength(length + skid_lenSz, skid_enc_len);
wolfSSL 13:80fb167dafdf 7425
wolfSSL 13:80fb167dafdf 7426 if (outSz < 3)
wolfSSL 13:80fb167dafdf 7427 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7428
wolfSSL 13:80fb167dafdf 7429 idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz,
wolfSSL 13:80fb167dafdf 7430 output);
wolfSSL 13:80fb167dafdf 7431
wolfSSL 13:80fb167dafdf 7432 if ((length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz) > outSz)
wolfSSL 13:80fb167dafdf 7433 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7434
wolfSSL 13:80fb167dafdf 7435 /* put oid */
wolfSSL 13:80fb167dafdf 7436 XMEMCPY(output+idx, skid_oid, sizeof(skid_oid));
wolfSSL 13:80fb167dafdf 7437 idx += sizeof(skid_oid);
wolfSSL 13:80fb167dafdf 7438
wolfSSL 13:80fb167dafdf 7439 /* put encoded len */
wolfSSL 13:80fb167dafdf 7440 XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz);
wolfSSL 13:80fb167dafdf 7441 idx += skid_enc_lenSz;
wolfSSL 13:80fb167dafdf 7442
wolfSSL 13:80fb167dafdf 7443 /* put octet header */
wolfSSL 13:80fb167dafdf 7444 XMEMCPY(output+idx, skid_len, skid_lenSz);
wolfSSL 13:80fb167dafdf 7445 idx += skid_lenSz;
wolfSSL 13:80fb167dafdf 7446
wolfSSL 13:80fb167dafdf 7447 /* put value */
wolfSSL 13:80fb167dafdf 7448 XMEMCPY(output+idx, input, length);
wolfSSL 13:80fb167dafdf 7449 idx += length;
wolfSSL 13:80fb167dafdf 7450
wolfSSL 13:80fb167dafdf 7451 return idx;
wolfSSL 13:80fb167dafdf 7452 }
wolfSSL 13:80fb167dafdf 7453
wolfSSL 13:80fb167dafdf 7454 /* encode Authority Key Identifier, return total bytes written
wolfSSL 13:80fb167dafdf 7455 * RFC5280 : non-critical */
wolfSSL 13:80fb167dafdf 7456 static int SetAKID(byte* output, word32 outSz,
wolfSSL 13:80fb167dafdf 7457 byte *input, word32 length, void* heap)
wolfSSL 13:80fb167dafdf 7458 {
wolfSSL 13:80fb167dafdf 7459 byte *enc_val;
wolfSSL 13:80fb167dafdf 7460 int ret, enc_valSz;
wolfSSL 13:80fb167dafdf 7461 static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 };
wolfSSL 13:80fb167dafdf 7462 static const byte akid_cs[] = { 0x80 };
wolfSSL 13:80fb167dafdf 7463
wolfSSL 13:80fb167dafdf 7464 if (output == NULL || input == NULL)
wolfSSL 13:80fb167dafdf 7465 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7466
wolfSSL 13:80fb167dafdf 7467 enc_valSz = length + 3 + sizeof(akid_cs);
wolfSSL 13:80fb167dafdf 7468 enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7469 if (enc_val == NULL)
wolfSSL 13:80fb167dafdf 7470 return MEMORY_E;
wolfSSL 13:80fb167dafdf 7471
wolfSSL 13:80fb167dafdf 7472 /* sequence for ContentSpec & value */
wolfSSL 13:80fb167dafdf 7473 ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs),
wolfSSL 13:80fb167dafdf 7474 input, length);
wolfSSL 13:80fb167dafdf 7475 if (ret > 0) {
wolfSSL 13:80fb167dafdf 7476 enc_valSz = ret;
wolfSSL 13:80fb167dafdf 7477
wolfSSL 13:80fb167dafdf 7478 ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid),
wolfSSL 13:80fb167dafdf 7479 enc_val, enc_valSz);
wolfSSL 13:80fb167dafdf 7480 }
wolfSSL 13:80fb167dafdf 7481
wolfSSL 13:80fb167dafdf 7482 XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7483 return ret;
wolfSSL 13:80fb167dafdf 7484 }
wolfSSL 13:80fb167dafdf 7485
wolfSSL 13:80fb167dafdf 7486 /* encode Key Usage, return total bytes written
wolfSSL 13:80fb167dafdf 7487 * RFC5280 : critical */
wolfSSL 13:80fb167dafdf 7488 static int SetKeyUsage(byte* output, word32 outSz, word16 input)
wolfSSL 13:80fb167dafdf 7489 {
wolfSSL 13:80fb167dafdf 7490 byte ku[5];
wolfSSL 13:80fb167dafdf 7491 int idx;
wolfSSL 13:80fb167dafdf 7492 static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f,
wolfSSL 13:80fb167dafdf 7493 0x01, 0x01, 0xff, 0x04};
wolfSSL 13:80fb167dafdf 7494
wolfSSL 13:80fb167dafdf 7495 if (output == NULL)
wolfSSL 13:80fb167dafdf 7496 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7497
wolfSSL 13:80fb167dafdf 7498 idx = SetBitString16Bit(input, ku);
wolfSSL 13:80fb167dafdf 7499 return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid),
wolfSSL 13:80fb167dafdf 7500 ku, idx);
wolfSSL 13:80fb167dafdf 7501 }
wolfSSL 13:80fb167dafdf 7502
wolfSSL 13:80fb167dafdf 7503 /* Encode OID string representation to ITU-T X.690 format */
wolfSSL 13:80fb167dafdf 7504 static int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
wolfSSL 13:80fb167dafdf 7505 {
wolfSSL 13:80fb167dafdf 7506 word32 val, idx = 0, nb_val;
wolfSSL 13:80fb167dafdf 7507 char *token, *str, *ptr;
wolfSSL 13:80fb167dafdf 7508 word32 len;
wolfSSL 13:80fb167dafdf 7509
wolfSSL 13:80fb167dafdf 7510 if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL)
wolfSSL 13:80fb167dafdf 7511 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7512
wolfSSL 13:80fb167dafdf 7513 len = (word32)XSTRLEN(in);
wolfSSL 13:80fb167dafdf 7514
wolfSSL 13:80fb167dafdf 7515 str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7516 if (str == NULL)
wolfSSL 13:80fb167dafdf 7517 return MEMORY_E;
wolfSSL 13:80fb167dafdf 7518
wolfSSL 13:80fb167dafdf 7519 XSTRNCPY(str, in, len);
wolfSSL 13:80fb167dafdf 7520 str[len] = 0x00;
wolfSSL 13:80fb167dafdf 7521
wolfSSL 13:80fb167dafdf 7522 nb_val = 0;
wolfSSL 13:80fb167dafdf 7523
wolfSSL 13:80fb167dafdf 7524 /* parse value, and set corresponding Policy OID value */
wolfSSL 13:80fb167dafdf 7525 token = XSTRTOK(str, ".", &ptr);
wolfSSL 13:80fb167dafdf 7526 while (token != NULL)
wolfSSL 13:80fb167dafdf 7527 {
wolfSSL 13:80fb167dafdf 7528 val = (word32)atoi(token);
wolfSSL 13:80fb167dafdf 7529
wolfSSL 13:80fb167dafdf 7530 if (nb_val == 0) {
wolfSSL 13:80fb167dafdf 7531 if (val > 2) {
wolfSSL 13:80fb167dafdf 7532 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7533 return ASN_OBJECT_ID_E;
wolfSSL 13:80fb167dafdf 7534 }
wolfSSL 13:80fb167dafdf 7535
wolfSSL 13:80fb167dafdf 7536 out[idx] = (byte)(40 * val);
wolfSSL 13:80fb167dafdf 7537 }
wolfSSL 13:80fb167dafdf 7538 else if (nb_val == 1) {
wolfSSL 13:80fb167dafdf 7539 if (val > 127) {
wolfSSL 13:80fb167dafdf 7540 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7541 return ASN_OBJECT_ID_E;
wolfSSL 13:80fb167dafdf 7542 }
wolfSSL 13:80fb167dafdf 7543
wolfSSL 13:80fb167dafdf 7544 if (idx > *outSz) {
wolfSSL 13:80fb167dafdf 7545 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7546 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7547 }
wolfSSL 13:80fb167dafdf 7548
wolfSSL 13:80fb167dafdf 7549 out[idx++] += (byte)val;
wolfSSL 13:80fb167dafdf 7550 }
wolfSSL 13:80fb167dafdf 7551 else {
wolfSSL 13:80fb167dafdf 7552 word32 tb = 0, x;
wolfSSL 13:80fb167dafdf 7553 int i = 0;
wolfSSL 13:80fb167dafdf 7554 byte oid[MAX_OID_SZ];
wolfSSL 13:80fb167dafdf 7555
wolfSSL 13:80fb167dafdf 7556 while (val >= 128) {
wolfSSL 13:80fb167dafdf 7557 x = val % 128;
wolfSSL 13:80fb167dafdf 7558 val /= 128;
wolfSSL 13:80fb167dafdf 7559 oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x);
wolfSSL 13:80fb167dafdf 7560 }
wolfSSL 13:80fb167dafdf 7561
wolfSSL 13:80fb167dafdf 7562 if ((idx+(word32)i) > *outSz) {
wolfSSL 13:80fb167dafdf 7563 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7564 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7565 }
wolfSSL 13:80fb167dafdf 7566
wolfSSL 13:80fb167dafdf 7567 oid[i] = (byte) (((tb++) ? 0x80 : 0) | val);
wolfSSL 13:80fb167dafdf 7568
wolfSSL 13:80fb167dafdf 7569 /* push value in the right order */
wolfSSL 13:80fb167dafdf 7570 while (i >= 0)
wolfSSL 13:80fb167dafdf 7571 out[idx++] = oid[i--];
wolfSSL 13:80fb167dafdf 7572 }
wolfSSL 13:80fb167dafdf 7573
wolfSSL 13:80fb167dafdf 7574 token = XSTRTOK(NULL, ".", &ptr);
wolfSSL 13:80fb167dafdf 7575 nb_val++;
wolfSSL 13:80fb167dafdf 7576 }
wolfSSL 13:80fb167dafdf 7577
wolfSSL 13:80fb167dafdf 7578 *outSz = idx;
wolfSSL 13:80fb167dafdf 7579
wolfSSL 13:80fb167dafdf 7580 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7581 return 0;
wolfSSL 13:80fb167dafdf 7582 }
wolfSSL 13:80fb167dafdf 7583
wolfSSL 13:80fb167dafdf 7584 /* encode Certificate Policies, return total bytes written
wolfSSL 13:80fb167dafdf 7585 * each input value must be ITU-T X.690 formatted : a.b.c...
wolfSSL 13:80fb167dafdf 7586 * input must be an array of values with a NULL terminated for the latest
wolfSSL 13:80fb167dafdf 7587 * RFC5280 : non-critical */
wolfSSL 13:80fb167dafdf 7588 static int SetCertificatePolicies(byte *output,
wolfSSL 13:80fb167dafdf 7589 word32 outputSz,
wolfSSL 13:80fb167dafdf 7590 char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ],
wolfSSL 13:80fb167dafdf 7591 word16 nb_certpol,
wolfSSL 13:80fb167dafdf 7592 void* heap)
wolfSSL 13:80fb167dafdf 7593 {
wolfSSL 13:80fb167dafdf 7594 byte oid[MAX_OID_SZ],
wolfSSL 13:80fb167dafdf 7595 der_oid[MAX_CERTPOL_NB][MAX_OID_SZ],
wolfSSL 13:80fb167dafdf 7596 out[MAX_CERTPOL_SZ];
wolfSSL 13:80fb167dafdf 7597 word32 oidSz;
wolfSSL 13:80fb167dafdf 7598 word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB];
wolfSSL 13:80fb167dafdf 7599 int ret;
wolfSSL 13:80fb167dafdf 7600
wolfSSL 13:80fb167dafdf 7601 static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 };
wolfSSL 13:80fb167dafdf 7602 static const byte oid_oid[] = { 0x06 };
wolfSSL 13:80fb167dafdf 7603
wolfSSL 13:80fb167dafdf 7604 if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB)
wolfSSL 13:80fb167dafdf 7605 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7606
wolfSSL 13:80fb167dafdf 7607 for (i = 0; i < nb_certpol; i++) {
wolfSSL 13:80fb167dafdf 7608 oidSz = sizeof(oid);
wolfSSL 13:80fb167dafdf 7609 XMEMSET(oid, 0, oidSz);
wolfSSL 13:80fb167dafdf 7610
wolfSSL 13:80fb167dafdf 7611 ret = EncodePolicyOID(oid, &oidSz, input[i], heap);
wolfSSL 13:80fb167dafdf 7612 if (ret != 0)
wolfSSL 13:80fb167dafdf 7613 return ret;
wolfSSL 13:80fb167dafdf 7614
wolfSSL 13:80fb167dafdf 7615 /* compute sequence value for the oid */
wolfSSL 13:80fb167dafdf 7616 ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid,
wolfSSL 13:80fb167dafdf 7617 sizeof(oid_oid), oid, oidSz);
wolfSSL 13:80fb167dafdf 7618 if (ret <= 0)
wolfSSL 13:80fb167dafdf 7619 return ret;
wolfSSL 13:80fb167dafdf 7620 else
wolfSSL 13:80fb167dafdf 7621 der_oidSz[i] = (word32)ret;
wolfSSL 13:80fb167dafdf 7622 }
wolfSSL 13:80fb167dafdf 7623
wolfSSL 13:80fb167dafdf 7624 /* concatenate oid, keep two byte for sequence/size of the created value */
wolfSSL 13:80fb167dafdf 7625 for (i = 0, outSz = 2; i < nb_certpol; i++) {
wolfSSL 13:80fb167dafdf 7626 XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]);
wolfSSL 13:80fb167dafdf 7627 outSz += der_oidSz[i];
wolfSSL 13:80fb167dafdf 7628 }
wolfSSL 13:80fb167dafdf 7629
wolfSSL 13:80fb167dafdf 7630 /* add sequence */
wolfSSL 13:80fb167dafdf 7631 ret = SetSequence(outSz-2, out);
wolfSSL 13:80fb167dafdf 7632 if (ret <= 0)
wolfSSL 13:80fb167dafdf 7633 return ret;
wolfSSL 13:80fb167dafdf 7634
wolfSSL 13:80fb167dafdf 7635 /* add Policy OID to compute final value */
wolfSSL 13:80fb167dafdf 7636 return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid),
wolfSSL 13:80fb167dafdf 7637 out, outSz);
wolfSSL 13:80fb167dafdf 7638 }
wolfSSL 13:80fb167dafdf 7639 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 7640
wolfSSL 13:80fb167dafdf 7641 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 7642 /* encode Alternative Names, return total bytes written */
wolfSSL 13:80fb167dafdf 7643 static int SetAltNames(byte *out, word32 outSz, byte *input, word32 length)
wolfSSL 13:80fb167dafdf 7644 {
wolfSSL 13:80fb167dafdf 7645 if (out == NULL || input == NULL)
wolfSSL 13:80fb167dafdf 7646 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7647
wolfSSL 13:80fb167dafdf 7648 if (outSz < length)
wolfSSL 13:80fb167dafdf 7649 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7650
wolfSSL 13:80fb167dafdf 7651 /* Alternative Names come from certificate or computed by
wolfSSL 13:80fb167dafdf 7652 * external function, so already encoded. Just copy value */
wolfSSL 13:80fb167dafdf 7653 XMEMCPY(out, input, length);
wolfSSL 13:80fb167dafdf 7654 return length;
wolfSSL 13:80fb167dafdf 7655 }
wolfSSL 13:80fb167dafdf 7656 #endif /* WOLFSL_ALT_NAMES */
wolfSSL 13:80fb167dafdf 7657
wolfSSL 13:80fb167dafdf 7658
wolfSSL 13:80fb167dafdf 7659 /* encode CertName into output, return total bytes written */
wolfSSL 13:80fb167dafdf 7660 int SetName(byte* output, word32 outputSz, CertName* name)
wolfSSL 13:80fb167dafdf 7661 {
wolfSSL 13:80fb167dafdf 7662 int totalBytes = 0, i, idx;
wolfSSL 13:80fb167dafdf 7663 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7664 EncodedName* names = NULL;
wolfSSL 13:80fb167dafdf 7665 #else
wolfSSL 13:80fb167dafdf 7666 EncodedName names[NAME_ENTRIES];
wolfSSL 13:80fb167dafdf 7667 #endif
wolfSSL 13:80fb167dafdf 7668
wolfSSL 13:80fb167dafdf 7669 if (output == NULL || name == NULL)
wolfSSL 13:80fb167dafdf 7670 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7671
wolfSSL 13:80fb167dafdf 7672 if (outputSz < 3)
wolfSSL 13:80fb167dafdf 7673 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7674
wolfSSL 13:80fb167dafdf 7675 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7676 names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL,
wolfSSL 13:80fb167dafdf 7677 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7678 if (names == NULL)
wolfSSL 13:80fb167dafdf 7679 return MEMORY_E;
wolfSSL 13:80fb167dafdf 7680 #endif
wolfSSL 13:80fb167dafdf 7681
wolfSSL 13:80fb167dafdf 7682 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 13:80fb167dafdf 7683 const char* nameStr = GetOneName(name, i);
wolfSSL 13:80fb167dafdf 7684 if (nameStr) {
wolfSSL 13:80fb167dafdf 7685 /* bottom up */
wolfSSL 13:80fb167dafdf 7686 byte firstLen[1 + MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 7687 byte secondLen[MAX_LENGTH_SZ];
wolfSSL 13:80fb167dafdf 7688 byte sequence[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 7689 byte set[MAX_SET_SZ];
wolfSSL 13:80fb167dafdf 7690
wolfSSL 13:80fb167dafdf 7691 int email = i == (NAME_ENTRIES - 1) ? 1 : 0;
wolfSSL 13:80fb167dafdf 7692 int strLen = (int)XSTRLEN(nameStr);
wolfSSL 13:80fb167dafdf 7693 int thisLen = strLen;
wolfSSL 13:80fb167dafdf 7694 int firstSz, secondSz, seqSz, setSz;
wolfSSL 13:80fb167dafdf 7695
wolfSSL 13:80fb167dafdf 7696 if (strLen == 0) { /* no user data for this item */
wolfSSL 13:80fb167dafdf 7697 names[i].used = 0;
wolfSSL 13:80fb167dafdf 7698 continue;
wolfSSL 13:80fb167dafdf 7699 }
wolfSSL 13:80fb167dafdf 7700
wolfSSL 13:80fb167dafdf 7701 /* Restrict country code size */
wolfSSL 13:80fb167dafdf 7702 if (i == 0 && strLen != CTC_COUNTRY_SIZE) {
wolfSSL 13:80fb167dafdf 7703 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7704 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7705 #endif
wolfSSL 13:80fb167dafdf 7706 return ASN_COUNTRY_SIZE_E;
wolfSSL 13:80fb167dafdf 7707 }
wolfSSL 13:80fb167dafdf 7708
wolfSSL 13:80fb167dafdf 7709 secondSz = SetLength(strLen, secondLen);
wolfSSL 13:80fb167dafdf 7710 thisLen += secondSz;
wolfSSL 13:80fb167dafdf 7711 if (email) {
wolfSSL 13:80fb167dafdf 7712 thisLen += EMAIL_JOINT_LEN;
wolfSSL 13:80fb167dafdf 7713 thisLen ++; /* id type */
wolfSSL 13:80fb167dafdf 7714 firstSz = SetObjectId(EMAIL_JOINT_LEN, firstLen);
wolfSSL 13:80fb167dafdf 7715 }
wolfSSL 13:80fb167dafdf 7716 else {
wolfSSL 13:80fb167dafdf 7717 thisLen++; /* str type */
wolfSSL 13:80fb167dafdf 7718 thisLen++; /* id type */
wolfSSL 13:80fb167dafdf 7719 thisLen += JOINT_LEN;
wolfSSL 13:80fb167dafdf 7720 firstSz = SetObjectId(JOINT_LEN + 1, firstLen);
wolfSSL 13:80fb167dafdf 7721 }
wolfSSL 13:80fb167dafdf 7722 thisLen += firstSz;
wolfSSL 13:80fb167dafdf 7723
wolfSSL 13:80fb167dafdf 7724 seqSz = SetSequence(thisLen, sequence);
wolfSSL 13:80fb167dafdf 7725 thisLen += seqSz;
wolfSSL 13:80fb167dafdf 7726 setSz = SetSet(thisLen, set);
wolfSSL 13:80fb167dafdf 7727 thisLen += setSz;
wolfSSL 13:80fb167dafdf 7728
wolfSSL 13:80fb167dafdf 7729 if (thisLen > (int)sizeof(names[i].encoded)) {
wolfSSL 13:80fb167dafdf 7730 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7731 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7732 #endif
wolfSSL 13:80fb167dafdf 7733 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7734 }
wolfSSL 13:80fb167dafdf 7735
wolfSSL 13:80fb167dafdf 7736 /* store it */
wolfSSL 13:80fb167dafdf 7737 idx = 0;
wolfSSL 13:80fb167dafdf 7738 /* set */
wolfSSL 13:80fb167dafdf 7739 XMEMCPY(names[i].encoded, set, setSz);
wolfSSL 13:80fb167dafdf 7740 idx += setSz;
wolfSSL 13:80fb167dafdf 7741 /* seq */
wolfSSL 13:80fb167dafdf 7742 XMEMCPY(names[i].encoded + idx, sequence, seqSz);
wolfSSL 13:80fb167dafdf 7743 idx += seqSz;
wolfSSL 13:80fb167dafdf 7744 /* asn object id */
wolfSSL 13:80fb167dafdf 7745 XMEMCPY(names[i].encoded + idx, firstLen, firstSz);
wolfSSL 13:80fb167dafdf 7746 idx += firstSz;
wolfSSL 13:80fb167dafdf 7747 if (email) {
wolfSSL 13:80fb167dafdf 7748 const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL 13:80fb167dafdf 7749 0x01, 0x09, 0x01, 0x16 };
wolfSSL 13:80fb167dafdf 7750 /* email joint id */
wolfSSL 13:80fb167dafdf 7751 XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
wolfSSL 13:80fb167dafdf 7752 idx += (int)sizeof(EMAIL_OID);
wolfSSL 13:80fb167dafdf 7753 }
wolfSSL 13:80fb167dafdf 7754 else {
wolfSSL 13:80fb167dafdf 7755 /* joint id */
wolfSSL 13:80fb167dafdf 7756 byte bType = GetNameId(i);
wolfSSL 13:80fb167dafdf 7757 names[i].encoded[idx++] = 0x55;
wolfSSL 13:80fb167dafdf 7758 names[i].encoded[idx++] = 0x04;
wolfSSL 13:80fb167dafdf 7759 /* id type */
wolfSSL 13:80fb167dafdf 7760 names[i].encoded[idx++] = bType;
wolfSSL 13:80fb167dafdf 7761 /* str type */
wolfSSL 13:80fb167dafdf 7762 names[i].encoded[idx++] = GetNameType(name, i);
wolfSSL 13:80fb167dafdf 7763 }
wolfSSL 13:80fb167dafdf 7764 /* second length */
wolfSSL 13:80fb167dafdf 7765 XMEMCPY(names[i].encoded + idx, secondLen, secondSz);
wolfSSL 13:80fb167dafdf 7766 idx += secondSz;
wolfSSL 13:80fb167dafdf 7767 /* str value */
wolfSSL 13:80fb167dafdf 7768 XMEMCPY(names[i].encoded + idx, nameStr, strLen);
wolfSSL 13:80fb167dafdf 7769 idx += strLen;
wolfSSL 13:80fb167dafdf 7770
wolfSSL 13:80fb167dafdf 7771 totalBytes += idx;
wolfSSL 13:80fb167dafdf 7772 names[i].totalLen = idx;
wolfSSL 13:80fb167dafdf 7773 names[i].used = 1;
wolfSSL 13:80fb167dafdf 7774 }
wolfSSL 13:80fb167dafdf 7775 else
wolfSSL 13:80fb167dafdf 7776 names[i].used = 0;
wolfSSL 13:80fb167dafdf 7777 }
wolfSSL 13:80fb167dafdf 7778
wolfSSL 13:80fb167dafdf 7779 /* header */
wolfSSL 13:80fb167dafdf 7780 idx = SetSequence(totalBytes, output);
wolfSSL 13:80fb167dafdf 7781 totalBytes += idx;
wolfSSL 13:80fb167dafdf 7782 if (totalBytes > ASN_NAME_MAX) {
wolfSSL 13:80fb167dafdf 7783 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7784 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7785 #endif
wolfSSL 13:80fb167dafdf 7786 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7787 }
wolfSSL 13:80fb167dafdf 7788
wolfSSL 13:80fb167dafdf 7789 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 13:80fb167dafdf 7790 if (names[i].used) {
wolfSSL 13:80fb167dafdf 7791 if (outputSz < (word32)(idx+names[i].totalLen)) {
wolfSSL 13:80fb167dafdf 7792 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7793 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7794 #endif
wolfSSL 13:80fb167dafdf 7795 return BUFFER_E;
wolfSSL 13:80fb167dafdf 7796 }
wolfSSL 13:80fb167dafdf 7797
wolfSSL 13:80fb167dafdf 7798 XMEMCPY(output + idx, names[i].encoded, names[i].totalLen);
wolfSSL 13:80fb167dafdf 7799 idx += names[i].totalLen;
wolfSSL 13:80fb167dafdf 7800 }
wolfSSL 13:80fb167dafdf 7801 }
wolfSSL 13:80fb167dafdf 7802
wolfSSL 13:80fb167dafdf 7803 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 7804 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 7805 #endif
wolfSSL 13:80fb167dafdf 7806
wolfSSL 13:80fb167dafdf 7807 return totalBytes;
wolfSSL 13:80fb167dafdf 7808 }
wolfSSL 13:80fb167dafdf 7809
wolfSSL 13:80fb167dafdf 7810 /* encode info from cert into DER encoded format */
wolfSSL 13:80fb167dafdf 7811 static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
wolfSSL 13:80fb167dafdf 7812 WC_RNG* rng, const byte* ntruKey, word16 ntruSz)
wolfSSL 13:80fb167dafdf 7813 {
wolfSSL 13:80fb167dafdf 7814 int ret;
wolfSSL 13:80fb167dafdf 7815
wolfSSL 13:80fb167dafdf 7816 (void)eccKey;
wolfSSL 13:80fb167dafdf 7817 (void)ntruKey;
wolfSSL 13:80fb167dafdf 7818 (void)ntruSz;
wolfSSL 13:80fb167dafdf 7819
wolfSSL 13:80fb167dafdf 7820 if (cert == NULL || der == NULL || rng == NULL)
wolfSSL 13:80fb167dafdf 7821 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 7822
wolfSSL 13:80fb167dafdf 7823 /* init */
wolfSSL 13:80fb167dafdf 7824 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 13:80fb167dafdf 7825
wolfSSL 13:80fb167dafdf 7826 /* version */
wolfSSL 13:80fb167dafdf 7827 der->versionSz = SetMyVersion(cert->version, der->version, TRUE);
wolfSSL 13:80fb167dafdf 7828
wolfSSL 13:80fb167dafdf 7829 /* serial number */
wolfSSL 13:80fb167dafdf 7830 ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE);
wolfSSL 13:80fb167dafdf 7831 if (ret != 0)
wolfSSL 13:80fb167dafdf 7832 return ret;
wolfSSL 13:80fb167dafdf 7833
wolfSSL 13:80fb167dafdf 7834 cert->serial[0] = 0x01; /* ensure positive */
wolfSSL 13:80fb167dafdf 7835 der->serialSz = SetSerial(cert->serial, der->serial);
wolfSSL 13:80fb167dafdf 7836
wolfSSL 13:80fb167dafdf 7837 /* signature algo */
wolfSSL 13:80fb167dafdf 7838 der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, oidSigType, 0);
wolfSSL 13:80fb167dafdf 7839 if (der->sigAlgoSz <= 0)
wolfSSL 13:80fb167dafdf 7840 return ALGO_ID_E;
wolfSSL 13:80fb167dafdf 7841
wolfSSL 13:80fb167dafdf 7842 /* public key */
wolfSSL 13:80fb167dafdf 7843 if (cert->keyType == RSA_KEY) {
wolfSSL 13:80fb167dafdf 7844 if (rsaKey == NULL)
wolfSSL 13:80fb167dafdf 7845 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7846 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 13:80fb167dafdf 7847 sizeof(der->publicKey), 1);
wolfSSL 13:80fb167dafdf 7848 if (der->publicKeySz <= 0)
wolfSSL 13:80fb167dafdf 7849 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7850 }
wolfSSL 13:80fb167dafdf 7851
wolfSSL 13:80fb167dafdf 7852 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 7853 if (cert->keyType == ECC_KEY) {
wolfSSL 13:80fb167dafdf 7854 if (eccKey == NULL)
wolfSSL 13:80fb167dafdf 7855 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7856 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 13:80fb167dafdf 7857 if (der->publicKeySz <= 0)
wolfSSL 13:80fb167dafdf 7858 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7859 }
wolfSSL 13:80fb167dafdf 7860 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 7861
wolfSSL 13:80fb167dafdf 7862 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 7863 if (cert->keyType == NTRU_KEY) {
wolfSSL 13:80fb167dafdf 7864 word32 rc;
wolfSSL 13:80fb167dafdf 7865 word16 encodedSz;
wolfSSL 13:80fb167dafdf 7866
wolfSSL 13:80fb167dafdf 7867 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 13:80fb167dafdf 7868 ntruKey, &encodedSz, NULL);
wolfSSL 13:80fb167dafdf 7869 if (rc != NTRU_OK)
wolfSSL 13:80fb167dafdf 7870 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7871 if (encodedSz > MAX_PUBLIC_KEY_SZ)
wolfSSL 13:80fb167dafdf 7872 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7873
wolfSSL 13:80fb167dafdf 7874 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 13:80fb167dafdf 7875 ntruKey, &encodedSz, der->publicKey);
wolfSSL 13:80fb167dafdf 7876 if (rc != NTRU_OK)
wolfSSL 13:80fb167dafdf 7877 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 7878
wolfSSL 13:80fb167dafdf 7879 der->publicKeySz = encodedSz;
wolfSSL 13:80fb167dafdf 7880 }
wolfSSL 13:80fb167dafdf 7881 #endif /* HAVE_NTRU */
wolfSSL 13:80fb167dafdf 7882
wolfSSL 13:80fb167dafdf 7883 der->validitySz = 0;
wolfSSL 13:80fb167dafdf 7884 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 7885 /* date validity copy ? */
wolfSSL 13:80fb167dafdf 7886 if (cert->beforeDateSz && cert->afterDateSz) {
wolfSSL 13:80fb167dafdf 7887 der->validitySz = CopyValidity(der->validity, cert);
wolfSSL 13:80fb167dafdf 7888 if (der->validitySz <= 0)
wolfSSL 13:80fb167dafdf 7889 return DATE_E;
wolfSSL 13:80fb167dafdf 7890 }
wolfSSL 13:80fb167dafdf 7891 #endif
wolfSSL 13:80fb167dafdf 7892
wolfSSL 13:80fb167dafdf 7893 /* date validity */
wolfSSL 13:80fb167dafdf 7894 if (der->validitySz == 0) {
wolfSSL 13:80fb167dafdf 7895 der->validitySz = SetValidity(der->validity, cert->daysValid);
wolfSSL 13:80fb167dafdf 7896 if (der->validitySz <= 0)
wolfSSL 13:80fb167dafdf 7897 return DATE_E;
wolfSSL 13:80fb167dafdf 7898 }
wolfSSL 13:80fb167dafdf 7899
wolfSSL 13:80fb167dafdf 7900 /* subject name */
wolfSSL 13:80fb167dafdf 7901 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 13:80fb167dafdf 7902 if (der->subjectSz <= 0)
wolfSSL 13:80fb167dafdf 7903 return SUBJECT_E;
wolfSSL 13:80fb167dafdf 7904
wolfSSL 13:80fb167dafdf 7905 /* issuer name */
wolfSSL 13:80fb167dafdf 7906 der->issuerSz = SetName(der->issuer, sizeof(der->issuer), cert->selfSigned ?
wolfSSL 13:80fb167dafdf 7907 &cert->subject : &cert->issuer);
wolfSSL 13:80fb167dafdf 7908 if (der->issuerSz <= 0)
wolfSSL 13:80fb167dafdf 7909 return ISSUER_E;
wolfSSL 13:80fb167dafdf 7910
wolfSSL 13:80fb167dafdf 7911 /* set the extensions */
wolfSSL 13:80fb167dafdf 7912 der->extensionsSz = 0;
wolfSSL 13:80fb167dafdf 7913
wolfSSL 13:80fb167dafdf 7914 /* CA */
wolfSSL 13:80fb167dafdf 7915 if (cert->isCA) {
wolfSSL 13:80fb167dafdf 7916 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 13:80fb167dafdf 7917 if (der->caSz <= 0)
wolfSSL 13:80fb167dafdf 7918 return CA_TRUE_E;
wolfSSL 13:80fb167dafdf 7919
wolfSSL 13:80fb167dafdf 7920 der->extensionsSz += der->caSz;
wolfSSL 13:80fb167dafdf 7921 }
wolfSSL 13:80fb167dafdf 7922 else
wolfSSL 13:80fb167dafdf 7923 der->caSz = 0;
wolfSSL 13:80fb167dafdf 7924
wolfSSL 13:80fb167dafdf 7925 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 7926 /* Alternative Name */
wolfSSL 13:80fb167dafdf 7927 if (cert->altNamesSz) {
wolfSSL 13:80fb167dafdf 7928 der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
wolfSSL 13:80fb167dafdf 7929 cert->altNames, cert->altNamesSz);
wolfSSL 13:80fb167dafdf 7930 if (der->altNamesSz <= 0)
wolfSSL 13:80fb167dafdf 7931 return ALT_NAME_E;
wolfSSL 13:80fb167dafdf 7932
wolfSSL 13:80fb167dafdf 7933 der->extensionsSz += der->altNamesSz;
wolfSSL 13:80fb167dafdf 7934 }
wolfSSL 13:80fb167dafdf 7935 else
wolfSSL 13:80fb167dafdf 7936 der->altNamesSz = 0;
wolfSSL 13:80fb167dafdf 7937 #endif
wolfSSL 13:80fb167dafdf 7938
wolfSSL 13:80fb167dafdf 7939 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 7940 /* SKID */
wolfSSL 13:80fb167dafdf 7941 if (cert->skidSz) {
wolfSSL 13:80fb167dafdf 7942 /* check the provided SKID size */
wolfSSL 13:80fb167dafdf 7943 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 13:80fb167dafdf 7944 return SKID_E;
wolfSSL 13:80fb167dafdf 7945
wolfSSL 13:80fb167dafdf 7946 /* Note: different skid buffers sizes for der (MAX_KID_SZ) and
wolfSSL 13:80fb167dafdf 7947 cert (CTC_MAX_SKID_SIZE). */
wolfSSL 13:80fb167dafdf 7948 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 13:80fb167dafdf 7949 cert->skid, cert->skidSz);
wolfSSL 13:80fb167dafdf 7950 if (der->skidSz <= 0)
wolfSSL 13:80fb167dafdf 7951 return SKID_E;
wolfSSL 13:80fb167dafdf 7952
wolfSSL 13:80fb167dafdf 7953 der->extensionsSz += der->skidSz;
wolfSSL 13:80fb167dafdf 7954 }
wolfSSL 13:80fb167dafdf 7955 else
wolfSSL 13:80fb167dafdf 7956 der->skidSz = 0;
wolfSSL 13:80fb167dafdf 7957
wolfSSL 13:80fb167dafdf 7958 /* AKID */
wolfSSL 13:80fb167dafdf 7959 if (cert->akidSz) {
wolfSSL 13:80fb167dafdf 7960 /* check the provided AKID size */
wolfSSL 13:80fb167dafdf 7961 if (cert->akidSz > (int)sizeof(der->akid))
wolfSSL 13:80fb167dafdf 7962 return AKID_E;
wolfSSL 13:80fb167dafdf 7963
wolfSSL 13:80fb167dafdf 7964 der->akidSz = SetAKID(der->akid, sizeof(der->akid),
wolfSSL 13:80fb167dafdf 7965 cert->akid, cert->akidSz, cert->heap);
wolfSSL 13:80fb167dafdf 7966 if (der->akidSz <= 0)
wolfSSL 13:80fb167dafdf 7967 return AKID_E;
wolfSSL 13:80fb167dafdf 7968
wolfSSL 13:80fb167dafdf 7969 der->extensionsSz += der->akidSz;
wolfSSL 13:80fb167dafdf 7970 }
wolfSSL 13:80fb167dafdf 7971 else
wolfSSL 13:80fb167dafdf 7972 der->akidSz = 0;
wolfSSL 13:80fb167dafdf 7973
wolfSSL 13:80fb167dafdf 7974 /* Key Usage */
wolfSSL 13:80fb167dafdf 7975 if (cert->keyUsage != 0){
wolfSSL 13:80fb167dafdf 7976 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 13:80fb167dafdf 7977 cert->keyUsage);
wolfSSL 13:80fb167dafdf 7978 if (der->keyUsageSz <= 0)
wolfSSL 13:80fb167dafdf 7979 return KEYUSAGE_E;
wolfSSL 13:80fb167dafdf 7980
wolfSSL 13:80fb167dafdf 7981 der->extensionsSz += der->keyUsageSz;
wolfSSL 13:80fb167dafdf 7982 }
wolfSSL 13:80fb167dafdf 7983 else
wolfSSL 13:80fb167dafdf 7984 der->keyUsageSz = 0;
wolfSSL 13:80fb167dafdf 7985
wolfSSL 13:80fb167dafdf 7986 /* Certificate Policies */
wolfSSL 13:80fb167dafdf 7987 if (cert->certPoliciesNb != 0) {
wolfSSL 13:80fb167dafdf 7988 der->certPoliciesSz = SetCertificatePolicies(der->certPolicies,
wolfSSL 13:80fb167dafdf 7989 sizeof(der->certPolicies),
wolfSSL 13:80fb167dafdf 7990 cert->certPolicies,
wolfSSL 13:80fb167dafdf 7991 cert->certPoliciesNb,
wolfSSL 13:80fb167dafdf 7992 cert->heap);
wolfSSL 13:80fb167dafdf 7993 if (der->certPoliciesSz <= 0)
wolfSSL 13:80fb167dafdf 7994 return CERTPOLICIES_E;
wolfSSL 13:80fb167dafdf 7995
wolfSSL 13:80fb167dafdf 7996 der->extensionsSz += der->certPoliciesSz;
wolfSSL 13:80fb167dafdf 7997 }
wolfSSL 13:80fb167dafdf 7998 else
wolfSSL 13:80fb167dafdf 7999 der->certPoliciesSz = 0;
wolfSSL 13:80fb167dafdf 8000 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 8001
wolfSSL 13:80fb167dafdf 8002 /* put extensions */
wolfSSL 13:80fb167dafdf 8003 if (der->extensionsSz > 0) {
wolfSSL 13:80fb167dafdf 8004
wolfSSL 13:80fb167dafdf 8005 /* put the start of extensions sequence (ID, Size) */
wolfSSL 13:80fb167dafdf 8006 der->extensionsSz = SetExtensionsHeader(der->extensions,
wolfSSL 13:80fb167dafdf 8007 sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8008 der->extensionsSz);
wolfSSL 13:80fb167dafdf 8009 if (der->extensionsSz <= 0)
wolfSSL 13:80fb167dafdf 8010 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8011
wolfSSL 13:80fb167dafdf 8012 /* put CA */
wolfSSL 13:80fb167dafdf 8013 if (der->caSz) {
wolfSSL 13:80fb167dafdf 8014 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8015 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8016 der->ca, der->caSz);
wolfSSL 13:80fb167dafdf 8017 if (ret == 0)
wolfSSL 13:80fb167dafdf 8018 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8019 }
wolfSSL 13:80fb167dafdf 8020
wolfSSL 13:80fb167dafdf 8021 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 8022 /* put Alternative Names */
wolfSSL 13:80fb167dafdf 8023 if (der->altNamesSz) {
wolfSSL 13:80fb167dafdf 8024 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8025 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8026 der->altNames, der->altNamesSz);
wolfSSL 13:80fb167dafdf 8027 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8028 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8029 }
wolfSSL 13:80fb167dafdf 8030 #endif
wolfSSL 13:80fb167dafdf 8031
wolfSSL 13:80fb167dafdf 8032 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 8033 /* put SKID */
wolfSSL 13:80fb167dafdf 8034 if (der->skidSz) {
wolfSSL 13:80fb167dafdf 8035 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8036 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8037 der->skid, der->skidSz);
wolfSSL 13:80fb167dafdf 8038 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8039 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8040 }
wolfSSL 13:80fb167dafdf 8041
wolfSSL 13:80fb167dafdf 8042 /* put AKID */
wolfSSL 13:80fb167dafdf 8043 if (der->akidSz) {
wolfSSL 13:80fb167dafdf 8044 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8045 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8046 der->akid, der->akidSz);
wolfSSL 13:80fb167dafdf 8047 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8048 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8049 }
wolfSSL 13:80fb167dafdf 8050
wolfSSL 13:80fb167dafdf 8051 /* put KeyUsage */
wolfSSL 13:80fb167dafdf 8052 if (der->keyUsageSz) {
wolfSSL 13:80fb167dafdf 8053 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8054 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8055 der->keyUsage, der->keyUsageSz);
wolfSSL 13:80fb167dafdf 8056 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8057 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8058 }
wolfSSL 13:80fb167dafdf 8059
wolfSSL 13:80fb167dafdf 8060 /* put Certificate Policies */
wolfSSL 13:80fb167dafdf 8061 if (der->certPoliciesSz) {
wolfSSL 13:80fb167dafdf 8062 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8063 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8064 der->certPolicies, der->certPoliciesSz);
wolfSSL 13:80fb167dafdf 8065 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8066 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8067 }
wolfSSL 13:80fb167dafdf 8068 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 8069 }
wolfSSL 13:80fb167dafdf 8070
wolfSSL 13:80fb167dafdf 8071 der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
wolfSSL 13:80fb167dafdf 8072 der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz +
wolfSSL 13:80fb167dafdf 8073 der->extensionsSz;
wolfSSL 13:80fb167dafdf 8074
wolfSSL 13:80fb167dafdf 8075 return 0;
wolfSSL 13:80fb167dafdf 8076 }
wolfSSL 13:80fb167dafdf 8077
wolfSSL 13:80fb167dafdf 8078
wolfSSL 13:80fb167dafdf 8079 /* write DER encoded cert to buffer, size already checked */
wolfSSL 13:80fb167dafdf 8080 static int WriteCertBody(DerCert* der, byte* buffer)
wolfSSL 13:80fb167dafdf 8081 {
wolfSSL 13:80fb167dafdf 8082 int idx;
wolfSSL 13:80fb167dafdf 8083
wolfSSL 13:80fb167dafdf 8084 /* signed part header */
wolfSSL 13:80fb167dafdf 8085 idx = SetSequence(der->total, buffer);
wolfSSL 13:80fb167dafdf 8086 /* version */
wolfSSL 13:80fb167dafdf 8087 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 13:80fb167dafdf 8088 idx += der->versionSz;
wolfSSL 13:80fb167dafdf 8089 /* serial */
wolfSSL 13:80fb167dafdf 8090 XMEMCPY(buffer + idx, der->serial, der->serialSz);
wolfSSL 13:80fb167dafdf 8091 idx += der->serialSz;
wolfSSL 13:80fb167dafdf 8092 /* sig algo */
wolfSSL 13:80fb167dafdf 8093 XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz);
wolfSSL 13:80fb167dafdf 8094 idx += der->sigAlgoSz;
wolfSSL 13:80fb167dafdf 8095 /* issuer */
wolfSSL 13:80fb167dafdf 8096 XMEMCPY(buffer + idx, der->issuer, der->issuerSz);
wolfSSL 13:80fb167dafdf 8097 idx += der->issuerSz;
wolfSSL 13:80fb167dafdf 8098 /* validity */
wolfSSL 13:80fb167dafdf 8099 XMEMCPY(buffer + idx, der->validity, der->validitySz);
wolfSSL 13:80fb167dafdf 8100 idx += der->validitySz;
wolfSSL 13:80fb167dafdf 8101 /* subject */
wolfSSL 13:80fb167dafdf 8102 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 13:80fb167dafdf 8103 idx += der->subjectSz;
wolfSSL 13:80fb167dafdf 8104 /* public key */
wolfSSL 13:80fb167dafdf 8105 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 13:80fb167dafdf 8106 idx += der->publicKeySz;
wolfSSL 13:80fb167dafdf 8107 if (der->extensionsSz) {
wolfSSL 13:80fb167dafdf 8108 /* extensions */
wolfSSL 13:80fb167dafdf 8109 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 13:80fb167dafdf 8110 (int)sizeof(der->extensions)));
wolfSSL 13:80fb167dafdf 8111 idx += der->extensionsSz;
wolfSSL 13:80fb167dafdf 8112 }
wolfSSL 13:80fb167dafdf 8113
wolfSSL 13:80fb167dafdf 8114 return idx;
wolfSSL 13:80fb167dafdf 8115 }
wolfSSL 13:80fb167dafdf 8116
wolfSSL 13:80fb167dafdf 8117
wolfSSL 13:80fb167dafdf 8118 /* Make RSA signature from buffer (sz), write to sig (sigSz) */
wolfSSL 13:80fb167dafdf 8119 static int MakeSignature(CertSignCtx* certSignCtx, const byte* buffer, int sz,
wolfSSL 13:80fb167dafdf 8120 byte* sig, int sigSz, RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 13:80fb167dafdf 8121 int sigAlgoType, void* heap)
wolfSSL 13:80fb167dafdf 8122 {
wolfSSL 13:80fb167dafdf 8123 int digestSz = 0, typeH = 0, ret = 0;
wolfSSL 13:80fb167dafdf 8124
wolfSSL 13:80fb167dafdf 8125 (void)digestSz;
wolfSSL 13:80fb167dafdf 8126 (void)typeH;
wolfSSL 13:80fb167dafdf 8127 (void)buffer;
wolfSSL 13:80fb167dafdf 8128 (void)sz;
wolfSSL 13:80fb167dafdf 8129 (void)sig;
wolfSSL 13:80fb167dafdf 8130 (void)sigSz;
wolfSSL 13:80fb167dafdf 8131 (void)rsaKey;
wolfSSL 13:80fb167dafdf 8132 (void)eccKey;
wolfSSL 13:80fb167dafdf 8133 (void)rng;
wolfSSL 13:80fb167dafdf 8134
wolfSSL 13:80fb167dafdf 8135 switch (certSignCtx->state) {
wolfSSL 13:80fb167dafdf 8136 case CERTSIGN_STATE_BEGIN:
wolfSSL 13:80fb167dafdf 8137 case CERTSIGN_STATE_DIGEST:
wolfSSL 13:80fb167dafdf 8138
wolfSSL 13:80fb167dafdf 8139 certSignCtx->state = CERTSIGN_STATE_DIGEST;
wolfSSL 13:80fb167dafdf 8140 certSignCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap,
wolfSSL 13:80fb167dafdf 8141 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8142 if (certSignCtx->digest == NULL) {
wolfSSL 13:80fb167dafdf 8143 ret = MEMORY_E; goto exit_ms;
wolfSSL 13:80fb167dafdf 8144 }
wolfSSL 13:80fb167dafdf 8145
wolfSSL 13:80fb167dafdf 8146 switch (sigAlgoType) {
wolfSSL 13:80fb167dafdf 8147 #ifndef NO_MD5
wolfSSL 13:80fb167dafdf 8148 case CTC_MD5wRSA:
wolfSSL 13:80fb167dafdf 8149 if ((ret = wc_Md5Hash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8150 typeH = MD5h;
wolfSSL 13:80fb167dafdf 8151 digestSz = MD5_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8152 }
wolfSSL 13:80fb167dafdf 8153 break;
wolfSSL 13:80fb167dafdf 8154 #endif
wolfSSL 13:80fb167dafdf 8155 #ifndef NO_SHA
wolfSSL 13:80fb167dafdf 8156 case CTC_SHAwRSA:
wolfSSL 13:80fb167dafdf 8157 case CTC_SHAwECDSA:
wolfSSL 13:80fb167dafdf 8158 if ((ret = wc_ShaHash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8159 typeH = SHAh;
wolfSSL 13:80fb167dafdf 8160 digestSz = SHA_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8161 }
wolfSSL 13:80fb167dafdf 8162 break;
wolfSSL 13:80fb167dafdf 8163 #endif
wolfSSL 13:80fb167dafdf 8164 #ifdef WOLFSSL_SHA224
wolfSSL 13:80fb167dafdf 8165 case CTC_SHA224wRSA:
wolfSSL 13:80fb167dafdf 8166 case CTC_SHA224wECDSA:
wolfSSL 13:80fb167dafdf 8167 if ((ret = wc_Sha224Hash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8168 typeH = SHA224h;
wolfSSL 13:80fb167dafdf 8169 digestSz = SHA224_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8170 }
wolfSSL 13:80fb167dafdf 8171 break;
wolfSSL 13:80fb167dafdf 8172 #endif
wolfSSL 13:80fb167dafdf 8173 #ifndef NO_SHA256
wolfSSL 13:80fb167dafdf 8174 case CTC_SHA256wRSA:
wolfSSL 13:80fb167dafdf 8175 case CTC_SHA256wECDSA:
wolfSSL 13:80fb167dafdf 8176 if ((ret = wc_Sha256Hash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8177 typeH = SHA256h;
wolfSSL 13:80fb167dafdf 8178 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8179 }
wolfSSL 13:80fb167dafdf 8180 break;
wolfSSL 13:80fb167dafdf 8181 #endif
wolfSSL 13:80fb167dafdf 8182 #ifdef WOLFSSL_SHA384
wolfSSL 13:80fb167dafdf 8183 case CTC_SHA384wRSA:
wolfSSL 13:80fb167dafdf 8184 case CTC_SHA384wECDSA:
wolfSSL 13:80fb167dafdf 8185 if ((ret = wc_Sha384Hash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8186 typeH = SHA384h;
wolfSSL 13:80fb167dafdf 8187 digestSz = SHA384_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8188 }
wolfSSL 13:80fb167dafdf 8189 break;
wolfSSL 13:80fb167dafdf 8190 #endif
wolfSSL 13:80fb167dafdf 8191 #ifdef WOLFSSL_SHA512
wolfSSL 13:80fb167dafdf 8192 case CTC_SHA512wRSA:
wolfSSL 13:80fb167dafdf 8193 case CTC_SHA512wECDSA:
wolfSSL 13:80fb167dafdf 8194 if ((ret = wc_Sha512Hash(buffer, sz, certSignCtx->digest)) == 0) {
wolfSSL 13:80fb167dafdf 8195 typeH = SHA512h;
wolfSSL 13:80fb167dafdf 8196 digestSz = SHA512_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8197 }
wolfSSL 13:80fb167dafdf 8198 break;
wolfSSL 13:80fb167dafdf 8199 #endif
wolfSSL 13:80fb167dafdf 8200 default:
wolfSSL 13:80fb167dafdf 8201 WOLFSSL_MSG("MakeSignautre called with unsupported type");
wolfSSL 13:80fb167dafdf 8202 ret = ALGO_ID_E;
wolfSSL 13:80fb167dafdf 8203 }
wolfSSL 13:80fb167dafdf 8204
wolfSSL 13:80fb167dafdf 8205 /* set next state, since WC_PENDING rentry for these are not "call again" */
wolfSSL 13:80fb167dafdf 8206 certSignCtx->state = CERTSIGN_STATE_ENCODE;
wolfSSL 13:80fb167dafdf 8207 if (ret != 0) {
wolfSSL 13:80fb167dafdf 8208 goto exit_ms;
wolfSSL 13:80fb167dafdf 8209 }
wolfSSL 13:80fb167dafdf 8210
wolfSSL 13:80fb167dafdf 8211 /* fall-through */
wolfSSL 13:80fb167dafdf 8212 case CERTSIGN_STATE_ENCODE:
wolfSSL 13:80fb167dafdf 8213 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 8214 if (rsaKey) {
wolfSSL 13:80fb167dafdf 8215 certSignCtx->encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ, heap,
wolfSSL 13:80fb167dafdf 8216 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8217 if (certSignCtx->encSig == NULL) {
wolfSSL 13:80fb167dafdf 8218 ret = MEMORY_E; goto exit_ms;
wolfSSL 13:80fb167dafdf 8219 }
wolfSSL 13:80fb167dafdf 8220
wolfSSL 13:80fb167dafdf 8221 /* signature */
wolfSSL 13:80fb167dafdf 8222 certSignCtx->encSigSz = wc_EncodeSignature(certSignCtx->encSig,
wolfSSL 13:80fb167dafdf 8223 certSignCtx->digest, digestSz, typeH);
wolfSSL 13:80fb167dafdf 8224 }
wolfSSL 13:80fb167dafdf 8225 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 8226
wolfSSL 13:80fb167dafdf 8227 /* fall-through */
wolfSSL 13:80fb167dafdf 8228 case CERTSIGN_STATE_DO:
wolfSSL 13:80fb167dafdf 8229 certSignCtx->state = CERTSIGN_STATE_DO;
wolfSSL 13:80fb167dafdf 8230 ret = ALGO_ID_E; /* default to error */
wolfSSL 13:80fb167dafdf 8231
wolfSSL 13:80fb167dafdf 8232 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 8233 if (rsaKey) {
wolfSSL 13:80fb167dafdf 8234 /* signature */
wolfSSL 13:80fb167dafdf 8235 ret = wc_RsaSSL_Sign(certSignCtx->encSig, certSignCtx->encSigSz,
wolfSSL 13:80fb167dafdf 8236 sig, sigSz, rsaKey, rng);
wolfSSL 13:80fb167dafdf 8237 }
wolfSSL 13:80fb167dafdf 8238 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 8239
wolfSSL 13:80fb167dafdf 8240 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 8241 if (!rsaKey && eccKey) {
wolfSSL 13:80fb167dafdf 8242 word32 outSz = sigSz;
wolfSSL 13:80fb167dafdf 8243
wolfSSL 13:80fb167dafdf 8244 ret = wc_ecc_sign_hash(certSignCtx->digest, digestSz,
wolfSSL 13:80fb167dafdf 8245 sig, &outSz, rng, eccKey);
wolfSSL 13:80fb167dafdf 8246 if (ret == 0)
wolfSSL 13:80fb167dafdf 8247 ret = outSz;
wolfSSL 13:80fb167dafdf 8248 }
wolfSSL 13:80fb167dafdf 8249 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 8250 break;
wolfSSL 13:80fb167dafdf 8251 }
wolfSSL 13:80fb167dafdf 8252
wolfSSL 13:80fb167dafdf 8253 exit_ms:
wolfSSL 13:80fb167dafdf 8254
wolfSSL 13:80fb167dafdf 8255 if (ret == WC_PENDING_E) {
wolfSSL 13:80fb167dafdf 8256 return ret;
wolfSSL 13:80fb167dafdf 8257 }
wolfSSL 13:80fb167dafdf 8258
wolfSSL 13:80fb167dafdf 8259 #ifndef NO_RSA
wolfSSL 13:80fb167dafdf 8260 if (rsaKey) {
wolfSSL 13:80fb167dafdf 8261 XFREE(certSignCtx->encSig, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8262 }
wolfSSL 13:80fb167dafdf 8263 #endif /* !NO_RSA */
wolfSSL 13:80fb167dafdf 8264
wolfSSL 13:80fb167dafdf 8265 XFREE(certSignCtx->digest, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8266 certSignCtx->digest = NULL;
wolfSSL 13:80fb167dafdf 8267
wolfSSL 13:80fb167dafdf 8268 /* reset state */
wolfSSL 13:80fb167dafdf 8269 certSignCtx->state = CERTSIGN_STATE_BEGIN;
wolfSSL 13:80fb167dafdf 8270
wolfSSL 13:80fb167dafdf 8271 return ret;
wolfSSL 13:80fb167dafdf 8272 }
wolfSSL 13:80fb167dafdf 8273
wolfSSL 13:80fb167dafdf 8274
wolfSSL 13:80fb167dafdf 8275 /* add signature to end of buffer, size of buffer assumed checked, return
wolfSSL 13:80fb167dafdf 8276 new length */
wolfSSL 13:80fb167dafdf 8277 static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
wolfSSL 13:80fb167dafdf 8278 int sigAlgoType)
wolfSSL 13:80fb167dafdf 8279 {
wolfSSL 13:80fb167dafdf 8280 byte seq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 8281 int idx = bodySz, seqSz;
wolfSSL 13:80fb167dafdf 8282
wolfSSL 13:80fb167dafdf 8283 /* algo */
wolfSSL 13:80fb167dafdf 8284 idx += SetAlgoID(sigAlgoType, buffer + idx, oidSigType, 0);
wolfSSL 13:80fb167dafdf 8285 /* bit string */
wolfSSL 13:80fb167dafdf 8286 idx += SetBitString(sigSz, 0, buffer + idx);
wolfSSL 13:80fb167dafdf 8287 /* signature */
wolfSSL 13:80fb167dafdf 8288 XMEMCPY(buffer + idx, sig, sigSz);
wolfSSL 13:80fb167dafdf 8289 idx += sigSz;
wolfSSL 13:80fb167dafdf 8290
wolfSSL 13:80fb167dafdf 8291 /* make room for overall header */
wolfSSL 13:80fb167dafdf 8292 seqSz = SetSequence(idx, seq);
wolfSSL 13:80fb167dafdf 8293 XMEMMOVE(buffer + seqSz, buffer, idx);
wolfSSL 13:80fb167dafdf 8294 XMEMCPY(buffer, seq, seqSz);
wolfSSL 13:80fb167dafdf 8295
wolfSSL 13:80fb167dafdf 8296 return idx + seqSz;
wolfSSL 13:80fb167dafdf 8297 }
wolfSSL 13:80fb167dafdf 8298
wolfSSL 13:80fb167dafdf 8299
wolfSSL 13:80fb167dafdf 8300 /* Make an x509 Certificate v3 any key type from cert input, write to buffer */
wolfSSL 13:80fb167dafdf 8301 static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 13:80fb167dafdf 8302 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 13:80fb167dafdf 8303 const byte* ntruKey, word16 ntruSz)
wolfSSL 13:80fb167dafdf 8304 {
wolfSSL 13:80fb167dafdf 8305 int ret;
wolfSSL 13:80fb167dafdf 8306 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8307 DerCert* der;
wolfSSL 13:80fb167dafdf 8308 #else
wolfSSL 13:80fb167dafdf 8309 DerCert der[1];
wolfSSL 13:80fb167dafdf 8310 #endif
wolfSSL 13:80fb167dafdf 8311
wolfSSL 13:80fb167dafdf 8312 cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY);
wolfSSL 13:80fb167dafdf 8313
wolfSSL 13:80fb167dafdf 8314 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8315 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8316 if (der == NULL)
wolfSSL 13:80fb167dafdf 8317 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8318 #endif
wolfSSL 13:80fb167dafdf 8319
wolfSSL 13:80fb167dafdf 8320 ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz);
wolfSSL 13:80fb167dafdf 8321 if (ret == 0) {
wolfSSL 13:80fb167dafdf 8322 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 13:80fb167dafdf 8323 ret = BUFFER_E;
wolfSSL 13:80fb167dafdf 8324 else
wolfSSL 13:80fb167dafdf 8325 ret = cert->bodySz = WriteCertBody(der, derBuffer);
wolfSSL 13:80fb167dafdf 8326 }
wolfSSL 13:80fb167dafdf 8327
wolfSSL 13:80fb167dafdf 8328 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8329 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8330 #endif
wolfSSL 13:80fb167dafdf 8331
wolfSSL 13:80fb167dafdf 8332 return ret;
wolfSSL 13:80fb167dafdf 8333 }
wolfSSL 13:80fb167dafdf 8334
wolfSSL 13:80fb167dafdf 8335
wolfSSL 13:80fb167dafdf 8336 /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
wolfSSL 13:80fb167dafdf 8337 int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey,
wolfSSL 13:80fb167dafdf 8338 ecc_key* eccKey, WC_RNG* rng)
wolfSSL 13:80fb167dafdf 8339 {
wolfSSL 13:80fb167dafdf 8340 return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0);
wolfSSL 13:80fb167dafdf 8341 }
wolfSSL 13:80fb167dafdf 8342
wolfSSL 13:80fb167dafdf 8343
wolfSSL 13:80fb167dafdf 8344 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 8345
wolfSSL 13:80fb167dafdf 8346 int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 13:80fb167dafdf 8347 const byte* ntruKey, word16 keySz, WC_RNG* rng)
wolfSSL 13:80fb167dafdf 8348 {
wolfSSL 13:80fb167dafdf 8349 return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz);
wolfSSL 13:80fb167dafdf 8350 }
wolfSSL 13:80fb167dafdf 8351
wolfSSL 13:80fb167dafdf 8352 #endif /* HAVE_NTRU */
wolfSSL 13:80fb167dafdf 8353
wolfSSL 13:80fb167dafdf 8354
wolfSSL 13:80fb167dafdf 8355 #ifdef WOLFSSL_CERT_REQ
wolfSSL 13:80fb167dafdf 8356
wolfSSL 13:80fb167dafdf 8357 static int SetReqAttrib(byte* output, char* pw, int extSz)
wolfSSL 13:80fb167dafdf 8358 {
wolfSSL 13:80fb167dafdf 8359 static const byte cpOid[] =
wolfSSL 13:80fb167dafdf 8360 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 13:80fb167dafdf 8361 0x09, 0x07 };
wolfSSL 13:80fb167dafdf 8362 static const byte erOid[] =
wolfSSL 13:80fb167dafdf 8363 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 13:80fb167dafdf 8364 0x09, 0x0e };
wolfSSL 13:80fb167dafdf 8365
wolfSSL 13:80fb167dafdf 8366 int sz = 0; /* overall size */
wolfSSL 13:80fb167dafdf 8367 int cpSz = 0; /* Challenge Password section size */
wolfSSL 13:80fb167dafdf 8368 int cpSeqSz = 0;
wolfSSL 13:80fb167dafdf 8369 int cpSetSz = 0;
wolfSSL 13:80fb167dafdf 8370 int cpStrSz = 0;
wolfSSL 13:80fb167dafdf 8371 int pwSz = 0;
wolfSSL 13:80fb167dafdf 8372 int erSz = 0; /* Extension Request section size */
wolfSSL 13:80fb167dafdf 8373 int erSeqSz = 0;
wolfSSL 13:80fb167dafdf 8374 int erSetSz = 0;
wolfSSL 13:80fb167dafdf 8375 byte cpSeq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 8376 byte cpSet[MAX_SET_SZ];
wolfSSL 13:80fb167dafdf 8377 byte cpStr[MAX_PRSTR_SZ];
wolfSSL 13:80fb167dafdf 8378 byte erSeq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 8379 byte erSet[MAX_SET_SZ];
wolfSSL 13:80fb167dafdf 8380
wolfSSL 13:80fb167dafdf 8381 output[0] = 0xa0;
wolfSSL 13:80fb167dafdf 8382 sz++;
wolfSSL 13:80fb167dafdf 8383
wolfSSL 13:80fb167dafdf 8384 if (pw && pw[0]) {
wolfSSL 13:80fb167dafdf 8385 pwSz = (int)XSTRLEN(pw);
wolfSSL 13:80fb167dafdf 8386 cpStrSz = SetUTF8String(pwSz, cpStr);
wolfSSL 13:80fb167dafdf 8387 cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
wolfSSL 13:80fb167dafdf 8388 cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
wolfSSL 13:80fb167dafdf 8389 cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
wolfSSL 13:80fb167dafdf 8390 }
wolfSSL 13:80fb167dafdf 8391
wolfSSL 13:80fb167dafdf 8392 if (extSz) {
wolfSSL 13:80fb167dafdf 8393 erSetSz = SetSet(extSz, erSet);
wolfSSL 13:80fb167dafdf 8394 erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq);
wolfSSL 13:80fb167dafdf 8395 erSz = extSz + erSetSz + erSeqSz + sizeof(erOid);
wolfSSL 13:80fb167dafdf 8396 }
wolfSSL 13:80fb167dafdf 8397
wolfSSL 13:80fb167dafdf 8398 /* Put the pieces together. */
wolfSSL 13:80fb167dafdf 8399 sz += SetLength(cpSz + erSz, &output[sz]);
wolfSSL 13:80fb167dafdf 8400
wolfSSL 13:80fb167dafdf 8401 if (cpSz) {
wolfSSL 13:80fb167dafdf 8402 XMEMCPY(&output[sz], cpSeq, cpSeqSz);
wolfSSL 13:80fb167dafdf 8403 sz += cpSeqSz;
wolfSSL 13:80fb167dafdf 8404 XMEMCPY(&output[sz], cpOid, sizeof(cpOid));
wolfSSL 13:80fb167dafdf 8405 sz += sizeof(cpOid);
wolfSSL 13:80fb167dafdf 8406 XMEMCPY(&output[sz], cpSet, cpSetSz);
wolfSSL 13:80fb167dafdf 8407 sz += cpSetSz;
wolfSSL 13:80fb167dafdf 8408 XMEMCPY(&output[sz], cpStr, cpStrSz);
wolfSSL 13:80fb167dafdf 8409 sz += cpStrSz;
wolfSSL 13:80fb167dafdf 8410 XMEMCPY(&output[sz], pw, pwSz);
wolfSSL 13:80fb167dafdf 8411 sz += pwSz;
wolfSSL 13:80fb167dafdf 8412 }
wolfSSL 13:80fb167dafdf 8413
wolfSSL 13:80fb167dafdf 8414 if (erSz) {
wolfSSL 13:80fb167dafdf 8415 XMEMCPY(&output[sz], erSeq, erSeqSz);
wolfSSL 13:80fb167dafdf 8416 sz += erSeqSz;
wolfSSL 13:80fb167dafdf 8417 XMEMCPY(&output[sz], erOid, sizeof(erOid));
wolfSSL 13:80fb167dafdf 8418 sz += sizeof(erOid);
wolfSSL 13:80fb167dafdf 8419 XMEMCPY(&output[sz], erSet, erSetSz);
wolfSSL 13:80fb167dafdf 8420 sz += erSetSz;
wolfSSL 13:80fb167dafdf 8421 /* The actual extension data will be tacked onto the output later. */
wolfSSL 13:80fb167dafdf 8422 }
wolfSSL 13:80fb167dafdf 8423
wolfSSL 13:80fb167dafdf 8424 return sz;
wolfSSL 13:80fb167dafdf 8425 }
wolfSSL 13:80fb167dafdf 8426
wolfSSL 13:80fb167dafdf 8427
wolfSSL 13:80fb167dafdf 8428 /* encode info from cert into DER encoded format */
wolfSSL 13:80fb167dafdf 8429 static int EncodeCertReq(Cert* cert, DerCert* der,
wolfSSL 13:80fb167dafdf 8430 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 13:80fb167dafdf 8431 {
wolfSSL 13:80fb167dafdf 8432 (void)eccKey;
wolfSSL 13:80fb167dafdf 8433
wolfSSL 13:80fb167dafdf 8434 if (cert == NULL || der == NULL)
wolfSSL 13:80fb167dafdf 8435 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8436
wolfSSL 13:80fb167dafdf 8437 /* init */
wolfSSL 13:80fb167dafdf 8438 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 13:80fb167dafdf 8439
wolfSSL 13:80fb167dafdf 8440 /* version */
wolfSSL 13:80fb167dafdf 8441 der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
wolfSSL 13:80fb167dafdf 8442
wolfSSL 13:80fb167dafdf 8443 /* subject name */
wolfSSL 13:80fb167dafdf 8444 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 13:80fb167dafdf 8445 if (der->subjectSz <= 0)
wolfSSL 13:80fb167dafdf 8446 return SUBJECT_E;
wolfSSL 13:80fb167dafdf 8447
wolfSSL 13:80fb167dafdf 8448 /* public key */
wolfSSL 13:80fb167dafdf 8449 if (cert->keyType == RSA_KEY) {
wolfSSL 13:80fb167dafdf 8450 if (rsaKey == NULL)
wolfSSL 13:80fb167dafdf 8451 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8452 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 13:80fb167dafdf 8453 sizeof(der->publicKey), 1);
wolfSSL 13:80fb167dafdf 8454 if (der->publicKeySz <= 0)
wolfSSL 13:80fb167dafdf 8455 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8456 }
wolfSSL 13:80fb167dafdf 8457
wolfSSL 13:80fb167dafdf 8458 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 8459 if (cert->keyType == ECC_KEY) {
wolfSSL 13:80fb167dafdf 8460 if (eccKey == NULL)
wolfSSL 13:80fb167dafdf 8461 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8462 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 13:80fb167dafdf 8463 if (der->publicKeySz <= 0)
wolfSSL 13:80fb167dafdf 8464 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8465 }
wolfSSL 13:80fb167dafdf 8466 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 8467
wolfSSL 13:80fb167dafdf 8468 /* set the extensions */
wolfSSL 13:80fb167dafdf 8469 der->extensionsSz = 0;
wolfSSL 13:80fb167dafdf 8470
wolfSSL 13:80fb167dafdf 8471 /* CA */
wolfSSL 13:80fb167dafdf 8472 if (cert->isCA) {
wolfSSL 13:80fb167dafdf 8473 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 13:80fb167dafdf 8474 if (der->caSz <= 0)
wolfSSL 13:80fb167dafdf 8475 return CA_TRUE_E;
wolfSSL 13:80fb167dafdf 8476
wolfSSL 13:80fb167dafdf 8477 der->extensionsSz += der->caSz;
wolfSSL 13:80fb167dafdf 8478 }
wolfSSL 13:80fb167dafdf 8479 else
wolfSSL 13:80fb167dafdf 8480 der->caSz = 0;
wolfSSL 13:80fb167dafdf 8481
wolfSSL 13:80fb167dafdf 8482 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 8483 /* SKID */
wolfSSL 13:80fb167dafdf 8484 if (cert->skidSz) {
wolfSSL 13:80fb167dafdf 8485 /* check the provided SKID size */
wolfSSL 13:80fb167dafdf 8486 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 13:80fb167dafdf 8487 return SKID_E;
wolfSSL 13:80fb167dafdf 8488
wolfSSL 13:80fb167dafdf 8489 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 13:80fb167dafdf 8490 cert->skid, cert->skidSz);
wolfSSL 13:80fb167dafdf 8491 if (der->skidSz <= 0)
wolfSSL 13:80fb167dafdf 8492 return SKID_E;
wolfSSL 13:80fb167dafdf 8493
wolfSSL 13:80fb167dafdf 8494 der->extensionsSz += der->skidSz;
wolfSSL 13:80fb167dafdf 8495 }
wolfSSL 13:80fb167dafdf 8496 else
wolfSSL 13:80fb167dafdf 8497 der->skidSz = 0;
wolfSSL 13:80fb167dafdf 8498
wolfSSL 13:80fb167dafdf 8499 /* Key Usage */
wolfSSL 13:80fb167dafdf 8500 if (cert->keyUsage != 0){
wolfSSL 13:80fb167dafdf 8501 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 13:80fb167dafdf 8502 cert->keyUsage);
wolfSSL 13:80fb167dafdf 8503 if (der->keyUsageSz <= 0)
wolfSSL 13:80fb167dafdf 8504 return KEYUSAGE_E;
wolfSSL 13:80fb167dafdf 8505
wolfSSL 13:80fb167dafdf 8506 der->extensionsSz += der->keyUsageSz;
wolfSSL 13:80fb167dafdf 8507 }
wolfSSL 13:80fb167dafdf 8508 else
wolfSSL 13:80fb167dafdf 8509 der->keyUsageSz = 0;
wolfSSL 13:80fb167dafdf 8510 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 8511
wolfSSL 13:80fb167dafdf 8512 /* put extensions */
wolfSSL 13:80fb167dafdf 8513 if (der->extensionsSz > 0) {
wolfSSL 13:80fb167dafdf 8514 int ret;
wolfSSL 13:80fb167dafdf 8515
wolfSSL 13:80fb167dafdf 8516 /* put the start of sequence (ID, Size) */
wolfSSL 13:80fb167dafdf 8517 der->extensionsSz = SetSequence(der->extensionsSz, der->extensions);
wolfSSL 13:80fb167dafdf 8518 if (der->extensionsSz <= 0)
wolfSSL 13:80fb167dafdf 8519 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8520
wolfSSL 13:80fb167dafdf 8521 /* put CA */
wolfSSL 13:80fb167dafdf 8522 if (der->caSz) {
wolfSSL 13:80fb167dafdf 8523 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8524 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8525 der->ca, der->caSz);
wolfSSL 13:80fb167dafdf 8526 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8527 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8528 }
wolfSSL 13:80fb167dafdf 8529
wolfSSL 13:80fb167dafdf 8530 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 8531 /* put SKID */
wolfSSL 13:80fb167dafdf 8532 if (der->skidSz) {
wolfSSL 13:80fb167dafdf 8533 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8534 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8535 der->skid, der->skidSz);
wolfSSL 13:80fb167dafdf 8536 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8537 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8538 }
wolfSSL 13:80fb167dafdf 8539
wolfSSL 13:80fb167dafdf 8540 /* put AKID */
wolfSSL 13:80fb167dafdf 8541 if (der->akidSz) {
wolfSSL 13:80fb167dafdf 8542 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8543 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8544 der->akid, der->akidSz);
wolfSSL 13:80fb167dafdf 8545 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8546 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8547 }
wolfSSL 13:80fb167dafdf 8548
wolfSSL 13:80fb167dafdf 8549 /* put KeyUsage */
wolfSSL 13:80fb167dafdf 8550 if (der->keyUsageSz) {
wolfSSL 13:80fb167dafdf 8551 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 13:80fb167dafdf 8552 &der->extensionsSz,
wolfSSL 13:80fb167dafdf 8553 der->keyUsage, der->keyUsageSz);
wolfSSL 13:80fb167dafdf 8554 if (ret <= 0)
wolfSSL 13:80fb167dafdf 8555 return EXTENSIONS_E;
wolfSSL 13:80fb167dafdf 8556 }
wolfSSL 13:80fb167dafdf 8557
wolfSSL 13:80fb167dafdf 8558 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 8559 }
wolfSSL 13:80fb167dafdf 8560
wolfSSL 13:80fb167dafdf 8561 der->attribSz = SetReqAttrib(der->attrib,
wolfSSL 13:80fb167dafdf 8562 cert->challengePw, der->extensionsSz);
wolfSSL 13:80fb167dafdf 8563 if (der->attribSz <= 0)
wolfSSL 13:80fb167dafdf 8564 return REQ_ATTRIBUTE_E;
wolfSSL 13:80fb167dafdf 8565
wolfSSL 13:80fb167dafdf 8566 der->total = der->versionSz + der->subjectSz + der->publicKeySz +
wolfSSL 13:80fb167dafdf 8567 der->extensionsSz + der->attribSz;
wolfSSL 13:80fb167dafdf 8568
wolfSSL 13:80fb167dafdf 8569 return 0;
wolfSSL 13:80fb167dafdf 8570 }
wolfSSL 13:80fb167dafdf 8571
wolfSSL 13:80fb167dafdf 8572
wolfSSL 13:80fb167dafdf 8573 /* write DER encoded cert req to buffer, size already checked */
wolfSSL 13:80fb167dafdf 8574 static int WriteCertReqBody(DerCert* der, byte* buffer)
wolfSSL 13:80fb167dafdf 8575 {
wolfSSL 13:80fb167dafdf 8576 int idx;
wolfSSL 13:80fb167dafdf 8577
wolfSSL 13:80fb167dafdf 8578 /* signed part header */
wolfSSL 13:80fb167dafdf 8579 idx = SetSequence(der->total, buffer);
wolfSSL 13:80fb167dafdf 8580 /* version */
wolfSSL 13:80fb167dafdf 8581 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 13:80fb167dafdf 8582 idx += der->versionSz;
wolfSSL 13:80fb167dafdf 8583 /* subject */
wolfSSL 13:80fb167dafdf 8584 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 13:80fb167dafdf 8585 idx += der->subjectSz;
wolfSSL 13:80fb167dafdf 8586 /* public key */
wolfSSL 13:80fb167dafdf 8587 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 13:80fb167dafdf 8588 idx += der->publicKeySz;
wolfSSL 13:80fb167dafdf 8589 /* attributes */
wolfSSL 13:80fb167dafdf 8590 XMEMCPY(buffer + idx, der->attrib, der->attribSz);
wolfSSL 13:80fb167dafdf 8591 idx += der->attribSz;
wolfSSL 13:80fb167dafdf 8592 /* extensions */
wolfSSL 13:80fb167dafdf 8593 if (der->extensionsSz) {
wolfSSL 13:80fb167dafdf 8594 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 13:80fb167dafdf 8595 (int)sizeof(der->extensions)));
wolfSSL 13:80fb167dafdf 8596 idx += der->extensionsSz;
wolfSSL 13:80fb167dafdf 8597 }
wolfSSL 13:80fb167dafdf 8598
wolfSSL 13:80fb167dafdf 8599 return idx;
wolfSSL 13:80fb167dafdf 8600 }
wolfSSL 13:80fb167dafdf 8601
wolfSSL 13:80fb167dafdf 8602
wolfSSL 13:80fb167dafdf 8603 int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 13:80fb167dafdf 8604 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 13:80fb167dafdf 8605 {
wolfSSL 13:80fb167dafdf 8606 int ret;
wolfSSL 13:80fb167dafdf 8607 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8608 DerCert* der;
wolfSSL 13:80fb167dafdf 8609 #else
wolfSSL 13:80fb167dafdf 8610 DerCert der[1];
wolfSSL 13:80fb167dafdf 8611 #endif
wolfSSL 13:80fb167dafdf 8612
wolfSSL 13:80fb167dafdf 8613 cert->keyType = eccKey ? ECC_KEY : RSA_KEY;
wolfSSL 13:80fb167dafdf 8614
wolfSSL 13:80fb167dafdf 8615 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8616 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8617 if (der == NULL)
wolfSSL 13:80fb167dafdf 8618 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8619 #endif
wolfSSL 13:80fb167dafdf 8620
wolfSSL 13:80fb167dafdf 8621 ret = EncodeCertReq(cert, der, rsaKey, eccKey);
wolfSSL 13:80fb167dafdf 8622
wolfSSL 13:80fb167dafdf 8623 if (ret == 0) {
wolfSSL 13:80fb167dafdf 8624 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 13:80fb167dafdf 8625 ret = BUFFER_E;
wolfSSL 13:80fb167dafdf 8626 else
wolfSSL 13:80fb167dafdf 8627 ret = cert->bodySz = WriteCertReqBody(der, derBuffer);
wolfSSL 13:80fb167dafdf 8628 }
wolfSSL 13:80fb167dafdf 8629
wolfSSL 13:80fb167dafdf 8630 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8631 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8632 #endif
wolfSSL 13:80fb167dafdf 8633
wolfSSL 13:80fb167dafdf 8634 return ret;
wolfSSL 13:80fb167dafdf 8635 }
wolfSSL 13:80fb167dafdf 8636
wolfSSL 13:80fb167dafdf 8637 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 13:80fb167dafdf 8638
wolfSSL 13:80fb167dafdf 8639
wolfSSL 13:80fb167dafdf 8640 int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
wolfSSL 13:80fb167dafdf 8641 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng)
wolfSSL 13:80fb167dafdf 8642 {
wolfSSL 13:80fb167dafdf 8643 int sigSz = 0;
wolfSSL 13:80fb167dafdf 8644 void* heap = NULL;
wolfSSL 13:80fb167dafdf 8645 CertSignCtx* certSignCtx = NULL;
wolfSSL 13:80fb167dafdf 8646 #ifndef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 8647 CertSignCtx certSignCtx_lcl;
wolfSSL 13:80fb167dafdf 8648 certSignCtx = &certSignCtx_lcl;
wolfSSL 13:80fb167dafdf 8649 XMEMSET(certSignCtx, 0, sizeof(CertSignCtx));
wolfSSL 13:80fb167dafdf 8650 #endif
wolfSSL 13:80fb167dafdf 8651
wolfSSL 13:80fb167dafdf 8652 if (requestSz < 0)
wolfSSL 13:80fb167dafdf 8653 return requestSz;
wolfSSL 13:80fb167dafdf 8654
wolfSSL 13:80fb167dafdf 8655 /* locate ctx */
wolfSSL 13:80fb167dafdf 8656 if (rsaKey) {
wolfSSL 13:80fb167dafdf 8657 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 8658 certSignCtx = &rsaKey->certSignCtx;
wolfSSL 13:80fb167dafdf 8659 #endif
wolfSSL 13:80fb167dafdf 8660 heap = rsaKey->heap;
wolfSSL 13:80fb167dafdf 8661 }
wolfSSL 13:80fb167dafdf 8662 else if (eccKey) {
wolfSSL 13:80fb167dafdf 8663 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 8664 certSignCtx = &eccKey->certSignCtx;
wolfSSL 13:80fb167dafdf 8665 #endif
wolfSSL 13:80fb167dafdf 8666 heap = eccKey->heap;
wolfSSL 13:80fb167dafdf 8667 }
wolfSSL 13:80fb167dafdf 8668
wolfSSL 13:80fb167dafdf 8669 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:80fb167dafdf 8670 if (certSignCtx == NULL) {
wolfSSL 13:80fb167dafdf 8671 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8672 }
wolfSSL 13:80fb167dafdf 8673 #endif
wolfSSL 13:80fb167dafdf 8674
wolfSSL 13:80fb167dafdf 8675 if (certSignCtx->sig == NULL) {
wolfSSL 13:80fb167dafdf 8676 certSignCtx->sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, heap,
wolfSSL 13:80fb167dafdf 8677 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8678 if (certSignCtx->sig == NULL)
wolfSSL 13:80fb167dafdf 8679 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8680 }
wolfSSL 13:80fb167dafdf 8681
wolfSSL 13:80fb167dafdf 8682 sigSz = MakeSignature(certSignCtx, buffer, requestSz, certSignCtx->sig,
wolfSSL 13:80fb167dafdf 8683 MAX_ENCODED_SIG_SZ, rsaKey, eccKey, rng, sType, heap);
wolfSSL 13:80fb167dafdf 8684 if (sigSz == WC_PENDING_E)
wolfSSL 13:80fb167dafdf 8685 return sigSz;
wolfSSL 13:80fb167dafdf 8686
wolfSSL 13:80fb167dafdf 8687 if (sigSz >= 0) {
wolfSSL 13:80fb167dafdf 8688 if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
wolfSSL 13:80fb167dafdf 8689 sigSz = BUFFER_E;
wolfSSL 13:80fb167dafdf 8690 else
wolfSSL 13:80fb167dafdf 8691 sigSz = AddSignature(buffer, requestSz, certSignCtx->sig, sigSz, sType);
wolfSSL 13:80fb167dafdf 8692 }
wolfSSL 13:80fb167dafdf 8693
wolfSSL 13:80fb167dafdf 8694 XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8695 certSignCtx->sig = NULL;
wolfSSL 13:80fb167dafdf 8696
wolfSSL 13:80fb167dafdf 8697 return sigSz;
wolfSSL 13:80fb167dafdf 8698 }
wolfSSL 13:80fb167dafdf 8699
wolfSSL 13:80fb167dafdf 8700
wolfSSL 13:80fb167dafdf 8701 int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz,
wolfSSL 13:80fb167dafdf 8702 RsaKey* key, WC_RNG* rng)
wolfSSL 13:80fb167dafdf 8703 {
wolfSSL 13:80fb167dafdf 8704 int ret;
wolfSSL 13:80fb167dafdf 8705
wolfSSL 13:80fb167dafdf 8706 ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng);
wolfSSL 13:80fb167dafdf 8707 if (ret < 0)
wolfSSL 13:80fb167dafdf 8708 return ret;
wolfSSL 13:80fb167dafdf 8709
wolfSSL 13:80fb167dafdf 8710 return wc_SignCert(cert->bodySz, cert->sigType,
wolfSSL 13:80fb167dafdf 8711 buffer, buffSz, key, NULL, rng);
wolfSSL 13:80fb167dafdf 8712 }
wolfSSL 13:80fb167dafdf 8713
wolfSSL 13:80fb167dafdf 8714
wolfSSL 13:80fb167dafdf 8715 #ifdef WOLFSSL_CERT_EXT
wolfSSL 13:80fb167dafdf 8716
wolfSSL 13:80fb167dafdf 8717 /* Set KID from RSA or ECC public key */
wolfSSL 13:80fb167dafdf 8718 static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
wolfSSL 13:80fb167dafdf 8719 byte *ntruKey, word16 ntruKeySz, int kid_type)
wolfSSL 13:80fb167dafdf 8720 {
wolfSSL 13:80fb167dafdf 8721 byte *buffer;
wolfSSL 13:80fb167dafdf 8722 int bufferSz, ret;
wolfSSL 13:80fb167dafdf 8723
wolfSSL 13:80fb167dafdf 8724 #ifndef HAVE_NTRU
wolfSSL 13:80fb167dafdf 8725 (void)ntruKeySz;
wolfSSL 13:80fb167dafdf 8726 #endif
wolfSSL 13:80fb167dafdf 8727
wolfSSL 13:80fb167dafdf 8728 if (cert == NULL || (rsakey == NULL && eckey == NULL && ntruKey == NULL) ||
wolfSSL 13:80fb167dafdf 8729 (rsakey != NULL && eckey != NULL) ||
wolfSSL 13:80fb167dafdf 8730 (rsakey != NULL && ntruKey != NULL) ||
wolfSSL 13:80fb167dafdf 8731 (ntruKey != NULL && eckey != NULL) ||
wolfSSL 13:80fb167dafdf 8732 (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
wolfSSL 13:80fb167dafdf 8733 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8734
wolfSSL 13:80fb167dafdf 8735 buffer = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap,
wolfSSL 13:80fb167dafdf 8736 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8737 if (buffer == NULL)
wolfSSL 13:80fb167dafdf 8738 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8739
wolfSSL 13:80fb167dafdf 8740 /* RSA public key */
wolfSSL 13:80fb167dafdf 8741 if (rsakey != NULL)
wolfSSL 13:80fb167dafdf 8742 bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0);
wolfSSL 13:80fb167dafdf 8743 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 8744 /* ECC public key */
wolfSSL 13:80fb167dafdf 8745 else if (eckey != NULL)
wolfSSL 13:80fb167dafdf 8746 bufferSz = SetEccPublicKey(buffer, eckey, 0);
wolfSSL 13:80fb167dafdf 8747 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 8748 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 8749 /* NTRU public key */
wolfSSL 13:80fb167dafdf 8750 else if (ntruKey != NULL) {
wolfSSL 13:80fb167dafdf 8751 bufferSz = MAX_PUBLIC_KEY_SZ;
wolfSSL 13:80fb167dafdf 8752 ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
wolfSSL 13:80fb167dafdf 8753 ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer);
wolfSSL 13:80fb167dafdf 8754 if (ret != NTRU_OK)
wolfSSL 13:80fb167dafdf 8755 bufferSz = -1;
wolfSSL 13:80fb167dafdf 8756 }
wolfSSL 13:80fb167dafdf 8757 #endif
wolfSSL 13:80fb167dafdf 8758 else
wolfSSL 13:80fb167dafdf 8759 bufferSz = -1;
wolfSSL 13:80fb167dafdf 8760
wolfSSL 13:80fb167dafdf 8761 if (bufferSz <= 0) {
wolfSSL 13:80fb167dafdf 8762 XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8763 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8764 }
wolfSSL 13:80fb167dafdf 8765
wolfSSL 13:80fb167dafdf 8766 /* Compute SKID by hashing public key */
wolfSSL 13:80fb167dafdf 8767 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 8768 if (kid_type == SKID_TYPE) {
wolfSSL 13:80fb167dafdf 8769 ret = wc_Sha256Hash(buffer, bufferSz, cert->skid);
wolfSSL 13:80fb167dafdf 8770 cert->skidSz = SHA256_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8771 }
wolfSSL 13:80fb167dafdf 8772 else if (kid_type == AKID_TYPE) {
wolfSSL 13:80fb167dafdf 8773 ret = wc_Sha256Hash(buffer, bufferSz, cert->akid);
wolfSSL 13:80fb167dafdf 8774 cert->akidSz = SHA256_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8775 }
wolfSSL 13:80fb167dafdf 8776 else
wolfSSL 13:80fb167dafdf 8777 ret = BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8778 #else /* NO_SHA */
wolfSSL 13:80fb167dafdf 8779 if (kid_type == SKID_TYPE) {
wolfSSL 13:80fb167dafdf 8780 ret = wc_ShaHash(buffer, bufferSz, cert->skid);
wolfSSL 13:80fb167dafdf 8781 cert->skidSz = SHA_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8782 }
wolfSSL 13:80fb167dafdf 8783 else if (kid_type == AKID_TYPE) {
wolfSSL 13:80fb167dafdf 8784 ret = wc_ShaHash(buffer, bufferSz, cert->akid);
wolfSSL 13:80fb167dafdf 8785 cert->akidSz = SHA_DIGEST_SIZE;
wolfSSL 13:80fb167dafdf 8786 }
wolfSSL 13:80fb167dafdf 8787 else
wolfSSL 13:80fb167dafdf 8788 ret = BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8789 #endif /* NO_SHA */
wolfSSL 13:80fb167dafdf 8790
wolfSSL 13:80fb167dafdf 8791 XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8792 return ret;
wolfSSL 13:80fb167dafdf 8793 }
wolfSSL 13:80fb167dafdf 8794
wolfSSL 13:80fb167dafdf 8795 /* Set SKID from RSA or ECC public key */
wolfSSL 13:80fb167dafdf 8796 int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 13:80fb167dafdf 8797 {
wolfSSL 13:80fb167dafdf 8798 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, SKID_TYPE);
wolfSSL 13:80fb167dafdf 8799 }
wolfSSL 13:80fb167dafdf 8800
wolfSSL 13:80fb167dafdf 8801 #ifdef HAVE_NTRU
wolfSSL 13:80fb167dafdf 8802 /* Set SKID from NTRU public key */
wolfSSL 13:80fb167dafdf 8803 int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert,
wolfSSL 13:80fb167dafdf 8804 byte *ntruKey, word16 ntruKeySz)
wolfSSL 13:80fb167dafdf 8805 {
wolfSSL 13:80fb167dafdf 8806 return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, SKID_TYPE);
wolfSSL 13:80fb167dafdf 8807 }
wolfSSL 13:80fb167dafdf 8808 #endif
wolfSSL 13:80fb167dafdf 8809
wolfSSL 13:80fb167dafdf 8810 /* Set SKID from RSA or ECC public key */
wolfSSL 13:80fb167dafdf 8811 int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 13:80fb167dafdf 8812 {
wolfSSL 13:80fb167dafdf 8813 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, AKID_TYPE);
wolfSSL 13:80fb167dafdf 8814 }
wolfSSL 13:80fb167dafdf 8815
wolfSSL 13:80fb167dafdf 8816
wolfSSL 13:80fb167dafdf 8817 #ifndef NO_FILESYSTEM
wolfSSL 13:80fb167dafdf 8818
wolfSSL 13:80fb167dafdf 8819 /* Set SKID from public key file in PEM */
wolfSSL 13:80fb167dafdf 8820 int wc_SetSubjectKeyId(Cert *cert, const char* file)
wolfSSL 13:80fb167dafdf 8821 {
wolfSSL 13:80fb167dafdf 8822 int ret, derSz;
wolfSSL 13:80fb167dafdf 8823 byte* der;
wolfSSL 13:80fb167dafdf 8824 word32 idx;
wolfSSL 13:80fb167dafdf 8825 RsaKey *rsakey = NULL;
wolfSSL 13:80fb167dafdf 8826 ecc_key *eckey = NULL;
wolfSSL 13:80fb167dafdf 8827
wolfSSL 13:80fb167dafdf 8828 if (cert == NULL || file == NULL)
wolfSSL 13:80fb167dafdf 8829 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8830
wolfSSL 13:80fb167dafdf 8831 der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8832 if (der == NULL) {
wolfSSL 13:80fb167dafdf 8833 WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem");
wolfSSL 13:80fb167dafdf 8834 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8835 }
wolfSSL 13:80fb167dafdf 8836
wolfSSL 13:80fb167dafdf 8837 derSz = wolfSSL_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ);
wolfSSL 13:80fb167dafdf 8838 if (derSz <= 0)
wolfSSL 13:80fb167dafdf 8839 {
wolfSSL 13:80fb167dafdf 8840 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8841 return derSz;
wolfSSL 13:80fb167dafdf 8842 }
wolfSSL 13:80fb167dafdf 8843
wolfSSL 13:80fb167dafdf 8844 /* Load PubKey in internal structure */
wolfSSL 13:80fb167dafdf 8845 rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 8846 if (rsakey == NULL) {
wolfSSL 13:80fb167dafdf 8847 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8848 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8849 }
wolfSSL 13:80fb167dafdf 8850
wolfSSL 13:80fb167dafdf 8851 if (wc_InitRsaKey(rsakey, cert->heap) != 0) {
wolfSSL 13:80fb167dafdf 8852 WOLFSSL_MSG("wc_InitRsaKey failure");
wolfSSL 13:80fb167dafdf 8853 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 8854 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8855 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8856 }
wolfSSL 13:80fb167dafdf 8857
wolfSSL 13:80fb167dafdf 8858 idx = 0;
wolfSSL 13:80fb167dafdf 8859 ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
wolfSSL 13:80fb167dafdf 8860 if (ret != 0) {
wolfSSL 13:80fb167dafdf 8861 WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
wolfSSL 13:80fb167dafdf 8862 wc_FreeRsaKey(rsakey);
wolfSSL 13:80fb167dafdf 8863 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 8864 rsakey = NULL;
wolfSSL 13:80fb167dafdf 8865 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 8866 /* Check to load ecc public key */
wolfSSL 13:80fb167dafdf 8867 eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap,
wolfSSL 13:80fb167dafdf 8868 DYNAMIC_TYPE_ECC);
wolfSSL 13:80fb167dafdf 8869 if (eckey == NULL) {
wolfSSL 13:80fb167dafdf 8870 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8871 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8872 }
wolfSSL 13:80fb167dafdf 8873
wolfSSL 13:80fb167dafdf 8874 if (wc_ecc_init(eckey) != 0) {
wolfSSL 13:80fb167dafdf 8875 WOLFSSL_MSG("wc_ecc_init failure");
wolfSSL 13:80fb167dafdf 8876 wc_ecc_free(eckey);
wolfSSL 13:80fb167dafdf 8877 XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
wolfSSL 13:80fb167dafdf 8878 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8879 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8880 }
wolfSSL 13:80fb167dafdf 8881
wolfSSL 13:80fb167dafdf 8882 idx = 0;
wolfSSL 13:80fb167dafdf 8883 ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz);
wolfSSL 13:80fb167dafdf 8884 if (ret != 0) {
wolfSSL 13:80fb167dafdf 8885 WOLFSSL_MSG("wc_EccPublicKeyDecode failed");
wolfSSL 13:80fb167dafdf 8886 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8887 wc_ecc_free(eckey);
wolfSSL 13:80fb167dafdf 8888 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8889 }
wolfSSL 13:80fb167dafdf 8890 #else
wolfSSL 13:80fb167dafdf 8891 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8892 return PUBLIC_KEY_E;
wolfSSL 13:80fb167dafdf 8893 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 8894 }
wolfSSL 13:80fb167dafdf 8895
wolfSSL 13:80fb167dafdf 8896 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8897
wolfSSL 13:80fb167dafdf 8898 ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
wolfSSL 13:80fb167dafdf 8899
wolfSSL 13:80fb167dafdf 8900 wc_FreeRsaKey(rsakey);
wolfSSL 13:80fb167dafdf 8901 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:80fb167dafdf 8902 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 8903 wc_ecc_free(eckey);
wolfSSL 13:80fb167dafdf 8904 XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
wolfSSL 13:80fb167dafdf 8905 #endif
wolfSSL 13:80fb167dafdf 8906 return ret;
wolfSSL 13:80fb167dafdf 8907 }
wolfSSL 13:80fb167dafdf 8908
wolfSSL 13:80fb167dafdf 8909 #endif /* NO_FILESYSTEM */
wolfSSL 13:80fb167dafdf 8910
wolfSSL 13:80fb167dafdf 8911 /* Set AKID from certificate contains in buffer (DER encoded) */
wolfSSL 13:80fb167dafdf 8912 int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
wolfSSL 13:80fb167dafdf 8913 {
wolfSSL 13:80fb167dafdf 8914 int ret;
wolfSSL 13:80fb167dafdf 8915
wolfSSL 13:80fb167dafdf 8916 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8917 DecodedCert* decoded;
wolfSSL 13:80fb167dafdf 8918 #else
wolfSSL 13:80fb167dafdf 8919 DecodedCert decoded[1];
wolfSSL 13:80fb167dafdf 8920 #endif
wolfSSL 13:80fb167dafdf 8921
wolfSSL 13:80fb167dafdf 8922 if (cert == NULL || der == NULL || derSz <= 0)
wolfSSL 13:80fb167dafdf 8923 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8924
wolfSSL 13:80fb167dafdf 8925 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8926 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert),
wolfSSL 13:80fb167dafdf 8927 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8928 if (decoded == NULL)
wolfSSL 13:80fb167dafdf 8929 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8930 #endif
wolfSSL 13:80fb167dafdf 8931
wolfSSL 13:80fb167dafdf 8932 /* decode certificate and get SKID that will be AKID of current cert */
wolfSSL 13:80fb167dafdf 8933 InitDecodedCert(decoded, (byte*)der, derSz, NULL);
wolfSSL 13:80fb167dafdf 8934 ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);
wolfSSL 13:80fb167dafdf 8935 if (ret != 0) {
wolfSSL 13:80fb167dafdf 8936 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 8937 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8938 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8939 #endif
wolfSSL 13:80fb167dafdf 8940 return ret;
wolfSSL 13:80fb167dafdf 8941 }
wolfSSL 13:80fb167dafdf 8942
wolfSSL 13:80fb167dafdf 8943 /* Subject Key Id not found !! */
wolfSSL 13:80fb167dafdf 8944 if (decoded->extSubjKeyIdSet == 0) {
wolfSSL 13:80fb167dafdf 8945 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 8946 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8947 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8948 #endif
wolfSSL 13:80fb167dafdf 8949 return ASN_NO_SKID;
wolfSSL 13:80fb167dafdf 8950 }
wolfSSL 13:80fb167dafdf 8951
wolfSSL 13:80fb167dafdf 8952 /* SKID invalid size */
wolfSSL 13:80fb167dafdf 8953 if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) {
wolfSSL 13:80fb167dafdf 8954 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 8955 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8956 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8957 #endif
wolfSSL 13:80fb167dafdf 8958 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8959 }
wolfSSL 13:80fb167dafdf 8960
wolfSSL 13:80fb167dafdf 8961 /* Put the SKID of CA to AKID of certificate */
wolfSSL 13:80fb167dafdf 8962 XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 8963 cert->akidSz = KEYID_SIZE;
wolfSSL 13:80fb167dafdf 8964
wolfSSL 13:80fb167dafdf 8965 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 8966 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 8967 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 8968 #endif
wolfSSL 13:80fb167dafdf 8969
wolfSSL 13:80fb167dafdf 8970 return 0;
wolfSSL 13:80fb167dafdf 8971 }
wolfSSL 13:80fb167dafdf 8972
wolfSSL 13:80fb167dafdf 8973
wolfSSL 13:80fb167dafdf 8974 #ifndef NO_FILESYSTEM
wolfSSL 13:80fb167dafdf 8975
wolfSSL 13:80fb167dafdf 8976 /* Set AKID from certificate file in PEM */
wolfSSL 13:80fb167dafdf 8977 int wc_SetAuthKeyId(Cert *cert, const char* file)
wolfSSL 13:80fb167dafdf 8978 {
wolfSSL 13:80fb167dafdf 8979 int ret;
wolfSSL 13:80fb167dafdf 8980 int derSz;
wolfSSL 13:80fb167dafdf 8981 byte* der;
wolfSSL 13:80fb167dafdf 8982
wolfSSL 13:80fb167dafdf 8983 if (cert == NULL || file == NULL)
wolfSSL 13:80fb167dafdf 8984 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 8985
wolfSSL 13:80fb167dafdf 8986 der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8987 if (der == NULL) {
wolfSSL 13:80fb167dafdf 8988 WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem");
wolfSSL 13:80fb167dafdf 8989 return MEMORY_E;
wolfSSL 13:80fb167dafdf 8990 }
wolfSSL 13:80fb167dafdf 8991
wolfSSL 13:80fb167dafdf 8992 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 13:80fb167dafdf 8993 if (derSz <= 0)
wolfSSL 13:80fb167dafdf 8994 {
wolfSSL 13:80fb167dafdf 8995 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 8996 return derSz;
wolfSSL 13:80fb167dafdf 8997 }
wolfSSL 13:80fb167dafdf 8998
wolfSSL 13:80fb167dafdf 8999 ret = wc_SetAuthKeyIdFromCert(cert, der, derSz);
wolfSSL 13:80fb167dafdf 9000 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9001
wolfSSL 13:80fb167dafdf 9002 return ret;
wolfSSL 13:80fb167dafdf 9003 }
wolfSSL 13:80fb167dafdf 9004
wolfSSL 13:80fb167dafdf 9005 #endif /* NO_FILESYSTEM */
wolfSSL 13:80fb167dafdf 9006
wolfSSL 13:80fb167dafdf 9007 /* Set KeyUsage from human readable string */
wolfSSL 13:80fb167dafdf 9008 int wc_SetKeyUsage(Cert *cert, const char *value)
wolfSSL 13:80fb167dafdf 9009 {
wolfSSL 13:80fb167dafdf 9010 int ret = 0;
wolfSSL 13:80fb167dafdf 9011 char *token, *str, *ptr;
wolfSSL 13:80fb167dafdf 9012 word32 len;
wolfSSL 13:80fb167dafdf 9013
wolfSSL 13:80fb167dafdf 9014 if (cert == NULL || value == NULL)
wolfSSL 13:80fb167dafdf 9015 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 9016
wolfSSL 13:80fb167dafdf 9017 cert->keyUsage = 0;
wolfSSL 13:80fb167dafdf 9018
wolfSSL 13:80fb167dafdf 9019 str = (char *)XMALLOC(XSTRLEN(value)+1, cert->heap,
wolfSSL 13:80fb167dafdf 9020 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9021 if (str == NULL)
wolfSSL 13:80fb167dafdf 9022 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9023
wolfSSL 13:80fb167dafdf 9024 XMEMSET(str, 0, XSTRLEN(value)+1);
wolfSSL 13:80fb167dafdf 9025 XSTRNCPY(str, value, XSTRLEN(value));
wolfSSL 13:80fb167dafdf 9026
wolfSSL 13:80fb167dafdf 9027 /* parse value, and set corresponding Key Usage value */
wolfSSL 13:80fb167dafdf 9028 token = XSTRTOK(str, ",", &ptr);
wolfSSL 13:80fb167dafdf 9029 while (token != NULL)
wolfSSL 13:80fb167dafdf 9030 {
wolfSSL 13:80fb167dafdf 9031 len = (word32)XSTRLEN(token);
wolfSSL 13:80fb167dafdf 9032
wolfSSL 13:80fb167dafdf 9033 if (!XSTRNCASECMP(token, "digitalSignature", len))
wolfSSL 13:80fb167dafdf 9034 cert->keyUsage |= KEYUSE_DIGITAL_SIG;
wolfSSL 13:80fb167dafdf 9035 else if (!XSTRNCASECMP(token, "nonRepudiation", len) ||
wolfSSL 13:80fb167dafdf 9036 !XSTRNCASECMP(token, "contentCommitment", len))
wolfSSL 13:80fb167dafdf 9037 cert->keyUsage |= KEYUSE_CONTENT_COMMIT;
wolfSSL 13:80fb167dafdf 9038 else if (!XSTRNCASECMP(token, "keyEncipherment", len))
wolfSSL 13:80fb167dafdf 9039 cert->keyUsage |= KEYUSE_KEY_ENCIPHER;
wolfSSL 13:80fb167dafdf 9040 else if (!XSTRNCASECMP(token, "dataEncipherment", len))
wolfSSL 13:80fb167dafdf 9041 cert->keyUsage |= KEYUSE_DATA_ENCIPHER;
wolfSSL 13:80fb167dafdf 9042 else if (!XSTRNCASECMP(token, "keyAgreement", len))
wolfSSL 13:80fb167dafdf 9043 cert->keyUsage |= KEYUSE_KEY_AGREE;
wolfSSL 13:80fb167dafdf 9044 else if (!XSTRNCASECMP(token, "keyCertSign", len))
wolfSSL 13:80fb167dafdf 9045 cert->keyUsage |= KEYUSE_KEY_CERT_SIGN;
wolfSSL 13:80fb167dafdf 9046 else if (!XSTRNCASECMP(token, "cRLSign", len))
wolfSSL 13:80fb167dafdf 9047 cert->keyUsage |= KEYUSE_CRL_SIGN;
wolfSSL 13:80fb167dafdf 9048 else if (!XSTRNCASECMP(token, "encipherOnly", len))
wolfSSL 13:80fb167dafdf 9049 cert->keyUsage |= KEYUSE_ENCIPHER_ONLY;
wolfSSL 13:80fb167dafdf 9050 else if (!XSTRNCASECMP(token, "decipherOnly", len))
wolfSSL 13:80fb167dafdf 9051 cert->keyUsage |= KEYUSE_DECIPHER_ONLY;
wolfSSL 13:80fb167dafdf 9052 else {
wolfSSL 13:80fb167dafdf 9053 ret = KEYUSAGE_E;
wolfSSL 13:80fb167dafdf 9054 break;
wolfSSL 13:80fb167dafdf 9055 }
wolfSSL 13:80fb167dafdf 9056
wolfSSL 13:80fb167dafdf 9057 token = XSTRTOK(NULL, ",", &ptr);
wolfSSL 13:80fb167dafdf 9058 }
wolfSSL 13:80fb167dafdf 9059
wolfSSL 13:80fb167dafdf 9060 XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9061 return ret;
wolfSSL 13:80fb167dafdf 9062 }
wolfSSL 13:80fb167dafdf 9063 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 13:80fb167dafdf 9064
wolfSSL 13:80fb167dafdf 9065
wolfSSL 13:80fb167dafdf 9066 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 9067
wolfSSL 13:80fb167dafdf 9068 /* Set Alt Names from der cert, return 0 on success */
wolfSSL 13:80fb167dafdf 9069 static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9070 {
wolfSSL 13:80fb167dafdf 9071 int ret;
wolfSSL 13:80fb167dafdf 9072 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9073 DecodedCert* decoded;
wolfSSL 13:80fb167dafdf 9074 #else
wolfSSL 13:80fb167dafdf 9075 DecodedCert decoded[1];
wolfSSL 13:80fb167dafdf 9076 #endif
wolfSSL 13:80fb167dafdf 9077
wolfSSL 13:80fb167dafdf 9078 if (derSz < 0)
wolfSSL 13:80fb167dafdf 9079 return derSz;
wolfSSL 13:80fb167dafdf 9080
wolfSSL 13:80fb167dafdf 9081 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9082 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 13:80fb167dafdf 9083 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9084 if (decoded == NULL)
wolfSSL 13:80fb167dafdf 9085 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9086 #endif
wolfSSL 13:80fb167dafdf 9087
wolfSSL 13:80fb167dafdf 9088 InitDecodedCert(decoded, (byte*)der, derSz, NULL);
wolfSSL 13:80fb167dafdf 9089 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 13:80fb167dafdf 9090
wolfSSL 13:80fb167dafdf 9091 if (ret < 0) {
wolfSSL 13:80fb167dafdf 9092 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 13:80fb167dafdf 9093 }
wolfSSL 13:80fb167dafdf 9094 else if (decoded->extensions) {
wolfSSL 13:80fb167dafdf 9095 byte b;
wolfSSL 13:80fb167dafdf 9096 int length;
wolfSSL 13:80fb167dafdf 9097 word32 maxExtensionsIdx;
wolfSSL 13:80fb167dafdf 9098
wolfSSL 13:80fb167dafdf 9099 decoded->srcIdx = decoded->extensionsIdx;
wolfSSL 13:80fb167dafdf 9100 b = decoded->source[decoded->srcIdx++];
wolfSSL 13:80fb167dafdf 9101
wolfSSL 13:80fb167dafdf 9102 if (b != ASN_EXTENSIONS) {
wolfSSL 13:80fb167dafdf 9103 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9104 }
wolfSSL 13:80fb167dafdf 9105 else if (GetLength(decoded->source, &decoded->srcIdx, &length,
wolfSSL 13:80fb167dafdf 9106 decoded->maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 9107 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9108 }
wolfSSL 13:80fb167dafdf 9109 else if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 13:80fb167dafdf 9110 decoded->maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 9111 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9112 }
wolfSSL 13:80fb167dafdf 9113 else {
wolfSSL 13:80fb167dafdf 9114 maxExtensionsIdx = decoded->srcIdx + length;
wolfSSL 13:80fb167dafdf 9115
wolfSSL 13:80fb167dafdf 9116 while (decoded->srcIdx < maxExtensionsIdx) {
wolfSSL 13:80fb167dafdf 9117 word32 oid;
wolfSSL 13:80fb167dafdf 9118 word32 startIdx = decoded->srcIdx;
wolfSSL 13:80fb167dafdf 9119 word32 tmpIdx;
wolfSSL 13:80fb167dafdf 9120
wolfSSL 13:80fb167dafdf 9121 if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 13:80fb167dafdf 9122 decoded->maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 9123 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9124 break;
wolfSSL 13:80fb167dafdf 9125 }
wolfSSL 13:80fb167dafdf 9126
wolfSSL 13:80fb167dafdf 9127 tmpIdx = decoded->srcIdx;
wolfSSL 13:80fb167dafdf 9128 decoded->srcIdx = startIdx;
wolfSSL 13:80fb167dafdf 9129
wolfSSL 13:80fb167dafdf 9130 if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
wolfSSL 13:80fb167dafdf 9131 oidCertExtType, decoded->maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 9132 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9133 break;
wolfSSL 13:80fb167dafdf 9134 }
wolfSSL 13:80fb167dafdf 9135
wolfSSL 13:80fb167dafdf 9136 if (oid == ALT_NAMES_OID) {
wolfSSL 13:80fb167dafdf 9137 cert->altNamesSz = length + (tmpIdx - startIdx);
wolfSSL 13:80fb167dafdf 9138
wolfSSL 13:80fb167dafdf 9139 if (cert->altNamesSz < (int)sizeof(cert->altNames))
wolfSSL 13:80fb167dafdf 9140 XMEMCPY(cert->altNames, &decoded->source[startIdx],
wolfSSL 13:80fb167dafdf 9141 cert->altNamesSz);
wolfSSL 13:80fb167dafdf 9142 else {
wolfSSL 13:80fb167dafdf 9143 cert->altNamesSz = 0;
wolfSSL 13:80fb167dafdf 9144 WOLFSSL_MSG("AltNames extensions too big");
wolfSSL 13:80fb167dafdf 9145 ret = ALT_NAME_E;
wolfSSL 13:80fb167dafdf 9146 break;
wolfSSL 13:80fb167dafdf 9147 }
wolfSSL 13:80fb167dafdf 9148 }
wolfSSL 13:80fb167dafdf 9149 decoded->srcIdx = tmpIdx + length;
wolfSSL 13:80fb167dafdf 9150 }
wolfSSL 13:80fb167dafdf 9151 }
wolfSSL 13:80fb167dafdf 9152 }
wolfSSL 13:80fb167dafdf 9153
wolfSSL 13:80fb167dafdf 9154 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 9155 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9156 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9157 #endif
wolfSSL 13:80fb167dafdf 9158
wolfSSL 13:80fb167dafdf 9159 return ret < 0 ? ret : 0;
wolfSSL 13:80fb167dafdf 9160 }
wolfSSL 13:80fb167dafdf 9161
wolfSSL 13:80fb167dafdf 9162
wolfSSL 13:80fb167dafdf 9163 /* Set Dates from der cert, return 0 on success */
wolfSSL 13:80fb167dafdf 9164 static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9165 {
wolfSSL 13:80fb167dafdf 9166 int ret;
wolfSSL 13:80fb167dafdf 9167 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9168 DecodedCert* decoded;
wolfSSL 13:80fb167dafdf 9169 #else
wolfSSL 13:80fb167dafdf 9170 DecodedCert decoded[1];
wolfSSL 13:80fb167dafdf 9171 #endif
wolfSSL 13:80fb167dafdf 9172
wolfSSL 13:80fb167dafdf 9173 WOLFSSL_ENTER("SetDatesFromCert");
wolfSSL 13:80fb167dafdf 9174 if (derSz < 0)
wolfSSL 13:80fb167dafdf 9175 return derSz;
wolfSSL 13:80fb167dafdf 9176
wolfSSL 13:80fb167dafdf 9177 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9178 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 13:80fb167dafdf 9179 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9180 if (decoded == NULL)
wolfSSL 13:80fb167dafdf 9181 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9182 #endif
wolfSSL 13:80fb167dafdf 9183
wolfSSL 13:80fb167dafdf 9184 InitDecodedCert(decoded, (byte*)der, derSz, NULL);
wolfSSL 13:80fb167dafdf 9185 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 13:80fb167dafdf 9186
wolfSSL 13:80fb167dafdf 9187 if (ret < 0) {
wolfSSL 13:80fb167dafdf 9188 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 13:80fb167dafdf 9189 }
wolfSSL 13:80fb167dafdf 9190 else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) {
wolfSSL 13:80fb167dafdf 9191 WOLFSSL_MSG("Couldn't extract dates");
wolfSSL 13:80fb167dafdf 9192 ret = -1;
wolfSSL 13:80fb167dafdf 9193 }
wolfSSL 13:80fb167dafdf 9194 else if (decoded->beforeDateLen > MAX_DATE_SIZE ||
wolfSSL 13:80fb167dafdf 9195 decoded->afterDateLen > MAX_DATE_SIZE) {
wolfSSL 13:80fb167dafdf 9196 WOLFSSL_MSG("Bad date size");
wolfSSL 13:80fb167dafdf 9197 ret = -1;
wolfSSL 13:80fb167dafdf 9198 }
wolfSSL 13:80fb167dafdf 9199 else {
wolfSSL 13:80fb167dafdf 9200 XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen);
wolfSSL 13:80fb167dafdf 9201 XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen);
wolfSSL 13:80fb167dafdf 9202
wolfSSL 13:80fb167dafdf 9203 cert->beforeDateSz = decoded->beforeDateLen;
wolfSSL 13:80fb167dafdf 9204 cert->afterDateSz = decoded->afterDateLen;
wolfSSL 13:80fb167dafdf 9205 }
wolfSSL 13:80fb167dafdf 9206
wolfSSL 13:80fb167dafdf 9207 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 9208
wolfSSL 13:80fb167dafdf 9209 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9210 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9211 #endif
wolfSSL 13:80fb167dafdf 9212
wolfSSL 13:80fb167dafdf 9213 return ret < 0 ? ret : 0;
wolfSSL 13:80fb167dafdf 9214 }
wolfSSL 13:80fb167dafdf 9215
wolfSSL 13:80fb167dafdf 9216
wolfSSL 13:80fb167dafdf 9217 #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
wolfSSL 13:80fb167dafdf 9218
wolfSSL 13:80fb167dafdf 9219
wolfSSL 13:80fb167dafdf 9220 /* Set cn name from der buffer, return 0 on success */
wolfSSL 13:80fb167dafdf 9221 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9222 {
wolfSSL 13:80fb167dafdf 9223 int ret, sz;
wolfSSL 13:80fb167dafdf 9224 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9225 DecodedCert* decoded;
wolfSSL 13:80fb167dafdf 9226 #else
wolfSSL 13:80fb167dafdf 9227 DecodedCert decoded[1];
wolfSSL 13:80fb167dafdf 9228 #endif
wolfSSL 13:80fb167dafdf 9229
wolfSSL 13:80fb167dafdf 9230 if (derSz < 0)
wolfSSL 13:80fb167dafdf 9231 return derSz;
wolfSSL 13:80fb167dafdf 9232
wolfSSL 13:80fb167dafdf 9233 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9234 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 13:80fb167dafdf 9235 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9236 if (decoded == NULL)
wolfSSL 13:80fb167dafdf 9237 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9238 #endif
wolfSSL 13:80fb167dafdf 9239
wolfSSL 13:80fb167dafdf 9240 InitDecodedCert(decoded, (byte*)der, derSz, NULL);
wolfSSL 13:80fb167dafdf 9241 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 13:80fb167dafdf 9242
wolfSSL 13:80fb167dafdf 9243 if (ret < 0) {
wolfSSL 13:80fb167dafdf 9244 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 13:80fb167dafdf 9245 }
wolfSSL 13:80fb167dafdf 9246 else {
wolfSSL 13:80fb167dafdf 9247 if (decoded->subjectCN) {
wolfSSL 13:80fb167dafdf 9248 sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
wolfSSL 13:80fb167dafdf 9249 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9250 strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9251 cn->commonName[sz] = 0;
wolfSSL 13:80fb167dafdf 9252 cn->commonNameEnc = decoded->subjectCNEnc;
wolfSSL 13:80fb167dafdf 9253 }
wolfSSL 13:80fb167dafdf 9254 if (decoded->subjectC) {
wolfSSL 13:80fb167dafdf 9255 sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
wolfSSL 13:80fb167dafdf 9256 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9257 strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9258 cn->country[sz] = 0;
wolfSSL 13:80fb167dafdf 9259 cn->countryEnc = decoded->subjectCEnc;
wolfSSL 13:80fb167dafdf 9260 }
wolfSSL 13:80fb167dafdf 9261 if (decoded->subjectST) {
wolfSSL 13:80fb167dafdf 9262 sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
wolfSSL 13:80fb167dafdf 9263 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9264 strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9265 cn->state[sz] = 0;
wolfSSL 13:80fb167dafdf 9266 cn->stateEnc = decoded->subjectSTEnc;
wolfSSL 13:80fb167dafdf 9267 }
wolfSSL 13:80fb167dafdf 9268 if (decoded->subjectL) {
wolfSSL 13:80fb167dafdf 9269 sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
wolfSSL 13:80fb167dafdf 9270 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9271 strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9272 cn->locality[sz] = 0;
wolfSSL 13:80fb167dafdf 9273 cn->localityEnc = decoded->subjectLEnc;
wolfSSL 13:80fb167dafdf 9274 }
wolfSSL 13:80fb167dafdf 9275 if (decoded->subjectO) {
wolfSSL 13:80fb167dafdf 9276 sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
wolfSSL 13:80fb167dafdf 9277 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9278 strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9279 cn->org[sz] = 0;
wolfSSL 13:80fb167dafdf 9280 cn->orgEnc = decoded->subjectOEnc;
wolfSSL 13:80fb167dafdf 9281 }
wolfSSL 13:80fb167dafdf 9282 if (decoded->subjectOU) {
wolfSSL 13:80fb167dafdf 9283 sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
wolfSSL 13:80fb167dafdf 9284 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9285 strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9286 cn->unit[sz] = 0;
wolfSSL 13:80fb167dafdf 9287 cn->unitEnc = decoded->subjectOUEnc;
wolfSSL 13:80fb167dafdf 9288 }
wolfSSL 13:80fb167dafdf 9289 if (decoded->subjectSN) {
wolfSSL 13:80fb167dafdf 9290 sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
wolfSSL 13:80fb167dafdf 9291 : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9292 strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9293 cn->sur[sz] = 0;
wolfSSL 13:80fb167dafdf 9294 cn->surEnc = decoded->subjectSNEnc;
wolfSSL 13:80fb167dafdf 9295 }
wolfSSL 13:80fb167dafdf 9296 if (decoded->subjectEmail) {
wolfSSL 13:80fb167dafdf 9297 sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
wolfSSL 13:80fb167dafdf 9298 ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
wolfSSL 13:80fb167dafdf 9299 strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE);
wolfSSL 13:80fb167dafdf 9300 cn->email[sz] = 0;
wolfSSL 13:80fb167dafdf 9301 }
wolfSSL 13:80fb167dafdf 9302 }
wolfSSL 13:80fb167dafdf 9303
wolfSSL 13:80fb167dafdf 9304 FreeDecodedCert(decoded);
wolfSSL 13:80fb167dafdf 9305
wolfSSL 13:80fb167dafdf 9306 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9307 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9308 #endif
wolfSSL 13:80fb167dafdf 9309
wolfSSL 13:80fb167dafdf 9310 return ret < 0 ? ret : 0;
wolfSSL 13:80fb167dafdf 9311 }
wolfSSL 13:80fb167dafdf 9312
wolfSSL 13:80fb167dafdf 9313
wolfSSL 13:80fb167dafdf 9314 #ifndef NO_FILESYSTEM
wolfSSL 13:80fb167dafdf 9315
wolfSSL 13:80fb167dafdf 9316 /* Set cert issuer from issuerFile in PEM */
wolfSSL 13:80fb167dafdf 9317 int wc_SetIssuer(Cert* cert, const char* issuerFile)
wolfSSL 13:80fb167dafdf 9318 {
wolfSSL 13:80fb167dafdf 9319 int ret;
wolfSSL 13:80fb167dafdf 9320 int derSz;
wolfSSL 13:80fb167dafdf 9321 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9322
wolfSSL 13:80fb167dafdf 9323 if (der == NULL) {
wolfSSL 13:80fb167dafdf 9324 WOLFSSL_MSG("wc_SetIssuer OOF Problem");
wolfSSL 13:80fb167dafdf 9325 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9326 }
wolfSSL 13:80fb167dafdf 9327 derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF);
wolfSSL 13:80fb167dafdf 9328 cert->selfSigned = 0;
wolfSSL 13:80fb167dafdf 9329 ret = SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 13:80fb167dafdf 9330 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9331
wolfSSL 13:80fb167dafdf 9332 return ret;
wolfSSL 13:80fb167dafdf 9333 }
wolfSSL 13:80fb167dafdf 9334
wolfSSL 13:80fb167dafdf 9335
wolfSSL 13:80fb167dafdf 9336 /* Set cert subject from subjectFile in PEM */
wolfSSL 13:80fb167dafdf 9337 int wc_SetSubject(Cert* cert, const char* subjectFile)
wolfSSL 13:80fb167dafdf 9338 {
wolfSSL 13:80fb167dafdf 9339 int ret;
wolfSSL 13:80fb167dafdf 9340 int derSz;
wolfSSL 13:80fb167dafdf 9341 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9342
wolfSSL 13:80fb167dafdf 9343 if (der == NULL) {
wolfSSL 13:80fb167dafdf 9344 WOLFSSL_MSG("wc_SetSubject OOF Problem");
wolfSSL 13:80fb167dafdf 9345 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9346 }
wolfSSL 13:80fb167dafdf 9347 derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF);
wolfSSL 13:80fb167dafdf 9348 ret = SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 13:80fb167dafdf 9349 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9350
wolfSSL 13:80fb167dafdf 9351 return ret;
wolfSSL 13:80fb167dafdf 9352 }
wolfSSL 13:80fb167dafdf 9353
wolfSSL 13:80fb167dafdf 9354
wolfSSL 13:80fb167dafdf 9355 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 9356
wolfSSL 13:80fb167dafdf 9357 /* Set atl names from file in PEM */
wolfSSL 13:80fb167dafdf 9358 int wc_SetAltNames(Cert* cert, const char* file)
wolfSSL 13:80fb167dafdf 9359 {
wolfSSL 13:80fb167dafdf 9360 int ret;
wolfSSL 13:80fb167dafdf 9361 int derSz;
wolfSSL 13:80fb167dafdf 9362 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9363
wolfSSL 13:80fb167dafdf 9364 if (der == NULL) {
wolfSSL 13:80fb167dafdf 9365 WOLFSSL_MSG("wc_SetAltNames OOF Problem");
wolfSSL 13:80fb167dafdf 9366 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9367 }
wolfSSL 13:80fb167dafdf 9368 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 13:80fb167dafdf 9369 ret = SetAltNamesFromCert(cert, der, derSz);
wolfSSL 13:80fb167dafdf 9370 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 13:80fb167dafdf 9371
wolfSSL 13:80fb167dafdf 9372 return ret;
wolfSSL 13:80fb167dafdf 9373 }
wolfSSL 13:80fb167dafdf 9374
wolfSSL 13:80fb167dafdf 9375 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 13:80fb167dafdf 9376
wolfSSL 13:80fb167dafdf 9377 #endif /* NO_FILESYSTEM */
wolfSSL 13:80fb167dafdf 9378
wolfSSL 13:80fb167dafdf 9379 /* Set cert issuer from DER buffer */
wolfSSL 13:80fb167dafdf 9380 int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9381 {
wolfSSL 13:80fb167dafdf 9382 cert->selfSigned = 0;
wolfSSL 13:80fb167dafdf 9383 return SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 13:80fb167dafdf 9384 }
wolfSSL 13:80fb167dafdf 9385
wolfSSL 13:80fb167dafdf 9386
wolfSSL 13:80fb167dafdf 9387 /* Set cert subject from DER buffer */
wolfSSL 13:80fb167dafdf 9388 int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9389 {
wolfSSL 13:80fb167dafdf 9390 return SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 13:80fb167dafdf 9391 }
wolfSSL 13:80fb167dafdf 9392
wolfSSL 13:80fb167dafdf 9393
wolfSSL 13:80fb167dafdf 9394 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 13:80fb167dafdf 9395
wolfSSL 13:80fb167dafdf 9396 /* Set cert alt names from DER buffer */
wolfSSL 13:80fb167dafdf 9397 int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9398 {
wolfSSL 13:80fb167dafdf 9399 return SetAltNamesFromCert(cert, der, derSz);
wolfSSL 13:80fb167dafdf 9400 }
wolfSSL 13:80fb167dafdf 9401
wolfSSL 13:80fb167dafdf 9402 /* Set cert dates from DER buffer */
wolfSSL 13:80fb167dafdf 9403 int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 13:80fb167dafdf 9404 {
wolfSSL 13:80fb167dafdf 9405 return SetDatesFromCert(cert, der, derSz);
wolfSSL 13:80fb167dafdf 9406 }
wolfSSL 13:80fb167dafdf 9407
wolfSSL 13:80fb167dafdf 9408 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 13:80fb167dafdf 9409
wolfSSL 13:80fb167dafdf 9410 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 13:80fb167dafdf 9411
wolfSSL 13:80fb167dafdf 9412
wolfSSL 13:80fb167dafdf 9413 #ifdef HAVE_ECC
wolfSSL 13:80fb167dafdf 9414
wolfSSL 13:80fb167dafdf 9415 /* Der Encode r & s ints into out, outLen is (in/out) size */
wolfSSL 13:80fb167dafdf 9416 int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
wolfSSL 13:80fb167dafdf 9417 {
wolfSSL 13:80fb167dafdf 9418 word32 idx = 0;
wolfSSL 13:80fb167dafdf 9419 int rSz; /* encoding size */
wolfSSL 13:80fb167dafdf 9420 int sSz;
wolfSSL 13:80fb167dafdf 9421 word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */
wolfSSL 13:80fb167dafdf 9422
wolfSSL 13:80fb167dafdf 9423 /* If the leading bit on the INTEGER is a 1, add a leading zero */
wolfSSL 13:80fb167dafdf 9424 int rLeadingZero = mp_leading_bit(r);
wolfSSL 13:80fb167dafdf 9425 int sLeadingZero = mp_leading_bit(s);
wolfSSL 13:80fb167dafdf 9426 int rLen = mp_unsigned_bin_size(r); /* big int size */
wolfSSL 13:80fb167dafdf 9427 int sLen = mp_unsigned_bin_size(s);
wolfSSL 13:80fb167dafdf 9428
wolfSSL 13:80fb167dafdf 9429 if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
wolfSSL 13:80fb167dafdf 9430 headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
wolfSSL 13:80fb167dafdf 9431 return BUFFER_E;
wolfSSL 13:80fb167dafdf 9432
wolfSSL 13:80fb167dafdf 9433 idx = SetSequence(rLen + rLeadingZero + sLen+sLeadingZero + headerSz, out);
wolfSSL 13:80fb167dafdf 9434
wolfSSL 13:80fb167dafdf 9435 /* store r */
wolfSSL 13:80fb167dafdf 9436 rSz = SetASNIntMP(r, -1, &out[idx]);
wolfSSL 13:80fb167dafdf 9437 if (rSz < 0)
wolfSSL 13:80fb167dafdf 9438 return rSz;
wolfSSL 13:80fb167dafdf 9439 idx += rSz;
wolfSSL 13:80fb167dafdf 9440
wolfSSL 13:80fb167dafdf 9441 /* store s */
wolfSSL 13:80fb167dafdf 9442 sSz = SetASNIntMP(s, -1, &out[idx]);
wolfSSL 13:80fb167dafdf 9443 if (sSz < 0)
wolfSSL 13:80fb167dafdf 9444 return sSz;
wolfSSL 13:80fb167dafdf 9445 idx += sSz;
wolfSSL 13:80fb167dafdf 9446
wolfSSL 13:80fb167dafdf 9447 *outLen = idx;
wolfSSL 13:80fb167dafdf 9448
wolfSSL 13:80fb167dafdf 9449 return 0;
wolfSSL 13:80fb167dafdf 9450 }
wolfSSL 13:80fb167dafdf 9451
wolfSSL 13:80fb167dafdf 9452
wolfSSL 13:80fb167dafdf 9453 /* Der Decode ECC-DSA Signature, r & s stored as big ints */
wolfSSL 13:80fb167dafdf 9454 int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
wolfSSL 13:80fb167dafdf 9455 {
wolfSSL 13:80fb167dafdf 9456 word32 idx = 0;
wolfSSL 13:80fb167dafdf 9457 int len = 0;
wolfSSL 13:80fb167dafdf 9458
wolfSSL 13:80fb167dafdf 9459 if (GetSequence(sig, &idx, &len, sigLen) < 0) {
wolfSSL 13:80fb167dafdf 9460 return ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9461 }
wolfSSL 13:80fb167dafdf 9462
wolfSSL 13:80fb167dafdf 9463 if ((word32)len > (sigLen - idx)) {
wolfSSL 13:80fb167dafdf 9464 return ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9465 }
wolfSSL 13:80fb167dafdf 9466
wolfSSL 13:80fb167dafdf 9467 if (GetInt(r, sig, &idx, sigLen) < 0) {
wolfSSL 13:80fb167dafdf 9468 return ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9469 }
wolfSSL 13:80fb167dafdf 9470
wolfSSL 13:80fb167dafdf 9471 if (GetInt(s, sig, &idx, sigLen) < 0) {
wolfSSL 13:80fb167dafdf 9472 return ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9473 }
wolfSSL 13:80fb167dafdf 9474
wolfSSL 13:80fb167dafdf 9475 return 0;
wolfSSL 13:80fb167dafdf 9476 }
wolfSSL 13:80fb167dafdf 9477
wolfSSL 13:80fb167dafdf 9478
wolfSSL 13:80fb167dafdf 9479 int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
wolfSSL 13:80fb167dafdf 9480 word32 inSz)
wolfSSL 13:80fb167dafdf 9481 {
wolfSSL 13:80fb167dafdf 9482 word32 oidSum;
wolfSSL 13:80fb167dafdf 9483 int version, length;
wolfSSL 13:80fb167dafdf 9484 int privSz, pubSz;
wolfSSL 13:80fb167dafdf 9485 byte b;
wolfSSL 13:80fb167dafdf 9486 int ret = 0;
wolfSSL 13:80fb167dafdf 9487 int curve_id = ECC_CURVE_DEF;
wolfSSL 13:80fb167dafdf 9488 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9489 byte* priv;
wolfSSL 13:80fb167dafdf 9490 byte* pub;
wolfSSL 13:80fb167dafdf 9491 #else
wolfSSL 13:80fb167dafdf 9492 byte priv[ECC_MAXSIZE+1];
wolfSSL 13:80fb167dafdf 9493 byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */
wolfSSL 13:80fb167dafdf 9494 #endif
wolfSSL 13:80fb167dafdf 9495
wolfSSL 13:80fb167dafdf 9496 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 13:80fb167dafdf 9497 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 9498
wolfSSL 13:80fb167dafdf 9499 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 9500 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9501
wolfSSL 13:80fb167dafdf 9502 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 13:80fb167dafdf 9503 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9504
wolfSSL 13:80fb167dafdf 9505 b = input[*inOutIdx];
wolfSSL 13:80fb167dafdf 9506 *inOutIdx += 1;
wolfSSL 13:80fb167dafdf 9507
wolfSSL 13:80fb167dafdf 9508 /* priv type */
wolfSSL 13:80fb167dafdf 9509 if (b != 4 && b != 6 && b != 7)
wolfSSL 13:80fb167dafdf 9510 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9511
wolfSSL 13:80fb167dafdf 9512 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 9513 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9514
wolfSSL 13:80fb167dafdf 9515 if (length > ECC_MAXSIZE)
wolfSSL 13:80fb167dafdf 9516 return BUFFER_E;
wolfSSL 13:80fb167dafdf 9517
wolfSSL 13:80fb167dafdf 9518 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9519 priv = (byte*)XMALLOC(ECC_MAXSIZE+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9520 if (priv == NULL)
wolfSSL 13:80fb167dafdf 9521 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9522
wolfSSL 13:80fb167dafdf 9523 pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9524 if (pub == NULL) {
wolfSSL 13:80fb167dafdf 9525 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9526 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9527 }
wolfSSL 13:80fb167dafdf 9528 #endif
wolfSSL 13:80fb167dafdf 9529
wolfSSL 13:80fb167dafdf 9530 /* priv key */
wolfSSL 13:80fb167dafdf 9531 privSz = length;
wolfSSL 13:80fb167dafdf 9532 XMEMCPY(priv, &input[*inOutIdx], privSz);
wolfSSL 13:80fb167dafdf 9533 *inOutIdx += length;
wolfSSL 13:80fb167dafdf 9534
wolfSSL 13:80fb167dafdf 9535 if ((*inOutIdx + 1) > inSz)
wolfSSL 13:80fb167dafdf 9536 return BUFFER_E;
wolfSSL 13:80fb167dafdf 9537
wolfSSL 13:80fb167dafdf 9538 /* prefix 0, may have */
wolfSSL 13:80fb167dafdf 9539 b = input[*inOutIdx];
wolfSSL 13:80fb167dafdf 9540 if (b == ECC_PREFIX_0) {
wolfSSL 13:80fb167dafdf 9541 *inOutIdx += 1;
wolfSSL 13:80fb167dafdf 9542
wolfSSL 13:80fb167dafdf 9543 if (GetLength(input, inOutIdx, &length, inSz) <= 0)
wolfSSL 13:80fb167dafdf 9544 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9545 else {
wolfSSL 13:80fb167dafdf 9546 ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, inSz);
wolfSSL 13:80fb167dafdf 9547 if (ret == 0) {
wolfSSL 13:80fb167dafdf 9548 if ((ret = CheckCurve(oidSum)) < 0)
wolfSSL 13:80fb167dafdf 9549 ret = ECC_CURVE_OID_E;
wolfSSL 13:80fb167dafdf 9550 else {
wolfSSL 13:80fb167dafdf 9551 curve_id = ret;
wolfSSL 13:80fb167dafdf 9552 ret = 0;
wolfSSL 13:80fb167dafdf 9553 }
wolfSSL 13:80fb167dafdf 9554 }
wolfSSL 13:80fb167dafdf 9555 }
wolfSSL 13:80fb167dafdf 9556 }
wolfSSL 13:80fb167dafdf 9557
wolfSSL 13:80fb167dafdf 9558 if (ret == 0) {
wolfSSL 13:80fb167dafdf 9559 /* prefix 1 */
wolfSSL 13:80fb167dafdf 9560 b = input[*inOutIdx];
wolfSSL 13:80fb167dafdf 9561 *inOutIdx += 1;
wolfSSL 13:80fb167dafdf 9562
wolfSSL 13:80fb167dafdf 9563 if (b != ECC_PREFIX_1) {
wolfSSL 13:80fb167dafdf 9564 ret = ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9565 }
wolfSSL 13:80fb167dafdf 9566 else if (GetLength(input, inOutIdx, &length, inSz) <= 0) {
wolfSSL 13:80fb167dafdf 9567 ret = ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9568 }
wolfSSL 13:80fb167dafdf 9569 else {
wolfSSL 13:80fb167dafdf 9570 /* key header */
wolfSSL 13:80fb167dafdf 9571 ret = CheckBitString(input, inOutIdx, &length, inSz, 0, NULL);
wolfSSL 13:80fb167dafdf 9572 if (ret == 0) {
wolfSSL 13:80fb167dafdf 9573 /* pub key */
wolfSSL 13:80fb167dafdf 9574 pubSz = length;
wolfSSL 13:80fb167dafdf 9575 if (pubSz < 2*(ECC_MAXSIZE+1)) {
wolfSSL 13:80fb167dafdf 9576 XMEMCPY(pub, &input[*inOutIdx], pubSz);
wolfSSL 13:80fb167dafdf 9577 *inOutIdx += length;
wolfSSL 13:80fb167dafdf 9578 ret = wc_ecc_import_private_key_ex(priv, privSz, pub,
wolfSSL 13:80fb167dafdf 9579 pubSz, key, curve_id);
wolfSSL 13:80fb167dafdf 9580 }
wolfSSL 13:80fb167dafdf 9581 else
wolfSSL 13:80fb167dafdf 9582 ret = BUFFER_E;
wolfSSL 13:80fb167dafdf 9583 }
wolfSSL 13:80fb167dafdf 9584 }
wolfSSL 13:80fb167dafdf 9585 }
wolfSSL 13:80fb167dafdf 9586
wolfSSL 13:80fb167dafdf 9587 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:80fb167dafdf 9588 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9589 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9590 #endif
wolfSSL 13:80fb167dafdf 9591
wolfSSL 13:80fb167dafdf 9592 return ret;
wolfSSL 13:80fb167dafdf 9593 }
wolfSSL 13:80fb167dafdf 9594
wolfSSL 13:80fb167dafdf 9595
wolfSSL 13:80fb167dafdf 9596 int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
wolfSSL 13:80fb167dafdf 9597 ecc_key* key, word32 inSz)
wolfSSL 13:80fb167dafdf 9598 {
wolfSSL 13:80fb167dafdf 9599 int length;
wolfSSL 13:80fb167dafdf 9600 int ret;
wolfSSL 13:80fb167dafdf 9601 #ifdef ECC_CHECK_PUBLIC_KEY_OID
wolfSSL 13:80fb167dafdf 9602 word32 oidSum;
wolfSSL 13:80fb167dafdf 9603 #endif
wolfSSL 13:80fb167dafdf 9604
wolfSSL 13:80fb167dafdf 9605 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 13:80fb167dafdf 9606 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 9607
wolfSSL 13:80fb167dafdf 9608 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 9609 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9610
wolfSSL 13:80fb167dafdf 9611 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 13:80fb167dafdf 9612 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9613
wolfSSL 13:80fb167dafdf 9614 ret = SkipObjectId(input, inOutIdx, inSz);
wolfSSL 13:80fb167dafdf 9615 if (ret != 0)
wolfSSL 13:80fb167dafdf 9616 return ret;
wolfSSL 13:80fb167dafdf 9617
wolfSSL 13:80fb167dafdf 9618 /* ecc params information */
wolfSSL 13:80fb167dafdf 9619 #ifdef ECC_CHECK_PUBLIC_KEY_OID
wolfSSL 13:80fb167dafdf 9620 ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, inSz);
wolfSSL 13:80fb167dafdf 9621 if (ret != 0)
wolfSSL 13:80fb167dafdf 9622 return ret;
wolfSSL 13:80fb167dafdf 9623 if (CheckCurve(oidSum) < 0)
wolfSSL 13:80fb167dafdf 9624 return ECC_CURVE_OID_E;
wolfSSL 13:80fb167dafdf 9625 #else
wolfSSL 13:80fb167dafdf 9626 ret = SkipObjectId(input, inOutIdx, inSz);
wolfSSL 13:80fb167dafdf 9627 if (ret != 0)
wolfSSL 13:80fb167dafdf 9628 return ret;
wolfSSL 13:80fb167dafdf 9629 #endif
wolfSSL 13:80fb167dafdf 9630
wolfSSL 13:80fb167dafdf 9631 /* key header */
wolfSSL 13:80fb167dafdf 9632 ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
wolfSSL 13:80fb167dafdf 9633 if (ret != 0)
wolfSSL 13:80fb167dafdf 9634 return ret;
wolfSSL 13:80fb167dafdf 9635
wolfSSL 13:80fb167dafdf 9636 /* This is the raw point data compressed or uncompressed. */
wolfSSL 13:80fb167dafdf 9637 if (wc_ecc_import_x963(input + *inOutIdx, inSz - *inOutIdx, key) != 0)
wolfSSL 13:80fb167dafdf 9638 return ASN_ECC_KEY_E;
wolfSSL 13:80fb167dafdf 9639
wolfSSL 13:80fb167dafdf 9640 return 0;
wolfSSL 13:80fb167dafdf 9641 }
wolfSSL 13:80fb167dafdf 9642
wolfSSL 13:80fb167dafdf 9643
wolfSSL 13:80fb167dafdf 9644 #ifdef WOLFSSL_KEY_GEN
wolfSSL 13:80fb167dafdf 9645
wolfSSL 13:80fb167dafdf 9646 /* build DER formatted ECC key, include optional public key if requested,
wolfSSL 13:80fb167dafdf 9647 * return length on success, negative on error */
wolfSSL 13:80fb167dafdf 9648 static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
wolfSSL 13:80fb167dafdf 9649 int pubIn)
wolfSSL 13:80fb167dafdf 9650 {
wolfSSL 13:80fb167dafdf 9651 byte curve[MAX_ALGO_SZ+2];
wolfSSL 13:80fb167dafdf 9652 byte ver[MAX_VERSION_SZ];
wolfSSL 13:80fb167dafdf 9653 byte seq[MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 9654 byte *prv = NULL, *pub = NULL;
wolfSSL 13:80fb167dafdf 9655 int ret, totalSz, curveSz, verSz;
wolfSSL 13:80fb167dafdf 9656 int privHdrSz = ASN_ECC_HEADER_SZ;
wolfSSL 13:80fb167dafdf 9657 int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ;
wolfSSL 13:80fb167dafdf 9658
wolfSSL 13:80fb167dafdf 9659 word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0;
wolfSSL 13:80fb167dafdf 9660 word32 seqSz, privSz, pubSz = ECC_BUFSIZE;
wolfSSL 13:80fb167dafdf 9661
wolfSSL 13:80fb167dafdf 9662 if (key == NULL || output == NULL || inLen == 0)
wolfSSL 13:80fb167dafdf 9663 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 9664
wolfSSL 13:80fb167dafdf 9665 /* curve */
wolfSSL 13:80fb167dafdf 9666 curve[curveidx++] = ECC_PREFIX_0;
wolfSSL 13:80fb167dafdf 9667 curveidx++ /* to put the size after computation */;
wolfSSL 13:80fb167dafdf 9668 curveSz = SetCurve(key, curve+curveidx);
wolfSSL 13:80fb167dafdf 9669 if (curveSz < 0)
wolfSSL 13:80fb167dafdf 9670 return curveSz;
wolfSSL 13:80fb167dafdf 9671 /* set computed size */
wolfSSL 13:80fb167dafdf 9672 curve[1] = (byte)curveSz;
wolfSSL 13:80fb167dafdf 9673 curveidx += curveSz;
wolfSSL 13:80fb167dafdf 9674
wolfSSL 13:80fb167dafdf 9675 /* private */
wolfSSL 13:80fb167dafdf 9676 privSz = key->dp->size;
wolfSSL 13:80fb167dafdf 9677 prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ,
wolfSSL 13:80fb167dafdf 9678 key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9679 if (prv == NULL) {
wolfSSL 13:80fb167dafdf 9680 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9681 }
wolfSSL 13:80fb167dafdf 9682 prvidx += SetOctetString8Bit(key->dp->size, &prv[prvidx]);
wolfSSL 13:80fb167dafdf 9683 ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz);
wolfSSL 13:80fb167dafdf 9684 if (ret < 0) {
wolfSSL 13:80fb167dafdf 9685 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9686 return ret;
wolfSSL 13:80fb167dafdf 9687 }
wolfSSL 13:80fb167dafdf 9688 prvidx += privSz;
wolfSSL 13:80fb167dafdf 9689
wolfSSL 13:80fb167dafdf 9690 /* pubIn */
wolfSSL 13:80fb167dafdf 9691 if (pubIn) {
wolfSSL 13:80fb167dafdf 9692 ret = wc_ecc_export_x963(key, NULL, &pubSz);
wolfSSL 13:80fb167dafdf 9693 if (ret != LENGTH_ONLY_E) {
wolfSSL 13:80fb167dafdf 9694 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9695 return ret;
wolfSSL 13:80fb167dafdf 9696 }
wolfSSL 13:80fb167dafdf 9697
wolfSSL 13:80fb167dafdf 9698 pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ,
wolfSSL 13:80fb167dafdf 9699 key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9700 if (pub == NULL) {
wolfSSL 13:80fb167dafdf 9701 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9702 return MEMORY_E;
wolfSSL 13:80fb167dafdf 9703 }
wolfSSL 13:80fb167dafdf 9704
wolfSSL 13:80fb167dafdf 9705 pub[pubidx++] = ECC_PREFIX_1;
wolfSSL 13:80fb167dafdf 9706 if (pubSz > 128) /* leading zero + extra size byte */
wolfSSL 13:80fb167dafdf 9707 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx);
wolfSSL 13:80fb167dafdf 9708 else /* leading zero */
wolfSSL 13:80fb167dafdf 9709 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx);
wolfSSL 13:80fb167dafdf 9710
wolfSSL 13:80fb167dafdf 9711 /* SetBitString adds leading zero */
wolfSSL 13:80fb167dafdf 9712 pubidx += SetBitString(pubSz, 0, pub + pubidx);
wolfSSL 13:80fb167dafdf 9713 ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz);
wolfSSL 13:80fb167dafdf 9714 if (ret != 0) {
wolfSSL 13:80fb167dafdf 9715 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9716 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9717 return ret;
wolfSSL 13:80fb167dafdf 9718 }
wolfSSL 13:80fb167dafdf 9719 pubidx += pubSz;
wolfSSL 13:80fb167dafdf 9720 }
wolfSSL 13:80fb167dafdf 9721
wolfSSL 13:80fb167dafdf 9722 /* make headers */
wolfSSL 13:80fb167dafdf 9723 verSz = SetMyVersion(1, ver, FALSE);
wolfSSL 13:80fb167dafdf 9724 seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq);
wolfSSL 13:80fb167dafdf 9725
wolfSSL 13:80fb167dafdf 9726 totalSz = prvidx + pubidx + curveidx + verSz + seqSz;
wolfSSL 13:80fb167dafdf 9727 if (totalSz > (int)inLen) {
wolfSSL 13:80fb167dafdf 9728 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9729 if (pubIn) {
wolfSSL 13:80fb167dafdf 9730 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9731 }
wolfSSL 13:80fb167dafdf 9732 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 9733 }
wolfSSL 13:80fb167dafdf 9734
wolfSSL 13:80fb167dafdf 9735 /* write out */
wolfSSL 13:80fb167dafdf 9736 /* seq */
wolfSSL 13:80fb167dafdf 9737 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 13:80fb167dafdf 9738 idx = seqSz;
wolfSSL 13:80fb167dafdf 9739
wolfSSL 13:80fb167dafdf 9740 /* ver */
wolfSSL 13:80fb167dafdf 9741 XMEMCPY(output + idx, ver, verSz);
wolfSSL 13:80fb167dafdf 9742 idx += verSz;
wolfSSL 13:80fb167dafdf 9743
wolfSSL 13:80fb167dafdf 9744 /* private */
wolfSSL 13:80fb167dafdf 9745 XMEMCPY(output + idx, prv, prvidx);
wolfSSL 13:80fb167dafdf 9746 idx += prvidx;
wolfSSL 13:80fb167dafdf 9747 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9748
wolfSSL 13:80fb167dafdf 9749 /* curve */
wolfSSL 13:80fb167dafdf 9750 XMEMCPY(output + idx, curve, curveidx);
wolfSSL 13:80fb167dafdf 9751 idx += curveidx;
wolfSSL 13:80fb167dafdf 9752
wolfSSL 13:80fb167dafdf 9753 /* pubIn */
wolfSSL 13:80fb167dafdf 9754 if (pubIn) {
wolfSSL 13:80fb167dafdf 9755 XMEMCPY(output + idx, pub, pubidx);
wolfSSL 13:80fb167dafdf 9756 /* idx += pubidx; not used after write, if more data remove comment */
wolfSSL 13:80fb167dafdf 9757 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:80fb167dafdf 9758 }
wolfSSL 13:80fb167dafdf 9759
wolfSSL 13:80fb167dafdf 9760 return totalSz;
wolfSSL 13:80fb167dafdf 9761 }
wolfSSL 13:80fb167dafdf 9762
wolfSSL 13:80fb167dafdf 9763
wolfSSL 13:80fb167dafdf 9764 /* Write a Private ecc key, including public to DER format,
wolfSSL 13:80fb167dafdf 9765 * length on success else < 0 */
wolfSSL 13:80fb167dafdf 9766 int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
wolfSSL 13:80fb167dafdf 9767 {
wolfSSL 13:80fb167dafdf 9768 return wc_BuildEccKeyDer(key, output, inLen, 1);
wolfSSL 13:80fb167dafdf 9769 }
wolfSSL 13:80fb167dafdf 9770
wolfSSL 13:80fb167dafdf 9771
wolfSSL 13:80fb167dafdf 9772 /* Write only private ecc key to DER format,
wolfSSL 13:80fb167dafdf 9773 * length on success else < 0 */
wolfSSL 13:80fb167dafdf 9774 int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen)
wolfSSL 13:80fb167dafdf 9775 {
wolfSSL 13:80fb167dafdf 9776 return wc_BuildEccKeyDer(key, output, inLen, 0);
wolfSSL 13:80fb167dafdf 9777 }
wolfSSL 13:80fb167dafdf 9778
wolfSSL 13:80fb167dafdf 9779 #endif /* WOLFSSL_KEY_GEN */
wolfSSL 13:80fb167dafdf 9780
wolfSSL 13:80fb167dafdf 9781 #endif /* HAVE_ECC */
wolfSSL 13:80fb167dafdf 9782
wolfSSL 13:80fb167dafdf 9783
wolfSSL 13:80fb167dafdf 9784 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
wolfSSL 13:80fb167dafdf 9785
wolfSSL 13:80fb167dafdf 9786 /* Get raw Date only, no processing, 0 on success */
wolfSSL 13:80fb167dafdf 9787 static int GetBasicDate(const byte* source, word32* idx, byte* date,
wolfSSL 13:80fb167dafdf 9788 byte* format, int maxIdx)
wolfSSL 13:80fb167dafdf 9789 {
wolfSSL 13:80fb167dafdf 9790 int length;
wolfSSL 13:80fb167dafdf 9791
wolfSSL 13:80fb167dafdf 9792 WOLFSSL_ENTER("GetBasicDate");
wolfSSL 13:80fb167dafdf 9793
wolfSSL 13:80fb167dafdf 9794 *format = source[*idx];
wolfSSL 13:80fb167dafdf 9795 *idx += 1;
wolfSSL 13:80fb167dafdf 9796 if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
wolfSSL 13:80fb167dafdf 9797 return ASN_TIME_E;
wolfSSL 13:80fb167dafdf 9798
wolfSSL 13:80fb167dafdf 9799 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 9800 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9801
wolfSSL 13:80fb167dafdf 9802 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 13:80fb167dafdf 9803 return ASN_DATE_SZ_E;
wolfSSL 13:80fb167dafdf 9804
wolfSSL 13:80fb167dafdf 9805 XMEMCPY(date, &source[*idx], length);
wolfSSL 13:80fb167dafdf 9806 *idx += length;
wolfSSL 13:80fb167dafdf 9807
wolfSSL 13:80fb167dafdf 9808 return 0;
wolfSSL 13:80fb167dafdf 9809 }
wolfSSL 13:80fb167dafdf 9810
wolfSSL 13:80fb167dafdf 9811 #endif
wolfSSL 13:80fb167dafdf 9812
wolfSSL 13:80fb167dafdf 9813
wolfSSL 13:80fb167dafdf 9814 #ifdef HAVE_OCSP
wolfSSL 13:80fb167dafdf 9815
wolfSSL 13:80fb167dafdf 9816 static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
wolfSSL 13:80fb167dafdf 9817 {
wolfSSL 13:80fb167dafdf 9818 word32 idx = *inOutIdx;
wolfSSL 13:80fb167dafdf 9819 word32 len;
wolfSSL 13:80fb167dafdf 9820
wolfSSL 13:80fb167dafdf 9821 WOLFSSL_ENTER("GetEnumerated");
wolfSSL 13:80fb167dafdf 9822
wolfSSL 13:80fb167dafdf 9823 *value = 0;
wolfSSL 13:80fb167dafdf 9824
wolfSSL 13:80fb167dafdf 9825 if (input[idx++] != ASN_ENUMERATED)
wolfSSL 13:80fb167dafdf 9826 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9827
wolfSSL 13:80fb167dafdf 9828 len = input[idx++];
wolfSSL 13:80fb167dafdf 9829 if (len > 4)
wolfSSL 13:80fb167dafdf 9830 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9831
wolfSSL 13:80fb167dafdf 9832 while (len--) {
wolfSSL 13:80fb167dafdf 9833 *value = *value << 8 | input[idx++];
wolfSSL 13:80fb167dafdf 9834 }
wolfSSL 13:80fb167dafdf 9835
wolfSSL 13:80fb167dafdf 9836 *inOutIdx = idx;
wolfSSL 13:80fb167dafdf 9837
wolfSSL 13:80fb167dafdf 9838 return *value;
wolfSSL 13:80fb167dafdf 9839 }
wolfSSL 13:80fb167dafdf 9840
wolfSSL 13:80fb167dafdf 9841
wolfSSL 13:80fb167dafdf 9842 static int DecodeSingleResponse(byte* source,
wolfSSL 13:80fb167dafdf 9843 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 13:80fb167dafdf 9844 {
wolfSSL 13:80fb167dafdf 9845 word32 idx = *ioIndex, prevIndex, oid;
wolfSSL 13:80fb167dafdf 9846 int length, wrapperSz;
wolfSSL 13:80fb167dafdf 9847 CertStatus* cs = resp->status;
wolfSSL 13:80fb167dafdf 9848 int ret;
wolfSSL 13:80fb167dafdf 9849
wolfSSL 13:80fb167dafdf 9850 WOLFSSL_ENTER("DecodeSingleResponse");
wolfSSL 13:80fb167dafdf 9851
wolfSSL 13:80fb167dafdf 9852 /* Outer wrapper of the SEQUENCE OF Single Responses. */
wolfSSL 13:80fb167dafdf 9853 if (GetSequence(source, &idx, &wrapperSz, size) < 0)
wolfSSL 13:80fb167dafdf 9854 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9855
wolfSSL 13:80fb167dafdf 9856 prevIndex = idx;
wolfSSL 13:80fb167dafdf 9857
wolfSSL 13:80fb167dafdf 9858 /* When making a request, we only request one status on one certificate
wolfSSL 13:80fb167dafdf 9859 * at a time. There should only be one SingleResponse */
wolfSSL 13:80fb167dafdf 9860
wolfSSL 13:80fb167dafdf 9861 /* Wrapper around the Single Response */
wolfSSL 13:80fb167dafdf 9862 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 9863 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9864
wolfSSL 13:80fb167dafdf 9865 /* Wrapper around the CertID */
wolfSSL 13:80fb167dafdf 9866 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 9867 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9868 /* Skip the hash algorithm */
wolfSSL 13:80fb167dafdf 9869 if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0)
wolfSSL 13:80fb167dafdf 9870 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9871 /* Save reference to the hash of CN */
wolfSSL 13:80fb167dafdf 9872 ret = GetOctetString(source, &idx, &length, size);
wolfSSL 13:80fb167dafdf 9873 if (ret < 0)
wolfSSL 13:80fb167dafdf 9874 return ret;
wolfSSL 13:80fb167dafdf 9875 resp->issuerHash = source + idx;
wolfSSL 13:80fb167dafdf 9876 idx += length;
wolfSSL 13:80fb167dafdf 9877 /* Save reference to the hash of the issuer public key */
wolfSSL 13:80fb167dafdf 9878 ret = GetOctetString(source, &idx, &length, size);
wolfSSL 13:80fb167dafdf 9879 if (ret < 0)
wolfSSL 13:80fb167dafdf 9880 return ret;
wolfSSL 13:80fb167dafdf 9881 resp->issuerKeyHash = source + idx;
wolfSSL 13:80fb167dafdf 9882 idx += length;
wolfSSL 13:80fb167dafdf 9883
wolfSSL 13:80fb167dafdf 9884 /* Get serial number */
wolfSSL 13:80fb167dafdf 9885 if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0)
wolfSSL 13:80fb167dafdf 9886 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9887
wolfSSL 13:80fb167dafdf 9888 /* CertStatus */
wolfSSL 13:80fb167dafdf 9889 switch (source[idx++])
wolfSSL 13:80fb167dafdf 9890 {
wolfSSL 13:80fb167dafdf 9891 case (ASN_CONTEXT_SPECIFIC | CERT_GOOD):
wolfSSL 13:80fb167dafdf 9892 cs->status = CERT_GOOD;
wolfSSL 13:80fb167dafdf 9893 idx++;
wolfSSL 13:80fb167dafdf 9894 break;
wolfSSL 13:80fb167dafdf 9895 case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED):
wolfSSL 13:80fb167dafdf 9896 cs->status = CERT_REVOKED;
wolfSSL 13:80fb167dafdf 9897 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 9898 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9899 idx += length;
wolfSSL 13:80fb167dafdf 9900 break;
wolfSSL 13:80fb167dafdf 9901 case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN):
wolfSSL 13:80fb167dafdf 9902 cs->status = CERT_UNKNOWN;
wolfSSL 13:80fb167dafdf 9903 idx++;
wolfSSL 13:80fb167dafdf 9904 break;
wolfSSL 13:80fb167dafdf 9905 default:
wolfSSL 13:80fb167dafdf 9906 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9907 }
wolfSSL 13:80fb167dafdf 9908
wolfSSL 13:80fb167dafdf 9909 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
wolfSSL 13:80fb167dafdf 9910 cs->thisDateAsn = source + idx;
wolfSSL 13:80fb167dafdf 9911 #endif
wolfSSL 13:80fb167dafdf 9912 if (GetBasicDate(source, &idx, cs->thisDate,
wolfSSL 13:80fb167dafdf 9913 &cs->thisDateFormat, size) < 0)
wolfSSL 13:80fb167dafdf 9914 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9915
wolfSSL 13:80fb167dafdf 9916 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 9917 if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
wolfSSL 13:80fb167dafdf 9918 return ASN_BEFORE_DATE_E;
wolfSSL 13:80fb167dafdf 9919 #endif
wolfSSL 13:80fb167dafdf 9920
wolfSSL 13:80fb167dafdf 9921 /* The following items are optional. Only check for them if there is more
wolfSSL 13:80fb167dafdf 9922 * unprocessed data in the singleResponse wrapper. */
wolfSSL 13:80fb167dafdf 9923
wolfSSL 13:80fb167dafdf 9924 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 13:80fb167dafdf 9925 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)))
wolfSSL 13:80fb167dafdf 9926 {
wolfSSL 13:80fb167dafdf 9927 idx++;
wolfSSL 13:80fb167dafdf 9928 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 9929 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9930 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
wolfSSL 13:80fb167dafdf 9931 cs->nextDateAsn = source + idx;
wolfSSL 13:80fb167dafdf 9932 #endif
wolfSSL 13:80fb167dafdf 9933 if (GetBasicDate(source, &idx, cs->nextDate,
wolfSSL 13:80fb167dafdf 9934 &cs->nextDateFormat, size) < 0)
wolfSSL 13:80fb167dafdf 9935 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9936
wolfSSL 13:80fb167dafdf 9937 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 9938 if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
wolfSSL 13:80fb167dafdf 9939 return ASN_AFTER_DATE_E;
wolfSSL 13:80fb167dafdf 9940 #endif
wolfSSL 13:80fb167dafdf 9941 }
wolfSSL 13:80fb167dafdf 9942 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 13:80fb167dafdf 9943 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
wolfSSL 13:80fb167dafdf 9944 {
wolfSSL 13:80fb167dafdf 9945 idx++;
wolfSSL 13:80fb167dafdf 9946 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 9947 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9948 idx += length;
wolfSSL 13:80fb167dafdf 9949 }
wolfSSL 13:80fb167dafdf 9950
wolfSSL 13:80fb167dafdf 9951 *ioIndex = idx;
wolfSSL 13:80fb167dafdf 9952
wolfSSL 13:80fb167dafdf 9953 return 0;
wolfSSL 13:80fb167dafdf 9954 }
wolfSSL 13:80fb167dafdf 9955
wolfSSL 13:80fb167dafdf 9956 static int DecodeOcspRespExtensions(byte* source,
wolfSSL 13:80fb167dafdf 9957 word32* ioIndex, OcspResponse* resp, word32 sz)
wolfSSL 13:80fb167dafdf 9958 {
wolfSSL 13:80fb167dafdf 9959 word32 idx = *ioIndex;
wolfSSL 13:80fb167dafdf 9960 int length;
wolfSSL 13:80fb167dafdf 9961 int ext_bound; /* boundary index for the sequence of extensions */
wolfSSL 13:80fb167dafdf 9962 word32 oid;
wolfSSL 13:80fb167dafdf 9963 int ret;
wolfSSL 13:80fb167dafdf 9964
wolfSSL 13:80fb167dafdf 9965 WOLFSSL_ENTER("DecodeOcspRespExtensions");
wolfSSL 13:80fb167dafdf 9966
wolfSSL 13:80fb167dafdf 9967 if ((idx + 1) > sz)
wolfSSL 13:80fb167dafdf 9968 return BUFFER_E;
wolfSSL 13:80fb167dafdf 9969
wolfSSL 13:80fb167dafdf 9970 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 13:80fb167dafdf 9971 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9972
wolfSSL 13:80fb167dafdf 9973 if (GetLength(source, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 9974 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9975
wolfSSL 13:80fb167dafdf 9976 if (GetSequence(source, &idx, &length, sz) < 0)
wolfSSL 13:80fb167dafdf 9977 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9978
wolfSSL 13:80fb167dafdf 9979 ext_bound = idx + length;
wolfSSL 13:80fb167dafdf 9980
wolfSSL 13:80fb167dafdf 9981 while (idx < (word32)ext_bound) {
wolfSSL 13:80fb167dafdf 9982 if (GetSequence(source, &idx, &length, sz) < 0) {
wolfSSL 13:80fb167dafdf 9983 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 13:80fb167dafdf 9984 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9985 }
wolfSSL 13:80fb167dafdf 9986
wolfSSL 13:80fb167dafdf 9987 oid = 0;
wolfSSL 13:80fb167dafdf 9988 if (GetObjectId(source, &idx, &oid, oidOcspType, sz) < 0) {
wolfSSL 13:80fb167dafdf 9989 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 13:80fb167dafdf 9990 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 9991 }
wolfSSL 13:80fb167dafdf 9992
wolfSSL 13:80fb167dafdf 9993 /* check for critical flag */
wolfSSL 13:80fb167dafdf 9994 if (source[idx] == ASN_BOOLEAN) {
wolfSSL 13:80fb167dafdf 9995 WOLFSSL_MSG("\tfound optional critical flag, moving past");
wolfSSL 13:80fb167dafdf 9996 ret = GetBoolean(source, &idx, sz);
wolfSSL 13:80fb167dafdf 9997 if (ret < 0)
wolfSSL 13:80fb167dafdf 9998 return ret;
wolfSSL 13:80fb167dafdf 9999 }
wolfSSL 13:80fb167dafdf 10000
wolfSSL 13:80fb167dafdf 10001 ret = GetOctetString(source, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 10002 if (ret < 0)
wolfSSL 13:80fb167dafdf 10003 return ret;
wolfSSL 13:80fb167dafdf 10004
wolfSSL 13:80fb167dafdf 10005 if (oid == OCSP_NONCE_OID) {
wolfSSL 13:80fb167dafdf 10006 /* get data inside extra OCTET_STRING */
wolfSSL 13:80fb167dafdf 10007 ret = GetOctetString(source, &idx, &length, sz);
wolfSSL 13:80fb167dafdf 10008 if (ret < 0)
wolfSSL 13:80fb167dafdf 10009 return ret;
wolfSSL 13:80fb167dafdf 10010
wolfSSL 13:80fb167dafdf 10011 resp->nonce = source + idx;
wolfSSL 13:80fb167dafdf 10012 resp->nonceSz = length;
wolfSSL 13:80fb167dafdf 10013 }
wolfSSL 13:80fb167dafdf 10014
wolfSSL 13:80fb167dafdf 10015 idx += length;
wolfSSL 13:80fb167dafdf 10016 }
wolfSSL 13:80fb167dafdf 10017
wolfSSL 13:80fb167dafdf 10018 *ioIndex = idx;
wolfSSL 13:80fb167dafdf 10019 return 0;
wolfSSL 13:80fb167dafdf 10020 }
wolfSSL 13:80fb167dafdf 10021
wolfSSL 13:80fb167dafdf 10022
wolfSSL 13:80fb167dafdf 10023 static int DecodeResponseData(byte* source,
wolfSSL 13:80fb167dafdf 10024 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 13:80fb167dafdf 10025 {
wolfSSL 13:80fb167dafdf 10026 word32 idx = *ioIndex, prev_idx;
wolfSSL 13:80fb167dafdf 10027 int length;
wolfSSL 13:80fb167dafdf 10028 int version;
wolfSSL 13:80fb167dafdf 10029 word32 responderId = 0;
wolfSSL 13:80fb167dafdf 10030
wolfSSL 13:80fb167dafdf 10031 WOLFSSL_ENTER("DecodeResponseData");
wolfSSL 13:80fb167dafdf 10032
wolfSSL 13:80fb167dafdf 10033 resp->response = source + idx;
wolfSSL 13:80fb167dafdf 10034 prev_idx = idx;
wolfSSL 13:80fb167dafdf 10035 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10036 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10037 resp->responseSz = length + idx - prev_idx;
wolfSSL 13:80fb167dafdf 10038
wolfSSL 13:80fb167dafdf 10039 /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
wolfSSL 13:80fb167dafdf 10040 * item isn't an EXPLICIT[0], then set version to zero and move
wolfSSL 13:80fb167dafdf 10041 * onto the next item.
wolfSSL 13:80fb167dafdf 10042 */
wolfSSL 13:80fb167dafdf 10043 if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
wolfSSL 13:80fb167dafdf 10044 {
wolfSSL 13:80fb167dafdf 10045 idx += 2; /* Eat the value and length */
wolfSSL 13:80fb167dafdf 10046 if (GetMyVersion(source, &idx, &version, size) < 0)
wolfSSL 13:80fb167dafdf 10047 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10048 } else
wolfSSL 13:80fb167dafdf 10049 version = 0;
wolfSSL 13:80fb167dafdf 10050
wolfSSL 13:80fb167dafdf 10051 responderId = source[idx++];
wolfSSL 13:80fb167dafdf 10052 if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
wolfSSL 13:80fb167dafdf 10053 (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
wolfSSL 13:80fb167dafdf 10054 {
wolfSSL 13:80fb167dafdf 10055 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10056 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10057 idx += length;
wolfSSL 13:80fb167dafdf 10058 }
wolfSSL 13:80fb167dafdf 10059 else
wolfSSL 13:80fb167dafdf 10060 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10061
wolfSSL 13:80fb167dafdf 10062 /* save pointer to the producedAt time */
wolfSSL 13:80fb167dafdf 10063 if (GetBasicDate(source, &idx, resp->producedDate,
wolfSSL 13:80fb167dafdf 10064 &resp->producedDateFormat, size) < 0)
wolfSSL 13:80fb167dafdf 10065 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10066
wolfSSL 13:80fb167dafdf 10067 if (DecodeSingleResponse(source, &idx, resp, size) < 0)
wolfSSL 13:80fb167dafdf 10068 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10069
wolfSSL 13:80fb167dafdf 10070 /*
wolfSSL 13:80fb167dafdf 10071 * Check the length of the ResponseData against the current index to
wolfSSL 13:80fb167dafdf 10072 * see if there are extensions, they are optional.
wolfSSL 13:80fb167dafdf 10073 */
wolfSSL 13:80fb167dafdf 10074 if (idx - prev_idx < resp->responseSz)
wolfSSL 13:80fb167dafdf 10075 if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
wolfSSL 13:80fb167dafdf 10076 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10077
wolfSSL 13:80fb167dafdf 10078 *ioIndex = idx;
wolfSSL 13:80fb167dafdf 10079 return 0;
wolfSSL 13:80fb167dafdf 10080 }
wolfSSL 13:80fb167dafdf 10081
wolfSSL 13:80fb167dafdf 10082
wolfSSL 13:80fb167dafdf 10083 #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
wolfSSL 13:80fb167dafdf 10084
wolfSSL 13:80fb167dafdf 10085 static int DecodeCerts(byte* source,
wolfSSL 13:80fb167dafdf 10086 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 13:80fb167dafdf 10087 {
wolfSSL 13:80fb167dafdf 10088 word32 idx = *ioIndex;
wolfSSL 13:80fb167dafdf 10089
wolfSSL 13:80fb167dafdf 10090 WOLFSSL_ENTER("DecodeCerts");
wolfSSL 13:80fb167dafdf 10091
wolfSSL 13:80fb167dafdf 10092 if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 13:80fb167dafdf 10093 {
wolfSSL 13:80fb167dafdf 10094 int length;
wolfSSL 13:80fb167dafdf 10095
wolfSSL 13:80fb167dafdf 10096 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10097 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10098
wolfSSL 13:80fb167dafdf 10099 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10100 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10101
wolfSSL 13:80fb167dafdf 10102 resp->cert = source + idx;
wolfSSL 13:80fb167dafdf 10103 resp->certSz = length;
wolfSSL 13:80fb167dafdf 10104
wolfSSL 13:80fb167dafdf 10105 idx += length;
wolfSSL 13:80fb167dafdf 10106 }
wolfSSL 13:80fb167dafdf 10107 *ioIndex = idx;
wolfSSL 13:80fb167dafdf 10108 return 0;
wolfSSL 13:80fb167dafdf 10109 }
wolfSSL 13:80fb167dafdf 10110
wolfSSL 13:80fb167dafdf 10111 #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
wolfSSL 13:80fb167dafdf 10112
wolfSSL 13:80fb167dafdf 10113
wolfSSL 13:80fb167dafdf 10114 static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
wolfSSL 13:80fb167dafdf 10115 OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify)
wolfSSL 13:80fb167dafdf 10116 {
wolfSSL 13:80fb167dafdf 10117 int length;
wolfSSL 13:80fb167dafdf 10118 word32 idx = *ioIndex;
wolfSSL 13:80fb167dafdf 10119 word32 end_index;
wolfSSL 13:80fb167dafdf 10120 int ret;
wolfSSL 13:80fb167dafdf 10121 int sigLength;
wolfSSL 13:80fb167dafdf 10122
wolfSSL 13:80fb167dafdf 10123 WOLFSSL_ENTER("DecodeBasicOcspResponse");
wolfSSL 13:80fb167dafdf 10124 (void)heap;
wolfSSL 13:80fb167dafdf 10125
wolfSSL 13:80fb167dafdf 10126 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10127 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10128
wolfSSL 13:80fb167dafdf 10129 if (idx + length > size)
wolfSSL 13:80fb167dafdf 10130 return ASN_INPUT_E;
wolfSSL 13:80fb167dafdf 10131 end_index = idx + length;
wolfSSL 13:80fb167dafdf 10132
wolfSSL 13:80fb167dafdf 10133 if (DecodeResponseData(source, &idx, resp, size) < 0)
wolfSSL 13:80fb167dafdf 10134 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10135
wolfSSL 13:80fb167dafdf 10136 /* Get the signature algorithm */
wolfSSL 13:80fb167dafdf 10137 if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0)
wolfSSL 13:80fb167dafdf 10138 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10139
wolfSSL 13:80fb167dafdf 10140 ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL);
wolfSSL 13:80fb167dafdf 10141 if (ret != 0)
wolfSSL 13:80fb167dafdf 10142 return ret;
wolfSSL 13:80fb167dafdf 10143
wolfSSL 13:80fb167dafdf 10144 resp->sigSz = sigLength;
wolfSSL 13:80fb167dafdf 10145 resp->sig = source + idx;
wolfSSL 13:80fb167dafdf 10146 idx += sigLength;
wolfSSL 13:80fb167dafdf 10147
wolfSSL 13:80fb167dafdf 10148 /*
wolfSSL 13:80fb167dafdf 10149 * Check the length of the BasicOcspResponse against the current index to
wolfSSL 13:80fb167dafdf 10150 * see if there are certificates, they are optional.
wolfSSL 13:80fb167dafdf 10151 */
wolfSSL 13:80fb167dafdf 10152 #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
wolfSSL 13:80fb167dafdf 10153 if (idx < end_index)
wolfSSL 13:80fb167dafdf 10154 {
wolfSSL 13:80fb167dafdf 10155 DecodedCert cert;
wolfSSL 13:80fb167dafdf 10156
wolfSSL 13:80fb167dafdf 10157 if (DecodeCerts(source, &idx, resp, size) < 0)
wolfSSL 13:80fb167dafdf 10158 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10159
wolfSSL 13:80fb167dafdf 10160 InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
wolfSSL 13:80fb167dafdf 10161 /* Don't verify if we don't have access to Cert Manager. */
wolfSSL 13:80fb167dafdf 10162 ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY,
wolfSSL 13:80fb167dafdf 10163 cm);
wolfSSL 13:80fb167dafdf 10164 if (ret < 0) {
wolfSSL 13:80fb167dafdf 10165 WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
wolfSSL 13:80fb167dafdf 10166 FreeDecodedCert(&cert);
wolfSSL 13:80fb167dafdf 10167 return ret;
wolfSSL 13:80fb167dafdf 10168 }
wolfSSL 13:80fb167dafdf 10169
wolfSSL 13:80fb167dafdf 10170 /* ConfirmSignature is blocking here */
wolfSSL 13:80fb167dafdf 10171 ret = ConfirmSignature(&cert.sigCtx,
wolfSSL 13:80fb167dafdf 10172 resp->response, resp->responseSz,
wolfSSL 13:80fb167dafdf 10173 cert.publicKey, cert.pubKeySize, cert.keyOID,
wolfSSL 13:80fb167dafdf 10174 resp->sig, resp->sigSz, resp->sigOID);
wolfSSL 13:80fb167dafdf 10175 FreeDecodedCert(&cert);
wolfSSL 13:80fb167dafdf 10176
wolfSSL 13:80fb167dafdf 10177 if (ret != 0) {
wolfSSL 13:80fb167dafdf 10178 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 13:80fb167dafdf 10179 return ASN_OCSP_CONFIRM_E;
wolfSSL 13:80fb167dafdf 10180 }
wolfSSL 13:80fb167dafdf 10181 }
wolfSSL 13:80fb167dafdf 10182 else
wolfSSL 13:80fb167dafdf 10183 #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
wolfSSL 13:80fb167dafdf 10184 {
wolfSSL 13:80fb167dafdf 10185 Signer* ca = NULL;
wolfSSL 13:80fb167dafdf 10186 int sigValid = -1;
wolfSSL 13:80fb167dafdf 10187
wolfSSL 13:80fb167dafdf 10188 #ifndef NO_SKID
wolfSSL 13:80fb167dafdf 10189 ca = GetCA(cm, resp->issuerKeyHash);
wolfSSL 13:80fb167dafdf 10190 #else
wolfSSL 13:80fb167dafdf 10191 ca = GetCA(cm, resp->issuerHash);
wolfSSL 13:80fb167dafdf 10192 #endif
wolfSSL 13:80fb167dafdf 10193
wolfSSL 13:80fb167dafdf 10194 if (ca) {
wolfSSL 13:80fb167dafdf 10195 SignatureCtx sigCtx;
wolfSSL 13:80fb167dafdf 10196 InitSignatureCtx(&sigCtx, heap, INVALID_DEVID);
wolfSSL 13:80fb167dafdf 10197
wolfSSL 13:80fb167dafdf 10198 /* ConfirmSignature is blocking here */
wolfSSL 13:80fb167dafdf 10199 sigValid = ConfirmSignature(&sigCtx, resp->response,
wolfSSL 13:80fb167dafdf 10200 resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 13:80fb167dafdf 10201 resp->sig, resp->sigSz, resp->sigOID);
wolfSSL 13:80fb167dafdf 10202 }
wolfSSL 13:80fb167dafdf 10203 if (ca == NULL || sigValid != 0) {
wolfSSL 13:80fb167dafdf 10204 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 13:80fb167dafdf 10205 return ASN_OCSP_CONFIRM_E;
wolfSSL 13:80fb167dafdf 10206 }
wolfSSL 13:80fb167dafdf 10207 }
wolfSSL 13:80fb167dafdf 10208
wolfSSL 13:80fb167dafdf 10209 *ioIndex = idx;
wolfSSL 13:80fb167dafdf 10210 return 0;
wolfSSL 13:80fb167dafdf 10211 }
wolfSSL 13:80fb167dafdf 10212
wolfSSL 13:80fb167dafdf 10213
wolfSSL 13:80fb167dafdf 10214 void InitOcspResponse(OcspResponse* resp, CertStatus* status,
wolfSSL 13:80fb167dafdf 10215 byte* source, word32 inSz)
wolfSSL 13:80fb167dafdf 10216 {
wolfSSL 13:80fb167dafdf 10217 WOLFSSL_ENTER("InitOcspResponse");
wolfSSL 13:80fb167dafdf 10218
wolfSSL 13:80fb167dafdf 10219 XMEMSET(status, 0, sizeof(CertStatus));
wolfSSL 13:80fb167dafdf 10220 XMEMSET(resp, 0, sizeof(OcspResponse));
wolfSSL 13:80fb167dafdf 10221
wolfSSL 13:80fb167dafdf 10222 resp->responseStatus = -1;
wolfSSL 13:80fb167dafdf 10223 resp->status = status;
wolfSSL 13:80fb167dafdf 10224 resp->source = source;
wolfSSL 13:80fb167dafdf 10225 resp->maxIdx = inSz;
wolfSSL 13:80fb167dafdf 10226 }
wolfSSL 13:80fb167dafdf 10227
wolfSSL 13:80fb167dafdf 10228
wolfSSL 13:80fb167dafdf 10229 int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
wolfSSL 13:80fb167dafdf 10230 {
wolfSSL 13:80fb167dafdf 10231 int ret;
wolfSSL 13:80fb167dafdf 10232 int length = 0;
wolfSSL 13:80fb167dafdf 10233 word32 idx = 0;
wolfSSL 13:80fb167dafdf 10234 byte* source = resp->source;
wolfSSL 13:80fb167dafdf 10235 word32 size = resp->maxIdx;
wolfSSL 13:80fb167dafdf 10236 word32 oid;
wolfSSL 13:80fb167dafdf 10237
wolfSSL 13:80fb167dafdf 10238 WOLFSSL_ENTER("OcspResponseDecode");
wolfSSL 13:80fb167dafdf 10239
wolfSSL 13:80fb167dafdf 10240 /* peel the outer SEQUENCE wrapper */
wolfSSL 13:80fb167dafdf 10241 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10242 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10243
wolfSSL 13:80fb167dafdf 10244 /* First get the responseStatus, an ENUMERATED */
wolfSSL 13:80fb167dafdf 10245 if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
wolfSSL 13:80fb167dafdf 10246 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10247
wolfSSL 13:80fb167dafdf 10248 if (resp->responseStatus != OCSP_SUCCESSFUL)
wolfSSL 13:80fb167dafdf 10249 return 0;
wolfSSL 13:80fb167dafdf 10250
wolfSSL 13:80fb167dafdf 10251 /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
wolfSSL 13:80fb167dafdf 10252 if (idx >= size)
wolfSSL 13:80fb167dafdf 10253 return ASN_INPUT_E;
wolfSSL 13:80fb167dafdf 10254 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 13:80fb167dafdf 10255 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10256 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10257 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10258
wolfSSL 13:80fb167dafdf 10259 /* Get the responseBytes SEQUENCE */
wolfSSL 13:80fb167dafdf 10260 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 13:80fb167dafdf 10261 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10262
wolfSSL 13:80fb167dafdf 10263 /* Check ObjectID for the resposeBytes */
wolfSSL 13:80fb167dafdf 10264 if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0)
wolfSSL 13:80fb167dafdf 10265 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10266 if (oid != OCSP_BASIC_OID)
wolfSSL 13:80fb167dafdf 10267 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10268 ret = GetOctetString(source, &idx, &length, size);
wolfSSL 13:80fb167dafdf 10269 if (ret < 0)
wolfSSL 13:80fb167dafdf 10270 return ret;
wolfSSL 13:80fb167dafdf 10271
wolfSSL 13:80fb167dafdf 10272 ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify);
wolfSSL 13:80fb167dafdf 10273 if (ret < 0)
wolfSSL 13:80fb167dafdf 10274 return ret;
wolfSSL 13:80fb167dafdf 10275
wolfSSL 13:80fb167dafdf 10276 return 0;
wolfSSL 13:80fb167dafdf 10277 }
wolfSSL 13:80fb167dafdf 10278
wolfSSL 13:80fb167dafdf 10279
wolfSSL 13:80fb167dafdf 10280 word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
wolfSSL 13:80fb167dafdf 10281 {
wolfSSL 13:80fb167dafdf 10282 static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
wolfSSL 13:80fb167dafdf 10283 0x30, 0x01, 0x02 };
wolfSSL 13:80fb167dafdf 10284 byte seqArray[5][MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 10285 word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId);
wolfSSL 13:80fb167dafdf 10286
wolfSSL 13:80fb167dafdf 10287 WOLFSSL_ENTER("SetOcspReqExtensions");
wolfSSL 13:80fb167dafdf 10288
wolfSSL 13:80fb167dafdf 10289 if (!req || !output || !req->nonceSz)
wolfSSL 13:80fb167dafdf 10290 return 0;
wolfSSL 13:80fb167dafdf 10291
wolfSSL 13:80fb167dafdf 10292 totalSz += req->nonceSz;
wolfSSL 13:80fb167dafdf 10293 totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]);
wolfSSL 13:80fb167dafdf 10294 totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]);
wolfSSL 13:80fb167dafdf 10295 totalSz += seqSz[2] = SetObjectId(sizeof(NonceObjId), seqArray[2]);
wolfSSL 13:80fb167dafdf 10296 totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
wolfSSL 13:80fb167dafdf 10297 totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
wolfSSL 13:80fb167dafdf 10298
wolfSSL 13:80fb167dafdf 10299 if (totalSz > size)
wolfSSL 13:80fb167dafdf 10300 return 0;
wolfSSL 13:80fb167dafdf 10301
wolfSSL 13:80fb167dafdf 10302 totalSz = 0;
wolfSSL 13:80fb167dafdf 10303
wolfSSL 13:80fb167dafdf 10304 XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
wolfSSL 13:80fb167dafdf 10305 totalSz += seqSz[4];
wolfSSL 13:80fb167dafdf 10306
wolfSSL 13:80fb167dafdf 10307 XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
wolfSSL 13:80fb167dafdf 10308 totalSz += seqSz[3];
wolfSSL 13:80fb167dafdf 10309
wolfSSL 13:80fb167dafdf 10310 XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
wolfSSL 13:80fb167dafdf 10311 totalSz += seqSz[2];
wolfSSL 13:80fb167dafdf 10312
wolfSSL 13:80fb167dafdf 10313 XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
wolfSSL 13:80fb167dafdf 10314 totalSz += (word32)sizeof(NonceObjId);
wolfSSL 13:80fb167dafdf 10315
wolfSSL 13:80fb167dafdf 10316 XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
wolfSSL 13:80fb167dafdf 10317 totalSz += seqSz[1];
wolfSSL 13:80fb167dafdf 10318
wolfSSL 13:80fb167dafdf 10319 XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
wolfSSL 13:80fb167dafdf 10320 totalSz += seqSz[0];
wolfSSL 13:80fb167dafdf 10321
wolfSSL 13:80fb167dafdf 10322 XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
wolfSSL 13:80fb167dafdf 10323 totalSz += req->nonceSz;
wolfSSL 13:80fb167dafdf 10324
wolfSSL 13:80fb167dafdf 10325 return totalSz;
wolfSSL 13:80fb167dafdf 10326 }
wolfSSL 13:80fb167dafdf 10327
wolfSSL 13:80fb167dafdf 10328
wolfSSL 13:80fb167dafdf 10329 int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
wolfSSL 13:80fb167dafdf 10330 {
wolfSSL 13:80fb167dafdf 10331 byte seqArray[5][MAX_SEQ_SZ];
wolfSSL 13:80fb167dafdf 10332 /* The ASN.1 of the OCSP Request is an onion of sequences */
wolfSSL 13:80fb167dafdf 10333 byte algoArray[MAX_ALGO_SZ];
wolfSSL 13:80fb167dafdf 10334 byte issuerArray[MAX_ENCODED_DIG_SZ];
wolfSSL 13:80fb167dafdf 10335 byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
wolfSSL 13:80fb167dafdf 10336 byte snArray[MAX_SN_SZ];
wolfSSL 13:80fb167dafdf 10337 byte extArray[MAX_OCSP_EXT_SZ];
wolfSSL 13:80fb167dafdf 10338 word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
wolfSSL 13:80fb167dafdf 10339 int i;
wolfSSL 13:80fb167dafdf 10340
wolfSSL 13:80fb167dafdf 10341 WOLFSSL_ENTER("EncodeOcspRequest");
wolfSSL 13:80fb167dafdf 10342
wolfSSL 13:80fb167dafdf 10343 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 10344 algoSz = SetAlgoID(SHA256h, algoArray, oidHashType, 0);
wolfSSL 13:80fb167dafdf 10345 #else
wolfSSL 13:80fb167dafdf 10346 algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0);
wolfSSL 13:80fb167dafdf 10347 #endif
wolfSSL 13:80fb167dafdf 10348
wolfSSL 13:80fb167dafdf 10349 issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray);
wolfSSL 13:80fb167dafdf 10350 issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray);
wolfSSL 13:80fb167dafdf 10351 snSz = SetSerialNumber(req->serial, req->serialSz, snArray);
wolfSSL 13:80fb167dafdf 10352 extSz = 0;
wolfSSL 13:80fb167dafdf 10353
wolfSSL 13:80fb167dafdf 10354 if (req->nonceSz) {
wolfSSL 13:80fb167dafdf 10355 /* TLS Extensions use this function too - put extensions after
wolfSSL 13:80fb167dafdf 10356 * ASN.1: Context Specific [2].
wolfSSL 13:80fb167dafdf 10357 */
wolfSSL 13:80fb167dafdf 10358 extSz = EncodeOcspRequestExtensions(req, extArray + 2,
wolfSSL 13:80fb167dafdf 10359 OCSP_NONCE_EXT_SZ);
wolfSSL 13:80fb167dafdf 10360 extSz += SetExplicit(2, extSz, extArray);
wolfSSL 13:80fb167dafdf 10361 }
wolfSSL 13:80fb167dafdf 10362
wolfSSL 13:80fb167dafdf 10363 totalSz = algoSz + issuerSz + issuerKeySz + snSz;
wolfSSL 13:80fb167dafdf 10364 for (i = 4; i >= 0; i--) {
wolfSSL 13:80fb167dafdf 10365 seqSz[i] = SetSequence(totalSz, seqArray[i]);
wolfSSL 13:80fb167dafdf 10366 totalSz += seqSz[i];
wolfSSL 13:80fb167dafdf 10367 if (i == 2) totalSz += extSz;
wolfSSL 13:80fb167dafdf 10368 }
wolfSSL 13:80fb167dafdf 10369
wolfSSL 13:80fb167dafdf 10370 if (output == NULL)
wolfSSL 13:80fb167dafdf 10371 return totalSz;
wolfSSL 13:80fb167dafdf 10372 if (totalSz > size)
wolfSSL 13:80fb167dafdf 10373 return BUFFER_E;
wolfSSL 13:80fb167dafdf 10374
wolfSSL 13:80fb167dafdf 10375 totalSz = 0;
wolfSSL 13:80fb167dafdf 10376 for (i = 0; i < 5; i++) {
wolfSSL 13:80fb167dafdf 10377 XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
wolfSSL 13:80fb167dafdf 10378 totalSz += seqSz[i];
wolfSSL 13:80fb167dafdf 10379 }
wolfSSL 13:80fb167dafdf 10380
wolfSSL 13:80fb167dafdf 10381 XMEMCPY(output + totalSz, algoArray, algoSz);
wolfSSL 13:80fb167dafdf 10382 totalSz += algoSz;
wolfSSL 13:80fb167dafdf 10383
wolfSSL 13:80fb167dafdf 10384 XMEMCPY(output + totalSz, issuerArray, issuerSz);
wolfSSL 13:80fb167dafdf 10385 totalSz += issuerSz;
wolfSSL 13:80fb167dafdf 10386
wolfSSL 13:80fb167dafdf 10387 XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
wolfSSL 13:80fb167dafdf 10388 totalSz += issuerKeySz;
wolfSSL 13:80fb167dafdf 10389
wolfSSL 13:80fb167dafdf 10390 XMEMCPY(output + totalSz, snArray, snSz);
wolfSSL 13:80fb167dafdf 10391 totalSz += snSz;
wolfSSL 13:80fb167dafdf 10392
wolfSSL 13:80fb167dafdf 10393 if (extSz != 0) {
wolfSSL 13:80fb167dafdf 10394 XMEMCPY(output + totalSz, extArray, extSz);
wolfSSL 13:80fb167dafdf 10395 totalSz += extSz;
wolfSSL 13:80fb167dafdf 10396 }
wolfSSL 13:80fb167dafdf 10397
wolfSSL 13:80fb167dafdf 10398 return totalSz;
wolfSSL 13:80fb167dafdf 10399 }
wolfSSL 13:80fb167dafdf 10400
wolfSSL 13:80fb167dafdf 10401
wolfSSL 13:80fb167dafdf 10402 int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
wolfSSL 13:80fb167dafdf 10403 void* heap)
wolfSSL 13:80fb167dafdf 10404 {
wolfSSL 13:80fb167dafdf 10405 int ret;
wolfSSL 13:80fb167dafdf 10406
wolfSSL 13:80fb167dafdf 10407 WOLFSSL_ENTER("InitOcspRequest");
wolfSSL 13:80fb167dafdf 10408
wolfSSL 13:80fb167dafdf 10409 if (req == NULL)
wolfSSL 13:80fb167dafdf 10410 return BAD_FUNC_ARG;
wolfSSL 13:80fb167dafdf 10411
wolfSSL 13:80fb167dafdf 10412 ForceZero(req, sizeof(OcspRequest));
wolfSSL 13:80fb167dafdf 10413 req->heap = heap;
wolfSSL 13:80fb167dafdf 10414
wolfSSL 13:80fb167dafdf 10415 if (cert) {
wolfSSL 13:80fb167dafdf 10416 XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 10417 XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 10418
wolfSSL 13:80fb167dafdf 10419 req->serial = (byte*)XMALLOC(cert->serialSz, req->heap,
wolfSSL 13:80fb167dafdf 10420 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 13:80fb167dafdf 10421 if (req->serial == NULL)
wolfSSL 13:80fb167dafdf 10422 return MEMORY_E;
wolfSSL 13:80fb167dafdf 10423
wolfSSL 13:80fb167dafdf 10424 XMEMCPY(req->serial, cert->serial, cert->serialSz);
wolfSSL 13:80fb167dafdf 10425 req->serialSz = cert->serialSz;
wolfSSL 13:80fb167dafdf 10426
wolfSSL 13:80fb167dafdf 10427 if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
wolfSSL 13:80fb167dafdf 10428 req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap,
wolfSSL 13:80fb167dafdf 10429 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 13:80fb167dafdf 10430 if (req->url == NULL) {
wolfSSL 13:80fb167dafdf 10431 XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
wolfSSL 13:80fb167dafdf 10432 return MEMORY_E;
wolfSSL 13:80fb167dafdf 10433 }
wolfSSL 13:80fb167dafdf 10434
wolfSSL 13:80fb167dafdf 10435 XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
wolfSSL 13:80fb167dafdf 10436 req->urlSz = cert->extAuthInfoSz;
wolfSSL 13:80fb167dafdf 10437 }
wolfSSL 13:80fb167dafdf 10438 }
wolfSSL 13:80fb167dafdf 10439
wolfSSL 13:80fb167dafdf 10440 if (useNonce) {
wolfSSL 13:80fb167dafdf 10441 WC_RNG rng;
wolfSSL 13:80fb167dafdf 10442
wolfSSL 13:80fb167dafdf 10443 #ifndef HAVE_FIPS
wolfSSL 13:80fb167dafdf 10444 ret = wc_InitRng_ex(&rng, req->heap, INVALID_DEVID);
wolfSSL 13:80fb167dafdf 10445 #else
wolfSSL 13:80fb167dafdf 10446 ret = wc_InitRng(&rng);
wolfSSL 13:80fb167dafdf 10447 #endif
wolfSSL 13:80fb167dafdf 10448 if (ret != 0) {
wolfSSL 13:80fb167dafdf 10449 WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
wolfSSL 13:80fb167dafdf 10450 } else {
wolfSSL 13:80fb167dafdf 10451 if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
wolfSSL 13:80fb167dafdf 10452 WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
wolfSSL 13:80fb167dafdf 10453 else
wolfSSL 13:80fb167dafdf 10454 req->nonceSz = MAX_OCSP_NONCE_SZ;
wolfSSL 13:80fb167dafdf 10455
wolfSSL 13:80fb167dafdf 10456 wc_FreeRng(&rng);
wolfSSL 13:80fb167dafdf 10457 }
wolfSSL 13:80fb167dafdf 10458 }
wolfSSL 13:80fb167dafdf 10459
wolfSSL 13:80fb167dafdf 10460 return 0;
wolfSSL 13:80fb167dafdf 10461 }
wolfSSL 13:80fb167dafdf 10462
wolfSSL 13:80fb167dafdf 10463 void FreeOcspRequest(OcspRequest* req)
wolfSSL 13:80fb167dafdf 10464 {
wolfSSL 13:80fb167dafdf 10465 WOLFSSL_ENTER("FreeOcspRequest");
wolfSSL 13:80fb167dafdf 10466
wolfSSL 13:80fb167dafdf 10467 if (req) {
wolfSSL 13:80fb167dafdf 10468 if (req->serial)
wolfSSL 13:80fb167dafdf 10469 XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 13:80fb167dafdf 10470
wolfSSL 13:80fb167dafdf 10471 if (req->url)
wolfSSL 13:80fb167dafdf 10472 XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 13:80fb167dafdf 10473 }
wolfSSL 13:80fb167dafdf 10474 }
wolfSSL 13:80fb167dafdf 10475
wolfSSL 13:80fb167dafdf 10476
wolfSSL 13:80fb167dafdf 10477 int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
wolfSSL 13:80fb167dafdf 10478 {
wolfSSL 13:80fb167dafdf 10479 int cmp;
wolfSSL 13:80fb167dafdf 10480
wolfSSL 13:80fb167dafdf 10481 WOLFSSL_ENTER("CompareOcspReqResp");
wolfSSL 13:80fb167dafdf 10482
wolfSSL 13:80fb167dafdf 10483 if (req == NULL)
wolfSSL 13:80fb167dafdf 10484 {
wolfSSL 13:80fb167dafdf 10485 WOLFSSL_MSG("\tReq missing");
wolfSSL 13:80fb167dafdf 10486 return -1;
wolfSSL 13:80fb167dafdf 10487 }
wolfSSL 13:80fb167dafdf 10488
wolfSSL 13:80fb167dafdf 10489 if (resp == NULL)
wolfSSL 13:80fb167dafdf 10490 {
wolfSSL 13:80fb167dafdf 10491 WOLFSSL_MSG("\tResp missing");
wolfSSL 13:80fb167dafdf 10492 return 1;
wolfSSL 13:80fb167dafdf 10493 }
wolfSSL 13:80fb167dafdf 10494
wolfSSL 13:80fb167dafdf 10495 /* Nonces are not critical. The responder may not necessarily add
wolfSSL 13:80fb167dafdf 10496 * the nonce to the response. */
wolfSSL 13:80fb167dafdf 10497 if (resp->nonceSz != 0) {
wolfSSL 13:80fb167dafdf 10498 cmp = req->nonceSz - resp->nonceSz;
wolfSSL 13:80fb167dafdf 10499 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10500 {
wolfSSL 13:80fb167dafdf 10501 WOLFSSL_MSG("\tnonceSz mismatch");
wolfSSL 13:80fb167dafdf 10502 return cmp;
wolfSSL 13:80fb167dafdf 10503 }
wolfSSL 13:80fb167dafdf 10504
wolfSSL 13:80fb167dafdf 10505 cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
wolfSSL 13:80fb167dafdf 10506 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10507 {
wolfSSL 13:80fb167dafdf 10508 WOLFSSL_MSG("\tnonce mismatch");
wolfSSL 13:80fb167dafdf 10509 return cmp;
wolfSSL 13:80fb167dafdf 10510 }
wolfSSL 13:80fb167dafdf 10511 }
wolfSSL 13:80fb167dafdf 10512
wolfSSL 13:80fb167dafdf 10513 cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 10514 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10515 {
wolfSSL 13:80fb167dafdf 10516 WOLFSSL_MSG("\tissuerHash mismatch");
wolfSSL 13:80fb167dafdf 10517 return cmp;
wolfSSL 13:80fb167dafdf 10518 }
wolfSSL 13:80fb167dafdf 10519
wolfSSL 13:80fb167dafdf 10520 cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
wolfSSL 13:80fb167dafdf 10521 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10522 {
wolfSSL 13:80fb167dafdf 10523 WOLFSSL_MSG("\tissuerKeyHash mismatch");
wolfSSL 13:80fb167dafdf 10524 return cmp;
wolfSSL 13:80fb167dafdf 10525 }
wolfSSL 13:80fb167dafdf 10526
wolfSSL 13:80fb167dafdf 10527 cmp = req->serialSz - resp->status->serialSz;
wolfSSL 13:80fb167dafdf 10528 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10529 {
wolfSSL 13:80fb167dafdf 10530 WOLFSSL_MSG("\tserialSz mismatch");
wolfSSL 13:80fb167dafdf 10531 return cmp;
wolfSSL 13:80fb167dafdf 10532 }
wolfSSL 13:80fb167dafdf 10533
wolfSSL 13:80fb167dafdf 10534 cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
wolfSSL 13:80fb167dafdf 10535 if (cmp != 0)
wolfSSL 13:80fb167dafdf 10536 {
wolfSSL 13:80fb167dafdf 10537 WOLFSSL_MSG("\tserial mismatch");
wolfSSL 13:80fb167dafdf 10538 return cmp;
wolfSSL 13:80fb167dafdf 10539 }
wolfSSL 13:80fb167dafdf 10540
wolfSSL 13:80fb167dafdf 10541 return 0;
wolfSSL 13:80fb167dafdf 10542 }
wolfSSL 13:80fb167dafdf 10543
wolfSSL 13:80fb167dafdf 10544 #endif
wolfSSL 13:80fb167dafdf 10545
wolfSSL 13:80fb167dafdf 10546
wolfSSL 13:80fb167dafdf 10547 /* store SHA hash of NAME */
wolfSSL 13:80fb167dafdf 10548 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
wolfSSL 13:80fb167dafdf 10549 int maxIdx)
wolfSSL 13:80fb167dafdf 10550 {
wolfSSL 13:80fb167dafdf 10551 int length; /* length of all distinguished names */
wolfSSL 13:80fb167dafdf 10552 int ret;
wolfSSL 13:80fb167dafdf 10553 word32 dummy;
wolfSSL 13:80fb167dafdf 10554
wolfSSL 13:80fb167dafdf 10555 WOLFSSL_ENTER("GetNameHash");
wolfSSL 13:80fb167dafdf 10556
wolfSSL 13:80fb167dafdf 10557 if (source[*idx] == ASN_OBJECT_ID) {
wolfSSL 13:80fb167dafdf 10558 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 13:80fb167dafdf 10559
wolfSSL 13:80fb167dafdf 10560 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 10561 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10562
wolfSSL 13:80fb167dafdf 10563 *idx += length;
wolfSSL 13:80fb167dafdf 10564 WOLFSSL_MSG("Got optional prefix");
wolfSSL 13:80fb167dafdf 10565 }
wolfSSL 13:80fb167dafdf 10566
wolfSSL 13:80fb167dafdf 10567 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 13:80fb167dafdf 10568 * calculated over the entire DER encoding of the Name field, including
wolfSSL 13:80fb167dafdf 10569 * the tag and length. */
wolfSSL 13:80fb167dafdf 10570 dummy = *idx;
wolfSSL 13:80fb167dafdf 10571 if (GetSequence(source, idx, &length, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 10572 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10573
wolfSSL 13:80fb167dafdf 10574 #ifdef NO_SHA
wolfSSL 13:80fb167dafdf 10575 ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash);
wolfSSL 13:80fb167dafdf 10576 #else
wolfSSL 13:80fb167dafdf 10577 ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash);
wolfSSL 13:80fb167dafdf 10578 #endif
wolfSSL 13:80fb167dafdf 10579
wolfSSL 13:80fb167dafdf 10580 *idx += length;
wolfSSL 13:80fb167dafdf 10581
wolfSSL 13:80fb167dafdf 10582 return ret;
wolfSSL 13:80fb167dafdf 10583 }
wolfSSL 13:80fb167dafdf 10584
wolfSSL 13:80fb167dafdf 10585
wolfSSL 13:80fb167dafdf 10586 #ifdef HAVE_CRL
wolfSSL 13:80fb167dafdf 10587
wolfSSL 13:80fb167dafdf 10588 /* initialize decoded CRL */
wolfSSL 13:80fb167dafdf 10589 void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
wolfSSL 13:80fb167dafdf 10590 {
wolfSSL 13:80fb167dafdf 10591 WOLFSSL_MSG("InitDecodedCRL");
wolfSSL 13:80fb167dafdf 10592
wolfSSL 13:80fb167dafdf 10593 dcrl->certBegin = 0;
wolfSSL 13:80fb167dafdf 10594 dcrl->sigIndex = 0;
wolfSSL 13:80fb167dafdf 10595 dcrl->sigLength = 0;
wolfSSL 13:80fb167dafdf 10596 dcrl->signatureOID = 0;
wolfSSL 13:80fb167dafdf 10597 dcrl->certs = NULL;
wolfSSL 13:80fb167dafdf 10598 dcrl->totalCerts = 0;
wolfSSL 13:80fb167dafdf 10599 dcrl->heap = heap;
wolfSSL 13:80fb167dafdf 10600 #ifdef WOLFSSL_HEAP_TEST
wolfSSL 13:80fb167dafdf 10601 dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
wolfSSL 13:80fb167dafdf 10602 #endif
wolfSSL 13:80fb167dafdf 10603 }
wolfSSL 13:80fb167dafdf 10604
wolfSSL 13:80fb167dafdf 10605
wolfSSL 13:80fb167dafdf 10606 /* free decoded CRL resources */
wolfSSL 13:80fb167dafdf 10607 void FreeDecodedCRL(DecodedCRL* dcrl)
wolfSSL 13:80fb167dafdf 10608 {
wolfSSL 13:80fb167dafdf 10609 RevokedCert* tmp = dcrl->certs;
wolfSSL 13:80fb167dafdf 10610
wolfSSL 13:80fb167dafdf 10611 WOLFSSL_MSG("FreeDecodedCRL");
wolfSSL 13:80fb167dafdf 10612
wolfSSL 13:80fb167dafdf 10613 while(tmp) {
wolfSSL 13:80fb167dafdf 10614 RevokedCert* next = tmp->next;
wolfSSL 13:80fb167dafdf 10615 XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED);
wolfSSL 13:80fb167dafdf 10616 tmp = next;
wolfSSL 13:80fb167dafdf 10617 }
wolfSSL 13:80fb167dafdf 10618 }
wolfSSL 13:80fb167dafdf 10619
wolfSSL 13:80fb167dafdf 10620
wolfSSL 13:80fb167dafdf 10621 /* Get Revoked Cert list, 0 on success */
wolfSSL 13:80fb167dafdf 10622 static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
wolfSSL 13:80fb167dafdf 10623 int maxIdx)
wolfSSL 13:80fb167dafdf 10624 {
wolfSSL 13:80fb167dafdf 10625 int len;
wolfSSL 13:80fb167dafdf 10626 word32 end;
wolfSSL 13:80fb167dafdf 10627 byte b;
wolfSSL 13:80fb167dafdf 10628 RevokedCert* rc;
wolfSSL 13:80fb167dafdf 10629
wolfSSL 13:80fb167dafdf 10630 WOLFSSL_ENTER("GetRevoked");
wolfSSL 13:80fb167dafdf 10631
wolfSSL 13:80fb167dafdf 10632 if (GetSequence(buff, idx, &len, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 10633 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10634
wolfSSL 13:80fb167dafdf 10635 end = *idx + len;
wolfSSL 13:80fb167dafdf 10636
wolfSSL 13:80fb167dafdf 10637 rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap,
wolfSSL 13:80fb167dafdf 10638 DYNAMIC_TYPE_CRL);
wolfSSL 13:80fb167dafdf 10639 if (rc == NULL) {
wolfSSL 13:80fb167dafdf 10640 WOLFSSL_MSG("Alloc Revoked Cert failed");
wolfSSL 13:80fb167dafdf 10641 return MEMORY_E;
wolfSSL 13:80fb167dafdf 10642 }
wolfSSL 13:80fb167dafdf 10643
wolfSSL 13:80fb167dafdf 10644 if (GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,
wolfSSL 13:80fb167dafdf 10645 maxIdx) < 0) {
wolfSSL 13:80fb167dafdf 10646 XFREE(rc, dcrl->heap, DYNAMIC_TYPE_CRL);
wolfSSL 13:80fb167dafdf 10647 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10648 }
wolfSSL 13:80fb167dafdf 10649
wolfSSL 13:80fb167dafdf 10650 /* add to list */
wolfSSL 13:80fb167dafdf 10651 rc->next = dcrl->certs;
wolfSSL 13:80fb167dafdf 10652 dcrl->certs = rc;
wolfSSL 13:80fb167dafdf 10653 dcrl->totalCerts++;
wolfSSL 13:80fb167dafdf 10654
wolfSSL 13:80fb167dafdf 10655
wolfSSL 13:80fb167dafdf 10656 /* get date */
wolfSSL 13:80fb167dafdf 10657 b = buff[*idx];
wolfSSL 13:80fb167dafdf 10658 *idx += 1;
wolfSSL 13:80fb167dafdf 10659
wolfSSL 13:80fb167dafdf 10660 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
wolfSSL 13:80fb167dafdf 10661 WOLFSSL_MSG("Expecting Date");
wolfSSL 13:80fb167dafdf 10662 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10663 }
wolfSSL 13:80fb167dafdf 10664
wolfSSL 13:80fb167dafdf 10665 if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL 13:80fb167dafdf 10666 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10667
wolfSSL 13:80fb167dafdf 10668 /* skip for now */
wolfSSL 13:80fb167dafdf 10669 *idx += len;
wolfSSL 13:80fb167dafdf 10670
wolfSSL 13:80fb167dafdf 10671 if (*idx != end) /* skip extensions */
wolfSSL 13:80fb167dafdf 10672 *idx = end;
wolfSSL 13:80fb167dafdf 10673
wolfSSL 13:80fb167dafdf 10674 return 0;
wolfSSL 13:80fb167dafdf 10675 }
wolfSSL 13:80fb167dafdf 10676
wolfSSL 13:80fb167dafdf 10677
wolfSSL 13:80fb167dafdf 10678 /* Get CRL Signature, 0 on success */
wolfSSL 13:80fb167dafdf 10679 static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
wolfSSL 13:80fb167dafdf 10680 int maxIdx)
wolfSSL 13:80fb167dafdf 10681 {
wolfSSL 13:80fb167dafdf 10682 int length;
wolfSSL 13:80fb167dafdf 10683 int ret;
wolfSSL 13:80fb167dafdf 10684
wolfSSL 13:80fb167dafdf 10685 WOLFSSL_ENTER("GetCRL_Signature");
wolfSSL 13:80fb167dafdf 10686
wolfSSL 13:80fb167dafdf 10687 ret = CheckBitString(source, idx, &length, maxIdx, 1, NULL);
wolfSSL 13:80fb167dafdf 10688 if (ret != 0)
wolfSSL 13:80fb167dafdf 10689 return ret;
wolfSSL 13:80fb167dafdf 10690 dcrl->sigLength = length;
wolfSSL 13:80fb167dafdf 10691
wolfSSL 13:80fb167dafdf 10692 dcrl->signature = (byte*)&source[*idx];
wolfSSL 13:80fb167dafdf 10693 *idx += dcrl->sigLength;
wolfSSL 13:80fb167dafdf 10694
wolfSSL 13:80fb167dafdf 10695 return 0;
wolfSSL 13:80fb167dafdf 10696 }
wolfSSL 13:80fb167dafdf 10697
wolfSSL 13:80fb167dafdf 10698
wolfSSL 13:80fb167dafdf 10699 /* prase crl buffer into decoded state, 0 on success */
wolfSSL 13:80fb167dafdf 10700 int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
wolfSSL 13:80fb167dafdf 10701 {
wolfSSL 13:80fb167dafdf 10702 int ret = 0, version, len, doNextDate = 1;
wolfSSL 13:80fb167dafdf 10703 word32 oid, idx = 0, dateIdx;
wolfSSL 13:80fb167dafdf 10704 Signer* ca = NULL;
wolfSSL 13:80fb167dafdf 10705
wolfSSL 13:80fb167dafdf 10706 WOLFSSL_MSG("ParseCRL");
wolfSSL 13:80fb167dafdf 10707
wolfSSL 13:80fb167dafdf 10708 /* raw crl hash */
wolfSSL 13:80fb167dafdf 10709 /* hash here if needed for optimized comparisons
wolfSSL 13:80fb167dafdf 10710 * Sha sha;
wolfSSL 13:80fb167dafdf 10711 * wc_InitSha(&sha);
wolfSSL 13:80fb167dafdf 10712 * wc_ShaUpdate(&sha, buff, sz);
wolfSSL 13:80fb167dafdf 10713 * wc_ShaFinal(&sha, dcrl->crlHash); */
wolfSSL 13:80fb167dafdf 10714
wolfSSL 13:80fb167dafdf 10715 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 13:80fb167dafdf 10716 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10717
wolfSSL 13:80fb167dafdf 10718 dcrl->certBegin = idx;
wolfSSL 13:80fb167dafdf 10719
wolfSSL 13:80fb167dafdf 10720 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 13:80fb167dafdf 10721 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10722 dcrl->sigIndex = len + idx;
wolfSSL 13:80fb167dafdf 10723
wolfSSL 13:80fb167dafdf 10724 /* may have version */
wolfSSL 13:80fb167dafdf 10725 if (buff[idx] == ASN_INTEGER) {
wolfSSL 13:80fb167dafdf 10726 if (GetMyVersion(buff, &idx, &version, sz) < 0)
wolfSSL 13:80fb167dafdf 10727 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10728 }
wolfSSL 13:80fb167dafdf 10729
wolfSSL 13:80fb167dafdf 10730 if (GetAlgoId(buff, &idx, &oid, oidIgnoreType, sz) < 0)
wolfSSL 13:80fb167dafdf 10731 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10732
wolfSSL 13:80fb167dafdf 10733 if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
wolfSSL 13:80fb167dafdf 10734 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10735
wolfSSL 13:80fb167dafdf 10736 if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
wolfSSL 13:80fb167dafdf 10737 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10738
wolfSSL 13:80fb167dafdf 10739 dateIdx = idx;
wolfSSL 13:80fb167dafdf 10740
wolfSSL 13:80fb167dafdf 10741 if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
wolfSSL 13:80fb167dafdf 10742 {
wolfSSL 13:80fb167dafdf 10743 #ifndef WOLFSSL_NO_CRL_NEXT_DATE
wolfSSL 13:80fb167dafdf 10744 (void)dateIdx;
wolfSSL 13:80fb167dafdf 10745 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10746 #else
wolfSSL 13:80fb167dafdf 10747 dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */
wolfSSL 13:80fb167dafdf 10748 doNextDate = 0;
wolfSSL 13:80fb167dafdf 10749 idx = dateIdx;
wolfSSL 13:80fb167dafdf 10750 #endif
wolfSSL 13:80fb167dafdf 10751 }
wolfSSL 13:80fb167dafdf 10752
wolfSSL 13:80fb167dafdf 10753 if (doNextDate) {
wolfSSL 13:80fb167dafdf 10754 #ifndef NO_ASN_TIME
wolfSSL 13:80fb167dafdf 10755 if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
wolfSSL 13:80fb167dafdf 10756 WOLFSSL_MSG("CRL after date is no longer valid");
wolfSSL 13:80fb167dafdf 10757 return ASN_AFTER_DATE_E;
wolfSSL 13:80fb167dafdf 10758 }
wolfSSL 13:80fb167dafdf 10759 #endif
wolfSSL 13:80fb167dafdf 10760 }
wolfSSL 13:80fb167dafdf 10761
wolfSSL 13:80fb167dafdf 10762 if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
wolfSSL 13:80fb167dafdf 10763 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 13:80fb167dafdf 10764 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10765
wolfSSL 13:80fb167dafdf 10766 len += idx;
wolfSSL 13:80fb167dafdf 10767
wolfSSL 13:80fb167dafdf 10768 while (idx < (word32)len) {
wolfSSL 13:80fb167dafdf 10769 if (GetRevoked(buff, &idx, dcrl, sz) < 0)
wolfSSL 13:80fb167dafdf 10770 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10771 }
wolfSSL 13:80fb167dafdf 10772 }
wolfSSL 13:80fb167dafdf 10773
wolfSSL 13:80fb167dafdf 10774 if (idx != dcrl->sigIndex)
wolfSSL 13:80fb167dafdf 10775 idx = dcrl->sigIndex; /* skip extensions */
wolfSSL 13:80fb167dafdf 10776
wolfSSL 13:80fb167dafdf 10777 if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0)
wolfSSL 13:80fb167dafdf 10778 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10779
wolfSSL 13:80fb167dafdf 10780 if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
wolfSSL 13:80fb167dafdf 10781 return ASN_PARSE_E;
wolfSSL 13:80fb167dafdf 10782
wolfSSL 13:80fb167dafdf 10783 /* openssl doesn't add skid by default for CRLs cause firefox chokes
wolfSSL 13:80fb167dafdf 10784 we're not assuming it's available yet */
wolfSSL 13:80fb167dafdf 10785 #if !defined(NO_SKID) && defined(CRL_SKID_READY)
wolfSSL 13:80fb167dafdf 10786 if (dcrl->extAuthKeyIdSet)
wolfSSL 13:80fb167dafdf 10787 ca = GetCA(cm, dcrl->extAuthKeyId);
wolfSSL 13:80fb167dafdf 10788 if (ca == NULL)
wolfSSL 13:80fb167dafdf 10789 ca = GetCAByName(cm, dcrl->issuerHash);
wolfSSL 13:80fb167dafdf 10790 #else
wolfSSL 13:80fb167dafdf 10791 ca = GetCA(cm, dcrl->issuerHash);
wolfSSL 13:80fb167dafdf 10792 #endif /* !NO_SKID && CRL_SKID_READY */
wolfSSL 13:80fb167dafdf 10793 WOLFSSL_MSG("About to verify CRL signature");
wolfSSL 13:80fb167dafdf 10794
wolfSSL 13:80fb167dafdf 10795 if (ca) {
wolfSSL 13:80fb167dafdf 10796 SignatureCtx sigCtx;
wolfSSL 13:80fb167dafdf 10797
wolfSSL 13:80fb167dafdf 10798 WOLFSSL_MSG("Found CRL issuer CA");
wolfSSL 13:80fb167dafdf 10799 /* try to confirm/verify signature */
wolfSSL 13:80fb167dafdf 10800 #ifndef IGNORE_KEY_EXTENSIONS
wolfSSL 13:80fb167dafdf 10801 if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
wolfSSL 13:80fb167dafdf 10802 WOLFSSL_MSG("CA cannot sign CRLs");
wolfSSL 13:80fb167dafdf 10803 return ASN_CRL_NO_SIGNER_E;
wolfSSL 13:80fb167dafdf 10804 }
wolfSSL 13:80fb167dafdf 10805 #endif /* IGNORE_KEY_EXTENSIONS */
wolfSSL 13:80fb167dafdf 10806
wolfSSL 13:80fb167dafdf 10807 InitSignatureCtx(&sigCtx, dcrl->heap, INVALID_DEVID);
wolfSSL 13:80fb167dafdf 10808 if (ConfirmSignature(&sigCtx, buff + dcrl->certBegin,
wolfSSL 13:80fb167dafdf 10809 dcrl->sigIndex - dcrl->certBegin,
wolfSSL 13:80fb167dafdf 10810 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 13:80fb167dafdf 10811 dcrl->signature, dcrl->sigLength, dcrl->signatureOID) != 0) {
wolfSSL 13:80fb167dafdf 10812 WOLFSSL_MSG("CRL Confirm signature failed");
wolfSSL 13:80fb167dafdf 10813 return ASN_CRL_CONFIRM_E;
wolfSSL 13:80fb167dafdf 10814 }
wolfSSL 13:80fb167dafdf 10815 }
wolfSSL 13:80fb167dafdf 10816 else {
wolfSSL 13:80fb167dafdf 10817 WOLFSSL_MSG("Did NOT find CRL issuer CA");
wolfSSL 13:80fb167dafdf 10818 return ASN_CRL_NO_SIGNER_E;
wolfSSL 13:80fb167dafdf 10819 }
wolfSSL 13:80fb167dafdf 10820
wolfSSL 13:80fb167dafdf 10821 return ret;
wolfSSL 13:80fb167dafdf 10822 }
wolfSSL 13:80fb167dafdf 10823
wolfSSL 13:80fb167dafdf 10824 #endif /* HAVE_CRL */
wolfSSL 13:80fb167dafdf 10825
wolfSSL 13:80fb167dafdf 10826 #undef ERROR_OUT
wolfSSL 13:80fb167dafdf 10827
wolfSSL 13:80fb167dafdf 10828 #endif /* !NO_ASN */
wolfSSL 13:80fb167dafdf 10829
wolfSSL 13:80fb167dafdf 10830 #ifdef WOLFSSL_SEP
wolfSSL 13:80fb167dafdf 10831
wolfSSL 13:80fb167dafdf 10832
wolfSSL 13:80fb167dafdf 10833 #endif /* WOLFSSL_SEP */
wolfSSL 13:80fb167dafdf 10834