wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/asn.c@4:1b0d80432c79, 2016-04-28 (annotated)
- Committer:
- wolfSSL
- Date:
- Thu Apr 28 00:57:21 2016 +0000
- Revision:
- 4:1b0d80432c79
wolfSSL 3.9.0
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 4:1b0d80432c79 | 1 | /* asn.c |
wolfSSL | 4:1b0d80432c79 | 2 | * |
wolfSSL | 4:1b0d80432c79 | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
wolfSSL | 4:1b0d80432c79 | 4 | * |
wolfSSL | 4:1b0d80432c79 | 5 | * This file is part of wolfSSL. |
wolfSSL | 4:1b0d80432c79 | 6 | * |
wolfSSL | 4:1b0d80432c79 | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 4:1b0d80432c79 | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 4:1b0d80432c79 | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 4:1b0d80432c79 | 10 | * (at your option) any later version. |
wolfSSL | 4:1b0d80432c79 | 11 | * |
wolfSSL | 4:1b0d80432c79 | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 4:1b0d80432c79 | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 4:1b0d80432c79 | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 4:1b0d80432c79 | 15 | * GNU General Public License for more details. |
wolfSSL | 4:1b0d80432c79 | 16 | * |
wolfSSL | 4:1b0d80432c79 | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 4:1b0d80432c79 | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 4:1b0d80432c79 | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 4:1b0d80432c79 | 20 | */ |
wolfSSL | 4:1b0d80432c79 | 21 | |
wolfSSL | 4:1b0d80432c79 | 22 | |
wolfSSL | 4:1b0d80432c79 | 23 | #ifdef HAVE_CONFIG_H |
wolfSSL | 4:1b0d80432c79 | 24 | #include <config.h> |
wolfSSL | 4:1b0d80432c79 | 25 | #endif |
wolfSSL | 4:1b0d80432c79 | 26 | |
wolfSSL | 4:1b0d80432c79 | 27 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 4:1b0d80432c79 | 28 | |
wolfSSL | 4:1b0d80432c79 | 29 | /* |
wolfSSL | 4:1b0d80432c79 | 30 | ASN Options: |
wolfSSL | 4:1b0d80432c79 | 31 | * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC |
wolfSSL | 4:1b0d80432c79 | 32 | or wishing to save space. |
wolfSSL | 4:1b0d80432c79 | 33 | * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks. |
wolfSSL | 4:1b0d80432c79 | 34 | */ |
wolfSSL | 4:1b0d80432c79 | 35 | |
wolfSSL | 4:1b0d80432c79 | 36 | #ifndef NO_ASN |
wolfSSL | 4:1b0d80432c79 | 37 | |
wolfSSL | 4:1b0d80432c79 | 38 | #ifdef HAVE_RTP_SYS |
wolfSSL | 4:1b0d80432c79 | 39 | #include "os.h" /* dc_rtc_api needs */ |
wolfSSL | 4:1b0d80432c79 | 40 | #include "dc_rtc_api.h" /* to get current time */ |
wolfSSL | 4:1b0d80432c79 | 41 | #endif |
wolfSSL | 4:1b0d80432c79 | 42 | |
wolfSSL | 4:1b0d80432c79 | 43 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 4:1b0d80432c79 | 44 | #include <wolfssl/wolfcrypt/coding.h> |
wolfSSL | 4:1b0d80432c79 | 45 | #include <wolfssl/wolfcrypt/md2.h> |
wolfSSL | 4:1b0d80432c79 | 46 | #include <wolfssl/wolfcrypt/hmac.h> |
wolfSSL | 4:1b0d80432c79 | 47 | #include <wolfssl/wolfcrypt/error-crypt.h> |
wolfSSL | 4:1b0d80432c79 | 48 | #include <wolfssl/wolfcrypt/pwdbased.h> |
wolfSSL | 4:1b0d80432c79 | 49 | #include <wolfssl/wolfcrypt/des3.h> |
wolfSSL | 4:1b0d80432c79 | 50 | #include <wolfssl/wolfcrypt/logging.h> |
wolfSSL | 4:1b0d80432c79 | 51 | |
wolfSSL | 4:1b0d80432c79 | 52 | #include <wolfssl/wolfcrypt/random.h> |
wolfSSL | 4:1b0d80432c79 | 53 | #include <wolfssl/wolfcrypt/hash.h> |
wolfSSL | 4:1b0d80432c79 | 54 | #ifdef NO_INLINE |
wolfSSL | 4:1b0d80432c79 | 55 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 4:1b0d80432c79 | 56 | #else |
wolfSSL | 4:1b0d80432c79 | 57 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 4:1b0d80432c79 | 58 | #endif |
wolfSSL | 4:1b0d80432c79 | 59 | |
wolfSSL | 4:1b0d80432c79 | 60 | #ifndef NO_RC4 |
wolfSSL | 4:1b0d80432c79 | 61 | #include <wolfssl/wolfcrypt/arc4.h> |
wolfSSL | 4:1b0d80432c79 | 62 | #endif |
wolfSSL | 4:1b0d80432c79 | 63 | |
wolfSSL | 4:1b0d80432c79 | 64 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 65 | #include "libntruencrypt/ntru_crypto.h" |
wolfSSL | 4:1b0d80432c79 | 66 | #endif |
wolfSSL | 4:1b0d80432c79 | 67 | |
wolfSSL | 4:1b0d80432c79 | 68 | #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) |
wolfSSL | 4:1b0d80432c79 | 69 | #include <wolfssl/wolfcrypt/sha512.h> |
wolfSSL | 4:1b0d80432c79 | 70 | #endif |
wolfSSL | 4:1b0d80432c79 | 71 | |
wolfSSL | 4:1b0d80432c79 | 72 | #ifndef NO_SHA256 |
wolfSSL | 4:1b0d80432c79 | 73 | #include <wolfssl/wolfcrypt/sha256.h> |
wolfSSL | 4:1b0d80432c79 | 74 | #endif |
wolfSSL | 4:1b0d80432c79 | 75 | |
wolfSSL | 4:1b0d80432c79 | 76 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 77 | #include <wolfssl/wolfcrypt/ecc.h> |
wolfSSL | 4:1b0d80432c79 | 78 | #endif |
wolfSSL | 4:1b0d80432c79 | 79 | |
wolfSSL | 4:1b0d80432c79 | 80 | #ifdef WOLFSSL_DEBUG_ENCODING |
wolfSSL | 4:1b0d80432c79 | 81 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 4:1b0d80432c79 | 82 | #if MQX_USE_IO_OLD |
wolfSSL | 4:1b0d80432c79 | 83 | #include <fio.h> |
wolfSSL | 4:1b0d80432c79 | 84 | #else |
wolfSSL | 4:1b0d80432c79 | 85 | #include <nio.h> |
wolfSSL | 4:1b0d80432c79 | 86 | #endif |
wolfSSL | 4:1b0d80432c79 | 87 | #else |
wolfSSL | 4:1b0d80432c79 | 88 | #include <stdio.h> |
wolfSSL | 4:1b0d80432c79 | 89 | #endif |
wolfSSL | 4:1b0d80432c79 | 90 | #endif |
wolfSSL | 4:1b0d80432c79 | 91 | |
wolfSSL | 4:1b0d80432c79 | 92 | #ifdef _MSC_VER |
wolfSSL | 4:1b0d80432c79 | 93 | /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */ |
wolfSSL | 4:1b0d80432c79 | 94 | #pragma warning(disable: 4996) |
wolfSSL | 4:1b0d80432c79 | 95 | #endif |
wolfSSL | 4:1b0d80432c79 | 96 | |
wolfSSL | 4:1b0d80432c79 | 97 | |
wolfSSL | 4:1b0d80432c79 | 98 | #ifndef TRUE |
wolfSSL | 4:1b0d80432c79 | 99 | #define TRUE 1 |
wolfSSL | 4:1b0d80432c79 | 100 | #endif |
wolfSSL | 4:1b0d80432c79 | 101 | #ifndef FALSE |
wolfSSL | 4:1b0d80432c79 | 102 | #define FALSE 0 |
wolfSSL | 4:1b0d80432c79 | 103 | #endif |
wolfSSL | 4:1b0d80432c79 | 104 | |
wolfSSL | 4:1b0d80432c79 | 105 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 106 | #if defined(HAVE_RTP_SYS) |
wolfSSL | 4:1b0d80432c79 | 107 | /* uses parital <time.h> structures */ |
wolfSSL | 4:1b0d80432c79 | 108 | #define XTIME(tl) (0) |
wolfSSL | 4:1b0d80432c79 | 109 | #define XGMTIME(c, t) rtpsys_gmtime((c)) |
wolfSSL | 4:1b0d80432c79 | 110 | |
wolfSSL | 4:1b0d80432c79 | 111 | #elif defined(MICRIUM) |
wolfSSL | 4:1b0d80432c79 | 112 | #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) |
wolfSSL | 4:1b0d80432c79 | 113 | #define XVALIDATE_DATE(d, f, t) NetSecure_ValidateDateHandler((d), (f), (t)) |
wolfSSL | 4:1b0d80432c79 | 114 | #else |
wolfSSL | 4:1b0d80432c79 | 115 | #define XVALIDATE_DATE(d, f, t) (0) |
wolfSSL | 4:1b0d80432c79 | 116 | #endif |
wolfSSL | 4:1b0d80432c79 | 117 | #define NO_TIME_H |
wolfSSL | 4:1b0d80432c79 | 118 | /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */ |
wolfSSL | 4:1b0d80432c79 | 119 | |
wolfSSL | 4:1b0d80432c79 | 120 | #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 4:1b0d80432c79 | 121 | #include <time.h> |
wolfSSL | 4:1b0d80432c79 | 122 | #define XTIME(t1) pic32_time((t1)) |
wolfSSL | 4:1b0d80432c79 | 123 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 4:1b0d80432c79 | 124 | |
wolfSSL | 4:1b0d80432c79 | 125 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 4:1b0d80432c79 | 126 | #define XTIME(t1) mqx_time((t1)) |
wolfSSL | 4:1b0d80432c79 | 127 | #define HAVE_GMTIME_R |
wolfSSL | 4:1b0d80432c79 | 128 | |
wolfSSL | 4:1b0d80432c79 | 129 | #elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) |
wolfSSL | 4:1b0d80432c79 | 130 | #include <time.h> |
wolfSSL | 4:1b0d80432c79 | 131 | #define XTIME(t1) ksdk_time((t1)) |
wolfSSL | 4:1b0d80432c79 | 132 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 4:1b0d80432c79 | 133 | |
wolfSSL | 4:1b0d80432c79 | 134 | #elif defined(USER_TIME) |
wolfSSL | 4:1b0d80432c79 | 135 | /* user time, and gmtime compatible functions, there is a gmtime |
wolfSSL | 4:1b0d80432c79 | 136 | implementation here that WINCE uses, so really just need some ticks |
wolfSSL | 4:1b0d80432c79 | 137 | since the EPOCH |
wolfSSL | 4:1b0d80432c79 | 138 | */ |
wolfSSL | 4:1b0d80432c79 | 139 | #define WOLFSSL_GMTIME |
wolfSSL | 4:1b0d80432c79 | 140 | #define USE_WOLF_TM |
wolfSSL | 4:1b0d80432c79 | 141 | #define USE_WOLF_TIME_T |
wolfSSL | 4:1b0d80432c79 | 142 | |
wolfSSL | 4:1b0d80432c79 | 143 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 4:1b0d80432c79 | 144 | /* user would like to override time() and gmtime() functionality */ |
wolfSSL | 4:1b0d80432c79 | 145 | #ifndef HAVE_TIME_T_TYPE |
wolfSSL | 4:1b0d80432c79 | 146 | #define USE_WOLF_TIME_T |
wolfSSL | 4:1b0d80432c79 | 147 | #endif |
wolfSSL | 4:1b0d80432c79 | 148 | #ifndef HAVE_TM_TYPE |
wolfSSL | 4:1b0d80432c79 | 149 | #define USE_WOLF_TM |
wolfSSL | 4:1b0d80432c79 | 150 | #endif |
wolfSSL | 4:1b0d80432c79 | 151 | #define NEED_TMP_TIME |
wolfSSL | 4:1b0d80432c79 | 152 | |
wolfSSL | 4:1b0d80432c79 | 153 | #elif defined(IDIRECT_DEV_TIME) |
wolfSSL | 4:1b0d80432c79 | 154 | /*Gets the timestamp from cloak software owned by VT iDirect |
wolfSSL | 4:1b0d80432c79 | 155 | in place of time() from <time.h> */ |
wolfSSL | 4:1b0d80432c79 | 156 | #include <time.h> |
wolfSSL | 4:1b0d80432c79 | 157 | #define XTIME(t1) idirect_time((t1)) |
wolfSSL | 4:1b0d80432c79 | 158 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 4:1b0d80432c79 | 159 | |
wolfSSL | 4:1b0d80432c79 | 160 | #elif defined(_WIN32_WCE) |
wolfSSL | 4:1b0d80432c79 | 161 | #include <windows.h> |
wolfSSL | 4:1b0d80432c79 | 162 | #define XTIME(t1) windows_time((t1)) |
wolfSSL | 4:1b0d80432c79 | 163 | #define WOLFSSL_GMTIME |
wolfSSL | 4:1b0d80432c79 | 164 | |
wolfSSL | 4:1b0d80432c79 | 165 | #else |
wolfSSL | 4:1b0d80432c79 | 166 | /* default */ |
wolfSSL | 4:1b0d80432c79 | 167 | /* uses complete <time.h> facility */ |
wolfSSL | 4:1b0d80432c79 | 168 | #include <time.h> |
wolfSSL | 4:1b0d80432c79 | 169 | #endif |
wolfSSL | 4:1b0d80432c79 | 170 | |
wolfSSL | 4:1b0d80432c79 | 171 | |
wolfSSL | 4:1b0d80432c79 | 172 | /* Map default time functions */ |
wolfSSL | 4:1b0d80432c79 | 173 | #if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME) |
wolfSSL | 4:1b0d80432c79 | 174 | #define XTIME(tl) time((tl)) |
wolfSSL | 4:1b0d80432c79 | 175 | #endif |
wolfSSL | 4:1b0d80432c79 | 176 | #if !defined(XGMTIME) && !defined(TIME_OVERRIDES) |
wolfSSL | 4:1b0d80432c79 | 177 | #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R) |
wolfSSL | 4:1b0d80432c79 | 178 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 4:1b0d80432c79 | 179 | #else |
wolfSSL | 4:1b0d80432c79 | 180 | #define XGMTIME(c, t) gmtime_r((c), (t)) |
wolfSSL | 4:1b0d80432c79 | 181 | #define NEED_TMP_TIME |
wolfSSL | 4:1b0d80432c79 | 182 | #endif |
wolfSSL | 4:1b0d80432c79 | 183 | #endif |
wolfSSL | 4:1b0d80432c79 | 184 | #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE) |
wolfSSL | 4:1b0d80432c79 | 185 | #define USE_WOLF_VALIDDATE |
wolfSSL | 4:1b0d80432c79 | 186 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 4:1b0d80432c79 | 187 | #endif |
wolfSSL | 4:1b0d80432c79 | 188 | |
wolfSSL | 4:1b0d80432c79 | 189 | /* wolf struct tm and time_t */ |
wolfSSL | 4:1b0d80432c79 | 190 | #if defined(USE_WOLF_TM) |
wolfSSL | 4:1b0d80432c79 | 191 | struct tm { |
wolfSSL | 4:1b0d80432c79 | 192 | int tm_sec; /* seconds after the minute [0-60] */ |
wolfSSL | 4:1b0d80432c79 | 193 | int tm_min; /* minutes after the hour [0-59] */ |
wolfSSL | 4:1b0d80432c79 | 194 | int tm_hour; /* hours since midnight [0-23] */ |
wolfSSL | 4:1b0d80432c79 | 195 | int tm_mday; /* day of the month [1-31] */ |
wolfSSL | 4:1b0d80432c79 | 196 | int tm_mon; /* months since January [0-11] */ |
wolfSSL | 4:1b0d80432c79 | 197 | int tm_year; /* years since 1900 */ |
wolfSSL | 4:1b0d80432c79 | 198 | int tm_wday; /* days since Sunday [0-6] */ |
wolfSSL | 4:1b0d80432c79 | 199 | int tm_yday; /* days since January 1 [0-365] */ |
wolfSSL | 4:1b0d80432c79 | 200 | int tm_isdst; /* Daylight Savings Time flag */ |
wolfSSL | 4:1b0d80432c79 | 201 | long tm_gmtoff; /* offset from CUT in seconds */ |
wolfSSL | 4:1b0d80432c79 | 202 | char *tm_zone; /* timezone abbreviation */ |
wolfSSL | 4:1b0d80432c79 | 203 | }; |
wolfSSL | 4:1b0d80432c79 | 204 | #endif /* USE_WOLF_TM */ |
wolfSSL | 4:1b0d80432c79 | 205 | #if defined(USE_WOLF_TIME_T) |
wolfSSL | 4:1b0d80432c79 | 206 | typedef long time_t; |
wolfSSL | 4:1b0d80432c79 | 207 | #endif |
wolfSSL | 4:1b0d80432c79 | 208 | |
wolfSSL | 4:1b0d80432c79 | 209 | /* forward declarations */ |
wolfSSL | 4:1b0d80432c79 | 210 | #if defined(USER_TIME) |
wolfSSL | 4:1b0d80432c79 | 211 | struct tm* gmtime(const time_t* timer); |
wolfSSL | 4:1b0d80432c79 | 212 | extern time_t XTIME(time_t * timer); |
wolfSSL | 4:1b0d80432c79 | 213 | |
wolfSSL | 4:1b0d80432c79 | 214 | #ifdef STACK_TRAP |
wolfSSL | 4:1b0d80432c79 | 215 | /* for stack trap tracking, don't call os gmtime on OS X/linux, |
wolfSSL | 4:1b0d80432c79 | 216 | uses a lot of stack spce */ |
wolfSSL | 4:1b0d80432c79 | 217 | extern time_t time(time_t * timer); |
wolfSSL | 4:1b0d80432c79 | 218 | #define XTIME(tl) time((tl)) |
wolfSSL | 4:1b0d80432c79 | 219 | #endif /* STACK_TRAP */ |
wolfSSL | 4:1b0d80432c79 | 220 | |
wolfSSL | 4:1b0d80432c79 | 221 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 4:1b0d80432c79 | 222 | extern time_t XTIME(time_t * timer); |
wolfSSL | 4:1b0d80432c79 | 223 | extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp); |
wolfSSL | 4:1b0d80432c79 | 224 | #endif |
wolfSSL | 4:1b0d80432c79 | 225 | |
wolfSSL | 4:1b0d80432c79 | 226 | |
wolfSSL | 4:1b0d80432c79 | 227 | #if defined(_WIN32_WCE) |
wolfSSL | 4:1b0d80432c79 | 228 | time_t windows_time(time_t* timer) |
wolfSSL | 4:1b0d80432c79 | 229 | { |
wolfSSL | 4:1b0d80432c79 | 230 | SYSTEMTIME sysTime; |
wolfSSL | 4:1b0d80432c79 | 231 | FILETIME fTime; |
wolfSSL | 4:1b0d80432c79 | 232 | ULARGE_INTEGER intTime; |
wolfSSL | 4:1b0d80432c79 | 233 | time_t localTime; |
wolfSSL | 4:1b0d80432c79 | 234 | |
wolfSSL | 4:1b0d80432c79 | 235 | if (timer == NULL) |
wolfSSL | 4:1b0d80432c79 | 236 | timer = &localTime; |
wolfSSL | 4:1b0d80432c79 | 237 | |
wolfSSL | 4:1b0d80432c79 | 238 | GetSystemTime(&sysTime); |
wolfSSL | 4:1b0d80432c79 | 239 | SystemTimeToFileTime(&sysTime, &fTime); |
wolfSSL | 4:1b0d80432c79 | 240 | |
wolfSSL | 4:1b0d80432c79 | 241 | XMEMCPY(&intTime, &fTime, sizeof(FILETIME)); |
wolfSSL | 4:1b0d80432c79 | 242 | /* subtract EPOCH */ |
wolfSSL | 4:1b0d80432c79 | 243 | intTime.QuadPart -= 0x19db1ded53e8000; |
wolfSSL | 4:1b0d80432c79 | 244 | /* to secs */ |
wolfSSL | 4:1b0d80432c79 | 245 | intTime.QuadPart /= 10000000; |
wolfSSL | 4:1b0d80432c79 | 246 | *timer = (time_t)intTime.QuadPart; |
wolfSSL | 4:1b0d80432c79 | 247 | |
wolfSSL | 4:1b0d80432c79 | 248 | return *timer; |
wolfSSL | 4:1b0d80432c79 | 249 | } |
wolfSSL | 4:1b0d80432c79 | 250 | #endif /* _WIN32_WCE */ |
wolfSSL | 4:1b0d80432c79 | 251 | |
wolfSSL | 4:1b0d80432c79 | 252 | #if defined(WOLFSSL_GMTIME) |
wolfSSL | 4:1b0d80432c79 | 253 | struct tm* gmtime(const time_t* timer) |
wolfSSL | 4:1b0d80432c79 | 254 | { |
wolfSSL | 4:1b0d80432c79 | 255 | #define YEAR0 1900 |
wolfSSL | 4:1b0d80432c79 | 256 | #define EPOCH_YEAR 1970 |
wolfSSL | 4:1b0d80432c79 | 257 | #define SECS_DAY (24L * 60L * 60L) |
wolfSSL | 4:1b0d80432c79 | 258 | #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400))) |
wolfSSL | 4:1b0d80432c79 | 259 | #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365) |
wolfSSL | 4:1b0d80432c79 | 260 | |
wolfSSL | 4:1b0d80432c79 | 261 | static const int _ytab[2][12] = |
wolfSSL | 4:1b0d80432c79 | 262 | { |
wolfSSL | 4:1b0d80432c79 | 263 | {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}, |
wolfSSL | 4:1b0d80432c79 | 264 | {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31} |
wolfSSL | 4:1b0d80432c79 | 265 | }; |
wolfSSL | 4:1b0d80432c79 | 266 | |
wolfSSL | 4:1b0d80432c79 | 267 | static struct tm st_time; |
wolfSSL | 4:1b0d80432c79 | 268 | struct tm* ret = &st_time; |
wolfSSL | 4:1b0d80432c79 | 269 | time_t secs = *timer; |
wolfSSL | 4:1b0d80432c79 | 270 | unsigned long dayclock, dayno; |
wolfSSL | 4:1b0d80432c79 | 271 | int year = EPOCH_YEAR; |
wolfSSL | 4:1b0d80432c79 | 272 | |
wolfSSL | 4:1b0d80432c79 | 273 | dayclock = (unsigned long)secs % SECS_DAY; |
wolfSSL | 4:1b0d80432c79 | 274 | dayno = (unsigned long)secs / SECS_DAY; |
wolfSSL | 4:1b0d80432c79 | 275 | |
wolfSSL | 4:1b0d80432c79 | 276 | ret->tm_sec = (int) dayclock % 60; |
wolfSSL | 4:1b0d80432c79 | 277 | ret->tm_min = (int)(dayclock % 3600) / 60; |
wolfSSL | 4:1b0d80432c79 | 278 | ret->tm_hour = (int) dayclock / 3600; |
wolfSSL | 4:1b0d80432c79 | 279 | ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */ |
wolfSSL | 4:1b0d80432c79 | 280 | |
wolfSSL | 4:1b0d80432c79 | 281 | while(dayno >= (unsigned long)YEARSIZE(year)) { |
wolfSSL | 4:1b0d80432c79 | 282 | dayno -= YEARSIZE(year); |
wolfSSL | 4:1b0d80432c79 | 283 | year++; |
wolfSSL | 4:1b0d80432c79 | 284 | } |
wolfSSL | 4:1b0d80432c79 | 285 | |
wolfSSL | 4:1b0d80432c79 | 286 | ret->tm_year = year - YEAR0; |
wolfSSL | 4:1b0d80432c79 | 287 | ret->tm_yday = (int)dayno; |
wolfSSL | 4:1b0d80432c79 | 288 | ret->tm_mon = 0; |
wolfSSL | 4:1b0d80432c79 | 289 | |
wolfSSL | 4:1b0d80432c79 | 290 | while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) { |
wolfSSL | 4:1b0d80432c79 | 291 | dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon]; |
wolfSSL | 4:1b0d80432c79 | 292 | ret->tm_mon++; |
wolfSSL | 4:1b0d80432c79 | 293 | } |
wolfSSL | 4:1b0d80432c79 | 294 | |
wolfSSL | 4:1b0d80432c79 | 295 | ret->tm_mday = (int)++dayno; |
wolfSSL | 4:1b0d80432c79 | 296 | ret->tm_isdst = 0; |
wolfSSL | 4:1b0d80432c79 | 297 | |
wolfSSL | 4:1b0d80432c79 | 298 | return ret; |
wolfSSL | 4:1b0d80432c79 | 299 | } |
wolfSSL | 4:1b0d80432c79 | 300 | #endif /* WOLFSSL_GMTIME */ |
wolfSSL | 4:1b0d80432c79 | 301 | |
wolfSSL | 4:1b0d80432c79 | 302 | |
wolfSSL | 4:1b0d80432c79 | 303 | #if defined(HAVE_RTP_SYS) |
wolfSSL | 4:1b0d80432c79 | 304 | #define YEAR0 1900 |
wolfSSL | 4:1b0d80432c79 | 305 | |
wolfSSL | 4:1b0d80432c79 | 306 | struct tm* rtpsys_gmtime(const time_t* timer) /* has a gmtime() but hangs */ |
wolfSSL | 4:1b0d80432c79 | 307 | { |
wolfSSL | 4:1b0d80432c79 | 308 | static struct tm st_time; |
wolfSSL | 4:1b0d80432c79 | 309 | struct tm* ret = &st_time; |
wolfSSL | 4:1b0d80432c79 | 310 | |
wolfSSL | 4:1b0d80432c79 | 311 | DC_RTC_CALENDAR cal; |
wolfSSL | 4:1b0d80432c79 | 312 | dc_rtc_time_get(&cal, TRUE); |
wolfSSL | 4:1b0d80432c79 | 313 | |
wolfSSL | 4:1b0d80432c79 | 314 | ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */ |
wolfSSL | 4:1b0d80432c79 | 315 | ret->tm_mon = cal.month - 1; /* gm starts at 0 */ |
wolfSSL | 4:1b0d80432c79 | 316 | ret->tm_mday = cal.day; |
wolfSSL | 4:1b0d80432c79 | 317 | ret->tm_hour = cal.hour; |
wolfSSL | 4:1b0d80432c79 | 318 | ret->tm_min = cal.minute; |
wolfSSL | 4:1b0d80432c79 | 319 | ret->tm_sec = cal.second; |
wolfSSL | 4:1b0d80432c79 | 320 | |
wolfSSL | 4:1b0d80432c79 | 321 | return ret; |
wolfSSL | 4:1b0d80432c79 | 322 | } |
wolfSSL | 4:1b0d80432c79 | 323 | |
wolfSSL | 4:1b0d80432c79 | 324 | #endif /* HAVE_RTP_SYS */ |
wolfSSL | 4:1b0d80432c79 | 325 | |
wolfSSL | 4:1b0d80432c79 | 326 | |
wolfSSL | 4:1b0d80432c79 | 327 | #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 4:1b0d80432c79 | 328 | |
wolfSSL | 4:1b0d80432c79 | 329 | /* |
wolfSSL | 4:1b0d80432c79 | 330 | * time() is just a stub in Microchip libraries. We need our own |
wolfSSL | 4:1b0d80432c79 | 331 | * implementation. Use SNTP client to get seconds since epoch. |
wolfSSL | 4:1b0d80432c79 | 332 | */ |
wolfSSL | 4:1b0d80432c79 | 333 | time_t pic32_time(time_t* timer) |
wolfSSL | 4:1b0d80432c79 | 334 | { |
wolfSSL | 4:1b0d80432c79 | 335 | #ifdef MICROCHIP_TCPIP_V5 |
wolfSSL | 4:1b0d80432c79 | 336 | DWORD sec = 0; |
wolfSSL | 4:1b0d80432c79 | 337 | #else |
wolfSSL | 4:1b0d80432c79 | 338 | uint32_t sec = 0; |
wolfSSL | 4:1b0d80432c79 | 339 | #endif |
wolfSSL | 4:1b0d80432c79 | 340 | time_t localTime; |
wolfSSL | 4:1b0d80432c79 | 341 | |
wolfSSL | 4:1b0d80432c79 | 342 | if (timer == NULL) |
wolfSSL | 4:1b0d80432c79 | 343 | timer = &localTime; |
wolfSSL | 4:1b0d80432c79 | 344 | |
wolfSSL | 4:1b0d80432c79 | 345 | #ifdef MICROCHIP_MPLAB_HARMONY |
wolfSSL | 4:1b0d80432c79 | 346 | sec = TCPIP_SNTP_UTCSecondsGet(); |
wolfSSL | 4:1b0d80432c79 | 347 | #else |
wolfSSL | 4:1b0d80432c79 | 348 | sec = SNTPGetUTCSeconds(); |
wolfSSL | 4:1b0d80432c79 | 349 | #endif |
wolfSSL | 4:1b0d80432c79 | 350 | *timer = (time_t) sec; |
wolfSSL | 4:1b0d80432c79 | 351 | |
wolfSSL | 4:1b0d80432c79 | 352 | return *timer; |
wolfSSL | 4:1b0d80432c79 | 353 | } |
wolfSSL | 4:1b0d80432c79 | 354 | |
wolfSSL | 4:1b0d80432c79 | 355 | #endif /* MICROCHIP_TCPIP */ |
wolfSSL | 4:1b0d80432c79 | 356 | |
wolfSSL | 4:1b0d80432c79 | 357 | |
wolfSSL | 4:1b0d80432c79 | 358 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 4:1b0d80432c79 | 359 | |
wolfSSL | 4:1b0d80432c79 | 360 | time_t mqx_time(time_t* timer) |
wolfSSL | 4:1b0d80432c79 | 361 | { |
wolfSSL | 4:1b0d80432c79 | 362 | time_t localTime; |
wolfSSL | 4:1b0d80432c79 | 363 | TIME_STRUCT time_s; |
wolfSSL | 4:1b0d80432c79 | 364 | |
wolfSSL | 4:1b0d80432c79 | 365 | if (timer == NULL) |
wolfSSL | 4:1b0d80432c79 | 366 | timer = &localTime; |
wolfSSL | 4:1b0d80432c79 | 367 | |
wolfSSL | 4:1b0d80432c79 | 368 | _time_get(&time_s); |
wolfSSL | 4:1b0d80432c79 | 369 | *timer = (time_t) time_s.SECONDS; |
wolfSSL | 4:1b0d80432c79 | 370 | |
wolfSSL | 4:1b0d80432c79 | 371 | return *timer; |
wolfSSL | 4:1b0d80432c79 | 372 | } |
wolfSSL | 4:1b0d80432c79 | 373 | |
wolfSSL | 4:1b0d80432c79 | 374 | #endif /* FREESCALE_MQX */ |
wolfSSL | 4:1b0d80432c79 | 375 | |
wolfSSL | 4:1b0d80432c79 | 376 | #if defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) |
wolfSSL | 4:1b0d80432c79 | 377 | |
wolfSSL | 4:1b0d80432c79 | 378 | #include "fsl_pit_driver.h" |
wolfSSL | 4:1b0d80432c79 | 379 | |
wolfSSL | 4:1b0d80432c79 | 380 | time_t ksdk_time(time_t* timer) |
wolfSSL | 4:1b0d80432c79 | 381 | { |
wolfSSL | 4:1b0d80432c79 | 382 | time_t localTime; |
wolfSSL | 4:1b0d80432c79 | 383 | |
wolfSSL | 4:1b0d80432c79 | 384 | if (timer == NULL) |
wolfSSL | 4:1b0d80432c79 | 385 | timer = &localTime; |
wolfSSL | 4:1b0d80432c79 | 386 | |
wolfSSL | 4:1b0d80432c79 | 387 | *timer = (PIT_DRV_ReadTimerUs(PIT_INSTANCE, PIT_CHANNEL)) / 1000000; |
wolfSSL | 4:1b0d80432c79 | 388 | return *timer; |
wolfSSL | 4:1b0d80432c79 | 389 | } |
wolfSSL | 4:1b0d80432c79 | 390 | |
wolfSSL | 4:1b0d80432c79 | 391 | #endif /* FREESCALE_KSDK_BM */ |
wolfSSL | 4:1b0d80432c79 | 392 | |
wolfSSL | 4:1b0d80432c79 | 393 | #if defined(WOLFSSL_TIRTOS) |
wolfSSL | 4:1b0d80432c79 | 394 | |
wolfSSL | 4:1b0d80432c79 | 395 | time_t XTIME(time_t * timer) |
wolfSSL | 4:1b0d80432c79 | 396 | { |
wolfSSL | 4:1b0d80432c79 | 397 | time_t sec = 0; |
wolfSSL | 4:1b0d80432c79 | 398 | |
wolfSSL | 4:1b0d80432c79 | 399 | sec = (time_t) Seconds_get(); |
wolfSSL | 4:1b0d80432c79 | 400 | |
wolfSSL | 4:1b0d80432c79 | 401 | if (timer != NULL) |
wolfSSL | 4:1b0d80432c79 | 402 | *timer = sec; |
wolfSSL | 4:1b0d80432c79 | 403 | |
wolfSSL | 4:1b0d80432c79 | 404 | return sec; |
wolfSSL | 4:1b0d80432c79 | 405 | } |
wolfSSL | 4:1b0d80432c79 | 406 | |
wolfSSL | 4:1b0d80432c79 | 407 | #endif /* WOLFSSL_TIRTOS */ |
wolfSSL | 4:1b0d80432c79 | 408 | |
wolfSSL | 4:1b0d80432c79 | 409 | |
wolfSSL | 4:1b0d80432c79 | 410 | static INLINE word32 btoi(byte b) |
wolfSSL | 4:1b0d80432c79 | 411 | { |
wolfSSL | 4:1b0d80432c79 | 412 | return b - 0x30; |
wolfSSL | 4:1b0d80432c79 | 413 | } |
wolfSSL | 4:1b0d80432c79 | 414 | |
wolfSSL | 4:1b0d80432c79 | 415 | |
wolfSSL | 4:1b0d80432c79 | 416 | /* two byte date/time, add to value */ |
wolfSSL | 4:1b0d80432c79 | 417 | static INLINE void GetTime(int* value, const byte* date, int* idx) |
wolfSSL | 4:1b0d80432c79 | 418 | { |
wolfSSL | 4:1b0d80432c79 | 419 | int i = *idx; |
wolfSSL | 4:1b0d80432c79 | 420 | |
wolfSSL | 4:1b0d80432c79 | 421 | *value += btoi(date[i++]) * 10; |
wolfSSL | 4:1b0d80432c79 | 422 | *value += btoi(date[i++]); |
wolfSSL | 4:1b0d80432c79 | 423 | |
wolfSSL | 4:1b0d80432c79 | 424 | *idx = i; |
wolfSSL | 4:1b0d80432c79 | 425 | } |
wolfSSL | 4:1b0d80432c79 | 426 | |
wolfSSL | 4:1b0d80432c79 | 427 | |
wolfSSL | 4:1b0d80432c79 | 428 | #if defined(MICRIUM) |
wolfSSL | 4:1b0d80432c79 | 429 | |
wolfSSL | 4:1b0d80432c79 | 430 | CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format, |
wolfSSL | 4:1b0d80432c79 | 431 | CPU_INT08U dateType) |
wolfSSL | 4:1b0d80432c79 | 432 | { |
wolfSSL | 4:1b0d80432c79 | 433 | CPU_BOOLEAN rtn_code; |
wolfSSL | 4:1b0d80432c79 | 434 | CPU_INT32S i; |
wolfSSL | 4:1b0d80432c79 | 435 | CPU_INT32S val; |
wolfSSL | 4:1b0d80432c79 | 436 | CPU_INT16U year; |
wolfSSL | 4:1b0d80432c79 | 437 | CPU_INT08U month; |
wolfSSL | 4:1b0d80432c79 | 438 | CPU_INT16U day; |
wolfSSL | 4:1b0d80432c79 | 439 | CPU_INT08U hour; |
wolfSSL | 4:1b0d80432c79 | 440 | CPU_INT08U min; |
wolfSSL | 4:1b0d80432c79 | 441 | CPU_INT08U sec; |
wolfSSL | 4:1b0d80432c79 | 442 | |
wolfSSL | 4:1b0d80432c79 | 443 | i = 0; |
wolfSSL | 4:1b0d80432c79 | 444 | year = 0u; |
wolfSSL | 4:1b0d80432c79 | 445 | |
wolfSSL | 4:1b0d80432c79 | 446 | if (format == ASN_UTC_TIME) { |
wolfSSL | 4:1b0d80432c79 | 447 | if (btoi(date[0]) >= 5) |
wolfSSL | 4:1b0d80432c79 | 448 | year = 1900; |
wolfSSL | 4:1b0d80432c79 | 449 | else |
wolfSSL | 4:1b0d80432c79 | 450 | year = 2000; |
wolfSSL | 4:1b0d80432c79 | 451 | } |
wolfSSL | 4:1b0d80432c79 | 452 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 4:1b0d80432c79 | 453 | year += btoi(date[i++]) * 1000; |
wolfSSL | 4:1b0d80432c79 | 454 | year += btoi(date[i++]) * 100; |
wolfSSL | 4:1b0d80432c79 | 455 | } |
wolfSSL | 4:1b0d80432c79 | 456 | |
wolfSSL | 4:1b0d80432c79 | 457 | val = year; |
wolfSSL | 4:1b0d80432c79 | 458 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 459 | year = (CPU_INT16U)val; |
wolfSSL | 4:1b0d80432c79 | 460 | |
wolfSSL | 4:1b0d80432c79 | 461 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 462 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 463 | month = (CPU_INT08U)val; |
wolfSSL | 4:1b0d80432c79 | 464 | |
wolfSSL | 4:1b0d80432c79 | 465 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 466 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 467 | day = (CPU_INT16U)val; |
wolfSSL | 4:1b0d80432c79 | 468 | |
wolfSSL | 4:1b0d80432c79 | 469 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 470 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 471 | hour = (CPU_INT08U)val; |
wolfSSL | 4:1b0d80432c79 | 472 | |
wolfSSL | 4:1b0d80432c79 | 473 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 474 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 475 | min = (CPU_INT08U)val; |
wolfSSL | 4:1b0d80432c79 | 476 | |
wolfSSL | 4:1b0d80432c79 | 477 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 478 | GetTime(&val, date, &i); |
wolfSSL | 4:1b0d80432c79 | 479 | sec = (CPU_INT08U)val; |
wolfSSL | 4:1b0d80432c79 | 480 | |
wolfSSL | 4:1b0d80432c79 | 481 | return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType); |
wolfSSL | 4:1b0d80432c79 | 482 | } |
wolfSSL | 4:1b0d80432c79 | 483 | |
wolfSSL | 4:1b0d80432c79 | 484 | #endif /* MICRIUM */ |
wolfSSL | 4:1b0d80432c79 | 485 | |
wolfSSL | 4:1b0d80432c79 | 486 | #if defined(IDIRECT_DEV_TIME) |
wolfSSL | 4:1b0d80432c79 | 487 | |
wolfSSL | 4:1b0d80432c79 | 488 | extern time_t getTimestamp(); |
wolfSSL | 4:1b0d80432c79 | 489 | |
wolfSSL | 4:1b0d80432c79 | 490 | time_t idirect_time(time_t * timer) |
wolfSSL | 4:1b0d80432c79 | 491 | { |
wolfSSL | 4:1b0d80432c79 | 492 | time_t sec = getTimestamp(); |
wolfSSL | 4:1b0d80432c79 | 493 | |
wolfSSL | 4:1b0d80432c79 | 494 | if (timer != NULL) |
wolfSSL | 4:1b0d80432c79 | 495 | *timer = sec; |
wolfSSL | 4:1b0d80432c79 | 496 | |
wolfSSL | 4:1b0d80432c79 | 497 | return sec; |
wolfSSL | 4:1b0d80432c79 | 498 | } |
wolfSSL | 4:1b0d80432c79 | 499 | |
wolfSSL | 4:1b0d80432c79 | 500 | #endif /* IDIRECT_DEV_TIME */ |
wolfSSL | 4:1b0d80432c79 | 501 | |
wolfSSL | 4:1b0d80432c79 | 502 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 503 | |
wolfSSL | 4:1b0d80432c79 | 504 | WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 4:1b0d80432c79 | 505 | word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 506 | { |
wolfSSL | 4:1b0d80432c79 | 507 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 508 | word32 i = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 509 | byte b; |
wolfSSL | 4:1b0d80432c79 | 510 | |
wolfSSL | 4:1b0d80432c79 | 511 | *len = 0; /* default length */ |
wolfSSL | 4:1b0d80432c79 | 512 | |
wolfSSL | 4:1b0d80432c79 | 513 | if ( (i+1) > maxIdx) { /* for first read */ |
wolfSSL | 4:1b0d80432c79 | 514 | WOLFSSL_MSG("GetLength bad index on input"); |
wolfSSL | 4:1b0d80432c79 | 515 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 516 | } |
wolfSSL | 4:1b0d80432c79 | 517 | |
wolfSSL | 4:1b0d80432c79 | 518 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 519 | if (b >= ASN_LONG_LENGTH) { |
wolfSSL | 4:1b0d80432c79 | 520 | word32 bytes = b & 0x7F; |
wolfSSL | 4:1b0d80432c79 | 521 | |
wolfSSL | 4:1b0d80432c79 | 522 | if ( (i+bytes) > maxIdx) { /* for reading bytes */ |
wolfSSL | 4:1b0d80432c79 | 523 | WOLFSSL_MSG("GetLength bad long length"); |
wolfSSL | 4:1b0d80432c79 | 524 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 525 | } |
wolfSSL | 4:1b0d80432c79 | 526 | |
wolfSSL | 4:1b0d80432c79 | 527 | while (bytes--) { |
wolfSSL | 4:1b0d80432c79 | 528 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 529 | length = (length << 8) | b; |
wolfSSL | 4:1b0d80432c79 | 530 | } |
wolfSSL | 4:1b0d80432c79 | 531 | } |
wolfSSL | 4:1b0d80432c79 | 532 | else |
wolfSSL | 4:1b0d80432c79 | 533 | length = b; |
wolfSSL | 4:1b0d80432c79 | 534 | |
wolfSSL | 4:1b0d80432c79 | 535 | if ( (i+length) > maxIdx) { /* for user of length */ |
wolfSSL | 4:1b0d80432c79 | 536 | WOLFSSL_MSG("GetLength value exceeds buffer length"); |
wolfSSL | 4:1b0d80432c79 | 537 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 538 | } |
wolfSSL | 4:1b0d80432c79 | 539 | |
wolfSSL | 4:1b0d80432c79 | 540 | *inOutIdx = i; |
wolfSSL | 4:1b0d80432c79 | 541 | if (length > 0) |
wolfSSL | 4:1b0d80432c79 | 542 | *len = length; |
wolfSSL | 4:1b0d80432c79 | 543 | |
wolfSSL | 4:1b0d80432c79 | 544 | return length; |
wolfSSL | 4:1b0d80432c79 | 545 | } |
wolfSSL | 4:1b0d80432c79 | 546 | |
wolfSSL | 4:1b0d80432c79 | 547 | |
wolfSSL | 4:1b0d80432c79 | 548 | WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 4:1b0d80432c79 | 549 | word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 550 | { |
wolfSSL | 4:1b0d80432c79 | 551 | int length = -1; |
wolfSSL | 4:1b0d80432c79 | 552 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 553 | |
wolfSSL | 4:1b0d80432c79 | 554 | if (input[idx++] != (ASN_SEQUENCE | ASN_CONSTRUCTED) || |
wolfSSL | 4:1b0d80432c79 | 555 | GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 556 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 557 | |
wolfSSL | 4:1b0d80432c79 | 558 | *len = length; |
wolfSSL | 4:1b0d80432c79 | 559 | *inOutIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 560 | |
wolfSSL | 4:1b0d80432c79 | 561 | return length; |
wolfSSL | 4:1b0d80432c79 | 562 | } |
wolfSSL | 4:1b0d80432c79 | 563 | |
wolfSSL | 4:1b0d80432c79 | 564 | |
wolfSSL | 4:1b0d80432c79 | 565 | WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 4:1b0d80432c79 | 566 | word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 567 | { |
wolfSSL | 4:1b0d80432c79 | 568 | int length = -1; |
wolfSSL | 4:1b0d80432c79 | 569 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 570 | |
wolfSSL | 4:1b0d80432c79 | 571 | if (input[idx++] != (ASN_SET | ASN_CONSTRUCTED) || |
wolfSSL | 4:1b0d80432c79 | 572 | GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 573 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 574 | |
wolfSSL | 4:1b0d80432c79 | 575 | *len = length; |
wolfSSL | 4:1b0d80432c79 | 576 | *inOutIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 577 | |
wolfSSL | 4:1b0d80432c79 | 578 | return length; |
wolfSSL | 4:1b0d80432c79 | 579 | } |
wolfSSL | 4:1b0d80432c79 | 580 | |
wolfSSL | 4:1b0d80432c79 | 581 | |
wolfSSL | 4:1b0d80432c79 | 582 | /* Windows header clash for WinCE using GetVersion */ |
wolfSSL | 4:1b0d80432c79 | 583 | WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, |
wolfSSL | 4:1b0d80432c79 | 584 | int* version) |
wolfSSL | 4:1b0d80432c79 | 585 | { |
wolfSSL | 4:1b0d80432c79 | 586 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 587 | |
wolfSSL | 4:1b0d80432c79 | 588 | WOLFSSL_ENTER("GetMyVersion"); |
wolfSSL | 4:1b0d80432c79 | 589 | |
wolfSSL | 4:1b0d80432c79 | 590 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 591 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 592 | |
wolfSSL | 4:1b0d80432c79 | 593 | if (input[idx++] != 0x01) |
wolfSSL | 4:1b0d80432c79 | 594 | return ASN_VERSION_E; |
wolfSSL | 4:1b0d80432c79 | 595 | |
wolfSSL | 4:1b0d80432c79 | 596 | *version = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 597 | *inOutIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 598 | |
wolfSSL | 4:1b0d80432c79 | 599 | return *version; |
wolfSSL | 4:1b0d80432c79 | 600 | } |
wolfSSL | 4:1b0d80432c79 | 601 | |
wolfSSL | 4:1b0d80432c79 | 602 | |
wolfSSL | 4:1b0d80432c79 | 603 | #ifndef NO_PWDBASED |
wolfSSL | 4:1b0d80432c79 | 604 | /* Get small count integer, 32 bits or less */ |
wolfSSL | 4:1b0d80432c79 | 605 | static int GetShortInt(const byte* input, word32* inOutIdx, int* number) |
wolfSSL | 4:1b0d80432c79 | 606 | { |
wolfSSL | 4:1b0d80432c79 | 607 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 608 | word32 len; |
wolfSSL | 4:1b0d80432c79 | 609 | |
wolfSSL | 4:1b0d80432c79 | 610 | *number = 0; |
wolfSSL | 4:1b0d80432c79 | 611 | |
wolfSSL | 4:1b0d80432c79 | 612 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 613 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 614 | |
wolfSSL | 4:1b0d80432c79 | 615 | len = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 616 | if (len > 4) |
wolfSSL | 4:1b0d80432c79 | 617 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 618 | |
wolfSSL | 4:1b0d80432c79 | 619 | while (len--) { |
wolfSSL | 4:1b0d80432c79 | 620 | *number = *number << 8 | input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 621 | } |
wolfSSL | 4:1b0d80432c79 | 622 | |
wolfSSL | 4:1b0d80432c79 | 623 | *inOutIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 624 | |
wolfSSL | 4:1b0d80432c79 | 625 | return *number; |
wolfSSL | 4:1b0d80432c79 | 626 | } |
wolfSSL | 4:1b0d80432c79 | 627 | #endif /* !NO_PWDBASED */ |
wolfSSL | 4:1b0d80432c79 | 628 | |
wolfSSL | 4:1b0d80432c79 | 629 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 630 | /* May not have one, not an error */ |
wolfSSL | 4:1b0d80432c79 | 631 | static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version) |
wolfSSL | 4:1b0d80432c79 | 632 | { |
wolfSSL | 4:1b0d80432c79 | 633 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 634 | |
wolfSSL | 4:1b0d80432c79 | 635 | WOLFSSL_ENTER("GetExplicitVersion"); |
wolfSSL | 4:1b0d80432c79 | 636 | if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 4:1b0d80432c79 | 637 | *inOutIdx = ++idx; /* eat header */ |
wolfSSL | 4:1b0d80432c79 | 638 | return GetMyVersion(input, inOutIdx, version); |
wolfSSL | 4:1b0d80432c79 | 639 | } |
wolfSSL | 4:1b0d80432c79 | 640 | |
wolfSSL | 4:1b0d80432c79 | 641 | /* go back as is */ |
wolfSSL | 4:1b0d80432c79 | 642 | *version = 0; |
wolfSSL | 4:1b0d80432c79 | 643 | |
wolfSSL | 4:1b0d80432c79 | 644 | return 0; |
wolfSSL | 4:1b0d80432c79 | 645 | } |
wolfSSL | 4:1b0d80432c79 | 646 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 647 | |
wolfSSL | 4:1b0d80432c79 | 648 | WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, |
wolfSSL | 4:1b0d80432c79 | 649 | word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 650 | { |
wolfSSL | 4:1b0d80432c79 | 651 | word32 i = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 652 | byte b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 653 | int length; |
wolfSSL | 4:1b0d80432c79 | 654 | |
wolfSSL | 4:1b0d80432c79 | 655 | if (b != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 656 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 657 | |
wolfSSL | 4:1b0d80432c79 | 658 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 659 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 660 | |
wolfSSL | 4:1b0d80432c79 | 661 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 4:1b0d80432c79 | 662 | length--; |
wolfSSL | 4:1b0d80432c79 | 663 | else |
wolfSSL | 4:1b0d80432c79 | 664 | i--; |
wolfSSL | 4:1b0d80432c79 | 665 | |
wolfSSL | 4:1b0d80432c79 | 666 | if (mp_init(mpi) != MP_OKAY) |
wolfSSL | 4:1b0d80432c79 | 667 | return MP_INIT_E; |
wolfSSL | 4:1b0d80432c79 | 668 | |
wolfSSL | 4:1b0d80432c79 | 669 | if (mp_read_unsigned_bin(mpi, (byte*)input + i, length) != 0) { |
wolfSSL | 4:1b0d80432c79 | 670 | mp_clear(mpi); |
wolfSSL | 4:1b0d80432c79 | 671 | return ASN_GETINT_E; |
wolfSSL | 4:1b0d80432c79 | 672 | } |
wolfSSL | 4:1b0d80432c79 | 673 | |
wolfSSL | 4:1b0d80432c79 | 674 | *inOutIdx = i + length; |
wolfSSL | 4:1b0d80432c79 | 675 | return 0; |
wolfSSL | 4:1b0d80432c79 | 676 | } |
wolfSSL | 4:1b0d80432c79 | 677 | |
wolfSSL | 4:1b0d80432c79 | 678 | |
wolfSSL | 4:1b0d80432c79 | 679 | /* hashType */ |
wolfSSL | 4:1b0d80432c79 | 680 | static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2}; |
wolfSSL | 4:1b0d80432c79 | 681 | static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5}; |
wolfSSL | 4:1b0d80432c79 | 682 | static const byte hashSha1hOid[] = {43, 14, 3, 2, 26}; |
wolfSSL | 4:1b0d80432c79 | 683 | static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1}; |
wolfSSL | 4:1b0d80432c79 | 684 | static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2}; |
wolfSSL | 4:1b0d80432c79 | 685 | static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3}; |
wolfSSL | 4:1b0d80432c79 | 686 | |
wolfSSL | 4:1b0d80432c79 | 687 | /* sigType */ |
wolfSSL | 4:1b0d80432c79 | 688 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 689 | static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3}; |
wolfSSL | 4:1b0d80432c79 | 690 | #endif /* NO_DSA */ |
wolfSSL | 4:1b0d80432c79 | 691 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 692 | static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2}; |
wolfSSL | 4:1b0d80432c79 | 693 | static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4}; |
wolfSSL | 4:1b0d80432c79 | 694 | static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5}; |
wolfSSL | 4:1b0d80432c79 | 695 | static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11}; |
wolfSSL | 4:1b0d80432c79 | 696 | static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12}; |
wolfSSL | 4:1b0d80432c79 | 697 | static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13}; |
wolfSSL | 4:1b0d80432c79 | 698 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 699 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 700 | static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1}; |
wolfSSL | 4:1b0d80432c79 | 701 | static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2}; |
wolfSSL | 4:1b0d80432c79 | 702 | static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3}; |
wolfSSL | 4:1b0d80432c79 | 703 | static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4}; |
wolfSSL | 4:1b0d80432c79 | 704 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 705 | |
wolfSSL | 4:1b0d80432c79 | 706 | /* keyType */ |
wolfSSL | 4:1b0d80432c79 | 707 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 708 | static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1}; |
wolfSSL | 4:1b0d80432c79 | 709 | #endif /* NO_DSA */ |
wolfSSL | 4:1b0d80432c79 | 710 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 711 | static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; |
wolfSSL | 4:1b0d80432c79 | 712 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 713 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 714 | static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1}; |
wolfSSL | 4:1b0d80432c79 | 715 | #endif /* HAVE_NTRU */ |
wolfSSL | 4:1b0d80432c79 | 716 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 717 | static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; |
wolfSSL | 4:1b0d80432c79 | 718 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 719 | |
wolfSSL | 4:1b0d80432c79 | 720 | /* curveType */ |
wolfSSL | 4:1b0d80432c79 | 721 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 722 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 4:1b0d80432c79 | 723 | static const byte curve192v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 1}; |
wolfSSL | 4:1b0d80432c79 | 724 | #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */ |
wolfSSL | 4:1b0d80432c79 | 725 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 4:1b0d80432c79 | 726 | static const byte curve256v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 7}; |
wolfSSL | 4:1b0d80432c79 | 727 | #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */ |
wolfSSL | 4:1b0d80432c79 | 728 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 4:1b0d80432c79 | 729 | static const byte curve160r1Oid[] = {43, 129, 4, 0, 2}; |
wolfSSL | 4:1b0d80432c79 | 730 | #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */ |
wolfSSL | 4:1b0d80432c79 | 731 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 4:1b0d80432c79 | 732 | static const byte curve224r1Oid[] = {43, 129, 4, 0, 33}; |
wolfSSL | 4:1b0d80432c79 | 733 | #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */ |
wolfSSL | 4:1b0d80432c79 | 734 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 4:1b0d80432c79 | 735 | static const byte curve384r1Oid[] = {43, 129, 4, 0, 34}; |
wolfSSL | 4:1b0d80432c79 | 736 | #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */ |
wolfSSL | 4:1b0d80432c79 | 737 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 4:1b0d80432c79 | 738 | static const byte curve521r1Oid[] = {43, 129, 4, 0, 35}; |
wolfSSL | 4:1b0d80432c79 | 739 | #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */ |
wolfSSL | 4:1b0d80432c79 | 740 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 741 | |
wolfSSL | 4:1b0d80432c79 | 742 | /* blkType */ |
wolfSSL | 4:1b0d80432c79 | 743 | static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7}; |
wolfSSL | 4:1b0d80432c79 | 744 | static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7}; |
wolfSSL | 4:1b0d80432c79 | 745 | |
wolfSSL | 4:1b0d80432c79 | 746 | /* ocspType */ |
wolfSSL | 4:1b0d80432c79 | 747 | #ifdef HAVE_OCSP |
wolfSSL | 4:1b0d80432c79 | 748 | static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1}; |
wolfSSL | 4:1b0d80432c79 | 749 | static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2}; |
wolfSSL | 4:1b0d80432c79 | 750 | #endif /* HAVE_OCSP */ |
wolfSSL | 4:1b0d80432c79 | 751 | |
wolfSSL | 4:1b0d80432c79 | 752 | /* certExtType */ |
wolfSSL | 4:1b0d80432c79 | 753 | static const byte extBasicCaOid[] = {85, 29, 19}; |
wolfSSL | 4:1b0d80432c79 | 754 | static const byte extAltNamesOid[] = {85, 29, 17}; |
wolfSSL | 4:1b0d80432c79 | 755 | static const byte extCrlDistOid[] = {85, 29, 31}; |
wolfSSL | 4:1b0d80432c79 | 756 | static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1}; |
wolfSSL | 4:1b0d80432c79 | 757 | static const byte extAuthKeyOid[] = {85, 29, 35}; |
wolfSSL | 4:1b0d80432c79 | 758 | static const byte extSubjKeyOid[] = {85, 29, 14}; |
wolfSSL | 4:1b0d80432c79 | 759 | static const byte extCertPolicyOid[] = {85, 29, 32}; |
wolfSSL | 4:1b0d80432c79 | 760 | static const byte extKeyUsageOid[] = {85, 29, 15}; |
wolfSSL | 4:1b0d80432c79 | 761 | static const byte extInhibitAnyOid[] = {85, 29, 54}; |
wolfSSL | 4:1b0d80432c79 | 762 | static const byte extExtKeyUsageOid[] = {85, 29, 37}; |
wolfSSL | 4:1b0d80432c79 | 763 | static const byte extNameConsOid[] = {85, 29, 30}; |
wolfSSL | 4:1b0d80432c79 | 764 | |
wolfSSL | 4:1b0d80432c79 | 765 | /* certAuthInfoType */ |
wolfSSL | 4:1b0d80432c79 | 766 | static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; |
wolfSSL | 4:1b0d80432c79 | 767 | static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; |
wolfSSL | 4:1b0d80432c79 | 768 | |
wolfSSL | 4:1b0d80432c79 | 769 | /* certPolicyType */ |
wolfSSL | 4:1b0d80432c79 | 770 | static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; |
wolfSSL | 4:1b0d80432c79 | 771 | |
wolfSSL | 4:1b0d80432c79 | 772 | /* certKeyUseType */ |
wolfSSL | 4:1b0d80432c79 | 773 | static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4}; |
wolfSSL | 4:1b0d80432c79 | 774 | |
wolfSSL | 4:1b0d80432c79 | 775 | /* certKeyUseType */ |
wolfSSL | 4:1b0d80432c79 | 776 | static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0}; |
wolfSSL | 4:1b0d80432c79 | 777 | static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1}; |
wolfSSL | 4:1b0d80432c79 | 778 | static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2}; |
wolfSSL | 4:1b0d80432c79 | 779 | static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; |
wolfSSL | 4:1b0d80432c79 | 780 | |
wolfSSL | 4:1b0d80432c79 | 781 | /* kdfType */ |
wolfSSL | 4:1b0d80432c79 | 782 | static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12}; |
wolfSSL | 4:1b0d80432c79 | 783 | |
wolfSSL | 4:1b0d80432c79 | 784 | static const byte* OidFromId(word32 id, word32 type, word32* oidSz) |
wolfSSL | 4:1b0d80432c79 | 785 | { |
wolfSSL | 4:1b0d80432c79 | 786 | const byte* oid = NULL; |
wolfSSL | 4:1b0d80432c79 | 787 | |
wolfSSL | 4:1b0d80432c79 | 788 | *oidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 789 | |
wolfSSL | 4:1b0d80432c79 | 790 | switch (type) { |
wolfSSL | 4:1b0d80432c79 | 791 | |
wolfSSL | 4:1b0d80432c79 | 792 | case hashType: |
wolfSSL | 4:1b0d80432c79 | 793 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 794 | case MD2h: |
wolfSSL | 4:1b0d80432c79 | 795 | oid = hashMd2hOid; |
wolfSSL | 4:1b0d80432c79 | 796 | *oidSz = sizeof(hashMd2hOid); |
wolfSSL | 4:1b0d80432c79 | 797 | break; |
wolfSSL | 4:1b0d80432c79 | 798 | case MD5h: |
wolfSSL | 4:1b0d80432c79 | 799 | oid = hashMd5hOid; |
wolfSSL | 4:1b0d80432c79 | 800 | *oidSz = sizeof(hashMd5hOid); |
wolfSSL | 4:1b0d80432c79 | 801 | break; |
wolfSSL | 4:1b0d80432c79 | 802 | case SHAh: |
wolfSSL | 4:1b0d80432c79 | 803 | oid = hashSha1hOid; |
wolfSSL | 4:1b0d80432c79 | 804 | *oidSz = sizeof(hashSha1hOid); |
wolfSSL | 4:1b0d80432c79 | 805 | break; |
wolfSSL | 4:1b0d80432c79 | 806 | case SHA256h: |
wolfSSL | 4:1b0d80432c79 | 807 | oid = hashSha256hOid; |
wolfSSL | 4:1b0d80432c79 | 808 | *oidSz = sizeof(hashSha256hOid); |
wolfSSL | 4:1b0d80432c79 | 809 | break; |
wolfSSL | 4:1b0d80432c79 | 810 | case SHA384h: |
wolfSSL | 4:1b0d80432c79 | 811 | oid = hashSha384hOid; |
wolfSSL | 4:1b0d80432c79 | 812 | *oidSz = sizeof(hashSha384hOid); |
wolfSSL | 4:1b0d80432c79 | 813 | break; |
wolfSSL | 4:1b0d80432c79 | 814 | case SHA512h: |
wolfSSL | 4:1b0d80432c79 | 815 | oid = hashSha512hOid; |
wolfSSL | 4:1b0d80432c79 | 816 | *oidSz = sizeof(hashSha512hOid); |
wolfSSL | 4:1b0d80432c79 | 817 | break; |
wolfSSL | 4:1b0d80432c79 | 818 | } |
wolfSSL | 4:1b0d80432c79 | 819 | break; |
wolfSSL | 4:1b0d80432c79 | 820 | |
wolfSSL | 4:1b0d80432c79 | 821 | case sigType: |
wolfSSL | 4:1b0d80432c79 | 822 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 823 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 824 | case CTC_SHAwDSA: |
wolfSSL | 4:1b0d80432c79 | 825 | oid = sigSha1wDsaOid; |
wolfSSL | 4:1b0d80432c79 | 826 | *oidSz = sizeof(sigSha1wDsaOid); |
wolfSSL | 4:1b0d80432c79 | 827 | break; |
wolfSSL | 4:1b0d80432c79 | 828 | #endif /* NO_DSA */ |
wolfSSL | 4:1b0d80432c79 | 829 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 830 | case CTC_MD2wRSA: |
wolfSSL | 4:1b0d80432c79 | 831 | oid = sigMd2wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 832 | *oidSz = sizeof(sigMd2wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 833 | break; |
wolfSSL | 4:1b0d80432c79 | 834 | case CTC_MD5wRSA: |
wolfSSL | 4:1b0d80432c79 | 835 | oid = sigMd5wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 836 | *oidSz = sizeof(sigMd5wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 837 | break; |
wolfSSL | 4:1b0d80432c79 | 838 | case CTC_SHAwRSA: |
wolfSSL | 4:1b0d80432c79 | 839 | oid = sigSha1wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 840 | *oidSz = sizeof(sigSha1wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 841 | break; |
wolfSSL | 4:1b0d80432c79 | 842 | case CTC_SHA256wRSA: |
wolfSSL | 4:1b0d80432c79 | 843 | oid = sigSha256wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 844 | *oidSz = sizeof(sigSha256wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 845 | break; |
wolfSSL | 4:1b0d80432c79 | 846 | case CTC_SHA384wRSA: |
wolfSSL | 4:1b0d80432c79 | 847 | oid = sigSha384wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 848 | *oidSz = sizeof(sigSha384wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 849 | break; |
wolfSSL | 4:1b0d80432c79 | 850 | case CTC_SHA512wRSA: |
wolfSSL | 4:1b0d80432c79 | 851 | oid = sigSha512wRsaOid; |
wolfSSL | 4:1b0d80432c79 | 852 | *oidSz = sizeof(sigSha512wRsaOid); |
wolfSSL | 4:1b0d80432c79 | 853 | break; |
wolfSSL | 4:1b0d80432c79 | 854 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 855 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 856 | case CTC_SHAwECDSA: |
wolfSSL | 4:1b0d80432c79 | 857 | oid = sigSha1wEcdsaOid; |
wolfSSL | 4:1b0d80432c79 | 858 | *oidSz = sizeof(sigSha1wEcdsaOid); |
wolfSSL | 4:1b0d80432c79 | 859 | break; |
wolfSSL | 4:1b0d80432c79 | 860 | case CTC_SHA256wECDSA: |
wolfSSL | 4:1b0d80432c79 | 861 | oid = sigSha256wEcdsaOid; |
wolfSSL | 4:1b0d80432c79 | 862 | *oidSz = sizeof(sigSha256wEcdsaOid); |
wolfSSL | 4:1b0d80432c79 | 863 | break; |
wolfSSL | 4:1b0d80432c79 | 864 | case CTC_SHA384wECDSA: |
wolfSSL | 4:1b0d80432c79 | 865 | oid = sigSha384wEcdsaOid; |
wolfSSL | 4:1b0d80432c79 | 866 | *oidSz = sizeof(sigSha384wEcdsaOid); |
wolfSSL | 4:1b0d80432c79 | 867 | break; |
wolfSSL | 4:1b0d80432c79 | 868 | case CTC_SHA512wECDSA: |
wolfSSL | 4:1b0d80432c79 | 869 | oid = sigSha512wEcdsaOid; |
wolfSSL | 4:1b0d80432c79 | 870 | *oidSz = sizeof(sigSha512wEcdsaOid); |
wolfSSL | 4:1b0d80432c79 | 871 | break; |
wolfSSL | 4:1b0d80432c79 | 872 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 873 | default: |
wolfSSL | 4:1b0d80432c79 | 874 | break; |
wolfSSL | 4:1b0d80432c79 | 875 | } |
wolfSSL | 4:1b0d80432c79 | 876 | break; |
wolfSSL | 4:1b0d80432c79 | 877 | |
wolfSSL | 4:1b0d80432c79 | 878 | case keyType: |
wolfSSL | 4:1b0d80432c79 | 879 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 880 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 881 | case DSAk: |
wolfSSL | 4:1b0d80432c79 | 882 | oid = keyDsaOid; |
wolfSSL | 4:1b0d80432c79 | 883 | *oidSz = sizeof(keyDsaOid); |
wolfSSL | 4:1b0d80432c79 | 884 | break; |
wolfSSL | 4:1b0d80432c79 | 885 | #endif /* NO_DSA */ |
wolfSSL | 4:1b0d80432c79 | 886 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 887 | case RSAk: |
wolfSSL | 4:1b0d80432c79 | 888 | oid = keyRsaOid; |
wolfSSL | 4:1b0d80432c79 | 889 | *oidSz = sizeof(keyRsaOid); |
wolfSSL | 4:1b0d80432c79 | 890 | break; |
wolfSSL | 4:1b0d80432c79 | 891 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 892 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 893 | case NTRUk: |
wolfSSL | 4:1b0d80432c79 | 894 | oid = keyNtruOid; |
wolfSSL | 4:1b0d80432c79 | 895 | *oidSz = sizeof(keyNtruOid); |
wolfSSL | 4:1b0d80432c79 | 896 | break; |
wolfSSL | 4:1b0d80432c79 | 897 | #endif /* HAVE_NTRU */ |
wolfSSL | 4:1b0d80432c79 | 898 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 899 | case ECDSAk: |
wolfSSL | 4:1b0d80432c79 | 900 | oid = keyEcdsaOid; |
wolfSSL | 4:1b0d80432c79 | 901 | *oidSz = sizeof(keyEcdsaOid); |
wolfSSL | 4:1b0d80432c79 | 902 | break; |
wolfSSL | 4:1b0d80432c79 | 903 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 904 | default: |
wolfSSL | 4:1b0d80432c79 | 905 | break; |
wolfSSL | 4:1b0d80432c79 | 906 | } |
wolfSSL | 4:1b0d80432c79 | 907 | break; |
wolfSSL | 4:1b0d80432c79 | 908 | |
wolfSSL | 4:1b0d80432c79 | 909 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 910 | case curveType: |
wolfSSL | 4:1b0d80432c79 | 911 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 912 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 4:1b0d80432c79 | 913 | case ECC_256R1: |
wolfSSL | 4:1b0d80432c79 | 914 | oid = curve256v1Oid; |
wolfSSL | 4:1b0d80432c79 | 915 | *oidSz = sizeof(curve256v1Oid); |
wolfSSL | 4:1b0d80432c79 | 916 | break; |
wolfSSL | 4:1b0d80432c79 | 917 | #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */ |
wolfSSL | 4:1b0d80432c79 | 918 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 4:1b0d80432c79 | 919 | case ECC_384R1: |
wolfSSL | 4:1b0d80432c79 | 920 | oid = curve384r1Oid; |
wolfSSL | 4:1b0d80432c79 | 921 | *oidSz = sizeof(curve384r1Oid); |
wolfSSL | 4:1b0d80432c79 | 922 | break; |
wolfSSL | 4:1b0d80432c79 | 923 | #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */ |
wolfSSL | 4:1b0d80432c79 | 924 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 4:1b0d80432c79 | 925 | case ECC_521R1: |
wolfSSL | 4:1b0d80432c79 | 926 | oid = curve521r1Oid; |
wolfSSL | 4:1b0d80432c79 | 927 | *oidSz = sizeof(curve521r1Oid); |
wolfSSL | 4:1b0d80432c79 | 928 | break; |
wolfSSL | 4:1b0d80432c79 | 929 | #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */ |
wolfSSL | 4:1b0d80432c79 | 930 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 4:1b0d80432c79 | 931 | case ECC_160R1: |
wolfSSL | 4:1b0d80432c79 | 932 | oid = curve160r1Oid; |
wolfSSL | 4:1b0d80432c79 | 933 | *oidSz = sizeof(curve160r1Oid); |
wolfSSL | 4:1b0d80432c79 | 934 | break; |
wolfSSL | 4:1b0d80432c79 | 935 | #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */ |
wolfSSL | 4:1b0d80432c79 | 936 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 4:1b0d80432c79 | 937 | case ECC_192R1: |
wolfSSL | 4:1b0d80432c79 | 938 | oid = curve192v1Oid; |
wolfSSL | 4:1b0d80432c79 | 939 | *oidSz = sizeof(curve192v1Oid); |
wolfSSL | 4:1b0d80432c79 | 940 | break; |
wolfSSL | 4:1b0d80432c79 | 941 | #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */ |
wolfSSL | 4:1b0d80432c79 | 942 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 4:1b0d80432c79 | 943 | case ECC_224R1: |
wolfSSL | 4:1b0d80432c79 | 944 | oid = curve224r1Oid; |
wolfSSL | 4:1b0d80432c79 | 945 | *oidSz = sizeof(curve224r1Oid); |
wolfSSL | 4:1b0d80432c79 | 946 | break; |
wolfSSL | 4:1b0d80432c79 | 947 | #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */ |
wolfSSL | 4:1b0d80432c79 | 948 | default: |
wolfSSL | 4:1b0d80432c79 | 949 | break; |
wolfSSL | 4:1b0d80432c79 | 950 | } |
wolfSSL | 4:1b0d80432c79 | 951 | break; |
wolfSSL | 4:1b0d80432c79 | 952 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 953 | |
wolfSSL | 4:1b0d80432c79 | 954 | case blkType: |
wolfSSL | 4:1b0d80432c79 | 955 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 956 | case DESb: |
wolfSSL | 4:1b0d80432c79 | 957 | oid = blkDesCbcOid; |
wolfSSL | 4:1b0d80432c79 | 958 | *oidSz = sizeof(blkDesCbcOid); |
wolfSSL | 4:1b0d80432c79 | 959 | break; |
wolfSSL | 4:1b0d80432c79 | 960 | case DES3b: |
wolfSSL | 4:1b0d80432c79 | 961 | oid = blkDes3CbcOid; |
wolfSSL | 4:1b0d80432c79 | 962 | *oidSz = sizeof(blkDes3CbcOid); |
wolfSSL | 4:1b0d80432c79 | 963 | break; |
wolfSSL | 4:1b0d80432c79 | 964 | } |
wolfSSL | 4:1b0d80432c79 | 965 | break; |
wolfSSL | 4:1b0d80432c79 | 966 | |
wolfSSL | 4:1b0d80432c79 | 967 | #ifdef HAVE_OCSP |
wolfSSL | 4:1b0d80432c79 | 968 | case ocspType: |
wolfSSL | 4:1b0d80432c79 | 969 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 970 | case OCSP_BASIC_OID: |
wolfSSL | 4:1b0d80432c79 | 971 | oid = ocspBasicOid; |
wolfSSL | 4:1b0d80432c79 | 972 | *oidSz = sizeof(ocspBasicOid); |
wolfSSL | 4:1b0d80432c79 | 973 | break; |
wolfSSL | 4:1b0d80432c79 | 974 | case OCSP_NONCE_OID: |
wolfSSL | 4:1b0d80432c79 | 975 | oid = ocspNonceOid; |
wolfSSL | 4:1b0d80432c79 | 976 | *oidSz = sizeof(ocspNonceOid); |
wolfSSL | 4:1b0d80432c79 | 977 | break; |
wolfSSL | 4:1b0d80432c79 | 978 | } |
wolfSSL | 4:1b0d80432c79 | 979 | break; |
wolfSSL | 4:1b0d80432c79 | 980 | #endif /* HAVE_OCSP */ |
wolfSSL | 4:1b0d80432c79 | 981 | |
wolfSSL | 4:1b0d80432c79 | 982 | case certExtType: |
wolfSSL | 4:1b0d80432c79 | 983 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 984 | case BASIC_CA_OID: |
wolfSSL | 4:1b0d80432c79 | 985 | oid = extBasicCaOid; |
wolfSSL | 4:1b0d80432c79 | 986 | *oidSz = sizeof(extBasicCaOid); |
wolfSSL | 4:1b0d80432c79 | 987 | break; |
wolfSSL | 4:1b0d80432c79 | 988 | case ALT_NAMES_OID: |
wolfSSL | 4:1b0d80432c79 | 989 | oid = extAltNamesOid; |
wolfSSL | 4:1b0d80432c79 | 990 | *oidSz = sizeof(extAltNamesOid); |
wolfSSL | 4:1b0d80432c79 | 991 | break; |
wolfSSL | 4:1b0d80432c79 | 992 | case CRL_DIST_OID: |
wolfSSL | 4:1b0d80432c79 | 993 | oid = extCrlDistOid; |
wolfSSL | 4:1b0d80432c79 | 994 | *oidSz = sizeof(extCrlDistOid); |
wolfSSL | 4:1b0d80432c79 | 995 | break; |
wolfSSL | 4:1b0d80432c79 | 996 | case AUTH_INFO_OID: |
wolfSSL | 4:1b0d80432c79 | 997 | oid = extAuthInfoOid; |
wolfSSL | 4:1b0d80432c79 | 998 | *oidSz = sizeof(extAuthInfoOid); |
wolfSSL | 4:1b0d80432c79 | 999 | break; |
wolfSSL | 4:1b0d80432c79 | 1000 | case AUTH_KEY_OID: |
wolfSSL | 4:1b0d80432c79 | 1001 | oid = extAuthKeyOid; |
wolfSSL | 4:1b0d80432c79 | 1002 | *oidSz = sizeof(extAuthKeyOid); |
wolfSSL | 4:1b0d80432c79 | 1003 | break; |
wolfSSL | 4:1b0d80432c79 | 1004 | case SUBJ_KEY_OID: |
wolfSSL | 4:1b0d80432c79 | 1005 | oid = extSubjKeyOid; |
wolfSSL | 4:1b0d80432c79 | 1006 | *oidSz = sizeof(extSubjKeyOid); |
wolfSSL | 4:1b0d80432c79 | 1007 | break; |
wolfSSL | 4:1b0d80432c79 | 1008 | case CERT_POLICY_OID: |
wolfSSL | 4:1b0d80432c79 | 1009 | oid = extCertPolicyOid; |
wolfSSL | 4:1b0d80432c79 | 1010 | *oidSz = sizeof(extCertPolicyOid); |
wolfSSL | 4:1b0d80432c79 | 1011 | break; |
wolfSSL | 4:1b0d80432c79 | 1012 | case KEY_USAGE_OID: |
wolfSSL | 4:1b0d80432c79 | 1013 | oid = extKeyUsageOid; |
wolfSSL | 4:1b0d80432c79 | 1014 | *oidSz = sizeof(extKeyUsageOid); |
wolfSSL | 4:1b0d80432c79 | 1015 | break; |
wolfSSL | 4:1b0d80432c79 | 1016 | case INHIBIT_ANY_OID: |
wolfSSL | 4:1b0d80432c79 | 1017 | oid = extInhibitAnyOid; |
wolfSSL | 4:1b0d80432c79 | 1018 | *oidSz = sizeof(extInhibitAnyOid); |
wolfSSL | 4:1b0d80432c79 | 1019 | break; |
wolfSSL | 4:1b0d80432c79 | 1020 | case EXT_KEY_USAGE_OID: |
wolfSSL | 4:1b0d80432c79 | 1021 | oid = extExtKeyUsageOid; |
wolfSSL | 4:1b0d80432c79 | 1022 | *oidSz = sizeof(extExtKeyUsageOid); |
wolfSSL | 4:1b0d80432c79 | 1023 | break; |
wolfSSL | 4:1b0d80432c79 | 1024 | case NAME_CONS_OID: |
wolfSSL | 4:1b0d80432c79 | 1025 | oid = extNameConsOid; |
wolfSSL | 4:1b0d80432c79 | 1026 | *oidSz = sizeof(extNameConsOid); |
wolfSSL | 4:1b0d80432c79 | 1027 | break; |
wolfSSL | 4:1b0d80432c79 | 1028 | } |
wolfSSL | 4:1b0d80432c79 | 1029 | break; |
wolfSSL | 4:1b0d80432c79 | 1030 | |
wolfSSL | 4:1b0d80432c79 | 1031 | case certAuthInfoType: |
wolfSSL | 4:1b0d80432c79 | 1032 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1033 | case AIA_OCSP_OID: |
wolfSSL | 4:1b0d80432c79 | 1034 | oid = extAuthInfoOcspOid; |
wolfSSL | 4:1b0d80432c79 | 1035 | *oidSz = sizeof(extAuthInfoOcspOid); |
wolfSSL | 4:1b0d80432c79 | 1036 | break; |
wolfSSL | 4:1b0d80432c79 | 1037 | case AIA_CA_ISSUER_OID: |
wolfSSL | 4:1b0d80432c79 | 1038 | oid = extAuthInfoCaIssuerOid; |
wolfSSL | 4:1b0d80432c79 | 1039 | *oidSz = sizeof(extAuthInfoCaIssuerOid); |
wolfSSL | 4:1b0d80432c79 | 1040 | break; |
wolfSSL | 4:1b0d80432c79 | 1041 | } |
wolfSSL | 4:1b0d80432c79 | 1042 | break; |
wolfSSL | 4:1b0d80432c79 | 1043 | |
wolfSSL | 4:1b0d80432c79 | 1044 | case certPolicyType: |
wolfSSL | 4:1b0d80432c79 | 1045 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1046 | case CP_ANY_OID: |
wolfSSL | 4:1b0d80432c79 | 1047 | oid = extCertPolicyAnyOid; |
wolfSSL | 4:1b0d80432c79 | 1048 | *oidSz = sizeof(extCertPolicyAnyOid); |
wolfSSL | 4:1b0d80432c79 | 1049 | break; |
wolfSSL | 4:1b0d80432c79 | 1050 | } |
wolfSSL | 4:1b0d80432c79 | 1051 | break; |
wolfSSL | 4:1b0d80432c79 | 1052 | |
wolfSSL | 4:1b0d80432c79 | 1053 | case certAltNameType: |
wolfSSL | 4:1b0d80432c79 | 1054 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1055 | case HW_NAME_OID: |
wolfSSL | 4:1b0d80432c79 | 1056 | oid = extAltNamesHwNameOid; |
wolfSSL | 4:1b0d80432c79 | 1057 | *oidSz = sizeof(extAltNamesHwNameOid); |
wolfSSL | 4:1b0d80432c79 | 1058 | break; |
wolfSSL | 4:1b0d80432c79 | 1059 | } |
wolfSSL | 4:1b0d80432c79 | 1060 | break; |
wolfSSL | 4:1b0d80432c79 | 1061 | |
wolfSSL | 4:1b0d80432c79 | 1062 | case certKeyUseType: |
wolfSSL | 4:1b0d80432c79 | 1063 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1064 | case EKU_ANY_OID: |
wolfSSL | 4:1b0d80432c79 | 1065 | oid = extExtKeyUsageAnyOid; |
wolfSSL | 4:1b0d80432c79 | 1066 | *oidSz = sizeof(extExtKeyUsageAnyOid); |
wolfSSL | 4:1b0d80432c79 | 1067 | break; |
wolfSSL | 4:1b0d80432c79 | 1068 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 4:1b0d80432c79 | 1069 | oid = extExtKeyUsageServerAuthOid; |
wolfSSL | 4:1b0d80432c79 | 1070 | *oidSz = sizeof(extExtKeyUsageServerAuthOid); |
wolfSSL | 4:1b0d80432c79 | 1071 | break; |
wolfSSL | 4:1b0d80432c79 | 1072 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 4:1b0d80432c79 | 1073 | oid = extExtKeyUsageClientAuthOid; |
wolfSSL | 4:1b0d80432c79 | 1074 | *oidSz = sizeof(extExtKeyUsageClientAuthOid); |
wolfSSL | 4:1b0d80432c79 | 1075 | break; |
wolfSSL | 4:1b0d80432c79 | 1076 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 4:1b0d80432c79 | 1077 | oid = extExtKeyUsageOcspSignOid; |
wolfSSL | 4:1b0d80432c79 | 1078 | *oidSz = sizeof(extExtKeyUsageOcspSignOid); |
wolfSSL | 4:1b0d80432c79 | 1079 | break; |
wolfSSL | 4:1b0d80432c79 | 1080 | } |
wolfSSL | 4:1b0d80432c79 | 1081 | |
wolfSSL | 4:1b0d80432c79 | 1082 | case kdfType: |
wolfSSL | 4:1b0d80432c79 | 1083 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1084 | case PBKDF2_OID: |
wolfSSL | 4:1b0d80432c79 | 1085 | oid = pbkdf2Oid; |
wolfSSL | 4:1b0d80432c79 | 1086 | *oidSz = sizeof(pbkdf2Oid); |
wolfSSL | 4:1b0d80432c79 | 1087 | break; |
wolfSSL | 4:1b0d80432c79 | 1088 | } |
wolfSSL | 4:1b0d80432c79 | 1089 | break; |
wolfSSL | 4:1b0d80432c79 | 1090 | |
wolfSSL | 4:1b0d80432c79 | 1091 | case ignoreType: |
wolfSSL | 4:1b0d80432c79 | 1092 | default: |
wolfSSL | 4:1b0d80432c79 | 1093 | break; |
wolfSSL | 4:1b0d80432c79 | 1094 | } |
wolfSSL | 4:1b0d80432c79 | 1095 | |
wolfSSL | 4:1b0d80432c79 | 1096 | return oid; |
wolfSSL | 4:1b0d80432c79 | 1097 | } |
wolfSSL | 4:1b0d80432c79 | 1098 | |
wolfSSL | 4:1b0d80432c79 | 1099 | |
wolfSSL | 4:1b0d80432c79 | 1100 | WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 4:1b0d80432c79 | 1101 | word32 oidType, word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 1102 | { |
wolfSSL | 4:1b0d80432c79 | 1103 | int length; |
wolfSSL | 4:1b0d80432c79 | 1104 | word32 i = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 1105 | #ifndef NO_VERIFY_OID |
wolfSSL | 4:1b0d80432c79 | 1106 | word32 actualOidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 1107 | const byte* actualOid; |
wolfSSL | 4:1b0d80432c79 | 1108 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 4:1b0d80432c79 | 1109 | byte b; |
wolfSSL | 4:1b0d80432c79 | 1110 | |
wolfSSL | 4:1b0d80432c79 | 1111 | (void)oidType; |
wolfSSL | 4:1b0d80432c79 | 1112 | WOLFSSL_ENTER("GetObjectId()"); |
wolfSSL | 4:1b0d80432c79 | 1113 | *oid = 0; |
wolfSSL | 4:1b0d80432c79 | 1114 | |
wolfSSL | 4:1b0d80432c79 | 1115 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 1116 | if (b != ASN_OBJECT_ID) |
wolfSSL | 4:1b0d80432c79 | 1117 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1118 | |
wolfSSL | 4:1b0d80432c79 | 1119 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 1120 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1121 | |
wolfSSL | 4:1b0d80432c79 | 1122 | #ifndef NO_VERIFY_OID |
wolfSSL | 4:1b0d80432c79 | 1123 | actualOid = &input[i]; |
wolfSSL | 4:1b0d80432c79 | 1124 | if (length > 0) |
wolfSSL | 4:1b0d80432c79 | 1125 | actualOidSz = (word32)length; |
wolfSSL | 4:1b0d80432c79 | 1126 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 4:1b0d80432c79 | 1127 | |
wolfSSL | 4:1b0d80432c79 | 1128 | while(length--) { |
wolfSSL | 4:1b0d80432c79 | 1129 | /* odd HC08 compiler behavior here when input[i++] */ |
wolfSSL | 4:1b0d80432c79 | 1130 | *oid += input[i]; |
wolfSSL | 4:1b0d80432c79 | 1131 | i++; |
wolfSSL | 4:1b0d80432c79 | 1132 | } |
wolfSSL | 4:1b0d80432c79 | 1133 | /* just sum it up for now */ |
wolfSSL | 4:1b0d80432c79 | 1134 | |
wolfSSL | 4:1b0d80432c79 | 1135 | *inOutIdx = i; |
wolfSSL | 4:1b0d80432c79 | 1136 | |
wolfSSL | 4:1b0d80432c79 | 1137 | #ifndef NO_VERIFY_OID |
wolfSSL | 4:1b0d80432c79 | 1138 | { |
wolfSSL | 4:1b0d80432c79 | 1139 | const byte* checkOid = NULL; |
wolfSSL | 4:1b0d80432c79 | 1140 | word32 checkOidSz; |
wolfSSL | 4:1b0d80432c79 | 1141 | |
wolfSSL | 4:1b0d80432c79 | 1142 | if (oidType != ignoreType) { |
wolfSSL | 4:1b0d80432c79 | 1143 | checkOid = OidFromId(*oid, oidType, &checkOidSz); |
wolfSSL | 4:1b0d80432c79 | 1144 | |
wolfSSL | 4:1b0d80432c79 | 1145 | if (checkOid != NULL && |
wolfSSL | 4:1b0d80432c79 | 1146 | (checkOidSz != actualOidSz || |
wolfSSL | 4:1b0d80432c79 | 1147 | XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) { |
wolfSSL | 4:1b0d80432c79 | 1148 | |
wolfSSL | 4:1b0d80432c79 | 1149 | WOLFSSL_MSG("OID Check Failed"); |
wolfSSL | 4:1b0d80432c79 | 1150 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 4:1b0d80432c79 | 1151 | } |
wolfSSL | 4:1b0d80432c79 | 1152 | } |
wolfSSL | 4:1b0d80432c79 | 1153 | } |
wolfSSL | 4:1b0d80432c79 | 1154 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 4:1b0d80432c79 | 1155 | |
wolfSSL | 4:1b0d80432c79 | 1156 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1157 | } |
wolfSSL | 4:1b0d80432c79 | 1158 | |
wolfSSL | 4:1b0d80432c79 | 1159 | |
wolfSSL | 4:1b0d80432c79 | 1160 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 1161 | #ifndef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 1162 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 4:1b0d80432c79 | 1163 | static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 1164 | { |
wolfSSL | 4:1b0d80432c79 | 1165 | int length; |
wolfSSL | 4:1b0d80432c79 | 1166 | |
wolfSSL | 4:1b0d80432c79 | 1167 | if (input[(*inOutIdx)++] != ASN_OBJECT_ID) |
wolfSSL | 4:1b0d80432c79 | 1168 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1169 | |
wolfSSL | 4:1b0d80432c79 | 1170 | if (GetLength(input, inOutIdx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 1171 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1172 | |
wolfSSL | 4:1b0d80432c79 | 1173 | *inOutIdx += length; |
wolfSSL | 4:1b0d80432c79 | 1174 | |
wolfSSL | 4:1b0d80432c79 | 1175 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1176 | } |
wolfSSL | 4:1b0d80432c79 | 1177 | #endif /* OPENSSL_EXTRA || RSA_DECODE_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 1178 | #endif /* !HAVE_USER_RSA */ |
wolfSSL | 4:1b0d80432c79 | 1179 | #endif /* !NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 1180 | |
wolfSSL | 4:1b0d80432c79 | 1181 | WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 4:1b0d80432c79 | 1182 | word32 oidType, word32 maxIdx) |
wolfSSL | 4:1b0d80432c79 | 1183 | { |
wolfSSL | 4:1b0d80432c79 | 1184 | int length; |
wolfSSL | 4:1b0d80432c79 | 1185 | word32 i = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 1186 | byte b; |
wolfSSL | 4:1b0d80432c79 | 1187 | *oid = 0; |
wolfSSL | 4:1b0d80432c79 | 1188 | |
wolfSSL | 4:1b0d80432c79 | 1189 | WOLFSSL_ENTER("GetAlgoId"); |
wolfSSL | 4:1b0d80432c79 | 1190 | |
wolfSSL | 4:1b0d80432c79 | 1191 | if (GetSequence(input, &i, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 1192 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1193 | |
wolfSSL | 4:1b0d80432c79 | 1194 | if (GetObjectId(input, &i, oid, oidType, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 1195 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1196 | |
wolfSSL | 4:1b0d80432c79 | 1197 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 4:1b0d80432c79 | 1198 | b = input[i]; |
wolfSSL | 4:1b0d80432c79 | 1199 | |
wolfSSL | 4:1b0d80432c79 | 1200 | if (b == ASN_TAG_NULL) { |
wolfSSL | 4:1b0d80432c79 | 1201 | i++; |
wolfSSL | 4:1b0d80432c79 | 1202 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 1203 | if (b != 0) |
wolfSSL | 4:1b0d80432c79 | 1204 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 1205 | } |
wolfSSL | 4:1b0d80432c79 | 1206 | |
wolfSSL | 4:1b0d80432c79 | 1207 | *inOutIdx = i; |
wolfSSL | 4:1b0d80432c79 | 1208 | |
wolfSSL | 4:1b0d80432c79 | 1209 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1210 | } |
wolfSSL | 4:1b0d80432c79 | 1211 | |
wolfSSL | 4:1b0d80432c79 | 1212 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 1213 | |
wolfSSL | 4:1b0d80432c79 | 1214 | |
wolfSSL | 4:1b0d80432c79 | 1215 | #ifdef HAVE_CAVIUM |
wolfSSL | 4:1b0d80432c79 | 1216 | |
wolfSSL | 4:1b0d80432c79 | 1217 | static int GetCaviumInt(byte** buff, word16* buffSz, const byte* input, |
wolfSSL | 4:1b0d80432c79 | 1218 | word32* inOutIdx, word32 maxIdx, void* heap) |
wolfSSL | 4:1b0d80432c79 | 1219 | { |
wolfSSL | 4:1b0d80432c79 | 1220 | word32 i = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 1221 | byte b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 1222 | int length; |
wolfSSL | 4:1b0d80432c79 | 1223 | |
wolfSSL | 4:1b0d80432c79 | 1224 | if (b != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 1225 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1226 | |
wolfSSL | 4:1b0d80432c79 | 1227 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 1228 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1229 | |
wolfSSL | 4:1b0d80432c79 | 1230 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 4:1b0d80432c79 | 1231 | length--; |
wolfSSL | 4:1b0d80432c79 | 1232 | else |
wolfSSL | 4:1b0d80432c79 | 1233 | i--; |
wolfSSL | 4:1b0d80432c79 | 1234 | |
wolfSSL | 4:1b0d80432c79 | 1235 | *buffSz = (word16)length; |
wolfSSL | 4:1b0d80432c79 | 1236 | *buff = XMALLOC(*buffSz, heap, DYNAMIC_TYPE_CAVIUM_RSA); |
wolfSSL | 4:1b0d80432c79 | 1237 | if (*buff == NULL) |
wolfSSL | 4:1b0d80432c79 | 1238 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 1239 | |
wolfSSL | 4:1b0d80432c79 | 1240 | XMEMCPY(*buff, input + i, *buffSz); |
wolfSSL | 4:1b0d80432c79 | 1241 | |
wolfSSL | 4:1b0d80432c79 | 1242 | *inOutIdx = i + length; |
wolfSSL | 4:1b0d80432c79 | 1243 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1244 | } |
wolfSSL | 4:1b0d80432c79 | 1245 | |
wolfSSL | 4:1b0d80432c79 | 1246 | static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 4:1b0d80432c79 | 1247 | RsaKey* key, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1248 | { |
wolfSSL | 4:1b0d80432c79 | 1249 | int version, length; |
wolfSSL | 4:1b0d80432c79 | 1250 | void* h = key->heap; |
wolfSSL | 4:1b0d80432c79 | 1251 | |
wolfSSL | 4:1b0d80432c79 | 1252 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1253 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1254 | |
wolfSSL | 4:1b0d80432c79 | 1255 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 1256 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1257 | |
wolfSSL | 4:1b0d80432c79 | 1258 | key->type = RSA_PRIVATE; |
wolfSSL | 4:1b0d80432c79 | 1259 | |
wolfSSL | 4:1b0d80432c79 | 1260 | if (GetCaviumInt(&key->c_n, &key->c_nSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1261 | GetCaviumInt(&key->c_e, &key->c_eSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1262 | GetCaviumInt(&key->c_d, &key->c_dSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1263 | GetCaviumInt(&key->c_p, &key->c_pSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1264 | GetCaviumInt(&key->c_q, &key->c_qSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1265 | GetCaviumInt(&key->c_dP, &key->c_dP_Sz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1266 | GetCaviumInt(&key->c_dQ, &key->c_dQ_Sz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1267 | GetCaviumInt(&key->c_u, &key->c_uSz, input, inOutIdx, inSz, h) < 0 ) |
wolfSSL | 4:1b0d80432c79 | 1268 | return ASN_RSA_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1269 | |
wolfSSL | 4:1b0d80432c79 | 1270 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1271 | } |
wolfSSL | 4:1b0d80432c79 | 1272 | |
wolfSSL | 4:1b0d80432c79 | 1273 | |
wolfSSL | 4:1b0d80432c79 | 1274 | #endif /* HAVE_CAVIUM */ |
wolfSSL | 4:1b0d80432c79 | 1275 | |
wolfSSL | 4:1b0d80432c79 | 1276 | #ifndef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 1277 | int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 4:1b0d80432c79 | 1278 | word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1279 | { |
wolfSSL | 4:1b0d80432c79 | 1280 | int version, length; |
wolfSSL | 4:1b0d80432c79 | 1281 | |
wolfSSL | 4:1b0d80432c79 | 1282 | #ifdef HAVE_CAVIUM |
wolfSSL | 4:1b0d80432c79 | 1283 | if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) |
wolfSSL | 4:1b0d80432c79 | 1284 | return CaviumRsaPrivateKeyDecode(input, inOutIdx, key, inSz); |
wolfSSL | 4:1b0d80432c79 | 1285 | #endif |
wolfSSL | 4:1b0d80432c79 | 1286 | |
wolfSSL | 4:1b0d80432c79 | 1287 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1288 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1289 | |
wolfSSL | 4:1b0d80432c79 | 1290 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 1291 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1292 | |
wolfSSL | 4:1b0d80432c79 | 1293 | key->type = RSA_PRIVATE; |
wolfSSL | 4:1b0d80432c79 | 1294 | |
wolfSSL | 4:1b0d80432c79 | 1295 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1296 | GetInt(&key->e, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1297 | GetInt(&key->d, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1298 | GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1299 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1300 | GetInt(&key->dP, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1301 | GetInt(&key->dQ, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1302 | GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1303 | |
wolfSSL | 4:1b0d80432c79 | 1304 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1305 | } |
wolfSSL | 4:1b0d80432c79 | 1306 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 4:1b0d80432c79 | 1307 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 1308 | |
wolfSSL | 4:1b0d80432c79 | 1309 | /* Remove PKCS8 header, move beginning of traditional to beginning of input */ |
wolfSSL | 4:1b0d80432c79 | 1310 | int ToTraditional(byte* input, word32 sz) |
wolfSSL | 4:1b0d80432c79 | 1311 | { |
wolfSSL | 4:1b0d80432c79 | 1312 | word32 inOutIdx = 0, oid; |
wolfSSL | 4:1b0d80432c79 | 1313 | int version, length; |
wolfSSL | 4:1b0d80432c79 | 1314 | |
wolfSSL | 4:1b0d80432c79 | 1315 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1316 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1317 | |
wolfSSL | 4:1b0d80432c79 | 1318 | if (GetMyVersion(input, &inOutIdx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 1319 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1320 | |
wolfSSL | 4:1b0d80432c79 | 1321 | if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1322 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1323 | |
wolfSSL | 4:1b0d80432c79 | 1324 | if (input[inOutIdx] == ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 1325 | /* pkcs8 ecc uses slightly different format */ |
wolfSSL | 4:1b0d80432c79 | 1326 | inOutIdx++; /* past id */ |
wolfSSL | 4:1b0d80432c79 | 1327 | if (GetLength(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1328 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1329 | inOutIdx += length; /* over sub id, key input will verify */ |
wolfSSL | 4:1b0d80432c79 | 1330 | } |
wolfSSL | 4:1b0d80432c79 | 1331 | |
wolfSSL | 4:1b0d80432c79 | 1332 | if (input[inOutIdx++] != ASN_OCTET_STRING) |
wolfSSL | 4:1b0d80432c79 | 1333 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1334 | |
wolfSSL | 4:1b0d80432c79 | 1335 | if (GetLength(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1336 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1337 | |
wolfSSL | 4:1b0d80432c79 | 1338 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 4:1b0d80432c79 | 1339 | |
wolfSSL | 4:1b0d80432c79 | 1340 | return length; |
wolfSSL | 4:1b0d80432c79 | 1341 | } |
wolfSSL | 4:1b0d80432c79 | 1342 | |
wolfSSL | 4:1b0d80432c79 | 1343 | |
wolfSSL | 4:1b0d80432c79 | 1344 | #ifndef NO_PWDBASED |
wolfSSL | 4:1b0d80432c79 | 1345 | |
wolfSSL | 4:1b0d80432c79 | 1346 | /* Check To see if PKCS version algo is supported, set id if it is return 0 |
wolfSSL | 4:1b0d80432c79 | 1347 | < 0 on error */ |
wolfSSL | 4:1b0d80432c79 | 1348 | static int CheckAlgo(int first, int second, int* id, int* version) |
wolfSSL | 4:1b0d80432c79 | 1349 | { |
wolfSSL | 4:1b0d80432c79 | 1350 | *id = ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1351 | *version = PKCS5; /* default */ |
wolfSSL | 4:1b0d80432c79 | 1352 | |
wolfSSL | 4:1b0d80432c79 | 1353 | if (first == 1) { |
wolfSSL | 4:1b0d80432c79 | 1354 | switch (second) { |
wolfSSL | 4:1b0d80432c79 | 1355 | case 1: |
wolfSSL | 4:1b0d80432c79 | 1356 | *id = PBE_SHA1_RC4_128; |
wolfSSL | 4:1b0d80432c79 | 1357 | *version = PKCS12; |
wolfSSL | 4:1b0d80432c79 | 1358 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1359 | case 3: |
wolfSSL | 4:1b0d80432c79 | 1360 | *id = PBE_SHA1_DES3; |
wolfSSL | 4:1b0d80432c79 | 1361 | *version = PKCS12; |
wolfSSL | 4:1b0d80432c79 | 1362 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1363 | default: |
wolfSSL | 4:1b0d80432c79 | 1364 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1365 | } |
wolfSSL | 4:1b0d80432c79 | 1366 | } |
wolfSSL | 4:1b0d80432c79 | 1367 | |
wolfSSL | 4:1b0d80432c79 | 1368 | if (first != PKCS5) |
wolfSSL | 4:1b0d80432c79 | 1369 | return ASN_INPUT_E; /* VERSION ERROR */ |
wolfSSL | 4:1b0d80432c79 | 1370 | |
wolfSSL | 4:1b0d80432c79 | 1371 | if (second == PBES2) { |
wolfSSL | 4:1b0d80432c79 | 1372 | *version = PKCS5v2; |
wolfSSL | 4:1b0d80432c79 | 1373 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1374 | } |
wolfSSL | 4:1b0d80432c79 | 1375 | |
wolfSSL | 4:1b0d80432c79 | 1376 | switch (second) { |
wolfSSL | 4:1b0d80432c79 | 1377 | case 3: /* see RFC 2898 for ids */ |
wolfSSL | 4:1b0d80432c79 | 1378 | *id = PBE_MD5_DES; |
wolfSSL | 4:1b0d80432c79 | 1379 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1380 | case 10: |
wolfSSL | 4:1b0d80432c79 | 1381 | *id = PBE_SHA1_DES; |
wolfSSL | 4:1b0d80432c79 | 1382 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1383 | default: |
wolfSSL | 4:1b0d80432c79 | 1384 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1385 | |
wolfSSL | 4:1b0d80432c79 | 1386 | } |
wolfSSL | 4:1b0d80432c79 | 1387 | } |
wolfSSL | 4:1b0d80432c79 | 1388 | |
wolfSSL | 4:1b0d80432c79 | 1389 | |
wolfSSL | 4:1b0d80432c79 | 1390 | /* Check To see if PKCS v2 algo is supported, set id if it is return 0 |
wolfSSL | 4:1b0d80432c79 | 1391 | < 0 on error */ |
wolfSSL | 4:1b0d80432c79 | 1392 | static int CheckAlgoV2(int oid, int* id) |
wolfSSL | 4:1b0d80432c79 | 1393 | { |
wolfSSL | 4:1b0d80432c79 | 1394 | switch (oid) { |
wolfSSL | 4:1b0d80432c79 | 1395 | case 69: |
wolfSSL | 4:1b0d80432c79 | 1396 | *id = PBE_SHA1_DES; |
wolfSSL | 4:1b0d80432c79 | 1397 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1398 | case 652: |
wolfSSL | 4:1b0d80432c79 | 1399 | *id = PBE_SHA1_DES3; |
wolfSSL | 4:1b0d80432c79 | 1400 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1401 | default: |
wolfSSL | 4:1b0d80432c79 | 1402 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1403 | |
wolfSSL | 4:1b0d80432c79 | 1404 | } |
wolfSSL | 4:1b0d80432c79 | 1405 | } |
wolfSSL | 4:1b0d80432c79 | 1406 | |
wolfSSL | 4:1b0d80432c79 | 1407 | |
wolfSSL | 4:1b0d80432c79 | 1408 | /* Decrypt input in place from parameters based on id */ |
wolfSSL | 4:1b0d80432c79 | 1409 | static int DecryptKey(const char* password, int passwordSz, byte* salt, |
wolfSSL | 4:1b0d80432c79 | 1410 | int saltSz, int iterations, int id, byte* input, |
wolfSSL | 4:1b0d80432c79 | 1411 | int length, int version, byte* cbcIv) |
wolfSSL | 4:1b0d80432c79 | 1412 | { |
wolfSSL | 4:1b0d80432c79 | 1413 | int typeH; |
wolfSSL | 4:1b0d80432c79 | 1414 | int derivedLen; |
wolfSSL | 4:1b0d80432c79 | 1415 | int decryptionType; |
wolfSSL | 4:1b0d80432c79 | 1416 | int ret = 0; |
wolfSSL | 4:1b0d80432c79 | 1417 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1418 | byte* key; |
wolfSSL | 4:1b0d80432c79 | 1419 | #else |
wolfSSL | 4:1b0d80432c79 | 1420 | byte key[MAX_KEY_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 1421 | #endif |
wolfSSL | 4:1b0d80432c79 | 1422 | |
wolfSSL | 4:1b0d80432c79 | 1423 | (void)input; |
wolfSSL | 4:1b0d80432c79 | 1424 | (void)length; |
wolfSSL | 4:1b0d80432c79 | 1425 | |
wolfSSL | 4:1b0d80432c79 | 1426 | switch (id) { |
wolfSSL | 4:1b0d80432c79 | 1427 | case PBE_MD5_DES: |
wolfSSL | 4:1b0d80432c79 | 1428 | typeH = MD5; |
wolfSSL | 4:1b0d80432c79 | 1429 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 4:1b0d80432c79 | 1430 | decryptionType = DES_TYPE; |
wolfSSL | 4:1b0d80432c79 | 1431 | break; |
wolfSSL | 4:1b0d80432c79 | 1432 | |
wolfSSL | 4:1b0d80432c79 | 1433 | case PBE_SHA1_DES: |
wolfSSL | 4:1b0d80432c79 | 1434 | typeH = SHA; |
wolfSSL | 4:1b0d80432c79 | 1435 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 4:1b0d80432c79 | 1436 | decryptionType = DES_TYPE; |
wolfSSL | 4:1b0d80432c79 | 1437 | break; |
wolfSSL | 4:1b0d80432c79 | 1438 | |
wolfSSL | 4:1b0d80432c79 | 1439 | case PBE_SHA1_DES3: |
wolfSSL | 4:1b0d80432c79 | 1440 | typeH = SHA; |
wolfSSL | 4:1b0d80432c79 | 1441 | derivedLen = 32; /* may need iv for v1.5 */ |
wolfSSL | 4:1b0d80432c79 | 1442 | decryptionType = DES3_TYPE; |
wolfSSL | 4:1b0d80432c79 | 1443 | break; |
wolfSSL | 4:1b0d80432c79 | 1444 | |
wolfSSL | 4:1b0d80432c79 | 1445 | case PBE_SHA1_RC4_128: |
wolfSSL | 4:1b0d80432c79 | 1446 | typeH = SHA; |
wolfSSL | 4:1b0d80432c79 | 1447 | derivedLen = 16; |
wolfSSL | 4:1b0d80432c79 | 1448 | decryptionType = RC4_TYPE; |
wolfSSL | 4:1b0d80432c79 | 1449 | break; |
wolfSSL | 4:1b0d80432c79 | 1450 | |
wolfSSL | 4:1b0d80432c79 | 1451 | default: |
wolfSSL | 4:1b0d80432c79 | 1452 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1453 | } |
wolfSSL | 4:1b0d80432c79 | 1454 | |
wolfSSL | 4:1b0d80432c79 | 1455 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1456 | key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1457 | if (key == NULL) |
wolfSSL | 4:1b0d80432c79 | 1458 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 1459 | #endif |
wolfSSL | 4:1b0d80432c79 | 1460 | |
wolfSSL | 4:1b0d80432c79 | 1461 | if (version == PKCS5v2) |
wolfSSL | 4:1b0d80432c79 | 1462 | ret = wc_PBKDF2(key, (byte*)password, passwordSz, |
wolfSSL | 4:1b0d80432c79 | 1463 | salt, saltSz, iterations, derivedLen, typeH); |
wolfSSL | 4:1b0d80432c79 | 1464 | #ifndef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 1465 | else if (version == PKCS5) |
wolfSSL | 4:1b0d80432c79 | 1466 | ret = wc_PBKDF1(key, (byte*)password, passwordSz, |
wolfSSL | 4:1b0d80432c79 | 1467 | salt, saltSz, iterations, derivedLen, typeH); |
wolfSSL | 4:1b0d80432c79 | 1468 | #endif |
wolfSSL | 4:1b0d80432c79 | 1469 | else if (version == PKCS12) { |
wolfSSL | 4:1b0d80432c79 | 1470 | int i, idx = 0; |
wolfSSL | 4:1b0d80432c79 | 1471 | byte unicodePasswd[MAX_UNICODE_SZ]; |
wolfSSL | 4:1b0d80432c79 | 1472 | |
wolfSSL | 4:1b0d80432c79 | 1473 | if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) { |
wolfSSL | 4:1b0d80432c79 | 1474 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1475 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1476 | #endif |
wolfSSL | 4:1b0d80432c79 | 1477 | return UNICODE_SIZE_E; |
wolfSSL | 4:1b0d80432c79 | 1478 | } |
wolfSSL | 4:1b0d80432c79 | 1479 | |
wolfSSL | 4:1b0d80432c79 | 1480 | for (i = 0; i < passwordSz; i++) { |
wolfSSL | 4:1b0d80432c79 | 1481 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 1482 | unicodePasswd[idx++] = (byte)password[i]; |
wolfSSL | 4:1b0d80432c79 | 1483 | } |
wolfSSL | 4:1b0d80432c79 | 1484 | /* add trailing NULL */ |
wolfSSL | 4:1b0d80432c79 | 1485 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 1486 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 1487 | |
wolfSSL | 4:1b0d80432c79 | 1488 | ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 4:1b0d80432c79 | 1489 | iterations, derivedLen, typeH, 1); |
wolfSSL | 4:1b0d80432c79 | 1490 | if (decryptionType != RC4_TYPE) |
wolfSSL | 4:1b0d80432c79 | 1491 | ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 4:1b0d80432c79 | 1492 | iterations, 8, typeH, 2); |
wolfSSL | 4:1b0d80432c79 | 1493 | } |
wolfSSL | 4:1b0d80432c79 | 1494 | else { |
wolfSSL | 4:1b0d80432c79 | 1495 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1496 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1497 | #endif |
wolfSSL | 4:1b0d80432c79 | 1498 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1499 | } |
wolfSSL | 4:1b0d80432c79 | 1500 | |
wolfSSL | 4:1b0d80432c79 | 1501 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 1502 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1503 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1504 | #endif |
wolfSSL | 4:1b0d80432c79 | 1505 | return ret; |
wolfSSL | 4:1b0d80432c79 | 1506 | } |
wolfSSL | 4:1b0d80432c79 | 1507 | |
wolfSSL | 4:1b0d80432c79 | 1508 | switch (decryptionType) { |
wolfSSL | 4:1b0d80432c79 | 1509 | #ifndef NO_DES3 |
wolfSSL | 4:1b0d80432c79 | 1510 | case DES_TYPE: |
wolfSSL | 4:1b0d80432c79 | 1511 | { |
wolfSSL | 4:1b0d80432c79 | 1512 | Des dec; |
wolfSSL | 4:1b0d80432c79 | 1513 | byte* desIv = key + 8; |
wolfSSL | 4:1b0d80432c79 | 1514 | |
wolfSSL | 4:1b0d80432c79 | 1515 | if (version == PKCS5v2 || version == PKCS12) |
wolfSSL | 4:1b0d80432c79 | 1516 | desIv = cbcIv; |
wolfSSL | 4:1b0d80432c79 | 1517 | |
wolfSSL | 4:1b0d80432c79 | 1518 | ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 4:1b0d80432c79 | 1519 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 1520 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1521 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1522 | #endif |
wolfSSL | 4:1b0d80432c79 | 1523 | return ret; |
wolfSSL | 4:1b0d80432c79 | 1524 | } |
wolfSSL | 4:1b0d80432c79 | 1525 | |
wolfSSL | 4:1b0d80432c79 | 1526 | wc_Des_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 4:1b0d80432c79 | 1527 | break; |
wolfSSL | 4:1b0d80432c79 | 1528 | } |
wolfSSL | 4:1b0d80432c79 | 1529 | |
wolfSSL | 4:1b0d80432c79 | 1530 | case DES3_TYPE: |
wolfSSL | 4:1b0d80432c79 | 1531 | { |
wolfSSL | 4:1b0d80432c79 | 1532 | Des3 dec; |
wolfSSL | 4:1b0d80432c79 | 1533 | byte* desIv = key + 24; |
wolfSSL | 4:1b0d80432c79 | 1534 | |
wolfSSL | 4:1b0d80432c79 | 1535 | if (version == PKCS5v2 || version == PKCS12) |
wolfSSL | 4:1b0d80432c79 | 1536 | desIv = cbcIv; |
wolfSSL | 4:1b0d80432c79 | 1537 | ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 4:1b0d80432c79 | 1538 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 1539 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1540 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1541 | #endif |
wolfSSL | 4:1b0d80432c79 | 1542 | return ret; |
wolfSSL | 4:1b0d80432c79 | 1543 | } |
wolfSSL | 4:1b0d80432c79 | 1544 | ret = wc_Des3_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 4:1b0d80432c79 | 1545 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 1546 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1547 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1548 | #endif |
wolfSSL | 4:1b0d80432c79 | 1549 | return ret; |
wolfSSL | 4:1b0d80432c79 | 1550 | } |
wolfSSL | 4:1b0d80432c79 | 1551 | break; |
wolfSSL | 4:1b0d80432c79 | 1552 | } |
wolfSSL | 4:1b0d80432c79 | 1553 | #endif |
wolfSSL | 4:1b0d80432c79 | 1554 | #ifndef NO_RC4 |
wolfSSL | 4:1b0d80432c79 | 1555 | case RC4_TYPE: |
wolfSSL | 4:1b0d80432c79 | 1556 | { |
wolfSSL | 4:1b0d80432c79 | 1557 | Arc4 dec; |
wolfSSL | 4:1b0d80432c79 | 1558 | |
wolfSSL | 4:1b0d80432c79 | 1559 | wc_Arc4SetKey(&dec, key, derivedLen); |
wolfSSL | 4:1b0d80432c79 | 1560 | wc_Arc4Process(&dec, input, input, length); |
wolfSSL | 4:1b0d80432c79 | 1561 | break; |
wolfSSL | 4:1b0d80432c79 | 1562 | } |
wolfSSL | 4:1b0d80432c79 | 1563 | #endif |
wolfSSL | 4:1b0d80432c79 | 1564 | |
wolfSSL | 4:1b0d80432c79 | 1565 | default: |
wolfSSL | 4:1b0d80432c79 | 1566 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1567 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1568 | #endif |
wolfSSL | 4:1b0d80432c79 | 1569 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 1570 | } |
wolfSSL | 4:1b0d80432c79 | 1571 | |
wolfSSL | 4:1b0d80432c79 | 1572 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1573 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1574 | #endif |
wolfSSL | 4:1b0d80432c79 | 1575 | |
wolfSSL | 4:1b0d80432c79 | 1576 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1577 | } |
wolfSSL | 4:1b0d80432c79 | 1578 | |
wolfSSL | 4:1b0d80432c79 | 1579 | |
wolfSSL | 4:1b0d80432c79 | 1580 | /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning |
wolfSSL | 4:1b0d80432c79 | 1581 | of input */ |
wolfSSL | 4:1b0d80432c79 | 1582 | int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) |
wolfSSL | 4:1b0d80432c79 | 1583 | { |
wolfSSL | 4:1b0d80432c79 | 1584 | word32 inOutIdx = 0, oid; |
wolfSSL | 4:1b0d80432c79 | 1585 | int first, second, length, version, saltSz, id; |
wolfSSL | 4:1b0d80432c79 | 1586 | int iterations = 0; |
wolfSSL | 4:1b0d80432c79 | 1587 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1588 | byte* salt = NULL; |
wolfSSL | 4:1b0d80432c79 | 1589 | byte* cbcIv = NULL; |
wolfSSL | 4:1b0d80432c79 | 1590 | #else |
wolfSSL | 4:1b0d80432c79 | 1591 | byte salt[MAX_SALT_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 1592 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 1593 | #endif |
wolfSSL | 4:1b0d80432c79 | 1594 | |
wolfSSL | 4:1b0d80432c79 | 1595 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1596 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1597 | |
wolfSSL | 4:1b0d80432c79 | 1598 | if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1599 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1600 | |
wolfSSL | 4:1b0d80432c79 | 1601 | first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */ |
wolfSSL | 4:1b0d80432c79 | 1602 | second = input[inOutIdx - 1]; /* version.algo, algo id last byte */ |
wolfSSL | 4:1b0d80432c79 | 1603 | |
wolfSSL | 4:1b0d80432c79 | 1604 | if (CheckAlgo(first, second, &id, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 1605 | return ASN_INPUT_E; /* Algo ID error */ |
wolfSSL | 4:1b0d80432c79 | 1606 | |
wolfSSL | 4:1b0d80432c79 | 1607 | if (version == PKCS5v2) { |
wolfSSL | 4:1b0d80432c79 | 1608 | |
wolfSSL | 4:1b0d80432c79 | 1609 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1610 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1611 | |
wolfSSL | 4:1b0d80432c79 | 1612 | if (GetAlgoId(input, &inOutIdx, &oid, kdfType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1613 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1614 | |
wolfSSL | 4:1b0d80432c79 | 1615 | if (oid != PBKDF2_OID) |
wolfSSL | 4:1b0d80432c79 | 1616 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1617 | } |
wolfSSL | 4:1b0d80432c79 | 1618 | |
wolfSSL | 4:1b0d80432c79 | 1619 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1620 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1621 | |
wolfSSL | 4:1b0d80432c79 | 1622 | if (input[inOutIdx++] != ASN_OCTET_STRING) |
wolfSSL | 4:1b0d80432c79 | 1623 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1624 | |
wolfSSL | 4:1b0d80432c79 | 1625 | if (GetLength(input, &inOutIdx, &saltSz, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1626 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1627 | |
wolfSSL | 4:1b0d80432c79 | 1628 | if (saltSz > MAX_SALT_SIZE) |
wolfSSL | 4:1b0d80432c79 | 1629 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1630 | |
wolfSSL | 4:1b0d80432c79 | 1631 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1632 | salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1633 | if (salt == NULL) |
wolfSSL | 4:1b0d80432c79 | 1634 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 1635 | #endif |
wolfSSL | 4:1b0d80432c79 | 1636 | |
wolfSSL | 4:1b0d80432c79 | 1637 | XMEMCPY(salt, &input[inOutIdx], saltSz); |
wolfSSL | 4:1b0d80432c79 | 1638 | inOutIdx += saltSz; |
wolfSSL | 4:1b0d80432c79 | 1639 | |
wolfSSL | 4:1b0d80432c79 | 1640 | if (GetShortInt(input, &inOutIdx, &iterations) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1641 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1642 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1643 | #endif |
wolfSSL | 4:1b0d80432c79 | 1644 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1645 | } |
wolfSSL | 4:1b0d80432c79 | 1646 | |
wolfSSL | 4:1b0d80432c79 | 1647 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1648 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1649 | if (cbcIv == NULL) { |
wolfSSL | 4:1b0d80432c79 | 1650 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1651 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 1652 | } |
wolfSSL | 4:1b0d80432c79 | 1653 | #endif |
wolfSSL | 4:1b0d80432c79 | 1654 | |
wolfSSL | 4:1b0d80432c79 | 1655 | if (version == PKCS5v2) { |
wolfSSL | 4:1b0d80432c79 | 1656 | /* get encryption algo */ |
wolfSSL | 4:1b0d80432c79 | 1657 | /* JOHN: New type. Need a little more research. */ |
wolfSSL | 4:1b0d80432c79 | 1658 | if (GetAlgoId(input, &inOutIdx, &oid, blkType, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1659 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1660 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1661 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1662 | #endif |
wolfSSL | 4:1b0d80432c79 | 1663 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1664 | } |
wolfSSL | 4:1b0d80432c79 | 1665 | |
wolfSSL | 4:1b0d80432c79 | 1666 | if (CheckAlgoV2(oid, &id) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1667 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1668 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1669 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1670 | #endif |
wolfSSL | 4:1b0d80432c79 | 1671 | return ASN_PARSE_E; /* PKCS v2 algo id error */ |
wolfSSL | 4:1b0d80432c79 | 1672 | } |
wolfSSL | 4:1b0d80432c79 | 1673 | |
wolfSSL | 4:1b0d80432c79 | 1674 | if (input[inOutIdx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 1675 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1676 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1677 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1678 | #endif |
wolfSSL | 4:1b0d80432c79 | 1679 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1680 | } |
wolfSSL | 4:1b0d80432c79 | 1681 | |
wolfSSL | 4:1b0d80432c79 | 1682 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1683 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1684 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1685 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1686 | #endif |
wolfSSL | 4:1b0d80432c79 | 1687 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1688 | } |
wolfSSL | 4:1b0d80432c79 | 1689 | |
wolfSSL | 4:1b0d80432c79 | 1690 | XMEMCPY(cbcIv, &input[inOutIdx], length); |
wolfSSL | 4:1b0d80432c79 | 1691 | inOutIdx += length; |
wolfSSL | 4:1b0d80432c79 | 1692 | } |
wolfSSL | 4:1b0d80432c79 | 1693 | |
wolfSSL | 4:1b0d80432c79 | 1694 | if (input[inOutIdx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 1695 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1696 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1697 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1698 | #endif |
wolfSSL | 4:1b0d80432c79 | 1699 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1700 | } |
wolfSSL | 4:1b0d80432c79 | 1701 | |
wolfSSL | 4:1b0d80432c79 | 1702 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1703 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1704 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1705 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1706 | #endif |
wolfSSL | 4:1b0d80432c79 | 1707 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1708 | } |
wolfSSL | 4:1b0d80432c79 | 1709 | |
wolfSSL | 4:1b0d80432c79 | 1710 | if (DecryptKey(password, passwordSz, salt, saltSz, iterations, id, |
wolfSSL | 4:1b0d80432c79 | 1711 | input + inOutIdx, length, version, cbcIv) < 0) { |
wolfSSL | 4:1b0d80432c79 | 1712 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1713 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1714 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1715 | #endif |
wolfSSL | 4:1b0d80432c79 | 1716 | return ASN_INPUT_E; /* decrypt failure */ |
wolfSSL | 4:1b0d80432c79 | 1717 | } |
wolfSSL | 4:1b0d80432c79 | 1718 | |
wolfSSL | 4:1b0d80432c79 | 1719 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 1720 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1721 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 1722 | #endif |
wolfSSL | 4:1b0d80432c79 | 1723 | |
wolfSSL | 4:1b0d80432c79 | 1724 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 4:1b0d80432c79 | 1725 | return ToTraditional(input, length); |
wolfSSL | 4:1b0d80432c79 | 1726 | } |
wolfSSL | 4:1b0d80432c79 | 1727 | |
wolfSSL | 4:1b0d80432c79 | 1728 | #endif /* NO_PWDBASED */ |
wolfSSL | 4:1b0d80432c79 | 1729 | |
wolfSSL | 4:1b0d80432c79 | 1730 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 1731 | |
wolfSSL | 4:1b0d80432c79 | 1732 | #ifndef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 1733 | int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 4:1b0d80432c79 | 1734 | word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1735 | { |
wolfSSL | 4:1b0d80432c79 | 1736 | int length; |
wolfSSL | 4:1b0d80432c79 | 1737 | |
wolfSSL | 4:1b0d80432c79 | 1738 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1739 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1740 | |
wolfSSL | 4:1b0d80432c79 | 1741 | key->type = RSA_PUBLIC; |
wolfSSL | 4:1b0d80432c79 | 1742 | |
wolfSSL | 4:1b0d80432c79 | 1743 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 4:1b0d80432c79 | 1744 | { |
wolfSSL | 4:1b0d80432c79 | 1745 | byte b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 1746 | if (b != ASN_INTEGER) { |
wolfSSL | 4:1b0d80432c79 | 1747 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 4:1b0d80432c79 | 1748 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1749 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1750 | |
wolfSSL | 4:1b0d80432c79 | 1751 | if (SkipObjectId(input, inOutIdx, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1752 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1753 | |
wolfSSL | 4:1b0d80432c79 | 1754 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 4:1b0d80432c79 | 1755 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 1756 | |
wolfSSL | 4:1b0d80432c79 | 1757 | if (b == ASN_TAG_NULL) { |
wolfSSL | 4:1b0d80432c79 | 1758 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 1759 | if (b != 0) |
wolfSSL | 4:1b0d80432c79 | 1760 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 1761 | } |
wolfSSL | 4:1b0d80432c79 | 1762 | else |
wolfSSL | 4:1b0d80432c79 | 1763 | /* go back, didn't have it */ |
wolfSSL | 4:1b0d80432c79 | 1764 | (*inOutIdx)--; |
wolfSSL | 4:1b0d80432c79 | 1765 | |
wolfSSL | 4:1b0d80432c79 | 1766 | /* should have bit tag length and seq next */ |
wolfSSL | 4:1b0d80432c79 | 1767 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 1768 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 1769 | return ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 1770 | |
wolfSSL | 4:1b0d80432c79 | 1771 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1772 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1773 | |
wolfSSL | 4:1b0d80432c79 | 1774 | /* could have 0 */ |
wolfSSL | 4:1b0d80432c79 | 1775 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 1776 | if (b != 0) |
wolfSSL | 4:1b0d80432c79 | 1777 | (*inOutIdx)--; |
wolfSSL | 4:1b0d80432c79 | 1778 | |
wolfSSL | 4:1b0d80432c79 | 1779 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1780 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1781 | } /* end if */ |
wolfSSL | 4:1b0d80432c79 | 1782 | } /* openssl var block */ |
wolfSSL | 4:1b0d80432c79 | 1783 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 1784 | |
wolfSSL | 4:1b0d80432c79 | 1785 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1786 | GetInt(&key->e, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1787 | |
wolfSSL | 4:1b0d80432c79 | 1788 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1789 | } |
wolfSSL | 4:1b0d80432c79 | 1790 | |
wolfSSL | 4:1b0d80432c79 | 1791 | /* import RSA public key elements (n, e) into RsaKey structure (key) */ |
wolfSSL | 4:1b0d80432c79 | 1792 | int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, |
wolfSSL | 4:1b0d80432c79 | 1793 | word32 eSz, RsaKey* key) |
wolfSSL | 4:1b0d80432c79 | 1794 | { |
wolfSSL | 4:1b0d80432c79 | 1795 | if (n == NULL || e == NULL || key == NULL) |
wolfSSL | 4:1b0d80432c79 | 1796 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 1797 | |
wolfSSL | 4:1b0d80432c79 | 1798 | key->type = RSA_PUBLIC; |
wolfSSL | 4:1b0d80432c79 | 1799 | |
wolfSSL | 4:1b0d80432c79 | 1800 | if (mp_init(&key->n) != MP_OKAY) |
wolfSSL | 4:1b0d80432c79 | 1801 | return MP_INIT_E; |
wolfSSL | 4:1b0d80432c79 | 1802 | |
wolfSSL | 4:1b0d80432c79 | 1803 | if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) { |
wolfSSL | 4:1b0d80432c79 | 1804 | mp_clear(&key->n); |
wolfSSL | 4:1b0d80432c79 | 1805 | return ASN_GETINT_E; |
wolfSSL | 4:1b0d80432c79 | 1806 | } |
wolfSSL | 4:1b0d80432c79 | 1807 | |
wolfSSL | 4:1b0d80432c79 | 1808 | if (mp_init(&key->e) != MP_OKAY) { |
wolfSSL | 4:1b0d80432c79 | 1809 | mp_clear(&key->n); |
wolfSSL | 4:1b0d80432c79 | 1810 | return MP_INIT_E; |
wolfSSL | 4:1b0d80432c79 | 1811 | } |
wolfSSL | 4:1b0d80432c79 | 1812 | |
wolfSSL | 4:1b0d80432c79 | 1813 | if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) { |
wolfSSL | 4:1b0d80432c79 | 1814 | mp_clear(&key->n); |
wolfSSL | 4:1b0d80432c79 | 1815 | mp_clear(&key->e); |
wolfSSL | 4:1b0d80432c79 | 1816 | return ASN_GETINT_E; |
wolfSSL | 4:1b0d80432c79 | 1817 | } |
wolfSSL | 4:1b0d80432c79 | 1818 | |
wolfSSL | 4:1b0d80432c79 | 1819 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1820 | } |
wolfSSL | 4:1b0d80432c79 | 1821 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 4:1b0d80432c79 | 1822 | #endif |
wolfSSL | 4:1b0d80432c79 | 1823 | |
wolfSSL | 4:1b0d80432c79 | 1824 | #ifndef NO_DH |
wolfSSL | 4:1b0d80432c79 | 1825 | |
wolfSSL | 4:1b0d80432c79 | 1826 | int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1827 | { |
wolfSSL | 4:1b0d80432c79 | 1828 | int length; |
wolfSSL | 4:1b0d80432c79 | 1829 | |
wolfSSL | 4:1b0d80432c79 | 1830 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1831 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1832 | |
wolfSSL | 4:1b0d80432c79 | 1833 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1834 | GetInt(&key->g, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1835 | |
wolfSSL | 4:1b0d80432c79 | 1836 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1837 | } |
wolfSSL | 4:1b0d80432c79 | 1838 | |
wolfSSL | 4:1b0d80432c79 | 1839 | |
wolfSSL | 4:1b0d80432c79 | 1840 | int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, |
wolfSSL | 4:1b0d80432c79 | 1841 | byte* g, word32* gInOutSz) |
wolfSSL | 4:1b0d80432c79 | 1842 | { |
wolfSSL | 4:1b0d80432c79 | 1843 | word32 i = 0; |
wolfSSL | 4:1b0d80432c79 | 1844 | byte b; |
wolfSSL | 4:1b0d80432c79 | 1845 | int length; |
wolfSSL | 4:1b0d80432c79 | 1846 | |
wolfSSL | 4:1b0d80432c79 | 1847 | if (GetSequence(input, &i, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1848 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1849 | |
wolfSSL | 4:1b0d80432c79 | 1850 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 1851 | if (b != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 1852 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1853 | |
wolfSSL | 4:1b0d80432c79 | 1854 | if (GetLength(input, &i, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1855 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1856 | |
wolfSSL | 4:1b0d80432c79 | 1857 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 4:1b0d80432c79 | 1858 | length--; |
wolfSSL | 4:1b0d80432c79 | 1859 | else |
wolfSSL | 4:1b0d80432c79 | 1860 | i--; |
wolfSSL | 4:1b0d80432c79 | 1861 | |
wolfSSL | 4:1b0d80432c79 | 1862 | if (length <= (int)*pInOutSz) { |
wolfSSL | 4:1b0d80432c79 | 1863 | XMEMCPY(p, &input[i], length); |
wolfSSL | 4:1b0d80432c79 | 1864 | *pInOutSz = length; |
wolfSSL | 4:1b0d80432c79 | 1865 | } |
wolfSSL | 4:1b0d80432c79 | 1866 | else |
wolfSSL | 4:1b0d80432c79 | 1867 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 1868 | |
wolfSSL | 4:1b0d80432c79 | 1869 | i += length; |
wolfSSL | 4:1b0d80432c79 | 1870 | |
wolfSSL | 4:1b0d80432c79 | 1871 | b = input[i++]; |
wolfSSL | 4:1b0d80432c79 | 1872 | if (b != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 1873 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1874 | |
wolfSSL | 4:1b0d80432c79 | 1875 | if (GetLength(input, &i, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1876 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1877 | |
wolfSSL | 4:1b0d80432c79 | 1878 | if (length <= (int)*gInOutSz) { |
wolfSSL | 4:1b0d80432c79 | 1879 | XMEMCPY(g, &input[i], length); |
wolfSSL | 4:1b0d80432c79 | 1880 | *gInOutSz = length; |
wolfSSL | 4:1b0d80432c79 | 1881 | } |
wolfSSL | 4:1b0d80432c79 | 1882 | else |
wolfSSL | 4:1b0d80432c79 | 1883 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 1884 | |
wolfSSL | 4:1b0d80432c79 | 1885 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1886 | } |
wolfSSL | 4:1b0d80432c79 | 1887 | |
wolfSSL | 4:1b0d80432c79 | 1888 | #endif /* NO_DH */ |
wolfSSL | 4:1b0d80432c79 | 1889 | |
wolfSSL | 4:1b0d80432c79 | 1890 | |
wolfSSL | 4:1b0d80432c79 | 1891 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 1892 | |
wolfSSL | 4:1b0d80432c79 | 1893 | int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 4:1b0d80432c79 | 1894 | word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1895 | { |
wolfSSL | 4:1b0d80432c79 | 1896 | int length; |
wolfSSL | 4:1b0d80432c79 | 1897 | |
wolfSSL | 4:1b0d80432c79 | 1898 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1899 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1900 | |
wolfSSL | 4:1b0d80432c79 | 1901 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1902 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1903 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1904 | GetInt(&key->y, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 4:1b0d80432c79 | 1905 | return ASN_DH_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1906 | |
wolfSSL | 4:1b0d80432c79 | 1907 | key->type = DSA_PUBLIC; |
wolfSSL | 4:1b0d80432c79 | 1908 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1909 | } |
wolfSSL | 4:1b0d80432c79 | 1910 | |
wolfSSL | 4:1b0d80432c79 | 1911 | |
wolfSSL | 4:1b0d80432c79 | 1912 | int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 4:1b0d80432c79 | 1913 | word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 1914 | { |
wolfSSL | 4:1b0d80432c79 | 1915 | int length, version; |
wolfSSL | 4:1b0d80432c79 | 1916 | |
wolfSSL | 4:1b0d80432c79 | 1917 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 1918 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1919 | |
wolfSSL | 4:1b0d80432c79 | 1920 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 1921 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 1922 | |
wolfSSL | 4:1b0d80432c79 | 1923 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1924 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1925 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1926 | GetInt(&key->y, input, inOutIdx, inSz) < 0 || |
wolfSSL | 4:1b0d80432c79 | 1927 | GetInt(&key->x, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 4:1b0d80432c79 | 1928 | return ASN_DH_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 1929 | |
wolfSSL | 4:1b0d80432c79 | 1930 | key->type = DSA_PRIVATE; |
wolfSSL | 4:1b0d80432c79 | 1931 | return 0; |
wolfSSL | 4:1b0d80432c79 | 1932 | } |
wolfSSL | 4:1b0d80432c79 | 1933 | |
wolfSSL | 4:1b0d80432c79 | 1934 | static mp_int* GetDsaInt(DsaKey* key, int idx) |
wolfSSL | 4:1b0d80432c79 | 1935 | { |
wolfSSL | 4:1b0d80432c79 | 1936 | if (idx == 0) |
wolfSSL | 4:1b0d80432c79 | 1937 | return &key->p; |
wolfSSL | 4:1b0d80432c79 | 1938 | if (idx == 1) |
wolfSSL | 4:1b0d80432c79 | 1939 | return &key->q; |
wolfSSL | 4:1b0d80432c79 | 1940 | if (idx == 2) |
wolfSSL | 4:1b0d80432c79 | 1941 | return &key->g; |
wolfSSL | 4:1b0d80432c79 | 1942 | if (idx == 3) |
wolfSSL | 4:1b0d80432c79 | 1943 | return &key->y; |
wolfSSL | 4:1b0d80432c79 | 1944 | if (idx == 4) |
wolfSSL | 4:1b0d80432c79 | 1945 | return &key->x; |
wolfSSL | 4:1b0d80432c79 | 1946 | |
wolfSSL | 4:1b0d80432c79 | 1947 | return NULL; |
wolfSSL | 4:1b0d80432c79 | 1948 | } |
wolfSSL | 4:1b0d80432c79 | 1949 | |
wolfSSL | 4:1b0d80432c79 | 1950 | /* Release Tmp DSA resources */ |
wolfSSL | 4:1b0d80432c79 | 1951 | static INLINE void FreeTmpDsas(byte** tmps) |
wolfSSL | 4:1b0d80432c79 | 1952 | { |
wolfSSL | 4:1b0d80432c79 | 1953 | int i; |
wolfSSL | 4:1b0d80432c79 | 1954 | |
wolfSSL | 4:1b0d80432c79 | 1955 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 4:1b0d80432c79 | 1956 | XFREE(tmps[i], NULL, DYNAMIC_TYPE_DSA); |
wolfSSL | 4:1b0d80432c79 | 1957 | } |
wolfSSL | 4:1b0d80432c79 | 1958 | |
wolfSSL | 4:1b0d80432c79 | 1959 | /* Convert DsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 4:1b0d80432c79 | 1960 | written */ |
wolfSSL | 4:1b0d80432c79 | 1961 | int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) |
wolfSSL | 4:1b0d80432c79 | 1962 | { |
wolfSSL | 4:1b0d80432c79 | 1963 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 4:1b0d80432c79 | 1964 | word32 sizes[DSA_INTS]; |
wolfSSL | 4:1b0d80432c79 | 1965 | int i, j, outLen, ret = 0, lbit; |
wolfSSL | 4:1b0d80432c79 | 1966 | |
wolfSSL | 4:1b0d80432c79 | 1967 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 1968 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 4:1b0d80432c79 | 1969 | byte* tmps[DSA_INTS]; |
wolfSSL | 4:1b0d80432c79 | 1970 | |
wolfSSL | 4:1b0d80432c79 | 1971 | if (!key || !output) |
wolfSSL | 4:1b0d80432c79 | 1972 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 1973 | |
wolfSSL | 4:1b0d80432c79 | 1974 | if (key->type != DSA_PRIVATE) |
wolfSSL | 4:1b0d80432c79 | 1975 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 1976 | |
wolfSSL | 4:1b0d80432c79 | 1977 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 4:1b0d80432c79 | 1978 | tmps[i] = NULL; |
wolfSSL | 4:1b0d80432c79 | 1979 | |
wolfSSL | 4:1b0d80432c79 | 1980 | /* write all big ints from key to DER tmps */ |
wolfSSL | 4:1b0d80432c79 | 1981 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 4:1b0d80432c79 | 1982 | mp_int* keyInt = GetDsaInt(key, i); |
wolfSSL | 4:1b0d80432c79 | 1983 | |
wolfSSL | 4:1b0d80432c79 | 1984 | /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 1985 | lbit = mp_leading_bit(keyInt); |
wolfSSL | 4:1b0d80432c79 | 1986 | rawLen = mp_unsigned_bin_size(keyInt) + lbit; |
wolfSSL | 4:1b0d80432c79 | 1987 | |
wolfSSL | 4:1b0d80432c79 | 1988 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, NULL, DYNAMIC_TYPE_DSA); |
wolfSSL | 4:1b0d80432c79 | 1989 | if (tmps[i] == NULL) { |
wolfSSL | 4:1b0d80432c79 | 1990 | ret = MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 1991 | break; |
wolfSSL | 4:1b0d80432c79 | 1992 | } |
wolfSSL | 4:1b0d80432c79 | 1993 | |
wolfSSL | 4:1b0d80432c79 | 1994 | tmps[i][0] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 1995 | sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */ |
wolfSSL | 4:1b0d80432c79 | 1996 | |
wolfSSL | 4:1b0d80432c79 | 1997 | if (sizes[i] <= MAX_SEQ_SZ) { |
wolfSSL | 4:1b0d80432c79 | 1998 | int err; |
wolfSSL | 4:1b0d80432c79 | 1999 | |
wolfSSL | 4:1b0d80432c79 | 2000 | /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 2001 | if (lbit) |
wolfSSL | 4:1b0d80432c79 | 2002 | tmps[i][sizes[i]-1] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 2003 | |
wolfSSL | 4:1b0d80432c79 | 2004 | err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); |
wolfSSL | 4:1b0d80432c79 | 2005 | if (err == MP_OKAY) { |
wolfSSL | 4:1b0d80432c79 | 2006 | sizes[i] += (rawLen-lbit); /* lbit included in rawLen */ |
wolfSSL | 4:1b0d80432c79 | 2007 | intTotalLen += sizes[i]; |
wolfSSL | 4:1b0d80432c79 | 2008 | } |
wolfSSL | 4:1b0d80432c79 | 2009 | else { |
wolfSSL | 4:1b0d80432c79 | 2010 | ret = err; |
wolfSSL | 4:1b0d80432c79 | 2011 | break; |
wolfSSL | 4:1b0d80432c79 | 2012 | } |
wolfSSL | 4:1b0d80432c79 | 2013 | } |
wolfSSL | 4:1b0d80432c79 | 2014 | else { |
wolfSSL | 4:1b0d80432c79 | 2015 | ret = ASN_INPUT_E; |
wolfSSL | 4:1b0d80432c79 | 2016 | break; |
wolfSSL | 4:1b0d80432c79 | 2017 | } |
wolfSSL | 4:1b0d80432c79 | 2018 | } |
wolfSSL | 4:1b0d80432c79 | 2019 | |
wolfSSL | 4:1b0d80432c79 | 2020 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 2021 | FreeTmpDsas(tmps); |
wolfSSL | 4:1b0d80432c79 | 2022 | return ret; |
wolfSSL | 4:1b0d80432c79 | 2023 | } |
wolfSSL | 4:1b0d80432c79 | 2024 | |
wolfSSL | 4:1b0d80432c79 | 2025 | /* make headers */ |
wolfSSL | 4:1b0d80432c79 | 2026 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 4:1b0d80432c79 | 2027 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 4:1b0d80432c79 | 2028 | |
wolfSSL | 4:1b0d80432c79 | 2029 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 4:1b0d80432c79 | 2030 | if (outLen > (int)inLen) |
wolfSSL | 4:1b0d80432c79 | 2031 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 2032 | |
wolfSSL | 4:1b0d80432c79 | 2033 | /* write to output */ |
wolfSSL | 4:1b0d80432c79 | 2034 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 4:1b0d80432c79 | 2035 | j = seqSz; |
wolfSSL | 4:1b0d80432c79 | 2036 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 4:1b0d80432c79 | 2037 | j += verSz; |
wolfSSL | 4:1b0d80432c79 | 2038 | |
wolfSSL | 4:1b0d80432c79 | 2039 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 4:1b0d80432c79 | 2040 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 4:1b0d80432c79 | 2041 | j += sizes[i]; |
wolfSSL | 4:1b0d80432c79 | 2042 | } |
wolfSSL | 4:1b0d80432c79 | 2043 | FreeTmpDsas(tmps); |
wolfSSL | 4:1b0d80432c79 | 2044 | |
wolfSSL | 4:1b0d80432c79 | 2045 | return outLen; |
wolfSSL | 4:1b0d80432c79 | 2046 | } |
wolfSSL | 4:1b0d80432c79 | 2047 | |
wolfSSL | 4:1b0d80432c79 | 2048 | #endif /* NO_DSA */ |
wolfSSL | 4:1b0d80432c79 | 2049 | |
wolfSSL | 4:1b0d80432c79 | 2050 | |
wolfSSL | 4:1b0d80432c79 | 2051 | void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) |
wolfSSL | 4:1b0d80432c79 | 2052 | { |
wolfSSL | 4:1b0d80432c79 | 2053 | cert->publicKey = 0; |
wolfSSL | 4:1b0d80432c79 | 2054 | cert->pubKeySize = 0; |
wolfSSL | 4:1b0d80432c79 | 2055 | cert->pubKeyStored = 0; |
wolfSSL | 4:1b0d80432c79 | 2056 | cert->version = 0; |
wolfSSL | 4:1b0d80432c79 | 2057 | cert->signature = 0; |
wolfSSL | 4:1b0d80432c79 | 2058 | cert->subjectCN = 0; |
wolfSSL | 4:1b0d80432c79 | 2059 | cert->subjectCNLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2060 | cert->subjectCNEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2061 | cert->subjectCNStored = 0; |
wolfSSL | 4:1b0d80432c79 | 2062 | cert->weOwnAltNames = 0; |
wolfSSL | 4:1b0d80432c79 | 2063 | cert->altNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 2064 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 2065 | cert->altEmailNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 2066 | cert->permittedNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 2067 | cert->excludedNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 2068 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 2069 | cert->issuer[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 2070 | cert->subject[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 2071 | cert->source = source; /* don't own */ |
wolfSSL | 4:1b0d80432c79 | 2072 | cert->srcIdx = 0; |
wolfSSL | 4:1b0d80432c79 | 2073 | cert->maxIdx = inSz; /* can't go over this index */ |
wolfSSL | 4:1b0d80432c79 | 2074 | cert->heap = heap; |
wolfSSL | 4:1b0d80432c79 | 2075 | XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE); |
wolfSSL | 4:1b0d80432c79 | 2076 | cert->serialSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2077 | cert->extensions = 0; |
wolfSSL | 4:1b0d80432c79 | 2078 | cert->extensionsSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2079 | cert->extensionsIdx = 0; |
wolfSSL | 4:1b0d80432c79 | 2080 | cert->extAuthInfo = NULL; |
wolfSSL | 4:1b0d80432c79 | 2081 | cert->extAuthInfoSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2082 | cert->extCrlInfo = NULL; |
wolfSSL | 4:1b0d80432c79 | 2083 | cert->extCrlInfoSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2084 | XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 2085 | cert->extSubjKeyIdSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2086 | XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 2087 | cert->extAuthKeyIdSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2088 | cert->extKeyUsageSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2089 | cert->extKeyUsage = 0; |
wolfSSL | 4:1b0d80432c79 | 2090 | cert->extExtKeyUsageSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2091 | cert->extExtKeyUsage = 0; |
wolfSSL | 4:1b0d80432c79 | 2092 | cert->isCA = 0; |
wolfSSL | 4:1b0d80432c79 | 2093 | #ifdef HAVE_PKCS7 |
wolfSSL | 4:1b0d80432c79 | 2094 | cert->issuerRaw = NULL; |
wolfSSL | 4:1b0d80432c79 | 2095 | cert->issuerRawLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2096 | #endif |
wolfSSL | 4:1b0d80432c79 | 2097 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2098 | cert->subjectSN = 0; |
wolfSSL | 4:1b0d80432c79 | 2099 | cert->subjectSNLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2100 | cert->subjectSNEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2101 | cert->subjectC = 0; |
wolfSSL | 4:1b0d80432c79 | 2102 | cert->subjectCLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2103 | cert->subjectCEnc = CTC_PRINTABLE; |
wolfSSL | 4:1b0d80432c79 | 2104 | cert->subjectL = 0; |
wolfSSL | 4:1b0d80432c79 | 2105 | cert->subjectLLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2106 | cert->subjectLEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2107 | cert->subjectST = 0; |
wolfSSL | 4:1b0d80432c79 | 2108 | cert->subjectSTLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2109 | cert->subjectSTEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2110 | cert->subjectO = 0; |
wolfSSL | 4:1b0d80432c79 | 2111 | cert->subjectOLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2112 | cert->subjectOEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2113 | cert->subjectOU = 0; |
wolfSSL | 4:1b0d80432c79 | 2114 | cert->subjectOULen = 0; |
wolfSSL | 4:1b0d80432c79 | 2115 | cert->subjectOUEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 2116 | cert->subjectEmail = 0; |
wolfSSL | 4:1b0d80432c79 | 2117 | cert->subjectEmailLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2118 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2119 | cert->beforeDate = NULL; |
wolfSSL | 4:1b0d80432c79 | 2120 | cert->beforeDateLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2121 | cert->afterDate = NULL; |
wolfSSL | 4:1b0d80432c79 | 2122 | cert->afterDateLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2123 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2124 | XMEMSET(&cert->issuerName, 0, sizeof(DecodedName)); |
wolfSSL | 4:1b0d80432c79 | 2125 | XMEMSET(&cert->subjectName, 0, sizeof(DecodedName)); |
wolfSSL | 4:1b0d80432c79 | 2126 | cert->extBasicConstSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2127 | cert->extBasicConstCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2128 | cert->extBasicConstPlSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2129 | cert->pathLength = 0; |
wolfSSL | 4:1b0d80432c79 | 2130 | cert->extSubjAltNameSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2131 | cert->extSubjAltNameCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2132 | cert->extAuthKeyIdCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2133 | cert->extSubjKeyIdCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2134 | cert->extKeyUsageCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2135 | cert->extExtKeyUsageCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2136 | cert->extExtKeyUsageSrc = NULL; |
wolfSSL | 4:1b0d80432c79 | 2137 | cert->extExtKeyUsageSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2138 | cert->extExtKeyUsageCount = 0; |
wolfSSL | 4:1b0d80432c79 | 2139 | cert->extAuthKeyIdSrc = NULL; |
wolfSSL | 4:1b0d80432c79 | 2140 | cert->extAuthKeyIdSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2141 | cert->extSubjKeyIdSrc = NULL; |
wolfSSL | 4:1b0d80432c79 | 2142 | cert->extSubjKeyIdSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2143 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2144 | #if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS) |
wolfSSL | 4:1b0d80432c79 | 2145 | cert->extNameConstraintSet = 0; |
wolfSSL | 4:1b0d80432c79 | 2146 | #endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 2147 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 2148 | cert->pkCurveOID = 0; |
wolfSSL | 4:1b0d80432c79 | 2149 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 2150 | #ifdef WOLFSSL_SEP |
wolfSSL | 4:1b0d80432c79 | 2151 | cert->deviceTypeSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2152 | cert->deviceType = NULL; |
wolfSSL | 4:1b0d80432c79 | 2153 | cert->hwTypeSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2154 | cert->hwType = NULL; |
wolfSSL | 4:1b0d80432c79 | 2155 | cert->hwSerialNumSz = 0; |
wolfSSL | 4:1b0d80432c79 | 2156 | cert->hwSerialNum = NULL; |
wolfSSL | 4:1b0d80432c79 | 2157 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2158 | cert->extCertPolicySet = 0; |
wolfSSL | 4:1b0d80432c79 | 2159 | cert->extCertPolicyCrit = 0; |
wolfSSL | 4:1b0d80432c79 | 2160 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2161 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 2162 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 2163 | XMEMSET(cert->extCertPolicies, 0, MAX_CERTPOL_NB*MAX_CERTPOL_SZ); |
wolfSSL | 4:1b0d80432c79 | 2164 | cert->extCertPoliciesNb = 0; |
wolfSSL | 4:1b0d80432c79 | 2165 | #endif |
wolfSSL | 4:1b0d80432c79 | 2166 | } |
wolfSSL | 4:1b0d80432c79 | 2167 | |
wolfSSL | 4:1b0d80432c79 | 2168 | |
wolfSSL | 4:1b0d80432c79 | 2169 | void FreeAltNames(DNS_entry* altNames, void* heap) |
wolfSSL | 4:1b0d80432c79 | 2170 | { |
wolfSSL | 4:1b0d80432c79 | 2171 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 2172 | |
wolfSSL | 4:1b0d80432c79 | 2173 | while (altNames) { |
wolfSSL | 4:1b0d80432c79 | 2174 | DNS_entry* tmp = altNames->next; |
wolfSSL | 4:1b0d80432c79 | 2175 | |
wolfSSL | 4:1b0d80432c79 | 2176 | XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2177 | XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2178 | altNames = tmp; |
wolfSSL | 4:1b0d80432c79 | 2179 | } |
wolfSSL | 4:1b0d80432c79 | 2180 | } |
wolfSSL | 4:1b0d80432c79 | 2181 | |
wolfSSL | 4:1b0d80432c79 | 2182 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 2183 | |
wolfSSL | 4:1b0d80432c79 | 2184 | void FreeNameSubtrees(Base_entry* names, void* heap) |
wolfSSL | 4:1b0d80432c79 | 2185 | { |
wolfSSL | 4:1b0d80432c79 | 2186 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 2187 | |
wolfSSL | 4:1b0d80432c79 | 2188 | while (names) { |
wolfSSL | 4:1b0d80432c79 | 2189 | Base_entry* tmp = names->next; |
wolfSSL | 4:1b0d80432c79 | 2190 | |
wolfSSL | 4:1b0d80432c79 | 2191 | XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2192 | XFREE(names, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2193 | names = tmp; |
wolfSSL | 4:1b0d80432c79 | 2194 | } |
wolfSSL | 4:1b0d80432c79 | 2195 | } |
wolfSSL | 4:1b0d80432c79 | 2196 | |
wolfSSL | 4:1b0d80432c79 | 2197 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 2198 | |
wolfSSL | 4:1b0d80432c79 | 2199 | void FreeDecodedCert(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 2200 | { |
wolfSSL | 4:1b0d80432c79 | 2201 | if (cert->subjectCNStored == 1) |
wolfSSL | 4:1b0d80432c79 | 2202 | XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 4:1b0d80432c79 | 2203 | if (cert->pubKeyStored == 1) |
wolfSSL | 4:1b0d80432c79 | 2204 | XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 4:1b0d80432c79 | 2205 | if (cert->weOwnAltNames && cert->altNames) |
wolfSSL | 4:1b0d80432c79 | 2206 | FreeAltNames(cert->altNames, cert->heap); |
wolfSSL | 4:1b0d80432c79 | 2207 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 2208 | if (cert->altEmailNames) |
wolfSSL | 4:1b0d80432c79 | 2209 | FreeAltNames(cert->altEmailNames, cert->heap); |
wolfSSL | 4:1b0d80432c79 | 2210 | if (cert->permittedNames) |
wolfSSL | 4:1b0d80432c79 | 2211 | FreeNameSubtrees(cert->permittedNames, cert->heap); |
wolfSSL | 4:1b0d80432c79 | 2212 | if (cert->excludedNames) |
wolfSSL | 4:1b0d80432c79 | 2213 | FreeNameSubtrees(cert->excludedNames, cert->heap); |
wolfSSL | 4:1b0d80432c79 | 2214 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 2215 | #ifdef WOLFSSL_SEP |
wolfSSL | 4:1b0d80432c79 | 2216 | XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 2217 | XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 2218 | XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 2219 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 2220 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2221 | if (cert->issuerName.fullName != NULL) |
wolfSSL | 4:1b0d80432c79 | 2222 | XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 4:1b0d80432c79 | 2223 | if (cert->subjectName.fullName != NULL) |
wolfSSL | 4:1b0d80432c79 | 2224 | XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 4:1b0d80432c79 | 2225 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2226 | } |
wolfSSL | 4:1b0d80432c79 | 2227 | |
wolfSSL | 4:1b0d80432c79 | 2228 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 2229 | static int GetCertHeader(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 2230 | { |
wolfSSL | 4:1b0d80432c79 | 2231 | int ret = 0, len; |
wolfSSL | 4:1b0d80432c79 | 2232 | byte serialTmp[EXTERNAL_SERIAL_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 2233 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 4:1b0d80432c79 | 2234 | mp_int* mpi = NULL; |
wolfSSL | 4:1b0d80432c79 | 2235 | #else |
wolfSSL | 4:1b0d80432c79 | 2236 | mp_int stack_mpi; |
wolfSSL | 4:1b0d80432c79 | 2237 | mp_int* mpi = &stack_mpi; |
wolfSSL | 4:1b0d80432c79 | 2238 | #endif |
wolfSSL | 4:1b0d80432c79 | 2239 | |
wolfSSL | 4:1b0d80432c79 | 2240 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2241 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2242 | |
wolfSSL | 4:1b0d80432c79 | 2243 | cert->certBegin = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2244 | |
wolfSSL | 4:1b0d80432c79 | 2245 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2246 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2247 | cert->sigIndex = len + cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2248 | |
wolfSSL | 4:1b0d80432c79 | 2249 | if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0) |
wolfSSL | 4:1b0d80432c79 | 2250 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2251 | |
wolfSSL | 4:1b0d80432c79 | 2252 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 4:1b0d80432c79 | 2253 | mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2254 | if (mpi == NULL) |
wolfSSL | 4:1b0d80432c79 | 2255 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2256 | #endif |
wolfSSL | 4:1b0d80432c79 | 2257 | |
wolfSSL | 4:1b0d80432c79 | 2258 | if (GetInt(mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 2259 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 4:1b0d80432c79 | 2260 | XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2261 | #endif |
wolfSSL | 4:1b0d80432c79 | 2262 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2263 | } |
wolfSSL | 4:1b0d80432c79 | 2264 | |
wolfSSL | 4:1b0d80432c79 | 2265 | len = mp_unsigned_bin_size(mpi); |
wolfSSL | 4:1b0d80432c79 | 2266 | if (len < (int)sizeof(serialTmp)) { |
wolfSSL | 4:1b0d80432c79 | 2267 | if ( (ret = mp_to_unsigned_bin(mpi, serialTmp)) == MP_OKAY) { |
wolfSSL | 4:1b0d80432c79 | 2268 | XMEMCPY(cert->serial, serialTmp, len); |
wolfSSL | 4:1b0d80432c79 | 2269 | cert->serialSz = len; |
wolfSSL | 4:1b0d80432c79 | 2270 | } |
wolfSSL | 4:1b0d80432c79 | 2271 | } |
wolfSSL | 4:1b0d80432c79 | 2272 | mp_clear(mpi); |
wolfSSL | 4:1b0d80432c79 | 2273 | |
wolfSSL | 4:1b0d80432c79 | 2274 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 4:1b0d80432c79 | 2275 | XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2276 | #endif |
wolfSSL | 4:1b0d80432c79 | 2277 | |
wolfSSL | 4:1b0d80432c79 | 2278 | return ret; |
wolfSSL | 4:1b0d80432c79 | 2279 | } |
wolfSSL | 4:1b0d80432c79 | 2280 | |
wolfSSL | 4:1b0d80432c79 | 2281 | #if !defined(NO_RSA) |
wolfSSL | 4:1b0d80432c79 | 2282 | /* Store Rsa Key, may save later, Dsa could use in future */ |
wolfSSL | 4:1b0d80432c79 | 2283 | static int StoreRsaKey(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 2284 | { |
wolfSSL | 4:1b0d80432c79 | 2285 | int length; |
wolfSSL | 4:1b0d80432c79 | 2286 | word32 recvd = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2287 | |
wolfSSL | 4:1b0d80432c79 | 2288 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2289 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2290 | |
wolfSSL | 4:1b0d80432c79 | 2291 | recvd = cert->srcIdx - recvd; |
wolfSSL | 4:1b0d80432c79 | 2292 | length += recvd; |
wolfSSL | 4:1b0d80432c79 | 2293 | |
wolfSSL | 4:1b0d80432c79 | 2294 | while (recvd--) |
wolfSSL | 4:1b0d80432c79 | 2295 | cert->srcIdx--; |
wolfSSL | 4:1b0d80432c79 | 2296 | |
wolfSSL | 4:1b0d80432c79 | 2297 | cert->pubKeySize = length; |
wolfSSL | 4:1b0d80432c79 | 2298 | cert->publicKey = cert->source + cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2299 | cert->srcIdx += length; |
wolfSSL | 4:1b0d80432c79 | 2300 | |
wolfSSL | 4:1b0d80432c79 | 2301 | return 0; |
wolfSSL | 4:1b0d80432c79 | 2302 | } |
wolfSSL | 4:1b0d80432c79 | 2303 | #endif |
wolfSSL | 4:1b0d80432c79 | 2304 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 2305 | |
wolfSSL | 4:1b0d80432c79 | 2306 | |
wolfSSL | 4:1b0d80432c79 | 2307 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 2308 | |
wolfSSL | 4:1b0d80432c79 | 2309 | /* return 0 on success if the ECC curve oid sum is supported */ |
wolfSSL | 4:1b0d80432c79 | 2310 | static int CheckCurve(word32 oid) |
wolfSSL | 4:1b0d80432c79 | 2311 | { |
wolfSSL | 4:1b0d80432c79 | 2312 | int ret = 0; |
wolfSSL | 4:1b0d80432c79 | 2313 | |
wolfSSL | 4:1b0d80432c79 | 2314 | switch (oid) { |
wolfSSL | 4:1b0d80432c79 | 2315 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 4:1b0d80432c79 | 2316 | case ECC_160R1: |
wolfSSL | 4:1b0d80432c79 | 2317 | #endif |
wolfSSL | 4:1b0d80432c79 | 2318 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 4:1b0d80432c79 | 2319 | case ECC_192R1: |
wolfSSL | 4:1b0d80432c79 | 2320 | #endif |
wolfSSL | 4:1b0d80432c79 | 2321 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 4:1b0d80432c79 | 2322 | case ECC_224R1: |
wolfSSL | 4:1b0d80432c79 | 2323 | #endif |
wolfSSL | 4:1b0d80432c79 | 2324 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 4:1b0d80432c79 | 2325 | case ECC_256R1: |
wolfSSL | 4:1b0d80432c79 | 2326 | #endif |
wolfSSL | 4:1b0d80432c79 | 2327 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 4:1b0d80432c79 | 2328 | case ECC_384R1: |
wolfSSL | 4:1b0d80432c79 | 2329 | #endif |
wolfSSL | 4:1b0d80432c79 | 2330 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 4:1b0d80432c79 | 2331 | case ECC_521R1: |
wolfSSL | 4:1b0d80432c79 | 2332 | #endif |
wolfSSL | 4:1b0d80432c79 | 2333 | break; |
wolfSSL | 4:1b0d80432c79 | 2334 | |
wolfSSL | 4:1b0d80432c79 | 2335 | default: |
wolfSSL | 4:1b0d80432c79 | 2336 | ret = ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 2337 | } |
wolfSSL | 4:1b0d80432c79 | 2338 | |
wolfSSL | 4:1b0d80432c79 | 2339 | return ret; |
wolfSSL | 4:1b0d80432c79 | 2340 | } |
wolfSSL | 4:1b0d80432c79 | 2341 | |
wolfSSL | 4:1b0d80432c79 | 2342 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 2343 | |
wolfSSL | 4:1b0d80432c79 | 2344 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 2345 | static int GetKey(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 2346 | { |
wolfSSL | 4:1b0d80432c79 | 2347 | int length; |
wolfSSL | 4:1b0d80432c79 | 2348 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 2349 | int tmpIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2350 | #endif |
wolfSSL | 4:1b0d80432c79 | 2351 | |
wolfSSL | 4:1b0d80432c79 | 2352 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2353 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2354 | |
wolfSSL | 4:1b0d80432c79 | 2355 | if (GetAlgoId(cert->source, &cert->srcIdx, |
wolfSSL | 4:1b0d80432c79 | 2356 | &cert->keyOID, keyType, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2357 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2358 | |
wolfSSL | 4:1b0d80432c79 | 2359 | switch (cert->keyOID) { |
wolfSSL | 4:1b0d80432c79 | 2360 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 2361 | case RSAk: |
wolfSSL | 4:1b0d80432c79 | 2362 | { |
wolfSSL | 4:1b0d80432c79 | 2363 | byte b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2364 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 2365 | return ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 2366 | |
wolfSSL | 4:1b0d80432c79 | 2367 | if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2368 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2369 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2370 | if (b != 0x00) |
wolfSSL | 4:1b0d80432c79 | 2371 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 2372 | |
wolfSSL | 4:1b0d80432c79 | 2373 | return StoreRsaKey(cert); |
wolfSSL | 4:1b0d80432c79 | 2374 | } |
wolfSSL | 4:1b0d80432c79 | 2375 | |
wolfSSL | 4:1b0d80432c79 | 2376 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 2377 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 2378 | case NTRUk: |
wolfSSL | 4:1b0d80432c79 | 2379 | { |
wolfSSL | 4:1b0d80432c79 | 2380 | const byte* key = &cert->source[tmpIdx]; |
wolfSSL | 4:1b0d80432c79 | 2381 | byte* next = (byte*)key; |
wolfSSL | 4:1b0d80432c79 | 2382 | word16 keyLen; |
wolfSSL | 4:1b0d80432c79 | 2383 | word32 rc; |
wolfSSL | 4:1b0d80432c79 | 2384 | word32 remaining = cert->maxIdx - cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2385 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2386 | byte* keyBlob = NULL; |
wolfSSL | 4:1b0d80432c79 | 2387 | #else |
wolfSSL | 4:1b0d80432c79 | 2388 | byte keyBlob[MAX_NTRU_KEY_SZ]; |
wolfSSL | 4:1b0d80432c79 | 2389 | #endif |
wolfSSL | 4:1b0d80432c79 | 2390 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 4:1b0d80432c79 | 2391 | &keyLen, NULL, &next, &remaining); |
wolfSSL | 4:1b0d80432c79 | 2392 | if (rc != NTRU_OK) |
wolfSSL | 4:1b0d80432c79 | 2393 | return ASN_NTRU_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 2394 | if (keyLen > MAX_NTRU_KEY_SZ) |
wolfSSL | 4:1b0d80432c79 | 2395 | return ASN_NTRU_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 2396 | |
wolfSSL | 4:1b0d80432c79 | 2397 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2398 | keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL, |
wolfSSL | 4:1b0d80432c79 | 2399 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2400 | if (keyBlob == NULL) |
wolfSSL | 4:1b0d80432c79 | 2401 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2402 | #endif |
wolfSSL | 4:1b0d80432c79 | 2403 | |
wolfSSL | 4:1b0d80432c79 | 2404 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 4:1b0d80432c79 | 2405 | &keyLen, keyBlob, &next, &remaining); |
wolfSSL | 4:1b0d80432c79 | 2406 | if (rc != NTRU_OK) { |
wolfSSL | 4:1b0d80432c79 | 2407 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2408 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2409 | #endif |
wolfSSL | 4:1b0d80432c79 | 2410 | return ASN_NTRU_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 2411 | } |
wolfSSL | 4:1b0d80432c79 | 2412 | |
wolfSSL | 4:1b0d80432c79 | 2413 | if ( (next - key) < 0) { |
wolfSSL | 4:1b0d80432c79 | 2414 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2415 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2416 | #endif |
wolfSSL | 4:1b0d80432c79 | 2417 | return ASN_NTRU_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 2418 | } |
wolfSSL | 4:1b0d80432c79 | 2419 | |
wolfSSL | 4:1b0d80432c79 | 2420 | cert->srcIdx = tmpIdx + (int)(next - key); |
wolfSSL | 4:1b0d80432c79 | 2421 | |
wolfSSL | 4:1b0d80432c79 | 2422 | cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 2423 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 4:1b0d80432c79 | 2424 | if (cert->publicKey == NULL) { |
wolfSSL | 4:1b0d80432c79 | 2425 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2426 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2427 | #endif |
wolfSSL | 4:1b0d80432c79 | 2428 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2429 | } |
wolfSSL | 4:1b0d80432c79 | 2430 | XMEMCPY(cert->publicKey, keyBlob, keyLen); |
wolfSSL | 4:1b0d80432c79 | 2431 | cert->pubKeyStored = 1; |
wolfSSL | 4:1b0d80432c79 | 2432 | cert->pubKeySize = keyLen; |
wolfSSL | 4:1b0d80432c79 | 2433 | |
wolfSSL | 4:1b0d80432c79 | 2434 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 2435 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 2436 | #endif |
wolfSSL | 4:1b0d80432c79 | 2437 | |
wolfSSL | 4:1b0d80432c79 | 2438 | return 0; |
wolfSSL | 4:1b0d80432c79 | 2439 | } |
wolfSSL | 4:1b0d80432c79 | 2440 | #endif /* HAVE_NTRU */ |
wolfSSL | 4:1b0d80432c79 | 2441 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 2442 | case ECDSAk: |
wolfSSL | 4:1b0d80432c79 | 2443 | { |
wolfSSL | 4:1b0d80432c79 | 2444 | byte b; |
wolfSSL | 4:1b0d80432c79 | 2445 | |
wolfSSL | 4:1b0d80432c79 | 2446 | if (GetObjectId(cert->source, &cert->srcIdx, |
wolfSSL | 4:1b0d80432c79 | 2447 | &cert->pkCurveOID, curveType, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2448 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2449 | |
wolfSSL | 4:1b0d80432c79 | 2450 | if (CheckCurve(cert->pkCurveOID) < 0) |
wolfSSL | 4:1b0d80432c79 | 2451 | return ECC_CURVE_OID_E; |
wolfSSL | 4:1b0d80432c79 | 2452 | |
wolfSSL | 4:1b0d80432c79 | 2453 | /* key header */ |
wolfSSL | 4:1b0d80432c79 | 2454 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2455 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 2456 | return ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 2457 | |
wolfSSL | 4:1b0d80432c79 | 2458 | if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2459 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2460 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2461 | if (b != 0x00) |
wolfSSL | 4:1b0d80432c79 | 2462 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 2463 | |
wolfSSL | 4:1b0d80432c79 | 2464 | /* actual key, use length - 1 since ate preceding 0 */ |
wolfSSL | 4:1b0d80432c79 | 2465 | length -= 1; |
wolfSSL | 4:1b0d80432c79 | 2466 | |
wolfSSL | 4:1b0d80432c79 | 2467 | cert->publicKey = (byte*) XMALLOC(length, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 2468 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 4:1b0d80432c79 | 2469 | if (cert->publicKey == NULL) |
wolfSSL | 4:1b0d80432c79 | 2470 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2471 | XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 4:1b0d80432c79 | 2472 | cert->pubKeyStored = 1; |
wolfSSL | 4:1b0d80432c79 | 2473 | cert->pubKeySize = length; |
wolfSSL | 4:1b0d80432c79 | 2474 | |
wolfSSL | 4:1b0d80432c79 | 2475 | cert->srcIdx += length; |
wolfSSL | 4:1b0d80432c79 | 2476 | |
wolfSSL | 4:1b0d80432c79 | 2477 | return 0; |
wolfSSL | 4:1b0d80432c79 | 2478 | } |
wolfSSL | 4:1b0d80432c79 | 2479 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 2480 | default: |
wolfSSL | 4:1b0d80432c79 | 2481 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 4:1b0d80432c79 | 2482 | } |
wolfSSL | 4:1b0d80432c79 | 2483 | } |
wolfSSL | 4:1b0d80432c79 | 2484 | |
wolfSSL | 4:1b0d80432c79 | 2485 | |
wolfSSL | 4:1b0d80432c79 | 2486 | /* process NAME, either issuer or subject */ |
wolfSSL | 4:1b0d80432c79 | 2487 | static int GetName(DecodedCert* cert, int nameType) |
wolfSSL | 4:1b0d80432c79 | 2488 | { |
wolfSSL | 4:1b0d80432c79 | 2489 | int length; /* length of all distinguished names */ |
wolfSSL | 4:1b0d80432c79 | 2490 | int dummy; |
wolfSSL | 4:1b0d80432c79 | 2491 | int ret; |
wolfSSL | 4:1b0d80432c79 | 2492 | char* full; |
wolfSSL | 4:1b0d80432c79 | 2493 | byte* hash; |
wolfSSL | 4:1b0d80432c79 | 2494 | word32 idx; |
wolfSSL | 4:1b0d80432c79 | 2495 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2496 | DecodedName* dName = |
wolfSSL | 4:1b0d80432c79 | 2497 | (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName; |
wolfSSL | 4:1b0d80432c79 | 2498 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2499 | |
wolfSSL | 4:1b0d80432c79 | 2500 | WOLFSSL_MSG("Getting Cert Name"); |
wolfSSL | 4:1b0d80432c79 | 2501 | |
wolfSSL | 4:1b0d80432c79 | 2502 | if (nameType == ISSUER) { |
wolfSSL | 4:1b0d80432c79 | 2503 | full = cert->issuer; |
wolfSSL | 4:1b0d80432c79 | 2504 | hash = cert->issuerHash; |
wolfSSL | 4:1b0d80432c79 | 2505 | } |
wolfSSL | 4:1b0d80432c79 | 2506 | else { |
wolfSSL | 4:1b0d80432c79 | 2507 | full = cert->subject; |
wolfSSL | 4:1b0d80432c79 | 2508 | hash = cert->subjectHash; |
wolfSSL | 4:1b0d80432c79 | 2509 | } |
wolfSSL | 4:1b0d80432c79 | 2510 | |
wolfSSL | 4:1b0d80432c79 | 2511 | if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 2512 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 4:1b0d80432c79 | 2513 | |
wolfSSL | 4:1b0d80432c79 | 2514 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2515 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2516 | |
wolfSSL | 4:1b0d80432c79 | 2517 | cert->srcIdx += length; |
wolfSSL | 4:1b0d80432c79 | 2518 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 4:1b0d80432c79 | 2519 | } |
wolfSSL | 4:1b0d80432c79 | 2520 | |
wolfSSL | 4:1b0d80432c79 | 2521 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 4:1b0d80432c79 | 2522 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 4:1b0d80432c79 | 2523 | * the tag and length. */ |
wolfSSL | 4:1b0d80432c79 | 2524 | idx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2525 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2526 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2527 | |
wolfSSL | 4:1b0d80432c79 | 2528 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 2529 | ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 4:1b0d80432c79 | 2530 | #else |
wolfSSL | 4:1b0d80432c79 | 2531 | ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 4:1b0d80432c79 | 2532 | #endif |
wolfSSL | 4:1b0d80432c79 | 2533 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 2534 | return ret; |
wolfSSL | 4:1b0d80432c79 | 2535 | |
wolfSSL | 4:1b0d80432c79 | 2536 | length += cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2537 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 2538 | |
wolfSSL | 4:1b0d80432c79 | 2539 | #ifdef HAVE_PKCS7 |
wolfSSL | 4:1b0d80432c79 | 2540 | /* store pointer to raw issuer */ |
wolfSSL | 4:1b0d80432c79 | 2541 | if (nameType == ISSUER) { |
wolfSSL | 4:1b0d80432c79 | 2542 | cert->issuerRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2543 | cert->issuerRawLen = length - cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2544 | } |
wolfSSL | 4:1b0d80432c79 | 2545 | #endif |
wolfSSL | 4:1b0d80432c79 | 2546 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 2547 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2548 | cert->subjectRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2549 | cert->subjectRawLen = length - cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2550 | } |
wolfSSL | 4:1b0d80432c79 | 2551 | #endif |
wolfSSL | 4:1b0d80432c79 | 2552 | |
wolfSSL | 4:1b0d80432c79 | 2553 | while (cert->srcIdx < (word32)length) { |
wolfSSL | 4:1b0d80432c79 | 2554 | byte b; |
wolfSSL | 4:1b0d80432c79 | 2555 | byte joint[2]; |
wolfSSL | 4:1b0d80432c79 | 2556 | byte tooBig = FALSE; |
wolfSSL | 4:1b0d80432c79 | 2557 | int oidSz; |
wolfSSL | 4:1b0d80432c79 | 2558 | |
wolfSSL | 4:1b0d80432c79 | 2559 | if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 2560 | WOLFSSL_MSG("Cert name lacks set header, trying sequence"); |
wolfSSL | 4:1b0d80432c79 | 2561 | } |
wolfSSL | 4:1b0d80432c79 | 2562 | |
wolfSSL | 4:1b0d80432c79 | 2563 | if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2564 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2565 | |
wolfSSL | 4:1b0d80432c79 | 2566 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2567 | if (b != ASN_OBJECT_ID) |
wolfSSL | 4:1b0d80432c79 | 2568 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 2569 | |
wolfSSL | 4:1b0d80432c79 | 2570 | if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2571 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2572 | |
wolfSSL | 4:1b0d80432c79 | 2573 | XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint)); |
wolfSSL | 4:1b0d80432c79 | 2574 | |
wolfSSL | 4:1b0d80432c79 | 2575 | /* v1 name types */ |
wolfSSL | 4:1b0d80432c79 | 2576 | if (joint[0] == 0x55 && joint[1] == 0x04) { |
wolfSSL | 4:1b0d80432c79 | 2577 | byte id; |
wolfSSL | 4:1b0d80432c79 | 2578 | byte copy = FALSE; |
wolfSSL | 4:1b0d80432c79 | 2579 | int strLen; |
wolfSSL | 4:1b0d80432c79 | 2580 | |
wolfSSL | 4:1b0d80432c79 | 2581 | cert->srcIdx += 2; |
wolfSSL | 4:1b0d80432c79 | 2582 | id = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 2583 | b = cert->source[cert->srcIdx++]; /* encoding */ |
wolfSSL | 4:1b0d80432c79 | 2584 | |
wolfSSL | 4:1b0d80432c79 | 2585 | if (GetLength(cert->source, &cert->srcIdx, &strLen, |
wolfSSL | 4:1b0d80432c79 | 2586 | cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2587 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2588 | |
wolfSSL | 4:1b0d80432c79 | 2589 | if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 4:1b0d80432c79 | 2590 | /* include biggest pre fix header too 4 = "/serialNumber=" */ |
wolfSSL | 4:1b0d80432c79 | 2591 | WOLFSSL_MSG("ASN Name too big, skipping"); |
wolfSSL | 4:1b0d80432c79 | 2592 | tooBig = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2593 | } |
wolfSSL | 4:1b0d80432c79 | 2594 | |
wolfSSL | 4:1b0d80432c79 | 2595 | if (id == ASN_COMMON_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2596 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2597 | cert->subjectCN = (char *)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2598 | cert->subjectCNLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2599 | cert->subjectCNEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2600 | } |
wolfSSL | 4:1b0d80432c79 | 2601 | |
wolfSSL | 4:1b0d80432c79 | 2602 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2603 | XMEMCPY(&full[idx], "/CN=", 4); |
wolfSSL | 4:1b0d80432c79 | 2604 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2605 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2606 | } |
wolfSSL | 4:1b0d80432c79 | 2607 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2608 | dName->cnIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2609 | dName->cnLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2610 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2611 | } |
wolfSSL | 4:1b0d80432c79 | 2612 | else if (id == ASN_SUR_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2613 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2614 | XMEMCPY(&full[idx], "/SN=", 4); |
wolfSSL | 4:1b0d80432c79 | 2615 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2616 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2617 | } |
wolfSSL | 4:1b0d80432c79 | 2618 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2619 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2620 | cert->subjectSN = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2621 | cert->subjectSNLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2622 | cert->subjectSNEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2623 | } |
wolfSSL | 4:1b0d80432c79 | 2624 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2625 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2626 | dName->snIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2627 | dName->snLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2628 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2629 | } |
wolfSSL | 4:1b0d80432c79 | 2630 | else if (id == ASN_COUNTRY_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2631 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2632 | XMEMCPY(&full[idx], "/C=", 3); |
wolfSSL | 4:1b0d80432c79 | 2633 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2634 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2635 | } |
wolfSSL | 4:1b0d80432c79 | 2636 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2637 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2638 | cert->subjectC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2639 | cert->subjectCLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2640 | cert->subjectCEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2641 | } |
wolfSSL | 4:1b0d80432c79 | 2642 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2643 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2644 | dName->cIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2645 | dName->cLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2646 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2647 | } |
wolfSSL | 4:1b0d80432c79 | 2648 | else if (id == ASN_LOCALITY_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2649 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2650 | XMEMCPY(&full[idx], "/L=", 3); |
wolfSSL | 4:1b0d80432c79 | 2651 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2652 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2653 | } |
wolfSSL | 4:1b0d80432c79 | 2654 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2655 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2656 | cert->subjectL = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2657 | cert->subjectLLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2658 | cert->subjectLEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2659 | } |
wolfSSL | 4:1b0d80432c79 | 2660 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2661 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2662 | dName->lIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2663 | dName->lLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2664 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2665 | } |
wolfSSL | 4:1b0d80432c79 | 2666 | else if (id == ASN_STATE_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2667 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2668 | XMEMCPY(&full[idx], "/ST=", 4); |
wolfSSL | 4:1b0d80432c79 | 2669 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2670 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2671 | } |
wolfSSL | 4:1b0d80432c79 | 2672 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2673 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2674 | cert->subjectST = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2675 | cert->subjectSTLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2676 | cert->subjectSTEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2677 | } |
wolfSSL | 4:1b0d80432c79 | 2678 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2679 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2680 | dName->stIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2681 | dName->stLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2682 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2683 | } |
wolfSSL | 4:1b0d80432c79 | 2684 | else if (id == ASN_ORG_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2685 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2686 | XMEMCPY(&full[idx], "/O=", 3); |
wolfSSL | 4:1b0d80432c79 | 2687 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2688 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2689 | } |
wolfSSL | 4:1b0d80432c79 | 2690 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2691 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2692 | cert->subjectO = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2693 | cert->subjectOLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2694 | cert->subjectOEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2695 | } |
wolfSSL | 4:1b0d80432c79 | 2696 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2697 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2698 | dName->oIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2699 | dName->oLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2700 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2701 | } |
wolfSSL | 4:1b0d80432c79 | 2702 | else if (id == ASN_ORGUNIT_NAME) { |
wolfSSL | 4:1b0d80432c79 | 2703 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2704 | XMEMCPY(&full[idx], "/OU=", 4); |
wolfSSL | 4:1b0d80432c79 | 2705 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2706 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2707 | } |
wolfSSL | 4:1b0d80432c79 | 2708 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2709 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2710 | cert->subjectOU = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2711 | cert->subjectOULen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2712 | cert->subjectOUEnc = b; |
wolfSSL | 4:1b0d80432c79 | 2713 | } |
wolfSSL | 4:1b0d80432c79 | 2714 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2715 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2716 | dName->ouIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2717 | dName->ouLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2718 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2719 | } |
wolfSSL | 4:1b0d80432c79 | 2720 | else if (id == ASN_SERIAL_NUMBER) { |
wolfSSL | 4:1b0d80432c79 | 2721 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2722 | XMEMCPY(&full[idx], "/serialNumber=", 14); |
wolfSSL | 4:1b0d80432c79 | 2723 | idx += 14; |
wolfSSL | 4:1b0d80432c79 | 2724 | copy = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2725 | } |
wolfSSL | 4:1b0d80432c79 | 2726 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2727 | dName->snIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2728 | dName->snLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 2729 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2730 | } |
wolfSSL | 4:1b0d80432c79 | 2731 | |
wolfSSL | 4:1b0d80432c79 | 2732 | if (copy && !tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2733 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); |
wolfSSL | 4:1b0d80432c79 | 2734 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 2735 | } |
wolfSSL | 4:1b0d80432c79 | 2736 | |
wolfSSL | 4:1b0d80432c79 | 2737 | cert->srcIdx += strLen; |
wolfSSL | 4:1b0d80432c79 | 2738 | } |
wolfSSL | 4:1b0d80432c79 | 2739 | else { |
wolfSSL | 4:1b0d80432c79 | 2740 | /* skip */ |
wolfSSL | 4:1b0d80432c79 | 2741 | byte email = FALSE; |
wolfSSL | 4:1b0d80432c79 | 2742 | byte uid = FALSE; |
wolfSSL | 4:1b0d80432c79 | 2743 | int adv; |
wolfSSL | 4:1b0d80432c79 | 2744 | |
wolfSSL | 4:1b0d80432c79 | 2745 | if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */ |
wolfSSL | 4:1b0d80432c79 | 2746 | email = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2747 | |
wolfSSL | 4:1b0d80432c79 | 2748 | if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */ |
wolfSSL | 4:1b0d80432c79 | 2749 | uid = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2750 | |
wolfSSL | 4:1b0d80432c79 | 2751 | cert->srcIdx += oidSz + 1; |
wolfSSL | 4:1b0d80432c79 | 2752 | |
wolfSSL | 4:1b0d80432c79 | 2753 | if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 2754 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 2755 | |
wolfSSL | 4:1b0d80432c79 | 2756 | if (adv > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 4:1b0d80432c79 | 2757 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 4:1b0d80432c79 | 2758 | tooBig = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2759 | } |
wolfSSL | 4:1b0d80432c79 | 2760 | |
wolfSSL | 4:1b0d80432c79 | 2761 | if (email) { |
wolfSSL | 4:1b0d80432c79 | 2762 | if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 4:1b0d80432c79 | 2763 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 4:1b0d80432c79 | 2764 | tooBig = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2765 | } |
wolfSSL | 4:1b0d80432c79 | 2766 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2767 | XMEMCPY(&full[idx], "/emailAddress=", 14); |
wolfSSL | 4:1b0d80432c79 | 2768 | idx += 14; |
wolfSSL | 4:1b0d80432c79 | 2769 | } |
wolfSSL | 4:1b0d80432c79 | 2770 | |
wolfSSL | 4:1b0d80432c79 | 2771 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 4:1b0d80432c79 | 2772 | if (nameType == SUBJECT) { |
wolfSSL | 4:1b0d80432c79 | 2773 | cert->subjectEmail = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 2774 | cert->subjectEmailLen = adv; |
wolfSSL | 4:1b0d80432c79 | 2775 | } |
wolfSSL | 4:1b0d80432c79 | 2776 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 2777 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2778 | dName->emailIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2779 | dName->emailLen = adv; |
wolfSSL | 4:1b0d80432c79 | 2780 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2781 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 2782 | { |
wolfSSL | 4:1b0d80432c79 | 2783 | DNS_entry* emailName = NULL; |
wolfSSL | 4:1b0d80432c79 | 2784 | |
wolfSSL | 4:1b0d80432c79 | 2785 | emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), |
wolfSSL | 4:1b0d80432c79 | 2786 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2787 | if (emailName == NULL) { |
wolfSSL | 4:1b0d80432c79 | 2788 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 2789 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2790 | } |
wolfSSL | 4:1b0d80432c79 | 2791 | emailName->name = (char*)XMALLOC(adv + 1, |
wolfSSL | 4:1b0d80432c79 | 2792 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2793 | if (emailName->name == NULL) { |
wolfSSL | 4:1b0d80432c79 | 2794 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 2795 | XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 2796 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 2797 | } |
wolfSSL | 4:1b0d80432c79 | 2798 | XMEMCPY(emailName->name, |
wolfSSL | 4:1b0d80432c79 | 2799 | &cert->source[cert->srcIdx], adv); |
wolfSSL | 4:1b0d80432c79 | 2800 | emailName->name[adv] = 0; |
wolfSSL | 4:1b0d80432c79 | 2801 | |
wolfSSL | 4:1b0d80432c79 | 2802 | emailName->next = cert->altEmailNames; |
wolfSSL | 4:1b0d80432c79 | 2803 | cert->altEmailNames = emailName; |
wolfSSL | 4:1b0d80432c79 | 2804 | } |
wolfSSL | 4:1b0d80432c79 | 2805 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 2806 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2807 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 4:1b0d80432c79 | 2808 | idx += adv; |
wolfSSL | 4:1b0d80432c79 | 2809 | } |
wolfSSL | 4:1b0d80432c79 | 2810 | } |
wolfSSL | 4:1b0d80432c79 | 2811 | |
wolfSSL | 4:1b0d80432c79 | 2812 | if (uid) { |
wolfSSL | 4:1b0d80432c79 | 2813 | if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 4:1b0d80432c79 | 2814 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 4:1b0d80432c79 | 2815 | tooBig = TRUE; |
wolfSSL | 4:1b0d80432c79 | 2816 | } |
wolfSSL | 4:1b0d80432c79 | 2817 | if (!tooBig) { |
wolfSSL | 4:1b0d80432c79 | 2818 | XMEMCPY(&full[idx], "/UID=", 5); |
wolfSSL | 4:1b0d80432c79 | 2819 | idx += 5; |
wolfSSL | 4:1b0d80432c79 | 2820 | |
wolfSSL | 4:1b0d80432c79 | 2821 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 4:1b0d80432c79 | 2822 | idx += adv; |
wolfSSL | 4:1b0d80432c79 | 2823 | } |
wolfSSL | 4:1b0d80432c79 | 2824 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2825 | dName->uidIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 2826 | dName->uidLen = adv; |
wolfSSL | 4:1b0d80432c79 | 2827 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2828 | } |
wolfSSL | 4:1b0d80432c79 | 2829 | |
wolfSSL | 4:1b0d80432c79 | 2830 | cert->srcIdx += adv; |
wolfSSL | 4:1b0d80432c79 | 2831 | } |
wolfSSL | 4:1b0d80432c79 | 2832 | } |
wolfSSL | 4:1b0d80432c79 | 2833 | full[idx++] = 0; |
wolfSSL | 4:1b0d80432c79 | 2834 | |
wolfSSL | 4:1b0d80432c79 | 2835 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 2836 | { |
wolfSSL | 4:1b0d80432c79 | 2837 | int totalLen = 0; |
wolfSSL | 4:1b0d80432c79 | 2838 | |
wolfSSL | 4:1b0d80432c79 | 2839 | if (dName->cnLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2840 | totalLen += dName->cnLen + 4; |
wolfSSL | 4:1b0d80432c79 | 2841 | if (dName->snLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2842 | totalLen += dName->snLen + 4; |
wolfSSL | 4:1b0d80432c79 | 2843 | if (dName->cLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2844 | totalLen += dName->cLen + 3; |
wolfSSL | 4:1b0d80432c79 | 2845 | if (dName->lLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2846 | totalLen += dName->lLen + 3; |
wolfSSL | 4:1b0d80432c79 | 2847 | if (dName->stLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2848 | totalLen += dName->stLen + 4; |
wolfSSL | 4:1b0d80432c79 | 2849 | if (dName->oLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2850 | totalLen += dName->oLen + 3; |
wolfSSL | 4:1b0d80432c79 | 2851 | if (dName->ouLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2852 | totalLen += dName->ouLen + 4; |
wolfSSL | 4:1b0d80432c79 | 2853 | if (dName->emailLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2854 | totalLen += dName->emailLen + 14; |
wolfSSL | 4:1b0d80432c79 | 2855 | if (dName->uidLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2856 | totalLen += dName->uidLen + 5; |
wolfSSL | 4:1b0d80432c79 | 2857 | if (dName->serialLen != 0) |
wolfSSL | 4:1b0d80432c79 | 2858 | totalLen += dName->serialLen + 14; |
wolfSSL | 4:1b0d80432c79 | 2859 | |
wolfSSL | 4:1b0d80432c79 | 2860 | dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 4:1b0d80432c79 | 2861 | if (dName->fullName != NULL) { |
wolfSSL | 4:1b0d80432c79 | 2862 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 2863 | |
wolfSSL | 4:1b0d80432c79 | 2864 | if (dName->cnLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2865 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2866 | XMEMCPY(&dName->fullName[idx], "/CN=", 4); |
wolfSSL | 4:1b0d80432c79 | 2867 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2868 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2869 | &cert->source[dName->cnIdx], dName->cnLen); |
wolfSSL | 4:1b0d80432c79 | 2870 | dName->cnIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2871 | idx += dName->cnLen; |
wolfSSL | 4:1b0d80432c79 | 2872 | } |
wolfSSL | 4:1b0d80432c79 | 2873 | if (dName->snLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2874 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2875 | XMEMCPY(&dName->fullName[idx], "/SN=", 4); |
wolfSSL | 4:1b0d80432c79 | 2876 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2877 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2878 | &cert->source[dName->snIdx], dName->snLen); |
wolfSSL | 4:1b0d80432c79 | 2879 | dName->snIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2880 | idx += dName->snLen; |
wolfSSL | 4:1b0d80432c79 | 2881 | } |
wolfSSL | 4:1b0d80432c79 | 2882 | if (dName->cLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2883 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2884 | XMEMCPY(&dName->fullName[idx], "/C=", 3); |
wolfSSL | 4:1b0d80432c79 | 2885 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2886 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2887 | &cert->source[dName->cIdx], dName->cLen); |
wolfSSL | 4:1b0d80432c79 | 2888 | dName->cIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2889 | idx += dName->cLen; |
wolfSSL | 4:1b0d80432c79 | 2890 | } |
wolfSSL | 4:1b0d80432c79 | 2891 | if (dName->lLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2892 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2893 | XMEMCPY(&dName->fullName[idx], "/L=", 3); |
wolfSSL | 4:1b0d80432c79 | 2894 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2895 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2896 | &cert->source[dName->lIdx], dName->lLen); |
wolfSSL | 4:1b0d80432c79 | 2897 | dName->lIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2898 | idx += dName->lLen; |
wolfSSL | 4:1b0d80432c79 | 2899 | } |
wolfSSL | 4:1b0d80432c79 | 2900 | if (dName->stLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2901 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2902 | XMEMCPY(&dName->fullName[idx], "/ST=", 4); |
wolfSSL | 4:1b0d80432c79 | 2903 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2904 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2905 | &cert->source[dName->stIdx], dName->stLen); |
wolfSSL | 4:1b0d80432c79 | 2906 | dName->stIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2907 | idx += dName->stLen; |
wolfSSL | 4:1b0d80432c79 | 2908 | } |
wolfSSL | 4:1b0d80432c79 | 2909 | if (dName->oLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2910 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2911 | XMEMCPY(&dName->fullName[idx], "/O=", 3); |
wolfSSL | 4:1b0d80432c79 | 2912 | idx += 3; |
wolfSSL | 4:1b0d80432c79 | 2913 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2914 | &cert->source[dName->oIdx], dName->oLen); |
wolfSSL | 4:1b0d80432c79 | 2915 | dName->oIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2916 | idx += dName->oLen; |
wolfSSL | 4:1b0d80432c79 | 2917 | } |
wolfSSL | 4:1b0d80432c79 | 2918 | if (dName->ouLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2919 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2920 | XMEMCPY(&dName->fullName[idx], "/OU=", 4); |
wolfSSL | 4:1b0d80432c79 | 2921 | idx += 4; |
wolfSSL | 4:1b0d80432c79 | 2922 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2923 | &cert->source[dName->ouIdx], dName->ouLen); |
wolfSSL | 4:1b0d80432c79 | 2924 | dName->ouIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2925 | idx += dName->ouLen; |
wolfSSL | 4:1b0d80432c79 | 2926 | } |
wolfSSL | 4:1b0d80432c79 | 2927 | if (dName->emailLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2928 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2929 | XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14); |
wolfSSL | 4:1b0d80432c79 | 2930 | idx += 14; |
wolfSSL | 4:1b0d80432c79 | 2931 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2932 | &cert->source[dName->emailIdx], dName->emailLen); |
wolfSSL | 4:1b0d80432c79 | 2933 | dName->emailIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2934 | idx += dName->emailLen; |
wolfSSL | 4:1b0d80432c79 | 2935 | } |
wolfSSL | 4:1b0d80432c79 | 2936 | if (dName->uidLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2937 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2938 | XMEMCPY(&dName->fullName[idx], "/UID=", 5); |
wolfSSL | 4:1b0d80432c79 | 2939 | idx += 5; |
wolfSSL | 4:1b0d80432c79 | 2940 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2941 | &cert->source[dName->uidIdx], dName->uidLen); |
wolfSSL | 4:1b0d80432c79 | 2942 | dName->uidIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2943 | idx += dName->uidLen; |
wolfSSL | 4:1b0d80432c79 | 2944 | } |
wolfSSL | 4:1b0d80432c79 | 2945 | if (dName->serialLen != 0) { |
wolfSSL | 4:1b0d80432c79 | 2946 | dName->entryCount++; |
wolfSSL | 4:1b0d80432c79 | 2947 | XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14); |
wolfSSL | 4:1b0d80432c79 | 2948 | idx += 14; |
wolfSSL | 4:1b0d80432c79 | 2949 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 4:1b0d80432c79 | 2950 | &cert->source[dName->serialIdx], dName->serialLen); |
wolfSSL | 4:1b0d80432c79 | 2951 | dName->serialIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 2952 | idx += dName->serialLen; |
wolfSSL | 4:1b0d80432c79 | 2953 | } |
wolfSSL | 4:1b0d80432c79 | 2954 | dName->fullName[idx] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 2955 | dName->fullNameLen = totalLen; |
wolfSSL | 4:1b0d80432c79 | 2956 | } |
wolfSSL | 4:1b0d80432c79 | 2957 | } |
wolfSSL | 4:1b0d80432c79 | 2958 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 2959 | |
wolfSSL | 4:1b0d80432c79 | 2960 | return 0; |
wolfSSL | 4:1b0d80432c79 | 2961 | } |
wolfSSL | 4:1b0d80432c79 | 2962 | |
wolfSSL | 4:1b0d80432c79 | 2963 | |
wolfSSL | 4:1b0d80432c79 | 2964 | #if !defined(NO_TIME_H) && defined(USE_WOLF_VALIDDATE) |
wolfSSL | 4:1b0d80432c79 | 2965 | |
wolfSSL | 4:1b0d80432c79 | 2966 | /* to the second */ |
wolfSSL | 4:1b0d80432c79 | 2967 | static int DateGreaterThan(const struct tm* a, const struct tm* b) |
wolfSSL | 4:1b0d80432c79 | 2968 | { |
wolfSSL | 4:1b0d80432c79 | 2969 | if (a->tm_year > b->tm_year) |
wolfSSL | 4:1b0d80432c79 | 2970 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2971 | |
wolfSSL | 4:1b0d80432c79 | 2972 | if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon) |
wolfSSL | 4:1b0d80432c79 | 2973 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2974 | |
wolfSSL | 4:1b0d80432c79 | 2975 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 4:1b0d80432c79 | 2976 | a->tm_mday > b->tm_mday) |
wolfSSL | 4:1b0d80432c79 | 2977 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2978 | |
wolfSSL | 4:1b0d80432c79 | 2979 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 4:1b0d80432c79 | 2980 | a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour) |
wolfSSL | 4:1b0d80432c79 | 2981 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2982 | |
wolfSSL | 4:1b0d80432c79 | 2983 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 4:1b0d80432c79 | 2984 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 4:1b0d80432c79 | 2985 | a->tm_min > b->tm_min) |
wolfSSL | 4:1b0d80432c79 | 2986 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2987 | |
wolfSSL | 4:1b0d80432c79 | 2988 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 4:1b0d80432c79 | 2989 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 4:1b0d80432c79 | 2990 | a->tm_min == b->tm_min && a->tm_sec > b->tm_sec) |
wolfSSL | 4:1b0d80432c79 | 2991 | return 1; |
wolfSSL | 4:1b0d80432c79 | 2992 | |
wolfSSL | 4:1b0d80432c79 | 2993 | return 0; /* false */ |
wolfSSL | 4:1b0d80432c79 | 2994 | } |
wolfSSL | 4:1b0d80432c79 | 2995 | |
wolfSSL | 4:1b0d80432c79 | 2996 | |
wolfSSL | 4:1b0d80432c79 | 2997 | static INLINE int DateLessThan(const struct tm* a, const struct tm* b) |
wolfSSL | 4:1b0d80432c79 | 2998 | { |
wolfSSL | 4:1b0d80432c79 | 2999 | return DateGreaterThan(b,a); |
wolfSSL | 4:1b0d80432c79 | 3000 | } |
wolfSSL | 4:1b0d80432c79 | 3001 | |
wolfSSL | 4:1b0d80432c79 | 3002 | /* like atoi but only use first byte */ |
wolfSSL | 4:1b0d80432c79 | 3003 | /* Make sure before and after dates are valid */ |
wolfSSL | 4:1b0d80432c79 | 3004 | int ValidateDate(const byte* date, byte format, int dateType) |
wolfSSL | 4:1b0d80432c79 | 3005 | { |
wolfSSL | 4:1b0d80432c79 | 3006 | time_t ltime; |
wolfSSL | 4:1b0d80432c79 | 3007 | struct tm certTime; |
wolfSSL | 4:1b0d80432c79 | 3008 | struct tm* localTime; |
wolfSSL | 4:1b0d80432c79 | 3009 | struct tm* tmpTime = NULL; |
wolfSSL | 4:1b0d80432c79 | 3010 | int i = 0; |
wolfSSL | 4:1b0d80432c79 | 3011 | int timeDiff = 0 ; |
wolfSSL | 4:1b0d80432c79 | 3012 | int diffHH = 0 ; int diffMM = 0 ; |
wolfSSL | 4:1b0d80432c79 | 3013 | int diffSign = 0 ; |
wolfSSL | 4:1b0d80432c79 | 3014 | |
wolfSSL | 4:1b0d80432c79 | 3015 | #if defined(NEED_TMP_TIME) |
wolfSSL | 4:1b0d80432c79 | 3016 | struct tm tmpTimeStorage; |
wolfSSL | 4:1b0d80432c79 | 3017 | tmpTime = &tmpTimeStorage; |
wolfSSL | 4:1b0d80432c79 | 3018 | #else |
wolfSSL | 4:1b0d80432c79 | 3019 | (void)tmpTime; |
wolfSSL | 4:1b0d80432c79 | 3020 | #endif |
wolfSSL | 4:1b0d80432c79 | 3021 | |
wolfSSL | 4:1b0d80432c79 | 3022 | ltime = XTIME(0); |
wolfSSL | 4:1b0d80432c79 | 3023 | XMEMSET(&certTime, 0, sizeof(certTime)); |
wolfSSL | 4:1b0d80432c79 | 3024 | |
wolfSSL | 4:1b0d80432c79 | 3025 | if (format == ASN_UTC_TIME) { |
wolfSSL | 4:1b0d80432c79 | 3026 | if (btoi(date[0]) >= 5) |
wolfSSL | 4:1b0d80432c79 | 3027 | certTime.tm_year = 1900; |
wolfSSL | 4:1b0d80432c79 | 3028 | else |
wolfSSL | 4:1b0d80432c79 | 3029 | certTime.tm_year = 2000; |
wolfSSL | 4:1b0d80432c79 | 3030 | } |
wolfSSL | 4:1b0d80432c79 | 3031 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 4:1b0d80432c79 | 3032 | certTime.tm_year += btoi(date[i++]) * 1000; |
wolfSSL | 4:1b0d80432c79 | 3033 | certTime.tm_year += btoi(date[i++]) * 100; |
wolfSSL | 4:1b0d80432c79 | 3034 | } |
wolfSSL | 4:1b0d80432c79 | 3035 | |
wolfSSL | 4:1b0d80432c79 | 3036 | /* adjust tm_year, tm_mon */ |
wolfSSL | 4:1b0d80432c79 | 3037 | GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900; |
wolfSSL | 4:1b0d80432c79 | 3038 | GetTime((int*)&certTime.tm_mon, date, &i); certTime.tm_mon -= 1; |
wolfSSL | 4:1b0d80432c79 | 3039 | GetTime((int*)&certTime.tm_mday, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3040 | GetTime((int*)&certTime.tm_hour, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3041 | GetTime((int*)&certTime.tm_min, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3042 | GetTime((int*)&certTime.tm_sec, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3043 | |
wolfSSL | 4:1b0d80432c79 | 3044 | if ((date[i] == '+') || (date[i] == '-')) { |
wolfSSL | 4:1b0d80432c79 | 3045 | WOLFSSL_MSG("Using time differential, not Zulu") ; |
wolfSSL | 4:1b0d80432c79 | 3046 | diffSign = date[i++] == '+' ? 1 : -1 ; |
wolfSSL | 4:1b0d80432c79 | 3047 | GetTime(&diffHH, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3048 | GetTime(&diffMM, date, &i); |
wolfSSL | 4:1b0d80432c79 | 3049 | timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ; |
wolfSSL | 4:1b0d80432c79 | 3050 | } else if (date[i] != 'Z') { |
wolfSSL | 4:1b0d80432c79 | 3051 | WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ; |
wolfSSL | 4:1b0d80432c79 | 3052 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3053 | } |
wolfSSL | 4:1b0d80432c79 | 3054 | |
wolfSSL | 4:1b0d80432c79 | 3055 | ltime -= (time_t)timeDiff ; |
wolfSSL | 4:1b0d80432c79 | 3056 | localTime = XGMTIME(<ime, tmpTime); |
wolfSSL | 4:1b0d80432c79 | 3057 | |
wolfSSL | 4:1b0d80432c79 | 3058 | if (localTime == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3059 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 4:1b0d80432c79 | 3060 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3061 | } |
wolfSSL | 4:1b0d80432c79 | 3062 | |
wolfSSL | 4:1b0d80432c79 | 3063 | if (dateType == BEFORE) { |
wolfSSL | 4:1b0d80432c79 | 3064 | if (DateLessThan(localTime, &certTime)) |
wolfSSL | 4:1b0d80432c79 | 3065 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3066 | } |
wolfSSL | 4:1b0d80432c79 | 3067 | else |
wolfSSL | 4:1b0d80432c79 | 3068 | if (DateGreaterThan(localTime, &certTime)) |
wolfSSL | 4:1b0d80432c79 | 3069 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3070 | |
wolfSSL | 4:1b0d80432c79 | 3071 | return 1; |
wolfSSL | 4:1b0d80432c79 | 3072 | } |
wolfSSL | 4:1b0d80432c79 | 3073 | #endif /* !NO_TIME_H && USE_WOLF_VALIDDATE */ |
wolfSSL | 4:1b0d80432c79 | 3074 | |
wolfSSL | 4:1b0d80432c79 | 3075 | |
wolfSSL | 4:1b0d80432c79 | 3076 | static int GetDate(DecodedCert* cert, int dateType) |
wolfSSL | 4:1b0d80432c79 | 3077 | { |
wolfSSL | 4:1b0d80432c79 | 3078 | int length; |
wolfSSL | 4:1b0d80432c79 | 3079 | byte date[MAX_DATE_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 3080 | byte b; |
wolfSSL | 4:1b0d80432c79 | 3081 | word32 startIdx = 0; |
wolfSSL | 4:1b0d80432c79 | 3082 | |
wolfSSL | 4:1b0d80432c79 | 3083 | if (dateType == BEFORE) |
wolfSSL | 4:1b0d80432c79 | 3084 | cert->beforeDate = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 3085 | else |
wolfSSL | 4:1b0d80432c79 | 3086 | cert->afterDate = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 3087 | startIdx = cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 3088 | |
wolfSSL | 4:1b0d80432c79 | 3089 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 3090 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) |
wolfSSL | 4:1b0d80432c79 | 3091 | return ASN_TIME_E; |
wolfSSL | 4:1b0d80432c79 | 3092 | |
wolfSSL | 4:1b0d80432c79 | 3093 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 3094 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3095 | |
wolfSSL | 4:1b0d80432c79 | 3096 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 4:1b0d80432c79 | 3097 | return ASN_DATE_SZ_E; |
wolfSSL | 4:1b0d80432c79 | 3098 | |
wolfSSL | 4:1b0d80432c79 | 3099 | XMEMCPY(date, &cert->source[cert->srcIdx], length); |
wolfSSL | 4:1b0d80432c79 | 3100 | cert->srcIdx += length; |
wolfSSL | 4:1b0d80432c79 | 3101 | |
wolfSSL | 4:1b0d80432c79 | 3102 | if (dateType == BEFORE) |
wolfSSL | 4:1b0d80432c79 | 3103 | cert->beforeDateLen = cert->srcIdx - startIdx; |
wolfSSL | 4:1b0d80432c79 | 3104 | else |
wolfSSL | 4:1b0d80432c79 | 3105 | cert->afterDateLen = cert->srcIdx - startIdx; |
wolfSSL | 4:1b0d80432c79 | 3106 | |
wolfSSL | 4:1b0d80432c79 | 3107 | if (!XVALIDATE_DATE(date, b, dateType)) { |
wolfSSL | 4:1b0d80432c79 | 3108 | if (dateType == BEFORE) |
wolfSSL | 4:1b0d80432c79 | 3109 | return ASN_BEFORE_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 3110 | else |
wolfSSL | 4:1b0d80432c79 | 3111 | return ASN_AFTER_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 3112 | } |
wolfSSL | 4:1b0d80432c79 | 3113 | |
wolfSSL | 4:1b0d80432c79 | 3114 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3115 | } |
wolfSSL | 4:1b0d80432c79 | 3116 | |
wolfSSL | 4:1b0d80432c79 | 3117 | |
wolfSSL | 4:1b0d80432c79 | 3118 | static int GetValidity(DecodedCert* cert, int verify) |
wolfSSL | 4:1b0d80432c79 | 3119 | { |
wolfSSL | 4:1b0d80432c79 | 3120 | int length; |
wolfSSL | 4:1b0d80432c79 | 3121 | int badDate = 0; |
wolfSSL | 4:1b0d80432c79 | 3122 | |
wolfSSL | 4:1b0d80432c79 | 3123 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 3124 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3125 | |
wolfSSL | 4:1b0d80432c79 | 3126 | if (GetDate(cert, BEFORE) < 0 && verify) |
wolfSSL | 4:1b0d80432c79 | 3127 | badDate = ASN_BEFORE_DATE_E; /* continue parsing */ |
wolfSSL | 4:1b0d80432c79 | 3128 | |
wolfSSL | 4:1b0d80432c79 | 3129 | if (GetDate(cert, AFTER) < 0 && verify) |
wolfSSL | 4:1b0d80432c79 | 3130 | return ASN_AFTER_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 3131 | |
wolfSSL | 4:1b0d80432c79 | 3132 | if (badDate != 0) |
wolfSSL | 4:1b0d80432c79 | 3133 | return badDate; |
wolfSSL | 4:1b0d80432c79 | 3134 | |
wolfSSL | 4:1b0d80432c79 | 3135 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3136 | } |
wolfSSL | 4:1b0d80432c79 | 3137 | |
wolfSSL | 4:1b0d80432c79 | 3138 | |
wolfSSL | 4:1b0d80432c79 | 3139 | int DecodeToKey(DecodedCert* cert, int verify) |
wolfSSL | 4:1b0d80432c79 | 3140 | { |
wolfSSL | 4:1b0d80432c79 | 3141 | int badDate = 0; |
wolfSSL | 4:1b0d80432c79 | 3142 | int ret; |
wolfSSL | 4:1b0d80432c79 | 3143 | |
wolfSSL | 4:1b0d80432c79 | 3144 | if ( (ret = GetCertHeader(cert)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3145 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3146 | |
wolfSSL | 4:1b0d80432c79 | 3147 | WOLFSSL_MSG("Got Cert Header"); |
wolfSSL | 4:1b0d80432c79 | 3148 | |
wolfSSL | 4:1b0d80432c79 | 3149 | if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, |
wolfSSL | 4:1b0d80432c79 | 3150 | sigType, cert->maxIdx)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3151 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3152 | |
wolfSSL | 4:1b0d80432c79 | 3153 | WOLFSSL_MSG("Got Algo ID"); |
wolfSSL | 4:1b0d80432c79 | 3154 | |
wolfSSL | 4:1b0d80432c79 | 3155 | if ( (ret = GetName(cert, ISSUER)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3156 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3157 | |
wolfSSL | 4:1b0d80432c79 | 3158 | if ( (ret = GetValidity(cert, verify)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3159 | badDate = ret; |
wolfSSL | 4:1b0d80432c79 | 3160 | |
wolfSSL | 4:1b0d80432c79 | 3161 | if ( (ret = GetName(cert, SUBJECT)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3162 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3163 | |
wolfSSL | 4:1b0d80432c79 | 3164 | WOLFSSL_MSG("Got Subject Name"); |
wolfSSL | 4:1b0d80432c79 | 3165 | |
wolfSSL | 4:1b0d80432c79 | 3166 | if ( (ret = GetKey(cert)) < 0) |
wolfSSL | 4:1b0d80432c79 | 3167 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3168 | |
wolfSSL | 4:1b0d80432c79 | 3169 | WOLFSSL_MSG("Got Key"); |
wolfSSL | 4:1b0d80432c79 | 3170 | |
wolfSSL | 4:1b0d80432c79 | 3171 | if (badDate != 0) |
wolfSSL | 4:1b0d80432c79 | 3172 | return badDate; |
wolfSSL | 4:1b0d80432c79 | 3173 | |
wolfSSL | 4:1b0d80432c79 | 3174 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3175 | } |
wolfSSL | 4:1b0d80432c79 | 3176 | |
wolfSSL | 4:1b0d80432c79 | 3177 | |
wolfSSL | 4:1b0d80432c79 | 3178 | static int GetSignature(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 3179 | { |
wolfSSL | 4:1b0d80432c79 | 3180 | int length; |
wolfSSL | 4:1b0d80432c79 | 3181 | byte b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 3182 | |
wolfSSL | 4:1b0d80432c79 | 3183 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 3184 | return ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 3185 | |
wolfSSL | 4:1b0d80432c79 | 3186 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 3187 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3188 | |
wolfSSL | 4:1b0d80432c79 | 3189 | cert->sigLength = length; |
wolfSSL | 4:1b0d80432c79 | 3190 | |
wolfSSL | 4:1b0d80432c79 | 3191 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 3192 | if (b != 0x00) |
wolfSSL | 4:1b0d80432c79 | 3193 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 3194 | |
wolfSSL | 4:1b0d80432c79 | 3195 | cert->sigLength--; |
wolfSSL | 4:1b0d80432c79 | 3196 | cert->signature = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 3197 | cert->srcIdx += cert->sigLength; |
wolfSSL | 4:1b0d80432c79 | 3198 | |
wolfSSL | 4:1b0d80432c79 | 3199 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3200 | } |
wolfSSL | 4:1b0d80432c79 | 3201 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 3202 | |
wolfSSL | 4:1b0d80432c79 | 3203 | static word32 SetDigest(const byte* digest, word32 digSz, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3204 | { |
wolfSSL | 4:1b0d80432c79 | 3205 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 4:1b0d80432c79 | 3206 | output[1] = (byte)digSz; |
wolfSSL | 4:1b0d80432c79 | 3207 | XMEMCPY(&output[2], digest, digSz); |
wolfSSL | 4:1b0d80432c79 | 3208 | |
wolfSSL | 4:1b0d80432c79 | 3209 | return digSz + 2; |
wolfSSL | 4:1b0d80432c79 | 3210 | } |
wolfSSL | 4:1b0d80432c79 | 3211 | |
wolfSSL | 4:1b0d80432c79 | 3212 | |
wolfSSL | 4:1b0d80432c79 | 3213 | static word32 BytePrecision(word32 value) |
wolfSSL | 4:1b0d80432c79 | 3214 | { |
wolfSSL | 4:1b0d80432c79 | 3215 | word32 i; |
wolfSSL | 4:1b0d80432c79 | 3216 | for (i = sizeof(value); i; --i) |
wolfSSL | 4:1b0d80432c79 | 3217 | if (value >> ((i - 1) * WOLFSSL_BIT_SIZE)) |
wolfSSL | 4:1b0d80432c79 | 3218 | break; |
wolfSSL | 4:1b0d80432c79 | 3219 | |
wolfSSL | 4:1b0d80432c79 | 3220 | return i; |
wolfSSL | 4:1b0d80432c79 | 3221 | } |
wolfSSL | 4:1b0d80432c79 | 3222 | |
wolfSSL | 4:1b0d80432c79 | 3223 | |
wolfSSL | 4:1b0d80432c79 | 3224 | WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3225 | { |
wolfSSL | 4:1b0d80432c79 | 3226 | word32 i = 0, j; |
wolfSSL | 4:1b0d80432c79 | 3227 | |
wolfSSL | 4:1b0d80432c79 | 3228 | if (length < ASN_LONG_LENGTH) |
wolfSSL | 4:1b0d80432c79 | 3229 | output[i++] = (byte)length; |
wolfSSL | 4:1b0d80432c79 | 3230 | else { |
wolfSSL | 4:1b0d80432c79 | 3231 | output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); |
wolfSSL | 4:1b0d80432c79 | 3232 | |
wolfSSL | 4:1b0d80432c79 | 3233 | for (j = BytePrecision(length); j; --j) { |
wolfSSL | 4:1b0d80432c79 | 3234 | output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE)); |
wolfSSL | 4:1b0d80432c79 | 3235 | i++; |
wolfSSL | 4:1b0d80432c79 | 3236 | } |
wolfSSL | 4:1b0d80432c79 | 3237 | } |
wolfSSL | 4:1b0d80432c79 | 3238 | |
wolfSSL | 4:1b0d80432c79 | 3239 | return i; |
wolfSSL | 4:1b0d80432c79 | 3240 | } |
wolfSSL | 4:1b0d80432c79 | 3241 | |
wolfSSL | 4:1b0d80432c79 | 3242 | |
wolfSSL | 4:1b0d80432c79 | 3243 | WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3244 | { |
wolfSSL | 4:1b0d80432c79 | 3245 | output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED; |
wolfSSL | 4:1b0d80432c79 | 3246 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 3247 | } |
wolfSSL | 4:1b0d80432c79 | 3248 | |
wolfSSL | 4:1b0d80432c79 | 3249 | WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3250 | { |
wolfSSL | 4:1b0d80432c79 | 3251 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 4:1b0d80432c79 | 3252 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 3253 | } |
wolfSSL | 4:1b0d80432c79 | 3254 | |
wolfSSL | 4:1b0d80432c79 | 3255 | /* Write a set header to output */ |
wolfSSL | 4:1b0d80432c79 | 3256 | WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3257 | { |
wolfSSL | 4:1b0d80432c79 | 3258 | output[0] = ASN_SET | ASN_CONSTRUCTED; |
wolfSSL | 4:1b0d80432c79 | 3259 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 3260 | } |
wolfSSL | 4:1b0d80432c79 | 3261 | |
wolfSSL | 4:1b0d80432c79 | 3262 | WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3263 | { |
wolfSSL | 4:1b0d80432c79 | 3264 | |
wolfSSL | 4:1b0d80432c79 | 3265 | output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0) |
wolfSSL | 4:1b0d80432c79 | 3266 | | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 4:1b0d80432c79 | 3267 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 3268 | } |
wolfSSL | 4:1b0d80432c79 | 3269 | |
wolfSSL | 4:1b0d80432c79 | 3270 | WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3271 | { |
wolfSSL | 4:1b0d80432c79 | 3272 | output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 4:1b0d80432c79 | 3273 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 3274 | } |
wolfSSL | 4:1b0d80432c79 | 3275 | |
wolfSSL | 4:1b0d80432c79 | 3276 | |
wolfSSL | 4:1b0d80432c79 | 3277 | #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 4:1b0d80432c79 | 3278 | |
wolfSSL | 4:1b0d80432c79 | 3279 | static int SetCurve(ecc_key* key, byte* output) |
wolfSSL | 4:1b0d80432c79 | 3280 | { |
wolfSSL | 4:1b0d80432c79 | 3281 | |
wolfSSL | 4:1b0d80432c79 | 3282 | /* curve types */ |
wolfSSL | 4:1b0d80432c79 | 3283 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 4:1b0d80432c79 | 3284 | static const byte ECC_192v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 4:1b0d80432c79 | 3285 | 0x03, 0x01, 0x01}; |
wolfSSL | 4:1b0d80432c79 | 3286 | #endif |
wolfSSL | 4:1b0d80432c79 | 3287 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 4:1b0d80432c79 | 3288 | static const byte ECC_256v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 4:1b0d80432c79 | 3289 | 0x03, 0x01, 0x07}; |
wolfSSL | 4:1b0d80432c79 | 3290 | #endif |
wolfSSL | 4:1b0d80432c79 | 3291 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 4:1b0d80432c79 | 3292 | static const byte ECC_160r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 4:1b0d80432c79 | 3293 | 0x02}; |
wolfSSL | 4:1b0d80432c79 | 3294 | #endif |
wolfSSL | 4:1b0d80432c79 | 3295 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 4:1b0d80432c79 | 3296 | static const byte ECC_224r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 4:1b0d80432c79 | 3297 | 0x21}; |
wolfSSL | 4:1b0d80432c79 | 3298 | #endif |
wolfSSL | 4:1b0d80432c79 | 3299 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 4:1b0d80432c79 | 3300 | static const byte ECC_384r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 4:1b0d80432c79 | 3301 | 0x22}; |
wolfSSL | 4:1b0d80432c79 | 3302 | #endif |
wolfSSL | 4:1b0d80432c79 | 3303 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 4:1b0d80432c79 | 3304 | static const byte ECC_521r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 4:1b0d80432c79 | 3305 | 0x23}; |
wolfSSL | 4:1b0d80432c79 | 3306 | #endif |
wolfSSL | 4:1b0d80432c79 | 3307 | |
wolfSSL | 4:1b0d80432c79 | 3308 | int oidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 3309 | int idx = 0; |
wolfSSL | 4:1b0d80432c79 | 3310 | int lenSz = 0; |
wolfSSL | 4:1b0d80432c79 | 3311 | const byte* oid = 0; |
wolfSSL | 4:1b0d80432c79 | 3312 | |
wolfSSL | 4:1b0d80432c79 | 3313 | output[0] = ASN_OBJECT_ID; |
wolfSSL | 4:1b0d80432c79 | 3314 | idx++; |
wolfSSL | 4:1b0d80432c79 | 3315 | |
wolfSSL | 4:1b0d80432c79 | 3316 | switch (key->dp->size) { |
wolfSSL | 4:1b0d80432c79 | 3317 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 4:1b0d80432c79 | 3318 | case 20: |
wolfSSL | 4:1b0d80432c79 | 3319 | oidSz = sizeof(ECC_160r1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3320 | oid = ECC_160r1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3321 | break; |
wolfSSL | 4:1b0d80432c79 | 3322 | #endif |
wolfSSL | 4:1b0d80432c79 | 3323 | |
wolfSSL | 4:1b0d80432c79 | 3324 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 4:1b0d80432c79 | 3325 | case 24: |
wolfSSL | 4:1b0d80432c79 | 3326 | oidSz = sizeof(ECC_192v1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3327 | oid = ECC_192v1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3328 | break; |
wolfSSL | 4:1b0d80432c79 | 3329 | #endif |
wolfSSL | 4:1b0d80432c79 | 3330 | |
wolfSSL | 4:1b0d80432c79 | 3331 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 4:1b0d80432c79 | 3332 | case 28: |
wolfSSL | 4:1b0d80432c79 | 3333 | oidSz = sizeof(ECC_224r1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3334 | oid = ECC_224r1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3335 | break; |
wolfSSL | 4:1b0d80432c79 | 3336 | #endif |
wolfSSL | 4:1b0d80432c79 | 3337 | |
wolfSSL | 4:1b0d80432c79 | 3338 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 4:1b0d80432c79 | 3339 | case 32: |
wolfSSL | 4:1b0d80432c79 | 3340 | oidSz = sizeof(ECC_256v1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3341 | oid = ECC_256v1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3342 | break; |
wolfSSL | 4:1b0d80432c79 | 3343 | #endif |
wolfSSL | 4:1b0d80432c79 | 3344 | |
wolfSSL | 4:1b0d80432c79 | 3345 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 4:1b0d80432c79 | 3346 | case 48: |
wolfSSL | 4:1b0d80432c79 | 3347 | oidSz = sizeof(ECC_384r1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3348 | oid = ECC_384r1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3349 | break; |
wolfSSL | 4:1b0d80432c79 | 3350 | #endif |
wolfSSL | 4:1b0d80432c79 | 3351 | |
wolfSSL | 4:1b0d80432c79 | 3352 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 4:1b0d80432c79 | 3353 | case 66: |
wolfSSL | 4:1b0d80432c79 | 3354 | oidSz = sizeof(ECC_521r1_AlgoID); |
wolfSSL | 4:1b0d80432c79 | 3355 | oid = ECC_521r1_AlgoID; |
wolfSSL | 4:1b0d80432c79 | 3356 | break; |
wolfSSL | 4:1b0d80432c79 | 3357 | #endif |
wolfSSL | 4:1b0d80432c79 | 3358 | |
wolfSSL | 4:1b0d80432c79 | 3359 | default: |
wolfSSL | 4:1b0d80432c79 | 3360 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 4:1b0d80432c79 | 3361 | } |
wolfSSL | 4:1b0d80432c79 | 3362 | lenSz = SetLength(oidSz, output+idx); |
wolfSSL | 4:1b0d80432c79 | 3363 | idx += lenSz; |
wolfSSL | 4:1b0d80432c79 | 3364 | |
wolfSSL | 4:1b0d80432c79 | 3365 | XMEMCPY(output+idx, oid, oidSz); |
wolfSSL | 4:1b0d80432c79 | 3366 | idx += oidSz; |
wolfSSL | 4:1b0d80432c79 | 3367 | |
wolfSSL | 4:1b0d80432c79 | 3368 | return idx; |
wolfSSL | 4:1b0d80432c79 | 3369 | } |
wolfSSL | 4:1b0d80432c79 | 3370 | |
wolfSSL | 4:1b0d80432c79 | 3371 | #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 3372 | |
wolfSSL | 4:1b0d80432c79 | 3373 | |
wolfSSL | 4:1b0d80432c79 | 3374 | WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) |
wolfSSL | 4:1b0d80432c79 | 3375 | { |
wolfSSL | 4:1b0d80432c79 | 3376 | word32 tagSz, idSz, seqSz, algoSz = 0; |
wolfSSL | 4:1b0d80432c79 | 3377 | const byte* algoName = 0; |
wolfSSL | 4:1b0d80432c79 | 3378 | byte ID_Length[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3379 | byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ |
wolfSSL | 4:1b0d80432c79 | 3380 | |
wolfSSL | 4:1b0d80432c79 | 3381 | tagSz = (type == hashType || type == sigType || |
wolfSSL | 4:1b0d80432c79 | 3382 | (type == keyType && algoOID == RSAk)) ? 2 : 0; |
wolfSSL | 4:1b0d80432c79 | 3383 | |
wolfSSL | 4:1b0d80432c79 | 3384 | algoName = OidFromId(algoOID, type, &algoSz); |
wolfSSL | 4:1b0d80432c79 | 3385 | |
wolfSSL | 4:1b0d80432c79 | 3386 | if (algoName == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3387 | WOLFSSL_MSG("Unknown Algorithm"); |
wolfSSL | 4:1b0d80432c79 | 3388 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3389 | } |
wolfSSL | 4:1b0d80432c79 | 3390 | |
wolfSSL | 4:1b0d80432c79 | 3391 | idSz = SetLength(algoSz, ID_Length); |
wolfSSL | 4:1b0d80432c79 | 3392 | seqSz = SetSequence(idSz + algoSz + 1 + tagSz + curveSz, seqArray); |
wolfSSL | 4:1b0d80432c79 | 3393 | /* +1 for object id, curveID of curveSz follows for ecc */ |
wolfSSL | 4:1b0d80432c79 | 3394 | seqArray[seqSz++] = ASN_OBJECT_ID; |
wolfSSL | 4:1b0d80432c79 | 3395 | |
wolfSSL | 4:1b0d80432c79 | 3396 | XMEMCPY(output, seqArray, seqSz); |
wolfSSL | 4:1b0d80432c79 | 3397 | XMEMCPY(output + seqSz, ID_Length, idSz); |
wolfSSL | 4:1b0d80432c79 | 3398 | XMEMCPY(output + seqSz + idSz, algoName, algoSz); |
wolfSSL | 4:1b0d80432c79 | 3399 | if (tagSz == 2) { |
wolfSSL | 4:1b0d80432c79 | 3400 | output[seqSz + idSz + algoSz] = ASN_TAG_NULL; |
wolfSSL | 4:1b0d80432c79 | 3401 | output[seqSz + idSz + algoSz + 1] = 0; |
wolfSSL | 4:1b0d80432c79 | 3402 | } |
wolfSSL | 4:1b0d80432c79 | 3403 | |
wolfSSL | 4:1b0d80432c79 | 3404 | return seqSz + idSz + algoSz + tagSz; |
wolfSSL | 4:1b0d80432c79 | 3405 | |
wolfSSL | 4:1b0d80432c79 | 3406 | } |
wolfSSL | 4:1b0d80432c79 | 3407 | |
wolfSSL | 4:1b0d80432c79 | 3408 | |
wolfSSL | 4:1b0d80432c79 | 3409 | word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz, |
wolfSSL | 4:1b0d80432c79 | 3410 | int hashOID) |
wolfSSL | 4:1b0d80432c79 | 3411 | { |
wolfSSL | 4:1b0d80432c79 | 3412 | byte digArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3413 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3414 | byte seqArray[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3415 | word32 encDigSz, algoSz, seqSz; |
wolfSSL | 4:1b0d80432c79 | 3416 | |
wolfSSL | 4:1b0d80432c79 | 3417 | encDigSz = SetDigest(digest, digSz, digArray); |
wolfSSL | 4:1b0d80432c79 | 3418 | algoSz = SetAlgoID(hashOID, algoArray, hashType, 0); |
wolfSSL | 4:1b0d80432c79 | 3419 | seqSz = SetSequence(encDigSz + algoSz, seqArray); |
wolfSSL | 4:1b0d80432c79 | 3420 | |
wolfSSL | 4:1b0d80432c79 | 3421 | XMEMCPY(out, seqArray, seqSz); |
wolfSSL | 4:1b0d80432c79 | 3422 | XMEMCPY(out + seqSz, algoArray, algoSz); |
wolfSSL | 4:1b0d80432c79 | 3423 | XMEMCPY(out + seqSz + algoSz, digArray, encDigSz); |
wolfSSL | 4:1b0d80432c79 | 3424 | |
wolfSSL | 4:1b0d80432c79 | 3425 | return encDigSz + algoSz + seqSz; |
wolfSSL | 4:1b0d80432c79 | 3426 | } |
wolfSSL | 4:1b0d80432c79 | 3427 | |
wolfSSL | 4:1b0d80432c79 | 3428 | |
wolfSSL | 4:1b0d80432c79 | 3429 | int wc_GetCTC_HashOID(int type) |
wolfSSL | 4:1b0d80432c79 | 3430 | { |
wolfSSL | 4:1b0d80432c79 | 3431 | switch (type) { |
wolfSSL | 4:1b0d80432c79 | 3432 | #ifdef WOLFSSL_MD2 |
wolfSSL | 4:1b0d80432c79 | 3433 | case MD2: |
wolfSSL | 4:1b0d80432c79 | 3434 | return MD2h; |
wolfSSL | 4:1b0d80432c79 | 3435 | #endif |
wolfSSL | 4:1b0d80432c79 | 3436 | #ifndef NO_MD5 |
wolfSSL | 4:1b0d80432c79 | 3437 | case MD5: |
wolfSSL | 4:1b0d80432c79 | 3438 | return MD5h; |
wolfSSL | 4:1b0d80432c79 | 3439 | #endif |
wolfSSL | 4:1b0d80432c79 | 3440 | #ifndef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 3441 | case SHA: |
wolfSSL | 4:1b0d80432c79 | 3442 | return SHAh; |
wolfSSL | 4:1b0d80432c79 | 3443 | #endif |
wolfSSL | 4:1b0d80432c79 | 3444 | #ifndef NO_SHA256 |
wolfSSL | 4:1b0d80432c79 | 3445 | case SHA256: |
wolfSSL | 4:1b0d80432c79 | 3446 | return SHA256h; |
wolfSSL | 4:1b0d80432c79 | 3447 | #endif |
wolfSSL | 4:1b0d80432c79 | 3448 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 4:1b0d80432c79 | 3449 | case SHA384: |
wolfSSL | 4:1b0d80432c79 | 3450 | return SHA384h; |
wolfSSL | 4:1b0d80432c79 | 3451 | #endif |
wolfSSL | 4:1b0d80432c79 | 3452 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 4:1b0d80432c79 | 3453 | case SHA512: |
wolfSSL | 4:1b0d80432c79 | 3454 | return SHA512h; |
wolfSSL | 4:1b0d80432c79 | 3455 | #endif |
wolfSSL | 4:1b0d80432c79 | 3456 | default: |
wolfSSL | 4:1b0d80432c79 | 3457 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3458 | }; |
wolfSSL | 4:1b0d80432c79 | 3459 | } |
wolfSSL | 4:1b0d80432c79 | 3460 | |
wolfSSL | 4:1b0d80432c79 | 3461 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 3462 | /* return true (1) or false (0) for Confirmation */ |
wolfSSL | 4:1b0d80432c79 | 3463 | static int ConfirmSignature(const byte* buf, word32 bufSz, |
wolfSSL | 4:1b0d80432c79 | 3464 | const byte* key, word32 keySz, word32 keyOID, |
wolfSSL | 4:1b0d80432c79 | 3465 | const byte* sig, word32 sigSz, word32 sigOID, |
wolfSSL | 4:1b0d80432c79 | 3466 | void* heap) |
wolfSSL | 4:1b0d80432c79 | 3467 | { |
wolfSSL | 4:1b0d80432c79 | 3468 | int typeH = 0, digestSz = 0, ret = 0; |
wolfSSL | 4:1b0d80432c79 | 3469 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3470 | byte* digest; |
wolfSSL | 4:1b0d80432c79 | 3471 | #else |
wolfSSL | 4:1b0d80432c79 | 3472 | byte digest[MAX_DIGEST_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 3473 | #endif |
wolfSSL | 4:1b0d80432c79 | 3474 | |
wolfSSL | 4:1b0d80432c79 | 3475 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3476 | digest = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3477 | if (digest == NULL) |
wolfSSL | 4:1b0d80432c79 | 3478 | return 0; /* not confirmed */ |
wolfSSL | 4:1b0d80432c79 | 3479 | #endif |
wolfSSL | 4:1b0d80432c79 | 3480 | |
wolfSSL | 4:1b0d80432c79 | 3481 | (void)key; |
wolfSSL | 4:1b0d80432c79 | 3482 | (void)keySz; |
wolfSSL | 4:1b0d80432c79 | 3483 | (void)sig; |
wolfSSL | 4:1b0d80432c79 | 3484 | (void)sigSz; |
wolfSSL | 4:1b0d80432c79 | 3485 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 3486 | |
wolfSSL | 4:1b0d80432c79 | 3487 | switch (sigOID) { |
wolfSSL | 4:1b0d80432c79 | 3488 | #ifndef NO_MD5 |
wolfSSL | 4:1b0d80432c79 | 3489 | case CTC_MD5wRSA: |
wolfSSL | 4:1b0d80432c79 | 3490 | if (wc_Md5Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3491 | typeH = MD5h; |
wolfSSL | 4:1b0d80432c79 | 3492 | digestSz = MD5_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3493 | } |
wolfSSL | 4:1b0d80432c79 | 3494 | break; |
wolfSSL | 4:1b0d80432c79 | 3495 | #endif |
wolfSSL | 4:1b0d80432c79 | 3496 | #if defined(WOLFSSL_MD2) |
wolfSSL | 4:1b0d80432c79 | 3497 | case CTC_MD2wRSA: |
wolfSSL | 4:1b0d80432c79 | 3498 | if (wc_Md2Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3499 | typeH = MD2h; |
wolfSSL | 4:1b0d80432c79 | 3500 | digestSz = MD2_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3501 | } |
wolfSSL | 4:1b0d80432c79 | 3502 | break; |
wolfSSL | 4:1b0d80432c79 | 3503 | #endif |
wolfSSL | 4:1b0d80432c79 | 3504 | #ifndef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 3505 | case CTC_SHAwRSA: |
wolfSSL | 4:1b0d80432c79 | 3506 | case CTC_SHAwDSA: |
wolfSSL | 4:1b0d80432c79 | 3507 | case CTC_SHAwECDSA: |
wolfSSL | 4:1b0d80432c79 | 3508 | if (wc_ShaHash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3509 | typeH = SHAh; |
wolfSSL | 4:1b0d80432c79 | 3510 | digestSz = SHA_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3511 | } |
wolfSSL | 4:1b0d80432c79 | 3512 | break; |
wolfSSL | 4:1b0d80432c79 | 3513 | #endif |
wolfSSL | 4:1b0d80432c79 | 3514 | #ifndef NO_SHA256 |
wolfSSL | 4:1b0d80432c79 | 3515 | case CTC_SHA256wRSA: |
wolfSSL | 4:1b0d80432c79 | 3516 | case CTC_SHA256wECDSA: |
wolfSSL | 4:1b0d80432c79 | 3517 | if (wc_Sha256Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3518 | typeH = SHA256h; |
wolfSSL | 4:1b0d80432c79 | 3519 | digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3520 | } |
wolfSSL | 4:1b0d80432c79 | 3521 | break; |
wolfSSL | 4:1b0d80432c79 | 3522 | #endif |
wolfSSL | 4:1b0d80432c79 | 3523 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 4:1b0d80432c79 | 3524 | case CTC_SHA512wRSA: |
wolfSSL | 4:1b0d80432c79 | 3525 | case CTC_SHA512wECDSA: |
wolfSSL | 4:1b0d80432c79 | 3526 | if (wc_Sha512Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3527 | typeH = SHA512h; |
wolfSSL | 4:1b0d80432c79 | 3528 | digestSz = SHA512_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3529 | } |
wolfSSL | 4:1b0d80432c79 | 3530 | break; |
wolfSSL | 4:1b0d80432c79 | 3531 | #endif |
wolfSSL | 4:1b0d80432c79 | 3532 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 4:1b0d80432c79 | 3533 | case CTC_SHA384wRSA: |
wolfSSL | 4:1b0d80432c79 | 3534 | case CTC_SHA384wECDSA: |
wolfSSL | 4:1b0d80432c79 | 3535 | if (wc_Sha384Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3536 | typeH = SHA384h; |
wolfSSL | 4:1b0d80432c79 | 3537 | digestSz = SHA384_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 3538 | } |
wolfSSL | 4:1b0d80432c79 | 3539 | break; |
wolfSSL | 4:1b0d80432c79 | 3540 | #endif |
wolfSSL | 4:1b0d80432c79 | 3541 | default: |
wolfSSL | 4:1b0d80432c79 | 3542 | WOLFSSL_MSG("Verify Signature has unsupported type"); |
wolfSSL | 4:1b0d80432c79 | 3543 | } |
wolfSSL | 4:1b0d80432c79 | 3544 | |
wolfSSL | 4:1b0d80432c79 | 3545 | if (typeH == 0) { |
wolfSSL | 4:1b0d80432c79 | 3546 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3547 | XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3548 | #endif |
wolfSSL | 4:1b0d80432c79 | 3549 | return 0; /* not confirmed */ |
wolfSSL | 4:1b0d80432c79 | 3550 | } |
wolfSSL | 4:1b0d80432c79 | 3551 | |
wolfSSL | 4:1b0d80432c79 | 3552 | switch (keyOID) { |
wolfSSL | 4:1b0d80432c79 | 3553 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 3554 | case RSAk: |
wolfSSL | 4:1b0d80432c79 | 3555 | { |
wolfSSL | 4:1b0d80432c79 | 3556 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 3557 | int encodedSigSz, verifySz; |
wolfSSL | 4:1b0d80432c79 | 3558 | byte* out; |
wolfSSL | 4:1b0d80432c79 | 3559 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3560 | RsaKey* pubKey; |
wolfSSL | 4:1b0d80432c79 | 3561 | byte* plain; |
wolfSSL | 4:1b0d80432c79 | 3562 | byte* encodedSig; |
wolfSSL | 4:1b0d80432c79 | 3563 | #else |
wolfSSL | 4:1b0d80432c79 | 3564 | RsaKey pubKey[1]; |
wolfSSL | 4:1b0d80432c79 | 3565 | byte plain[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3566 | byte encodedSig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 3567 | #endif |
wolfSSL | 4:1b0d80432c79 | 3568 | |
wolfSSL | 4:1b0d80432c79 | 3569 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3570 | pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, |
wolfSSL | 4:1b0d80432c79 | 3571 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3572 | plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, |
wolfSSL | 4:1b0d80432c79 | 3573 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3574 | encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, |
wolfSSL | 4:1b0d80432c79 | 3575 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3576 | |
wolfSSL | 4:1b0d80432c79 | 3577 | if (pubKey == NULL || plain == NULL || encodedSig == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3578 | WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature"); |
wolfSSL | 4:1b0d80432c79 | 3579 | |
wolfSSL | 4:1b0d80432c79 | 3580 | if (pubKey) |
wolfSSL | 4:1b0d80432c79 | 3581 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3582 | if (plain) |
wolfSSL | 4:1b0d80432c79 | 3583 | XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3584 | if (encodedSig) |
wolfSSL | 4:1b0d80432c79 | 3585 | XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3586 | |
wolfSSL | 4:1b0d80432c79 | 3587 | break; /* not confirmed */ |
wolfSSL | 4:1b0d80432c79 | 3588 | } |
wolfSSL | 4:1b0d80432c79 | 3589 | #endif |
wolfSSL | 4:1b0d80432c79 | 3590 | if (wc_InitRsaKey(pubKey, heap) != 0) { |
wolfSSL | 4:1b0d80432c79 | 3591 | WOLFSSL_MSG("InitRsaKey failed"); |
wolfSSL | 4:1b0d80432c79 | 3592 | } |
wolfSSL | 4:1b0d80432c79 | 3593 | else if (sigSz > MAX_ENCODED_SIG_SZ) { |
wolfSSL | 4:1b0d80432c79 | 3594 | WOLFSSL_MSG("Verify Signature is too big"); |
wolfSSL | 4:1b0d80432c79 | 3595 | } |
wolfSSL | 4:1b0d80432c79 | 3596 | else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3597 | WOLFSSL_MSG("ASN Key decode error RSA"); |
wolfSSL | 4:1b0d80432c79 | 3598 | } |
wolfSSL | 4:1b0d80432c79 | 3599 | else { |
wolfSSL | 4:1b0d80432c79 | 3600 | XMEMCPY(plain, sig, sigSz); |
wolfSSL | 4:1b0d80432c79 | 3601 | |
wolfSSL | 4:1b0d80432c79 | 3602 | if ((verifySz = wc_RsaSSL_VerifyInline(plain, sigSz, &out, |
wolfSSL | 4:1b0d80432c79 | 3603 | pubKey)) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3604 | WOLFSSL_MSG("Rsa SSL verify error"); |
wolfSSL | 4:1b0d80432c79 | 3605 | } |
wolfSSL | 4:1b0d80432c79 | 3606 | else { |
wolfSSL | 4:1b0d80432c79 | 3607 | /* make sure we're right justified */ |
wolfSSL | 4:1b0d80432c79 | 3608 | encodedSigSz = |
wolfSSL | 4:1b0d80432c79 | 3609 | wc_EncodeSignature(encodedSig, digest, digestSz, typeH); |
wolfSSL | 4:1b0d80432c79 | 3610 | if (encodedSigSz != verifySz || |
wolfSSL | 4:1b0d80432c79 | 3611 | XMEMCMP(out, encodedSig, encodedSigSz) != 0) { |
wolfSSL | 4:1b0d80432c79 | 3612 | WOLFSSL_MSG("Rsa SSL verify match encode error"); |
wolfSSL | 4:1b0d80432c79 | 3613 | } |
wolfSSL | 4:1b0d80432c79 | 3614 | else |
wolfSSL | 4:1b0d80432c79 | 3615 | ret = 1; /* match */ |
wolfSSL | 4:1b0d80432c79 | 3616 | |
wolfSSL | 4:1b0d80432c79 | 3617 | #ifdef WOLFSSL_DEBUG_ENCODING |
wolfSSL | 4:1b0d80432c79 | 3618 | { |
wolfSSL | 4:1b0d80432c79 | 3619 | int x; |
wolfSSL | 4:1b0d80432c79 | 3620 | |
wolfSSL | 4:1b0d80432c79 | 3621 | printf("wolfssl encodedSig:\n"); |
wolfSSL | 4:1b0d80432c79 | 3622 | |
wolfSSL | 4:1b0d80432c79 | 3623 | for (x = 0; x < encodedSigSz; x++) { |
wolfSSL | 4:1b0d80432c79 | 3624 | printf("%02x ", encodedSig[x]); |
wolfSSL | 4:1b0d80432c79 | 3625 | if ( (x % 16) == 15) |
wolfSSL | 4:1b0d80432c79 | 3626 | printf("\n"); |
wolfSSL | 4:1b0d80432c79 | 3627 | } |
wolfSSL | 4:1b0d80432c79 | 3628 | |
wolfSSL | 4:1b0d80432c79 | 3629 | printf("\n"); |
wolfSSL | 4:1b0d80432c79 | 3630 | printf("actual digest:\n"); |
wolfSSL | 4:1b0d80432c79 | 3631 | |
wolfSSL | 4:1b0d80432c79 | 3632 | for (x = 0; x < verifySz; x++) { |
wolfSSL | 4:1b0d80432c79 | 3633 | printf("%02x ", out[x]); |
wolfSSL | 4:1b0d80432c79 | 3634 | if ( (x % 16) == 15) |
wolfSSL | 4:1b0d80432c79 | 3635 | printf("\n"); |
wolfSSL | 4:1b0d80432c79 | 3636 | } |
wolfSSL | 4:1b0d80432c79 | 3637 | |
wolfSSL | 4:1b0d80432c79 | 3638 | printf("\n"); |
wolfSSL | 4:1b0d80432c79 | 3639 | } |
wolfSSL | 4:1b0d80432c79 | 3640 | #endif /* WOLFSSL_DEBUG_ENCODING */ |
wolfSSL | 4:1b0d80432c79 | 3641 | |
wolfSSL | 4:1b0d80432c79 | 3642 | } |
wolfSSL | 4:1b0d80432c79 | 3643 | |
wolfSSL | 4:1b0d80432c79 | 3644 | } |
wolfSSL | 4:1b0d80432c79 | 3645 | |
wolfSSL | 4:1b0d80432c79 | 3646 | wc_FreeRsaKey(pubKey); |
wolfSSL | 4:1b0d80432c79 | 3647 | |
wolfSSL | 4:1b0d80432c79 | 3648 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3649 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3650 | XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3651 | XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3652 | #endif |
wolfSSL | 4:1b0d80432c79 | 3653 | break; |
wolfSSL | 4:1b0d80432c79 | 3654 | } |
wolfSSL | 4:1b0d80432c79 | 3655 | |
wolfSSL | 4:1b0d80432c79 | 3656 | #endif /* NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 3657 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 3658 | case ECDSAk: |
wolfSSL | 4:1b0d80432c79 | 3659 | { |
wolfSSL | 4:1b0d80432c79 | 3660 | int verify = 0; |
wolfSSL | 4:1b0d80432c79 | 3661 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3662 | ecc_key* pubKey; |
wolfSSL | 4:1b0d80432c79 | 3663 | #else |
wolfSSL | 4:1b0d80432c79 | 3664 | ecc_key pubKey[1]; |
wolfSSL | 4:1b0d80432c79 | 3665 | #endif |
wolfSSL | 4:1b0d80432c79 | 3666 | |
wolfSSL | 4:1b0d80432c79 | 3667 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3668 | pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, |
wolfSSL | 4:1b0d80432c79 | 3669 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3670 | if (pubKey == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3671 | WOLFSSL_MSG("Failed to allocate pubKey"); |
wolfSSL | 4:1b0d80432c79 | 3672 | break; /* not confirmed */ |
wolfSSL | 4:1b0d80432c79 | 3673 | } |
wolfSSL | 4:1b0d80432c79 | 3674 | #endif |
wolfSSL | 4:1b0d80432c79 | 3675 | |
wolfSSL | 4:1b0d80432c79 | 3676 | if (wc_ecc_init(pubKey) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3677 | WOLFSSL_MSG("Failed to initialize key"); |
wolfSSL | 4:1b0d80432c79 | 3678 | break; /* not confirmed */ |
wolfSSL | 4:1b0d80432c79 | 3679 | } |
wolfSSL | 4:1b0d80432c79 | 3680 | if (wc_ecc_import_x963(key, keySz, pubKey) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3681 | WOLFSSL_MSG("ASN Key import error ECC"); |
wolfSSL | 4:1b0d80432c79 | 3682 | } |
wolfSSL | 4:1b0d80432c79 | 3683 | else { |
wolfSSL | 4:1b0d80432c79 | 3684 | if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify, |
wolfSSL | 4:1b0d80432c79 | 3685 | pubKey) != 0) { |
wolfSSL | 4:1b0d80432c79 | 3686 | WOLFSSL_MSG("ECC verify hash error"); |
wolfSSL | 4:1b0d80432c79 | 3687 | } |
wolfSSL | 4:1b0d80432c79 | 3688 | else if (1 != verify) { |
wolfSSL | 4:1b0d80432c79 | 3689 | WOLFSSL_MSG("ECC Verify didn't match"); |
wolfSSL | 4:1b0d80432c79 | 3690 | } else |
wolfSSL | 4:1b0d80432c79 | 3691 | ret = 1; /* match */ |
wolfSSL | 4:1b0d80432c79 | 3692 | |
wolfSSL | 4:1b0d80432c79 | 3693 | } |
wolfSSL | 4:1b0d80432c79 | 3694 | wc_ecc_free(pubKey); |
wolfSSL | 4:1b0d80432c79 | 3695 | |
wolfSSL | 4:1b0d80432c79 | 3696 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3697 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3698 | #endif |
wolfSSL | 4:1b0d80432c79 | 3699 | break; |
wolfSSL | 4:1b0d80432c79 | 3700 | } |
wolfSSL | 4:1b0d80432c79 | 3701 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 3702 | default: |
wolfSSL | 4:1b0d80432c79 | 3703 | WOLFSSL_MSG("Verify Key type unknown"); |
wolfSSL | 4:1b0d80432c79 | 3704 | } |
wolfSSL | 4:1b0d80432c79 | 3705 | |
wolfSSL | 4:1b0d80432c79 | 3706 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 3707 | XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 3708 | #endif |
wolfSSL | 4:1b0d80432c79 | 3709 | |
wolfSSL | 4:1b0d80432c79 | 3710 | return ret; |
wolfSSL | 4:1b0d80432c79 | 3711 | } |
wolfSSL | 4:1b0d80432c79 | 3712 | |
wolfSSL | 4:1b0d80432c79 | 3713 | |
wolfSSL | 4:1b0d80432c79 | 3714 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 3715 | |
wolfSSL | 4:1b0d80432c79 | 3716 | static int MatchBaseName(int type, const char* name, int nameSz, |
wolfSSL | 4:1b0d80432c79 | 3717 | const char* base, int baseSz) |
wolfSSL | 4:1b0d80432c79 | 3718 | { |
wolfSSL | 4:1b0d80432c79 | 3719 | if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 || |
wolfSSL | 4:1b0d80432c79 | 3720 | name[0] == '.' || nameSz < baseSz || |
wolfSSL | 4:1b0d80432c79 | 3721 | (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE)) |
wolfSSL | 4:1b0d80432c79 | 3722 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3723 | |
wolfSSL | 4:1b0d80432c79 | 3724 | /* If an email type, handle special cases where the base is only |
wolfSSL | 4:1b0d80432c79 | 3725 | * a domain, or is an email address itself. */ |
wolfSSL | 4:1b0d80432c79 | 3726 | if (type == ASN_RFC822_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3727 | const char* p = NULL; |
wolfSSL | 4:1b0d80432c79 | 3728 | int count = 0; |
wolfSSL | 4:1b0d80432c79 | 3729 | |
wolfSSL | 4:1b0d80432c79 | 3730 | if (base[0] != '.') { |
wolfSSL | 4:1b0d80432c79 | 3731 | p = base; |
wolfSSL | 4:1b0d80432c79 | 3732 | count = 0; |
wolfSSL | 4:1b0d80432c79 | 3733 | |
wolfSSL | 4:1b0d80432c79 | 3734 | /* find the '@' in the base */ |
wolfSSL | 4:1b0d80432c79 | 3735 | while (*p != '@' && count < baseSz) { |
wolfSSL | 4:1b0d80432c79 | 3736 | count++; |
wolfSSL | 4:1b0d80432c79 | 3737 | p++; |
wolfSSL | 4:1b0d80432c79 | 3738 | } |
wolfSSL | 4:1b0d80432c79 | 3739 | |
wolfSSL | 4:1b0d80432c79 | 3740 | /* No '@' in base, reset p to NULL */ |
wolfSSL | 4:1b0d80432c79 | 3741 | if (count >= baseSz) |
wolfSSL | 4:1b0d80432c79 | 3742 | p = NULL; |
wolfSSL | 4:1b0d80432c79 | 3743 | } |
wolfSSL | 4:1b0d80432c79 | 3744 | |
wolfSSL | 4:1b0d80432c79 | 3745 | if (p == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3746 | /* Base isn't an email address, it is a domain name, |
wolfSSL | 4:1b0d80432c79 | 3747 | * wind the name forward one character past its '@'. */ |
wolfSSL | 4:1b0d80432c79 | 3748 | p = name; |
wolfSSL | 4:1b0d80432c79 | 3749 | count = 0; |
wolfSSL | 4:1b0d80432c79 | 3750 | while (*p != '@' && count < baseSz) { |
wolfSSL | 4:1b0d80432c79 | 3751 | count++; |
wolfSSL | 4:1b0d80432c79 | 3752 | p++; |
wolfSSL | 4:1b0d80432c79 | 3753 | } |
wolfSSL | 4:1b0d80432c79 | 3754 | |
wolfSSL | 4:1b0d80432c79 | 3755 | if (count < baseSz && *p == '@') { |
wolfSSL | 4:1b0d80432c79 | 3756 | name = p + 1; |
wolfSSL | 4:1b0d80432c79 | 3757 | nameSz -= count + 1; |
wolfSSL | 4:1b0d80432c79 | 3758 | } |
wolfSSL | 4:1b0d80432c79 | 3759 | } |
wolfSSL | 4:1b0d80432c79 | 3760 | } |
wolfSSL | 4:1b0d80432c79 | 3761 | |
wolfSSL | 4:1b0d80432c79 | 3762 | if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') { |
wolfSSL | 4:1b0d80432c79 | 3763 | int szAdjust = nameSz - baseSz; |
wolfSSL | 4:1b0d80432c79 | 3764 | name += szAdjust; |
wolfSSL | 4:1b0d80432c79 | 3765 | nameSz -= szAdjust; |
wolfSSL | 4:1b0d80432c79 | 3766 | } |
wolfSSL | 4:1b0d80432c79 | 3767 | |
wolfSSL | 4:1b0d80432c79 | 3768 | while (nameSz > 0) { |
wolfSSL | 4:1b0d80432c79 | 3769 | if (XTOLOWER((unsigned char)*name++) != |
wolfSSL | 4:1b0d80432c79 | 3770 | XTOLOWER((unsigned char)*base++)) |
wolfSSL | 4:1b0d80432c79 | 3771 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3772 | nameSz--; |
wolfSSL | 4:1b0d80432c79 | 3773 | } |
wolfSSL | 4:1b0d80432c79 | 3774 | |
wolfSSL | 4:1b0d80432c79 | 3775 | return 1; |
wolfSSL | 4:1b0d80432c79 | 3776 | } |
wolfSSL | 4:1b0d80432c79 | 3777 | |
wolfSSL | 4:1b0d80432c79 | 3778 | |
wolfSSL | 4:1b0d80432c79 | 3779 | static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 3780 | { |
wolfSSL | 4:1b0d80432c79 | 3781 | if (signer == NULL || cert == NULL) |
wolfSSL | 4:1b0d80432c79 | 3782 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3783 | |
wolfSSL | 4:1b0d80432c79 | 3784 | /* Check against the excluded list */ |
wolfSSL | 4:1b0d80432c79 | 3785 | if (signer->excludedNames) { |
wolfSSL | 4:1b0d80432c79 | 3786 | Base_entry* base = signer->excludedNames; |
wolfSSL | 4:1b0d80432c79 | 3787 | |
wolfSSL | 4:1b0d80432c79 | 3788 | while (base != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3789 | if (base->type == ASN_DNS_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3790 | DNS_entry* name = cert->altNames; |
wolfSSL | 4:1b0d80432c79 | 3791 | while (name != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3792 | if (MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 4:1b0d80432c79 | 3793 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 4:1b0d80432c79 | 3794 | base->name, base->nameSz)) |
wolfSSL | 4:1b0d80432c79 | 3795 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3796 | name = name->next; |
wolfSSL | 4:1b0d80432c79 | 3797 | } |
wolfSSL | 4:1b0d80432c79 | 3798 | } |
wolfSSL | 4:1b0d80432c79 | 3799 | else if (base->type == ASN_RFC822_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3800 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 4:1b0d80432c79 | 3801 | while (name != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3802 | if (MatchBaseName(ASN_RFC822_TYPE, |
wolfSSL | 4:1b0d80432c79 | 3803 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 4:1b0d80432c79 | 3804 | base->name, base->nameSz)) |
wolfSSL | 4:1b0d80432c79 | 3805 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3806 | |
wolfSSL | 4:1b0d80432c79 | 3807 | name = name->next; |
wolfSSL | 4:1b0d80432c79 | 3808 | } |
wolfSSL | 4:1b0d80432c79 | 3809 | } |
wolfSSL | 4:1b0d80432c79 | 3810 | else if (base->type == ASN_DIR_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3811 | if (cert->subjectRawLen == base->nameSz && |
wolfSSL | 4:1b0d80432c79 | 3812 | XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3813 | |
wolfSSL | 4:1b0d80432c79 | 3814 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3815 | } |
wolfSSL | 4:1b0d80432c79 | 3816 | } |
wolfSSL | 4:1b0d80432c79 | 3817 | base = base->next; |
wolfSSL | 4:1b0d80432c79 | 3818 | } |
wolfSSL | 4:1b0d80432c79 | 3819 | } |
wolfSSL | 4:1b0d80432c79 | 3820 | |
wolfSSL | 4:1b0d80432c79 | 3821 | /* Check against the permitted list */ |
wolfSSL | 4:1b0d80432c79 | 3822 | if (signer->permittedNames != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3823 | int needDns = 0; |
wolfSSL | 4:1b0d80432c79 | 3824 | int matchDns = 0; |
wolfSSL | 4:1b0d80432c79 | 3825 | int needEmail = 0; |
wolfSSL | 4:1b0d80432c79 | 3826 | int matchEmail = 0; |
wolfSSL | 4:1b0d80432c79 | 3827 | int needDir = 0; |
wolfSSL | 4:1b0d80432c79 | 3828 | int matchDir = 0; |
wolfSSL | 4:1b0d80432c79 | 3829 | Base_entry* base = signer->permittedNames; |
wolfSSL | 4:1b0d80432c79 | 3830 | |
wolfSSL | 4:1b0d80432c79 | 3831 | while (base != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3832 | if (base->type == ASN_DNS_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3833 | DNS_entry* name = cert->altNames; |
wolfSSL | 4:1b0d80432c79 | 3834 | |
wolfSSL | 4:1b0d80432c79 | 3835 | if (name != NULL) |
wolfSSL | 4:1b0d80432c79 | 3836 | needDns = 1; |
wolfSSL | 4:1b0d80432c79 | 3837 | |
wolfSSL | 4:1b0d80432c79 | 3838 | while (name != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3839 | matchDns = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 4:1b0d80432c79 | 3840 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 4:1b0d80432c79 | 3841 | base->name, base->nameSz); |
wolfSSL | 4:1b0d80432c79 | 3842 | name = name->next; |
wolfSSL | 4:1b0d80432c79 | 3843 | } |
wolfSSL | 4:1b0d80432c79 | 3844 | } |
wolfSSL | 4:1b0d80432c79 | 3845 | else if (base->type == ASN_RFC822_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3846 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 4:1b0d80432c79 | 3847 | |
wolfSSL | 4:1b0d80432c79 | 3848 | if (name != NULL) |
wolfSSL | 4:1b0d80432c79 | 3849 | needEmail = 1; |
wolfSSL | 4:1b0d80432c79 | 3850 | |
wolfSSL | 4:1b0d80432c79 | 3851 | while (name != NULL) { |
wolfSSL | 4:1b0d80432c79 | 3852 | matchEmail = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 4:1b0d80432c79 | 3853 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 4:1b0d80432c79 | 3854 | base->name, base->nameSz); |
wolfSSL | 4:1b0d80432c79 | 3855 | name = name->next; |
wolfSSL | 4:1b0d80432c79 | 3856 | } |
wolfSSL | 4:1b0d80432c79 | 3857 | } |
wolfSSL | 4:1b0d80432c79 | 3858 | else if (base->type == ASN_DIR_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 3859 | needDir = 1; |
wolfSSL | 4:1b0d80432c79 | 3860 | if (cert->subjectRaw != NULL && |
wolfSSL | 4:1b0d80432c79 | 3861 | cert->subjectRawLen == base->nameSz && |
wolfSSL | 4:1b0d80432c79 | 3862 | XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) { |
wolfSSL | 4:1b0d80432c79 | 3863 | |
wolfSSL | 4:1b0d80432c79 | 3864 | matchDir = 1; |
wolfSSL | 4:1b0d80432c79 | 3865 | } |
wolfSSL | 4:1b0d80432c79 | 3866 | } |
wolfSSL | 4:1b0d80432c79 | 3867 | base = base->next; |
wolfSSL | 4:1b0d80432c79 | 3868 | } |
wolfSSL | 4:1b0d80432c79 | 3869 | |
wolfSSL | 4:1b0d80432c79 | 3870 | if ((needDns && !matchDns) || (needEmail && !matchEmail) || |
wolfSSL | 4:1b0d80432c79 | 3871 | (needDir && !matchDir)) { |
wolfSSL | 4:1b0d80432c79 | 3872 | |
wolfSSL | 4:1b0d80432c79 | 3873 | return 0; |
wolfSSL | 4:1b0d80432c79 | 3874 | } |
wolfSSL | 4:1b0d80432c79 | 3875 | } |
wolfSSL | 4:1b0d80432c79 | 3876 | |
wolfSSL | 4:1b0d80432c79 | 3877 | return 1; |
wolfSSL | 4:1b0d80432c79 | 3878 | } |
wolfSSL | 4:1b0d80432c79 | 3879 | |
wolfSSL | 4:1b0d80432c79 | 3880 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 3881 | |
wolfSSL | 4:1b0d80432c79 | 3882 | |
wolfSSL | 4:1b0d80432c79 | 3883 | static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 3884 | { |
wolfSSL | 4:1b0d80432c79 | 3885 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 3886 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 3887 | |
wolfSSL | 4:1b0d80432c79 | 3888 | WOLFSSL_ENTER("DecodeAltNames"); |
wolfSSL | 4:1b0d80432c79 | 3889 | |
wolfSSL | 4:1b0d80432c79 | 3890 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3891 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 4:1b0d80432c79 | 3892 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3893 | } |
wolfSSL | 4:1b0d80432c79 | 3894 | |
wolfSSL | 4:1b0d80432c79 | 3895 | cert->weOwnAltNames = 1; |
wolfSSL | 4:1b0d80432c79 | 3896 | |
wolfSSL | 4:1b0d80432c79 | 3897 | while (length > 0) { |
wolfSSL | 4:1b0d80432c79 | 3898 | byte b = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 3899 | |
wolfSSL | 4:1b0d80432c79 | 3900 | length--; |
wolfSSL | 4:1b0d80432c79 | 3901 | |
wolfSSL | 4:1b0d80432c79 | 3902 | /* Save DNS Type names in the altNames list. */ |
wolfSSL | 4:1b0d80432c79 | 3903 | /* Save Other Type names in the cert's OidMap */ |
wolfSSL | 4:1b0d80432c79 | 3904 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) { |
wolfSSL | 4:1b0d80432c79 | 3905 | DNS_entry* dnsEntry; |
wolfSSL | 4:1b0d80432c79 | 3906 | int strLen; |
wolfSSL | 4:1b0d80432c79 | 3907 | word32 lenStartIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 3908 | |
wolfSSL | 4:1b0d80432c79 | 3909 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3910 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 4:1b0d80432c79 | 3911 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3912 | } |
wolfSSL | 4:1b0d80432c79 | 3913 | length -= (idx - lenStartIdx); |
wolfSSL | 4:1b0d80432c79 | 3914 | |
wolfSSL | 4:1b0d80432c79 | 3915 | dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 4:1b0d80432c79 | 3916 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3917 | if (dnsEntry == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3918 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 3919 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3920 | } |
wolfSSL | 4:1b0d80432c79 | 3921 | |
wolfSSL | 4:1b0d80432c79 | 3922 | dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 3923 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3924 | if (dnsEntry->name == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3925 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 3926 | XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3927 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3928 | } |
wolfSSL | 4:1b0d80432c79 | 3929 | |
wolfSSL | 4:1b0d80432c79 | 3930 | XMEMCPY(dnsEntry->name, &input[idx], strLen); |
wolfSSL | 4:1b0d80432c79 | 3931 | dnsEntry->name[strLen] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 3932 | |
wolfSSL | 4:1b0d80432c79 | 3933 | dnsEntry->next = cert->altNames; |
wolfSSL | 4:1b0d80432c79 | 3934 | cert->altNames = dnsEntry; |
wolfSSL | 4:1b0d80432c79 | 3935 | |
wolfSSL | 4:1b0d80432c79 | 3936 | length -= strLen; |
wolfSSL | 4:1b0d80432c79 | 3937 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 3938 | } |
wolfSSL | 4:1b0d80432c79 | 3939 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 3940 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) { |
wolfSSL | 4:1b0d80432c79 | 3941 | DNS_entry* emailEntry; |
wolfSSL | 4:1b0d80432c79 | 3942 | int strLen; |
wolfSSL | 4:1b0d80432c79 | 3943 | word32 lenStartIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 3944 | |
wolfSSL | 4:1b0d80432c79 | 3945 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3946 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 4:1b0d80432c79 | 3947 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3948 | } |
wolfSSL | 4:1b0d80432c79 | 3949 | length -= (idx - lenStartIdx); |
wolfSSL | 4:1b0d80432c79 | 3950 | |
wolfSSL | 4:1b0d80432c79 | 3951 | emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 4:1b0d80432c79 | 3952 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3953 | if (emailEntry == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3954 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 3955 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3956 | } |
wolfSSL | 4:1b0d80432c79 | 3957 | |
wolfSSL | 4:1b0d80432c79 | 3958 | emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 3959 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3960 | if (emailEntry->name == NULL) { |
wolfSSL | 4:1b0d80432c79 | 3961 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 3962 | XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 3963 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3964 | } |
wolfSSL | 4:1b0d80432c79 | 3965 | |
wolfSSL | 4:1b0d80432c79 | 3966 | XMEMCPY(emailEntry->name, &input[idx], strLen); |
wolfSSL | 4:1b0d80432c79 | 3967 | emailEntry->name[strLen] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 3968 | |
wolfSSL | 4:1b0d80432c79 | 3969 | emailEntry->next = cert->altEmailNames; |
wolfSSL | 4:1b0d80432c79 | 3970 | cert->altEmailNames = emailEntry; |
wolfSSL | 4:1b0d80432c79 | 3971 | |
wolfSSL | 4:1b0d80432c79 | 3972 | length -= strLen; |
wolfSSL | 4:1b0d80432c79 | 3973 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 3974 | } |
wolfSSL | 4:1b0d80432c79 | 3975 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 3976 | #ifdef WOLFSSL_SEP |
wolfSSL | 4:1b0d80432c79 | 3977 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) |
wolfSSL | 4:1b0d80432c79 | 3978 | { |
wolfSSL | 4:1b0d80432c79 | 3979 | int strLen; |
wolfSSL | 4:1b0d80432c79 | 3980 | word32 lenStartIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 3981 | word32 oid = 0; |
wolfSSL | 4:1b0d80432c79 | 3982 | |
wolfSSL | 4:1b0d80432c79 | 3983 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3984 | WOLFSSL_MSG("\tfail: other name length"); |
wolfSSL | 4:1b0d80432c79 | 3985 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3986 | } |
wolfSSL | 4:1b0d80432c79 | 3987 | /* Consume the rest of this sequence. */ |
wolfSSL | 4:1b0d80432c79 | 3988 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 4:1b0d80432c79 | 3989 | |
wolfSSL | 4:1b0d80432c79 | 3990 | if (GetObjectId(input, &idx, &oid, certAltNameType, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 3991 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 4:1b0d80432c79 | 3992 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3993 | } |
wolfSSL | 4:1b0d80432c79 | 3994 | |
wolfSSL | 4:1b0d80432c79 | 3995 | if (oid != HW_NAME_OID) { |
wolfSSL | 4:1b0d80432c79 | 3996 | WOLFSSL_MSG("\tincorrect OID"); |
wolfSSL | 4:1b0d80432c79 | 3997 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 3998 | } |
wolfSSL | 4:1b0d80432c79 | 3999 | |
wolfSSL | 4:1b0d80432c79 | 4000 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 4:1b0d80432c79 | 4001 | WOLFSSL_MSG("\twrong type"); |
wolfSSL | 4:1b0d80432c79 | 4002 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4003 | } |
wolfSSL | 4:1b0d80432c79 | 4004 | |
wolfSSL | 4:1b0d80432c79 | 4005 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4006 | WOLFSSL_MSG("\tfail: str len"); |
wolfSSL | 4:1b0d80432c79 | 4007 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4008 | } |
wolfSSL | 4:1b0d80432c79 | 4009 | |
wolfSSL | 4:1b0d80432c79 | 4010 | if (GetSequence(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4011 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 4:1b0d80432c79 | 4012 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4013 | } |
wolfSSL | 4:1b0d80432c79 | 4014 | |
wolfSSL | 4:1b0d80432c79 | 4015 | if (input[idx++] != ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 4016 | WOLFSSL_MSG("\texpected OID"); |
wolfSSL | 4:1b0d80432c79 | 4017 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4018 | } |
wolfSSL | 4:1b0d80432c79 | 4019 | |
wolfSSL | 4:1b0d80432c79 | 4020 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4021 | WOLFSSL_MSG("\tfailed: str len"); |
wolfSSL | 4:1b0d80432c79 | 4022 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4023 | } |
wolfSSL | 4:1b0d80432c79 | 4024 | |
wolfSSL | 4:1b0d80432c79 | 4025 | cert->hwType = (byte*)XMALLOC(strLen, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 4026 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 4027 | if (cert->hwType == NULL) { |
wolfSSL | 4:1b0d80432c79 | 4028 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 4029 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4030 | } |
wolfSSL | 4:1b0d80432c79 | 4031 | |
wolfSSL | 4:1b0d80432c79 | 4032 | XMEMCPY(cert->hwType, &input[idx], strLen); |
wolfSSL | 4:1b0d80432c79 | 4033 | cert->hwTypeSz = strLen; |
wolfSSL | 4:1b0d80432c79 | 4034 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 4035 | |
wolfSSL | 4:1b0d80432c79 | 4036 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 4037 | WOLFSSL_MSG("\texpected Octet String"); |
wolfSSL | 4:1b0d80432c79 | 4038 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4039 | } |
wolfSSL | 4:1b0d80432c79 | 4040 | |
wolfSSL | 4:1b0d80432c79 | 4041 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4042 | WOLFSSL_MSG("\tfailed: str len"); |
wolfSSL | 4:1b0d80432c79 | 4043 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4044 | } |
wolfSSL | 4:1b0d80432c79 | 4045 | |
wolfSSL | 4:1b0d80432c79 | 4046 | cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 4047 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 4048 | if (cert->hwSerialNum == NULL) { |
wolfSSL | 4:1b0d80432c79 | 4049 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 4:1b0d80432c79 | 4050 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4051 | } |
wolfSSL | 4:1b0d80432c79 | 4052 | |
wolfSSL | 4:1b0d80432c79 | 4053 | XMEMCPY(cert->hwSerialNum, &input[idx], strLen); |
wolfSSL | 4:1b0d80432c79 | 4054 | cert->hwSerialNum[strLen] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 4055 | cert->hwSerialNumSz = strLen; |
wolfSSL | 4:1b0d80432c79 | 4056 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 4057 | } |
wolfSSL | 4:1b0d80432c79 | 4058 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 4059 | else { |
wolfSSL | 4:1b0d80432c79 | 4060 | int strLen; |
wolfSSL | 4:1b0d80432c79 | 4061 | word32 lenStartIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 4062 | |
wolfSSL | 4:1b0d80432c79 | 4063 | WOLFSSL_MSG("\tUnsupported name type, skipping"); |
wolfSSL | 4:1b0d80432c79 | 4064 | |
wolfSSL | 4:1b0d80432c79 | 4065 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4066 | WOLFSSL_MSG("\tfail: unsupported name length"); |
wolfSSL | 4:1b0d80432c79 | 4067 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4068 | } |
wolfSSL | 4:1b0d80432c79 | 4069 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 4:1b0d80432c79 | 4070 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 4071 | } |
wolfSSL | 4:1b0d80432c79 | 4072 | } |
wolfSSL | 4:1b0d80432c79 | 4073 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4074 | } |
wolfSSL | 4:1b0d80432c79 | 4075 | |
wolfSSL | 4:1b0d80432c79 | 4076 | |
wolfSSL | 4:1b0d80432c79 | 4077 | static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4078 | { |
wolfSSL | 4:1b0d80432c79 | 4079 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4080 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 4081 | |
wolfSSL | 4:1b0d80432c79 | 4082 | WOLFSSL_ENTER("DecodeBasicCaConstraint"); |
wolfSSL | 4:1b0d80432c79 | 4083 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4084 | WOLFSSL_MSG("\tfail: bad SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 4085 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4086 | } |
wolfSSL | 4:1b0d80432c79 | 4087 | |
wolfSSL | 4:1b0d80432c79 | 4088 | if (length == 0) |
wolfSSL | 4:1b0d80432c79 | 4089 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4090 | |
wolfSSL | 4:1b0d80432c79 | 4091 | /* If the basic ca constraint is false, this extension may be named, but |
wolfSSL | 4:1b0d80432c79 | 4092 | * left empty. So, if the length is 0, just return. */ |
wolfSSL | 4:1b0d80432c79 | 4093 | |
wolfSSL | 4:1b0d80432c79 | 4094 | if (input[idx++] != ASN_BOOLEAN) |
wolfSSL | 4:1b0d80432c79 | 4095 | { |
wolfSSL | 4:1b0d80432c79 | 4096 | WOLFSSL_MSG("\tfail: constraint not BOOLEAN"); |
wolfSSL | 4:1b0d80432c79 | 4097 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4098 | } |
wolfSSL | 4:1b0d80432c79 | 4099 | |
wolfSSL | 4:1b0d80432c79 | 4100 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4101 | { |
wolfSSL | 4:1b0d80432c79 | 4102 | WOLFSSL_MSG("\tfail: length"); |
wolfSSL | 4:1b0d80432c79 | 4103 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4104 | } |
wolfSSL | 4:1b0d80432c79 | 4105 | |
wolfSSL | 4:1b0d80432c79 | 4106 | if (input[idx++]) |
wolfSSL | 4:1b0d80432c79 | 4107 | cert->isCA = 1; |
wolfSSL | 4:1b0d80432c79 | 4108 | |
wolfSSL | 4:1b0d80432c79 | 4109 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4110 | /* If there isn't any more data, return. */ |
wolfSSL | 4:1b0d80432c79 | 4111 | if (idx >= (word32)sz) |
wolfSSL | 4:1b0d80432c79 | 4112 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4113 | |
wolfSSL | 4:1b0d80432c79 | 4114 | /* Anything left should be the optional pathlength */ |
wolfSSL | 4:1b0d80432c79 | 4115 | if (input[idx++] != ASN_INTEGER) { |
wolfSSL | 4:1b0d80432c79 | 4116 | WOLFSSL_MSG("\tfail: pathlen not INTEGER"); |
wolfSSL | 4:1b0d80432c79 | 4117 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4118 | } |
wolfSSL | 4:1b0d80432c79 | 4119 | |
wolfSSL | 4:1b0d80432c79 | 4120 | if (input[idx++] != 1) { |
wolfSSL | 4:1b0d80432c79 | 4121 | WOLFSSL_MSG("\tfail: pathlen too long"); |
wolfSSL | 4:1b0d80432c79 | 4122 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4123 | } |
wolfSSL | 4:1b0d80432c79 | 4124 | |
wolfSSL | 4:1b0d80432c79 | 4125 | cert->pathLength = input[idx]; |
wolfSSL | 4:1b0d80432c79 | 4126 | cert->extBasicConstPlSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4127 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 4128 | |
wolfSSL | 4:1b0d80432c79 | 4129 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4130 | } |
wolfSSL | 4:1b0d80432c79 | 4131 | |
wolfSSL | 4:1b0d80432c79 | 4132 | |
wolfSSL | 4:1b0d80432c79 | 4133 | #define CRLDP_FULL_NAME 0 |
wolfSSL | 4:1b0d80432c79 | 4134 | /* From RFC3280 SS4.2.1.14, Distribution Point Name*/ |
wolfSSL | 4:1b0d80432c79 | 4135 | #define GENERALNAME_URI 6 |
wolfSSL | 4:1b0d80432c79 | 4136 | /* From RFC3280 SS4.2.1.7, GeneralName */ |
wolfSSL | 4:1b0d80432c79 | 4137 | |
wolfSSL | 4:1b0d80432c79 | 4138 | static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4139 | { |
wolfSSL | 4:1b0d80432c79 | 4140 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4141 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 4142 | |
wolfSSL | 4:1b0d80432c79 | 4143 | WOLFSSL_ENTER("DecodeCrlDist"); |
wolfSSL | 4:1b0d80432c79 | 4144 | |
wolfSSL | 4:1b0d80432c79 | 4145 | /* Unwrap the list of Distribution Points*/ |
wolfSSL | 4:1b0d80432c79 | 4146 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4147 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4148 | |
wolfSSL | 4:1b0d80432c79 | 4149 | /* Unwrap a single Distribution Point */ |
wolfSSL | 4:1b0d80432c79 | 4150 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4151 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4152 | |
wolfSSL | 4:1b0d80432c79 | 4153 | /* The Distribution Point has three explicit optional members |
wolfSSL | 4:1b0d80432c79 | 4154 | * First check for a DistributionPointName |
wolfSSL | 4:1b0d80432c79 | 4155 | */ |
wolfSSL | 4:1b0d80432c79 | 4156 | if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 4:1b0d80432c79 | 4157 | { |
wolfSSL | 4:1b0d80432c79 | 4158 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4159 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4160 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4161 | |
wolfSSL | 4:1b0d80432c79 | 4162 | if (input[idx] == |
wolfSSL | 4:1b0d80432c79 | 4163 | (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME)) |
wolfSSL | 4:1b0d80432c79 | 4164 | { |
wolfSSL | 4:1b0d80432c79 | 4165 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4166 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4167 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4168 | |
wolfSSL | 4:1b0d80432c79 | 4169 | if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) |
wolfSSL | 4:1b0d80432c79 | 4170 | { |
wolfSSL | 4:1b0d80432c79 | 4171 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4172 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4173 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4174 | |
wolfSSL | 4:1b0d80432c79 | 4175 | cert->extCrlInfoSz = length; |
wolfSSL | 4:1b0d80432c79 | 4176 | cert->extCrlInfo = input + idx; |
wolfSSL | 4:1b0d80432c79 | 4177 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4178 | } |
wolfSSL | 4:1b0d80432c79 | 4179 | else |
wolfSSL | 4:1b0d80432c79 | 4180 | /* This isn't a URI, skip it. */ |
wolfSSL | 4:1b0d80432c79 | 4181 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4182 | } |
wolfSSL | 4:1b0d80432c79 | 4183 | else |
wolfSSL | 4:1b0d80432c79 | 4184 | /* This isn't a FULLNAME, skip it. */ |
wolfSSL | 4:1b0d80432c79 | 4185 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4186 | } |
wolfSSL | 4:1b0d80432c79 | 4187 | |
wolfSSL | 4:1b0d80432c79 | 4188 | /* Check for reasonFlags */ |
wolfSSL | 4:1b0d80432c79 | 4189 | if (idx < (word32)sz && |
wolfSSL | 4:1b0d80432c79 | 4190 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 4:1b0d80432c79 | 4191 | { |
wolfSSL | 4:1b0d80432c79 | 4192 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4193 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4194 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4195 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4196 | } |
wolfSSL | 4:1b0d80432c79 | 4197 | |
wolfSSL | 4:1b0d80432c79 | 4198 | /* Check for cRLIssuer */ |
wolfSSL | 4:1b0d80432c79 | 4199 | if (idx < (word32)sz && |
wolfSSL | 4:1b0d80432c79 | 4200 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2)) |
wolfSSL | 4:1b0d80432c79 | 4201 | { |
wolfSSL | 4:1b0d80432c79 | 4202 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4203 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4204 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4205 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4206 | } |
wolfSSL | 4:1b0d80432c79 | 4207 | |
wolfSSL | 4:1b0d80432c79 | 4208 | if (idx < (word32)sz) |
wolfSSL | 4:1b0d80432c79 | 4209 | { |
wolfSSL | 4:1b0d80432c79 | 4210 | WOLFSSL_MSG("\tThere are more CRL Distribution Point records, " |
wolfSSL | 4:1b0d80432c79 | 4211 | "but we only use the first one."); |
wolfSSL | 4:1b0d80432c79 | 4212 | } |
wolfSSL | 4:1b0d80432c79 | 4213 | |
wolfSSL | 4:1b0d80432c79 | 4214 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4215 | } |
wolfSSL | 4:1b0d80432c79 | 4216 | |
wolfSSL | 4:1b0d80432c79 | 4217 | |
wolfSSL | 4:1b0d80432c79 | 4218 | static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4219 | /* |
wolfSSL | 4:1b0d80432c79 | 4220 | * Read the first of the Authority Information Access records. If there are |
wolfSSL | 4:1b0d80432c79 | 4221 | * any issues, return without saving the record. |
wolfSSL | 4:1b0d80432c79 | 4222 | */ |
wolfSSL | 4:1b0d80432c79 | 4223 | { |
wolfSSL | 4:1b0d80432c79 | 4224 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4225 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 4226 | byte b; |
wolfSSL | 4:1b0d80432c79 | 4227 | word32 oid; |
wolfSSL | 4:1b0d80432c79 | 4228 | |
wolfSSL | 4:1b0d80432c79 | 4229 | WOLFSSL_ENTER("DecodeAuthInfo"); |
wolfSSL | 4:1b0d80432c79 | 4230 | |
wolfSSL | 4:1b0d80432c79 | 4231 | /* Unwrap the list of AIAs */ |
wolfSSL | 4:1b0d80432c79 | 4232 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4233 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4234 | |
wolfSSL | 4:1b0d80432c79 | 4235 | while (idx < (word32)sz) { |
wolfSSL | 4:1b0d80432c79 | 4236 | /* Unwrap a single AIA */ |
wolfSSL | 4:1b0d80432c79 | 4237 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4238 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4239 | |
wolfSSL | 4:1b0d80432c79 | 4240 | oid = 0; |
wolfSSL | 4:1b0d80432c79 | 4241 | if (GetObjectId(input, &idx, &oid, certAuthInfoType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4242 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4243 | |
wolfSSL | 4:1b0d80432c79 | 4244 | /* Only supporting URIs right now. */ |
wolfSSL | 4:1b0d80432c79 | 4245 | b = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 4246 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4247 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4248 | |
wolfSSL | 4:1b0d80432c79 | 4249 | if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) && |
wolfSSL | 4:1b0d80432c79 | 4250 | oid == AIA_OCSP_OID) |
wolfSSL | 4:1b0d80432c79 | 4251 | { |
wolfSSL | 4:1b0d80432c79 | 4252 | cert->extAuthInfoSz = length; |
wolfSSL | 4:1b0d80432c79 | 4253 | cert->extAuthInfo = input + idx; |
wolfSSL | 4:1b0d80432c79 | 4254 | break; |
wolfSSL | 4:1b0d80432c79 | 4255 | } |
wolfSSL | 4:1b0d80432c79 | 4256 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4257 | } |
wolfSSL | 4:1b0d80432c79 | 4258 | |
wolfSSL | 4:1b0d80432c79 | 4259 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4260 | } |
wolfSSL | 4:1b0d80432c79 | 4261 | |
wolfSSL | 4:1b0d80432c79 | 4262 | |
wolfSSL | 4:1b0d80432c79 | 4263 | static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4264 | { |
wolfSSL | 4:1b0d80432c79 | 4265 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4266 | int length = 0, ret = 0; |
wolfSSL | 4:1b0d80432c79 | 4267 | |
wolfSSL | 4:1b0d80432c79 | 4268 | WOLFSSL_ENTER("DecodeAuthKeyId"); |
wolfSSL | 4:1b0d80432c79 | 4269 | |
wolfSSL | 4:1b0d80432c79 | 4270 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4271 | WOLFSSL_MSG("\tfail: should be a SEQUENCE\n"); |
wolfSSL | 4:1b0d80432c79 | 4272 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4273 | } |
wolfSSL | 4:1b0d80432c79 | 4274 | |
wolfSSL | 4:1b0d80432c79 | 4275 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 4:1b0d80432c79 | 4276 | WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n"); |
wolfSSL | 4:1b0d80432c79 | 4277 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4278 | } |
wolfSSL | 4:1b0d80432c79 | 4279 | |
wolfSSL | 4:1b0d80432c79 | 4280 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4281 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 4:1b0d80432c79 | 4282 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4283 | } |
wolfSSL | 4:1b0d80432c79 | 4284 | |
wolfSSL | 4:1b0d80432c79 | 4285 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4286 | cert->extAuthKeyIdSrc = &input[idx]; |
wolfSSL | 4:1b0d80432c79 | 4287 | cert->extAuthKeyIdSz = length; |
wolfSSL | 4:1b0d80432c79 | 4288 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 4289 | |
wolfSSL | 4:1b0d80432c79 | 4290 | if (length == KEYID_SIZE) { |
wolfSSL | 4:1b0d80432c79 | 4291 | XMEMCPY(cert->extAuthKeyId, input + idx, length); |
wolfSSL | 4:1b0d80432c79 | 4292 | } |
wolfSSL | 4:1b0d80432c79 | 4293 | else { |
wolfSSL | 4:1b0d80432c79 | 4294 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 4295 | ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 4:1b0d80432c79 | 4296 | #else |
wolfSSL | 4:1b0d80432c79 | 4297 | ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 4:1b0d80432c79 | 4298 | #endif |
wolfSSL | 4:1b0d80432c79 | 4299 | } |
wolfSSL | 4:1b0d80432c79 | 4300 | |
wolfSSL | 4:1b0d80432c79 | 4301 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4302 | } |
wolfSSL | 4:1b0d80432c79 | 4303 | |
wolfSSL | 4:1b0d80432c79 | 4304 | |
wolfSSL | 4:1b0d80432c79 | 4305 | static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4306 | { |
wolfSSL | 4:1b0d80432c79 | 4307 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4308 | int length = 0, ret = 0; |
wolfSSL | 4:1b0d80432c79 | 4309 | |
wolfSSL | 4:1b0d80432c79 | 4310 | WOLFSSL_ENTER("DecodeSubjKeyId"); |
wolfSSL | 4:1b0d80432c79 | 4311 | |
wolfSSL | 4:1b0d80432c79 | 4312 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 4313 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 4:1b0d80432c79 | 4314 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4315 | } |
wolfSSL | 4:1b0d80432c79 | 4316 | |
wolfSSL | 4:1b0d80432c79 | 4317 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4318 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 4:1b0d80432c79 | 4319 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4320 | } |
wolfSSL | 4:1b0d80432c79 | 4321 | |
wolfSSL | 4:1b0d80432c79 | 4322 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4323 | cert->extSubjKeyIdSrc = &input[idx]; |
wolfSSL | 4:1b0d80432c79 | 4324 | cert->extSubjKeyIdSz = length; |
wolfSSL | 4:1b0d80432c79 | 4325 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 4326 | |
wolfSSL | 4:1b0d80432c79 | 4327 | if (length == SIGNER_DIGEST_SIZE) { |
wolfSSL | 4:1b0d80432c79 | 4328 | XMEMCPY(cert->extSubjKeyId, input + idx, length); |
wolfSSL | 4:1b0d80432c79 | 4329 | } |
wolfSSL | 4:1b0d80432c79 | 4330 | else { |
wolfSSL | 4:1b0d80432c79 | 4331 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 4332 | ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 4:1b0d80432c79 | 4333 | #else |
wolfSSL | 4:1b0d80432c79 | 4334 | ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 4:1b0d80432c79 | 4335 | #endif |
wolfSSL | 4:1b0d80432c79 | 4336 | } |
wolfSSL | 4:1b0d80432c79 | 4337 | |
wolfSSL | 4:1b0d80432c79 | 4338 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4339 | } |
wolfSSL | 4:1b0d80432c79 | 4340 | |
wolfSSL | 4:1b0d80432c79 | 4341 | |
wolfSSL | 4:1b0d80432c79 | 4342 | static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4343 | { |
wolfSSL | 4:1b0d80432c79 | 4344 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4345 | int length; |
wolfSSL | 4:1b0d80432c79 | 4346 | WOLFSSL_ENTER("DecodeKeyUsage"); |
wolfSSL | 4:1b0d80432c79 | 4347 | |
wolfSSL | 4:1b0d80432c79 | 4348 | if (input[idx++] != ASN_BIT_STRING) { |
wolfSSL | 4:1b0d80432c79 | 4349 | WOLFSSL_MSG("\tfail: key usage expected bit string"); |
wolfSSL | 4:1b0d80432c79 | 4350 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4351 | } |
wolfSSL | 4:1b0d80432c79 | 4352 | |
wolfSSL | 4:1b0d80432c79 | 4353 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4354 | WOLFSSL_MSG("\tfail: key usage bad length"); |
wolfSSL | 4:1b0d80432c79 | 4355 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4356 | } |
wolfSSL | 4:1b0d80432c79 | 4357 | |
wolfSSL | 4:1b0d80432c79 | 4358 | /* pass the unusedBits value */ |
wolfSSL | 4:1b0d80432c79 | 4359 | idx++; length--; |
wolfSSL | 4:1b0d80432c79 | 4360 | |
wolfSSL | 4:1b0d80432c79 | 4361 | cert->extKeyUsage = (word16)(input[idx]); |
wolfSSL | 4:1b0d80432c79 | 4362 | if (length == 2) |
wolfSSL | 4:1b0d80432c79 | 4363 | cert->extKeyUsage |= (word16)(input[idx+1] << 8); |
wolfSSL | 4:1b0d80432c79 | 4364 | |
wolfSSL | 4:1b0d80432c79 | 4365 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4366 | } |
wolfSSL | 4:1b0d80432c79 | 4367 | |
wolfSSL | 4:1b0d80432c79 | 4368 | |
wolfSSL | 4:1b0d80432c79 | 4369 | static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4370 | { |
wolfSSL | 4:1b0d80432c79 | 4371 | word32 idx = 0, oid; |
wolfSSL | 4:1b0d80432c79 | 4372 | int length; |
wolfSSL | 4:1b0d80432c79 | 4373 | |
wolfSSL | 4:1b0d80432c79 | 4374 | WOLFSSL_ENTER("DecodeExtKeyUsage"); |
wolfSSL | 4:1b0d80432c79 | 4375 | |
wolfSSL | 4:1b0d80432c79 | 4376 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4377 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 4378 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4379 | } |
wolfSSL | 4:1b0d80432c79 | 4380 | |
wolfSSL | 4:1b0d80432c79 | 4381 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4382 | cert->extExtKeyUsageSrc = input + idx; |
wolfSSL | 4:1b0d80432c79 | 4383 | cert->extExtKeyUsageSz = length; |
wolfSSL | 4:1b0d80432c79 | 4384 | #endif |
wolfSSL | 4:1b0d80432c79 | 4385 | |
wolfSSL | 4:1b0d80432c79 | 4386 | while (idx < (word32)sz) { |
wolfSSL | 4:1b0d80432c79 | 4387 | if (GetObjectId(input, &idx, &oid, certKeyUseType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 4388 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4389 | |
wolfSSL | 4:1b0d80432c79 | 4390 | switch (oid) { |
wolfSSL | 4:1b0d80432c79 | 4391 | case EKU_ANY_OID: |
wolfSSL | 4:1b0d80432c79 | 4392 | cert->extExtKeyUsage |= EXTKEYUSE_ANY; |
wolfSSL | 4:1b0d80432c79 | 4393 | break; |
wolfSSL | 4:1b0d80432c79 | 4394 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 4:1b0d80432c79 | 4395 | cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH; |
wolfSSL | 4:1b0d80432c79 | 4396 | break; |
wolfSSL | 4:1b0d80432c79 | 4397 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 4:1b0d80432c79 | 4398 | cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH; |
wolfSSL | 4:1b0d80432c79 | 4399 | break; |
wolfSSL | 4:1b0d80432c79 | 4400 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 4:1b0d80432c79 | 4401 | cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; |
wolfSSL | 4:1b0d80432c79 | 4402 | break; |
wolfSSL | 4:1b0d80432c79 | 4403 | } |
wolfSSL | 4:1b0d80432c79 | 4404 | |
wolfSSL | 4:1b0d80432c79 | 4405 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4406 | cert->extExtKeyUsageCount++; |
wolfSSL | 4:1b0d80432c79 | 4407 | #endif |
wolfSSL | 4:1b0d80432c79 | 4408 | } |
wolfSSL | 4:1b0d80432c79 | 4409 | |
wolfSSL | 4:1b0d80432c79 | 4410 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4411 | } |
wolfSSL | 4:1b0d80432c79 | 4412 | |
wolfSSL | 4:1b0d80432c79 | 4413 | |
wolfSSL | 4:1b0d80432c79 | 4414 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 4415 | static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap) |
wolfSSL | 4:1b0d80432c79 | 4416 | { |
wolfSSL | 4:1b0d80432c79 | 4417 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4418 | |
wolfSSL | 4:1b0d80432c79 | 4419 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 4420 | |
wolfSSL | 4:1b0d80432c79 | 4421 | while (idx < (word32)sz) { |
wolfSSL | 4:1b0d80432c79 | 4422 | int seqLength, strLength; |
wolfSSL | 4:1b0d80432c79 | 4423 | word32 nameIdx; |
wolfSSL | 4:1b0d80432c79 | 4424 | byte b; |
wolfSSL | 4:1b0d80432c79 | 4425 | |
wolfSSL | 4:1b0d80432c79 | 4426 | if (GetSequence(input, &idx, &seqLength, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4427 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 4428 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4429 | } |
wolfSSL | 4:1b0d80432c79 | 4430 | |
wolfSSL | 4:1b0d80432c79 | 4431 | nameIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 4432 | b = input[nameIdx++]; |
wolfSSL | 4:1b0d80432c79 | 4433 | if (GetLength(input, &nameIdx, &strLength, sz) <= 0) { |
wolfSSL | 4:1b0d80432c79 | 4434 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 4:1b0d80432c79 | 4435 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4436 | } |
wolfSSL | 4:1b0d80432c79 | 4437 | |
wolfSSL | 4:1b0d80432c79 | 4438 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) || |
wolfSSL | 4:1b0d80432c79 | 4439 | b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) || |
wolfSSL | 4:1b0d80432c79 | 4440 | b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) { |
wolfSSL | 4:1b0d80432c79 | 4441 | |
wolfSSL | 4:1b0d80432c79 | 4442 | Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry), |
wolfSSL | 4:1b0d80432c79 | 4443 | heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 4444 | |
wolfSSL | 4:1b0d80432c79 | 4445 | if (entry == NULL) { |
wolfSSL | 4:1b0d80432c79 | 4446 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 4:1b0d80432c79 | 4447 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4448 | } |
wolfSSL | 4:1b0d80432c79 | 4449 | |
wolfSSL | 4:1b0d80432c79 | 4450 | entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 4451 | if (entry->name == NULL) { |
wolfSSL | 4:1b0d80432c79 | 4452 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 4:1b0d80432c79 | 4453 | XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 4:1b0d80432c79 | 4454 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4455 | } |
wolfSSL | 4:1b0d80432c79 | 4456 | |
wolfSSL | 4:1b0d80432c79 | 4457 | XMEMCPY(entry->name, &input[nameIdx], strLength); |
wolfSSL | 4:1b0d80432c79 | 4458 | entry->nameSz = strLength; |
wolfSSL | 4:1b0d80432c79 | 4459 | entry->type = b & 0x0F; |
wolfSSL | 4:1b0d80432c79 | 4460 | |
wolfSSL | 4:1b0d80432c79 | 4461 | entry->next = *head; |
wolfSSL | 4:1b0d80432c79 | 4462 | *head = entry; |
wolfSSL | 4:1b0d80432c79 | 4463 | } |
wolfSSL | 4:1b0d80432c79 | 4464 | |
wolfSSL | 4:1b0d80432c79 | 4465 | idx += seqLength; |
wolfSSL | 4:1b0d80432c79 | 4466 | } |
wolfSSL | 4:1b0d80432c79 | 4467 | |
wolfSSL | 4:1b0d80432c79 | 4468 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4469 | } |
wolfSSL | 4:1b0d80432c79 | 4470 | |
wolfSSL | 4:1b0d80432c79 | 4471 | |
wolfSSL | 4:1b0d80432c79 | 4472 | static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4473 | { |
wolfSSL | 4:1b0d80432c79 | 4474 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4475 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 4476 | |
wolfSSL | 4:1b0d80432c79 | 4477 | WOLFSSL_ENTER("DecodeNameConstraints"); |
wolfSSL | 4:1b0d80432c79 | 4478 | |
wolfSSL | 4:1b0d80432c79 | 4479 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4480 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 4481 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4482 | } |
wolfSSL | 4:1b0d80432c79 | 4483 | |
wolfSSL | 4:1b0d80432c79 | 4484 | while (idx < (word32)sz) { |
wolfSSL | 4:1b0d80432c79 | 4485 | byte b = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 4486 | Base_entry** subtree = NULL; |
wolfSSL | 4:1b0d80432c79 | 4487 | |
wolfSSL | 4:1b0d80432c79 | 4488 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 4:1b0d80432c79 | 4489 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 4:1b0d80432c79 | 4490 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4491 | } |
wolfSSL | 4:1b0d80432c79 | 4492 | |
wolfSSL | 4:1b0d80432c79 | 4493 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) |
wolfSSL | 4:1b0d80432c79 | 4494 | subtree = &cert->permittedNames; |
wolfSSL | 4:1b0d80432c79 | 4495 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) |
wolfSSL | 4:1b0d80432c79 | 4496 | subtree = &cert->excludedNames; |
wolfSSL | 4:1b0d80432c79 | 4497 | else { |
wolfSSL | 4:1b0d80432c79 | 4498 | WOLFSSL_MSG("\tinvalid subtree"); |
wolfSSL | 4:1b0d80432c79 | 4499 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4500 | } |
wolfSSL | 4:1b0d80432c79 | 4501 | |
wolfSSL | 4:1b0d80432c79 | 4502 | DecodeSubtree(input + idx, length, subtree, cert->heap); |
wolfSSL | 4:1b0d80432c79 | 4503 | |
wolfSSL | 4:1b0d80432c79 | 4504 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4505 | } |
wolfSSL | 4:1b0d80432c79 | 4506 | |
wolfSSL | 4:1b0d80432c79 | 4507 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4508 | } |
wolfSSL | 4:1b0d80432c79 | 4509 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 4510 | #endif /* NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 4511 | |
wolfSSL | 4:1b0d80432c79 | 4512 | #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP) |
wolfSSL | 4:1b0d80432c79 | 4513 | |
wolfSSL | 4:1b0d80432c79 | 4514 | static int Word32ToString(char* d, word32 number) |
wolfSSL | 4:1b0d80432c79 | 4515 | { |
wolfSSL | 4:1b0d80432c79 | 4516 | int i = 0; |
wolfSSL | 4:1b0d80432c79 | 4517 | |
wolfSSL | 4:1b0d80432c79 | 4518 | if (d != NULL) { |
wolfSSL | 4:1b0d80432c79 | 4519 | word32 order = 1000000000; |
wolfSSL | 4:1b0d80432c79 | 4520 | word32 digit; |
wolfSSL | 4:1b0d80432c79 | 4521 | |
wolfSSL | 4:1b0d80432c79 | 4522 | if (number == 0) { |
wolfSSL | 4:1b0d80432c79 | 4523 | d[i++] = '0'; |
wolfSSL | 4:1b0d80432c79 | 4524 | } |
wolfSSL | 4:1b0d80432c79 | 4525 | else { |
wolfSSL | 4:1b0d80432c79 | 4526 | while (order) { |
wolfSSL | 4:1b0d80432c79 | 4527 | digit = number / order; |
wolfSSL | 4:1b0d80432c79 | 4528 | if (i > 0 || digit != 0) { |
wolfSSL | 4:1b0d80432c79 | 4529 | d[i++] = (char)digit + '0'; |
wolfSSL | 4:1b0d80432c79 | 4530 | } |
wolfSSL | 4:1b0d80432c79 | 4531 | if (digit != 0) |
wolfSSL | 4:1b0d80432c79 | 4532 | number %= digit * order; |
wolfSSL | 4:1b0d80432c79 | 4533 | if (order > 1) |
wolfSSL | 4:1b0d80432c79 | 4534 | order /= 10; |
wolfSSL | 4:1b0d80432c79 | 4535 | else |
wolfSSL | 4:1b0d80432c79 | 4536 | order = 0; |
wolfSSL | 4:1b0d80432c79 | 4537 | } |
wolfSSL | 4:1b0d80432c79 | 4538 | } |
wolfSSL | 4:1b0d80432c79 | 4539 | d[i] = 0; |
wolfSSL | 4:1b0d80432c79 | 4540 | } |
wolfSSL | 4:1b0d80432c79 | 4541 | |
wolfSSL | 4:1b0d80432c79 | 4542 | return i; |
wolfSSL | 4:1b0d80432c79 | 4543 | } |
wolfSSL | 4:1b0d80432c79 | 4544 | |
wolfSSL | 4:1b0d80432c79 | 4545 | |
wolfSSL | 4:1b0d80432c79 | 4546 | /* Decode ITU-T X.690 OID format to a string representation |
wolfSSL | 4:1b0d80432c79 | 4547 | * return string length */ |
wolfSSL | 4:1b0d80432c79 | 4548 | static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 4549 | { |
wolfSSL | 4:1b0d80432c79 | 4550 | word32 val, idx = 0, nb_bytes; |
wolfSSL | 4:1b0d80432c79 | 4551 | size_t w_bytes = 0; |
wolfSSL | 4:1b0d80432c79 | 4552 | |
wolfSSL | 4:1b0d80432c79 | 4553 | if (out == NULL || in == NULL || outSz < 4 || inSz < 2) |
wolfSSL | 4:1b0d80432c79 | 4554 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 4555 | |
wolfSSL | 4:1b0d80432c79 | 4556 | /* first two byte must be interpreted as : 40 * int1 + int2 */ |
wolfSSL | 4:1b0d80432c79 | 4557 | val = (word16)in[idx++]; |
wolfSSL | 4:1b0d80432c79 | 4558 | |
wolfSSL | 4:1b0d80432c79 | 4559 | w_bytes = Word32ToString(out, val / 40); |
wolfSSL | 4:1b0d80432c79 | 4560 | out[w_bytes++] = '.'; |
wolfSSL | 4:1b0d80432c79 | 4561 | w_bytes += Word32ToString(out+w_bytes, val % 40); |
wolfSSL | 4:1b0d80432c79 | 4562 | |
wolfSSL | 4:1b0d80432c79 | 4563 | while (idx < inSz) { |
wolfSSL | 4:1b0d80432c79 | 4564 | /* init value */ |
wolfSSL | 4:1b0d80432c79 | 4565 | val = 0; |
wolfSSL | 4:1b0d80432c79 | 4566 | nb_bytes = 0; |
wolfSSL | 4:1b0d80432c79 | 4567 | |
wolfSSL | 4:1b0d80432c79 | 4568 | /* check that output size is ok */ |
wolfSSL | 4:1b0d80432c79 | 4569 | if (w_bytes > (outSz - 3)) |
wolfSSL | 4:1b0d80432c79 | 4570 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 4571 | |
wolfSSL | 4:1b0d80432c79 | 4572 | /* first bit is used to set if value is coded on 1 or multiple bytes */ |
wolfSSL | 4:1b0d80432c79 | 4573 | while ((in[idx+nb_bytes] & 0x80)) |
wolfSSL | 4:1b0d80432c79 | 4574 | nb_bytes++; |
wolfSSL | 4:1b0d80432c79 | 4575 | |
wolfSSL | 4:1b0d80432c79 | 4576 | if (!nb_bytes) |
wolfSSL | 4:1b0d80432c79 | 4577 | val = (word32)(in[idx++] & 0x7f); |
wolfSSL | 4:1b0d80432c79 | 4578 | else { |
wolfSSL | 4:1b0d80432c79 | 4579 | word32 base = 1, tmp = nb_bytes; |
wolfSSL | 4:1b0d80432c79 | 4580 | |
wolfSSL | 4:1b0d80432c79 | 4581 | while (tmp != 0) { |
wolfSSL | 4:1b0d80432c79 | 4582 | val += (word32)(in[idx+tmp] & 0x7f) * base; |
wolfSSL | 4:1b0d80432c79 | 4583 | base *= 128; |
wolfSSL | 4:1b0d80432c79 | 4584 | tmp--; |
wolfSSL | 4:1b0d80432c79 | 4585 | } |
wolfSSL | 4:1b0d80432c79 | 4586 | val += (word32)(in[idx++] & 0x7f) * base; |
wolfSSL | 4:1b0d80432c79 | 4587 | |
wolfSSL | 4:1b0d80432c79 | 4588 | idx += nb_bytes; |
wolfSSL | 4:1b0d80432c79 | 4589 | } |
wolfSSL | 4:1b0d80432c79 | 4590 | |
wolfSSL | 4:1b0d80432c79 | 4591 | out[w_bytes++] = '.'; |
wolfSSL | 4:1b0d80432c79 | 4592 | w_bytes += Word32ToString(out+w_bytes, val); |
wolfSSL | 4:1b0d80432c79 | 4593 | } |
wolfSSL | 4:1b0d80432c79 | 4594 | |
wolfSSL | 4:1b0d80432c79 | 4595 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4596 | } |
wolfSSL | 4:1b0d80432c79 | 4597 | #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 4598 | |
wolfSSL | 4:1b0d80432c79 | 4599 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 4:1b0d80432c79 | 4600 | /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */ |
wolfSSL | 4:1b0d80432c79 | 4601 | static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4602 | { |
wolfSSL | 4:1b0d80432c79 | 4603 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4604 | int total_length = 0, policy_length = 0, length = 0; |
wolfSSL | 4:1b0d80432c79 | 4605 | |
wolfSSL | 4:1b0d80432c79 | 4606 | WOLFSSL_ENTER("DecodeCertPolicy"); |
wolfSSL | 4:1b0d80432c79 | 4607 | |
wolfSSL | 4:1b0d80432c79 | 4608 | if (GetSequence(input, &idx, &total_length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4609 | WOLFSSL_MSG("\tGet CertPolicy total seq failed"); |
wolfSSL | 4:1b0d80432c79 | 4610 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4611 | } |
wolfSSL | 4:1b0d80432c79 | 4612 | |
wolfSSL | 4:1b0d80432c79 | 4613 | /* Validate total length (2 is the CERT_POLICY_OID+SEQ) */ |
wolfSSL | 4:1b0d80432c79 | 4614 | if ((total_length + 2) != sz) { |
wolfSSL | 4:1b0d80432c79 | 4615 | WOLFSSL_MSG("\tCertPolicy length mismatch"); |
wolfSSL | 4:1b0d80432c79 | 4616 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4617 | } |
wolfSSL | 4:1b0d80432c79 | 4618 | |
wolfSSL | 4:1b0d80432c79 | 4619 | /* Unwrap certificatePolicies */ |
wolfSSL | 4:1b0d80432c79 | 4620 | do { |
wolfSSL | 4:1b0d80432c79 | 4621 | if (GetSequence(input, &idx, &policy_length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4622 | WOLFSSL_MSG("\tGet CertPolicy seq failed"); |
wolfSSL | 4:1b0d80432c79 | 4623 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4624 | } |
wolfSSL | 4:1b0d80432c79 | 4625 | |
wolfSSL | 4:1b0d80432c79 | 4626 | if (input[idx++] != ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 4627 | WOLFSSL_MSG("\tCertPolicy isn't OID"); |
wolfSSL | 4:1b0d80432c79 | 4628 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4629 | } |
wolfSSL | 4:1b0d80432c79 | 4630 | policy_length--; |
wolfSSL | 4:1b0d80432c79 | 4631 | |
wolfSSL | 4:1b0d80432c79 | 4632 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4633 | WOLFSSL_MSG("\tGet CertPolicy length failed"); |
wolfSSL | 4:1b0d80432c79 | 4634 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4635 | } |
wolfSSL | 4:1b0d80432c79 | 4636 | policy_length--; |
wolfSSL | 4:1b0d80432c79 | 4637 | |
wolfSSL | 4:1b0d80432c79 | 4638 | if (length > 0) { |
wolfSSL | 4:1b0d80432c79 | 4639 | /* Verify length won't overrun buffer */ |
wolfSSL | 4:1b0d80432c79 | 4640 | if (length > (sz - (int)idx)) { |
wolfSSL | 4:1b0d80432c79 | 4641 | WOLFSSL_MSG("\tCertPolicy length exceeds input buffer"); |
wolfSSL | 4:1b0d80432c79 | 4642 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4643 | } |
wolfSSL | 4:1b0d80432c79 | 4644 | |
wolfSSL | 4:1b0d80432c79 | 4645 | #if defined(WOLFSSL_SEP) |
wolfSSL | 4:1b0d80432c79 | 4646 | cert->deviceType = (byte*)XMALLOC(length, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 4647 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 4:1b0d80432c79 | 4648 | if (cert->deviceType == NULL) { |
wolfSSL | 4:1b0d80432c79 | 4649 | WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); |
wolfSSL | 4:1b0d80432c79 | 4650 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4651 | } |
wolfSSL | 4:1b0d80432c79 | 4652 | cert->deviceTypeSz = length; |
wolfSSL | 4:1b0d80432c79 | 4653 | XMEMCPY(cert->deviceType, input + idx, length); |
wolfSSL | 4:1b0d80432c79 | 4654 | break; |
wolfSSL | 4:1b0d80432c79 | 4655 | #elif defined(WOLFSSL_CERT_EXT) |
wolfSSL | 4:1b0d80432c79 | 4656 | /* decode cert policy */ |
wolfSSL | 4:1b0d80432c79 | 4657 | if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ, |
wolfSSL | 4:1b0d80432c79 | 4658 | input + idx, length) != 0) { |
wolfSSL | 4:1b0d80432c79 | 4659 | WOLFSSL_MSG("\tCouldn't decode CertPolicy"); |
wolfSSL | 4:1b0d80432c79 | 4660 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4661 | } |
wolfSSL | 4:1b0d80432c79 | 4662 | cert->extCertPoliciesNb++; |
wolfSSL | 4:1b0d80432c79 | 4663 | #else |
wolfSSL | 4:1b0d80432c79 | 4664 | WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0); |
wolfSSL | 4:1b0d80432c79 | 4665 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4666 | #endif |
wolfSSL | 4:1b0d80432c79 | 4667 | } |
wolfSSL | 4:1b0d80432c79 | 4668 | idx += policy_length; |
wolfSSL | 4:1b0d80432c79 | 4669 | } while((int)idx < total_length |
wolfSSL | 4:1b0d80432c79 | 4670 | #if defined(WOLFSSL_CERT_EXT) |
wolfSSL | 4:1b0d80432c79 | 4671 | && cert->extCertPoliciesNb < MAX_CERTPOL_NB |
wolfSSL | 4:1b0d80432c79 | 4672 | #endif |
wolfSSL | 4:1b0d80432c79 | 4673 | ); |
wolfSSL | 4:1b0d80432c79 | 4674 | |
wolfSSL | 4:1b0d80432c79 | 4675 | WOLFSSL_LEAVE("DecodeCertPolicy", 0); |
wolfSSL | 4:1b0d80432c79 | 4676 | return 0; |
wolfSSL | 4:1b0d80432c79 | 4677 | } |
wolfSSL | 4:1b0d80432c79 | 4678 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 4679 | |
wolfSSL | 4:1b0d80432c79 | 4680 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 4681 | static int DecodeCertExtensions(DecodedCert* cert) |
wolfSSL | 4:1b0d80432c79 | 4682 | /* |
wolfSSL | 4:1b0d80432c79 | 4683 | * Processing the Certificate Extensions. This does not modify the current |
wolfSSL | 4:1b0d80432c79 | 4684 | * index. It is works starting with the recorded extensions pointer. |
wolfSSL | 4:1b0d80432c79 | 4685 | */ |
wolfSSL | 4:1b0d80432c79 | 4686 | { |
wolfSSL | 4:1b0d80432c79 | 4687 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 4688 | int sz = cert->extensionsSz; |
wolfSSL | 4:1b0d80432c79 | 4689 | byte* input = cert->extensions; |
wolfSSL | 4:1b0d80432c79 | 4690 | int length; |
wolfSSL | 4:1b0d80432c79 | 4691 | word32 oid; |
wolfSSL | 4:1b0d80432c79 | 4692 | byte critical = 0; |
wolfSSL | 4:1b0d80432c79 | 4693 | byte criticalFail = 0; |
wolfSSL | 4:1b0d80432c79 | 4694 | |
wolfSSL | 4:1b0d80432c79 | 4695 | WOLFSSL_ENTER("DecodeCertExtensions"); |
wolfSSL | 4:1b0d80432c79 | 4696 | |
wolfSSL | 4:1b0d80432c79 | 4697 | if (input == NULL || sz == 0) |
wolfSSL | 4:1b0d80432c79 | 4698 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 4699 | |
wolfSSL | 4:1b0d80432c79 | 4700 | if (input[idx++] != ASN_EXTENSIONS) { |
wolfSSL | 4:1b0d80432c79 | 4701 | WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); |
wolfSSL | 4:1b0d80432c79 | 4702 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4703 | } |
wolfSSL | 4:1b0d80432c79 | 4704 | |
wolfSSL | 4:1b0d80432c79 | 4705 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4706 | WOLFSSL_MSG("\tfail: invalid length"); |
wolfSSL | 4:1b0d80432c79 | 4707 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4708 | } |
wolfSSL | 4:1b0d80432c79 | 4709 | |
wolfSSL | 4:1b0d80432c79 | 4710 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4711 | WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); |
wolfSSL | 4:1b0d80432c79 | 4712 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4713 | } |
wolfSSL | 4:1b0d80432c79 | 4714 | |
wolfSSL | 4:1b0d80432c79 | 4715 | while (idx < (word32)sz) { |
wolfSSL | 4:1b0d80432c79 | 4716 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4717 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 4718 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4719 | } |
wolfSSL | 4:1b0d80432c79 | 4720 | |
wolfSSL | 4:1b0d80432c79 | 4721 | oid = 0; |
wolfSSL | 4:1b0d80432c79 | 4722 | if (GetObjectId(input, &idx, &oid, certExtType, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4723 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 4:1b0d80432c79 | 4724 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4725 | } |
wolfSSL | 4:1b0d80432c79 | 4726 | |
wolfSSL | 4:1b0d80432c79 | 4727 | /* check for critical flag */ |
wolfSSL | 4:1b0d80432c79 | 4728 | critical = 0; |
wolfSSL | 4:1b0d80432c79 | 4729 | if (input[idx] == ASN_BOOLEAN) { |
wolfSSL | 4:1b0d80432c79 | 4730 | int boolLength = 0; |
wolfSSL | 4:1b0d80432c79 | 4731 | idx++; |
wolfSSL | 4:1b0d80432c79 | 4732 | if (GetLength(input, &idx, &boolLength, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4733 | WOLFSSL_MSG("\tfail: critical boolean length"); |
wolfSSL | 4:1b0d80432c79 | 4734 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4735 | } |
wolfSSL | 4:1b0d80432c79 | 4736 | if (input[idx++]) |
wolfSSL | 4:1b0d80432c79 | 4737 | critical = 1; |
wolfSSL | 4:1b0d80432c79 | 4738 | } |
wolfSSL | 4:1b0d80432c79 | 4739 | |
wolfSSL | 4:1b0d80432c79 | 4740 | /* process the extension based on the OID */ |
wolfSSL | 4:1b0d80432c79 | 4741 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 4742 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 4:1b0d80432c79 | 4743 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4744 | } |
wolfSSL | 4:1b0d80432c79 | 4745 | |
wolfSSL | 4:1b0d80432c79 | 4746 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4747 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 4:1b0d80432c79 | 4748 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4749 | } |
wolfSSL | 4:1b0d80432c79 | 4750 | |
wolfSSL | 4:1b0d80432c79 | 4751 | switch (oid) { |
wolfSSL | 4:1b0d80432c79 | 4752 | case BASIC_CA_OID: |
wolfSSL | 4:1b0d80432c79 | 4753 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4754 | cert->extBasicConstSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4755 | cert->extBasicConstCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4756 | #endif |
wolfSSL | 4:1b0d80432c79 | 4757 | if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4758 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4759 | break; |
wolfSSL | 4:1b0d80432c79 | 4760 | |
wolfSSL | 4:1b0d80432c79 | 4761 | case CRL_DIST_OID: |
wolfSSL | 4:1b0d80432c79 | 4762 | if (DecodeCrlDist(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4763 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4764 | break; |
wolfSSL | 4:1b0d80432c79 | 4765 | |
wolfSSL | 4:1b0d80432c79 | 4766 | case AUTH_INFO_OID: |
wolfSSL | 4:1b0d80432c79 | 4767 | if (DecodeAuthInfo(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4768 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4769 | break; |
wolfSSL | 4:1b0d80432c79 | 4770 | |
wolfSSL | 4:1b0d80432c79 | 4771 | case ALT_NAMES_OID: |
wolfSSL | 4:1b0d80432c79 | 4772 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4773 | cert->extSubjAltNameSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4774 | cert->extSubjAltNameCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4775 | #endif |
wolfSSL | 4:1b0d80432c79 | 4776 | if (DecodeAltNames(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4777 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4778 | break; |
wolfSSL | 4:1b0d80432c79 | 4779 | |
wolfSSL | 4:1b0d80432c79 | 4780 | case AUTH_KEY_OID: |
wolfSSL | 4:1b0d80432c79 | 4781 | cert->extAuthKeyIdSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4782 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4783 | cert->extAuthKeyIdCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4784 | #endif |
wolfSSL | 4:1b0d80432c79 | 4785 | if (DecodeAuthKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4786 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4787 | break; |
wolfSSL | 4:1b0d80432c79 | 4788 | |
wolfSSL | 4:1b0d80432c79 | 4789 | case SUBJ_KEY_OID: |
wolfSSL | 4:1b0d80432c79 | 4790 | cert->extSubjKeyIdSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4791 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4792 | cert->extSubjKeyIdCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4793 | #endif |
wolfSSL | 4:1b0d80432c79 | 4794 | if (DecodeSubjKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4795 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4796 | break; |
wolfSSL | 4:1b0d80432c79 | 4797 | |
wolfSSL | 4:1b0d80432c79 | 4798 | case CERT_POLICY_OID: |
wolfSSL | 4:1b0d80432c79 | 4799 | #ifdef WOLFSSL_SEP |
wolfSSL | 4:1b0d80432c79 | 4800 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4801 | cert->extCertPolicySet = 1; |
wolfSSL | 4:1b0d80432c79 | 4802 | cert->extCertPolicyCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4803 | #endif |
wolfSSL | 4:1b0d80432c79 | 4804 | #endif |
wolfSSL | 4:1b0d80432c79 | 4805 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 4:1b0d80432c79 | 4806 | if (DecodeCertPolicy(&input[idx], length, cert) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4807 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4808 | } |
wolfSSL | 4:1b0d80432c79 | 4809 | #else |
wolfSSL | 4:1b0d80432c79 | 4810 | WOLFSSL_MSG("Certificate Policy extension not supported yet."); |
wolfSSL | 4:1b0d80432c79 | 4811 | #endif |
wolfSSL | 4:1b0d80432c79 | 4812 | break; |
wolfSSL | 4:1b0d80432c79 | 4813 | |
wolfSSL | 4:1b0d80432c79 | 4814 | case KEY_USAGE_OID: |
wolfSSL | 4:1b0d80432c79 | 4815 | cert->extKeyUsageSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4816 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4817 | cert->extKeyUsageCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4818 | #endif |
wolfSSL | 4:1b0d80432c79 | 4819 | if (DecodeKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4820 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4821 | break; |
wolfSSL | 4:1b0d80432c79 | 4822 | |
wolfSSL | 4:1b0d80432c79 | 4823 | case EXT_KEY_USAGE_OID: |
wolfSSL | 4:1b0d80432c79 | 4824 | cert->extExtKeyUsageSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4825 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4826 | cert->extExtKeyUsageCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4827 | #endif |
wolfSSL | 4:1b0d80432c79 | 4828 | if (DecodeExtKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4829 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4830 | break; |
wolfSSL | 4:1b0d80432c79 | 4831 | |
wolfSSL | 4:1b0d80432c79 | 4832 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 4833 | case NAME_CONS_OID: |
wolfSSL | 4:1b0d80432c79 | 4834 | cert->extNameConstraintSet = 1; |
wolfSSL | 4:1b0d80432c79 | 4835 | #ifdef OPENSSL_EXTRA |
wolfSSL | 4:1b0d80432c79 | 4836 | cert->extNameConstraintCrit = critical; |
wolfSSL | 4:1b0d80432c79 | 4837 | #endif |
wolfSSL | 4:1b0d80432c79 | 4838 | if (DecodeNameConstraints(&input[idx], length, cert) < 0) |
wolfSSL | 4:1b0d80432c79 | 4839 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 4840 | break; |
wolfSSL | 4:1b0d80432c79 | 4841 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 4842 | |
wolfSSL | 4:1b0d80432c79 | 4843 | case INHIBIT_ANY_OID: |
wolfSSL | 4:1b0d80432c79 | 4844 | WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); |
wolfSSL | 4:1b0d80432c79 | 4845 | break; |
wolfSSL | 4:1b0d80432c79 | 4846 | |
wolfSSL | 4:1b0d80432c79 | 4847 | default: |
wolfSSL | 4:1b0d80432c79 | 4848 | /* While it is a failure to not support critical extensions, |
wolfSSL | 4:1b0d80432c79 | 4849 | * still parse the certificate ignoring the unsupported |
wolfSSL | 4:1b0d80432c79 | 4850 | * extension to allow caller to accept it with the verify |
wolfSSL | 4:1b0d80432c79 | 4851 | * callback. */ |
wolfSSL | 4:1b0d80432c79 | 4852 | if (critical) |
wolfSSL | 4:1b0d80432c79 | 4853 | criticalFail = 1; |
wolfSSL | 4:1b0d80432c79 | 4854 | break; |
wolfSSL | 4:1b0d80432c79 | 4855 | } |
wolfSSL | 4:1b0d80432c79 | 4856 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 4857 | } |
wolfSSL | 4:1b0d80432c79 | 4858 | |
wolfSSL | 4:1b0d80432c79 | 4859 | return criticalFail ? ASN_CRIT_EXT_E : 0; |
wolfSSL | 4:1b0d80432c79 | 4860 | } |
wolfSSL | 4:1b0d80432c79 | 4861 | |
wolfSSL | 4:1b0d80432c79 | 4862 | |
wolfSSL | 4:1b0d80432c79 | 4863 | int ParseCert(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 4:1b0d80432c79 | 4864 | { |
wolfSSL | 4:1b0d80432c79 | 4865 | int ret; |
wolfSSL | 4:1b0d80432c79 | 4866 | char* ptr; |
wolfSSL | 4:1b0d80432c79 | 4867 | |
wolfSSL | 4:1b0d80432c79 | 4868 | ret = ParseCertRelative(cert, type, verify, cm); |
wolfSSL | 4:1b0d80432c79 | 4869 | if (ret < 0) |
wolfSSL | 4:1b0d80432c79 | 4870 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4871 | |
wolfSSL | 4:1b0d80432c79 | 4872 | if (cert->subjectCNLen > 0) { |
wolfSSL | 4:1b0d80432c79 | 4873 | ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 4874 | DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 4:1b0d80432c79 | 4875 | if (ptr == NULL) |
wolfSSL | 4:1b0d80432c79 | 4876 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4877 | XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen); |
wolfSSL | 4:1b0d80432c79 | 4878 | ptr[cert->subjectCNLen] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 4879 | cert->subjectCN = ptr; |
wolfSSL | 4:1b0d80432c79 | 4880 | cert->subjectCNStored = 1; |
wolfSSL | 4:1b0d80432c79 | 4881 | } |
wolfSSL | 4:1b0d80432c79 | 4882 | |
wolfSSL | 4:1b0d80432c79 | 4883 | if (cert->keyOID == RSAk && |
wolfSSL | 4:1b0d80432c79 | 4884 | cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 4:1b0d80432c79 | 4885 | ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, |
wolfSSL | 4:1b0d80432c79 | 4886 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 4:1b0d80432c79 | 4887 | if (ptr == NULL) |
wolfSSL | 4:1b0d80432c79 | 4888 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 4889 | XMEMCPY(ptr, cert->publicKey, cert->pubKeySize); |
wolfSSL | 4:1b0d80432c79 | 4890 | cert->publicKey = (byte *)ptr; |
wolfSSL | 4:1b0d80432c79 | 4891 | cert->pubKeyStored = 1; |
wolfSSL | 4:1b0d80432c79 | 4892 | } |
wolfSSL | 4:1b0d80432c79 | 4893 | |
wolfSSL | 4:1b0d80432c79 | 4894 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4895 | } |
wolfSSL | 4:1b0d80432c79 | 4896 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 4897 | |
wolfSSL | 4:1b0d80432c79 | 4898 | |
wolfSSL | 4:1b0d80432c79 | 4899 | /* from SSL proper, for locking can't do find here anymore */ |
wolfSSL | 4:1b0d80432c79 | 4900 | #ifdef __cplusplus |
wolfSSL | 4:1b0d80432c79 | 4901 | extern "C" { |
wolfSSL | 4:1b0d80432c79 | 4902 | #endif |
wolfSSL | 4:1b0d80432c79 | 4903 | WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash); |
wolfSSL | 4:1b0d80432c79 | 4904 | #ifndef NO_SKID |
wolfSSL | 4:1b0d80432c79 | 4905 | WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash); |
wolfSSL | 4:1b0d80432c79 | 4906 | #endif |
wolfSSL | 4:1b0d80432c79 | 4907 | #ifdef __cplusplus |
wolfSSL | 4:1b0d80432c79 | 4908 | } |
wolfSSL | 4:1b0d80432c79 | 4909 | #endif |
wolfSSL | 4:1b0d80432c79 | 4910 | |
wolfSSL | 4:1b0d80432c79 | 4911 | |
wolfSSL | 4:1b0d80432c79 | 4912 | #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS) |
wolfSSL | 4:1b0d80432c79 | 4913 | |
wolfSSL | 4:1b0d80432c79 | 4914 | /* dummy functions, not using wolfSSL so don't need actual ones */ |
wolfSSL | 4:1b0d80432c79 | 4915 | Signer* GetCA(void* signers, byte* hash) |
wolfSSL | 4:1b0d80432c79 | 4916 | { |
wolfSSL | 4:1b0d80432c79 | 4917 | (void)hash; |
wolfSSL | 4:1b0d80432c79 | 4918 | |
wolfSSL | 4:1b0d80432c79 | 4919 | return (Signer*)signers; |
wolfSSL | 4:1b0d80432c79 | 4920 | } |
wolfSSL | 4:1b0d80432c79 | 4921 | |
wolfSSL | 4:1b0d80432c79 | 4922 | #ifndef NO_SKID |
wolfSSL | 4:1b0d80432c79 | 4923 | Signer* GetCAByName(void* signers, byte* hash) |
wolfSSL | 4:1b0d80432c79 | 4924 | { |
wolfSSL | 4:1b0d80432c79 | 4925 | (void)hash; |
wolfSSL | 4:1b0d80432c79 | 4926 | |
wolfSSL | 4:1b0d80432c79 | 4927 | return (Signer*)signers; |
wolfSSL | 4:1b0d80432c79 | 4928 | } |
wolfSSL | 4:1b0d80432c79 | 4929 | #endif /* NO_SKID */ |
wolfSSL | 4:1b0d80432c79 | 4930 | |
wolfSSL | 4:1b0d80432c79 | 4931 | #endif /* WOLFCRYPT_ONLY || NO_CERTS */ |
wolfSSL | 4:1b0d80432c79 | 4932 | |
wolfSSL | 4:1b0d80432c79 | 4933 | #ifndef NO_ASN_TIME |
wolfSSL | 4:1b0d80432c79 | 4934 | int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 4:1b0d80432c79 | 4935 | { |
wolfSSL | 4:1b0d80432c79 | 4936 | word32 confirmOID; |
wolfSSL | 4:1b0d80432c79 | 4937 | int ret; |
wolfSSL | 4:1b0d80432c79 | 4938 | int badDate = 0; |
wolfSSL | 4:1b0d80432c79 | 4939 | int criticalExt = 0; |
wolfSSL | 4:1b0d80432c79 | 4940 | |
wolfSSL | 4:1b0d80432c79 | 4941 | if ((ret = DecodeToKey(cert, verify)) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4942 | if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) |
wolfSSL | 4:1b0d80432c79 | 4943 | badDate = ret; |
wolfSSL | 4:1b0d80432c79 | 4944 | else |
wolfSSL | 4:1b0d80432c79 | 4945 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4946 | } |
wolfSSL | 4:1b0d80432c79 | 4947 | |
wolfSSL | 4:1b0d80432c79 | 4948 | WOLFSSL_MSG("Parsed Past Key"); |
wolfSSL | 4:1b0d80432c79 | 4949 | |
wolfSSL | 4:1b0d80432c79 | 4950 | if (cert->srcIdx < cert->sigIndex) { |
wolfSSL | 4:1b0d80432c79 | 4951 | #ifndef ALLOW_V1_EXTENSIONS |
wolfSSL | 4:1b0d80432c79 | 4952 | if (cert->version < 2) { |
wolfSSL | 4:1b0d80432c79 | 4953 | WOLFSSL_MSG(" v1 and v2 certs not allowed extensions"); |
wolfSSL | 4:1b0d80432c79 | 4954 | return ASN_VERSION_E; |
wolfSSL | 4:1b0d80432c79 | 4955 | } |
wolfSSL | 4:1b0d80432c79 | 4956 | #endif |
wolfSSL | 4:1b0d80432c79 | 4957 | /* save extensions */ |
wolfSSL | 4:1b0d80432c79 | 4958 | cert->extensions = &cert->source[cert->srcIdx]; |
wolfSSL | 4:1b0d80432c79 | 4959 | cert->extensionsSz = cert->sigIndex - cert->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 4960 | cert->extensionsIdx = cert->srcIdx; /* for potential later use */ |
wolfSSL | 4:1b0d80432c79 | 4961 | |
wolfSSL | 4:1b0d80432c79 | 4962 | if ((ret = DecodeCertExtensions(cert)) < 0) { |
wolfSSL | 4:1b0d80432c79 | 4963 | if (ret == ASN_CRIT_EXT_E) |
wolfSSL | 4:1b0d80432c79 | 4964 | criticalExt = ret; |
wolfSSL | 4:1b0d80432c79 | 4965 | else |
wolfSSL | 4:1b0d80432c79 | 4966 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4967 | } |
wolfSSL | 4:1b0d80432c79 | 4968 | |
wolfSSL | 4:1b0d80432c79 | 4969 | /* advance past extensions */ |
wolfSSL | 4:1b0d80432c79 | 4970 | cert->srcIdx = cert->sigIndex; |
wolfSSL | 4:1b0d80432c79 | 4971 | } |
wolfSSL | 4:1b0d80432c79 | 4972 | |
wolfSSL | 4:1b0d80432c79 | 4973 | if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID, |
wolfSSL | 4:1b0d80432c79 | 4974 | sigType, cert->maxIdx)) < 0) |
wolfSSL | 4:1b0d80432c79 | 4975 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4976 | |
wolfSSL | 4:1b0d80432c79 | 4977 | if ((ret = GetSignature(cert)) < 0) |
wolfSSL | 4:1b0d80432c79 | 4978 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4979 | |
wolfSSL | 4:1b0d80432c79 | 4980 | if (confirmOID != cert->signatureOID) |
wolfSSL | 4:1b0d80432c79 | 4981 | return ASN_SIG_OID_E; |
wolfSSL | 4:1b0d80432c79 | 4982 | |
wolfSSL | 4:1b0d80432c79 | 4983 | #ifndef NO_SKID |
wolfSSL | 4:1b0d80432c79 | 4984 | if (cert->extSubjKeyIdSet == 0 |
wolfSSL | 4:1b0d80432c79 | 4985 | && cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 4:1b0d80432c79 | 4986 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 4987 | ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 4:1b0d80432c79 | 4988 | cert->extSubjKeyId); |
wolfSSL | 4:1b0d80432c79 | 4989 | #else |
wolfSSL | 4:1b0d80432c79 | 4990 | ret = wc_ShaHash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 4:1b0d80432c79 | 4991 | cert->extSubjKeyId); |
wolfSSL | 4:1b0d80432c79 | 4992 | #endif |
wolfSSL | 4:1b0d80432c79 | 4993 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 4994 | return ret; |
wolfSSL | 4:1b0d80432c79 | 4995 | } |
wolfSSL | 4:1b0d80432c79 | 4996 | #endif |
wolfSSL | 4:1b0d80432c79 | 4997 | |
wolfSSL | 4:1b0d80432c79 | 4998 | if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 4999 | Signer* ca = NULL; |
wolfSSL | 4:1b0d80432c79 | 5000 | #ifndef NO_SKID |
wolfSSL | 4:1b0d80432c79 | 5001 | if (cert->extAuthKeyIdSet) |
wolfSSL | 4:1b0d80432c79 | 5002 | ca = GetCA(cm, cert->extAuthKeyId); |
wolfSSL | 4:1b0d80432c79 | 5003 | if (ca == NULL) |
wolfSSL | 4:1b0d80432c79 | 5004 | ca = GetCAByName(cm, cert->issuerHash); |
wolfSSL | 4:1b0d80432c79 | 5005 | #else /* NO_SKID */ |
wolfSSL | 4:1b0d80432c79 | 5006 | ca = GetCA(cm, cert->issuerHash); |
wolfSSL | 4:1b0d80432c79 | 5007 | #endif /* NO SKID */ |
wolfSSL | 4:1b0d80432c79 | 5008 | WOLFSSL_MSG("About to verify certificate signature"); |
wolfSSL | 4:1b0d80432c79 | 5009 | |
wolfSSL | 4:1b0d80432c79 | 5010 | if (ca) { |
wolfSSL | 4:1b0d80432c79 | 5011 | #ifdef HAVE_OCSP |
wolfSSL | 4:1b0d80432c79 | 5012 | /* Need the ca's public key hash for OCSP */ |
wolfSSL | 4:1b0d80432c79 | 5013 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 5014 | ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize, |
wolfSSL | 4:1b0d80432c79 | 5015 | cert->issuerKeyHash); |
wolfSSL | 4:1b0d80432c79 | 5016 | #else /* NO_SHA */ |
wolfSSL | 4:1b0d80432c79 | 5017 | ret = wc_ShaHash(ca->publicKey, ca->pubKeySize, |
wolfSSL | 4:1b0d80432c79 | 5018 | cert->issuerKeyHash); |
wolfSSL | 4:1b0d80432c79 | 5019 | #endif /* NO_SHA */ |
wolfSSL | 4:1b0d80432c79 | 5020 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 5021 | return ret; |
wolfSSL | 4:1b0d80432c79 | 5022 | #endif /* HAVE_OCSP */ |
wolfSSL | 4:1b0d80432c79 | 5023 | /* try to confirm/verify signature */ |
wolfSSL | 4:1b0d80432c79 | 5024 | if (!ConfirmSignature(cert->source + cert->certBegin, |
wolfSSL | 4:1b0d80432c79 | 5025 | cert->sigIndex - cert->certBegin, |
wolfSSL | 4:1b0d80432c79 | 5026 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 4:1b0d80432c79 | 5027 | cert->signature, cert->sigLength, cert->signatureOID, |
wolfSSL | 4:1b0d80432c79 | 5028 | cert->heap)) { |
wolfSSL | 4:1b0d80432c79 | 5029 | WOLFSSL_MSG("Confirm signature failed"); |
wolfSSL | 4:1b0d80432c79 | 5030 | return ASN_SIG_CONFIRM_E; |
wolfSSL | 4:1b0d80432c79 | 5031 | } |
wolfSSL | 4:1b0d80432c79 | 5032 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 5033 | /* check that this cert's name is permitted by the signer's |
wolfSSL | 4:1b0d80432c79 | 5034 | * name constraints */ |
wolfSSL | 4:1b0d80432c79 | 5035 | if (!ConfirmNameConstraints(ca, cert)) { |
wolfSSL | 4:1b0d80432c79 | 5036 | WOLFSSL_MSG("Confirm name constraint failed"); |
wolfSSL | 4:1b0d80432c79 | 5037 | return ASN_NAME_INVALID_E; |
wolfSSL | 4:1b0d80432c79 | 5038 | } |
wolfSSL | 4:1b0d80432c79 | 5039 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 5040 | } |
wolfSSL | 4:1b0d80432c79 | 5041 | else { |
wolfSSL | 4:1b0d80432c79 | 5042 | /* no signer */ |
wolfSSL | 4:1b0d80432c79 | 5043 | WOLFSSL_MSG("No CA signer to verify with"); |
wolfSSL | 4:1b0d80432c79 | 5044 | return ASN_NO_SIGNER_E; |
wolfSSL | 4:1b0d80432c79 | 5045 | } |
wolfSSL | 4:1b0d80432c79 | 5046 | } |
wolfSSL | 4:1b0d80432c79 | 5047 | |
wolfSSL | 4:1b0d80432c79 | 5048 | if (badDate != 0) |
wolfSSL | 4:1b0d80432c79 | 5049 | return badDate; |
wolfSSL | 4:1b0d80432c79 | 5050 | |
wolfSSL | 4:1b0d80432c79 | 5051 | if (criticalExt != 0) |
wolfSSL | 4:1b0d80432c79 | 5052 | return criticalExt; |
wolfSSL | 4:1b0d80432c79 | 5053 | |
wolfSSL | 4:1b0d80432c79 | 5054 | return 0; |
wolfSSL | 4:1b0d80432c79 | 5055 | } |
wolfSSL | 4:1b0d80432c79 | 5056 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 4:1b0d80432c79 | 5057 | |
wolfSSL | 4:1b0d80432c79 | 5058 | /* Create and init an new signer */ |
wolfSSL | 4:1b0d80432c79 | 5059 | Signer* MakeSigner(void* heap) |
wolfSSL | 4:1b0d80432c79 | 5060 | { |
wolfSSL | 4:1b0d80432c79 | 5061 | Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap, |
wolfSSL | 4:1b0d80432c79 | 5062 | DYNAMIC_TYPE_SIGNER); |
wolfSSL | 4:1b0d80432c79 | 5063 | if (signer) { |
wolfSSL | 4:1b0d80432c79 | 5064 | signer->pubKeySize = 0; |
wolfSSL | 4:1b0d80432c79 | 5065 | signer->keyOID = 0; |
wolfSSL | 4:1b0d80432c79 | 5066 | signer->publicKey = NULL; |
wolfSSL | 4:1b0d80432c79 | 5067 | signer->nameLen = 0; |
wolfSSL | 4:1b0d80432c79 | 5068 | signer->name = NULL; |
wolfSSL | 4:1b0d80432c79 | 5069 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 5070 | signer->permittedNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 5071 | signer->excludedNames = NULL; |
wolfSSL | 4:1b0d80432c79 | 5072 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 4:1b0d80432c79 | 5073 | signer->next = NULL; |
wolfSSL | 4:1b0d80432c79 | 5074 | } |
wolfSSL | 4:1b0d80432c79 | 5075 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 5076 | |
wolfSSL | 4:1b0d80432c79 | 5077 | return signer; |
wolfSSL | 4:1b0d80432c79 | 5078 | } |
wolfSSL | 4:1b0d80432c79 | 5079 | |
wolfSSL | 4:1b0d80432c79 | 5080 | |
wolfSSL | 4:1b0d80432c79 | 5081 | /* Free an individual signer */ |
wolfSSL | 4:1b0d80432c79 | 5082 | void FreeSigner(Signer* signer, void* heap) |
wolfSSL | 4:1b0d80432c79 | 5083 | { |
wolfSSL | 4:1b0d80432c79 | 5084 | XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 4:1b0d80432c79 | 5085 | XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 4:1b0d80432c79 | 5086 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 5087 | if (signer->permittedNames) |
wolfSSL | 4:1b0d80432c79 | 5088 | FreeNameSubtrees(signer->permittedNames, heap); |
wolfSSL | 4:1b0d80432c79 | 5089 | if (signer->excludedNames) |
wolfSSL | 4:1b0d80432c79 | 5090 | FreeNameSubtrees(signer->excludedNames, heap); |
wolfSSL | 4:1b0d80432c79 | 5091 | #endif |
wolfSSL | 4:1b0d80432c79 | 5092 | XFREE(signer, heap, DYNAMIC_TYPE_SIGNER); |
wolfSSL | 4:1b0d80432c79 | 5093 | |
wolfSSL | 4:1b0d80432c79 | 5094 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 5095 | } |
wolfSSL | 4:1b0d80432c79 | 5096 | |
wolfSSL | 4:1b0d80432c79 | 5097 | |
wolfSSL | 4:1b0d80432c79 | 5098 | /* Free the whole singer table with number of rows */ |
wolfSSL | 4:1b0d80432c79 | 5099 | void FreeSignerTable(Signer** table, int rows, void* heap) |
wolfSSL | 4:1b0d80432c79 | 5100 | { |
wolfSSL | 4:1b0d80432c79 | 5101 | int i; |
wolfSSL | 4:1b0d80432c79 | 5102 | |
wolfSSL | 4:1b0d80432c79 | 5103 | for (i = 0; i < rows; i++) { |
wolfSSL | 4:1b0d80432c79 | 5104 | Signer* signer = table[i]; |
wolfSSL | 4:1b0d80432c79 | 5105 | while (signer) { |
wolfSSL | 4:1b0d80432c79 | 5106 | Signer* next = signer->next; |
wolfSSL | 4:1b0d80432c79 | 5107 | FreeSigner(signer, heap); |
wolfSSL | 4:1b0d80432c79 | 5108 | signer = next; |
wolfSSL | 4:1b0d80432c79 | 5109 | } |
wolfSSL | 4:1b0d80432c79 | 5110 | table[i] = NULL; |
wolfSSL | 4:1b0d80432c79 | 5111 | } |
wolfSSL | 4:1b0d80432c79 | 5112 | } |
wolfSSL | 4:1b0d80432c79 | 5113 | |
wolfSSL | 4:1b0d80432c79 | 5114 | #ifdef WOLFSSL_TRUST_PEER_CERT |
wolfSSL | 4:1b0d80432c79 | 5115 | /* Free an individual trusted peer cert */ |
wolfSSL | 4:1b0d80432c79 | 5116 | void FreeTrustedPeer(TrustedPeerCert* tp, void* heap) |
wolfSSL | 4:1b0d80432c79 | 5117 | { |
wolfSSL | 4:1b0d80432c79 | 5118 | if (tp == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5119 | return; |
wolfSSL | 4:1b0d80432c79 | 5120 | } |
wolfSSL | 4:1b0d80432c79 | 5121 | |
wolfSSL | 4:1b0d80432c79 | 5122 | if (tp->name) { |
wolfSSL | 4:1b0d80432c79 | 5123 | XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 4:1b0d80432c79 | 5124 | } |
wolfSSL | 4:1b0d80432c79 | 5125 | |
wolfSSL | 4:1b0d80432c79 | 5126 | if (tp->sig) { |
wolfSSL | 4:1b0d80432c79 | 5127 | XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 4:1b0d80432c79 | 5128 | } |
wolfSSL | 4:1b0d80432c79 | 5129 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 4:1b0d80432c79 | 5130 | if (tp->permittedNames) |
wolfSSL | 4:1b0d80432c79 | 5131 | FreeNameSubtrees(tp->permittedNames, heap); |
wolfSSL | 4:1b0d80432c79 | 5132 | if (tp->excludedNames) |
wolfSSL | 4:1b0d80432c79 | 5133 | FreeNameSubtrees(tp->excludedNames, heap); |
wolfSSL | 4:1b0d80432c79 | 5134 | #endif |
wolfSSL | 4:1b0d80432c79 | 5135 | XFREE(tp, heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 5136 | |
wolfSSL | 4:1b0d80432c79 | 5137 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 5138 | } |
wolfSSL | 4:1b0d80432c79 | 5139 | |
wolfSSL | 4:1b0d80432c79 | 5140 | /* Free the whole Trusted Peer linked list */ |
wolfSSL | 4:1b0d80432c79 | 5141 | void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap) |
wolfSSL | 4:1b0d80432c79 | 5142 | { |
wolfSSL | 4:1b0d80432c79 | 5143 | int i; |
wolfSSL | 4:1b0d80432c79 | 5144 | |
wolfSSL | 4:1b0d80432c79 | 5145 | for (i = 0; i < rows; i++) { |
wolfSSL | 4:1b0d80432c79 | 5146 | TrustedPeerCert* tp = table[i]; |
wolfSSL | 4:1b0d80432c79 | 5147 | while (tp) { |
wolfSSL | 4:1b0d80432c79 | 5148 | TrustedPeerCert* next = tp->next; |
wolfSSL | 4:1b0d80432c79 | 5149 | FreeTrustedPeer(tp, heap); |
wolfSSL | 4:1b0d80432c79 | 5150 | tp = next; |
wolfSSL | 4:1b0d80432c79 | 5151 | } |
wolfSSL | 4:1b0d80432c79 | 5152 | table[i] = NULL; |
wolfSSL | 4:1b0d80432c79 | 5153 | } |
wolfSSL | 4:1b0d80432c79 | 5154 | } |
wolfSSL | 4:1b0d80432c79 | 5155 | #endif /* WOLFSSL_TRUST_PEER_CERT */ |
wolfSSL | 4:1b0d80432c79 | 5156 | |
wolfSSL | 4:1b0d80432c79 | 5157 | WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header) |
wolfSSL | 4:1b0d80432c79 | 5158 | { |
wolfSSL | 4:1b0d80432c79 | 5159 | int i = 0; |
wolfSSL | 4:1b0d80432c79 | 5160 | |
wolfSSL | 4:1b0d80432c79 | 5161 | if (output == NULL) |
wolfSSL | 4:1b0d80432c79 | 5162 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5163 | |
wolfSSL | 4:1b0d80432c79 | 5164 | if (header) { |
wolfSSL | 4:1b0d80432c79 | 5165 | output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED; |
wolfSSL | 4:1b0d80432c79 | 5166 | output[i++] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 5167 | } |
wolfSSL | 4:1b0d80432c79 | 5168 | output[i++] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5169 | output[i++] = 0x01; |
wolfSSL | 4:1b0d80432c79 | 5170 | output[i++] = (byte)version; |
wolfSSL | 4:1b0d80432c79 | 5171 | |
wolfSSL | 4:1b0d80432c79 | 5172 | return i; |
wolfSSL | 4:1b0d80432c79 | 5173 | } |
wolfSSL | 4:1b0d80432c79 | 5174 | |
wolfSSL | 4:1b0d80432c79 | 5175 | |
wolfSSL | 4:1b0d80432c79 | 5176 | WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) |
wolfSSL | 4:1b0d80432c79 | 5177 | { |
wolfSSL | 4:1b0d80432c79 | 5178 | int result = 0; |
wolfSSL | 4:1b0d80432c79 | 5179 | |
wolfSSL | 4:1b0d80432c79 | 5180 | WOLFSSL_ENTER("SetSerialNumber"); |
wolfSSL | 4:1b0d80432c79 | 5181 | |
wolfSSL | 4:1b0d80432c79 | 5182 | if (sn == NULL || output == NULL) |
wolfSSL | 4:1b0d80432c79 | 5183 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5184 | |
wolfSSL | 4:1b0d80432c79 | 5185 | if (snSz <= EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 4:1b0d80432c79 | 5186 | output[0] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5187 | /* The serial number is always positive. When encoding the |
wolfSSL | 4:1b0d80432c79 | 5188 | * INTEGER, if the MSB is 1, add a padding zero to keep the |
wolfSSL | 4:1b0d80432c79 | 5189 | * number positive. */ |
wolfSSL | 4:1b0d80432c79 | 5190 | if (sn[0] & 0x80) { |
wolfSSL | 4:1b0d80432c79 | 5191 | output[1] = (byte)snSz + 1; |
wolfSSL | 4:1b0d80432c79 | 5192 | output[2] = 0; |
wolfSSL | 4:1b0d80432c79 | 5193 | XMEMCPY(&output[3], sn, snSz); |
wolfSSL | 4:1b0d80432c79 | 5194 | result = snSz + 3; |
wolfSSL | 4:1b0d80432c79 | 5195 | } |
wolfSSL | 4:1b0d80432c79 | 5196 | else { |
wolfSSL | 4:1b0d80432c79 | 5197 | output[1] = (byte)snSz; |
wolfSSL | 4:1b0d80432c79 | 5198 | XMEMCPY(&output[2], sn, snSz); |
wolfSSL | 4:1b0d80432c79 | 5199 | result = snSz + 2; |
wolfSSL | 4:1b0d80432c79 | 5200 | } |
wolfSSL | 4:1b0d80432c79 | 5201 | } |
wolfSSL | 4:1b0d80432c79 | 5202 | return result; |
wolfSSL | 4:1b0d80432c79 | 5203 | } |
wolfSSL | 4:1b0d80432c79 | 5204 | |
wolfSSL | 4:1b0d80432c79 | 5205 | |
wolfSSL | 4:1b0d80432c79 | 5206 | |
wolfSSL | 4:1b0d80432c79 | 5207 | const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; |
wolfSSL | 4:1b0d80432c79 | 5208 | const char* END_CERT = "-----END CERTIFICATE-----"; |
wolfSSL | 4:1b0d80432c79 | 5209 | const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; |
wolfSSL | 4:1b0d80432c79 | 5210 | const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; |
wolfSSL | 4:1b0d80432c79 | 5211 | const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; |
wolfSSL | 4:1b0d80432c79 | 5212 | const char* END_DH_PARAM = "-----END DH PARAMETERS-----"; |
wolfSSL | 4:1b0d80432c79 | 5213 | const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; |
wolfSSL | 4:1b0d80432c79 | 5214 | const char* END_X509_CRL = "-----END X509 CRL-----"; |
wolfSSL | 4:1b0d80432c79 | 5215 | const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5216 | const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5217 | const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5218 | const char* END_PRIV_KEY = "-----END PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5219 | const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5220 | const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5221 | const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5222 | const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5223 | const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5224 | const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5225 | const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5226 | const char* END_PUB_KEY = "-----END PUBLIC KEY-----"; |
wolfSSL | 4:1b0d80432c79 | 5227 | |
wolfSSL | 4:1b0d80432c79 | 5228 | #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) |
wolfSSL | 4:1b0d80432c79 | 5229 | |
wolfSSL | 4:1b0d80432c79 | 5230 | /* Used for compatibility API */ |
wolfSSL | 4:1b0d80432c79 | 5231 | int wc_DerToPem(const byte* der, word32 derSz, |
wolfSSL | 4:1b0d80432c79 | 5232 | byte* output, word32 outSz, int type) |
wolfSSL | 4:1b0d80432c79 | 5233 | { |
wolfSSL | 4:1b0d80432c79 | 5234 | return wc_DerToPemEx(der, derSz, output, outSz, NULL, type); |
wolfSSL | 4:1b0d80432c79 | 5235 | } |
wolfSSL | 4:1b0d80432c79 | 5236 | |
wolfSSL | 4:1b0d80432c79 | 5237 | /* convert der buffer to pem into output, can't do inplace, der and output |
wolfSSL | 4:1b0d80432c79 | 5238 | need to be different */ |
wolfSSL | 4:1b0d80432c79 | 5239 | int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, |
wolfSSL | 4:1b0d80432c79 | 5240 | byte *cipher_info, int type) |
wolfSSL | 4:1b0d80432c79 | 5241 | { |
wolfSSL | 4:1b0d80432c79 | 5242 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5243 | char* header = NULL; |
wolfSSL | 4:1b0d80432c79 | 5244 | char* footer = NULL; |
wolfSSL | 4:1b0d80432c79 | 5245 | #else |
wolfSSL | 4:1b0d80432c79 | 5246 | char header[40 + HEADER_ENCRYPTED_KEY_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 5247 | char footer[40]; |
wolfSSL | 4:1b0d80432c79 | 5248 | #endif |
wolfSSL | 4:1b0d80432c79 | 5249 | |
wolfSSL | 4:1b0d80432c79 | 5250 | int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE; |
wolfSSL | 4:1b0d80432c79 | 5251 | int footerLen = 40; |
wolfSSL | 4:1b0d80432c79 | 5252 | int i; |
wolfSSL | 4:1b0d80432c79 | 5253 | int err; |
wolfSSL | 4:1b0d80432c79 | 5254 | int outLen; /* return length or error */ |
wolfSSL | 4:1b0d80432c79 | 5255 | |
wolfSSL | 4:1b0d80432c79 | 5256 | if (der == output) /* no in place conversion */ |
wolfSSL | 4:1b0d80432c79 | 5257 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5258 | |
wolfSSL | 4:1b0d80432c79 | 5259 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5260 | header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5261 | if (header == NULL) |
wolfSSL | 4:1b0d80432c79 | 5262 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5263 | |
wolfSSL | 4:1b0d80432c79 | 5264 | footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5265 | if (footer == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5266 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5267 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5268 | } |
wolfSSL | 4:1b0d80432c79 | 5269 | #endif |
wolfSSL | 4:1b0d80432c79 | 5270 | if (type == CERT_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 5271 | XSTRNCPY(header, BEGIN_CERT, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5272 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5273 | |
wolfSSL | 4:1b0d80432c79 | 5274 | XSTRNCPY(footer, END_CERT, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5275 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5276 | } |
wolfSSL | 4:1b0d80432c79 | 5277 | else if (type == PRIVATEKEY_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 5278 | XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5279 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5280 | |
wolfSSL | 4:1b0d80432c79 | 5281 | XSTRNCPY(footer, END_RSA_PRIV, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5282 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5283 | } |
wolfSSL | 4:1b0d80432c79 | 5284 | #ifndef NO_DSA |
wolfSSL | 4:1b0d80432c79 | 5285 | else if (type == DSA_PRIVATEKEY_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 5286 | XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5287 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5288 | |
wolfSSL | 4:1b0d80432c79 | 5289 | XSTRNCPY(footer, END_DSA_PRIV, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5290 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5291 | } |
wolfSSL | 4:1b0d80432c79 | 5292 | #endif |
wolfSSL | 4:1b0d80432c79 | 5293 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 5294 | else if (type == ECC_PRIVATEKEY_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 5295 | XSTRNCPY(header, BEGIN_EC_PRIV, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5296 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5297 | |
wolfSSL | 4:1b0d80432c79 | 5298 | XSTRNCPY(footer, END_EC_PRIV, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5299 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5300 | } |
wolfSSL | 4:1b0d80432c79 | 5301 | #endif |
wolfSSL | 4:1b0d80432c79 | 5302 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 5303 | else if (type == CERTREQ_TYPE) |
wolfSSL | 4:1b0d80432c79 | 5304 | { |
wolfSSL | 4:1b0d80432c79 | 5305 | XSTRNCPY(header, BEGIN_CERT_REQ, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5306 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5307 | |
wolfSSL | 4:1b0d80432c79 | 5308 | XSTRNCPY(footer, END_CERT_REQ, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5309 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 4:1b0d80432c79 | 5310 | } |
wolfSSL | 4:1b0d80432c79 | 5311 | #endif |
wolfSSL | 4:1b0d80432c79 | 5312 | else { |
wolfSSL | 4:1b0d80432c79 | 5313 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5314 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5315 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5316 | #endif |
wolfSSL | 4:1b0d80432c79 | 5317 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5318 | } |
wolfSSL | 4:1b0d80432c79 | 5319 | |
wolfSSL | 4:1b0d80432c79 | 5320 | /* extra header information for encrypted key */ |
wolfSSL | 4:1b0d80432c79 | 5321 | if (cipher_info != NULL) { |
wolfSSL | 4:1b0d80432c79 | 5322 | XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23); |
wolfSSL | 4:1b0d80432c79 | 5323 | XSTRNCAT(header, "DEK-Info: ", 10); |
wolfSSL | 4:1b0d80432c79 | 5324 | XSTRNCAT(header, (char*)cipher_info, XSTRLEN((char*)cipher_info)); |
wolfSSL | 4:1b0d80432c79 | 5325 | XSTRNCAT(header, "\n\n", 2); |
wolfSSL | 4:1b0d80432c79 | 5326 | } |
wolfSSL | 4:1b0d80432c79 | 5327 | |
wolfSSL | 4:1b0d80432c79 | 5328 | headerLen = (int)XSTRLEN(header); |
wolfSSL | 4:1b0d80432c79 | 5329 | footerLen = (int)XSTRLEN(footer); |
wolfSSL | 4:1b0d80432c79 | 5330 | |
wolfSSL | 4:1b0d80432c79 | 5331 | if (!der || !output) { |
wolfSSL | 4:1b0d80432c79 | 5332 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5333 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5334 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5335 | #endif |
wolfSSL | 4:1b0d80432c79 | 5336 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5337 | } |
wolfSSL | 4:1b0d80432c79 | 5338 | |
wolfSSL | 4:1b0d80432c79 | 5339 | /* don't even try if outSz too short */ |
wolfSSL | 4:1b0d80432c79 | 5340 | if (outSz < headerLen + footerLen + derSz) { |
wolfSSL | 4:1b0d80432c79 | 5341 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5342 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5343 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5344 | #endif |
wolfSSL | 4:1b0d80432c79 | 5345 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5346 | } |
wolfSSL | 4:1b0d80432c79 | 5347 | |
wolfSSL | 4:1b0d80432c79 | 5348 | /* header */ |
wolfSSL | 4:1b0d80432c79 | 5349 | XMEMCPY(output, header, headerLen); |
wolfSSL | 4:1b0d80432c79 | 5350 | i = headerLen; |
wolfSSL | 4:1b0d80432c79 | 5351 | |
wolfSSL | 4:1b0d80432c79 | 5352 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5353 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5354 | #endif |
wolfSSL | 4:1b0d80432c79 | 5355 | |
wolfSSL | 4:1b0d80432c79 | 5356 | /* body */ |
wolfSSL | 4:1b0d80432c79 | 5357 | outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */ |
wolfSSL | 4:1b0d80432c79 | 5358 | if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) { |
wolfSSL | 4:1b0d80432c79 | 5359 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5360 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5361 | #endif |
wolfSSL | 4:1b0d80432c79 | 5362 | return err; |
wolfSSL | 4:1b0d80432c79 | 5363 | } |
wolfSSL | 4:1b0d80432c79 | 5364 | i += outLen; |
wolfSSL | 4:1b0d80432c79 | 5365 | |
wolfSSL | 4:1b0d80432c79 | 5366 | /* footer */ |
wolfSSL | 4:1b0d80432c79 | 5367 | if ( (i + footerLen) > (int)outSz) { |
wolfSSL | 4:1b0d80432c79 | 5368 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5369 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5370 | #endif |
wolfSSL | 4:1b0d80432c79 | 5371 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5372 | } |
wolfSSL | 4:1b0d80432c79 | 5373 | XMEMCPY(output + i, footer, footerLen); |
wolfSSL | 4:1b0d80432c79 | 5374 | |
wolfSSL | 4:1b0d80432c79 | 5375 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5376 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5377 | #endif |
wolfSSL | 4:1b0d80432c79 | 5378 | |
wolfSSL | 4:1b0d80432c79 | 5379 | return outLen + headerLen + footerLen; |
wolfSSL | 4:1b0d80432c79 | 5380 | } |
wolfSSL | 4:1b0d80432c79 | 5381 | |
wolfSSL | 4:1b0d80432c79 | 5382 | #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 5383 | |
wolfSSL | 4:1b0d80432c79 | 5384 | #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))) |
wolfSSL | 4:1b0d80432c79 | 5385 | /* USER RSA ifdef portions used instead of refactor in consideration for |
wolfSSL | 4:1b0d80432c79 | 5386 | possible fips build */ |
wolfSSL | 4:1b0d80432c79 | 5387 | /* Write a public RSA key to output */ |
wolfSSL | 4:1b0d80432c79 | 5388 | static int SetRsaPublicKey(byte* output, RsaKey* key, |
wolfSSL | 4:1b0d80432c79 | 5389 | int outLen, int with_header) |
wolfSSL | 4:1b0d80432c79 | 5390 | { |
wolfSSL | 4:1b0d80432c79 | 5391 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5392 | byte* n = NULL; |
wolfSSL | 4:1b0d80432c79 | 5393 | byte* e = NULL; |
wolfSSL | 4:1b0d80432c79 | 5394 | #else |
wolfSSL | 4:1b0d80432c79 | 5395 | byte n[MAX_RSA_INT_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5396 | byte e[MAX_RSA_E_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5397 | #endif |
wolfSSL | 4:1b0d80432c79 | 5398 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5399 | byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */ |
wolfSSL | 4:1b0d80432c79 | 5400 | int nSz; |
wolfSSL | 4:1b0d80432c79 | 5401 | int eSz; |
wolfSSL | 4:1b0d80432c79 | 5402 | int seqSz; |
wolfSSL | 4:1b0d80432c79 | 5403 | int lenSz; |
wolfSSL | 4:1b0d80432c79 | 5404 | int idx; |
wolfSSL | 4:1b0d80432c79 | 5405 | int rawLen; |
wolfSSL | 4:1b0d80432c79 | 5406 | int leadingBit; |
wolfSSL | 4:1b0d80432c79 | 5407 | int err; |
wolfSSL | 4:1b0d80432c79 | 5408 | |
wolfSSL | 4:1b0d80432c79 | 5409 | if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) |
wolfSSL | 4:1b0d80432c79 | 5410 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5411 | |
wolfSSL | 4:1b0d80432c79 | 5412 | /* n */ |
wolfSSL | 4:1b0d80432c79 | 5413 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5414 | n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5415 | if (n == NULL) |
wolfSSL | 4:1b0d80432c79 | 5416 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5417 | #endif |
wolfSSL | 4:1b0d80432c79 | 5418 | |
wolfSSL | 4:1b0d80432c79 | 5419 | #ifdef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 5420 | leadingBit = wc_Rsa_leading_bit(key->n); |
wolfSSL | 4:1b0d80432c79 | 5421 | rawLen = wc_Rsa_unsigned_bin_size(key->n) + leadingBit; |
wolfSSL | 4:1b0d80432c79 | 5422 | #else |
wolfSSL | 4:1b0d80432c79 | 5423 | leadingBit = mp_leading_bit(&key->n); |
wolfSSL | 4:1b0d80432c79 | 5424 | rawLen = mp_unsigned_bin_size(&key->n) + leadingBit; |
wolfSSL | 4:1b0d80432c79 | 5425 | #endif |
wolfSSL | 4:1b0d80432c79 | 5426 | n[0] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5427 | nSz = SetLength(rawLen, n + 1) + 1; /* int tag */ |
wolfSSL | 4:1b0d80432c79 | 5428 | |
wolfSSL | 4:1b0d80432c79 | 5429 | if ( (nSz + rawLen) < MAX_RSA_INT_SZ) { |
wolfSSL | 4:1b0d80432c79 | 5430 | if (leadingBit) |
wolfSSL | 4:1b0d80432c79 | 5431 | n[nSz] = 0; |
wolfSSL | 4:1b0d80432c79 | 5432 | #ifdef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 5433 | err = wc_Rsa_to_unsigned_bin(key->n, n + nSz, rawLen); |
wolfSSL | 4:1b0d80432c79 | 5434 | #else |
wolfSSL | 4:1b0d80432c79 | 5435 | err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit); |
wolfSSL | 4:1b0d80432c79 | 5436 | #endif |
wolfSSL | 4:1b0d80432c79 | 5437 | if (err == MP_OKAY) |
wolfSSL | 4:1b0d80432c79 | 5438 | nSz += rawLen; |
wolfSSL | 4:1b0d80432c79 | 5439 | else { |
wolfSSL | 4:1b0d80432c79 | 5440 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5441 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5442 | #endif |
wolfSSL | 4:1b0d80432c79 | 5443 | return MP_TO_E; |
wolfSSL | 4:1b0d80432c79 | 5444 | } |
wolfSSL | 4:1b0d80432c79 | 5445 | } |
wolfSSL | 4:1b0d80432c79 | 5446 | else { |
wolfSSL | 4:1b0d80432c79 | 5447 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5448 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5449 | #endif |
wolfSSL | 4:1b0d80432c79 | 5450 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 5451 | } |
wolfSSL | 4:1b0d80432c79 | 5452 | |
wolfSSL | 4:1b0d80432c79 | 5453 | /* e */ |
wolfSSL | 4:1b0d80432c79 | 5454 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5455 | e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5456 | if (e == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5457 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5458 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5459 | #endif |
wolfSSL | 4:1b0d80432c79 | 5460 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5461 | } |
wolfSSL | 4:1b0d80432c79 | 5462 | #endif |
wolfSSL | 4:1b0d80432c79 | 5463 | |
wolfSSL | 4:1b0d80432c79 | 5464 | #ifdef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 5465 | leadingBit = wc_Rsa_leading_bit(key->e); |
wolfSSL | 4:1b0d80432c79 | 5466 | rawLen = wc_Rsa_unsigned_bin_size(key->e) + leadingBit; |
wolfSSL | 4:1b0d80432c79 | 5467 | #else |
wolfSSL | 4:1b0d80432c79 | 5468 | leadingBit = mp_leading_bit(&key->e); |
wolfSSL | 4:1b0d80432c79 | 5469 | rawLen = mp_unsigned_bin_size(&key->e) + leadingBit; |
wolfSSL | 4:1b0d80432c79 | 5470 | #endif |
wolfSSL | 4:1b0d80432c79 | 5471 | e[0] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5472 | eSz = SetLength(rawLen, e + 1) + 1; /* int tag */ |
wolfSSL | 4:1b0d80432c79 | 5473 | |
wolfSSL | 4:1b0d80432c79 | 5474 | if ( (eSz + rawLen) < MAX_RSA_E_SZ) { |
wolfSSL | 4:1b0d80432c79 | 5475 | if (leadingBit) |
wolfSSL | 4:1b0d80432c79 | 5476 | e[eSz] = 0; |
wolfSSL | 4:1b0d80432c79 | 5477 | #ifdef HAVE_USER_RSA |
wolfSSL | 4:1b0d80432c79 | 5478 | err = wc_Rsa_to_unsigned_bin(key->e, e + eSz, rawLen); |
wolfSSL | 4:1b0d80432c79 | 5479 | #else |
wolfSSL | 4:1b0d80432c79 | 5480 | err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit); |
wolfSSL | 4:1b0d80432c79 | 5481 | #endif |
wolfSSL | 4:1b0d80432c79 | 5482 | if (err == MP_OKAY) |
wolfSSL | 4:1b0d80432c79 | 5483 | eSz += rawLen; |
wolfSSL | 4:1b0d80432c79 | 5484 | else { |
wolfSSL | 4:1b0d80432c79 | 5485 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5486 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5487 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5488 | #endif |
wolfSSL | 4:1b0d80432c79 | 5489 | return MP_TO_E; |
wolfSSL | 4:1b0d80432c79 | 5490 | } |
wolfSSL | 4:1b0d80432c79 | 5491 | } |
wolfSSL | 4:1b0d80432c79 | 5492 | else { |
wolfSSL | 4:1b0d80432c79 | 5493 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5494 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5495 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5496 | #endif |
wolfSSL | 4:1b0d80432c79 | 5497 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 5498 | } |
wolfSSL | 4:1b0d80432c79 | 5499 | |
wolfSSL | 4:1b0d80432c79 | 5500 | seqSz = SetSequence(nSz + eSz, seq); |
wolfSSL | 4:1b0d80432c79 | 5501 | |
wolfSSL | 4:1b0d80432c79 | 5502 | /* check output size */ |
wolfSSL | 4:1b0d80432c79 | 5503 | if ( (seqSz + nSz + eSz) > outLen) { |
wolfSSL | 4:1b0d80432c79 | 5504 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5505 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5506 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5507 | #endif |
wolfSSL | 4:1b0d80432c79 | 5508 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 5509 | } |
wolfSSL | 4:1b0d80432c79 | 5510 | |
wolfSSL | 4:1b0d80432c79 | 5511 | /* headers */ |
wolfSSL | 4:1b0d80432c79 | 5512 | if (with_header) { |
wolfSSL | 4:1b0d80432c79 | 5513 | int algoSz; |
wolfSSL | 4:1b0d80432c79 | 5514 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5515 | byte* algo = NULL; |
wolfSSL | 4:1b0d80432c79 | 5516 | |
wolfSSL | 4:1b0d80432c79 | 5517 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5518 | if (algo == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5519 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5520 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5521 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5522 | } |
wolfSSL | 4:1b0d80432c79 | 5523 | #else |
wolfSSL | 4:1b0d80432c79 | 5524 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5525 | #endif |
wolfSSL | 4:1b0d80432c79 | 5526 | algoSz = SetAlgoID(RSAk, algo, keyType, 0); |
wolfSSL | 4:1b0d80432c79 | 5527 | lenSz = SetLength(seqSz + nSz + eSz + 1, len); |
wolfSSL | 4:1b0d80432c79 | 5528 | len[lenSz++] = 0; /* trailing 0 */ |
wolfSSL | 4:1b0d80432c79 | 5529 | |
wolfSSL | 4:1b0d80432c79 | 5530 | /* write, 1 is for ASN_BIT_STRING */ |
wolfSSL | 4:1b0d80432c79 | 5531 | idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output); |
wolfSSL | 4:1b0d80432c79 | 5532 | |
wolfSSL | 4:1b0d80432c79 | 5533 | /* check output size */ |
wolfSSL | 4:1b0d80432c79 | 5534 | if ( (idx + algoSz + 1 + lenSz + seqSz + nSz + eSz) > outLen) { |
wolfSSL | 4:1b0d80432c79 | 5535 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5536 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5537 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5538 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5539 | #endif |
wolfSSL | 4:1b0d80432c79 | 5540 | |
wolfSSL | 4:1b0d80432c79 | 5541 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 5542 | } |
wolfSSL | 4:1b0d80432c79 | 5543 | |
wolfSSL | 4:1b0d80432c79 | 5544 | /* algo */ |
wolfSSL | 4:1b0d80432c79 | 5545 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 4:1b0d80432c79 | 5546 | idx += algoSz; |
wolfSSL | 4:1b0d80432c79 | 5547 | /* bit string */ |
wolfSSL | 4:1b0d80432c79 | 5548 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 5549 | /* length */ |
wolfSSL | 4:1b0d80432c79 | 5550 | XMEMCPY(output + idx, len, lenSz); |
wolfSSL | 4:1b0d80432c79 | 5551 | idx += lenSz; |
wolfSSL | 4:1b0d80432c79 | 5552 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5553 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5554 | #endif |
wolfSSL | 4:1b0d80432c79 | 5555 | } |
wolfSSL | 4:1b0d80432c79 | 5556 | else |
wolfSSL | 4:1b0d80432c79 | 5557 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 5558 | |
wolfSSL | 4:1b0d80432c79 | 5559 | /* seq */ |
wolfSSL | 4:1b0d80432c79 | 5560 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 4:1b0d80432c79 | 5561 | idx += seqSz; |
wolfSSL | 4:1b0d80432c79 | 5562 | /* n */ |
wolfSSL | 4:1b0d80432c79 | 5563 | XMEMCPY(output + idx, n, nSz); |
wolfSSL | 4:1b0d80432c79 | 5564 | idx += nSz; |
wolfSSL | 4:1b0d80432c79 | 5565 | /* e */ |
wolfSSL | 4:1b0d80432c79 | 5566 | XMEMCPY(output + idx, e, eSz); |
wolfSSL | 4:1b0d80432c79 | 5567 | idx += eSz; |
wolfSSL | 4:1b0d80432c79 | 5568 | |
wolfSSL | 4:1b0d80432c79 | 5569 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5570 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5571 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5572 | #endif |
wolfSSL | 4:1b0d80432c79 | 5573 | |
wolfSSL | 4:1b0d80432c79 | 5574 | return idx; |
wolfSSL | 4:1b0d80432c79 | 5575 | } |
wolfSSL | 4:1b0d80432c79 | 5576 | #endif /* !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || |
wolfSSL | 4:1b0d80432c79 | 5577 | defined(WOLFSSL_KEY_GEN)) */ |
wolfSSL | 4:1b0d80432c79 | 5578 | |
wolfSSL | 4:1b0d80432c79 | 5579 | |
wolfSSL | 4:1b0d80432c79 | 5580 | #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) |
wolfSSL | 4:1b0d80432c79 | 5581 | |
wolfSSL | 4:1b0d80432c79 | 5582 | |
wolfSSL | 4:1b0d80432c79 | 5583 | static mp_int* GetRsaInt(RsaKey* key, int idx) |
wolfSSL | 4:1b0d80432c79 | 5584 | { |
wolfSSL | 4:1b0d80432c79 | 5585 | if (idx == 0) |
wolfSSL | 4:1b0d80432c79 | 5586 | return &key->n; |
wolfSSL | 4:1b0d80432c79 | 5587 | if (idx == 1) |
wolfSSL | 4:1b0d80432c79 | 5588 | return &key->e; |
wolfSSL | 4:1b0d80432c79 | 5589 | if (idx == 2) |
wolfSSL | 4:1b0d80432c79 | 5590 | return &key->d; |
wolfSSL | 4:1b0d80432c79 | 5591 | if (idx == 3) |
wolfSSL | 4:1b0d80432c79 | 5592 | return &key->p; |
wolfSSL | 4:1b0d80432c79 | 5593 | if (idx == 4) |
wolfSSL | 4:1b0d80432c79 | 5594 | return &key->q; |
wolfSSL | 4:1b0d80432c79 | 5595 | if (idx == 5) |
wolfSSL | 4:1b0d80432c79 | 5596 | return &key->dP; |
wolfSSL | 4:1b0d80432c79 | 5597 | if (idx == 6) |
wolfSSL | 4:1b0d80432c79 | 5598 | return &key->dQ; |
wolfSSL | 4:1b0d80432c79 | 5599 | if (idx == 7) |
wolfSSL | 4:1b0d80432c79 | 5600 | return &key->u; |
wolfSSL | 4:1b0d80432c79 | 5601 | |
wolfSSL | 4:1b0d80432c79 | 5602 | return NULL; |
wolfSSL | 4:1b0d80432c79 | 5603 | } |
wolfSSL | 4:1b0d80432c79 | 5604 | |
wolfSSL | 4:1b0d80432c79 | 5605 | |
wolfSSL | 4:1b0d80432c79 | 5606 | /* Release Tmp RSA resources */ |
wolfSSL | 4:1b0d80432c79 | 5607 | static INLINE void FreeTmpRsas(byte** tmps, void* heap) |
wolfSSL | 4:1b0d80432c79 | 5608 | { |
wolfSSL | 4:1b0d80432c79 | 5609 | int i; |
wolfSSL | 4:1b0d80432c79 | 5610 | |
wolfSSL | 4:1b0d80432c79 | 5611 | (void)heap; |
wolfSSL | 4:1b0d80432c79 | 5612 | |
wolfSSL | 4:1b0d80432c79 | 5613 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 4:1b0d80432c79 | 5614 | XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 5615 | } |
wolfSSL | 4:1b0d80432c79 | 5616 | |
wolfSSL | 4:1b0d80432c79 | 5617 | |
wolfSSL | 4:1b0d80432c79 | 5618 | /* Convert RsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 4:1b0d80432c79 | 5619 | written */ |
wolfSSL | 4:1b0d80432c79 | 5620 | int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 4:1b0d80432c79 | 5621 | { |
wolfSSL | 4:1b0d80432c79 | 5622 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 4:1b0d80432c79 | 5623 | word32 sizes[RSA_INTS]; |
wolfSSL | 4:1b0d80432c79 | 5624 | int i, j, outLen, ret = 0, lbit; |
wolfSSL | 4:1b0d80432c79 | 5625 | |
wolfSSL | 4:1b0d80432c79 | 5626 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5627 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5628 | byte* tmps[RSA_INTS]; |
wolfSSL | 4:1b0d80432c79 | 5629 | |
wolfSSL | 4:1b0d80432c79 | 5630 | if (!key || !output) |
wolfSSL | 4:1b0d80432c79 | 5631 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5632 | |
wolfSSL | 4:1b0d80432c79 | 5633 | if (key->type != RSA_PRIVATE) |
wolfSSL | 4:1b0d80432c79 | 5634 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5635 | |
wolfSSL | 4:1b0d80432c79 | 5636 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 4:1b0d80432c79 | 5637 | tmps[i] = NULL; |
wolfSSL | 4:1b0d80432c79 | 5638 | |
wolfSSL | 4:1b0d80432c79 | 5639 | /* write all big ints from key to DER tmps */ |
wolfSSL | 4:1b0d80432c79 | 5640 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 4:1b0d80432c79 | 5641 | mp_int* keyInt = GetRsaInt(key, i); |
wolfSSL | 4:1b0d80432c79 | 5642 | |
wolfSSL | 4:1b0d80432c79 | 5643 | /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 5644 | lbit = mp_leading_bit(keyInt); |
wolfSSL | 4:1b0d80432c79 | 5645 | rawLen = mp_unsigned_bin_size(keyInt) + lbit; |
wolfSSL | 4:1b0d80432c79 | 5646 | |
wolfSSL | 4:1b0d80432c79 | 5647 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 4:1b0d80432c79 | 5648 | DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 5649 | if (tmps[i] == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5650 | ret = MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5651 | break; |
wolfSSL | 4:1b0d80432c79 | 5652 | } |
wolfSSL | 4:1b0d80432c79 | 5653 | |
wolfSSL | 4:1b0d80432c79 | 5654 | tmps[i][0] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5655 | sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */ |
wolfSSL | 4:1b0d80432c79 | 5656 | |
wolfSSL | 4:1b0d80432c79 | 5657 | if (sizes[i] <= MAX_SEQ_SZ) { |
wolfSSL | 4:1b0d80432c79 | 5658 | int err; |
wolfSSL | 4:1b0d80432c79 | 5659 | |
wolfSSL | 4:1b0d80432c79 | 5660 | /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 5661 | if (lbit) |
wolfSSL | 4:1b0d80432c79 | 5662 | tmps[i][sizes[i]-1] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 5663 | |
wolfSSL | 4:1b0d80432c79 | 5664 | err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); |
wolfSSL | 4:1b0d80432c79 | 5665 | if (err == MP_OKAY) { |
wolfSSL | 4:1b0d80432c79 | 5666 | sizes[i] += (rawLen-lbit); /* lbit included in rawLen */ |
wolfSSL | 4:1b0d80432c79 | 5667 | intTotalLen += sizes[i]; |
wolfSSL | 4:1b0d80432c79 | 5668 | } |
wolfSSL | 4:1b0d80432c79 | 5669 | else { |
wolfSSL | 4:1b0d80432c79 | 5670 | ret = err; |
wolfSSL | 4:1b0d80432c79 | 5671 | break; |
wolfSSL | 4:1b0d80432c79 | 5672 | } |
wolfSSL | 4:1b0d80432c79 | 5673 | } |
wolfSSL | 4:1b0d80432c79 | 5674 | else { |
wolfSSL | 4:1b0d80432c79 | 5675 | ret = ASN_INPUT_E; |
wolfSSL | 4:1b0d80432c79 | 5676 | break; |
wolfSSL | 4:1b0d80432c79 | 5677 | } |
wolfSSL | 4:1b0d80432c79 | 5678 | } |
wolfSSL | 4:1b0d80432c79 | 5679 | |
wolfSSL | 4:1b0d80432c79 | 5680 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 5681 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 4:1b0d80432c79 | 5682 | return ret; |
wolfSSL | 4:1b0d80432c79 | 5683 | } |
wolfSSL | 4:1b0d80432c79 | 5684 | |
wolfSSL | 4:1b0d80432c79 | 5685 | /* make headers */ |
wolfSSL | 4:1b0d80432c79 | 5686 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 4:1b0d80432c79 | 5687 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 4:1b0d80432c79 | 5688 | |
wolfSSL | 4:1b0d80432c79 | 5689 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 4:1b0d80432c79 | 5690 | if (outLen > (int)inLen) |
wolfSSL | 4:1b0d80432c79 | 5691 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 5692 | |
wolfSSL | 4:1b0d80432c79 | 5693 | /* write to output */ |
wolfSSL | 4:1b0d80432c79 | 5694 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 4:1b0d80432c79 | 5695 | j = seqSz; |
wolfSSL | 4:1b0d80432c79 | 5696 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 4:1b0d80432c79 | 5697 | j += verSz; |
wolfSSL | 4:1b0d80432c79 | 5698 | |
wolfSSL | 4:1b0d80432c79 | 5699 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 4:1b0d80432c79 | 5700 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 4:1b0d80432c79 | 5701 | j += sizes[i]; |
wolfSSL | 4:1b0d80432c79 | 5702 | } |
wolfSSL | 4:1b0d80432c79 | 5703 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 4:1b0d80432c79 | 5704 | |
wolfSSL | 4:1b0d80432c79 | 5705 | return outLen; |
wolfSSL | 4:1b0d80432c79 | 5706 | } |
wolfSSL | 4:1b0d80432c79 | 5707 | |
wolfSSL | 4:1b0d80432c79 | 5708 | |
wolfSSL | 4:1b0d80432c79 | 5709 | /* Convert Rsa Public key to DER format, write to output (inLen), return bytes |
wolfSSL | 4:1b0d80432c79 | 5710 | written */ |
wolfSSL | 4:1b0d80432c79 | 5711 | int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 4:1b0d80432c79 | 5712 | { |
wolfSSL | 4:1b0d80432c79 | 5713 | return SetRsaPublicKey(output, key, inLen, 1); |
wolfSSL | 4:1b0d80432c79 | 5714 | } |
wolfSSL | 4:1b0d80432c79 | 5715 | |
wolfSSL | 4:1b0d80432c79 | 5716 | #endif /* WOLFSSL_KEY_GEN && !NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 5717 | |
wolfSSL | 4:1b0d80432c79 | 5718 | |
wolfSSL | 4:1b0d80432c79 | 5719 | #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) |
wolfSSL | 4:1b0d80432c79 | 5720 | |
wolfSSL | 4:1b0d80432c79 | 5721 | |
wolfSSL | 4:1b0d80432c79 | 5722 | #ifndef WOLFSSL_HAVE_MIN |
wolfSSL | 4:1b0d80432c79 | 5723 | #define WOLFSSL_HAVE_MIN |
wolfSSL | 4:1b0d80432c79 | 5724 | |
wolfSSL | 4:1b0d80432c79 | 5725 | static INLINE word32 min(word32 a, word32 b) |
wolfSSL | 4:1b0d80432c79 | 5726 | { |
wolfSSL | 4:1b0d80432c79 | 5727 | return a > b ? b : a; |
wolfSSL | 4:1b0d80432c79 | 5728 | } |
wolfSSL | 4:1b0d80432c79 | 5729 | |
wolfSSL | 4:1b0d80432c79 | 5730 | #endif /* WOLFSSL_HAVE_MIN */ |
wolfSSL | 4:1b0d80432c79 | 5731 | |
wolfSSL | 4:1b0d80432c79 | 5732 | |
wolfSSL | 4:1b0d80432c79 | 5733 | /* Initialize and Set Certificate defaults: |
wolfSSL | 4:1b0d80432c79 | 5734 | version = 3 (0x2) |
wolfSSL | 4:1b0d80432c79 | 5735 | serial = 0 |
wolfSSL | 4:1b0d80432c79 | 5736 | sigType = SHA_WITH_RSA |
wolfSSL | 4:1b0d80432c79 | 5737 | issuer = blank |
wolfSSL | 4:1b0d80432c79 | 5738 | daysValid = 500 |
wolfSSL | 4:1b0d80432c79 | 5739 | selfSigned = 1 (true) use subject as issuer |
wolfSSL | 4:1b0d80432c79 | 5740 | subject = blank |
wolfSSL | 4:1b0d80432c79 | 5741 | */ |
wolfSSL | 4:1b0d80432c79 | 5742 | void wc_InitCert(Cert* cert) |
wolfSSL | 4:1b0d80432c79 | 5743 | { |
wolfSSL | 4:1b0d80432c79 | 5744 | cert->version = 2; /* version 3 is hex 2 */ |
wolfSSL | 4:1b0d80432c79 | 5745 | cert->sigType = CTC_SHAwRSA; |
wolfSSL | 4:1b0d80432c79 | 5746 | cert->daysValid = 500; |
wolfSSL | 4:1b0d80432c79 | 5747 | cert->selfSigned = 1; |
wolfSSL | 4:1b0d80432c79 | 5748 | cert->isCA = 0; |
wolfSSL | 4:1b0d80432c79 | 5749 | cert->bodySz = 0; |
wolfSSL | 4:1b0d80432c79 | 5750 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 5751 | cert->altNamesSz = 0; |
wolfSSL | 4:1b0d80432c79 | 5752 | cert->beforeDateSz = 0; |
wolfSSL | 4:1b0d80432c79 | 5753 | cert->afterDateSz = 0; |
wolfSSL | 4:1b0d80432c79 | 5754 | #endif |
wolfSSL | 4:1b0d80432c79 | 5755 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 5756 | cert->skidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 5757 | cert->akidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 5758 | cert->keyUsage = 0; |
wolfSSL | 4:1b0d80432c79 | 5759 | cert->certPoliciesNb = 0; |
wolfSSL | 4:1b0d80432c79 | 5760 | XMEMSET(cert->akid, 0, CTC_MAX_AKID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 5761 | XMEMSET(cert->skid, 0, CTC_MAX_SKID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 5762 | XMEMSET(cert->certPolicies, 0, CTC_MAX_CERTPOL_NB*CTC_MAX_CERTPOL_SZ); |
wolfSSL | 4:1b0d80432c79 | 5763 | #endif |
wolfSSL | 4:1b0d80432c79 | 5764 | cert->keyType = RSA_KEY; |
wolfSSL | 4:1b0d80432c79 | 5765 | XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE); |
wolfSSL | 4:1b0d80432c79 | 5766 | |
wolfSSL | 4:1b0d80432c79 | 5767 | cert->issuer.country[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5768 | cert->issuer.countryEnc = CTC_PRINTABLE; |
wolfSSL | 4:1b0d80432c79 | 5769 | cert->issuer.state[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5770 | cert->issuer.stateEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5771 | cert->issuer.locality[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5772 | cert->issuer.localityEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5773 | cert->issuer.sur[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5774 | cert->issuer.surEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5775 | cert->issuer.org[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5776 | cert->issuer.orgEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5777 | cert->issuer.unit[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5778 | cert->issuer.unitEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5779 | cert->issuer.commonName[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5780 | cert->issuer.commonNameEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5781 | cert->issuer.email[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5782 | |
wolfSSL | 4:1b0d80432c79 | 5783 | cert->subject.country[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5784 | cert->subject.countryEnc = CTC_PRINTABLE; |
wolfSSL | 4:1b0d80432c79 | 5785 | cert->subject.state[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5786 | cert->subject.stateEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5787 | cert->subject.locality[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5788 | cert->subject.localityEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5789 | cert->subject.sur[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5790 | cert->subject.surEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5791 | cert->subject.org[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5792 | cert->subject.orgEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5793 | cert->subject.unit[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5794 | cert->subject.unitEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5795 | cert->subject.commonName[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5796 | cert->subject.commonNameEnc = CTC_UTF8; |
wolfSSL | 4:1b0d80432c79 | 5797 | cert->subject.email[0] = '\0'; |
wolfSSL | 4:1b0d80432c79 | 5798 | |
wolfSSL | 4:1b0d80432c79 | 5799 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 5800 | cert->challengePw[0] ='\0'; |
wolfSSL | 4:1b0d80432c79 | 5801 | #endif |
wolfSSL | 4:1b0d80432c79 | 5802 | } |
wolfSSL | 4:1b0d80432c79 | 5803 | |
wolfSSL | 4:1b0d80432c79 | 5804 | |
wolfSSL | 4:1b0d80432c79 | 5805 | /* DER encoded x509 Certificate */ |
wolfSSL | 4:1b0d80432c79 | 5806 | typedef struct DerCert { |
wolfSSL | 4:1b0d80432c79 | 5807 | byte size[MAX_LENGTH_SZ]; /* length encoded */ |
wolfSSL | 4:1b0d80432c79 | 5808 | byte version[MAX_VERSION_SZ]; /* version encoded */ |
wolfSSL | 4:1b0d80432c79 | 5809 | byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */ |
wolfSSL | 4:1b0d80432c79 | 5810 | byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */ |
wolfSSL | 4:1b0d80432c79 | 5811 | byte issuer[ASN_NAME_MAX]; /* issuer encoded */ |
wolfSSL | 4:1b0d80432c79 | 5812 | byte subject[ASN_NAME_MAX]; /* subject encoded */ |
wolfSSL | 4:1b0d80432c79 | 5813 | byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */ |
wolfSSL | 4:1b0d80432c79 | 5814 | byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */ |
wolfSSL | 4:1b0d80432c79 | 5815 | byte ca[MAX_CA_SZ]; /* basic constraint CA true size */ |
wolfSSL | 4:1b0d80432c79 | 5816 | byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ |
wolfSSL | 4:1b0d80432c79 | 5817 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 5818 | byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ |
wolfSSL | 4:1b0d80432c79 | 5819 | byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ |
wolfSSL | 4:1b0d80432c79 | 5820 | byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ |
wolfSSL | 4:1b0d80432c79 | 5821 | byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ |
wolfSSL | 4:1b0d80432c79 | 5822 | #endif |
wolfSSL | 4:1b0d80432c79 | 5823 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 5824 | byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ |
wolfSSL | 4:1b0d80432c79 | 5825 | #endif |
wolfSSL | 4:1b0d80432c79 | 5826 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 5827 | byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */ |
wolfSSL | 4:1b0d80432c79 | 5828 | #endif |
wolfSSL | 4:1b0d80432c79 | 5829 | int sizeSz; /* encoded size length */ |
wolfSSL | 4:1b0d80432c79 | 5830 | int versionSz; /* encoded version length */ |
wolfSSL | 4:1b0d80432c79 | 5831 | int serialSz; /* encoded serial length */ |
wolfSSL | 4:1b0d80432c79 | 5832 | int sigAlgoSz; /* encoded sig alog length */ |
wolfSSL | 4:1b0d80432c79 | 5833 | int issuerSz; /* encoded issuer length */ |
wolfSSL | 4:1b0d80432c79 | 5834 | int subjectSz; /* encoded subject length */ |
wolfSSL | 4:1b0d80432c79 | 5835 | int validitySz; /* encoded validity length */ |
wolfSSL | 4:1b0d80432c79 | 5836 | int publicKeySz; /* encoded public key length */ |
wolfSSL | 4:1b0d80432c79 | 5837 | int caSz; /* encoded CA extension length */ |
wolfSSL | 4:1b0d80432c79 | 5838 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 5839 | int skidSz; /* encoded SKID extension length */ |
wolfSSL | 4:1b0d80432c79 | 5840 | int akidSz; /* encoded SKID extension length */ |
wolfSSL | 4:1b0d80432c79 | 5841 | int keyUsageSz; /* encoded KeyUsage extension length */ |
wolfSSL | 4:1b0d80432c79 | 5842 | int certPoliciesSz; /* encoded CertPolicies extension length*/ |
wolfSSL | 4:1b0d80432c79 | 5843 | #endif |
wolfSSL | 4:1b0d80432c79 | 5844 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 5845 | int altNamesSz; /* encoded AltNames extension length */ |
wolfSSL | 4:1b0d80432c79 | 5846 | #endif |
wolfSSL | 4:1b0d80432c79 | 5847 | int extensionsSz; /* encoded extensions total length */ |
wolfSSL | 4:1b0d80432c79 | 5848 | int total; /* total encoded lengths */ |
wolfSSL | 4:1b0d80432c79 | 5849 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 5850 | int attribSz; |
wolfSSL | 4:1b0d80432c79 | 5851 | #endif |
wolfSSL | 4:1b0d80432c79 | 5852 | } DerCert; |
wolfSSL | 4:1b0d80432c79 | 5853 | |
wolfSSL | 4:1b0d80432c79 | 5854 | |
wolfSSL | 4:1b0d80432c79 | 5855 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 5856 | |
wolfSSL | 4:1b0d80432c79 | 5857 | /* Write a set header to output */ |
wolfSSL | 4:1b0d80432c79 | 5858 | static word32 SetUTF8String(word32 len, byte* output) |
wolfSSL | 4:1b0d80432c79 | 5859 | { |
wolfSSL | 4:1b0d80432c79 | 5860 | output[0] = ASN_UTF8STRING; |
wolfSSL | 4:1b0d80432c79 | 5861 | return SetLength(len, output + 1) + 1; |
wolfSSL | 4:1b0d80432c79 | 5862 | } |
wolfSSL | 4:1b0d80432c79 | 5863 | |
wolfSSL | 4:1b0d80432c79 | 5864 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 4:1b0d80432c79 | 5865 | |
wolfSSL | 4:1b0d80432c79 | 5866 | |
wolfSSL | 4:1b0d80432c79 | 5867 | /* Write a serial number to output */ |
wolfSSL | 4:1b0d80432c79 | 5868 | static int SetSerial(const byte* serial, byte* output) |
wolfSSL | 4:1b0d80432c79 | 5869 | { |
wolfSSL | 4:1b0d80432c79 | 5870 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 5871 | |
wolfSSL | 4:1b0d80432c79 | 5872 | output[length++] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 5873 | length += SetLength(CTC_SERIAL_SIZE, &output[length]); |
wolfSSL | 4:1b0d80432c79 | 5874 | XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE); |
wolfSSL | 4:1b0d80432c79 | 5875 | |
wolfSSL | 4:1b0d80432c79 | 5876 | return length + CTC_SERIAL_SIZE; |
wolfSSL | 4:1b0d80432c79 | 5877 | } |
wolfSSL | 4:1b0d80432c79 | 5878 | |
wolfSSL | 4:1b0d80432c79 | 5879 | |
wolfSSL | 4:1b0d80432c79 | 5880 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 5881 | |
wolfSSL | 4:1b0d80432c79 | 5882 | |
wolfSSL | 4:1b0d80432c79 | 5883 | /* Write a public ECC key to output */ |
wolfSSL | 4:1b0d80432c79 | 5884 | static int SetEccPublicKey(byte* output, ecc_key* key, int with_header) |
wolfSSL | 4:1b0d80432c79 | 5885 | { |
wolfSSL | 4:1b0d80432c79 | 5886 | byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */ |
wolfSSL | 4:1b0d80432c79 | 5887 | int algoSz; |
wolfSSL | 4:1b0d80432c79 | 5888 | int curveSz; |
wolfSSL | 4:1b0d80432c79 | 5889 | int lenSz; |
wolfSSL | 4:1b0d80432c79 | 5890 | int idx; |
wolfSSL | 4:1b0d80432c79 | 5891 | word32 pubSz = ECC_BUFSIZE; |
wolfSSL | 4:1b0d80432c79 | 5892 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5893 | byte* algo = NULL; |
wolfSSL | 4:1b0d80432c79 | 5894 | byte* curve = NULL; |
wolfSSL | 4:1b0d80432c79 | 5895 | byte* pub = NULL; |
wolfSSL | 4:1b0d80432c79 | 5896 | #else |
wolfSSL | 4:1b0d80432c79 | 5897 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5898 | byte curve[MAX_ALGO_SZ]; |
wolfSSL | 4:1b0d80432c79 | 5899 | byte pub[ECC_BUFSIZE]; |
wolfSSL | 4:1b0d80432c79 | 5900 | #endif |
wolfSSL | 4:1b0d80432c79 | 5901 | |
wolfSSL | 4:1b0d80432c79 | 5902 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5903 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5904 | if (pub == NULL) |
wolfSSL | 4:1b0d80432c79 | 5905 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5906 | #endif |
wolfSSL | 4:1b0d80432c79 | 5907 | |
wolfSSL | 4:1b0d80432c79 | 5908 | int ret = wc_ecc_export_x963(key, pub, &pubSz); |
wolfSSL | 4:1b0d80432c79 | 5909 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 5910 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5911 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5912 | #endif |
wolfSSL | 4:1b0d80432c79 | 5913 | return ret; |
wolfSSL | 4:1b0d80432c79 | 5914 | } |
wolfSSL | 4:1b0d80432c79 | 5915 | |
wolfSSL | 4:1b0d80432c79 | 5916 | /* headers */ |
wolfSSL | 4:1b0d80432c79 | 5917 | if (with_header) { |
wolfSSL | 4:1b0d80432c79 | 5918 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5919 | curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5920 | if (curve == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5921 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5922 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5923 | } |
wolfSSL | 4:1b0d80432c79 | 5924 | #endif |
wolfSSL | 4:1b0d80432c79 | 5925 | curveSz = SetCurve(key, curve); |
wolfSSL | 4:1b0d80432c79 | 5926 | if (curveSz <= 0) { |
wolfSSL | 4:1b0d80432c79 | 5927 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5928 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5929 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5930 | #endif |
wolfSSL | 4:1b0d80432c79 | 5931 | return curveSz; |
wolfSSL | 4:1b0d80432c79 | 5932 | } |
wolfSSL | 4:1b0d80432c79 | 5933 | |
wolfSSL | 4:1b0d80432c79 | 5934 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5935 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5936 | if (algo == NULL) { |
wolfSSL | 4:1b0d80432c79 | 5937 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5938 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5939 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 5940 | } |
wolfSSL | 4:1b0d80432c79 | 5941 | #endif |
wolfSSL | 4:1b0d80432c79 | 5942 | algoSz = SetAlgoID(ECDSAk, algo, keyType, curveSz); |
wolfSSL | 4:1b0d80432c79 | 5943 | |
wolfSSL | 4:1b0d80432c79 | 5944 | lenSz = SetLength(pubSz + 1, len); |
wolfSSL | 4:1b0d80432c79 | 5945 | len[lenSz++] = 0; /* trailing 0 */ |
wolfSSL | 4:1b0d80432c79 | 5946 | |
wolfSSL | 4:1b0d80432c79 | 5947 | /* write, 1 is for ASN_BIT_STRING */ |
wolfSSL | 4:1b0d80432c79 | 5948 | idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output); |
wolfSSL | 4:1b0d80432c79 | 5949 | /* algo */ |
wolfSSL | 4:1b0d80432c79 | 5950 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 4:1b0d80432c79 | 5951 | idx += algoSz; |
wolfSSL | 4:1b0d80432c79 | 5952 | /* curve */ |
wolfSSL | 4:1b0d80432c79 | 5953 | XMEMCPY(output + idx, curve, curveSz); |
wolfSSL | 4:1b0d80432c79 | 5954 | idx += curveSz; |
wolfSSL | 4:1b0d80432c79 | 5955 | /* bit string */ |
wolfSSL | 4:1b0d80432c79 | 5956 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 5957 | /* length */ |
wolfSSL | 4:1b0d80432c79 | 5958 | XMEMCPY(output + idx, len, lenSz); |
wolfSSL | 4:1b0d80432c79 | 5959 | idx += lenSz; |
wolfSSL | 4:1b0d80432c79 | 5960 | } |
wolfSSL | 4:1b0d80432c79 | 5961 | else |
wolfSSL | 4:1b0d80432c79 | 5962 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 5963 | |
wolfSSL | 4:1b0d80432c79 | 5964 | /* pub */ |
wolfSSL | 4:1b0d80432c79 | 5965 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 4:1b0d80432c79 | 5966 | idx += pubSz; |
wolfSSL | 4:1b0d80432c79 | 5967 | |
wolfSSL | 4:1b0d80432c79 | 5968 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 5969 | if (with_header) { |
wolfSSL | 4:1b0d80432c79 | 5970 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5971 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5972 | } |
wolfSSL | 4:1b0d80432c79 | 5973 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 5974 | #endif |
wolfSSL | 4:1b0d80432c79 | 5975 | |
wolfSSL | 4:1b0d80432c79 | 5976 | return idx; |
wolfSSL | 4:1b0d80432c79 | 5977 | } |
wolfSSL | 4:1b0d80432c79 | 5978 | |
wolfSSL | 4:1b0d80432c79 | 5979 | |
wolfSSL | 4:1b0d80432c79 | 5980 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 5981 | |
wolfSSL | 4:1b0d80432c79 | 5982 | |
wolfSSL | 4:1b0d80432c79 | 5983 | static INLINE byte itob(int number) |
wolfSSL | 4:1b0d80432c79 | 5984 | { |
wolfSSL | 4:1b0d80432c79 | 5985 | return (byte)number + 0x30; |
wolfSSL | 4:1b0d80432c79 | 5986 | } |
wolfSSL | 4:1b0d80432c79 | 5987 | |
wolfSSL | 4:1b0d80432c79 | 5988 | |
wolfSSL | 4:1b0d80432c79 | 5989 | /* write time to output, format */ |
wolfSSL | 4:1b0d80432c79 | 5990 | static void SetTime(struct tm* date, byte* output) |
wolfSSL | 4:1b0d80432c79 | 5991 | { |
wolfSSL | 4:1b0d80432c79 | 5992 | int i = 0; |
wolfSSL | 4:1b0d80432c79 | 5993 | |
wolfSSL | 4:1b0d80432c79 | 5994 | output[i++] = itob((date->tm_year % 10000) / 1000); |
wolfSSL | 4:1b0d80432c79 | 5995 | output[i++] = itob((date->tm_year % 1000) / 100); |
wolfSSL | 4:1b0d80432c79 | 5996 | output[i++] = itob((date->tm_year % 100) / 10); |
wolfSSL | 4:1b0d80432c79 | 5997 | output[i++] = itob( date->tm_year % 10); |
wolfSSL | 4:1b0d80432c79 | 5998 | |
wolfSSL | 4:1b0d80432c79 | 5999 | output[i++] = itob(date->tm_mon / 10); |
wolfSSL | 4:1b0d80432c79 | 6000 | output[i++] = itob(date->tm_mon % 10); |
wolfSSL | 4:1b0d80432c79 | 6001 | |
wolfSSL | 4:1b0d80432c79 | 6002 | output[i++] = itob(date->tm_mday / 10); |
wolfSSL | 4:1b0d80432c79 | 6003 | output[i++] = itob(date->tm_mday % 10); |
wolfSSL | 4:1b0d80432c79 | 6004 | |
wolfSSL | 4:1b0d80432c79 | 6005 | output[i++] = itob(date->tm_hour / 10); |
wolfSSL | 4:1b0d80432c79 | 6006 | output[i++] = itob(date->tm_hour % 10); |
wolfSSL | 4:1b0d80432c79 | 6007 | |
wolfSSL | 4:1b0d80432c79 | 6008 | output[i++] = itob(date->tm_min / 10); |
wolfSSL | 4:1b0d80432c79 | 6009 | output[i++] = itob(date->tm_min % 10); |
wolfSSL | 4:1b0d80432c79 | 6010 | |
wolfSSL | 4:1b0d80432c79 | 6011 | output[i++] = itob(date->tm_sec / 10); |
wolfSSL | 4:1b0d80432c79 | 6012 | output[i++] = itob(date->tm_sec % 10); |
wolfSSL | 4:1b0d80432c79 | 6013 | |
wolfSSL | 4:1b0d80432c79 | 6014 | output[i] = 'Z'; /* Zulu profile */ |
wolfSSL | 4:1b0d80432c79 | 6015 | } |
wolfSSL | 4:1b0d80432c79 | 6016 | |
wolfSSL | 4:1b0d80432c79 | 6017 | |
wolfSSL | 4:1b0d80432c79 | 6018 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 6019 | |
wolfSSL | 4:1b0d80432c79 | 6020 | /* Copy Dates from cert, return bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6021 | static int CopyValidity(byte* output, Cert* cert) |
wolfSSL | 4:1b0d80432c79 | 6022 | { |
wolfSSL | 4:1b0d80432c79 | 6023 | int seqSz; |
wolfSSL | 4:1b0d80432c79 | 6024 | |
wolfSSL | 4:1b0d80432c79 | 6025 | WOLFSSL_ENTER("CopyValidity"); |
wolfSSL | 4:1b0d80432c79 | 6026 | |
wolfSSL | 4:1b0d80432c79 | 6027 | /* headers and output */ |
wolfSSL | 4:1b0d80432c79 | 6028 | seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output); |
wolfSSL | 4:1b0d80432c79 | 6029 | XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz); |
wolfSSL | 4:1b0d80432c79 | 6030 | XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate, |
wolfSSL | 4:1b0d80432c79 | 6031 | cert->afterDateSz); |
wolfSSL | 4:1b0d80432c79 | 6032 | return seqSz + cert->beforeDateSz + cert->afterDateSz; |
wolfSSL | 4:1b0d80432c79 | 6033 | } |
wolfSSL | 4:1b0d80432c79 | 6034 | |
wolfSSL | 4:1b0d80432c79 | 6035 | #endif |
wolfSSL | 4:1b0d80432c79 | 6036 | |
wolfSSL | 4:1b0d80432c79 | 6037 | |
wolfSSL | 4:1b0d80432c79 | 6038 | /* for systems where mktime() doesn't normalize fully */ |
wolfSSL | 4:1b0d80432c79 | 6039 | static void RebuildTime(time_t* in, struct tm* out) |
wolfSSL | 4:1b0d80432c79 | 6040 | { |
wolfSSL | 4:1b0d80432c79 | 6041 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 4:1b0d80432c79 | 6042 | out = localtime_r(in, out); |
wolfSSL | 4:1b0d80432c79 | 6043 | #else |
wolfSSL | 4:1b0d80432c79 | 6044 | (void)in; |
wolfSSL | 4:1b0d80432c79 | 6045 | (void)out; |
wolfSSL | 4:1b0d80432c79 | 6046 | #endif |
wolfSSL | 4:1b0d80432c79 | 6047 | } |
wolfSSL | 4:1b0d80432c79 | 6048 | |
wolfSSL | 4:1b0d80432c79 | 6049 | |
wolfSSL | 4:1b0d80432c79 | 6050 | /* Set Date validity from now until now + daysValid |
wolfSSL | 4:1b0d80432c79 | 6051 | * return size in bytes written to output, 0 on error */ |
wolfSSL | 4:1b0d80432c79 | 6052 | static int SetValidity(byte* output, int daysValid) |
wolfSSL | 4:1b0d80432c79 | 6053 | { |
wolfSSL | 4:1b0d80432c79 | 6054 | byte before[MAX_DATE_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 6055 | byte after[MAX_DATE_SIZE]; |
wolfSSL | 4:1b0d80432c79 | 6056 | |
wolfSSL | 4:1b0d80432c79 | 6057 | int beforeSz; |
wolfSSL | 4:1b0d80432c79 | 6058 | int afterSz; |
wolfSSL | 4:1b0d80432c79 | 6059 | int seqSz; |
wolfSSL | 4:1b0d80432c79 | 6060 | |
wolfSSL | 4:1b0d80432c79 | 6061 | time_t ticks; |
wolfSSL | 4:1b0d80432c79 | 6062 | time_t normalTime; |
wolfSSL | 4:1b0d80432c79 | 6063 | struct tm* now; |
wolfSSL | 4:1b0d80432c79 | 6064 | struct tm* tmpTime = NULL; |
wolfSSL | 4:1b0d80432c79 | 6065 | struct tm local; |
wolfSSL | 4:1b0d80432c79 | 6066 | |
wolfSSL | 4:1b0d80432c79 | 6067 | #if defined(NEED_TMP_TIME) |
wolfSSL | 4:1b0d80432c79 | 6068 | /* for use with gmtime_r */ |
wolfSSL | 4:1b0d80432c79 | 6069 | struct tm tmpTimeStorage; |
wolfSSL | 4:1b0d80432c79 | 6070 | tmpTime = &tmpTimeStorage; |
wolfSSL | 4:1b0d80432c79 | 6071 | #else |
wolfSSL | 4:1b0d80432c79 | 6072 | (void)tmpTime; |
wolfSSL | 4:1b0d80432c79 | 6073 | #endif |
wolfSSL | 4:1b0d80432c79 | 6074 | |
wolfSSL | 4:1b0d80432c79 | 6075 | ticks = XTIME(0); |
wolfSSL | 4:1b0d80432c79 | 6076 | now = XGMTIME(&ticks, tmpTime); |
wolfSSL | 4:1b0d80432c79 | 6077 | |
wolfSSL | 4:1b0d80432c79 | 6078 | if (now == NULL) { |
wolfSSL | 4:1b0d80432c79 | 6079 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 4:1b0d80432c79 | 6080 | return 0; /* error */ |
wolfSSL | 4:1b0d80432c79 | 6081 | } |
wolfSSL | 4:1b0d80432c79 | 6082 | |
wolfSSL | 4:1b0d80432c79 | 6083 | /* before now */ |
wolfSSL | 4:1b0d80432c79 | 6084 | local = *now; |
wolfSSL | 4:1b0d80432c79 | 6085 | before[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 4:1b0d80432c79 | 6086 | beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */ |
wolfSSL | 4:1b0d80432c79 | 6087 | |
wolfSSL | 4:1b0d80432c79 | 6088 | /* subtract 1 day for more compliance */ |
wolfSSL | 4:1b0d80432c79 | 6089 | local.tm_mday -= 1; |
wolfSSL | 4:1b0d80432c79 | 6090 | normalTime = mktime(&local); |
wolfSSL | 4:1b0d80432c79 | 6091 | RebuildTime(&normalTime, &local); |
wolfSSL | 4:1b0d80432c79 | 6092 | |
wolfSSL | 4:1b0d80432c79 | 6093 | /* adjust */ |
wolfSSL | 4:1b0d80432c79 | 6094 | local.tm_year += 1900; |
wolfSSL | 4:1b0d80432c79 | 6095 | local.tm_mon += 1; |
wolfSSL | 4:1b0d80432c79 | 6096 | |
wolfSSL | 4:1b0d80432c79 | 6097 | SetTime(&local, before + beforeSz); |
wolfSSL | 4:1b0d80432c79 | 6098 | beforeSz += ASN_GEN_TIME_SZ; |
wolfSSL | 4:1b0d80432c79 | 6099 | |
wolfSSL | 4:1b0d80432c79 | 6100 | /* after now + daysValid */ |
wolfSSL | 4:1b0d80432c79 | 6101 | local = *now; |
wolfSSL | 4:1b0d80432c79 | 6102 | after[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 4:1b0d80432c79 | 6103 | afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */ |
wolfSSL | 4:1b0d80432c79 | 6104 | |
wolfSSL | 4:1b0d80432c79 | 6105 | /* add daysValid */ |
wolfSSL | 4:1b0d80432c79 | 6106 | local.tm_mday += daysValid; |
wolfSSL | 4:1b0d80432c79 | 6107 | normalTime = mktime(&local); |
wolfSSL | 4:1b0d80432c79 | 6108 | RebuildTime(&normalTime, &local); |
wolfSSL | 4:1b0d80432c79 | 6109 | |
wolfSSL | 4:1b0d80432c79 | 6110 | /* adjust */ |
wolfSSL | 4:1b0d80432c79 | 6111 | local.tm_year += 1900; |
wolfSSL | 4:1b0d80432c79 | 6112 | local.tm_mon += 1; |
wolfSSL | 4:1b0d80432c79 | 6113 | |
wolfSSL | 4:1b0d80432c79 | 6114 | SetTime(&local, after + afterSz); |
wolfSSL | 4:1b0d80432c79 | 6115 | afterSz += ASN_GEN_TIME_SZ; |
wolfSSL | 4:1b0d80432c79 | 6116 | |
wolfSSL | 4:1b0d80432c79 | 6117 | /* headers and output */ |
wolfSSL | 4:1b0d80432c79 | 6118 | seqSz = SetSequence(beforeSz + afterSz, output); |
wolfSSL | 4:1b0d80432c79 | 6119 | XMEMCPY(output + seqSz, before, beforeSz); |
wolfSSL | 4:1b0d80432c79 | 6120 | XMEMCPY(output + seqSz + beforeSz, after, afterSz); |
wolfSSL | 4:1b0d80432c79 | 6121 | |
wolfSSL | 4:1b0d80432c79 | 6122 | return seqSz + beforeSz + afterSz; |
wolfSSL | 4:1b0d80432c79 | 6123 | } |
wolfSSL | 4:1b0d80432c79 | 6124 | |
wolfSSL | 4:1b0d80432c79 | 6125 | |
wolfSSL | 4:1b0d80432c79 | 6126 | /* ASN Encoded Name field */ |
wolfSSL | 4:1b0d80432c79 | 6127 | typedef struct EncodedName { |
wolfSSL | 4:1b0d80432c79 | 6128 | int nameLen; /* actual string value length */ |
wolfSSL | 4:1b0d80432c79 | 6129 | int totalLen; /* total encoded length */ |
wolfSSL | 4:1b0d80432c79 | 6130 | int type; /* type of name */ |
wolfSSL | 4:1b0d80432c79 | 6131 | int used; /* are we actually using this one */ |
wolfSSL | 4:1b0d80432c79 | 6132 | byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ |
wolfSSL | 4:1b0d80432c79 | 6133 | } EncodedName; |
wolfSSL | 4:1b0d80432c79 | 6134 | |
wolfSSL | 4:1b0d80432c79 | 6135 | |
wolfSSL | 4:1b0d80432c79 | 6136 | /* Get Which Name from index */ |
wolfSSL | 4:1b0d80432c79 | 6137 | static const char* GetOneName(CertName* name, int idx) |
wolfSSL | 4:1b0d80432c79 | 6138 | { |
wolfSSL | 4:1b0d80432c79 | 6139 | switch (idx) { |
wolfSSL | 4:1b0d80432c79 | 6140 | case 0: |
wolfSSL | 4:1b0d80432c79 | 6141 | return name->country; |
wolfSSL | 4:1b0d80432c79 | 6142 | |
wolfSSL | 4:1b0d80432c79 | 6143 | case 1: |
wolfSSL | 4:1b0d80432c79 | 6144 | return name->state; |
wolfSSL | 4:1b0d80432c79 | 6145 | |
wolfSSL | 4:1b0d80432c79 | 6146 | case 2: |
wolfSSL | 4:1b0d80432c79 | 6147 | return name->locality; |
wolfSSL | 4:1b0d80432c79 | 6148 | |
wolfSSL | 4:1b0d80432c79 | 6149 | case 3: |
wolfSSL | 4:1b0d80432c79 | 6150 | return name->sur; |
wolfSSL | 4:1b0d80432c79 | 6151 | |
wolfSSL | 4:1b0d80432c79 | 6152 | case 4: |
wolfSSL | 4:1b0d80432c79 | 6153 | return name->org; |
wolfSSL | 4:1b0d80432c79 | 6154 | |
wolfSSL | 4:1b0d80432c79 | 6155 | case 5: |
wolfSSL | 4:1b0d80432c79 | 6156 | return name->unit; |
wolfSSL | 4:1b0d80432c79 | 6157 | |
wolfSSL | 4:1b0d80432c79 | 6158 | case 6: |
wolfSSL | 4:1b0d80432c79 | 6159 | return name->commonName; |
wolfSSL | 4:1b0d80432c79 | 6160 | |
wolfSSL | 4:1b0d80432c79 | 6161 | case 7: |
wolfSSL | 4:1b0d80432c79 | 6162 | return name->email; |
wolfSSL | 4:1b0d80432c79 | 6163 | |
wolfSSL | 4:1b0d80432c79 | 6164 | default: |
wolfSSL | 4:1b0d80432c79 | 6165 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6166 | } |
wolfSSL | 4:1b0d80432c79 | 6167 | } |
wolfSSL | 4:1b0d80432c79 | 6168 | |
wolfSSL | 4:1b0d80432c79 | 6169 | |
wolfSSL | 4:1b0d80432c79 | 6170 | /* Get Which Name Encoding from index */ |
wolfSSL | 4:1b0d80432c79 | 6171 | static char GetNameType(CertName* name, int idx) |
wolfSSL | 4:1b0d80432c79 | 6172 | { |
wolfSSL | 4:1b0d80432c79 | 6173 | switch (idx) { |
wolfSSL | 4:1b0d80432c79 | 6174 | case 0: |
wolfSSL | 4:1b0d80432c79 | 6175 | return name->countryEnc; |
wolfSSL | 4:1b0d80432c79 | 6176 | |
wolfSSL | 4:1b0d80432c79 | 6177 | case 1: |
wolfSSL | 4:1b0d80432c79 | 6178 | return name->stateEnc; |
wolfSSL | 4:1b0d80432c79 | 6179 | |
wolfSSL | 4:1b0d80432c79 | 6180 | case 2: |
wolfSSL | 4:1b0d80432c79 | 6181 | return name->localityEnc; |
wolfSSL | 4:1b0d80432c79 | 6182 | |
wolfSSL | 4:1b0d80432c79 | 6183 | case 3: |
wolfSSL | 4:1b0d80432c79 | 6184 | return name->surEnc; |
wolfSSL | 4:1b0d80432c79 | 6185 | |
wolfSSL | 4:1b0d80432c79 | 6186 | case 4: |
wolfSSL | 4:1b0d80432c79 | 6187 | return name->orgEnc; |
wolfSSL | 4:1b0d80432c79 | 6188 | |
wolfSSL | 4:1b0d80432c79 | 6189 | case 5: |
wolfSSL | 4:1b0d80432c79 | 6190 | return name->unitEnc; |
wolfSSL | 4:1b0d80432c79 | 6191 | |
wolfSSL | 4:1b0d80432c79 | 6192 | case 6: |
wolfSSL | 4:1b0d80432c79 | 6193 | return name->commonNameEnc; |
wolfSSL | 4:1b0d80432c79 | 6194 | |
wolfSSL | 4:1b0d80432c79 | 6195 | default: |
wolfSSL | 4:1b0d80432c79 | 6196 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6197 | } |
wolfSSL | 4:1b0d80432c79 | 6198 | } |
wolfSSL | 4:1b0d80432c79 | 6199 | |
wolfSSL | 4:1b0d80432c79 | 6200 | |
wolfSSL | 4:1b0d80432c79 | 6201 | /* Get ASN Name from index */ |
wolfSSL | 4:1b0d80432c79 | 6202 | static byte GetNameId(int idx) |
wolfSSL | 4:1b0d80432c79 | 6203 | { |
wolfSSL | 4:1b0d80432c79 | 6204 | switch (idx) { |
wolfSSL | 4:1b0d80432c79 | 6205 | case 0: |
wolfSSL | 4:1b0d80432c79 | 6206 | return ASN_COUNTRY_NAME; |
wolfSSL | 4:1b0d80432c79 | 6207 | |
wolfSSL | 4:1b0d80432c79 | 6208 | case 1: |
wolfSSL | 4:1b0d80432c79 | 6209 | return ASN_STATE_NAME; |
wolfSSL | 4:1b0d80432c79 | 6210 | |
wolfSSL | 4:1b0d80432c79 | 6211 | case 2: |
wolfSSL | 4:1b0d80432c79 | 6212 | return ASN_LOCALITY_NAME; |
wolfSSL | 4:1b0d80432c79 | 6213 | |
wolfSSL | 4:1b0d80432c79 | 6214 | case 3: |
wolfSSL | 4:1b0d80432c79 | 6215 | return ASN_SUR_NAME; |
wolfSSL | 4:1b0d80432c79 | 6216 | |
wolfSSL | 4:1b0d80432c79 | 6217 | case 4: |
wolfSSL | 4:1b0d80432c79 | 6218 | return ASN_ORG_NAME; |
wolfSSL | 4:1b0d80432c79 | 6219 | |
wolfSSL | 4:1b0d80432c79 | 6220 | case 5: |
wolfSSL | 4:1b0d80432c79 | 6221 | return ASN_ORGUNIT_NAME; |
wolfSSL | 4:1b0d80432c79 | 6222 | |
wolfSSL | 4:1b0d80432c79 | 6223 | case 6: |
wolfSSL | 4:1b0d80432c79 | 6224 | return ASN_COMMON_NAME; |
wolfSSL | 4:1b0d80432c79 | 6225 | |
wolfSSL | 4:1b0d80432c79 | 6226 | case 7: |
wolfSSL | 4:1b0d80432c79 | 6227 | /* email uses different id type */ |
wolfSSL | 4:1b0d80432c79 | 6228 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6229 | |
wolfSSL | 4:1b0d80432c79 | 6230 | default: |
wolfSSL | 4:1b0d80432c79 | 6231 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6232 | } |
wolfSSL | 4:1b0d80432c79 | 6233 | } |
wolfSSL | 4:1b0d80432c79 | 6234 | |
wolfSSL | 4:1b0d80432c79 | 6235 | /* |
wolfSSL | 4:1b0d80432c79 | 6236 | Extensions ::= SEQUENCE OF Extension |
wolfSSL | 4:1b0d80432c79 | 6237 | |
wolfSSL | 4:1b0d80432c79 | 6238 | Extension ::= SEQUENCE { |
wolfSSL | 4:1b0d80432c79 | 6239 | extnId OBJECT IDENTIFIER, |
wolfSSL | 4:1b0d80432c79 | 6240 | critical BOOLEAN DEFAULT FALSE, |
wolfSSL | 4:1b0d80432c79 | 6241 | extnValue OCTET STRING } |
wolfSSL | 4:1b0d80432c79 | 6242 | */ |
wolfSSL | 4:1b0d80432c79 | 6243 | |
wolfSSL | 4:1b0d80432c79 | 6244 | /* encode all extensions, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6245 | static int SetExtensions(byte* out, word32 outSz, int *IdxInOut, |
wolfSSL | 4:1b0d80432c79 | 6246 | const byte* ext, int extSz) |
wolfSSL | 4:1b0d80432c79 | 6247 | { |
wolfSSL | 4:1b0d80432c79 | 6248 | if (out == NULL || IdxInOut == NULL || ext == NULL) |
wolfSSL | 4:1b0d80432c79 | 6249 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6250 | |
wolfSSL | 4:1b0d80432c79 | 6251 | if (outSz < (word32)(*IdxInOut+extSz)) |
wolfSSL | 4:1b0d80432c79 | 6252 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6253 | |
wolfSSL | 4:1b0d80432c79 | 6254 | XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */ |
wolfSSL | 4:1b0d80432c79 | 6255 | *IdxInOut += extSz; |
wolfSSL | 4:1b0d80432c79 | 6256 | |
wolfSSL | 4:1b0d80432c79 | 6257 | return *IdxInOut; |
wolfSSL | 4:1b0d80432c79 | 6258 | } |
wolfSSL | 4:1b0d80432c79 | 6259 | |
wolfSSL | 4:1b0d80432c79 | 6260 | /* encode extensions header, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6261 | static int SetExtensionsHeader(byte* out, word32 outSz, int extSz) |
wolfSSL | 4:1b0d80432c79 | 6262 | { |
wolfSSL | 4:1b0d80432c79 | 6263 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6264 | byte len[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6265 | int seqSz, lenSz, idx = 0; |
wolfSSL | 4:1b0d80432c79 | 6266 | |
wolfSSL | 4:1b0d80432c79 | 6267 | if (out == NULL) |
wolfSSL | 4:1b0d80432c79 | 6268 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6269 | |
wolfSSL | 4:1b0d80432c79 | 6270 | if (outSz < 3) |
wolfSSL | 4:1b0d80432c79 | 6271 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6272 | |
wolfSSL | 4:1b0d80432c79 | 6273 | seqSz = SetSequence(extSz, sequence); |
wolfSSL | 4:1b0d80432c79 | 6274 | |
wolfSSL | 4:1b0d80432c79 | 6275 | /* encode extensions length provided */ |
wolfSSL | 4:1b0d80432c79 | 6276 | lenSz = SetLength(extSz+seqSz, len); |
wolfSSL | 4:1b0d80432c79 | 6277 | |
wolfSSL | 4:1b0d80432c79 | 6278 | if (outSz < (word32)(lenSz+seqSz+1)) |
wolfSSL | 4:1b0d80432c79 | 6279 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6280 | |
wolfSSL | 4:1b0d80432c79 | 6281 | out[idx++] = ASN_EXTENSIONS; /* extensions id */ |
wolfSSL | 4:1b0d80432c79 | 6282 | XMEMCPY(&out[idx], len, lenSz); /* length */ |
wolfSSL | 4:1b0d80432c79 | 6283 | idx += lenSz; |
wolfSSL | 4:1b0d80432c79 | 6284 | |
wolfSSL | 4:1b0d80432c79 | 6285 | XMEMCPY(&out[idx], sequence, seqSz); /* sequence */ |
wolfSSL | 4:1b0d80432c79 | 6286 | idx += seqSz; |
wolfSSL | 4:1b0d80432c79 | 6287 | |
wolfSSL | 4:1b0d80432c79 | 6288 | return idx; |
wolfSSL | 4:1b0d80432c79 | 6289 | } |
wolfSSL | 4:1b0d80432c79 | 6290 | |
wolfSSL | 4:1b0d80432c79 | 6291 | |
wolfSSL | 4:1b0d80432c79 | 6292 | /* encode CA basic constraint true, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6293 | static int SetCa(byte* out, word32 outSz) |
wolfSSL | 4:1b0d80432c79 | 6294 | { |
wolfSSL | 4:1b0d80432c79 | 6295 | static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, |
wolfSSL | 4:1b0d80432c79 | 6296 | 0x05, 0x30, 0x03, 0x01, 0x01, 0xff }; |
wolfSSL | 4:1b0d80432c79 | 6297 | |
wolfSSL | 4:1b0d80432c79 | 6298 | if (out == NULL) |
wolfSSL | 4:1b0d80432c79 | 6299 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6300 | |
wolfSSL | 4:1b0d80432c79 | 6301 | if (outSz < sizeof(ca)) |
wolfSSL | 4:1b0d80432c79 | 6302 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6303 | |
wolfSSL | 4:1b0d80432c79 | 6304 | XMEMCPY(out, ca, sizeof(ca)); |
wolfSSL | 4:1b0d80432c79 | 6305 | |
wolfSSL | 4:1b0d80432c79 | 6306 | return (int)sizeof(ca); |
wolfSSL | 4:1b0d80432c79 | 6307 | } |
wolfSSL | 4:1b0d80432c79 | 6308 | |
wolfSSL | 4:1b0d80432c79 | 6309 | |
wolfSSL | 4:1b0d80432c79 | 6310 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 6311 | /* encode OID and associated value, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6312 | static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz, |
wolfSSL | 4:1b0d80432c79 | 6313 | byte *in, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 6314 | { |
wolfSSL | 4:1b0d80432c79 | 6315 | int idx = 0; |
wolfSSL | 4:1b0d80432c79 | 6316 | |
wolfSSL | 4:1b0d80432c79 | 6317 | if (out == NULL || oid == NULL || in == NULL) |
wolfSSL | 4:1b0d80432c79 | 6318 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6319 | |
wolfSSL | 4:1b0d80432c79 | 6320 | if (outSz < 3) |
wolfSSL | 4:1b0d80432c79 | 6321 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6322 | |
wolfSSL | 4:1b0d80432c79 | 6323 | /* sequence, + 1 => byte to put value size */ |
wolfSSL | 4:1b0d80432c79 | 6324 | idx = SetSequence(inSz + oidSz + 1, out); |
wolfSSL | 4:1b0d80432c79 | 6325 | |
wolfSSL | 4:1b0d80432c79 | 6326 | if (outSz < idx + inSz + oidSz + 1) |
wolfSSL | 4:1b0d80432c79 | 6327 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6328 | |
wolfSSL | 4:1b0d80432c79 | 6329 | XMEMCPY(out+idx, oid, oidSz); |
wolfSSL | 4:1b0d80432c79 | 6330 | idx += oidSz; |
wolfSSL | 4:1b0d80432c79 | 6331 | out[idx++] = (byte)inSz; |
wolfSSL | 4:1b0d80432c79 | 6332 | XMEMCPY(out+idx, in, inSz); |
wolfSSL | 4:1b0d80432c79 | 6333 | |
wolfSSL | 4:1b0d80432c79 | 6334 | return (idx+inSz); |
wolfSSL | 4:1b0d80432c79 | 6335 | } |
wolfSSL | 4:1b0d80432c79 | 6336 | |
wolfSSL | 4:1b0d80432c79 | 6337 | /* encode Subject Key Identifier, return total bytes written |
wolfSSL | 4:1b0d80432c79 | 6338 | * RFC5280 : non-critical */ |
wolfSSL | 4:1b0d80432c79 | 6339 | static int SetSKID(byte* output, word32 outSz, byte *input, word32 length) |
wolfSSL | 4:1b0d80432c79 | 6340 | { |
wolfSSL | 4:1b0d80432c79 | 6341 | byte skid_len[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6342 | byte skid_enc_len[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6343 | int idx = 0, skid_lenSz, skid_enc_lenSz; |
wolfSSL | 4:1b0d80432c79 | 6344 | static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 }; |
wolfSSL | 4:1b0d80432c79 | 6345 | |
wolfSSL | 4:1b0d80432c79 | 6346 | if (output == NULL || input == NULL) |
wolfSSL | 4:1b0d80432c79 | 6347 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6348 | |
wolfSSL | 4:1b0d80432c79 | 6349 | /* length of value */ |
wolfSSL | 4:1b0d80432c79 | 6350 | skid_lenSz = SetLength(length, skid_len); |
wolfSSL | 4:1b0d80432c79 | 6351 | |
wolfSSL | 4:1b0d80432c79 | 6352 | /* length of encoded value */ |
wolfSSL | 4:1b0d80432c79 | 6353 | skid_enc_lenSz = SetLength(length + skid_lenSz + 1, skid_enc_len); |
wolfSSL | 4:1b0d80432c79 | 6354 | |
wolfSSL | 4:1b0d80432c79 | 6355 | if (outSz < 3) |
wolfSSL | 4:1b0d80432c79 | 6356 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6357 | |
wolfSSL | 4:1b0d80432c79 | 6358 | /* sequence, + 1 => byte to put type size */ |
wolfSSL | 4:1b0d80432c79 | 6359 | idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz+1, |
wolfSSL | 4:1b0d80432c79 | 6360 | output); |
wolfSSL | 4:1b0d80432c79 | 6361 | |
wolfSSL | 4:1b0d80432c79 | 6362 | if (outSz < length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz + 1) |
wolfSSL | 4:1b0d80432c79 | 6363 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6364 | |
wolfSSL | 4:1b0d80432c79 | 6365 | /* put oid */ |
wolfSSL | 4:1b0d80432c79 | 6366 | XMEMCPY(output+idx, skid_oid, sizeof(skid_oid)); |
wolfSSL | 4:1b0d80432c79 | 6367 | idx += sizeof(skid_oid); |
wolfSSL | 4:1b0d80432c79 | 6368 | |
wolfSSL | 4:1b0d80432c79 | 6369 | /* put encoded len */ |
wolfSSL | 4:1b0d80432c79 | 6370 | XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz); |
wolfSSL | 4:1b0d80432c79 | 6371 | idx += skid_enc_lenSz; |
wolfSSL | 4:1b0d80432c79 | 6372 | |
wolfSSL | 4:1b0d80432c79 | 6373 | /* put type */ |
wolfSSL | 4:1b0d80432c79 | 6374 | output[idx++] = ASN_OCTET_STRING; |
wolfSSL | 4:1b0d80432c79 | 6375 | |
wolfSSL | 4:1b0d80432c79 | 6376 | /* put value len */ |
wolfSSL | 4:1b0d80432c79 | 6377 | XMEMCPY(output+idx, skid_len, skid_lenSz); |
wolfSSL | 4:1b0d80432c79 | 6378 | idx += skid_lenSz; |
wolfSSL | 4:1b0d80432c79 | 6379 | |
wolfSSL | 4:1b0d80432c79 | 6380 | /* put value */ |
wolfSSL | 4:1b0d80432c79 | 6381 | XMEMCPY(output+idx, input, length); |
wolfSSL | 4:1b0d80432c79 | 6382 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 6383 | |
wolfSSL | 4:1b0d80432c79 | 6384 | return idx; |
wolfSSL | 4:1b0d80432c79 | 6385 | } |
wolfSSL | 4:1b0d80432c79 | 6386 | |
wolfSSL | 4:1b0d80432c79 | 6387 | /* encode Authority Key Identifier, return total bytes written |
wolfSSL | 4:1b0d80432c79 | 6388 | * RFC5280 : non-critical */ |
wolfSSL | 4:1b0d80432c79 | 6389 | static int SetAKID(byte* output, word32 outSz, byte *input, word32 length) |
wolfSSL | 4:1b0d80432c79 | 6390 | { |
wolfSSL | 4:1b0d80432c79 | 6391 | byte *enc_val; |
wolfSSL | 4:1b0d80432c79 | 6392 | int ret, enc_valSz; |
wolfSSL | 4:1b0d80432c79 | 6393 | static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04}; |
wolfSSL | 4:1b0d80432c79 | 6394 | static const byte akid_cs[] = { 0x80 }; |
wolfSSL | 4:1b0d80432c79 | 6395 | |
wolfSSL | 4:1b0d80432c79 | 6396 | if (output == NULL || input == NULL) |
wolfSSL | 4:1b0d80432c79 | 6397 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6398 | |
wolfSSL | 4:1b0d80432c79 | 6399 | enc_val = (byte *)XMALLOC(length+3+sizeof(akid_cs), NULL, |
wolfSSL | 4:1b0d80432c79 | 6400 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6401 | if (enc_val == NULL) |
wolfSSL | 4:1b0d80432c79 | 6402 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 6403 | |
wolfSSL | 4:1b0d80432c79 | 6404 | /* sequence for ContentSpec & value */ |
wolfSSL | 4:1b0d80432c79 | 6405 | enc_valSz = SetOidValue(enc_val, length+3+sizeof(akid_cs), |
wolfSSL | 4:1b0d80432c79 | 6406 | akid_cs, sizeof(akid_cs), input, length); |
wolfSSL | 4:1b0d80432c79 | 6407 | if (enc_valSz == 0) { |
wolfSSL | 4:1b0d80432c79 | 6408 | XFREE(enc_val, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6409 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6410 | } |
wolfSSL | 4:1b0d80432c79 | 6411 | |
wolfSSL | 4:1b0d80432c79 | 6412 | ret = SetOidValue(output, outSz, akid_oid, |
wolfSSL | 4:1b0d80432c79 | 6413 | sizeof(akid_oid), enc_val, enc_valSz); |
wolfSSL | 4:1b0d80432c79 | 6414 | |
wolfSSL | 4:1b0d80432c79 | 6415 | XFREE(enc_val, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6416 | return ret; |
wolfSSL | 4:1b0d80432c79 | 6417 | } |
wolfSSL | 4:1b0d80432c79 | 6418 | |
wolfSSL | 4:1b0d80432c79 | 6419 | /* encode Key Usage, return total bytes written |
wolfSSL | 4:1b0d80432c79 | 6420 | * RFC5280 : critical */ |
wolfSSL | 4:1b0d80432c79 | 6421 | static int SetKeyUsage(byte* output, word32 outSz, word16 input) |
wolfSSL | 4:1b0d80432c79 | 6422 | { |
wolfSSL | 4:1b0d80432c79 | 6423 | byte ku[5]; |
wolfSSL | 4:1b0d80432c79 | 6424 | int unusedBits = 0; |
wolfSSL | 4:1b0d80432c79 | 6425 | static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f, |
wolfSSL | 4:1b0d80432c79 | 6426 | 0x01, 0x01, 0xff, 0x04}; |
wolfSSL | 4:1b0d80432c79 | 6427 | |
wolfSSL | 4:1b0d80432c79 | 6428 | if (output == NULL) |
wolfSSL | 4:1b0d80432c79 | 6429 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6430 | |
wolfSSL | 4:1b0d80432c79 | 6431 | /* Key Usage is a BitString */ |
wolfSSL | 4:1b0d80432c79 | 6432 | ku[0] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 6433 | |
wolfSSL | 4:1b0d80432c79 | 6434 | /* put the Bit String size */ |
wolfSSL | 4:1b0d80432c79 | 6435 | if (input > 255) { |
wolfSSL | 4:1b0d80432c79 | 6436 | ku[1] = (byte)3; |
wolfSSL | 4:1b0d80432c79 | 6437 | |
wolfSSL | 4:1b0d80432c79 | 6438 | /* compute unused bits */ |
wolfSSL | 4:1b0d80432c79 | 6439 | while (((((input >> 8) & 0xff) >> unusedBits) & 0x01) == 0) |
wolfSSL | 4:1b0d80432c79 | 6440 | unusedBits++; |
wolfSSL | 4:1b0d80432c79 | 6441 | } |
wolfSSL | 4:1b0d80432c79 | 6442 | else { |
wolfSSL | 4:1b0d80432c79 | 6443 | ku[1] = (byte)2; |
wolfSSL | 4:1b0d80432c79 | 6444 | |
wolfSSL | 4:1b0d80432c79 | 6445 | /* compute unused bits */ |
wolfSSL | 4:1b0d80432c79 | 6446 | while (((input >> unusedBits) & 0x01) == 0) |
wolfSSL | 4:1b0d80432c79 | 6447 | unusedBits++; |
wolfSSL | 4:1b0d80432c79 | 6448 | } |
wolfSSL | 4:1b0d80432c79 | 6449 | |
wolfSSL | 4:1b0d80432c79 | 6450 | /* put unused bits value */ |
wolfSSL | 4:1b0d80432c79 | 6451 | ku[2] = (byte)unusedBits; |
wolfSSL | 4:1b0d80432c79 | 6452 | |
wolfSSL | 4:1b0d80432c79 | 6453 | /* compute byte value */ |
wolfSSL | 4:1b0d80432c79 | 6454 | ku[3] = (byte)(input & 0xff); |
wolfSSL | 4:1b0d80432c79 | 6455 | if (input > 255) |
wolfSSL | 4:1b0d80432c79 | 6456 | ku[4] = (byte)((input >> 8) & 0xff); |
wolfSSL | 4:1b0d80432c79 | 6457 | |
wolfSSL | 4:1b0d80432c79 | 6458 | return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid), |
wolfSSL | 4:1b0d80432c79 | 6459 | ku, (int)ku[1]+2); |
wolfSSL | 4:1b0d80432c79 | 6460 | } |
wolfSSL | 4:1b0d80432c79 | 6461 | |
wolfSSL | 4:1b0d80432c79 | 6462 | /* Encode OID string representation to ITU-T X.690 format */ |
wolfSSL | 4:1b0d80432c79 | 6463 | static int EncodePolicyOID(byte *out, word32 *outSz, const char *in) |
wolfSSL | 4:1b0d80432c79 | 6464 | { |
wolfSSL | 4:1b0d80432c79 | 6465 | word32 val, idx = 0, nb_val; |
wolfSSL | 4:1b0d80432c79 | 6466 | char *token, *str, *ptr; |
wolfSSL | 4:1b0d80432c79 | 6467 | word32 len; |
wolfSSL | 4:1b0d80432c79 | 6468 | |
wolfSSL | 4:1b0d80432c79 | 6469 | if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL) |
wolfSSL | 4:1b0d80432c79 | 6470 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6471 | |
wolfSSL | 4:1b0d80432c79 | 6472 | len = (word32)XSTRLEN(in); |
wolfSSL | 4:1b0d80432c79 | 6473 | |
wolfSSL | 4:1b0d80432c79 | 6474 | str = (char *)XMALLOC(len+1, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6475 | if (str == NULL) |
wolfSSL | 4:1b0d80432c79 | 6476 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 6477 | |
wolfSSL | 4:1b0d80432c79 | 6478 | XSTRNCPY(str, in, len); |
wolfSSL | 4:1b0d80432c79 | 6479 | str[len] = 0x00; |
wolfSSL | 4:1b0d80432c79 | 6480 | |
wolfSSL | 4:1b0d80432c79 | 6481 | nb_val = 0; |
wolfSSL | 4:1b0d80432c79 | 6482 | |
wolfSSL | 4:1b0d80432c79 | 6483 | /* parse value, and set corresponding Policy OID value */ |
wolfSSL | 4:1b0d80432c79 | 6484 | token = XSTRTOK(str, ".", &ptr); |
wolfSSL | 4:1b0d80432c79 | 6485 | while (token != NULL) |
wolfSSL | 4:1b0d80432c79 | 6486 | { |
wolfSSL | 4:1b0d80432c79 | 6487 | val = (word32)atoi(token); |
wolfSSL | 4:1b0d80432c79 | 6488 | |
wolfSSL | 4:1b0d80432c79 | 6489 | if (nb_val == 0) { |
wolfSSL | 4:1b0d80432c79 | 6490 | if (val > 2) { |
wolfSSL | 4:1b0d80432c79 | 6491 | XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6492 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 6493 | } |
wolfSSL | 4:1b0d80432c79 | 6494 | |
wolfSSL | 4:1b0d80432c79 | 6495 | out[idx] = (byte)(40 * val); |
wolfSSL | 4:1b0d80432c79 | 6496 | } |
wolfSSL | 4:1b0d80432c79 | 6497 | else if (nb_val == 1) { |
wolfSSL | 4:1b0d80432c79 | 6498 | if (val > 127) { |
wolfSSL | 4:1b0d80432c79 | 6499 | XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6500 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 6501 | } |
wolfSSL | 4:1b0d80432c79 | 6502 | |
wolfSSL | 4:1b0d80432c79 | 6503 | if (idx > *outSz) { |
wolfSSL | 4:1b0d80432c79 | 6504 | XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6505 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6506 | } |
wolfSSL | 4:1b0d80432c79 | 6507 | |
wolfSSL | 4:1b0d80432c79 | 6508 | out[idx++] += (byte)val; |
wolfSSL | 4:1b0d80432c79 | 6509 | } |
wolfSSL | 4:1b0d80432c79 | 6510 | else { |
wolfSSL | 4:1b0d80432c79 | 6511 | word32 tb = 0, x; |
wolfSSL | 4:1b0d80432c79 | 6512 | int i = 0; |
wolfSSL | 4:1b0d80432c79 | 6513 | byte oid[MAX_OID_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6514 | |
wolfSSL | 4:1b0d80432c79 | 6515 | while (val >= 128) { |
wolfSSL | 4:1b0d80432c79 | 6516 | x = val % 128; |
wolfSSL | 4:1b0d80432c79 | 6517 | val /= 128; |
wolfSSL | 4:1b0d80432c79 | 6518 | oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x); |
wolfSSL | 4:1b0d80432c79 | 6519 | } |
wolfSSL | 4:1b0d80432c79 | 6520 | |
wolfSSL | 4:1b0d80432c79 | 6521 | if ((idx+(word32)i) > *outSz) { |
wolfSSL | 4:1b0d80432c79 | 6522 | XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6523 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6524 | } |
wolfSSL | 4:1b0d80432c79 | 6525 | |
wolfSSL | 4:1b0d80432c79 | 6526 | oid[i] = (byte) (((tb++) ? 0x80 : 0) | val); |
wolfSSL | 4:1b0d80432c79 | 6527 | |
wolfSSL | 4:1b0d80432c79 | 6528 | /* push value in the right order */ |
wolfSSL | 4:1b0d80432c79 | 6529 | while (i >= 0) |
wolfSSL | 4:1b0d80432c79 | 6530 | out[idx++] = oid[i--]; |
wolfSSL | 4:1b0d80432c79 | 6531 | } |
wolfSSL | 4:1b0d80432c79 | 6532 | |
wolfSSL | 4:1b0d80432c79 | 6533 | token = XSTRTOK(NULL, ".", &ptr); |
wolfSSL | 4:1b0d80432c79 | 6534 | nb_val++; |
wolfSSL | 4:1b0d80432c79 | 6535 | } |
wolfSSL | 4:1b0d80432c79 | 6536 | |
wolfSSL | 4:1b0d80432c79 | 6537 | *outSz = idx; |
wolfSSL | 4:1b0d80432c79 | 6538 | |
wolfSSL | 4:1b0d80432c79 | 6539 | XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6540 | return 0; |
wolfSSL | 4:1b0d80432c79 | 6541 | } |
wolfSSL | 4:1b0d80432c79 | 6542 | |
wolfSSL | 4:1b0d80432c79 | 6543 | /* encode Certificate Policies, return total bytes written |
wolfSSL | 4:1b0d80432c79 | 6544 | * each input value must be ITU-T X.690 formatted : a.b.c... |
wolfSSL | 4:1b0d80432c79 | 6545 | * input must be an array of values with a NULL terminated for the latest |
wolfSSL | 4:1b0d80432c79 | 6546 | * RFC5280 : non-critical */ |
wolfSSL | 4:1b0d80432c79 | 6547 | static int SetCertificatePolicies(byte *output, |
wolfSSL | 4:1b0d80432c79 | 6548 | word32 outputSz, |
wolfSSL | 4:1b0d80432c79 | 6549 | char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ], |
wolfSSL | 4:1b0d80432c79 | 6550 | word16 nb_certpol) |
wolfSSL | 4:1b0d80432c79 | 6551 | { |
wolfSSL | 4:1b0d80432c79 | 6552 | byte oid[MAX_OID_SZ], |
wolfSSL | 4:1b0d80432c79 | 6553 | der_oid[MAX_CERTPOL_NB][MAX_OID_SZ], |
wolfSSL | 4:1b0d80432c79 | 6554 | out[MAX_CERTPOL_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6555 | word32 oidSz; |
wolfSSL | 4:1b0d80432c79 | 6556 | word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB]; |
wolfSSL | 4:1b0d80432c79 | 6557 | int ret; |
wolfSSL | 4:1b0d80432c79 | 6558 | |
wolfSSL | 4:1b0d80432c79 | 6559 | static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 }; |
wolfSSL | 4:1b0d80432c79 | 6560 | static const byte oid_oid[] = { 0x06 }; |
wolfSSL | 4:1b0d80432c79 | 6561 | |
wolfSSL | 4:1b0d80432c79 | 6562 | if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB) |
wolfSSL | 4:1b0d80432c79 | 6563 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6564 | |
wolfSSL | 4:1b0d80432c79 | 6565 | for (i = 0; i < nb_certpol; i++) { |
wolfSSL | 4:1b0d80432c79 | 6566 | oidSz = sizeof(oid); |
wolfSSL | 4:1b0d80432c79 | 6567 | XMEMSET(oid, 0, oidSz); |
wolfSSL | 4:1b0d80432c79 | 6568 | |
wolfSSL | 4:1b0d80432c79 | 6569 | ret = EncodePolicyOID(oid, &oidSz, input[i]); |
wolfSSL | 4:1b0d80432c79 | 6570 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 6571 | return ret; |
wolfSSL | 4:1b0d80432c79 | 6572 | |
wolfSSL | 4:1b0d80432c79 | 6573 | /* compute sequence value for the oid */ |
wolfSSL | 4:1b0d80432c79 | 6574 | ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid, |
wolfSSL | 4:1b0d80432c79 | 6575 | sizeof(oid_oid), oid, oidSz); |
wolfSSL | 4:1b0d80432c79 | 6576 | if (ret <= 0) |
wolfSSL | 4:1b0d80432c79 | 6577 | return ret; |
wolfSSL | 4:1b0d80432c79 | 6578 | else |
wolfSSL | 4:1b0d80432c79 | 6579 | der_oidSz[i] = (word32)ret; |
wolfSSL | 4:1b0d80432c79 | 6580 | } |
wolfSSL | 4:1b0d80432c79 | 6581 | |
wolfSSL | 4:1b0d80432c79 | 6582 | /* concatenate oid, keep two byte for sequence/size of the created value */ |
wolfSSL | 4:1b0d80432c79 | 6583 | for (i = 0, outSz = 2; i < nb_certpol; i++) { |
wolfSSL | 4:1b0d80432c79 | 6584 | XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]); |
wolfSSL | 4:1b0d80432c79 | 6585 | outSz += der_oidSz[i]; |
wolfSSL | 4:1b0d80432c79 | 6586 | } |
wolfSSL | 4:1b0d80432c79 | 6587 | |
wolfSSL | 4:1b0d80432c79 | 6588 | /* add sequence */ |
wolfSSL | 4:1b0d80432c79 | 6589 | ret = SetSequence(outSz-2, out); |
wolfSSL | 4:1b0d80432c79 | 6590 | if (ret <= 0) |
wolfSSL | 4:1b0d80432c79 | 6591 | return ret; |
wolfSSL | 4:1b0d80432c79 | 6592 | |
wolfSSL | 4:1b0d80432c79 | 6593 | /* add Policy OID to compute final value */ |
wolfSSL | 4:1b0d80432c79 | 6594 | return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid), |
wolfSSL | 4:1b0d80432c79 | 6595 | out, outSz); |
wolfSSL | 4:1b0d80432c79 | 6596 | } |
wolfSSL | 4:1b0d80432c79 | 6597 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 6598 | |
wolfSSL | 4:1b0d80432c79 | 6599 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 6600 | /* encode Alternative Names, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6601 | static int SetAltNames(byte *out, word32 outSz, byte *input, word32 length) |
wolfSSL | 4:1b0d80432c79 | 6602 | { |
wolfSSL | 4:1b0d80432c79 | 6603 | if (out == NULL || input == NULL) |
wolfSSL | 4:1b0d80432c79 | 6604 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6605 | |
wolfSSL | 4:1b0d80432c79 | 6606 | if (outSz < length) |
wolfSSL | 4:1b0d80432c79 | 6607 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6608 | |
wolfSSL | 4:1b0d80432c79 | 6609 | /* Alternative Names come from certificate or computed by |
wolfSSL | 4:1b0d80432c79 | 6610 | * external function, so already encoded. Just copy value */ |
wolfSSL | 4:1b0d80432c79 | 6611 | XMEMCPY(out, input, length); |
wolfSSL | 4:1b0d80432c79 | 6612 | return length; |
wolfSSL | 4:1b0d80432c79 | 6613 | } |
wolfSSL | 4:1b0d80432c79 | 6614 | #endif /* WOLFSL_ALT_NAMES */ |
wolfSSL | 4:1b0d80432c79 | 6615 | |
wolfSSL | 4:1b0d80432c79 | 6616 | |
wolfSSL | 4:1b0d80432c79 | 6617 | /* encode CertName into output, return total bytes written */ |
wolfSSL | 4:1b0d80432c79 | 6618 | static int SetName(byte* output, word32 outputSz, CertName* name) |
wolfSSL | 4:1b0d80432c79 | 6619 | { |
wolfSSL | 4:1b0d80432c79 | 6620 | int totalBytes = 0, i, idx; |
wolfSSL | 4:1b0d80432c79 | 6621 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6622 | EncodedName* names = NULL; |
wolfSSL | 4:1b0d80432c79 | 6623 | #else |
wolfSSL | 4:1b0d80432c79 | 6624 | EncodedName names[NAME_ENTRIES]; |
wolfSSL | 4:1b0d80432c79 | 6625 | #endif |
wolfSSL | 4:1b0d80432c79 | 6626 | |
wolfSSL | 4:1b0d80432c79 | 6627 | if (output == NULL || name == NULL) |
wolfSSL | 4:1b0d80432c79 | 6628 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6629 | |
wolfSSL | 4:1b0d80432c79 | 6630 | if (outputSz < 3) |
wolfSSL | 4:1b0d80432c79 | 6631 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6632 | |
wolfSSL | 4:1b0d80432c79 | 6633 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6634 | names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL, |
wolfSSL | 4:1b0d80432c79 | 6635 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6636 | if (names == NULL) |
wolfSSL | 4:1b0d80432c79 | 6637 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 6638 | #endif |
wolfSSL | 4:1b0d80432c79 | 6639 | |
wolfSSL | 4:1b0d80432c79 | 6640 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 4:1b0d80432c79 | 6641 | const char* nameStr = GetOneName(name, i); |
wolfSSL | 4:1b0d80432c79 | 6642 | if (nameStr) { |
wolfSSL | 4:1b0d80432c79 | 6643 | /* bottom up */ |
wolfSSL | 4:1b0d80432c79 | 6644 | byte firstLen[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6645 | byte secondLen[MAX_LENGTH_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6646 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6647 | byte set[MAX_SET_SZ]; |
wolfSSL | 4:1b0d80432c79 | 6648 | |
wolfSSL | 4:1b0d80432c79 | 6649 | int email = i == (NAME_ENTRIES - 1) ? 1 : 0; |
wolfSSL | 4:1b0d80432c79 | 6650 | int strLen = (int)XSTRLEN(nameStr); |
wolfSSL | 4:1b0d80432c79 | 6651 | int thisLen = strLen; |
wolfSSL | 4:1b0d80432c79 | 6652 | int firstSz, secondSz, seqSz, setSz; |
wolfSSL | 4:1b0d80432c79 | 6653 | |
wolfSSL | 4:1b0d80432c79 | 6654 | if (strLen == 0) { /* no user data for this item */ |
wolfSSL | 4:1b0d80432c79 | 6655 | names[i].used = 0; |
wolfSSL | 4:1b0d80432c79 | 6656 | continue; |
wolfSSL | 4:1b0d80432c79 | 6657 | } |
wolfSSL | 4:1b0d80432c79 | 6658 | |
wolfSSL | 4:1b0d80432c79 | 6659 | secondSz = SetLength(strLen, secondLen); |
wolfSSL | 4:1b0d80432c79 | 6660 | thisLen += secondSz; |
wolfSSL | 4:1b0d80432c79 | 6661 | if (email) { |
wolfSSL | 4:1b0d80432c79 | 6662 | thisLen += EMAIL_JOINT_LEN; |
wolfSSL | 4:1b0d80432c79 | 6663 | thisLen ++; /* id type */ |
wolfSSL | 4:1b0d80432c79 | 6664 | firstSz = SetLength(EMAIL_JOINT_LEN, firstLen); |
wolfSSL | 4:1b0d80432c79 | 6665 | } |
wolfSSL | 4:1b0d80432c79 | 6666 | else { |
wolfSSL | 4:1b0d80432c79 | 6667 | thisLen++; /* str type */ |
wolfSSL | 4:1b0d80432c79 | 6668 | thisLen++; /* id type */ |
wolfSSL | 4:1b0d80432c79 | 6669 | thisLen += JOINT_LEN; |
wolfSSL | 4:1b0d80432c79 | 6670 | firstSz = SetLength(JOINT_LEN + 1, firstLen); |
wolfSSL | 4:1b0d80432c79 | 6671 | } |
wolfSSL | 4:1b0d80432c79 | 6672 | thisLen += firstSz; |
wolfSSL | 4:1b0d80432c79 | 6673 | thisLen++; /* object id */ |
wolfSSL | 4:1b0d80432c79 | 6674 | |
wolfSSL | 4:1b0d80432c79 | 6675 | seqSz = SetSequence(thisLen, sequence); |
wolfSSL | 4:1b0d80432c79 | 6676 | thisLen += seqSz; |
wolfSSL | 4:1b0d80432c79 | 6677 | setSz = SetSet(thisLen, set); |
wolfSSL | 4:1b0d80432c79 | 6678 | thisLen += setSz; |
wolfSSL | 4:1b0d80432c79 | 6679 | |
wolfSSL | 4:1b0d80432c79 | 6680 | if (thisLen > (int)sizeof(names[i].encoded)) { |
wolfSSL | 4:1b0d80432c79 | 6681 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6682 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6683 | #endif |
wolfSSL | 4:1b0d80432c79 | 6684 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6685 | } |
wolfSSL | 4:1b0d80432c79 | 6686 | |
wolfSSL | 4:1b0d80432c79 | 6687 | /* store it */ |
wolfSSL | 4:1b0d80432c79 | 6688 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 6689 | /* set */ |
wolfSSL | 4:1b0d80432c79 | 6690 | XMEMCPY(names[i].encoded, set, setSz); |
wolfSSL | 4:1b0d80432c79 | 6691 | idx += setSz; |
wolfSSL | 4:1b0d80432c79 | 6692 | /* seq */ |
wolfSSL | 4:1b0d80432c79 | 6693 | XMEMCPY(names[i].encoded + idx, sequence, seqSz); |
wolfSSL | 4:1b0d80432c79 | 6694 | idx += seqSz; |
wolfSSL | 4:1b0d80432c79 | 6695 | /* asn object id */ |
wolfSSL | 4:1b0d80432c79 | 6696 | names[i].encoded[idx++] = ASN_OBJECT_ID; |
wolfSSL | 4:1b0d80432c79 | 6697 | /* first length */ |
wolfSSL | 4:1b0d80432c79 | 6698 | XMEMCPY(names[i].encoded + idx, firstLen, firstSz); |
wolfSSL | 4:1b0d80432c79 | 6699 | idx += firstSz; |
wolfSSL | 4:1b0d80432c79 | 6700 | if (email) { |
wolfSSL | 4:1b0d80432c79 | 6701 | const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 4:1b0d80432c79 | 6702 | 0x01, 0x09, 0x01, 0x16 }; |
wolfSSL | 4:1b0d80432c79 | 6703 | /* email joint id */ |
wolfSSL | 4:1b0d80432c79 | 6704 | XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); |
wolfSSL | 4:1b0d80432c79 | 6705 | idx += (int)sizeof(EMAIL_OID); |
wolfSSL | 4:1b0d80432c79 | 6706 | } |
wolfSSL | 4:1b0d80432c79 | 6707 | else { |
wolfSSL | 4:1b0d80432c79 | 6708 | /* joint id */ |
wolfSSL | 4:1b0d80432c79 | 6709 | byte bType = GetNameId(i); |
wolfSSL | 4:1b0d80432c79 | 6710 | names[i].encoded[idx++] = 0x55; |
wolfSSL | 4:1b0d80432c79 | 6711 | names[i].encoded[idx++] = 0x04; |
wolfSSL | 4:1b0d80432c79 | 6712 | /* id type */ |
wolfSSL | 4:1b0d80432c79 | 6713 | names[i].encoded[idx++] = bType; |
wolfSSL | 4:1b0d80432c79 | 6714 | /* str type */ |
wolfSSL | 4:1b0d80432c79 | 6715 | names[i].encoded[idx++] = GetNameType(name, i); |
wolfSSL | 4:1b0d80432c79 | 6716 | } |
wolfSSL | 4:1b0d80432c79 | 6717 | /* second length */ |
wolfSSL | 4:1b0d80432c79 | 6718 | XMEMCPY(names[i].encoded + idx, secondLen, secondSz); |
wolfSSL | 4:1b0d80432c79 | 6719 | idx += secondSz; |
wolfSSL | 4:1b0d80432c79 | 6720 | /* str value */ |
wolfSSL | 4:1b0d80432c79 | 6721 | XMEMCPY(names[i].encoded + idx, nameStr, strLen); |
wolfSSL | 4:1b0d80432c79 | 6722 | idx += strLen; |
wolfSSL | 4:1b0d80432c79 | 6723 | |
wolfSSL | 4:1b0d80432c79 | 6724 | totalBytes += idx; |
wolfSSL | 4:1b0d80432c79 | 6725 | names[i].totalLen = idx; |
wolfSSL | 4:1b0d80432c79 | 6726 | names[i].used = 1; |
wolfSSL | 4:1b0d80432c79 | 6727 | } |
wolfSSL | 4:1b0d80432c79 | 6728 | else |
wolfSSL | 4:1b0d80432c79 | 6729 | names[i].used = 0; |
wolfSSL | 4:1b0d80432c79 | 6730 | } |
wolfSSL | 4:1b0d80432c79 | 6731 | |
wolfSSL | 4:1b0d80432c79 | 6732 | /* header */ |
wolfSSL | 4:1b0d80432c79 | 6733 | idx = SetSequence(totalBytes, output); |
wolfSSL | 4:1b0d80432c79 | 6734 | totalBytes += idx; |
wolfSSL | 4:1b0d80432c79 | 6735 | if (totalBytes > ASN_NAME_MAX) { |
wolfSSL | 4:1b0d80432c79 | 6736 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6737 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6738 | #endif |
wolfSSL | 4:1b0d80432c79 | 6739 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6740 | } |
wolfSSL | 4:1b0d80432c79 | 6741 | |
wolfSSL | 4:1b0d80432c79 | 6742 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 4:1b0d80432c79 | 6743 | if (names[i].used) { |
wolfSSL | 4:1b0d80432c79 | 6744 | if (outputSz < (word32)(idx+names[i].totalLen)) { |
wolfSSL | 4:1b0d80432c79 | 6745 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6746 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6747 | #endif |
wolfSSL | 4:1b0d80432c79 | 6748 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 6749 | } |
wolfSSL | 4:1b0d80432c79 | 6750 | |
wolfSSL | 4:1b0d80432c79 | 6751 | XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); |
wolfSSL | 4:1b0d80432c79 | 6752 | idx += names[i].totalLen; |
wolfSSL | 4:1b0d80432c79 | 6753 | } |
wolfSSL | 4:1b0d80432c79 | 6754 | } |
wolfSSL | 4:1b0d80432c79 | 6755 | |
wolfSSL | 4:1b0d80432c79 | 6756 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 6757 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 6758 | #endif |
wolfSSL | 4:1b0d80432c79 | 6759 | |
wolfSSL | 4:1b0d80432c79 | 6760 | return totalBytes; |
wolfSSL | 4:1b0d80432c79 | 6761 | } |
wolfSSL | 4:1b0d80432c79 | 6762 | |
wolfSSL | 4:1b0d80432c79 | 6763 | /* encode info from cert into DER encoded format */ |
wolfSSL | 4:1b0d80432c79 | 6764 | static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 4:1b0d80432c79 | 6765 | WC_RNG* rng, const byte* ntruKey, word16 ntruSz) |
wolfSSL | 4:1b0d80432c79 | 6766 | { |
wolfSSL | 4:1b0d80432c79 | 6767 | int ret; |
wolfSSL | 4:1b0d80432c79 | 6768 | |
wolfSSL | 4:1b0d80432c79 | 6769 | (void)eccKey; |
wolfSSL | 4:1b0d80432c79 | 6770 | (void)ntruKey; |
wolfSSL | 4:1b0d80432c79 | 6771 | (void)ntruSz; |
wolfSSL | 4:1b0d80432c79 | 6772 | |
wolfSSL | 4:1b0d80432c79 | 6773 | if (cert == NULL || der == NULL || rng == NULL) |
wolfSSL | 4:1b0d80432c79 | 6774 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 6775 | |
wolfSSL | 4:1b0d80432c79 | 6776 | /* init */ |
wolfSSL | 4:1b0d80432c79 | 6777 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 4:1b0d80432c79 | 6778 | |
wolfSSL | 4:1b0d80432c79 | 6779 | /* version */ |
wolfSSL | 4:1b0d80432c79 | 6780 | der->versionSz = SetMyVersion(cert->version, der->version, TRUE); |
wolfSSL | 4:1b0d80432c79 | 6781 | |
wolfSSL | 4:1b0d80432c79 | 6782 | /* serial number */ |
wolfSSL | 4:1b0d80432c79 | 6783 | ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE); |
wolfSSL | 4:1b0d80432c79 | 6784 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 6785 | return ret; |
wolfSSL | 4:1b0d80432c79 | 6786 | |
wolfSSL | 4:1b0d80432c79 | 6787 | cert->serial[0] = 0x01; /* ensure positive */ |
wolfSSL | 4:1b0d80432c79 | 6788 | der->serialSz = SetSerial(cert->serial, der->serial); |
wolfSSL | 4:1b0d80432c79 | 6789 | |
wolfSSL | 4:1b0d80432c79 | 6790 | /* signature algo */ |
wolfSSL | 4:1b0d80432c79 | 6791 | der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, sigType, 0); |
wolfSSL | 4:1b0d80432c79 | 6792 | if (der->sigAlgoSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6793 | return ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 6794 | |
wolfSSL | 4:1b0d80432c79 | 6795 | /* public key */ |
wolfSSL | 4:1b0d80432c79 | 6796 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 4:1b0d80432c79 | 6797 | if (rsaKey == NULL) |
wolfSSL | 4:1b0d80432c79 | 6798 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6799 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 4:1b0d80432c79 | 6800 | sizeof(der->publicKey), 1); |
wolfSSL | 4:1b0d80432c79 | 6801 | if (der->publicKeySz <= 0) |
wolfSSL | 4:1b0d80432c79 | 6802 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6803 | } |
wolfSSL | 4:1b0d80432c79 | 6804 | |
wolfSSL | 4:1b0d80432c79 | 6805 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 6806 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 4:1b0d80432c79 | 6807 | if (eccKey == NULL) |
wolfSSL | 4:1b0d80432c79 | 6808 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6809 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 4:1b0d80432c79 | 6810 | if (der->publicKeySz <= 0) |
wolfSSL | 4:1b0d80432c79 | 6811 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6812 | } |
wolfSSL | 4:1b0d80432c79 | 6813 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 6814 | |
wolfSSL | 4:1b0d80432c79 | 6815 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 6816 | if (cert->keyType == NTRU_KEY) { |
wolfSSL | 4:1b0d80432c79 | 6817 | word32 rc; |
wolfSSL | 4:1b0d80432c79 | 6818 | word16 encodedSz; |
wolfSSL | 4:1b0d80432c79 | 6819 | |
wolfSSL | 4:1b0d80432c79 | 6820 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 4:1b0d80432c79 | 6821 | ntruKey, &encodedSz, NULL); |
wolfSSL | 4:1b0d80432c79 | 6822 | if (rc != NTRU_OK) |
wolfSSL | 4:1b0d80432c79 | 6823 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6824 | if (encodedSz > MAX_PUBLIC_KEY_SZ) |
wolfSSL | 4:1b0d80432c79 | 6825 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6826 | |
wolfSSL | 4:1b0d80432c79 | 6827 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 4:1b0d80432c79 | 6828 | ntruKey, &encodedSz, der->publicKey); |
wolfSSL | 4:1b0d80432c79 | 6829 | if (rc != NTRU_OK) |
wolfSSL | 4:1b0d80432c79 | 6830 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 6831 | |
wolfSSL | 4:1b0d80432c79 | 6832 | der->publicKeySz = encodedSz; |
wolfSSL | 4:1b0d80432c79 | 6833 | } |
wolfSSL | 4:1b0d80432c79 | 6834 | #endif /* HAVE_NTRU */ |
wolfSSL | 4:1b0d80432c79 | 6835 | |
wolfSSL | 4:1b0d80432c79 | 6836 | der->validitySz = 0; |
wolfSSL | 4:1b0d80432c79 | 6837 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 6838 | /* date validity copy ? */ |
wolfSSL | 4:1b0d80432c79 | 6839 | if (cert->beforeDateSz && cert->afterDateSz) { |
wolfSSL | 4:1b0d80432c79 | 6840 | der->validitySz = CopyValidity(der->validity, cert); |
wolfSSL | 4:1b0d80432c79 | 6841 | if (der->validitySz == 0) |
wolfSSL | 4:1b0d80432c79 | 6842 | return DATE_E; |
wolfSSL | 4:1b0d80432c79 | 6843 | } |
wolfSSL | 4:1b0d80432c79 | 6844 | #endif |
wolfSSL | 4:1b0d80432c79 | 6845 | |
wolfSSL | 4:1b0d80432c79 | 6846 | /* date validity */ |
wolfSSL | 4:1b0d80432c79 | 6847 | if (der->validitySz == 0) { |
wolfSSL | 4:1b0d80432c79 | 6848 | der->validitySz = SetValidity(der->validity, cert->daysValid); |
wolfSSL | 4:1b0d80432c79 | 6849 | if (der->validitySz == 0) |
wolfSSL | 4:1b0d80432c79 | 6850 | return DATE_E; |
wolfSSL | 4:1b0d80432c79 | 6851 | } |
wolfSSL | 4:1b0d80432c79 | 6852 | |
wolfSSL | 4:1b0d80432c79 | 6853 | /* subject name */ |
wolfSSL | 4:1b0d80432c79 | 6854 | der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject); |
wolfSSL | 4:1b0d80432c79 | 6855 | if (der->subjectSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6856 | return SUBJECT_E; |
wolfSSL | 4:1b0d80432c79 | 6857 | |
wolfSSL | 4:1b0d80432c79 | 6858 | /* issuer name */ |
wolfSSL | 4:1b0d80432c79 | 6859 | der->issuerSz = SetName(der->issuer, sizeof(der->issuer), cert->selfSigned ? |
wolfSSL | 4:1b0d80432c79 | 6860 | &cert->subject : &cert->issuer); |
wolfSSL | 4:1b0d80432c79 | 6861 | if (der->issuerSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6862 | return ISSUER_E; |
wolfSSL | 4:1b0d80432c79 | 6863 | |
wolfSSL | 4:1b0d80432c79 | 6864 | /* set the extensions */ |
wolfSSL | 4:1b0d80432c79 | 6865 | der->extensionsSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6866 | |
wolfSSL | 4:1b0d80432c79 | 6867 | /* CA */ |
wolfSSL | 4:1b0d80432c79 | 6868 | if (cert->isCA) { |
wolfSSL | 4:1b0d80432c79 | 6869 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 4:1b0d80432c79 | 6870 | if (der->caSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6871 | return CA_TRUE_E; |
wolfSSL | 4:1b0d80432c79 | 6872 | |
wolfSSL | 4:1b0d80432c79 | 6873 | der->extensionsSz += der->caSz; |
wolfSSL | 4:1b0d80432c79 | 6874 | } |
wolfSSL | 4:1b0d80432c79 | 6875 | else |
wolfSSL | 4:1b0d80432c79 | 6876 | der->caSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6877 | |
wolfSSL | 4:1b0d80432c79 | 6878 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 6879 | /* Alternative Name */ |
wolfSSL | 4:1b0d80432c79 | 6880 | if (cert->altNamesSz) { |
wolfSSL | 4:1b0d80432c79 | 6881 | der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames), |
wolfSSL | 4:1b0d80432c79 | 6882 | cert->altNames, cert->altNamesSz); |
wolfSSL | 4:1b0d80432c79 | 6883 | if (der->altNamesSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6884 | return ALT_NAME_E; |
wolfSSL | 4:1b0d80432c79 | 6885 | |
wolfSSL | 4:1b0d80432c79 | 6886 | der->extensionsSz += der->altNamesSz; |
wolfSSL | 4:1b0d80432c79 | 6887 | } |
wolfSSL | 4:1b0d80432c79 | 6888 | else |
wolfSSL | 4:1b0d80432c79 | 6889 | der->altNamesSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6890 | #endif |
wolfSSL | 4:1b0d80432c79 | 6891 | |
wolfSSL | 4:1b0d80432c79 | 6892 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 6893 | /* SKID */ |
wolfSSL | 4:1b0d80432c79 | 6894 | if (cert->skidSz) { |
wolfSSL | 4:1b0d80432c79 | 6895 | /* check the provided SKID size */ |
wolfSSL | 4:1b0d80432c79 | 6896 | if (cert->skidSz > (int)sizeof(der->skid)) |
wolfSSL | 4:1b0d80432c79 | 6897 | return SKID_E; |
wolfSSL | 4:1b0d80432c79 | 6898 | |
wolfSSL | 4:1b0d80432c79 | 6899 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 4:1b0d80432c79 | 6900 | cert->skid, cert->skidSz); |
wolfSSL | 4:1b0d80432c79 | 6901 | if (der->skidSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6902 | return SKID_E; |
wolfSSL | 4:1b0d80432c79 | 6903 | |
wolfSSL | 4:1b0d80432c79 | 6904 | der->extensionsSz += der->skidSz; |
wolfSSL | 4:1b0d80432c79 | 6905 | } |
wolfSSL | 4:1b0d80432c79 | 6906 | else |
wolfSSL | 4:1b0d80432c79 | 6907 | der->skidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6908 | |
wolfSSL | 4:1b0d80432c79 | 6909 | /* AKID */ |
wolfSSL | 4:1b0d80432c79 | 6910 | if (cert->akidSz) { |
wolfSSL | 4:1b0d80432c79 | 6911 | /* check the provided AKID size */ |
wolfSSL | 4:1b0d80432c79 | 6912 | if (cert->akidSz > (int)sizeof(der->akid)) |
wolfSSL | 4:1b0d80432c79 | 6913 | return AKID_E; |
wolfSSL | 4:1b0d80432c79 | 6914 | |
wolfSSL | 4:1b0d80432c79 | 6915 | der->akidSz = SetAKID(der->akid, sizeof(der->akid), |
wolfSSL | 4:1b0d80432c79 | 6916 | cert->akid, cert->akidSz); |
wolfSSL | 4:1b0d80432c79 | 6917 | if (der->akidSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6918 | return AKID_E; |
wolfSSL | 4:1b0d80432c79 | 6919 | |
wolfSSL | 4:1b0d80432c79 | 6920 | der->extensionsSz += der->akidSz; |
wolfSSL | 4:1b0d80432c79 | 6921 | } |
wolfSSL | 4:1b0d80432c79 | 6922 | else |
wolfSSL | 4:1b0d80432c79 | 6923 | der->akidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6924 | |
wolfSSL | 4:1b0d80432c79 | 6925 | /* Key Usage */ |
wolfSSL | 4:1b0d80432c79 | 6926 | if (cert->keyUsage != 0){ |
wolfSSL | 4:1b0d80432c79 | 6927 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 4:1b0d80432c79 | 6928 | cert->keyUsage); |
wolfSSL | 4:1b0d80432c79 | 6929 | if (der->keyUsageSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6930 | return KEYUSAGE_E; |
wolfSSL | 4:1b0d80432c79 | 6931 | |
wolfSSL | 4:1b0d80432c79 | 6932 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 4:1b0d80432c79 | 6933 | } |
wolfSSL | 4:1b0d80432c79 | 6934 | else |
wolfSSL | 4:1b0d80432c79 | 6935 | der->keyUsageSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6936 | |
wolfSSL | 4:1b0d80432c79 | 6937 | /* Certificate Policies */ |
wolfSSL | 4:1b0d80432c79 | 6938 | if (cert->certPoliciesNb != 0) { |
wolfSSL | 4:1b0d80432c79 | 6939 | der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, |
wolfSSL | 4:1b0d80432c79 | 6940 | sizeof(der->certPolicies), |
wolfSSL | 4:1b0d80432c79 | 6941 | cert->certPolicies, |
wolfSSL | 4:1b0d80432c79 | 6942 | cert->certPoliciesNb); |
wolfSSL | 4:1b0d80432c79 | 6943 | if (der->certPoliciesSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6944 | return CERTPOLICIES_E; |
wolfSSL | 4:1b0d80432c79 | 6945 | |
wolfSSL | 4:1b0d80432c79 | 6946 | der->extensionsSz += der->certPoliciesSz; |
wolfSSL | 4:1b0d80432c79 | 6947 | } |
wolfSSL | 4:1b0d80432c79 | 6948 | else |
wolfSSL | 4:1b0d80432c79 | 6949 | der->certPoliciesSz = 0; |
wolfSSL | 4:1b0d80432c79 | 6950 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 6951 | |
wolfSSL | 4:1b0d80432c79 | 6952 | /* put extensions */ |
wolfSSL | 4:1b0d80432c79 | 6953 | if (der->extensionsSz > 0) { |
wolfSSL | 4:1b0d80432c79 | 6954 | |
wolfSSL | 4:1b0d80432c79 | 6955 | /* put the start of extensions sequence (ID, Size) */ |
wolfSSL | 4:1b0d80432c79 | 6956 | der->extensionsSz = SetExtensionsHeader(der->extensions, |
wolfSSL | 4:1b0d80432c79 | 6957 | sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 6958 | der->extensionsSz); |
wolfSSL | 4:1b0d80432c79 | 6959 | if (der->extensionsSz == 0) |
wolfSSL | 4:1b0d80432c79 | 6960 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 6961 | |
wolfSSL | 4:1b0d80432c79 | 6962 | /* put CA */ |
wolfSSL | 4:1b0d80432c79 | 6963 | if (der->caSz) { |
wolfSSL | 4:1b0d80432c79 | 6964 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 6965 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 6966 | der->ca, der->caSz); |
wolfSSL | 4:1b0d80432c79 | 6967 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 6968 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 6969 | } |
wolfSSL | 4:1b0d80432c79 | 6970 | |
wolfSSL | 4:1b0d80432c79 | 6971 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 6972 | /* put Alternative Names */ |
wolfSSL | 4:1b0d80432c79 | 6973 | if (der->altNamesSz) { |
wolfSSL | 4:1b0d80432c79 | 6974 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 6975 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 6976 | der->altNames, der->altNamesSz); |
wolfSSL | 4:1b0d80432c79 | 6977 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 6978 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 6979 | } |
wolfSSL | 4:1b0d80432c79 | 6980 | #endif |
wolfSSL | 4:1b0d80432c79 | 6981 | |
wolfSSL | 4:1b0d80432c79 | 6982 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 6983 | /* put SKID */ |
wolfSSL | 4:1b0d80432c79 | 6984 | if (der->skidSz) { |
wolfSSL | 4:1b0d80432c79 | 6985 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 6986 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 6987 | der->skid, der->skidSz); |
wolfSSL | 4:1b0d80432c79 | 6988 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 6989 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 6990 | } |
wolfSSL | 4:1b0d80432c79 | 6991 | |
wolfSSL | 4:1b0d80432c79 | 6992 | /* put AKID */ |
wolfSSL | 4:1b0d80432c79 | 6993 | if (der->akidSz) { |
wolfSSL | 4:1b0d80432c79 | 6994 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 6995 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 6996 | der->akid, der->akidSz); |
wolfSSL | 4:1b0d80432c79 | 6997 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 6998 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 6999 | } |
wolfSSL | 4:1b0d80432c79 | 7000 | |
wolfSSL | 4:1b0d80432c79 | 7001 | /* put KeyUsage */ |
wolfSSL | 4:1b0d80432c79 | 7002 | if (der->keyUsageSz) { |
wolfSSL | 4:1b0d80432c79 | 7003 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7004 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7005 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 4:1b0d80432c79 | 7006 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7007 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7008 | } |
wolfSSL | 4:1b0d80432c79 | 7009 | |
wolfSSL | 4:1b0d80432c79 | 7010 | /* put Certificate Policies */ |
wolfSSL | 4:1b0d80432c79 | 7011 | if (der->certPoliciesSz) { |
wolfSSL | 4:1b0d80432c79 | 7012 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7013 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7014 | der->certPolicies, der->certPoliciesSz); |
wolfSSL | 4:1b0d80432c79 | 7015 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7016 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7017 | } |
wolfSSL | 4:1b0d80432c79 | 7018 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 7019 | } |
wolfSSL | 4:1b0d80432c79 | 7020 | |
wolfSSL | 4:1b0d80432c79 | 7021 | der->total = der->versionSz + der->serialSz + der->sigAlgoSz + |
wolfSSL | 4:1b0d80432c79 | 7022 | der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + |
wolfSSL | 4:1b0d80432c79 | 7023 | der->extensionsSz; |
wolfSSL | 4:1b0d80432c79 | 7024 | |
wolfSSL | 4:1b0d80432c79 | 7025 | return 0; |
wolfSSL | 4:1b0d80432c79 | 7026 | } |
wolfSSL | 4:1b0d80432c79 | 7027 | |
wolfSSL | 4:1b0d80432c79 | 7028 | |
wolfSSL | 4:1b0d80432c79 | 7029 | /* write DER encoded cert to buffer, size already checked */ |
wolfSSL | 4:1b0d80432c79 | 7030 | static int WriteCertBody(DerCert* der, byte* buffer) |
wolfSSL | 4:1b0d80432c79 | 7031 | { |
wolfSSL | 4:1b0d80432c79 | 7032 | int idx; |
wolfSSL | 4:1b0d80432c79 | 7033 | |
wolfSSL | 4:1b0d80432c79 | 7034 | /* signed part header */ |
wolfSSL | 4:1b0d80432c79 | 7035 | idx = SetSequence(der->total, buffer); |
wolfSSL | 4:1b0d80432c79 | 7036 | /* version */ |
wolfSSL | 4:1b0d80432c79 | 7037 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 4:1b0d80432c79 | 7038 | idx += der->versionSz; |
wolfSSL | 4:1b0d80432c79 | 7039 | /* serial */ |
wolfSSL | 4:1b0d80432c79 | 7040 | XMEMCPY(buffer + idx, der->serial, der->serialSz); |
wolfSSL | 4:1b0d80432c79 | 7041 | idx += der->serialSz; |
wolfSSL | 4:1b0d80432c79 | 7042 | /* sig algo */ |
wolfSSL | 4:1b0d80432c79 | 7043 | XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz); |
wolfSSL | 4:1b0d80432c79 | 7044 | idx += der->sigAlgoSz; |
wolfSSL | 4:1b0d80432c79 | 7045 | /* issuer */ |
wolfSSL | 4:1b0d80432c79 | 7046 | XMEMCPY(buffer + idx, der->issuer, der->issuerSz); |
wolfSSL | 4:1b0d80432c79 | 7047 | idx += der->issuerSz; |
wolfSSL | 4:1b0d80432c79 | 7048 | /* validity */ |
wolfSSL | 4:1b0d80432c79 | 7049 | XMEMCPY(buffer + idx, der->validity, der->validitySz); |
wolfSSL | 4:1b0d80432c79 | 7050 | idx += der->validitySz; |
wolfSSL | 4:1b0d80432c79 | 7051 | /* subject */ |
wolfSSL | 4:1b0d80432c79 | 7052 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 4:1b0d80432c79 | 7053 | idx += der->subjectSz; |
wolfSSL | 4:1b0d80432c79 | 7054 | /* public key */ |
wolfSSL | 4:1b0d80432c79 | 7055 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 4:1b0d80432c79 | 7056 | idx += der->publicKeySz; |
wolfSSL | 4:1b0d80432c79 | 7057 | if (der->extensionsSz) { |
wolfSSL | 4:1b0d80432c79 | 7058 | /* extensions */ |
wolfSSL | 4:1b0d80432c79 | 7059 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7060 | sizeof(der->extensions))); |
wolfSSL | 4:1b0d80432c79 | 7061 | idx += der->extensionsSz; |
wolfSSL | 4:1b0d80432c79 | 7062 | } |
wolfSSL | 4:1b0d80432c79 | 7063 | |
wolfSSL | 4:1b0d80432c79 | 7064 | return idx; |
wolfSSL | 4:1b0d80432c79 | 7065 | } |
wolfSSL | 4:1b0d80432c79 | 7066 | |
wolfSSL | 4:1b0d80432c79 | 7067 | |
wolfSSL | 4:1b0d80432c79 | 7068 | /* Make RSA signature from buffer (sz), write to sig (sigSz) */ |
wolfSSL | 4:1b0d80432c79 | 7069 | static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz, |
wolfSSL | 4:1b0d80432c79 | 7070 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng, |
wolfSSL | 4:1b0d80432c79 | 7071 | int sigAlgoType) |
wolfSSL | 4:1b0d80432c79 | 7072 | { |
wolfSSL | 4:1b0d80432c79 | 7073 | int encSigSz, digestSz, typeH = 0, ret = 0; |
wolfSSL | 4:1b0d80432c79 | 7074 | byte digest[MAX_DIGEST_SIZE]; /* max size */ |
wolfSSL | 4:1b0d80432c79 | 7075 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7076 | byte* encSig; |
wolfSSL | 4:1b0d80432c79 | 7077 | #else |
wolfSSL | 4:1b0d80432c79 | 7078 | byte encSig[MAX_DER_DIGEST_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7079 | #endif |
wolfSSL | 4:1b0d80432c79 | 7080 | |
wolfSSL | 4:1b0d80432c79 | 7081 | (void)digest; |
wolfSSL | 4:1b0d80432c79 | 7082 | (void)digestSz; |
wolfSSL | 4:1b0d80432c79 | 7083 | (void)encSig; |
wolfSSL | 4:1b0d80432c79 | 7084 | (void)encSigSz; |
wolfSSL | 4:1b0d80432c79 | 7085 | (void)typeH; |
wolfSSL | 4:1b0d80432c79 | 7086 | |
wolfSSL | 4:1b0d80432c79 | 7087 | (void)buffer; |
wolfSSL | 4:1b0d80432c79 | 7088 | (void)sz; |
wolfSSL | 4:1b0d80432c79 | 7089 | (void)sig; |
wolfSSL | 4:1b0d80432c79 | 7090 | (void)sigSz; |
wolfSSL | 4:1b0d80432c79 | 7091 | (void)rsaKey; |
wolfSSL | 4:1b0d80432c79 | 7092 | (void)eccKey; |
wolfSSL | 4:1b0d80432c79 | 7093 | (void)rng; |
wolfSSL | 4:1b0d80432c79 | 7094 | |
wolfSSL | 4:1b0d80432c79 | 7095 | switch (sigAlgoType) { |
wolfSSL | 4:1b0d80432c79 | 7096 | #ifndef NO_MD5 |
wolfSSL | 4:1b0d80432c79 | 7097 | case CTC_MD5wRSA: |
wolfSSL | 4:1b0d80432c79 | 7098 | if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) { |
wolfSSL | 4:1b0d80432c79 | 7099 | typeH = MD5h; |
wolfSSL | 4:1b0d80432c79 | 7100 | digestSz = MD5_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7101 | } |
wolfSSL | 4:1b0d80432c79 | 7102 | break; |
wolfSSL | 4:1b0d80432c79 | 7103 | #endif |
wolfSSL | 4:1b0d80432c79 | 7104 | #ifndef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 7105 | case CTC_SHAwRSA: |
wolfSSL | 4:1b0d80432c79 | 7106 | case CTC_SHAwECDSA: |
wolfSSL | 4:1b0d80432c79 | 7107 | if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) { |
wolfSSL | 4:1b0d80432c79 | 7108 | typeH = SHAh; |
wolfSSL | 4:1b0d80432c79 | 7109 | digestSz = SHA_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7110 | } |
wolfSSL | 4:1b0d80432c79 | 7111 | break; |
wolfSSL | 4:1b0d80432c79 | 7112 | #endif |
wolfSSL | 4:1b0d80432c79 | 7113 | #ifndef NO_SHA256 |
wolfSSL | 4:1b0d80432c79 | 7114 | case CTC_SHA256wRSA: |
wolfSSL | 4:1b0d80432c79 | 7115 | case CTC_SHA256wECDSA: |
wolfSSL | 4:1b0d80432c79 | 7116 | if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) { |
wolfSSL | 4:1b0d80432c79 | 7117 | typeH = SHA256h; |
wolfSSL | 4:1b0d80432c79 | 7118 | digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7119 | } |
wolfSSL | 4:1b0d80432c79 | 7120 | break; |
wolfSSL | 4:1b0d80432c79 | 7121 | #endif |
wolfSSL | 4:1b0d80432c79 | 7122 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 4:1b0d80432c79 | 7123 | case CTC_SHA512wRSA: |
wolfSSL | 4:1b0d80432c79 | 7124 | case CTC_SHA512wECDSA: |
wolfSSL | 4:1b0d80432c79 | 7125 | if ((ret = wc_Sha512Hash(buffer, sz, digest)) == 0) { |
wolfSSL | 4:1b0d80432c79 | 7126 | typeH = SHA256h; |
wolfSSL | 4:1b0d80432c79 | 7127 | digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7128 | } |
wolfSSL | 4:1b0d80432c79 | 7129 | break; |
wolfSSL | 4:1b0d80432c79 | 7130 | #endif |
wolfSSL | 4:1b0d80432c79 | 7131 | default: |
wolfSSL | 4:1b0d80432c79 | 7132 | WOLFSSL_MSG("MakeSignautre called with unsupported type"); |
wolfSSL | 4:1b0d80432c79 | 7133 | ret = ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 7134 | } |
wolfSSL | 4:1b0d80432c79 | 7135 | |
wolfSSL | 4:1b0d80432c79 | 7136 | if (ret != 0) |
wolfSSL | 4:1b0d80432c79 | 7137 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7138 | |
wolfSSL | 4:1b0d80432c79 | 7139 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7140 | encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ, |
wolfSSL | 4:1b0d80432c79 | 7141 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7142 | if (encSig == NULL) |
wolfSSL | 4:1b0d80432c79 | 7143 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7144 | #endif |
wolfSSL | 4:1b0d80432c79 | 7145 | |
wolfSSL | 4:1b0d80432c79 | 7146 | ret = ALGO_ID_E; |
wolfSSL | 4:1b0d80432c79 | 7147 | |
wolfSSL | 4:1b0d80432c79 | 7148 | #ifndef NO_RSA |
wolfSSL | 4:1b0d80432c79 | 7149 | if (rsaKey) { |
wolfSSL | 4:1b0d80432c79 | 7150 | /* signature */ |
wolfSSL | 4:1b0d80432c79 | 7151 | encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH); |
wolfSSL | 4:1b0d80432c79 | 7152 | ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng); |
wolfSSL | 4:1b0d80432c79 | 7153 | } |
wolfSSL | 4:1b0d80432c79 | 7154 | #endif |
wolfSSL | 4:1b0d80432c79 | 7155 | |
wolfSSL | 4:1b0d80432c79 | 7156 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 7157 | if (!rsaKey && eccKey) { |
wolfSSL | 4:1b0d80432c79 | 7158 | word32 outSz = sigSz; |
wolfSSL | 4:1b0d80432c79 | 7159 | ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey); |
wolfSSL | 4:1b0d80432c79 | 7160 | |
wolfSSL | 4:1b0d80432c79 | 7161 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7162 | ret = outSz; |
wolfSSL | 4:1b0d80432c79 | 7163 | } |
wolfSSL | 4:1b0d80432c79 | 7164 | #endif |
wolfSSL | 4:1b0d80432c79 | 7165 | |
wolfSSL | 4:1b0d80432c79 | 7166 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7167 | XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7168 | #endif |
wolfSSL | 4:1b0d80432c79 | 7169 | |
wolfSSL | 4:1b0d80432c79 | 7170 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7171 | } |
wolfSSL | 4:1b0d80432c79 | 7172 | |
wolfSSL | 4:1b0d80432c79 | 7173 | |
wolfSSL | 4:1b0d80432c79 | 7174 | /* add signature to end of buffer, size of buffer assumed checked, return |
wolfSSL | 4:1b0d80432c79 | 7175 | new length */ |
wolfSSL | 4:1b0d80432c79 | 7176 | static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz, |
wolfSSL | 4:1b0d80432c79 | 7177 | int sigAlgoType) |
wolfSSL | 4:1b0d80432c79 | 7178 | { |
wolfSSL | 4:1b0d80432c79 | 7179 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7180 | int idx = bodySz, seqSz; |
wolfSSL | 4:1b0d80432c79 | 7181 | |
wolfSSL | 4:1b0d80432c79 | 7182 | /* algo */ |
wolfSSL | 4:1b0d80432c79 | 7183 | idx += SetAlgoID(sigAlgoType, buffer + idx, sigType, 0); |
wolfSSL | 4:1b0d80432c79 | 7184 | /* bit string */ |
wolfSSL | 4:1b0d80432c79 | 7185 | buffer[idx++] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 7186 | /* length */ |
wolfSSL | 4:1b0d80432c79 | 7187 | idx += SetLength(sigSz + 1, buffer + idx); |
wolfSSL | 4:1b0d80432c79 | 7188 | buffer[idx++] = 0; /* trailing 0 */ |
wolfSSL | 4:1b0d80432c79 | 7189 | /* signature */ |
wolfSSL | 4:1b0d80432c79 | 7190 | XMEMCPY(buffer + idx, sig, sigSz); |
wolfSSL | 4:1b0d80432c79 | 7191 | idx += sigSz; |
wolfSSL | 4:1b0d80432c79 | 7192 | |
wolfSSL | 4:1b0d80432c79 | 7193 | /* make room for overall header */ |
wolfSSL | 4:1b0d80432c79 | 7194 | seqSz = SetSequence(idx, seq); |
wolfSSL | 4:1b0d80432c79 | 7195 | XMEMMOVE(buffer + seqSz, buffer, idx); |
wolfSSL | 4:1b0d80432c79 | 7196 | XMEMCPY(buffer, seq, seqSz); |
wolfSSL | 4:1b0d80432c79 | 7197 | |
wolfSSL | 4:1b0d80432c79 | 7198 | return idx + seqSz; |
wolfSSL | 4:1b0d80432c79 | 7199 | } |
wolfSSL | 4:1b0d80432c79 | 7200 | |
wolfSSL | 4:1b0d80432c79 | 7201 | |
wolfSSL | 4:1b0d80432c79 | 7202 | /* Make an x509 Certificate v3 any key type from cert input, write to buffer */ |
wolfSSL | 4:1b0d80432c79 | 7203 | static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 4:1b0d80432c79 | 7204 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng, |
wolfSSL | 4:1b0d80432c79 | 7205 | const byte* ntruKey, word16 ntruSz) |
wolfSSL | 4:1b0d80432c79 | 7206 | { |
wolfSSL | 4:1b0d80432c79 | 7207 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7208 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7209 | DerCert* der; |
wolfSSL | 4:1b0d80432c79 | 7210 | #else |
wolfSSL | 4:1b0d80432c79 | 7211 | DerCert der[1]; |
wolfSSL | 4:1b0d80432c79 | 7212 | #endif |
wolfSSL | 4:1b0d80432c79 | 7213 | |
wolfSSL | 4:1b0d80432c79 | 7214 | cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY); |
wolfSSL | 4:1b0d80432c79 | 7215 | |
wolfSSL | 4:1b0d80432c79 | 7216 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7217 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7218 | if (der == NULL) |
wolfSSL | 4:1b0d80432c79 | 7219 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7220 | #endif |
wolfSSL | 4:1b0d80432c79 | 7221 | |
wolfSSL | 4:1b0d80432c79 | 7222 | ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz); |
wolfSSL | 4:1b0d80432c79 | 7223 | if (ret == 0) { |
wolfSSL | 4:1b0d80432c79 | 7224 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 4:1b0d80432c79 | 7225 | ret = BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 7226 | else |
wolfSSL | 4:1b0d80432c79 | 7227 | ret = cert->bodySz = WriteCertBody(der, derBuffer); |
wolfSSL | 4:1b0d80432c79 | 7228 | } |
wolfSSL | 4:1b0d80432c79 | 7229 | |
wolfSSL | 4:1b0d80432c79 | 7230 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7231 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7232 | #endif |
wolfSSL | 4:1b0d80432c79 | 7233 | |
wolfSSL | 4:1b0d80432c79 | 7234 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7235 | } |
wolfSSL | 4:1b0d80432c79 | 7236 | |
wolfSSL | 4:1b0d80432c79 | 7237 | |
wolfSSL | 4:1b0d80432c79 | 7238 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 4:1b0d80432c79 | 7239 | int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, |
wolfSSL | 4:1b0d80432c79 | 7240 | ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 4:1b0d80432c79 | 7241 | { |
wolfSSL | 4:1b0d80432c79 | 7242 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0); |
wolfSSL | 4:1b0d80432c79 | 7243 | } |
wolfSSL | 4:1b0d80432c79 | 7244 | |
wolfSSL | 4:1b0d80432c79 | 7245 | |
wolfSSL | 4:1b0d80432c79 | 7246 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 7247 | |
wolfSSL | 4:1b0d80432c79 | 7248 | int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 4:1b0d80432c79 | 7249 | const byte* ntruKey, word16 keySz, WC_RNG* rng) |
wolfSSL | 4:1b0d80432c79 | 7250 | { |
wolfSSL | 4:1b0d80432c79 | 7251 | return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz); |
wolfSSL | 4:1b0d80432c79 | 7252 | } |
wolfSSL | 4:1b0d80432c79 | 7253 | |
wolfSSL | 4:1b0d80432c79 | 7254 | #endif /* HAVE_NTRU */ |
wolfSSL | 4:1b0d80432c79 | 7255 | |
wolfSSL | 4:1b0d80432c79 | 7256 | |
wolfSSL | 4:1b0d80432c79 | 7257 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 4:1b0d80432c79 | 7258 | |
wolfSSL | 4:1b0d80432c79 | 7259 | static int SetReqAttrib(byte* output, char* pw, int extSz) |
wolfSSL | 4:1b0d80432c79 | 7260 | { |
wolfSSL | 4:1b0d80432c79 | 7261 | static const byte cpOid[] = |
wolfSSL | 4:1b0d80432c79 | 7262 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 4:1b0d80432c79 | 7263 | 0x09, 0x07 }; |
wolfSSL | 4:1b0d80432c79 | 7264 | static const byte erOid[] = |
wolfSSL | 4:1b0d80432c79 | 7265 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 4:1b0d80432c79 | 7266 | 0x09, 0x0e }; |
wolfSSL | 4:1b0d80432c79 | 7267 | |
wolfSSL | 4:1b0d80432c79 | 7268 | int sz = 0; /* overall size */ |
wolfSSL | 4:1b0d80432c79 | 7269 | int cpSz = 0; /* Challenge Password section size */ |
wolfSSL | 4:1b0d80432c79 | 7270 | int cpSeqSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7271 | int cpSetSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7272 | int cpStrSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7273 | int pwSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7274 | int erSz = 0; /* Extension Request section size */ |
wolfSSL | 4:1b0d80432c79 | 7275 | int erSeqSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7276 | int erSetSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7277 | byte cpSeq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7278 | byte cpSet[MAX_SET_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7279 | byte cpStr[MAX_PRSTR_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7280 | byte erSeq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7281 | byte erSet[MAX_SET_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7282 | |
wolfSSL | 4:1b0d80432c79 | 7283 | output[0] = 0xa0; |
wolfSSL | 4:1b0d80432c79 | 7284 | sz++; |
wolfSSL | 4:1b0d80432c79 | 7285 | |
wolfSSL | 4:1b0d80432c79 | 7286 | if (pw && pw[0]) { |
wolfSSL | 4:1b0d80432c79 | 7287 | pwSz = (int)XSTRLEN(pw); |
wolfSSL | 4:1b0d80432c79 | 7288 | cpStrSz = SetUTF8String(pwSz, cpStr); |
wolfSSL | 4:1b0d80432c79 | 7289 | cpSetSz = SetSet(cpStrSz + pwSz, cpSet); |
wolfSSL | 4:1b0d80432c79 | 7290 | cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq); |
wolfSSL | 4:1b0d80432c79 | 7291 | cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz; |
wolfSSL | 4:1b0d80432c79 | 7292 | } |
wolfSSL | 4:1b0d80432c79 | 7293 | |
wolfSSL | 4:1b0d80432c79 | 7294 | if (extSz) { |
wolfSSL | 4:1b0d80432c79 | 7295 | erSetSz = SetSet(extSz, erSet); |
wolfSSL | 4:1b0d80432c79 | 7296 | erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq); |
wolfSSL | 4:1b0d80432c79 | 7297 | erSz = extSz + erSetSz + erSeqSz + sizeof(erOid); |
wolfSSL | 4:1b0d80432c79 | 7298 | } |
wolfSSL | 4:1b0d80432c79 | 7299 | |
wolfSSL | 4:1b0d80432c79 | 7300 | /* Put the pieces together. */ |
wolfSSL | 4:1b0d80432c79 | 7301 | sz += SetLength(cpSz + erSz, &output[sz]); |
wolfSSL | 4:1b0d80432c79 | 7302 | |
wolfSSL | 4:1b0d80432c79 | 7303 | if (cpSz) { |
wolfSSL | 4:1b0d80432c79 | 7304 | XMEMCPY(&output[sz], cpSeq, cpSeqSz); |
wolfSSL | 4:1b0d80432c79 | 7305 | sz += cpSeqSz; |
wolfSSL | 4:1b0d80432c79 | 7306 | XMEMCPY(&output[sz], cpOid, sizeof(cpOid)); |
wolfSSL | 4:1b0d80432c79 | 7307 | sz += sizeof(cpOid); |
wolfSSL | 4:1b0d80432c79 | 7308 | XMEMCPY(&output[sz], cpSet, cpSetSz); |
wolfSSL | 4:1b0d80432c79 | 7309 | sz += cpSetSz; |
wolfSSL | 4:1b0d80432c79 | 7310 | XMEMCPY(&output[sz], cpStr, cpStrSz); |
wolfSSL | 4:1b0d80432c79 | 7311 | sz += cpStrSz; |
wolfSSL | 4:1b0d80432c79 | 7312 | XMEMCPY(&output[sz], pw, pwSz); |
wolfSSL | 4:1b0d80432c79 | 7313 | sz += pwSz; |
wolfSSL | 4:1b0d80432c79 | 7314 | } |
wolfSSL | 4:1b0d80432c79 | 7315 | |
wolfSSL | 4:1b0d80432c79 | 7316 | if (erSz) { |
wolfSSL | 4:1b0d80432c79 | 7317 | XMEMCPY(&output[sz], erSeq, erSeqSz); |
wolfSSL | 4:1b0d80432c79 | 7318 | sz += erSeqSz; |
wolfSSL | 4:1b0d80432c79 | 7319 | XMEMCPY(&output[sz], erOid, sizeof(erOid)); |
wolfSSL | 4:1b0d80432c79 | 7320 | sz += sizeof(erOid); |
wolfSSL | 4:1b0d80432c79 | 7321 | XMEMCPY(&output[sz], erSet, erSetSz); |
wolfSSL | 4:1b0d80432c79 | 7322 | sz += erSetSz; |
wolfSSL | 4:1b0d80432c79 | 7323 | /* The actual extension data will be tacked onto the output later. */ |
wolfSSL | 4:1b0d80432c79 | 7324 | } |
wolfSSL | 4:1b0d80432c79 | 7325 | |
wolfSSL | 4:1b0d80432c79 | 7326 | return sz; |
wolfSSL | 4:1b0d80432c79 | 7327 | } |
wolfSSL | 4:1b0d80432c79 | 7328 | |
wolfSSL | 4:1b0d80432c79 | 7329 | |
wolfSSL | 4:1b0d80432c79 | 7330 | /* encode info from cert into DER encoded format */ |
wolfSSL | 4:1b0d80432c79 | 7331 | static int EncodeCertReq(Cert* cert, DerCert* der, |
wolfSSL | 4:1b0d80432c79 | 7332 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 4:1b0d80432c79 | 7333 | { |
wolfSSL | 4:1b0d80432c79 | 7334 | (void)eccKey; |
wolfSSL | 4:1b0d80432c79 | 7335 | |
wolfSSL | 4:1b0d80432c79 | 7336 | if (cert == NULL || der == NULL) |
wolfSSL | 4:1b0d80432c79 | 7337 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7338 | |
wolfSSL | 4:1b0d80432c79 | 7339 | /* init */ |
wolfSSL | 4:1b0d80432c79 | 7340 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 4:1b0d80432c79 | 7341 | |
wolfSSL | 4:1b0d80432c79 | 7342 | /* version */ |
wolfSSL | 4:1b0d80432c79 | 7343 | der->versionSz = SetMyVersion(cert->version, der->version, FALSE); |
wolfSSL | 4:1b0d80432c79 | 7344 | |
wolfSSL | 4:1b0d80432c79 | 7345 | /* subject name */ |
wolfSSL | 4:1b0d80432c79 | 7346 | der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject); |
wolfSSL | 4:1b0d80432c79 | 7347 | if (der->subjectSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7348 | return SUBJECT_E; |
wolfSSL | 4:1b0d80432c79 | 7349 | |
wolfSSL | 4:1b0d80432c79 | 7350 | /* public key */ |
wolfSSL | 4:1b0d80432c79 | 7351 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 4:1b0d80432c79 | 7352 | if (rsaKey == NULL) |
wolfSSL | 4:1b0d80432c79 | 7353 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7354 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 4:1b0d80432c79 | 7355 | sizeof(der->publicKey), 1); |
wolfSSL | 4:1b0d80432c79 | 7356 | if (der->publicKeySz <= 0) |
wolfSSL | 4:1b0d80432c79 | 7357 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7358 | } |
wolfSSL | 4:1b0d80432c79 | 7359 | |
wolfSSL | 4:1b0d80432c79 | 7360 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 7361 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 4:1b0d80432c79 | 7362 | if (eccKey == NULL) |
wolfSSL | 4:1b0d80432c79 | 7363 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7364 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 4:1b0d80432c79 | 7365 | if (der->publicKeySz <= 0) |
wolfSSL | 4:1b0d80432c79 | 7366 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7367 | } |
wolfSSL | 4:1b0d80432c79 | 7368 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 7369 | |
wolfSSL | 4:1b0d80432c79 | 7370 | /* set the extensions */ |
wolfSSL | 4:1b0d80432c79 | 7371 | der->extensionsSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7372 | |
wolfSSL | 4:1b0d80432c79 | 7373 | /* CA */ |
wolfSSL | 4:1b0d80432c79 | 7374 | if (cert->isCA) { |
wolfSSL | 4:1b0d80432c79 | 7375 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 4:1b0d80432c79 | 7376 | if (der->caSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7377 | return CA_TRUE_E; |
wolfSSL | 4:1b0d80432c79 | 7378 | |
wolfSSL | 4:1b0d80432c79 | 7379 | der->extensionsSz += der->caSz; |
wolfSSL | 4:1b0d80432c79 | 7380 | } |
wolfSSL | 4:1b0d80432c79 | 7381 | else |
wolfSSL | 4:1b0d80432c79 | 7382 | der->caSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7383 | |
wolfSSL | 4:1b0d80432c79 | 7384 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 7385 | /* SKID */ |
wolfSSL | 4:1b0d80432c79 | 7386 | if (cert->skidSz) { |
wolfSSL | 4:1b0d80432c79 | 7387 | /* check the provided SKID size */ |
wolfSSL | 4:1b0d80432c79 | 7388 | if (cert->skidSz > (int)sizeof(der->skid)) |
wolfSSL | 4:1b0d80432c79 | 7389 | return SKID_E; |
wolfSSL | 4:1b0d80432c79 | 7390 | |
wolfSSL | 4:1b0d80432c79 | 7391 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 4:1b0d80432c79 | 7392 | cert->skid, cert->skidSz); |
wolfSSL | 4:1b0d80432c79 | 7393 | if (der->skidSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7394 | return SKID_E; |
wolfSSL | 4:1b0d80432c79 | 7395 | |
wolfSSL | 4:1b0d80432c79 | 7396 | der->extensionsSz += der->skidSz; |
wolfSSL | 4:1b0d80432c79 | 7397 | } |
wolfSSL | 4:1b0d80432c79 | 7398 | else |
wolfSSL | 4:1b0d80432c79 | 7399 | der->skidSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7400 | |
wolfSSL | 4:1b0d80432c79 | 7401 | /* Key Usage */ |
wolfSSL | 4:1b0d80432c79 | 7402 | if (cert->keyUsage != 0){ |
wolfSSL | 4:1b0d80432c79 | 7403 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 4:1b0d80432c79 | 7404 | cert->keyUsage); |
wolfSSL | 4:1b0d80432c79 | 7405 | if (der->keyUsageSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7406 | return KEYUSAGE_E; |
wolfSSL | 4:1b0d80432c79 | 7407 | |
wolfSSL | 4:1b0d80432c79 | 7408 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 4:1b0d80432c79 | 7409 | } |
wolfSSL | 4:1b0d80432c79 | 7410 | else |
wolfSSL | 4:1b0d80432c79 | 7411 | der->keyUsageSz = 0; |
wolfSSL | 4:1b0d80432c79 | 7412 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 7413 | |
wolfSSL | 4:1b0d80432c79 | 7414 | /* put extensions */ |
wolfSSL | 4:1b0d80432c79 | 7415 | if (der->extensionsSz > 0) { |
wolfSSL | 4:1b0d80432c79 | 7416 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7417 | |
wolfSSL | 4:1b0d80432c79 | 7418 | /* put the start of sequence (ID, Size) */ |
wolfSSL | 4:1b0d80432c79 | 7419 | der->extensionsSz = SetSequence(der->extensionsSz, der->extensions); |
wolfSSL | 4:1b0d80432c79 | 7420 | if (der->extensionsSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7421 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7422 | |
wolfSSL | 4:1b0d80432c79 | 7423 | /* put CA */ |
wolfSSL | 4:1b0d80432c79 | 7424 | if (der->caSz) { |
wolfSSL | 4:1b0d80432c79 | 7425 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7426 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7427 | der->ca, der->caSz); |
wolfSSL | 4:1b0d80432c79 | 7428 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7429 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7430 | } |
wolfSSL | 4:1b0d80432c79 | 7431 | |
wolfSSL | 4:1b0d80432c79 | 7432 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 7433 | /* put SKID */ |
wolfSSL | 4:1b0d80432c79 | 7434 | if (der->skidSz) { |
wolfSSL | 4:1b0d80432c79 | 7435 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7436 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7437 | der->skid, der->skidSz); |
wolfSSL | 4:1b0d80432c79 | 7438 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7439 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7440 | } |
wolfSSL | 4:1b0d80432c79 | 7441 | |
wolfSSL | 4:1b0d80432c79 | 7442 | /* put AKID */ |
wolfSSL | 4:1b0d80432c79 | 7443 | if (der->akidSz) { |
wolfSSL | 4:1b0d80432c79 | 7444 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7445 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7446 | der->akid, der->akidSz); |
wolfSSL | 4:1b0d80432c79 | 7447 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7448 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7449 | } |
wolfSSL | 4:1b0d80432c79 | 7450 | |
wolfSSL | 4:1b0d80432c79 | 7451 | /* put KeyUsage */ |
wolfSSL | 4:1b0d80432c79 | 7452 | if (der->keyUsageSz) { |
wolfSSL | 4:1b0d80432c79 | 7453 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 4:1b0d80432c79 | 7454 | &der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7455 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 4:1b0d80432c79 | 7456 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 7457 | return EXTENSIONS_E; |
wolfSSL | 4:1b0d80432c79 | 7458 | } |
wolfSSL | 4:1b0d80432c79 | 7459 | |
wolfSSL | 4:1b0d80432c79 | 7460 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 7461 | } |
wolfSSL | 4:1b0d80432c79 | 7462 | |
wolfSSL | 4:1b0d80432c79 | 7463 | der->attribSz = SetReqAttrib(der->attrib, |
wolfSSL | 4:1b0d80432c79 | 7464 | cert->challengePw, der->extensionsSz); |
wolfSSL | 4:1b0d80432c79 | 7465 | if (der->attribSz == 0) |
wolfSSL | 4:1b0d80432c79 | 7466 | return REQ_ATTRIBUTE_E; |
wolfSSL | 4:1b0d80432c79 | 7467 | |
wolfSSL | 4:1b0d80432c79 | 7468 | der->total = der->versionSz + der->subjectSz + der->publicKeySz + |
wolfSSL | 4:1b0d80432c79 | 7469 | der->extensionsSz + der->attribSz; |
wolfSSL | 4:1b0d80432c79 | 7470 | |
wolfSSL | 4:1b0d80432c79 | 7471 | return 0; |
wolfSSL | 4:1b0d80432c79 | 7472 | } |
wolfSSL | 4:1b0d80432c79 | 7473 | |
wolfSSL | 4:1b0d80432c79 | 7474 | |
wolfSSL | 4:1b0d80432c79 | 7475 | /* write DER encoded cert req to buffer, size already checked */ |
wolfSSL | 4:1b0d80432c79 | 7476 | static int WriteCertReqBody(DerCert* der, byte* buffer) |
wolfSSL | 4:1b0d80432c79 | 7477 | { |
wolfSSL | 4:1b0d80432c79 | 7478 | int idx; |
wolfSSL | 4:1b0d80432c79 | 7479 | |
wolfSSL | 4:1b0d80432c79 | 7480 | /* signed part header */ |
wolfSSL | 4:1b0d80432c79 | 7481 | idx = SetSequence(der->total, buffer); |
wolfSSL | 4:1b0d80432c79 | 7482 | /* version */ |
wolfSSL | 4:1b0d80432c79 | 7483 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 4:1b0d80432c79 | 7484 | idx += der->versionSz; |
wolfSSL | 4:1b0d80432c79 | 7485 | /* subject */ |
wolfSSL | 4:1b0d80432c79 | 7486 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 4:1b0d80432c79 | 7487 | idx += der->subjectSz; |
wolfSSL | 4:1b0d80432c79 | 7488 | /* public key */ |
wolfSSL | 4:1b0d80432c79 | 7489 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 4:1b0d80432c79 | 7490 | idx += der->publicKeySz; |
wolfSSL | 4:1b0d80432c79 | 7491 | /* attributes */ |
wolfSSL | 4:1b0d80432c79 | 7492 | XMEMCPY(buffer + idx, der->attrib, der->attribSz); |
wolfSSL | 4:1b0d80432c79 | 7493 | idx += der->attribSz; |
wolfSSL | 4:1b0d80432c79 | 7494 | /* extensions */ |
wolfSSL | 4:1b0d80432c79 | 7495 | if (der->extensionsSz) { |
wolfSSL | 4:1b0d80432c79 | 7496 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 4:1b0d80432c79 | 7497 | sizeof(der->extensions))); |
wolfSSL | 4:1b0d80432c79 | 7498 | idx += der->extensionsSz; |
wolfSSL | 4:1b0d80432c79 | 7499 | } |
wolfSSL | 4:1b0d80432c79 | 7500 | |
wolfSSL | 4:1b0d80432c79 | 7501 | return idx; |
wolfSSL | 4:1b0d80432c79 | 7502 | } |
wolfSSL | 4:1b0d80432c79 | 7503 | |
wolfSSL | 4:1b0d80432c79 | 7504 | |
wolfSSL | 4:1b0d80432c79 | 7505 | int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 4:1b0d80432c79 | 7506 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 4:1b0d80432c79 | 7507 | { |
wolfSSL | 4:1b0d80432c79 | 7508 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7509 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7510 | DerCert* der; |
wolfSSL | 4:1b0d80432c79 | 7511 | #else |
wolfSSL | 4:1b0d80432c79 | 7512 | DerCert der[1]; |
wolfSSL | 4:1b0d80432c79 | 7513 | #endif |
wolfSSL | 4:1b0d80432c79 | 7514 | |
wolfSSL | 4:1b0d80432c79 | 7515 | cert->keyType = eccKey ? ECC_KEY : RSA_KEY; |
wolfSSL | 4:1b0d80432c79 | 7516 | |
wolfSSL | 4:1b0d80432c79 | 7517 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7518 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7519 | if (der == NULL) |
wolfSSL | 4:1b0d80432c79 | 7520 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7521 | #endif |
wolfSSL | 4:1b0d80432c79 | 7522 | |
wolfSSL | 4:1b0d80432c79 | 7523 | ret = EncodeCertReq(cert, der, rsaKey, eccKey); |
wolfSSL | 4:1b0d80432c79 | 7524 | |
wolfSSL | 4:1b0d80432c79 | 7525 | if (ret == 0) { |
wolfSSL | 4:1b0d80432c79 | 7526 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 4:1b0d80432c79 | 7527 | ret = BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 7528 | else |
wolfSSL | 4:1b0d80432c79 | 7529 | ret = cert->bodySz = WriteCertReqBody(der, derBuffer); |
wolfSSL | 4:1b0d80432c79 | 7530 | } |
wolfSSL | 4:1b0d80432c79 | 7531 | |
wolfSSL | 4:1b0d80432c79 | 7532 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7533 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7534 | #endif |
wolfSSL | 4:1b0d80432c79 | 7535 | |
wolfSSL | 4:1b0d80432c79 | 7536 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7537 | } |
wolfSSL | 4:1b0d80432c79 | 7538 | |
wolfSSL | 4:1b0d80432c79 | 7539 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 4:1b0d80432c79 | 7540 | |
wolfSSL | 4:1b0d80432c79 | 7541 | |
wolfSSL | 4:1b0d80432c79 | 7542 | int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz, |
wolfSSL | 4:1b0d80432c79 | 7543 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 4:1b0d80432c79 | 7544 | { |
wolfSSL | 4:1b0d80432c79 | 7545 | int sigSz; |
wolfSSL | 4:1b0d80432c79 | 7546 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7547 | byte* sig; |
wolfSSL | 4:1b0d80432c79 | 7548 | #else |
wolfSSL | 4:1b0d80432c79 | 7549 | byte sig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 7550 | #endif |
wolfSSL | 4:1b0d80432c79 | 7551 | |
wolfSSL | 4:1b0d80432c79 | 7552 | if (requestSz < 0) |
wolfSSL | 4:1b0d80432c79 | 7553 | return requestSz; |
wolfSSL | 4:1b0d80432c79 | 7554 | |
wolfSSL | 4:1b0d80432c79 | 7555 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7556 | sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7557 | if (sig == NULL) |
wolfSSL | 4:1b0d80432c79 | 7558 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7559 | #endif |
wolfSSL | 4:1b0d80432c79 | 7560 | |
wolfSSL | 4:1b0d80432c79 | 7561 | sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey, |
wolfSSL | 4:1b0d80432c79 | 7562 | eccKey, rng, sType); |
wolfSSL | 4:1b0d80432c79 | 7563 | |
wolfSSL | 4:1b0d80432c79 | 7564 | if (sigSz >= 0) { |
wolfSSL | 4:1b0d80432c79 | 7565 | if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz) |
wolfSSL | 4:1b0d80432c79 | 7566 | sigSz = BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 7567 | else |
wolfSSL | 4:1b0d80432c79 | 7568 | sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType); |
wolfSSL | 4:1b0d80432c79 | 7569 | } |
wolfSSL | 4:1b0d80432c79 | 7570 | |
wolfSSL | 4:1b0d80432c79 | 7571 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7572 | XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7573 | #endif |
wolfSSL | 4:1b0d80432c79 | 7574 | |
wolfSSL | 4:1b0d80432c79 | 7575 | return sigSz; |
wolfSSL | 4:1b0d80432c79 | 7576 | } |
wolfSSL | 4:1b0d80432c79 | 7577 | |
wolfSSL | 4:1b0d80432c79 | 7578 | |
wolfSSL | 4:1b0d80432c79 | 7579 | int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, |
wolfSSL | 4:1b0d80432c79 | 7580 | RsaKey* key, WC_RNG* rng) |
wolfSSL | 4:1b0d80432c79 | 7581 | { |
wolfSSL | 4:1b0d80432c79 | 7582 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7583 | |
wolfSSL | 4:1b0d80432c79 | 7584 | ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng); |
wolfSSL | 4:1b0d80432c79 | 7585 | if (ret < 0) |
wolfSSL | 4:1b0d80432c79 | 7586 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7587 | |
wolfSSL | 4:1b0d80432c79 | 7588 | return wc_SignCert(cert->bodySz, cert->sigType, |
wolfSSL | 4:1b0d80432c79 | 7589 | buffer, buffSz, key, NULL, rng); |
wolfSSL | 4:1b0d80432c79 | 7590 | } |
wolfSSL | 4:1b0d80432c79 | 7591 | |
wolfSSL | 4:1b0d80432c79 | 7592 | |
wolfSSL | 4:1b0d80432c79 | 7593 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 4:1b0d80432c79 | 7594 | |
wolfSSL | 4:1b0d80432c79 | 7595 | /* Set KID from RSA or ECC public key */ |
wolfSSL | 4:1b0d80432c79 | 7596 | static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, |
wolfSSL | 4:1b0d80432c79 | 7597 | byte *ntruKey, word16 ntruKeySz, int kid_type) |
wolfSSL | 4:1b0d80432c79 | 7598 | { |
wolfSSL | 4:1b0d80432c79 | 7599 | byte *buffer; |
wolfSSL | 4:1b0d80432c79 | 7600 | int bufferSz, ret; |
wolfSSL | 4:1b0d80432c79 | 7601 | |
wolfSSL | 4:1b0d80432c79 | 7602 | #ifndef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 7603 | (void)ntruKeySz; |
wolfSSL | 4:1b0d80432c79 | 7604 | #endif |
wolfSSL | 4:1b0d80432c79 | 7605 | |
wolfSSL | 4:1b0d80432c79 | 7606 | if (cert == NULL || (rsakey == NULL && eckey == NULL && ntruKey == NULL) || |
wolfSSL | 4:1b0d80432c79 | 7607 | (rsakey != NULL && eckey != NULL) || |
wolfSSL | 4:1b0d80432c79 | 7608 | (rsakey != NULL && ntruKey != NULL) || |
wolfSSL | 4:1b0d80432c79 | 7609 | (ntruKey != NULL && eckey != NULL) || |
wolfSSL | 4:1b0d80432c79 | 7610 | (kid_type != SKID_TYPE && kid_type != AKID_TYPE)) |
wolfSSL | 4:1b0d80432c79 | 7611 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7612 | |
wolfSSL | 4:1b0d80432c79 | 7613 | buffer = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7614 | if (buffer == NULL) |
wolfSSL | 4:1b0d80432c79 | 7615 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7616 | |
wolfSSL | 4:1b0d80432c79 | 7617 | /* RSA public key */ |
wolfSSL | 4:1b0d80432c79 | 7618 | if (rsakey != NULL) |
wolfSSL | 4:1b0d80432c79 | 7619 | bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0); |
wolfSSL | 4:1b0d80432c79 | 7620 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 7621 | /* ECC public key */ |
wolfSSL | 4:1b0d80432c79 | 7622 | else if (eckey != NULL) |
wolfSSL | 4:1b0d80432c79 | 7623 | bufferSz = SetEccPublicKey(buffer, eckey, 0); |
wolfSSL | 4:1b0d80432c79 | 7624 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 7625 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 7626 | /* NTRU public key */ |
wolfSSL | 4:1b0d80432c79 | 7627 | else if (ntruKey != NULL) { |
wolfSSL | 4:1b0d80432c79 | 7628 | bufferSz = MAX_PUBLIC_KEY_SZ; |
wolfSSL | 4:1b0d80432c79 | 7629 | ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( |
wolfSSL | 4:1b0d80432c79 | 7630 | ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer); |
wolfSSL | 4:1b0d80432c79 | 7631 | if (ret != NTRU_OK) |
wolfSSL | 4:1b0d80432c79 | 7632 | bufferSz = -1; |
wolfSSL | 4:1b0d80432c79 | 7633 | } |
wolfSSL | 4:1b0d80432c79 | 7634 | #endif |
wolfSSL | 4:1b0d80432c79 | 7635 | else |
wolfSSL | 4:1b0d80432c79 | 7636 | bufferSz = -1; |
wolfSSL | 4:1b0d80432c79 | 7637 | |
wolfSSL | 4:1b0d80432c79 | 7638 | if (bufferSz <= 0) { |
wolfSSL | 4:1b0d80432c79 | 7639 | XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7640 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7641 | } |
wolfSSL | 4:1b0d80432c79 | 7642 | |
wolfSSL | 4:1b0d80432c79 | 7643 | /* Compute SKID by hashing public key */ |
wolfSSL | 4:1b0d80432c79 | 7644 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 7645 | if (kid_type == SKID_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 7646 | ret = wc_Sha256Hash(buffer, bufferSz, cert->skid); |
wolfSSL | 4:1b0d80432c79 | 7647 | cert->skidSz = SHA256_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7648 | } |
wolfSSL | 4:1b0d80432c79 | 7649 | else if (kid_type == AKID_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 7650 | ret = wc_Sha256Hash(buffer, bufferSz, cert->akid); |
wolfSSL | 4:1b0d80432c79 | 7651 | cert->akidSz = SHA256_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7652 | } |
wolfSSL | 4:1b0d80432c79 | 7653 | else |
wolfSSL | 4:1b0d80432c79 | 7654 | ret = BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7655 | #else /* NO_SHA */ |
wolfSSL | 4:1b0d80432c79 | 7656 | if (kid_type == SKID_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 7657 | ret = wc_ShaHash(buffer, bufferSz, cert->skid); |
wolfSSL | 4:1b0d80432c79 | 7658 | cert->skidSz = SHA_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7659 | } |
wolfSSL | 4:1b0d80432c79 | 7660 | else if (kid_type == AKID_TYPE) { |
wolfSSL | 4:1b0d80432c79 | 7661 | ret = wc_ShaHash(buffer, bufferSz, cert->akid); |
wolfSSL | 4:1b0d80432c79 | 7662 | cert->akidSz = SHA_DIGEST_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7663 | } |
wolfSSL | 4:1b0d80432c79 | 7664 | else |
wolfSSL | 4:1b0d80432c79 | 7665 | ret = BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7666 | #endif /* NO_SHA */ |
wolfSSL | 4:1b0d80432c79 | 7667 | |
wolfSSL | 4:1b0d80432c79 | 7668 | XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7669 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7670 | } |
wolfSSL | 4:1b0d80432c79 | 7671 | |
wolfSSL | 4:1b0d80432c79 | 7672 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 4:1b0d80432c79 | 7673 | int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 4:1b0d80432c79 | 7674 | { |
wolfSSL | 4:1b0d80432c79 | 7675 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, SKID_TYPE); |
wolfSSL | 4:1b0d80432c79 | 7676 | } |
wolfSSL | 4:1b0d80432c79 | 7677 | |
wolfSSL | 4:1b0d80432c79 | 7678 | #ifdef HAVE_NTRU |
wolfSSL | 4:1b0d80432c79 | 7679 | /* Set SKID from NTRU public key */ |
wolfSSL | 4:1b0d80432c79 | 7680 | int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, |
wolfSSL | 4:1b0d80432c79 | 7681 | byte *ntruKey, word16 ntruKeySz) |
wolfSSL | 4:1b0d80432c79 | 7682 | { |
wolfSSL | 4:1b0d80432c79 | 7683 | return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, SKID_TYPE); |
wolfSSL | 4:1b0d80432c79 | 7684 | } |
wolfSSL | 4:1b0d80432c79 | 7685 | #endif |
wolfSSL | 4:1b0d80432c79 | 7686 | |
wolfSSL | 4:1b0d80432c79 | 7687 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 4:1b0d80432c79 | 7688 | int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 4:1b0d80432c79 | 7689 | { |
wolfSSL | 4:1b0d80432c79 | 7690 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, AKID_TYPE); |
wolfSSL | 4:1b0d80432c79 | 7691 | } |
wolfSSL | 4:1b0d80432c79 | 7692 | |
wolfSSL | 4:1b0d80432c79 | 7693 | |
wolfSSL | 4:1b0d80432c79 | 7694 | #ifndef NO_FILESYSTEM |
wolfSSL | 4:1b0d80432c79 | 7695 | |
wolfSSL | 4:1b0d80432c79 | 7696 | /* Set SKID from public key file in PEM */ |
wolfSSL | 4:1b0d80432c79 | 7697 | int wc_SetSubjectKeyId(Cert *cert, const char* file) |
wolfSSL | 4:1b0d80432c79 | 7698 | { |
wolfSSL | 4:1b0d80432c79 | 7699 | int ret, derSz; |
wolfSSL | 4:1b0d80432c79 | 7700 | byte* der; |
wolfSSL | 4:1b0d80432c79 | 7701 | word32 idx; |
wolfSSL | 4:1b0d80432c79 | 7702 | RsaKey *rsakey = NULL; |
wolfSSL | 4:1b0d80432c79 | 7703 | ecc_key *eckey = NULL; |
wolfSSL | 4:1b0d80432c79 | 7704 | |
wolfSSL | 4:1b0d80432c79 | 7705 | if (cert == NULL || file == NULL) |
wolfSSL | 4:1b0d80432c79 | 7706 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7707 | |
wolfSSL | 4:1b0d80432c79 | 7708 | der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7709 | if (der == NULL) { |
wolfSSL | 4:1b0d80432c79 | 7710 | WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem"); |
wolfSSL | 4:1b0d80432c79 | 7711 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7712 | } |
wolfSSL | 4:1b0d80432c79 | 7713 | |
wolfSSL | 4:1b0d80432c79 | 7714 | derSz = wolfSSL_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ); |
wolfSSL | 4:1b0d80432c79 | 7715 | if (derSz <= 0) |
wolfSSL | 4:1b0d80432c79 | 7716 | { |
wolfSSL | 4:1b0d80432c79 | 7717 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7718 | return derSz; |
wolfSSL | 4:1b0d80432c79 | 7719 | } |
wolfSSL | 4:1b0d80432c79 | 7720 | |
wolfSSL | 4:1b0d80432c79 | 7721 | /* Load PubKey in internal structure */ |
wolfSSL | 4:1b0d80432c79 | 7722 | rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 7723 | if (rsakey == NULL) { |
wolfSSL | 4:1b0d80432c79 | 7724 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7725 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7726 | } |
wolfSSL | 4:1b0d80432c79 | 7727 | |
wolfSSL | 4:1b0d80432c79 | 7728 | if (wc_InitRsaKey(rsakey, NULL) != 0) { |
wolfSSL | 4:1b0d80432c79 | 7729 | WOLFSSL_MSG("wc_InitRsaKey failure"); |
wolfSSL | 4:1b0d80432c79 | 7730 | XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 7731 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7732 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7733 | } |
wolfSSL | 4:1b0d80432c79 | 7734 | |
wolfSSL | 4:1b0d80432c79 | 7735 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 7736 | ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz); |
wolfSSL | 4:1b0d80432c79 | 7737 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 7738 | WOLFSSL_MSG("wc_RsaPublicKeyDecode failed"); |
wolfSSL | 4:1b0d80432c79 | 7739 | wc_FreeRsaKey(rsakey); |
wolfSSL | 4:1b0d80432c79 | 7740 | XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 7741 | rsakey = NULL; |
wolfSSL | 4:1b0d80432c79 | 7742 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 7743 | /* Check to load ecc public key */ |
wolfSSL | 4:1b0d80432c79 | 7744 | eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 4:1b0d80432c79 | 7745 | if (eckey == NULL) { |
wolfSSL | 4:1b0d80432c79 | 7746 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7747 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7748 | } |
wolfSSL | 4:1b0d80432c79 | 7749 | |
wolfSSL | 4:1b0d80432c79 | 7750 | if (wc_ecc_init(eckey) != 0) { |
wolfSSL | 4:1b0d80432c79 | 7751 | WOLFSSL_MSG("wc_ecc_init failure"); |
wolfSSL | 4:1b0d80432c79 | 7752 | wc_ecc_free(eckey); |
wolfSSL | 4:1b0d80432c79 | 7753 | XFREE(eckey, NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 4:1b0d80432c79 | 7754 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7755 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7756 | } |
wolfSSL | 4:1b0d80432c79 | 7757 | |
wolfSSL | 4:1b0d80432c79 | 7758 | idx = 0; |
wolfSSL | 4:1b0d80432c79 | 7759 | ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz); |
wolfSSL | 4:1b0d80432c79 | 7760 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 7761 | WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); |
wolfSSL | 4:1b0d80432c79 | 7762 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7763 | wc_ecc_free(eckey); |
wolfSSL | 4:1b0d80432c79 | 7764 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7765 | } |
wolfSSL | 4:1b0d80432c79 | 7766 | #else |
wolfSSL | 4:1b0d80432c79 | 7767 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7768 | return PUBLIC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 7769 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 7770 | } |
wolfSSL | 4:1b0d80432c79 | 7771 | |
wolfSSL | 4:1b0d80432c79 | 7772 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7773 | |
wolfSSL | 4:1b0d80432c79 | 7774 | ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey); |
wolfSSL | 4:1b0d80432c79 | 7775 | |
wolfSSL | 4:1b0d80432c79 | 7776 | wc_FreeRsaKey(rsakey); |
wolfSSL | 4:1b0d80432c79 | 7777 | XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 4:1b0d80432c79 | 7778 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 7779 | wc_ecc_free(eckey); |
wolfSSL | 4:1b0d80432c79 | 7780 | XFREE(eckey, NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 4:1b0d80432c79 | 7781 | #endif |
wolfSSL | 4:1b0d80432c79 | 7782 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7783 | } |
wolfSSL | 4:1b0d80432c79 | 7784 | |
wolfSSL | 4:1b0d80432c79 | 7785 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 4:1b0d80432c79 | 7786 | |
wolfSSL | 4:1b0d80432c79 | 7787 | /* Set AKID from certificate contains in buffer (DER encoded) */ |
wolfSSL | 4:1b0d80432c79 | 7788 | int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 7789 | { |
wolfSSL | 4:1b0d80432c79 | 7790 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7791 | |
wolfSSL | 4:1b0d80432c79 | 7792 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7793 | DecodedCert* decoded; |
wolfSSL | 4:1b0d80432c79 | 7794 | #else |
wolfSSL | 4:1b0d80432c79 | 7795 | DecodedCert decoded[1]; |
wolfSSL | 4:1b0d80432c79 | 7796 | #endif |
wolfSSL | 4:1b0d80432c79 | 7797 | |
wolfSSL | 4:1b0d80432c79 | 7798 | if (cert == NULL || der == NULL || derSz <= 0) |
wolfSSL | 4:1b0d80432c79 | 7799 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7800 | |
wolfSSL | 4:1b0d80432c79 | 7801 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7802 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), |
wolfSSL | 4:1b0d80432c79 | 7803 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7804 | if (decoded == NULL) |
wolfSSL | 4:1b0d80432c79 | 7805 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7806 | #endif |
wolfSSL | 4:1b0d80432c79 | 7807 | |
wolfSSL | 4:1b0d80432c79 | 7808 | /* decode certificate and get SKID that will be AKID of current cert */ |
wolfSSL | 4:1b0d80432c79 | 7809 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 4:1b0d80432c79 | 7810 | ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0); |
wolfSSL | 4:1b0d80432c79 | 7811 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 7812 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 7813 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7814 | } |
wolfSSL | 4:1b0d80432c79 | 7815 | |
wolfSSL | 4:1b0d80432c79 | 7816 | /* Subject Key Id not found !! */ |
wolfSSL | 4:1b0d80432c79 | 7817 | if (decoded->extSubjKeyIdSet == 0) { |
wolfSSL | 4:1b0d80432c79 | 7818 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 7819 | return ASN_NO_SKID; |
wolfSSL | 4:1b0d80432c79 | 7820 | } |
wolfSSL | 4:1b0d80432c79 | 7821 | |
wolfSSL | 4:1b0d80432c79 | 7822 | /* SKID invalid size */ |
wolfSSL | 4:1b0d80432c79 | 7823 | if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) { |
wolfSSL | 4:1b0d80432c79 | 7824 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 7825 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7826 | } |
wolfSSL | 4:1b0d80432c79 | 7827 | |
wolfSSL | 4:1b0d80432c79 | 7828 | /* Put the SKID of CA to AKID of certificate */ |
wolfSSL | 4:1b0d80432c79 | 7829 | XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 7830 | cert->akidSz = KEYID_SIZE; |
wolfSSL | 4:1b0d80432c79 | 7831 | |
wolfSSL | 4:1b0d80432c79 | 7832 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 7833 | return 0; |
wolfSSL | 4:1b0d80432c79 | 7834 | } |
wolfSSL | 4:1b0d80432c79 | 7835 | |
wolfSSL | 4:1b0d80432c79 | 7836 | |
wolfSSL | 4:1b0d80432c79 | 7837 | #ifndef NO_FILESYSTEM |
wolfSSL | 4:1b0d80432c79 | 7838 | |
wolfSSL | 4:1b0d80432c79 | 7839 | /* Set AKID from certificate file in PEM */ |
wolfSSL | 4:1b0d80432c79 | 7840 | int wc_SetAuthKeyId(Cert *cert, const char* file) |
wolfSSL | 4:1b0d80432c79 | 7841 | { |
wolfSSL | 4:1b0d80432c79 | 7842 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7843 | int derSz; |
wolfSSL | 4:1b0d80432c79 | 7844 | byte* der; |
wolfSSL | 4:1b0d80432c79 | 7845 | |
wolfSSL | 4:1b0d80432c79 | 7846 | if (cert == NULL || file == NULL) |
wolfSSL | 4:1b0d80432c79 | 7847 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7848 | |
wolfSSL | 4:1b0d80432c79 | 7849 | der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7850 | if (der == NULL) { |
wolfSSL | 4:1b0d80432c79 | 7851 | WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem"); |
wolfSSL | 4:1b0d80432c79 | 7852 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7853 | } |
wolfSSL | 4:1b0d80432c79 | 7854 | |
wolfSSL | 4:1b0d80432c79 | 7855 | derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 4:1b0d80432c79 | 7856 | if (derSz <= 0) |
wolfSSL | 4:1b0d80432c79 | 7857 | { |
wolfSSL | 4:1b0d80432c79 | 7858 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7859 | return derSz; |
wolfSSL | 4:1b0d80432c79 | 7860 | } |
wolfSSL | 4:1b0d80432c79 | 7861 | |
wolfSSL | 4:1b0d80432c79 | 7862 | ret = wc_SetAuthKeyIdFromCert(cert, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 7863 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 7864 | |
wolfSSL | 4:1b0d80432c79 | 7865 | return ret; |
wolfSSL | 4:1b0d80432c79 | 7866 | } |
wolfSSL | 4:1b0d80432c79 | 7867 | |
wolfSSL | 4:1b0d80432c79 | 7868 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 4:1b0d80432c79 | 7869 | |
wolfSSL | 4:1b0d80432c79 | 7870 | /* Set KeyUsage from human readable string */ |
wolfSSL | 4:1b0d80432c79 | 7871 | int wc_SetKeyUsage(Cert *cert, const char *value) |
wolfSSL | 4:1b0d80432c79 | 7872 | { |
wolfSSL | 4:1b0d80432c79 | 7873 | char *token, *str, *ptr; |
wolfSSL | 4:1b0d80432c79 | 7874 | word32 len; |
wolfSSL | 4:1b0d80432c79 | 7875 | |
wolfSSL | 4:1b0d80432c79 | 7876 | if (cert == NULL || value == NULL) |
wolfSSL | 4:1b0d80432c79 | 7877 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 7878 | |
wolfSSL | 4:1b0d80432c79 | 7879 | cert->keyUsage = 0; |
wolfSSL | 4:1b0d80432c79 | 7880 | |
wolfSSL | 4:1b0d80432c79 | 7881 | str = (char *)XMALLOC(XSTRLEN(value)+1, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7882 | if (str == NULL) |
wolfSSL | 4:1b0d80432c79 | 7883 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7884 | |
wolfSSL | 4:1b0d80432c79 | 7885 | XMEMSET(str, 0, XSTRLEN(value)+1); |
wolfSSL | 4:1b0d80432c79 | 7886 | XSTRNCPY(str, value, XSTRLEN(value)); |
wolfSSL | 4:1b0d80432c79 | 7887 | |
wolfSSL | 4:1b0d80432c79 | 7888 | /* parse value, and set corresponding Key Usage value */ |
wolfSSL | 4:1b0d80432c79 | 7889 | token = XSTRTOK(str, ",", &ptr); |
wolfSSL | 4:1b0d80432c79 | 7890 | while (token != NULL) |
wolfSSL | 4:1b0d80432c79 | 7891 | { |
wolfSSL | 4:1b0d80432c79 | 7892 | len = (word32)XSTRLEN(token); |
wolfSSL | 4:1b0d80432c79 | 7893 | |
wolfSSL | 4:1b0d80432c79 | 7894 | if (!XSTRNCASECMP(token, "digitalSignature", len)) |
wolfSSL | 4:1b0d80432c79 | 7895 | cert->keyUsage |= KEYUSE_DIGITAL_SIG; |
wolfSSL | 4:1b0d80432c79 | 7896 | else if (!XSTRNCASECMP(token, "nonRepudiation", len) || |
wolfSSL | 4:1b0d80432c79 | 7897 | !XSTRNCASECMP(token, "contentCommitment", len)) |
wolfSSL | 4:1b0d80432c79 | 7898 | cert->keyUsage |= KEYUSE_CONTENT_COMMIT; |
wolfSSL | 4:1b0d80432c79 | 7899 | else if (!XSTRNCASECMP(token, "keyEncipherment", len)) |
wolfSSL | 4:1b0d80432c79 | 7900 | cert->keyUsage |= KEYUSE_KEY_ENCIPHER; |
wolfSSL | 4:1b0d80432c79 | 7901 | else if (!XSTRNCASECMP(token, "dataEncipherment", len)) |
wolfSSL | 4:1b0d80432c79 | 7902 | cert->keyUsage |= KEYUSE_DATA_ENCIPHER; |
wolfSSL | 4:1b0d80432c79 | 7903 | else if (!XSTRNCASECMP(token, "keyAgreement", len)) |
wolfSSL | 4:1b0d80432c79 | 7904 | cert->keyUsage |= KEYUSE_KEY_AGREE; |
wolfSSL | 4:1b0d80432c79 | 7905 | else if (!XSTRNCASECMP(token, "keyCertSign", len)) |
wolfSSL | 4:1b0d80432c79 | 7906 | cert->keyUsage |= KEYUSE_KEY_CERT_SIGN; |
wolfSSL | 4:1b0d80432c79 | 7907 | else if (!XSTRNCASECMP(token, "cRLSign", len)) |
wolfSSL | 4:1b0d80432c79 | 7908 | cert->keyUsage |= KEYUSE_CRL_SIGN; |
wolfSSL | 4:1b0d80432c79 | 7909 | else if (!XSTRNCASECMP(token, "encipherOnly", len)) |
wolfSSL | 4:1b0d80432c79 | 7910 | cert->keyUsage |= KEYUSE_ENCIPHER_ONLY; |
wolfSSL | 4:1b0d80432c79 | 7911 | else if (!XSTRNCASECMP(token, "decipherOnly", len)) |
wolfSSL | 4:1b0d80432c79 | 7912 | cert->keyUsage |= KEYUSE_DECIPHER_ONLY; |
wolfSSL | 4:1b0d80432c79 | 7913 | else |
wolfSSL | 4:1b0d80432c79 | 7914 | return KEYUSAGE_E; |
wolfSSL | 4:1b0d80432c79 | 7915 | |
wolfSSL | 4:1b0d80432c79 | 7916 | token = XSTRTOK(NULL, ",", &ptr); |
wolfSSL | 4:1b0d80432c79 | 7917 | } |
wolfSSL | 4:1b0d80432c79 | 7918 | |
wolfSSL | 4:1b0d80432c79 | 7919 | XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7920 | return 0; |
wolfSSL | 4:1b0d80432c79 | 7921 | } |
wolfSSL | 4:1b0d80432c79 | 7922 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 4:1b0d80432c79 | 7923 | |
wolfSSL | 4:1b0d80432c79 | 7924 | |
wolfSSL | 4:1b0d80432c79 | 7925 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 7926 | |
wolfSSL | 4:1b0d80432c79 | 7927 | /* Set Alt Names from der cert, return 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 7928 | static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 7929 | { |
wolfSSL | 4:1b0d80432c79 | 7930 | int ret; |
wolfSSL | 4:1b0d80432c79 | 7931 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7932 | DecodedCert* decoded; |
wolfSSL | 4:1b0d80432c79 | 7933 | #else |
wolfSSL | 4:1b0d80432c79 | 7934 | DecodedCert decoded[1]; |
wolfSSL | 4:1b0d80432c79 | 7935 | #endif |
wolfSSL | 4:1b0d80432c79 | 7936 | |
wolfSSL | 4:1b0d80432c79 | 7937 | if (derSz < 0) |
wolfSSL | 4:1b0d80432c79 | 7938 | return derSz; |
wolfSSL | 4:1b0d80432c79 | 7939 | |
wolfSSL | 4:1b0d80432c79 | 7940 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 7941 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 4:1b0d80432c79 | 7942 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 7943 | if (decoded == NULL) |
wolfSSL | 4:1b0d80432c79 | 7944 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 7945 | #endif |
wolfSSL | 4:1b0d80432c79 | 7946 | |
wolfSSL | 4:1b0d80432c79 | 7947 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 4:1b0d80432c79 | 7948 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 4:1b0d80432c79 | 7949 | |
wolfSSL | 4:1b0d80432c79 | 7950 | if (ret < 0) { |
wolfSSL | 4:1b0d80432c79 | 7951 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 4:1b0d80432c79 | 7952 | } |
wolfSSL | 4:1b0d80432c79 | 7953 | else if (decoded->extensions) { |
wolfSSL | 4:1b0d80432c79 | 7954 | byte b; |
wolfSSL | 4:1b0d80432c79 | 7955 | int length; |
wolfSSL | 4:1b0d80432c79 | 7956 | word32 maxExtensionsIdx; |
wolfSSL | 4:1b0d80432c79 | 7957 | |
wolfSSL | 4:1b0d80432c79 | 7958 | decoded->srcIdx = decoded->extensionsIdx; |
wolfSSL | 4:1b0d80432c79 | 7959 | b = decoded->source[decoded->srcIdx++]; |
wolfSSL | 4:1b0d80432c79 | 7960 | |
wolfSSL | 4:1b0d80432c79 | 7961 | if (b != ASN_EXTENSIONS) { |
wolfSSL | 4:1b0d80432c79 | 7962 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 7963 | } |
wolfSSL | 4:1b0d80432c79 | 7964 | else if (GetLength(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 4:1b0d80432c79 | 7965 | decoded->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 7966 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 7967 | } |
wolfSSL | 4:1b0d80432c79 | 7968 | else if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 4:1b0d80432c79 | 7969 | decoded->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 7970 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 7971 | } |
wolfSSL | 4:1b0d80432c79 | 7972 | else { |
wolfSSL | 4:1b0d80432c79 | 7973 | maxExtensionsIdx = decoded->srcIdx + length; |
wolfSSL | 4:1b0d80432c79 | 7974 | |
wolfSSL | 4:1b0d80432c79 | 7975 | while (decoded->srcIdx < maxExtensionsIdx) { |
wolfSSL | 4:1b0d80432c79 | 7976 | word32 oid; |
wolfSSL | 4:1b0d80432c79 | 7977 | word32 startIdx = decoded->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 7978 | word32 tmpIdx; |
wolfSSL | 4:1b0d80432c79 | 7979 | |
wolfSSL | 4:1b0d80432c79 | 7980 | if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 4:1b0d80432c79 | 7981 | decoded->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 7982 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 7983 | break; |
wolfSSL | 4:1b0d80432c79 | 7984 | } |
wolfSSL | 4:1b0d80432c79 | 7985 | |
wolfSSL | 4:1b0d80432c79 | 7986 | tmpIdx = decoded->srcIdx; |
wolfSSL | 4:1b0d80432c79 | 7987 | decoded->srcIdx = startIdx; |
wolfSSL | 4:1b0d80432c79 | 7988 | |
wolfSSL | 4:1b0d80432c79 | 7989 | if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid, |
wolfSSL | 4:1b0d80432c79 | 7990 | certExtType, decoded->maxIdx) < 0) { |
wolfSSL | 4:1b0d80432c79 | 7991 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 7992 | break; |
wolfSSL | 4:1b0d80432c79 | 7993 | } |
wolfSSL | 4:1b0d80432c79 | 7994 | |
wolfSSL | 4:1b0d80432c79 | 7995 | if (oid == ALT_NAMES_OID) { |
wolfSSL | 4:1b0d80432c79 | 7996 | cert->altNamesSz = length + (tmpIdx - startIdx); |
wolfSSL | 4:1b0d80432c79 | 7997 | |
wolfSSL | 4:1b0d80432c79 | 7998 | if (cert->altNamesSz < (int)sizeof(cert->altNames)) |
wolfSSL | 4:1b0d80432c79 | 7999 | XMEMCPY(cert->altNames, &decoded->source[startIdx], |
wolfSSL | 4:1b0d80432c79 | 8000 | cert->altNamesSz); |
wolfSSL | 4:1b0d80432c79 | 8001 | else { |
wolfSSL | 4:1b0d80432c79 | 8002 | cert->altNamesSz = 0; |
wolfSSL | 4:1b0d80432c79 | 8003 | WOLFSSL_MSG("AltNames extensions too big"); |
wolfSSL | 4:1b0d80432c79 | 8004 | ret = ALT_NAME_E; |
wolfSSL | 4:1b0d80432c79 | 8005 | break; |
wolfSSL | 4:1b0d80432c79 | 8006 | } |
wolfSSL | 4:1b0d80432c79 | 8007 | } |
wolfSSL | 4:1b0d80432c79 | 8008 | decoded->srcIdx = tmpIdx + length; |
wolfSSL | 4:1b0d80432c79 | 8009 | } |
wolfSSL | 4:1b0d80432c79 | 8010 | } |
wolfSSL | 4:1b0d80432c79 | 8011 | } |
wolfSSL | 4:1b0d80432c79 | 8012 | |
wolfSSL | 4:1b0d80432c79 | 8013 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 8014 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8015 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8016 | #endif |
wolfSSL | 4:1b0d80432c79 | 8017 | |
wolfSSL | 4:1b0d80432c79 | 8018 | return ret < 0 ? ret : 0; |
wolfSSL | 4:1b0d80432c79 | 8019 | } |
wolfSSL | 4:1b0d80432c79 | 8020 | |
wolfSSL | 4:1b0d80432c79 | 8021 | |
wolfSSL | 4:1b0d80432c79 | 8022 | /* Set Dates from der cert, return 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 8023 | static int SetDatesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8024 | { |
wolfSSL | 4:1b0d80432c79 | 8025 | int ret; |
wolfSSL | 4:1b0d80432c79 | 8026 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8027 | DecodedCert* decoded; |
wolfSSL | 4:1b0d80432c79 | 8028 | #else |
wolfSSL | 4:1b0d80432c79 | 8029 | DecodedCert decoded[1]; |
wolfSSL | 4:1b0d80432c79 | 8030 | #endif |
wolfSSL | 4:1b0d80432c79 | 8031 | |
wolfSSL | 4:1b0d80432c79 | 8032 | WOLFSSL_ENTER("SetDatesFromCert"); |
wolfSSL | 4:1b0d80432c79 | 8033 | if (derSz < 0) |
wolfSSL | 4:1b0d80432c79 | 8034 | return derSz; |
wolfSSL | 4:1b0d80432c79 | 8035 | |
wolfSSL | 4:1b0d80432c79 | 8036 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8037 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 4:1b0d80432c79 | 8038 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8039 | if (decoded == NULL) |
wolfSSL | 4:1b0d80432c79 | 8040 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8041 | #endif |
wolfSSL | 4:1b0d80432c79 | 8042 | |
wolfSSL | 4:1b0d80432c79 | 8043 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 4:1b0d80432c79 | 8044 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 4:1b0d80432c79 | 8045 | |
wolfSSL | 4:1b0d80432c79 | 8046 | if (ret < 0) { |
wolfSSL | 4:1b0d80432c79 | 8047 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 4:1b0d80432c79 | 8048 | } |
wolfSSL | 4:1b0d80432c79 | 8049 | else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8050 | WOLFSSL_MSG("Couldn't extract dates"); |
wolfSSL | 4:1b0d80432c79 | 8051 | ret = -1; |
wolfSSL | 4:1b0d80432c79 | 8052 | } |
wolfSSL | 4:1b0d80432c79 | 8053 | else if (decoded->beforeDateLen > MAX_DATE_SIZE || |
wolfSSL | 4:1b0d80432c79 | 8054 | decoded->afterDateLen > MAX_DATE_SIZE) { |
wolfSSL | 4:1b0d80432c79 | 8055 | WOLFSSL_MSG("Bad date size"); |
wolfSSL | 4:1b0d80432c79 | 8056 | ret = -1; |
wolfSSL | 4:1b0d80432c79 | 8057 | } |
wolfSSL | 4:1b0d80432c79 | 8058 | else { |
wolfSSL | 4:1b0d80432c79 | 8059 | XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen); |
wolfSSL | 4:1b0d80432c79 | 8060 | XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen); |
wolfSSL | 4:1b0d80432c79 | 8061 | |
wolfSSL | 4:1b0d80432c79 | 8062 | cert->beforeDateSz = decoded->beforeDateLen; |
wolfSSL | 4:1b0d80432c79 | 8063 | cert->afterDateSz = decoded->afterDateLen; |
wolfSSL | 4:1b0d80432c79 | 8064 | } |
wolfSSL | 4:1b0d80432c79 | 8065 | |
wolfSSL | 4:1b0d80432c79 | 8066 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 8067 | |
wolfSSL | 4:1b0d80432c79 | 8068 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8069 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8070 | #endif |
wolfSSL | 4:1b0d80432c79 | 8071 | |
wolfSSL | 4:1b0d80432c79 | 8072 | return ret < 0 ? ret : 0; |
wolfSSL | 4:1b0d80432c79 | 8073 | } |
wolfSSL | 4:1b0d80432c79 | 8074 | |
wolfSSL | 4:1b0d80432c79 | 8075 | |
wolfSSL | 4:1b0d80432c79 | 8076 | #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */ |
wolfSSL | 4:1b0d80432c79 | 8077 | |
wolfSSL | 4:1b0d80432c79 | 8078 | |
wolfSSL | 4:1b0d80432c79 | 8079 | /* Set cn name from der buffer, return 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 8080 | static int SetNameFromCert(CertName* cn, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8081 | { |
wolfSSL | 4:1b0d80432c79 | 8082 | int ret, sz; |
wolfSSL | 4:1b0d80432c79 | 8083 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8084 | DecodedCert* decoded; |
wolfSSL | 4:1b0d80432c79 | 8085 | #else |
wolfSSL | 4:1b0d80432c79 | 8086 | DecodedCert decoded[1]; |
wolfSSL | 4:1b0d80432c79 | 8087 | #endif |
wolfSSL | 4:1b0d80432c79 | 8088 | |
wolfSSL | 4:1b0d80432c79 | 8089 | if (derSz < 0) |
wolfSSL | 4:1b0d80432c79 | 8090 | return derSz; |
wolfSSL | 4:1b0d80432c79 | 8091 | |
wolfSSL | 4:1b0d80432c79 | 8092 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8093 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 4:1b0d80432c79 | 8094 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8095 | if (decoded == NULL) |
wolfSSL | 4:1b0d80432c79 | 8096 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8097 | #endif |
wolfSSL | 4:1b0d80432c79 | 8098 | |
wolfSSL | 4:1b0d80432c79 | 8099 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 4:1b0d80432c79 | 8100 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 4:1b0d80432c79 | 8101 | |
wolfSSL | 4:1b0d80432c79 | 8102 | if (ret < 0) { |
wolfSSL | 4:1b0d80432c79 | 8103 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 4:1b0d80432c79 | 8104 | } |
wolfSSL | 4:1b0d80432c79 | 8105 | else { |
wolfSSL | 4:1b0d80432c79 | 8106 | if (decoded->subjectCN) { |
wolfSSL | 4:1b0d80432c79 | 8107 | sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen |
wolfSSL | 4:1b0d80432c79 | 8108 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8109 | strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8110 | cn->commonName[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8111 | cn->commonNameEnc = decoded->subjectCNEnc; |
wolfSSL | 4:1b0d80432c79 | 8112 | } |
wolfSSL | 4:1b0d80432c79 | 8113 | if (decoded->subjectC) { |
wolfSSL | 4:1b0d80432c79 | 8114 | sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen |
wolfSSL | 4:1b0d80432c79 | 8115 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8116 | strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8117 | cn->country[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8118 | cn->countryEnc = decoded->subjectCEnc; |
wolfSSL | 4:1b0d80432c79 | 8119 | } |
wolfSSL | 4:1b0d80432c79 | 8120 | if (decoded->subjectST) { |
wolfSSL | 4:1b0d80432c79 | 8121 | sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen |
wolfSSL | 4:1b0d80432c79 | 8122 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8123 | strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8124 | cn->state[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8125 | cn->stateEnc = decoded->subjectSTEnc; |
wolfSSL | 4:1b0d80432c79 | 8126 | } |
wolfSSL | 4:1b0d80432c79 | 8127 | if (decoded->subjectL) { |
wolfSSL | 4:1b0d80432c79 | 8128 | sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen |
wolfSSL | 4:1b0d80432c79 | 8129 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8130 | strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8131 | cn->locality[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8132 | cn->localityEnc = decoded->subjectLEnc; |
wolfSSL | 4:1b0d80432c79 | 8133 | } |
wolfSSL | 4:1b0d80432c79 | 8134 | if (decoded->subjectO) { |
wolfSSL | 4:1b0d80432c79 | 8135 | sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen |
wolfSSL | 4:1b0d80432c79 | 8136 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8137 | strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8138 | cn->org[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8139 | cn->orgEnc = decoded->subjectOEnc; |
wolfSSL | 4:1b0d80432c79 | 8140 | } |
wolfSSL | 4:1b0d80432c79 | 8141 | if (decoded->subjectOU) { |
wolfSSL | 4:1b0d80432c79 | 8142 | sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen |
wolfSSL | 4:1b0d80432c79 | 8143 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8144 | strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8145 | cn->unit[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8146 | cn->unitEnc = decoded->subjectOUEnc; |
wolfSSL | 4:1b0d80432c79 | 8147 | } |
wolfSSL | 4:1b0d80432c79 | 8148 | if (decoded->subjectSN) { |
wolfSSL | 4:1b0d80432c79 | 8149 | sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen |
wolfSSL | 4:1b0d80432c79 | 8150 | : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8151 | strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8152 | cn->sur[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8153 | cn->surEnc = decoded->subjectSNEnc; |
wolfSSL | 4:1b0d80432c79 | 8154 | } |
wolfSSL | 4:1b0d80432c79 | 8155 | if (decoded->subjectEmail) { |
wolfSSL | 4:1b0d80432c79 | 8156 | sz = (decoded->subjectEmailLen < CTC_NAME_SIZE) |
wolfSSL | 4:1b0d80432c79 | 8157 | ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1; |
wolfSSL | 4:1b0d80432c79 | 8158 | strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE); |
wolfSSL | 4:1b0d80432c79 | 8159 | cn->email[sz] = 0; |
wolfSSL | 4:1b0d80432c79 | 8160 | } |
wolfSSL | 4:1b0d80432c79 | 8161 | } |
wolfSSL | 4:1b0d80432c79 | 8162 | |
wolfSSL | 4:1b0d80432c79 | 8163 | FreeDecodedCert(decoded); |
wolfSSL | 4:1b0d80432c79 | 8164 | |
wolfSSL | 4:1b0d80432c79 | 8165 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8166 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8167 | #endif |
wolfSSL | 4:1b0d80432c79 | 8168 | |
wolfSSL | 4:1b0d80432c79 | 8169 | return ret < 0 ? ret : 0; |
wolfSSL | 4:1b0d80432c79 | 8170 | } |
wolfSSL | 4:1b0d80432c79 | 8171 | |
wolfSSL | 4:1b0d80432c79 | 8172 | |
wolfSSL | 4:1b0d80432c79 | 8173 | #ifndef NO_FILESYSTEM |
wolfSSL | 4:1b0d80432c79 | 8174 | |
wolfSSL | 4:1b0d80432c79 | 8175 | /* Set cert issuer from issuerFile in PEM */ |
wolfSSL | 4:1b0d80432c79 | 8176 | int wc_SetIssuer(Cert* cert, const char* issuerFile) |
wolfSSL | 4:1b0d80432c79 | 8177 | { |
wolfSSL | 4:1b0d80432c79 | 8178 | int ret; |
wolfSSL | 4:1b0d80432c79 | 8179 | int derSz; |
wolfSSL | 4:1b0d80432c79 | 8180 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8181 | |
wolfSSL | 4:1b0d80432c79 | 8182 | if (der == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8183 | WOLFSSL_MSG("wc_SetIssuer OOF Problem"); |
wolfSSL | 4:1b0d80432c79 | 8184 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8185 | } |
wolfSSL | 4:1b0d80432c79 | 8186 | derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF); |
wolfSSL | 4:1b0d80432c79 | 8187 | cert->selfSigned = 0; |
wolfSSL | 4:1b0d80432c79 | 8188 | ret = SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8189 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8190 | |
wolfSSL | 4:1b0d80432c79 | 8191 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8192 | } |
wolfSSL | 4:1b0d80432c79 | 8193 | |
wolfSSL | 4:1b0d80432c79 | 8194 | |
wolfSSL | 4:1b0d80432c79 | 8195 | /* Set cert subject from subjectFile in PEM */ |
wolfSSL | 4:1b0d80432c79 | 8196 | int wc_SetSubject(Cert* cert, const char* subjectFile) |
wolfSSL | 4:1b0d80432c79 | 8197 | { |
wolfSSL | 4:1b0d80432c79 | 8198 | int ret; |
wolfSSL | 4:1b0d80432c79 | 8199 | int derSz; |
wolfSSL | 4:1b0d80432c79 | 8200 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8201 | |
wolfSSL | 4:1b0d80432c79 | 8202 | if (der == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8203 | WOLFSSL_MSG("wc_SetSubject OOF Problem"); |
wolfSSL | 4:1b0d80432c79 | 8204 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8205 | } |
wolfSSL | 4:1b0d80432c79 | 8206 | derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF); |
wolfSSL | 4:1b0d80432c79 | 8207 | ret = SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8208 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8209 | |
wolfSSL | 4:1b0d80432c79 | 8210 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8211 | } |
wolfSSL | 4:1b0d80432c79 | 8212 | |
wolfSSL | 4:1b0d80432c79 | 8213 | |
wolfSSL | 4:1b0d80432c79 | 8214 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 8215 | |
wolfSSL | 4:1b0d80432c79 | 8216 | /* Set atl names from file in PEM */ |
wolfSSL | 4:1b0d80432c79 | 8217 | int wc_SetAltNames(Cert* cert, const char* file) |
wolfSSL | 4:1b0d80432c79 | 8218 | { |
wolfSSL | 4:1b0d80432c79 | 8219 | int ret; |
wolfSSL | 4:1b0d80432c79 | 8220 | int derSz; |
wolfSSL | 4:1b0d80432c79 | 8221 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8222 | |
wolfSSL | 4:1b0d80432c79 | 8223 | if (der == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8224 | WOLFSSL_MSG("wc_SetAltNames OOF Problem"); |
wolfSSL | 4:1b0d80432c79 | 8225 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8226 | } |
wolfSSL | 4:1b0d80432c79 | 8227 | derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 4:1b0d80432c79 | 8228 | ret = SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8229 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 4:1b0d80432c79 | 8230 | |
wolfSSL | 4:1b0d80432c79 | 8231 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8232 | } |
wolfSSL | 4:1b0d80432c79 | 8233 | |
wolfSSL | 4:1b0d80432c79 | 8234 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 4:1b0d80432c79 | 8235 | |
wolfSSL | 4:1b0d80432c79 | 8236 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 4:1b0d80432c79 | 8237 | |
wolfSSL | 4:1b0d80432c79 | 8238 | /* Set cert issuer from DER buffer */ |
wolfSSL | 4:1b0d80432c79 | 8239 | int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8240 | { |
wolfSSL | 4:1b0d80432c79 | 8241 | cert->selfSigned = 0; |
wolfSSL | 4:1b0d80432c79 | 8242 | return SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8243 | } |
wolfSSL | 4:1b0d80432c79 | 8244 | |
wolfSSL | 4:1b0d80432c79 | 8245 | |
wolfSSL | 4:1b0d80432c79 | 8246 | /* Set cert subject from DER buffer */ |
wolfSSL | 4:1b0d80432c79 | 8247 | int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8248 | { |
wolfSSL | 4:1b0d80432c79 | 8249 | return SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8250 | } |
wolfSSL | 4:1b0d80432c79 | 8251 | |
wolfSSL | 4:1b0d80432c79 | 8252 | |
wolfSSL | 4:1b0d80432c79 | 8253 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 4:1b0d80432c79 | 8254 | |
wolfSSL | 4:1b0d80432c79 | 8255 | /* Set cert alt names from DER buffer */ |
wolfSSL | 4:1b0d80432c79 | 8256 | int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8257 | { |
wolfSSL | 4:1b0d80432c79 | 8258 | return SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8259 | } |
wolfSSL | 4:1b0d80432c79 | 8260 | |
wolfSSL | 4:1b0d80432c79 | 8261 | /* Set cert dates from DER buffer */ |
wolfSSL | 4:1b0d80432c79 | 8262 | int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 4:1b0d80432c79 | 8263 | { |
wolfSSL | 4:1b0d80432c79 | 8264 | return SetDatesFromCert(cert, der, derSz); |
wolfSSL | 4:1b0d80432c79 | 8265 | } |
wolfSSL | 4:1b0d80432c79 | 8266 | |
wolfSSL | 4:1b0d80432c79 | 8267 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 4:1b0d80432c79 | 8268 | |
wolfSSL | 4:1b0d80432c79 | 8269 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 4:1b0d80432c79 | 8270 | |
wolfSSL | 4:1b0d80432c79 | 8271 | |
wolfSSL | 4:1b0d80432c79 | 8272 | #ifdef HAVE_ECC |
wolfSSL | 4:1b0d80432c79 | 8273 | |
wolfSSL | 4:1b0d80432c79 | 8274 | /* Der Encode r & s ints into out, outLen is (in/out) size */ |
wolfSSL | 4:1b0d80432c79 | 8275 | int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) |
wolfSSL | 4:1b0d80432c79 | 8276 | { |
wolfSSL | 4:1b0d80432c79 | 8277 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 8278 | word32 rSz; /* encoding size */ |
wolfSSL | 4:1b0d80432c79 | 8279 | word32 sSz; |
wolfSSL | 4:1b0d80432c79 | 8280 | word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ |
wolfSSL | 4:1b0d80432c79 | 8281 | |
wolfSSL | 4:1b0d80432c79 | 8282 | /* If the leading bit on the INTEGER is a 1, add a leading zero */ |
wolfSSL | 4:1b0d80432c79 | 8283 | int rLeadingZero = mp_leading_bit(r); |
wolfSSL | 4:1b0d80432c79 | 8284 | int sLeadingZero = mp_leading_bit(s); |
wolfSSL | 4:1b0d80432c79 | 8285 | int rLen = mp_unsigned_bin_size(r); /* big int size */ |
wolfSSL | 4:1b0d80432c79 | 8286 | int sLen = mp_unsigned_bin_size(s); |
wolfSSL | 4:1b0d80432c79 | 8287 | int err; |
wolfSSL | 4:1b0d80432c79 | 8288 | |
wolfSSL | 4:1b0d80432c79 | 8289 | if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero + |
wolfSSL | 4:1b0d80432c79 | 8290 | headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */ |
wolfSSL | 4:1b0d80432c79 | 8291 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 8292 | |
wolfSSL | 4:1b0d80432c79 | 8293 | idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out); |
wolfSSL | 4:1b0d80432c79 | 8294 | |
wolfSSL | 4:1b0d80432c79 | 8295 | /* store r */ |
wolfSSL | 4:1b0d80432c79 | 8296 | out[idx++] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 8297 | rSz = SetLength(rLen + rLeadingZero, &out[idx]); |
wolfSSL | 4:1b0d80432c79 | 8298 | idx += rSz; |
wolfSSL | 4:1b0d80432c79 | 8299 | if (rLeadingZero) |
wolfSSL | 4:1b0d80432c79 | 8300 | out[idx++] = 0; |
wolfSSL | 4:1b0d80432c79 | 8301 | err = mp_to_unsigned_bin(r, &out[idx]); |
wolfSSL | 4:1b0d80432c79 | 8302 | if (err != MP_OKAY) return err; |
wolfSSL | 4:1b0d80432c79 | 8303 | idx += rLen; |
wolfSSL | 4:1b0d80432c79 | 8304 | |
wolfSSL | 4:1b0d80432c79 | 8305 | /* store s */ |
wolfSSL | 4:1b0d80432c79 | 8306 | out[idx++] = ASN_INTEGER; |
wolfSSL | 4:1b0d80432c79 | 8307 | sSz = SetLength(sLen + sLeadingZero, &out[idx]); |
wolfSSL | 4:1b0d80432c79 | 8308 | idx += sSz; |
wolfSSL | 4:1b0d80432c79 | 8309 | if (sLeadingZero) |
wolfSSL | 4:1b0d80432c79 | 8310 | out[idx++] = 0; |
wolfSSL | 4:1b0d80432c79 | 8311 | err = mp_to_unsigned_bin(s, &out[idx]); |
wolfSSL | 4:1b0d80432c79 | 8312 | if (err != MP_OKAY) return err; |
wolfSSL | 4:1b0d80432c79 | 8313 | idx += sLen; |
wolfSSL | 4:1b0d80432c79 | 8314 | |
wolfSSL | 4:1b0d80432c79 | 8315 | *outLen = idx; |
wolfSSL | 4:1b0d80432c79 | 8316 | |
wolfSSL | 4:1b0d80432c79 | 8317 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8318 | } |
wolfSSL | 4:1b0d80432c79 | 8319 | |
wolfSSL | 4:1b0d80432c79 | 8320 | |
wolfSSL | 4:1b0d80432c79 | 8321 | /* Der Decode ECC-DSA Signature, r & s stored as big ints */ |
wolfSSL | 4:1b0d80432c79 | 8322 | int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s) |
wolfSSL | 4:1b0d80432c79 | 8323 | { |
wolfSSL | 4:1b0d80432c79 | 8324 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 8325 | int len = 0; |
wolfSSL | 4:1b0d80432c79 | 8326 | |
wolfSSL | 4:1b0d80432c79 | 8327 | if (GetSequence(sig, &idx, &len, sigLen) < 0) |
wolfSSL | 4:1b0d80432c79 | 8328 | return ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8329 | |
wolfSSL | 4:1b0d80432c79 | 8330 | if ((word32)len > (sigLen - idx)) |
wolfSSL | 4:1b0d80432c79 | 8331 | return ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8332 | |
wolfSSL | 4:1b0d80432c79 | 8333 | if (GetInt(r, sig, &idx, sigLen) < 0) |
wolfSSL | 4:1b0d80432c79 | 8334 | return ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8335 | |
wolfSSL | 4:1b0d80432c79 | 8336 | if (GetInt(s, sig, &idx, sigLen) < 0) |
wolfSSL | 4:1b0d80432c79 | 8337 | return ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8338 | |
wolfSSL | 4:1b0d80432c79 | 8339 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8340 | } |
wolfSSL | 4:1b0d80432c79 | 8341 | |
wolfSSL | 4:1b0d80432c79 | 8342 | |
wolfSSL | 4:1b0d80432c79 | 8343 | int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, |
wolfSSL | 4:1b0d80432c79 | 8344 | word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 8345 | { |
wolfSSL | 4:1b0d80432c79 | 8346 | word32 oid = 0; |
wolfSSL | 4:1b0d80432c79 | 8347 | int version, length; |
wolfSSL | 4:1b0d80432c79 | 8348 | int privSz, pubSz; |
wolfSSL | 4:1b0d80432c79 | 8349 | byte b; |
wolfSSL | 4:1b0d80432c79 | 8350 | int ret = 0; |
wolfSSL | 4:1b0d80432c79 | 8351 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8352 | byte* priv; |
wolfSSL | 4:1b0d80432c79 | 8353 | byte* pub; |
wolfSSL | 4:1b0d80432c79 | 8354 | #else |
wolfSSL | 4:1b0d80432c79 | 8355 | byte priv[ECC_MAXSIZE+1]; |
wolfSSL | 4:1b0d80432c79 | 8356 | byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */ |
wolfSSL | 4:1b0d80432c79 | 8357 | #endif |
wolfSSL | 4:1b0d80432c79 | 8358 | |
wolfSSL | 4:1b0d80432c79 | 8359 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 4:1b0d80432c79 | 8360 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 8361 | |
wolfSSL | 4:1b0d80432c79 | 8362 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8363 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8364 | |
wolfSSL | 4:1b0d80432c79 | 8365 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 8366 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8367 | |
wolfSSL | 4:1b0d80432c79 | 8368 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8369 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8370 | |
wolfSSL | 4:1b0d80432c79 | 8371 | /* priv type */ |
wolfSSL | 4:1b0d80432c79 | 8372 | if (b != 4 && b != 6 && b != 7) |
wolfSSL | 4:1b0d80432c79 | 8373 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8374 | |
wolfSSL | 4:1b0d80432c79 | 8375 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8376 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8377 | |
wolfSSL | 4:1b0d80432c79 | 8378 | if (length > ECC_MAXSIZE) |
wolfSSL | 4:1b0d80432c79 | 8379 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 8380 | |
wolfSSL | 4:1b0d80432c79 | 8381 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8382 | priv = (byte*)XMALLOC(ECC_MAXSIZE+1, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8383 | if (priv == NULL) |
wolfSSL | 4:1b0d80432c79 | 8384 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8385 | |
wolfSSL | 4:1b0d80432c79 | 8386 | pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8387 | if (pub == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8388 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8389 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8390 | } |
wolfSSL | 4:1b0d80432c79 | 8391 | #endif |
wolfSSL | 4:1b0d80432c79 | 8392 | |
wolfSSL | 4:1b0d80432c79 | 8393 | /* priv key */ |
wolfSSL | 4:1b0d80432c79 | 8394 | privSz = length; |
wolfSSL | 4:1b0d80432c79 | 8395 | XMEMCPY(priv, &input[*inOutIdx], privSz); |
wolfSSL | 4:1b0d80432c79 | 8396 | *inOutIdx += length; |
wolfSSL | 4:1b0d80432c79 | 8397 | |
wolfSSL | 4:1b0d80432c79 | 8398 | /* prefix 0, may have */ |
wolfSSL | 4:1b0d80432c79 | 8399 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8400 | if (b == ECC_PREFIX_0) { |
wolfSSL | 4:1b0d80432c79 | 8401 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8402 | |
wolfSSL | 4:1b0d80432c79 | 8403 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8404 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8405 | else { |
wolfSSL | 4:1b0d80432c79 | 8406 | /* object id */ |
wolfSSL | 4:1b0d80432c79 | 8407 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8408 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8409 | |
wolfSSL | 4:1b0d80432c79 | 8410 | if (b != ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 8411 | ret = ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 8412 | } |
wolfSSL | 4:1b0d80432c79 | 8413 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8414 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8415 | } |
wolfSSL | 4:1b0d80432c79 | 8416 | else { |
wolfSSL | 4:1b0d80432c79 | 8417 | while(length--) { |
wolfSSL | 4:1b0d80432c79 | 8418 | oid += input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8419 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8420 | } |
wolfSSL | 4:1b0d80432c79 | 8421 | if (CheckCurve(oid) < 0) |
wolfSSL | 4:1b0d80432c79 | 8422 | ret = ECC_CURVE_OID_E; |
wolfSSL | 4:1b0d80432c79 | 8423 | } |
wolfSSL | 4:1b0d80432c79 | 8424 | } |
wolfSSL | 4:1b0d80432c79 | 8425 | } |
wolfSSL | 4:1b0d80432c79 | 8426 | |
wolfSSL | 4:1b0d80432c79 | 8427 | if (ret == 0) { |
wolfSSL | 4:1b0d80432c79 | 8428 | /* prefix 1 */ |
wolfSSL | 4:1b0d80432c79 | 8429 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8430 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8431 | |
wolfSSL | 4:1b0d80432c79 | 8432 | if (b != ECC_PREFIX_1) { |
wolfSSL | 4:1b0d80432c79 | 8433 | ret = ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8434 | } |
wolfSSL | 4:1b0d80432c79 | 8435 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8436 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8437 | } |
wolfSSL | 4:1b0d80432c79 | 8438 | else { |
wolfSSL | 4:1b0d80432c79 | 8439 | /* key header */ |
wolfSSL | 4:1b0d80432c79 | 8440 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8441 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8442 | |
wolfSSL | 4:1b0d80432c79 | 8443 | if (b != ASN_BIT_STRING) { |
wolfSSL | 4:1b0d80432c79 | 8444 | ret = ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 8445 | } |
wolfSSL | 4:1b0d80432c79 | 8446 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8447 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8448 | } |
wolfSSL | 4:1b0d80432c79 | 8449 | else if (length <= 0) { |
wolfSSL | 4:1b0d80432c79 | 8450 | /* pubkey needs some size */ |
wolfSSL | 4:1b0d80432c79 | 8451 | ret = ASN_INPUT_E; |
wolfSSL | 4:1b0d80432c79 | 8452 | } |
wolfSSL | 4:1b0d80432c79 | 8453 | else { |
wolfSSL | 4:1b0d80432c79 | 8454 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8455 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8456 | |
wolfSSL | 4:1b0d80432c79 | 8457 | if (b != 0x00) { |
wolfSSL | 4:1b0d80432c79 | 8458 | ret = ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 8459 | } |
wolfSSL | 4:1b0d80432c79 | 8460 | else { |
wolfSSL | 4:1b0d80432c79 | 8461 | /* pub key */ |
wolfSSL | 4:1b0d80432c79 | 8462 | pubSz = length - 1; /* null prefix */ |
wolfSSL | 4:1b0d80432c79 | 8463 | if (pubSz < 2*(ECC_MAXSIZE+1)) { |
wolfSSL | 4:1b0d80432c79 | 8464 | XMEMCPY(pub, &input[*inOutIdx], pubSz); |
wolfSSL | 4:1b0d80432c79 | 8465 | *inOutIdx += length; |
wolfSSL | 4:1b0d80432c79 | 8466 | ret = wc_ecc_import_private_key(priv, privSz, pub, pubSz, |
wolfSSL | 4:1b0d80432c79 | 8467 | key); |
wolfSSL | 4:1b0d80432c79 | 8468 | } else |
wolfSSL | 4:1b0d80432c79 | 8469 | ret = BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 8470 | } |
wolfSSL | 4:1b0d80432c79 | 8471 | } |
wolfSSL | 4:1b0d80432c79 | 8472 | } |
wolfSSL | 4:1b0d80432c79 | 8473 | } |
wolfSSL | 4:1b0d80432c79 | 8474 | |
wolfSSL | 4:1b0d80432c79 | 8475 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 4:1b0d80432c79 | 8476 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8477 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8478 | #endif |
wolfSSL | 4:1b0d80432c79 | 8479 | |
wolfSSL | 4:1b0d80432c79 | 8480 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8481 | } |
wolfSSL | 4:1b0d80432c79 | 8482 | |
wolfSSL | 4:1b0d80432c79 | 8483 | int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 4:1b0d80432c79 | 8484 | ecc_key* key, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 8485 | { |
wolfSSL | 4:1b0d80432c79 | 8486 | int length; |
wolfSSL | 4:1b0d80432c79 | 8487 | int ret = 0; |
wolfSSL | 4:1b0d80432c79 | 8488 | |
wolfSSL | 4:1b0d80432c79 | 8489 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 4:1b0d80432c79 | 8490 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 8491 | |
wolfSSL | 4:1b0d80432c79 | 8492 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8493 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8494 | |
wolfSSL | 4:1b0d80432c79 | 8495 | #if defined(OPENSSL_EXTRA) || defined(ECC_DECODE_EXTRA) |
wolfSSL | 4:1b0d80432c79 | 8496 | { |
wolfSSL | 4:1b0d80432c79 | 8497 | byte b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8498 | if (b != ASN_INTEGER) { |
wolfSSL | 4:1b0d80432c79 | 8499 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 4:1b0d80432c79 | 8500 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8501 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8502 | |
wolfSSL | 4:1b0d80432c79 | 8503 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 8504 | if (b != ASN_OBJECT_ID) |
wolfSSL | 4:1b0d80432c79 | 8505 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 8506 | |
wolfSSL | 4:1b0d80432c79 | 8507 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8508 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8509 | |
wolfSSL | 4:1b0d80432c79 | 8510 | *inOutIdx += length; /* skip past */ |
wolfSSL | 4:1b0d80432c79 | 8511 | |
wolfSSL | 4:1b0d80432c79 | 8512 | /* ecc params information */ |
wolfSSL | 4:1b0d80432c79 | 8513 | b = input[(*inOutIdx)++]; |
wolfSSL | 4:1b0d80432c79 | 8514 | if (b != ASN_OBJECT_ID) |
wolfSSL | 4:1b0d80432c79 | 8515 | return ASN_OBJECT_ID_E; |
wolfSSL | 4:1b0d80432c79 | 8516 | |
wolfSSL | 4:1b0d80432c79 | 8517 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8518 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8519 | |
wolfSSL | 4:1b0d80432c79 | 8520 | *inOutIdx += length; /* skip past */ |
wolfSSL | 4:1b0d80432c79 | 8521 | |
wolfSSL | 4:1b0d80432c79 | 8522 | /* key header */ |
wolfSSL | 4:1b0d80432c79 | 8523 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8524 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8525 | |
wolfSSL | 4:1b0d80432c79 | 8526 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 8527 | ret = ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 8528 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 4:1b0d80432c79 | 8529 | ret = ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8530 | else { |
wolfSSL | 4:1b0d80432c79 | 8531 | b = input[*inOutIdx]; |
wolfSSL | 4:1b0d80432c79 | 8532 | *inOutIdx += 1; |
wolfSSL | 4:1b0d80432c79 | 8533 | |
wolfSSL | 4:1b0d80432c79 | 8534 | if (b != 0x00) |
wolfSSL | 4:1b0d80432c79 | 8535 | ret = ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 8536 | } |
wolfSSL | 4:1b0d80432c79 | 8537 | } |
wolfSSL | 4:1b0d80432c79 | 8538 | } /* openssl var block */ |
wolfSSL | 4:1b0d80432c79 | 8539 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 4:1b0d80432c79 | 8540 | |
wolfSSL | 4:1b0d80432c79 | 8541 | if (wc_ecc_import_x963(input+*inOutIdx, inSz - *inOutIdx, key) != 0) |
wolfSSL | 4:1b0d80432c79 | 8542 | return ASN_ECC_KEY_E; |
wolfSSL | 4:1b0d80432c79 | 8543 | |
wolfSSL | 4:1b0d80432c79 | 8544 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8545 | } |
wolfSSL | 4:1b0d80432c79 | 8546 | |
wolfSSL | 4:1b0d80432c79 | 8547 | |
wolfSSL | 4:1b0d80432c79 | 8548 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 4:1b0d80432c79 | 8549 | |
wolfSSL | 4:1b0d80432c79 | 8550 | /* Write a Private ecc key to DER format, length on success else < 0 */ |
wolfSSL | 4:1b0d80432c79 | 8551 | int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 4:1b0d80432c79 | 8552 | { |
wolfSSL | 4:1b0d80432c79 | 8553 | byte curve[MAX_ALGO_SZ+2]; |
wolfSSL | 4:1b0d80432c79 | 8554 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 4:1b0d80432c79 | 8555 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 8556 | byte *prv, *pub; |
wolfSSL | 4:1b0d80432c79 | 8557 | int ret, totalSz, curveSz, verSz; |
wolfSSL | 4:1b0d80432c79 | 8558 | int privHdrSz = ASN_ECC_HEADER_SZ; |
wolfSSL | 4:1b0d80432c79 | 8559 | int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ; |
wolfSSL | 4:1b0d80432c79 | 8560 | |
wolfSSL | 4:1b0d80432c79 | 8561 | word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0; |
wolfSSL | 4:1b0d80432c79 | 8562 | word32 seqSz, privSz, pubSz = ECC_BUFSIZE; |
wolfSSL | 4:1b0d80432c79 | 8563 | |
wolfSSL | 4:1b0d80432c79 | 8564 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 4:1b0d80432c79 | 8565 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 8566 | |
wolfSSL | 4:1b0d80432c79 | 8567 | /* curve */ |
wolfSSL | 4:1b0d80432c79 | 8568 | curve[curveidx++] = ECC_PREFIX_0; |
wolfSSL | 4:1b0d80432c79 | 8569 | curveidx++ /* to put the size after computation */; |
wolfSSL | 4:1b0d80432c79 | 8570 | curveSz = SetCurve(key, curve+curveidx); |
wolfSSL | 4:1b0d80432c79 | 8571 | if (curveSz < 0) |
wolfSSL | 4:1b0d80432c79 | 8572 | return curveSz; |
wolfSSL | 4:1b0d80432c79 | 8573 | /* set computed size */ |
wolfSSL | 4:1b0d80432c79 | 8574 | curve[1] = (byte)curveSz; |
wolfSSL | 4:1b0d80432c79 | 8575 | curveidx += curveSz; |
wolfSSL | 4:1b0d80432c79 | 8576 | |
wolfSSL | 4:1b0d80432c79 | 8577 | /* private */ |
wolfSSL | 4:1b0d80432c79 | 8578 | privSz = key->dp->size; |
wolfSSL | 4:1b0d80432c79 | 8579 | prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ, |
wolfSSL | 4:1b0d80432c79 | 8580 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8581 | if (prv == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8582 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8583 | } |
wolfSSL | 4:1b0d80432c79 | 8584 | prv[prvidx++] = ASN_OCTET_STRING; |
wolfSSL | 4:1b0d80432c79 | 8585 | prv[prvidx++] = (byte)key->dp->size; |
wolfSSL | 4:1b0d80432c79 | 8586 | ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz); |
wolfSSL | 4:1b0d80432c79 | 8587 | if (ret < 0) { |
wolfSSL | 4:1b0d80432c79 | 8588 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8589 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8590 | } |
wolfSSL | 4:1b0d80432c79 | 8591 | prvidx += privSz; |
wolfSSL | 4:1b0d80432c79 | 8592 | |
wolfSSL | 4:1b0d80432c79 | 8593 | /* public */ |
wolfSSL | 4:1b0d80432c79 | 8594 | ret = wc_ecc_export_x963(key, NULL, &pubSz); |
wolfSSL | 4:1b0d80432c79 | 8595 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 4:1b0d80432c79 | 8596 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8597 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8598 | } |
wolfSSL | 4:1b0d80432c79 | 8599 | |
wolfSSL | 4:1b0d80432c79 | 8600 | pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ, |
wolfSSL | 4:1b0d80432c79 | 8601 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8602 | if (pub == NULL) { |
wolfSSL | 4:1b0d80432c79 | 8603 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8604 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 8605 | } |
wolfSSL | 4:1b0d80432c79 | 8606 | |
wolfSSL | 4:1b0d80432c79 | 8607 | pub[pubidx++] = ECC_PREFIX_1; |
wolfSSL | 4:1b0d80432c79 | 8608 | if (pubSz > 128) /* leading zero + extra size byte */ |
wolfSSL | 4:1b0d80432c79 | 8609 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx); |
wolfSSL | 4:1b0d80432c79 | 8610 | else /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 8611 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx); |
wolfSSL | 4:1b0d80432c79 | 8612 | pub[pubidx++] = ASN_BIT_STRING; |
wolfSSL | 4:1b0d80432c79 | 8613 | pubidx += SetLength(pubSz + 1, pub+pubidx); |
wolfSSL | 4:1b0d80432c79 | 8614 | pub[pubidx++] = (byte)0; /* leading zero */ |
wolfSSL | 4:1b0d80432c79 | 8615 | ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz); |
wolfSSL | 4:1b0d80432c79 | 8616 | if (ret != 0) { |
wolfSSL | 4:1b0d80432c79 | 8617 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8618 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8619 | return ret; |
wolfSSL | 4:1b0d80432c79 | 8620 | } |
wolfSSL | 4:1b0d80432c79 | 8621 | pubidx += pubSz; |
wolfSSL | 4:1b0d80432c79 | 8622 | |
wolfSSL | 4:1b0d80432c79 | 8623 | /* make headers */ |
wolfSSL | 4:1b0d80432c79 | 8624 | verSz = SetMyVersion(1, ver, FALSE); |
wolfSSL | 4:1b0d80432c79 | 8625 | seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq); |
wolfSSL | 4:1b0d80432c79 | 8626 | |
wolfSSL | 4:1b0d80432c79 | 8627 | totalSz = prvidx + pubidx + curveidx + verSz + seqSz; |
wolfSSL | 4:1b0d80432c79 | 8628 | if (totalSz > (int)inLen) { |
wolfSSL | 4:1b0d80432c79 | 8629 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8630 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8631 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 8632 | } |
wolfSSL | 4:1b0d80432c79 | 8633 | |
wolfSSL | 4:1b0d80432c79 | 8634 | /* write out */ |
wolfSSL | 4:1b0d80432c79 | 8635 | /* seq */ |
wolfSSL | 4:1b0d80432c79 | 8636 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 4:1b0d80432c79 | 8637 | idx = seqSz; |
wolfSSL | 4:1b0d80432c79 | 8638 | |
wolfSSL | 4:1b0d80432c79 | 8639 | /* ver */ |
wolfSSL | 4:1b0d80432c79 | 8640 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 4:1b0d80432c79 | 8641 | idx += verSz; |
wolfSSL | 4:1b0d80432c79 | 8642 | |
wolfSSL | 4:1b0d80432c79 | 8643 | /* private */ |
wolfSSL | 4:1b0d80432c79 | 8644 | XMEMCPY(output + idx, prv, prvidx); |
wolfSSL | 4:1b0d80432c79 | 8645 | idx += prvidx; |
wolfSSL | 4:1b0d80432c79 | 8646 | XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8647 | |
wolfSSL | 4:1b0d80432c79 | 8648 | /* curve */ |
wolfSSL | 4:1b0d80432c79 | 8649 | XMEMCPY(output + idx, curve, curveidx); |
wolfSSL | 4:1b0d80432c79 | 8650 | idx += curveidx; |
wolfSSL | 4:1b0d80432c79 | 8651 | |
wolfSSL | 4:1b0d80432c79 | 8652 | /* public */ |
wolfSSL | 4:1b0d80432c79 | 8653 | XMEMCPY(output + idx, pub, pubidx); |
wolfSSL | 4:1b0d80432c79 | 8654 | /* idx += pubidx; not used after write, if more data remove comment */ |
wolfSSL | 4:1b0d80432c79 | 8655 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 4:1b0d80432c79 | 8656 | |
wolfSSL | 4:1b0d80432c79 | 8657 | return totalSz; |
wolfSSL | 4:1b0d80432c79 | 8658 | } |
wolfSSL | 4:1b0d80432c79 | 8659 | |
wolfSSL | 4:1b0d80432c79 | 8660 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 4:1b0d80432c79 | 8661 | |
wolfSSL | 4:1b0d80432c79 | 8662 | #endif /* HAVE_ECC */ |
wolfSSL | 4:1b0d80432c79 | 8663 | |
wolfSSL | 4:1b0d80432c79 | 8664 | |
wolfSSL | 4:1b0d80432c79 | 8665 | #if defined(HAVE_OCSP) || defined(HAVE_CRL) |
wolfSSL | 4:1b0d80432c79 | 8666 | |
wolfSSL | 4:1b0d80432c79 | 8667 | /* Get raw Date only, no processing, 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 8668 | static int GetBasicDate(const byte* source, word32* idx, byte* date, |
wolfSSL | 4:1b0d80432c79 | 8669 | byte* format, int maxIdx) |
wolfSSL | 4:1b0d80432c79 | 8670 | { |
wolfSSL | 4:1b0d80432c79 | 8671 | int length; |
wolfSSL | 4:1b0d80432c79 | 8672 | |
wolfSSL | 4:1b0d80432c79 | 8673 | WOLFSSL_ENTER("GetBasicDate"); |
wolfSSL | 4:1b0d80432c79 | 8674 | |
wolfSSL | 4:1b0d80432c79 | 8675 | *format = source[*idx]; |
wolfSSL | 4:1b0d80432c79 | 8676 | *idx += 1; |
wolfSSL | 4:1b0d80432c79 | 8677 | if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME) |
wolfSSL | 4:1b0d80432c79 | 8678 | return ASN_TIME_E; |
wolfSSL | 4:1b0d80432c79 | 8679 | |
wolfSSL | 4:1b0d80432c79 | 8680 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 8681 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8682 | |
wolfSSL | 4:1b0d80432c79 | 8683 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 4:1b0d80432c79 | 8684 | return ASN_DATE_SZ_E; |
wolfSSL | 4:1b0d80432c79 | 8685 | |
wolfSSL | 4:1b0d80432c79 | 8686 | XMEMCPY(date, &source[*idx], length); |
wolfSSL | 4:1b0d80432c79 | 8687 | *idx += length; |
wolfSSL | 4:1b0d80432c79 | 8688 | |
wolfSSL | 4:1b0d80432c79 | 8689 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8690 | } |
wolfSSL | 4:1b0d80432c79 | 8691 | |
wolfSSL | 4:1b0d80432c79 | 8692 | #endif |
wolfSSL | 4:1b0d80432c79 | 8693 | |
wolfSSL | 4:1b0d80432c79 | 8694 | |
wolfSSL | 4:1b0d80432c79 | 8695 | #ifdef HAVE_OCSP |
wolfSSL | 4:1b0d80432c79 | 8696 | |
wolfSSL | 4:1b0d80432c79 | 8697 | static int GetEnumerated(const byte* input, word32* inOutIdx, int *value) |
wolfSSL | 4:1b0d80432c79 | 8698 | { |
wolfSSL | 4:1b0d80432c79 | 8699 | word32 idx = *inOutIdx; |
wolfSSL | 4:1b0d80432c79 | 8700 | word32 len; |
wolfSSL | 4:1b0d80432c79 | 8701 | |
wolfSSL | 4:1b0d80432c79 | 8702 | WOLFSSL_ENTER("GetEnumerated"); |
wolfSSL | 4:1b0d80432c79 | 8703 | |
wolfSSL | 4:1b0d80432c79 | 8704 | *value = 0; |
wolfSSL | 4:1b0d80432c79 | 8705 | |
wolfSSL | 4:1b0d80432c79 | 8706 | if (input[idx++] != ASN_ENUMERATED) |
wolfSSL | 4:1b0d80432c79 | 8707 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8708 | |
wolfSSL | 4:1b0d80432c79 | 8709 | len = input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 8710 | if (len > 4) |
wolfSSL | 4:1b0d80432c79 | 8711 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8712 | |
wolfSSL | 4:1b0d80432c79 | 8713 | while (len--) { |
wolfSSL | 4:1b0d80432c79 | 8714 | *value = *value << 8 | input[idx++]; |
wolfSSL | 4:1b0d80432c79 | 8715 | } |
wolfSSL | 4:1b0d80432c79 | 8716 | |
wolfSSL | 4:1b0d80432c79 | 8717 | *inOutIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 8718 | |
wolfSSL | 4:1b0d80432c79 | 8719 | return *value; |
wolfSSL | 4:1b0d80432c79 | 8720 | } |
wolfSSL | 4:1b0d80432c79 | 8721 | |
wolfSSL | 4:1b0d80432c79 | 8722 | |
wolfSSL | 4:1b0d80432c79 | 8723 | static int DecodeSingleResponse(byte* source, |
wolfSSL | 4:1b0d80432c79 | 8724 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 4:1b0d80432c79 | 8725 | { |
wolfSSL | 4:1b0d80432c79 | 8726 | word32 idx = *ioIndex, prevIndex, oid; |
wolfSSL | 4:1b0d80432c79 | 8727 | int length, wrapperSz; |
wolfSSL | 4:1b0d80432c79 | 8728 | CertStatus* cs = resp->status; |
wolfSSL | 4:1b0d80432c79 | 8729 | |
wolfSSL | 4:1b0d80432c79 | 8730 | WOLFSSL_ENTER("DecodeSingleResponse"); |
wolfSSL | 4:1b0d80432c79 | 8731 | |
wolfSSL | 4:1b0d80432c79 | 8732 | /* Outer wrapper of the SEQUENCE OF Single Responses. */ |
wolfSSL | 4:1b0d80432c79 | 8733 | if (GetSequence(source, &idx, &wrapperSz, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8734 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8735 | |
wolfSSL | 4:1b0d80432c79 | 8736 | prevIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 8737 | |
wolfSSL | 4:1b0d80432c79 | 8738 | /* When making a request, we only request one status on one certificate |
wolfSSL | 4:1b0d80432c79 | 8739 | * at a time. There should only be one SingleResponse */ |
wolfSSL | 4:1b0d80432c79 | 8740 | |
wolfSSL | 4:1b0d80432c79 | 8741 | /* Wrapper around the Single Response */ |
wolfSSL | 4:1b0d80432c79 | 8742 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8743 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8744 | |
wolfSSL | 4:1b0d80432c79 | 8745 | /* Wrapper around the CertID */ |
wolfSSL | 4:1b0d80432c79 | 8746 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8747 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8748 | /* Skip the hash algorithm */ |
wolfSSL | 4:1b0d80432c79 | 8749 | if (GetAlgoId(source, &idx, &oid, ignoreType, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8750 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8751 | /* Save reference to the hash of CN */ |
wolfSSL | 4:1b0d80432c79 | 8752 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 4:1b0d80432c79 | 8753 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8754 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8755 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8756 | resp->issuerHash = source + idx; |
wolfSSL | 4:1b0d80432c79 | 8757 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8758 | /* Save reference to the hash of the issuer public key */ |
wolfSSL | 4:1b0d80432c79 | 8759 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 4:1b0d80432c79 | 8760 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8761 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8762 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8763 | resp->issuerKeyHash = source + idx; |
wolfSSL | 4:1b0d80432c79 | 8764 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8765 | |
wolfSSL | 4:1b0d80432c79 | 8766 | /* Read the serial number, it is handled as a string, not as a |
wolfSSL | 4:1b0d80432c79 | 8767 | * proper number. Just XMEMCPY the data over, rather than load it |
wolfSSL | 4:1b0d80432c79 | 8768 | * as an mp_int. */ |
wolfSSL | 4:1b0d80432c79 | 8769 | if (source[idx++] != ASN_INTEGER) |
wolfSSL | 4:1b0d80432c79 | 8770 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8771 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8772 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8773 | if (length <= EXTERNAL_SERIAL_SIZE) |
wolfSSL | 4:1b0d80432c79 | 8774 | { |
wolfSSL | 4:1b0d80432c79 | 8775 | if (source[idx] == 0) |
wolfSSL | 4:1b0d80432c79 | 8776 | { |
wolfSSL | 4:1b0d80432c79 | 8777 | idx++; |
wolfSSL | 4:1b0d80432c79 | 8778 | length--; |
wolfSSL | 4:1b0d80432c79 | 8779 | } |
wolfSSL | 4:1b0d80432c79 | 8780 | XMEMCPY(cs->serial, source + idx, length); |
wolfSSL | 4:1b0d80432c79 | 8781 | cs->serialSz = length; |
wolfSSL | 4:1b0d80432c79 | 8782 | } |
wolfSSL | 4:1b0d80432c79 | 8783 | else |
wolfSSL | 4:1b0d80432c79 | 8784 | { |
wolfSSL | 4:1b0d80432c79 | 8785 | return ASN_GETINT_E; |
wolfSSL | 4:1b0d80432c79 | 8786 | } |
wolfSSL | 4:1b0d80432c79 | 8787 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8788 | |
wolfSSL | 4:1b0d80432c79 | 8789 | /* CertStatus */ |
wolfSSL | 4:1b0d80432c79 | 8790 | switch (source[idx++]) |
wolfSSL | 4:1b0d80432c79 | 8791 | { |
wolfSSL | 4:1b0d80432c79 | 8792 | case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): |
wolfSSL | 4:1b0d80432c79 | 8793 | cs->status = CERT_GOOD; |
wolfSSL | 4:1b0d80432c79 | 8794 | idx++; |
wolfSSL | 4:1b0d80432c79 | 8795 | break; |
wolfSSL | 4:1b0d80432c79 | 8796 | case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): |
wolfSSL | 4:1b0d80432c79 | 8797 | cs->status = CERT_REVOKED; |
wolfSSL | 4:1b0d80432c79 | 8798 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8799 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8800 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8801 | break; |
wolfSSL | 4:1b0d80432c79 | 8802 | case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): |
wolfSSL | 4:1b0d80432c79 | 8803 | cs->status = CERT_UNKNOWN; |
wolfSSL | 4:1b0d80432c79 | 8804 | idx++; |
wolfSSL | 4:1b0d80432c79 | 8805 | break; |
wolfSSL | 4:1b0d80432c79 | 8806 | default: |
wolfSSL | 4:1b0d80432c79 | 8807 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8808 | } |
wolfSSL | 4:1b0d80432c79 | 8809 | |
wolfSSL | 4:1b0d80432c79 | 8810 | if (GetBasicDate(source, &idx, cs->thisDate, |
wolfSSL | 4:1b0d80432c79 | 8811 | &cs->thisDateFormat, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8812 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8813 | if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) |
wolfSSL | 4:1b0d80432c79 | 8814 | return ASN_BEFORE_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 8815 | |
wolfSSL | 4:1b0d80432c79 | 8816 | /* The following items are optional. Only check for them if there is more |
wolfSSL | 4:1b0d80432c79 | 8817 | * unprocessed data in the singleResponse wrapper. */ |
wolfSSL | 4:1b0d80432c79 | 8818 | |
wolfSSL | 4:1b0d80432c79 | 8819 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 4:1b0d80432c79 | 8820 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))) |
wolfSSL | 4:1b0d80432c79 | 8821 | { |
wolfSSL | 4:1b0d80432c79 | 8822 | idx++; |
wolfSSL | 4:1b0d80432c79 | 8823 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8824 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8825 | if (GetBasicDate(source, &idx, cs->nextDate, |
wolfSSL | 4:1b0d80432c79 | 8826 | &cs->nextDateFormat, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8827 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8828 | if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) |
wolfSSL | 4:1b0d80432c79 | 8829 | return ASN_AFTER_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 8830 | } |
wolfSSL | 4:1b0d80432c79 | 8831 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 4:1b0d80432c79 | 8832 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) |
wolfSSL | 4:1b0d80432c79 | 8833 | { |
wolfSSL | 4:1b0d80432c79 | 8834 | idx++; |
wolfSSL | 4:1b0d80432c79 | 8835 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8836 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8837 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8838 | } |
wolfSSL | 4:1b0d80432c79 | 8839 | |
wolfSSL | 4:1b0d80432c79 | 8840 | *ioIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 8841 | |
wolfSSL | 4:1b0d80432c79 | 8842 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8843 | } |
wolfSSL | 4:1b0d80432c79 | 8844 | |
wolfSSL | 4:1b0d80432c79 | 8845 | static int DecodeOcspRespExtensions(byte* source, |
wolfSSL | 4:1b0d80432c79 | 8846 | word32* ioIndex, OcspResponse* resp, word32 sz) |
wolfSSL | 4:1b0d80432c79 | 8847 | { |
wolfSSL | 4:1b0d80432c79 | 8848 | word32 idx = *ioIndex; |
wolfSSL | 4:1b0d80432c79 | 8849 | int length; |
wolfSSL | 4:1b0d80432c79 | 8850 | int ext_bound; /* boundary index for the sequence of extensions */ |
wolfSSL | 4:1b0d80432c79 | 8851 | word32 oid; |
wolfSSL | 4:1b0d80432c79 | 8852 | |
wolfSSL | 4:1b0d80432c79 | 8853 | WOLFSSL_ENTER("DecodeOcspRespExtensions"); |
wolfSSL | 4:1b0d80432c79 | 8854 | |
wolfSSL | 4:1b0d80432c79 | 8855 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 4:1b0d80432c79 | 8856 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8857 | |
wolfSSL | 4:1b0d80432c79 | 8858 | if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8859 | |
wolfSSL | 4:1b0d80432c79 | 8860 | if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8861 | |
wolfSSL | 4:1b0d80432c79 | 8862 | ext_bound = idx + length; |
wolfSSL | 4:1b0d80432c79 | 8863 | |
wolfSSL | 4:1b0d80432c79 | 8864 | while (idx < (word32)ext_bound) { |
wolfSSL | 4:1b0d80432c79 | 8865 | if (GetSequence(source, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8866 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 4:1b0d80432c79 | 8867 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8868 | } |
wolfSSL | 4:1b0d80432c79 | 8869 | |
wolfSSL | 4:1b0d80432c79 | 8870 | oid = 0; |
wolfSSL | 4:1b0d80432c79 | 8871 | if (GetObjectId(source, &idx, &oid, ocspType, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8872 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 4:1b0d80432c79 | 8873 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8874 | } |
wolfSSL | 4:1b0d80432c79 | 8875 | |
wolfSSL | 4:1b0d80432c79 | 8876 | /* check for critical flag */ |
wolfSSL | 4:1b0d80432c79 | 8877 | if (source[idx] == ASN_BOOLEAN) { |
wolfSSL | 4:1b0d80432c79 | 8878 | WOLFSSL_MSG("\tfound optional critical flag, moving past"); |
wolfSSL | 4:1b0d80432c79 | 8879 | idx += (ASN_BOOL_SIZE + 1); |
wolfSSL | 4:1b0d80432c79 | 8880 | } |
wolfSSL | 4:1b0d80432c79 | 8881 | |
wolfSSL | 4:1b0d80432c79 | 8882 | /* process the extension based on the OID */ |
wolfSSL | 4:1b0d80432c79 | 8883 | if (source[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 8884 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 4:1b0d80432c79 | 8885 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8886 | } |
wolfSSL | 4:1b0d80432c79 | 8887 | |
wolfSSL | 4:1b0d80432c79 | 8888 | if (GetLength(source, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8889 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 4:1b0d80432c79 | 8890 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8891 | } |
wolfSSL | 4:1b0d80432c79 | 8892 | |
wolfSSL | 4:1b0d80432c79 | 8893 | if (oid == OCSP_NONCE_OID) { |
wolfSSL | 4:1b0d80432c79 | 8894 | /* get data inside extra OCTET_STRING */ |
wolfSSL | 4:1b0d80432c79 | 8895 | if (source[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 4:1b0d80432c79 | 8896 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 4:1b0d80432c79 | 8897 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8898 | } |
wolfSSL | 4:1b0d80432c79 | 8899 | |
wolfSSL | 4:1b0d80432c79 | 8900 | if (GetLength(source, &idx, &length, sz) < 0) { |
wolfSSL | 4:1b0d80432c79 | 8901 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 4:1b0d80432c79 | 8902 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8903 | } |
wolfSSL | 4:1b0d80432c79 | 8904 | |
wolfSSL | 4:1b0d80432c79 | 8905 | resp->nonce = source + idx; |
wolfSSL | 4:1b0d80432c79 | 8906 | resp->nonceSz = length; |
wolfSSL | 4:1b0d80432c79 | 8907 | } |
wolfSSL | 4:1b0d80432c79 | 8908 | |
wolfSSL | 4:1b0d80432c79 | 8909 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8910 | } |
wolfSSL | 4:1b0d80432c79 | 8911 | |
wolfSSL | 4:1b0d80432c79 | 8912 | *ioIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 8913 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8914 | } |
wolfSSL | 4:1b0d80432c79 | 8915 | |
wolfSSL | 4:1b0d80432c79 | 8916 | |
wolfSSL | 4:1b0d80432c79 | 8917 | static int DecodeResponseData(byte* source, |
wolfSSL | 4:1b0d80432c79 | 8918 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 4:1b0d80432c79 | 8919 | { |
wolfSSL | 4:1b0d80432c79 | 8920 | word32 idx = *ioIndex, prev_idx; |
wolfSSL | 4:1b0d80432c79 | 8921 | int length; |
wolfSSL | 4:1b0d80432c79 | 8922 | int version; |
wolfSSL | 4:1b0d80432c79 | 8923 | word32 responderId = 0; |
wolfSSL | 4:1b0d80432c79 | 8924 | |
wolfSSL | 4:1b0d80432c79 | 8925 | WOLFSSL_ENTER("DecodeResponseData"); |
wolfSSL | 4:1b0d80432c79 | 8926 | |
wolfSSL | 4:1b0d80432c79 | 8927 | resp->response = source + idx; |
wolfSSL | 4:1b0d80432c79 | 8928 | prev_idx = idx; |
wolfSSL | 4:1b0d80432c79 | 8929 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8930 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8931 | resp->responseSz = length + idx - prev_idx; |
wolfSSL | 4:1b0d80432c79 | 8932 | |
wolfSSL | 4:1b0d80432c79 | 8933 | /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this |
wolfSSL | 4:1b0d80432c79 | 8934 | * item isn't an EXPLICIT[0], then set version to zero and move |
wolfSSL | 4:1b0d80432c79 | 8935 | * onto the next item. |
wolfSSL | 4:1b0d80432c79 | 8936 | */ |
wolfSSL | 4:1b0d80432c79 | 8937 | if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) |
wolfSSL | 4:1b0d80432c79 | 8938 | { |
wolfSSL | 4:1b0d80432c79 | 8939 | idx += 2; /* Eat the value and length */ |
wolfSSL | 4:1b0d80432c79 | 8940 | if (GetMyVersion(source, &idx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 8941 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8942 | } else |
wolfSSL | 4:1b0d80432c79 | 8943 | version = 0; |
wolfSSL | 4:1b0d80432c79 | 8944 | |
wolfSSL | 4:1b0d80432c79 | 8945 | responderId = source[idx++]; |
wolfSSL | 4:1b0d80432c79 | 8946 | if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) || |
wolfSSL | 4:1b0d80432c79 | 8947 | (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2))) |
wolfSSL | 4:1b0d80432c79 | 8948 | { |
wolfSSL | 4:1b0d80432c79 | 8949 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8950 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8951 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8952 | } |
wolfSSL | 4:1b0d80432c79 | 8953 | else |
wolfSSL | 4:1b0d80432c79 | 8954 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8955 | |
wolfSSL | 4:1b0d80432c79 | 8956 | /* save pointer to the producedAt time */ |
wolfSSL | 4:1b0d80432c79 | 8957 | if (GetBasicDate(source, &idx, resp->producedDate, |
wolfSSL | 4:1b0d80432c79 | 8958 | &resp->producedDateFormat, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8959 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8960 | |
wolfSSL | 4:1b0d80432c79 | 8961 | if (DecodeSingleResponse(source, &idx, resp, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8962 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8963 | |
wolfSSL | 4:1b0d80432c79 | 8964 | /* |
wolfSSL | 4:1b0d80432c79 | 8965 | * Check the length of the ResponseData against the current index to |
wolfSSL | 4:1b0d80432c79 | 8966 | * see if there are extensions, they are optional. |
wolfSSL | 4:1b0d80432c79 | 8967 | */ |
wolfSSL | 4:1b0d80432c79 | 8968 | if (idx - prev_idx < resp->responseSz) |
wolfSSL | 4:1b0d80432c79 | 8969 | if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8970 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8971 | |
wolfSSL | 4:1b0d80432c79 | 8972 | *ioIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 8973 | return 0; |
wolfSSL | 4:1b0d80432c79 | 8974 | } |
wolfSSL | 4:1b0d80432c79 | 8975 | |
wolfSSL | 4:1b0d80432c79 | 8976 | |
wolfSSL | 4:1b0d80432c79 | 8977 | static int DecodeCerts(byte* source, |
wolfSSL | 4:1b0d80432c79 | 8978 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 4:1b0d80432c79 | 8979 | { |
wolfSSL | 4:1b0d80432c79 | 8980 | word32 idx = *ioIndex; |
wolfSSL | 4:1b0d80432c79 | 8981 | |
wolfSSL | 4:1b0d80432c79 | 8982 | WOLFSSL_ENTER("DecodeCerts"); |
wolfSSL | 4:1b0d80432c79 | 8983 | |
wolfSSL | 4:1b0d80432c79 | 8984 | if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 4:1b0d80432c79 | 8985 | { |
wolfSSL | 4:1b0d80432c79 | 8986 | int length; |
wolfSSL | 4:1b0d80432c79 | 8987 | |
wolfSSL | 4:1b0d80432c79 | 8988 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8989 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8990 | |
wolfSSL | 4:1b0d80432c79 | 8991 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 8992 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 8993 | |
wolfSSL | 4:1b0d80432c79 | 8994 | resp->cert = source + idx; |
wolfSSL | 4:1b0d80432c79 | 8995 | resp->certSz = length; |
wolfSSL | 4:1b0d80432c79 | 8996 | |
wolfSSL | 4:1b0d80432c79 | 8997 | idx += length; |
wolfSSL | 4:1b0d80432c79 | 8998 | } |
wolfSSL | 4:1b0d80432c79 | 8999 | *ioIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 9000 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9001 | } |
wolfSSL | 4:1b0d80432c79 | 9002 | |
wolfSSL | 4:1b0d80432c79 | 9003 | static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, |
wolfSSL | 4:1b0d80432c79 | 9004 | OcspResponse* resp, word32 size, void* cm) |
wolfSSL | 4:1b0d80432c79 | 9005 | { |
wolfSSL | 4:1b0d80432c79 | 9006 | int length; |
wolfSSL | 4:1b0d80432c79 | 9007 | word32 idx = *ioIndex; |
wolfSSL | 4:1b0d80432c79 | 9008 | word32 end_index; |
wolfSSL | 4:1b0d80432c79 | 9009 | int ret = -1; |
wolfSSL | 4:1b0d80432c79 | 9010 | |
wolfSSL | 4:1b0d80432c79 | 9011 | WOLFSSL_ENTER("DecodeBasicOcspResponse"); |
wolfSSL | 4:1b0d80432c79 | 9012 | |
wolfSSL | 4:1b0d80432c79 | 9013 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9014 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9015 | |
wolfSSL | 4:1b0d80432c79 | 9016 | if (idx + length > size) |
wolfSSL | 4:1b0d80432c79 | 9017 | return ASN_INPUT_E; |
wolfSSL | 4:1b0d80432c79 | 9018 | end_index = idx + length; |
wolfSSL | 4:1b0d80432c79 | 9019 | |
wolfSSL | 4:1b0d80432c79 | 9020 | if (DecodeResponseData(source, &idx, resp, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9021 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9022 | |
wolfSSL | 4:1b0d80432c79 | 9023 | /* Get the signature algorithm */ |
wolfSSL | 4:1b0d80432c79 | 9024 | if (GetAlgoId(source, &idx, &resp->sigOID, sigType, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9025 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9026 | |
wolfSSL | 4:1b0d80432c79 | 9027 | /* Obtain pointer to the start of the signature, and save the size */ |
wolfSSL | 4:1b0d80432c79 | 9028 | if (source[idx++] == ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 9029 | { |
wolfSSL | 4:1b0d80432c79 | 9030 | int sigLength = 0; |
wolfSSL | 4:1b0d80432c79 | 9031 | if (GetLength(source, &idx, &sigLength, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9032 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9033 | resp->sigSz = sigLength; |
wolfSSL | 4:1b0d80432c79 | 9034 | resp->sig = source + idx; |
wolfSSL | 4:1b0d80432c79 | 9035 | idx += sigLength; |
wolfSSL | 4:1b0d80432c79 | 9036 | } |
wolfSSL | 4:1b0d80432c79 | 9037 | |
wolfSSL | 4:1b0d80432c79 | 9038 | /* |
wolfSSL | 4:1b0d80432c79 | 9039 | * Check the length of the BasicOcspResponse against the current index to |
wolfSSL | 4:1b0d80432c79 | 9040 | * see if there are certificates, they are optional. |
wolfSSL | 4:1b0d80432c79 | 9041 | */ |
wolfSSL | 4:1b0d80432c79 | 9042 | if (idx < end_index) |
wolfSSL | 4:1b0d80432c79 | 9043 | { |
wolfSSL | 4:1b0d80432c79 | 9044 | DecodedCert cert; |
wolfSSL | 4:1b0d80432c79 | 9045 | |
wolfSSL | 4:1b0d80432c79 | 9046 | if (DecodeCerts(source, &idx, resp, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9047 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9048 | |
wolfSSL | 4:1b0d80432c79 | 9049 | InitDecodedCert(&cert, resp->cert, resp->certSz, 0); |
wolfSSL | 4:1b0d80432c79 | 9050 | ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm); |
wolfSSL | 4:1b0d80432c79 | 9051 | if (ret < 0) |
wolfSSL | 4:1b0d80432c79 | 9052 | return ret; |
wolfSSL | 4:1b0d80432c79 | 9053 | |
wolfSSL | 4:1b0d80432c79 | 9054 | ret = ConfirmSignature(resp->response, resp->responseSz, |
wolfSSL | 4:1b0d80432c79 | 9055 | cert.publicKey, cert.pubKeySize, cert.keyOID, |
wolfSSL | 4:1b0d80432c79 | 9056 | resp->sig, resp->sigSz, resp->sigOID, NULL); |
wolfSSL | 4:1b0d80432c79 | 9057 | FreeDecodedCert(&cert); |
wolfSSL | 4:1b0d80432c79 | 9058 | |
wolfSSL | 4:1b0d80432c79 | 9059 | if (ret == 0) |
wolfSSL | 4:1b0d80432c79 | 9060 | { |
wolfSSL | 4:1b0d80432c79 | 9061 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 4:1b0d80432c79 | 9062 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 4:1b0d80432c79 | 9063 | } |
wolfSSL | 4:1b0d80432c79 | 9064 | } |
wolfSSL | 4:1b0d80432c79 | 9065 | else { |
wolfSSL | 4:1b0d80432c79 | 9066 | Signer* ca = GetCA(cm, resp->issuerHash); |
wolfSSL | 4:1b0d80432c79 | 9067 | |
wolfSSL | 4:1b0d80432c79 | 9068 | if (!ca || !ConfirmSignature(resp->response, resp->responseSz, |
wolfSSL | 4:1b0d80432c79 | 9069 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 4:1b0d80432c79 | 9070 | resp->sig, resp->sigSz, resp->sigOID, NULL)) { |
wolfSSL | 4:1b0d80432c79 | 9071 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 4:1b0d80432c79 | 9072 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 4:1b0d80432c79 | 9073 | } |
wolfSSL | 4:1b0d80432c79 | 9074 | } |
wolfSSL | 4:1b0d80432c79 | 9075 | |
wolfSSL | 4:1b0d80432c79 | 9076 | *ioIndex = idx; |
wolfSSL | 4:1b0d80432c79 | 9077 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9078 | } |
wolfSSL | 4:1b0d80432c79 | 9079 | |
wolfSSL | 4:1b0d80432c79 | 9080 | |
wolfSSL | 4:1b0d80432c79 | 9081 | void InitOcspResponse(OcspResponse* resp, CertStatus* status, |
wolfSSL | 4:1b0d80432c79 | 9082 | byte* source, word32 inSz) |
wolfSSL | 4:1b0d80432c79 | 9083 | { |
wolfSSL | 4:1b0d80432c79 | 9084 | WOLFSSL_ENTER("InitOcspResponse"); |
wolfSSL | 4:1b0d80432c79 | 9085 | |
wolfSSL | 4:1b0d80432c79 | 9086 | XMEMSET(status, 0, sizeof(CertStatus)); |
wolfSSL | 4:1b0d80432c79 | 9087 | XMEMSET(resp, 0, sizeof(OcspResponse)); |
wolfSSL | 4:1b0d80432c79 | 9088 | |
wolfSSL | 4:1b0d80432c79 | 9089 | resp->responseStatus = -1; |
wolfSSL | 4:1b0d80432c79 | 9090 | resp->status = status; |
wolfSSL | 4:1b0d80432c79 | 9091 | resp->source = source; |
wolfSSL | 4:1b0d80432c79 | 9092 | resp->maxIdx = inSz; |
wolfSSL | 4:1b0d80432c79 | 9093 | } |
wolfSSL | 4:1b0d80432c79 | 9094 | |
wolfSSL | 4:1b0d80432c79 | 9095 | |
wolfSSL | 4:1b0d80432c79 | 9096 | int OcspResponseDecode(OcspResponse* resp, void* cm) |
wolfSSL | 4:1b0d80432c79 | 9097 | { |
wolfSSL | 4:1b0d80432c79 | 9098 | int length = 0; |
wolfSSL | 4:1b0d80432c79 | 9099 | word32 idx = 0; |
wolfSSL | 4:1b0d80432c79 | 9100 | byte* source = resp->source; |
wolfSSL | 4:1b0d80432c79 | 9101 | word32 size = resp->maxIdx; |
wolfSSL | 4:1b0d80432c79 | 9102 | word32 oid; |
wolfSSL | 4:1b0d80432c79 | 9103 | |
wolfSSL | 4:1b0d80432c79 | 9104 | WOLFSSL_ENTER("OcspResponseDecode"); |
wolfSSL | 4:1b0d80432c79 | 9105 | |
wolfSSL | 4:1b0d80432c79 | 9106 | /* peel the outer SEQUENCE wrapper */ |
wolfSSL | 4:1b0d80432c79 | 9107 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9108 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9109 | |
wolfSSL | 4:1b0d80432c79 | 9110 | /* First get the responseStatus, an ENUMERATED */ |
wolfSSL | 4:1b0d80432c79 | 9111 | if (GetEnumerated(source, &idx, &resp->responseStatus) < 0) |
wolfSSL | 4:1b0d80432c79 | 9112 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9113 | |
wolfSSL | 4:1b0d80432c79 | 9114 | if (resp->responseStatus != OCSP_SUCCESSFUL) |
wolfSSL | 4:1b0d80432c79 | 9115 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9116 | |
wolfSSL | 4:1b0d80432c79 | 9117 | /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */ |
wolfSSL | 4:1b0d80432c79 | 9118 | if (idx >= size) |
wolfSSL | 4:1b0d80432c79 | 9119 | return ASN_INPUT_E; |
wolfSSL | 4:1b0d80432c79 | 9120 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 4:1b0d80432c79 | 9121 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9122 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9123 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9124 | |
wolfSSL | 4:1b0d80432c79 | 9125 | /* Get the responseBytes SEQUENCE */ |
wolfSSL | 4:1b0d80432c79 | 9126 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9127 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9128 | |
wolfSSL | 4:1b0d80432c79 | 9129 | /* Check ObjectID for the resposeBytes */ |
wolfSSL | 4:1b0d80432c79 | 9130 | if (GetObjectId(source, &idx, &oid, ocspType, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9131 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9132 | if (oid != OCSP_BASIC_OID) |
wolfSSL | 4:1b0d80432c79 | 9133 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9134 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 4:1b0d80432c79 | 9135 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9136 | |
wolfSSL | 4:1b0d80432c79 | 9137 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 4:1b0d80432c79 | 9138 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9139 | |
wolfSSL | 4:1b0d80432c79 | 9140 | if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0) |
wolfSSL | 4:1b0d80432c79 | 9141 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9142 | |
wolfSSL | 4:1b0d80432c79 | 9143 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9144 | } |
wolfSSL | 4:1b0d80432c79 | 9145 | |
wolfSSL | 4:1b0d80432c79 | 9146 | |
wolfSSL | 4:1b0d80432c79 | 9147 | word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 4:1b0d80432c79 | 9148 | { |
wolfSSL | 4:1b0d80432c79 | 9149 | static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, |
wolfSSL | 4:1b0d80432c79 | 9150 | 0x30, 0x01, 0x02 }; |
wolfSSL | 4:1b0d80432c79 | 9151 | byte seqArray[6][MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9152 | word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId); |
wolfSSL | 4:1b0d80432c79 | 9153 | |
wolfSSL | 4:1b0d80432c79 | 9154 | WOLFSSL_ENTER("SetOcspReqExtensions"); |
wolfSSL | 4:1b0d80432c79 | 9155 | |
wolfSSL | 4:1b0d80432c79 | 9156 | if (!req || !output || !req->nonceSz) |
wolfSSL | 4:1b0d80432c79 | 9157 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9158 | |
wolfSSL | 4:1b0d80432c79 | 9159 | totalSz += req->nonceSz; |
wolfSSL | 4:1b0d80432c79 | 9160 | totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]); |
wolfSSL | 4:1b0d80432c79 | 9161 | totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]); |
wolfSSL | 4:1b0d80432c79 | 9162 | seqArray[2][0] = ASN_OBJECT_ID; |
wolfSSL | 4:1b0d80432c79 | 9163 | totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]); |
wolfSSL | 4:1b0d80432c79 | 9164 | totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); |
wolfSSL | 4:1b0d80432c79 | 9165 | totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); |
wolfSSL | 4:1b0d80432c79 | 9166 | totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); |
wolfSSL | 4:1b0d80432c79 | 9167 | |
wolfSSL | 4:1b0d80432c79 | 9168 | if (totalSz > size) |
wolfSSL | 4:1b0d80432c79 | 9169 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9170 | |
wolfSSL | 4:1b0d80432c79 | 9171 | totalSz = 0; |
wolfSSL | 4:1b0d80432c79 | 9172 | |
wolfSSL | 4:1b0d80432c79 | 9173 | XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); |
wolfSSL | 4:1b0d80432c79 | 9174 | totalSz += seqSz[5]; |
wolfSSL | 4:1b0d80432c79 | 9175 | |
wolfSSL | 4:1b0d80432c79 | 9176 | XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); |
wolfSSL | 4:1b0d80432c79 | 9177 | totalSz += seqSz[4]; |
wolfSSL | 4:1b0d80432c79 | 9178 | |
wolfSSL | 4:1b0d80432c79 | 9179 | XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); |
wolfSSL | 4:1b0d80432c79 | 9180 | totalSz += seqSz[3]; |
wolfSSL | 4:1b0d80432c79 | 9181 | |
wolfSSL | 4:1b0d80432c79 | 9182 | XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); |
wolfSSL | 4:1b0d80432c79 | 9183 | totalSz += seqSz[2]; |
wolfSSL | 4:1b0d80432c79 | 9184 | |
wolfSSL | 4:1b0d80432c79 | 9185 | XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); |
wolfSSL | 4:1b0d80432c79 | 9186 | totalSz += (word32)sizeof(NonceObjId); |
wolfSSL | 4:1b0d80432c79 | 9187 | |
wolfSSL | 4:1b0d80432c79 | 9188 | XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); |
wolfSSL | 4:1b0d80432c79 | 9189 | totalSz += seqSz[1]; |
wolfSSL | 4:1b0d80432c79 | 9190 | |
wolfSSL | 4:1b0d80432c79 | 9191 | XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); |
wolfSSL | 4:1b0d80432c79 | 9192 | totalSz += seqSz[0]; |
wolfSSL | 4:1b0d80432c79 | 9193 | |
wolfSSL | 4:1b0d80432c79 | 9194 | XMEMCPY(output + totalSz, req->nonce, req->nonceSz); |
wolfSSL | 4:1b0d80432c79 | 9195 | totalSz += req->nonceSz; |
wolfSSL | 4:1b0d80432c79 | 9196 | |
wolfSSL | 4:1b0d80432c79 | 9197 | return totalSz; |
wolfSSL | 4:1b0d80432c79 | 9198 | } |
wolfSSL | 4:1b0d80432c79 | 9199 | |
wolfSSL | 4:1b0d80432c79 | 9200 | |
wolfSSL | 4:1b0d80432c79 | 9201 | int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 4:1b0d80432c79 | 9202 | { |
wolfSSL | 4:1b0d80432c79 | 9203 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9204 | /* The ASN.1 of the OCSP Request is an onion of sequences */ |
wolfSSL | 4:1b0d80432c79 | 9205 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9206 | byte issuerArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9207 | byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9208 | byte snArray[MAX_SN_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9209 | byte extArray[MAX_OCSP_EXT_SZ]; |
wolfSSL | 4:1b0d80432c79 | 9210 | word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; |
wolfSSL | 4:1b0d80432c79 | 9211 | int i; |
wolfSSL | 4:1b0d80432c79 | 9212 | |
wolfSSL | 4:1b0d80432c79 | 9213 | WOLFSSL_ENTER("EncodeOcspRequest"); |
wolfSSL | 4:1b0d80432c79 | 9214 | |
wolfSSL | 4:1b0d80432c79 | 9215 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 9216 | algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0); |
wolfSSL | 4:1b0d80432c79 | 9217 | #else |
wolfSSL | 4:1b0d80432c79 | 9218 | algoSz = SetAlgoID(SHAh, algoArray, hashType, 0); |
wolfSSL | 4:1b0d80432c79 | 9219 | #endif |
wolfSSL | 4:1b0d80432c79 | 9220 | |
wolfSSL | 4:1b0d80432c79 | 9221 | issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); |
wolfSSL | 4:1b0d80432c79 | 9222 | issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); |
wolfSSL | 4:1b0d80432c79 | 9223 | snSz = SetSerialNumber(req->serial, req->serialSz, snArray); |
wolfSSL | 4:1b0d80432c79 | 9224 | extSz = 0; |
wolfSSL | 4:1b0d80432c79 | 9225 | |
wolfSSL | 4:1b0d80432c79 | 9226 | if (req->nonceSz) |
wolfSSL | 4:1b0d80432c79 | 9227 | extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ); |
wolfSSL | 4:1b0d80432c79 | 9228 | |
wolfSSL | 4:1b0d80432c79 | 9229 | totalSz = algoSz + issuerSz + issuerKeySz + snSz; |
wolfSSL | 4:1b0d80432c79 | 9230 | for (i = 4; i >= 0; i--) { |
wolfSSL | 4:1b0d80432c79 | 9231 | seqSz[i] = SetSequence(totalSz, seqArray[i]); |
wolfSSL | 4:1b0d80432c79 | 9232 | totalSz += seqSz[i]; |
wolfSSL | 4:1b0d80432c79 | 9233 | if (i == 2) totalSz += extSz; |
wolfSSL | 4:1b0d80432c79 | 9234 | } |
wolfSSL | 4:1b0d80432c79 | 9235 | |
wolfSSL | 4:1b0d80432c79 | 9236 | if (totalSz > size) |
wolfSSL | 4:1b0d80432c79 | 9237 | return BUFFER_E; |
wolfSSL | 4:1b0d80432c79 | 9238 | |
wolfSSL | 4:1b0d80432c79 | 9239 | totalSz = 0; |
wolfSSL | 4:1b0d80432c79 | 9240 | for (i = 0; i < 5; i++) { |
wolfSSL | 4:1b0d80432c79 | 9241 | XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); |
wolfSSL | 4:1b0d80432c79 | 9242 | totalSz += seqSz[i]; |
wolfSSL | 4:1b0d80432c79 | 9243 | } |
wolfSSL | 4:1b0d80432c79 | 9244 | |
wolfSSL | 4:1b0d80432c79 | 9245 | XMEMCPY(output + totalSz, algoArray, algoSz); |
wolfSSL | 4:1b0d80432c79 | 9246 | totalSz += algoSz; |
wolfSSL | 4:1b0d80432c79 | 9247 | |
wolfSSL | 4:1b0d80432c79 | 9248 | XMEMCPY(output + totalSz, issuerArray, issuerSz); |
wolfSSL | 4:1b0d80432c79 | 9249 | totalSz += issuerSz; |
wolfSSL | 4:1b0d80432c79 | 9250 | |
wolfSSL | 4:1b0d80432c79 | 9251 | XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); |
wolfSSL | 4:1b0d80432c79 | 9252 | totalSz += issuerKeySz; |
wolfSSL | 4:1b0d80432c79 | 9253 | |
wolfSSL | 4:1b0d80432c79 | 9254 | XMEMCPY(output + totalSz, snArray, snSz); |
wolfSSL | 4:1b0d80432c79 | 9255 | totalSz += snSz; |
wolfSSL | 4:1b0d80432c79 | 9256 | |
wolfSSL | 4:1b0d80432c79 | 9257 | if (extSz != 0) { |
wolfSSL | 4:1b0d80432c79 | 9258 | XMEMCPY(output + totalSz, extArray, extSz); |
wolfSSL | 4:1b0d80432c79 | 9259 | totalSz += extSz; |
wolfSSL | 4:1b0d80432c79 | 9260 | } |
wolfSSL | 4:1b0d80432c79 | 9261 | |
wolfSSL | 4:1b0d80432c79 | 9262 | return totalSz; |
wolfSSL | 4:1b0d80432c79 | 9263 | } |
wolfSSL | 4:1b0d80432c79 | 9264 | |
wolfSSL | 4:1b0d80432c79 | 9265 | |
wolfSSL | 4:1b0d80432c79 | 9266 | int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce) |
wolfSSL | 4:1b0d80432c79 | 9267 | { |
wolfSSL | 4:1b0d80432c79 | 9268 | WOLFSSL_ENTER("InitOcspRequest"); |
wolfSSL | 4:1b0d80432c79 | 9269 | |
wolfSSL | 4:1b0d80432c79 | 9270 | if (req == NULL) |
wolfSSL | 4:1b0d80432c79 | 9271 | return BAD_FUNC_ARG; |
wolfSSL | 4:1b0d80432c79 | 9272 | |
wolfSSL | 4:1b0d80432c79 | 9273 | ForceZero(req, sizeof(OcspRequest)); |
wolfSSL | 4:1b0d80432c79 | 9274 | |
wolfSSL | 4:1b0d80432c79 | 9275 | if (cert) { |
wolfSSL | 4:1b0d80432c79 | 9276 | XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 9277 | XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 9278 | |
wolfSSL | 4:1b0d80432c79 | 9279 | req->serial = (byte*)XMALLOC(cert->serialSz, NULL, |
wolfSSL | 4:1b0d80432c79 | 9280 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 4:1b0d80432c79 | 9281 | if (req->serial == NULL) |
wolfSSL | 4:1b0d80432c79 | 9282 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 9283 | |
wolfSSL | 4:1b0d80432c79 | 9284 | XMEMCPY(req->serial, cert->serial, cert->serialSz); |
wolfSSL | 4:1b0d80432c79 | 9285 | req->serialSz = cert->serialSz; |
wolfSSL | 4:1b0d80432c79 | 9286 | |
wolfSSL | 4:1b0d80432c79 | 9287 | if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { |
wolfSSL | 4:1b0d80432c79 | 9288 | req->url = (byte*)XMALLOC(cert->extAuthInfoSz, NULL, |
wolfSSL | 4:1b0d80432c79 | 9289 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 4:1b0d80432c79 | 9290 | if (req->url == NULL) { |
wolfSSL | 4:1b0d80432c79 | 9291 | XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); |
wolfSSL | 4:1b0d80432c79 | 9292 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 9293 | } |
wolfSSL | 4:1b0d80432c79 | 9294 | |
wolfSSL | 4:1b0d80432c79 | 9295 | XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); |
wolfSSL | 4:1b0d80432c79 | 9296 | req->urlSz = cert->extAuthInfoSz; |
wolfSSL | 4:1b0d80432c79 | 9297 | } |
wolfSSL | 4:1b0d80432c79 | 9298 | |
wolfSSL | 4:1b0d80432c79 | 9299 | } |
wolfSSL | 4:1b0d80432c79 | 9300 | |
wolfSSL | 4:1b0d80432c79 | 9301 | if (useNonce) { |
wolfSSL | 4:1b0d80432c79 | 9302 | WC_RNG rng; |
wolfSSL | 4:1b0d80432c79 | 9303 | |
wolfSSL | 4:1b0d80432c79 | 9304 | if (wc_InitRng(&rng) != 0) { |
wolfSSL | 4:1b0d80432c79 | 9305 | WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); |
wolfSSL | 4:1b0d80432c79 | 9306 | } else { |
wolfSSL | 4:1b0d80432c79 | 9307 | if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) |
wolfSSL | 4:1b0d80432c79 | 9308 | WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); |
wolfSSL | 4:1b0d80432c79 | 9309 | else |
wolfSSL | 4:1b0d80432c79 | 9310 | req->nonceSz = MAX_OCSP_NONCE_SZ; |
wolfSSL | 4:1b0d80432c79 | 9311 | |
wolfSSL | 4:1b0d80432c79 | 9312 | wc_FreeRng(&rng); |
wolfSSL | 4:1b0d80432c79 | 9313 | } |
wolfSSL | 4:1b0d80432c79 | 9314 | } |
wolfSSL | 4:1b0d80432c79 | 9315 | |
wolfSSL | 4:1b0d80432c79 | 9316 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9317 | } |
wolfSSL | 4:1b0d80432c79 | 9318 | |
wolfSSL | 4:1b0d80432c79 | 9319 | void FreeOcspRequest(OcspRequest* req) |
wolfSSL | 4:1b0d80432c79 | 9320 | { |
wolfSSL | 4:1b0d80432c79 | 9321 | WOLFSSL_ENTER("FreeOcspRequest"); |
wolfSSL | 4:1b0d80432c79 | 9322 | |
wolfSSL | 4:1b0d80432c79 | 9323 | if (req) { |
wolfSSL | 4:1b0d80432c79 | 9324 | if (req->serial) |
wolfSSL | 4:1b0d80432c79 | 9325 | XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 4:1b0d80432c79 | 9326 | |
wolfSSL | 4:1b0d80432c79 | 9327 | if (req->url) |
wolfSSL | 4:1b0d80432c79 | 9328 | XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 4:1b0d80432c79 | 9329 | } |
wolfSSL | 4:1b0d80432c79 | 9330 | } |
wolfSSL | 4:1b0d80432c79 | 9331 | |
wolfSSL | 4:1b0d80432c79 | 9332 | |
wolfSSL | 4:1b0d80432c79 | 9333 | int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) |
wolfSSL | 4:1b0d80432c79 | 9334 | { |
wolfSSL | 4:1b0d80432c79 | 9335 | int cmp; |
wolfSSL | 4:1b0d80432c79 | 9336 | |
wolfSSL | 4:1b0d80432c79 | 9337 | WOLFSSL_ENTER("CompareOcspReqResp"); |
wolfSSL | 4:1b0d80432c79 | 9338 | |
wolfSSL | 4:1b0d80432c79 | 9339 | if (req == NULL) |
wolfSSL | 4:1b0d80432c79 | 9340 | { |
wolfSSL | 4:1b0d80432c79 | 9341 | WOLFSSL_MSG("\tReq missing"); |
wolfSSL | 4:1b0d80432c79 | 9342 | return -1; |
wolfSSL | 4:1b0d80432c79 | 9343 | } |
wolfSSL | 4:1b0d80432c79 | 9344 | |
wolfSSL | 4:1b0d80432c79 | 9345 | if (resp == NULL) |
wolfSSL | 4:1b0d80432c79 | 9346 | { |
wolfSSL | 4:1b0d80432c79 | 9347 | WOLFSSL_MSG("\tResp missing"); |
wolfSSL | 4:1b0d80432c79 | 9348 | return 1; |
wolfSSL | 4:1b0d80432c79 | 9349 | } |
wolfSSL | 4:1b0d80432c79 | 9350 | |
wolfSSL | 4:1b0d80432c79 | 9351 | /* Nonces are not critical. The responder may not necessarily add |
wolfSSL | 4:1b0d80432c79 | 9352 | * the nonce to the response. */ |
wolfSSL | 4:1b0d80432c79 | 9353 | if (req->nonceSz && resp->nonceSz != 0) { |
wolfSSL | 4:1b0d80432c79 | 9354 | cmp = req->nonceSz - resp->nonceSz; |
wolfSSL | 4:1b0d80432c79 | 9355 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9356 | { |
wolfSSL | 4:1b0d80432c79 | 9357 | WOLFSSL_MSG("\tnonceSz mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9358 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9359 | } |
wolfSSL | 4:1b0d80432c79 | 9360 | |
wolfSSL | 4:1b0d80432c79 | 9361 | cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); |
wolfSSL | 4:1b0d80432c79 | 9362 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9363 | { |
wolfSSL | 4:1b0d80432c79 | 9364 | WOLFSSL_MSG("\tnonce mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9365 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9366 | } |
wolfSSL | 4:1b0d80432c79 | 9367 | } |
wolfSSL | 4:1b0d80432c79 | 9368 | |
wolfSSL | 4:1b0d80432c79 | 9369 | cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 9370 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9371 | { |
wolfSSL | 4:1b0d80432c79 | 9372 | WOLFSSL_MSG("\tissuerHash mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9373 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9374 | } |
wolfSSL | 4:1b0d80432c79 | 9375 | |
wolfSSL | 4:1b0d80432c79 | 9376 | cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 4:1b0d80432c79 | 9377 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9378 | { |
wolfSSL | 4:1b0d80432c79 | 9379 | WOLFSSL_MSG("\tissuerKeyHash mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9380 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9381 | } |
wolfSSL | 4:1b0d80432c79 | 9382 | |
wolfSSL | 4:1b0d80432c79 | 9383 | cmp = req->serialSz - resp->status->serialSz; |
wolfSSL | 4:1b0d80432c79 | 9384 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9385 | { |
wolfSSL | 4:1b0d80432c79 | 9386 | WOLFSSL_MSG("\tserialSz mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9387 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9388 | } |
wolfSSL | 4:1b0d80432c79 | 9389 | |
wolfSSL | 4:1b0d80432c79 | 9390 | cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz); |
wolfSSL | 4:1b0d80432c79 | 9391 | if (cmp != 0) |
wolfSSL | 4:1b0d80432c79 | 9392 | { |
wolfSSL | 4:1b0d80432c79 | 9393 | WOLFSSL_MSG("\tserial mismatch"); |
wolfSSL | 4:1b0d80432c79 | 9394 | return cmp; |
wolfSSL | 4:1b0d80432c79 | 9395 | } |
wolfSSL | 4:1b0d80432c79 | 9396 | |
wolfSSL | 4:1b0d80432c79 | 9397 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9398 | } |
wolfSSL | 4:1b0d80432c79 | 9399 | |
wolfSSL | 4:1b0d80432c79 | 9400 | #endif |
wolfSSL | 4:1b0d80432c79 | 9401 | |
wolfSSL | 4:1b0d80432c79 | 9402 | |
wolfSSL | 4:1b0d80432c79 | 9403 | /* store SHA hash of NAME */ |
wolfSSL | 4:1b0d80432c79 | 9404 | WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, |
wolfSSL | 4:1b0d80432c79 | 9405 | int maxIdx) |
wolfSSL | 4:1b0d80432c79 | 9406 | { |
wolfSSL | 4:1b0d80432c79 | 9407 | int length; /* length of all distinguished names */ |
wolfSSL | 4:1b0d80432c79 | 9408 | int ret; |
wolfSSL | 4:1b0d80432c79 | 9409 | word32 dummy; |
wolfSSL | 4:1b0d80432c79 | 9410 | |
wolfSSL | 4:1b0d80432c79 | 9411 | WOLFSSL_ENTER("GetNameHash"); |
wolfSSL | 4:1b0d80432c79 | 9412 | |
wolfSSL | 4:1b0d80432c79 | 9413 | if (source[*idx] == ASN_OBJECT_ID) { |
wolfSSL | 4:1b0d80432c79 | 9414 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 4:1b0d80432c79 | 9415 | |
wolfSSL | 4:1b0d80432c79 | 9416 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9417 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9418 | |
wolfSSL | 4:1b0d80432c79 | 9419 | *idx += length; |
wolfSSL | 4:1b0d80432c79 | 9420 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 4:1b0d80432c79 | 9421 | } |
wolfSSL | 4:1b0d80432c79 | 9422 | |
wolfSSL | 4:1b0d80432c79 | 9423 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 4:1b0d80432c79 | 9424 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 4:1b0d80432c79 | 9425 | * the tag and length. */ |
wolfSSL | 4:1b0d80432c79 | 9426 | dummy = *idx; |
wolfSSL | 4:1b0d80432c79 | 9427 | if (GetSequence(source, idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9428 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9429 | |
wolfSSL | 4:1b0d80432c79 | 9430 | #ifdef NO_SHA |
wolfSSL | 4:1b0d80432c79 | 9431 | ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 4:1b0d80432c79 | 9432 | #else |
wolfSSL | 4:1b0d80432c79 | 9433 | ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 4:1b0d80432c79 | 9434 | #endif |
wolfSSL | 4:1b0d80432c79 | 9435 | |
wolfSSL | 4:1b0d80432c79 | 9436 | *idx += length; |
wolfSSL | 4:1b0d80432c79 | 9437 | |
wolfSSL | 4:1b0d80432c79 | 9438 | return ret; |
wolfSSL | 4:1b0d80432c79 | 9439 | } |
wolfSSL | 4:1b0d80432c79 | 9440 | |
wolfSSL | 4:1b0d80432c79 | 9441 | |
wolfSSL | 4:1b0d80432c79 | 9442 | #ifdef HAVE_CRL |
wolfSSL | 4:1b0d80432c79 | 9443 | |
wolfSSL | 4:1b0d80432c79 | 9444 | /* initialize decoded CRL */ |
wolfSSL | 4:1b0d80432c79 | 9445 | void InitDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 4:1b0d80432c79 | 9446 | { |
wolfSSL | 4:1b0d80432c79 | 9447 | WOLFSSL_MSG("InitDecodedCRL"); |
wolfSSL | 4:1b0d80432c79 | 9448 | |
wolfSSL | 4:1b0d80432c79 | 9449 | dcrl->certBegin = 0; |
wolfSSL | 4:1b0d80432c79 | 9450 | dcrl->sigIndex = 0; |
wolfSSL | 4:1b0d80432c79 | 9451 | dcrl->sigLength = 0; |
wolfSSL | 4:1b0d80432c79 | 9452 | dcrl->signatureOID = 0; |
wolfSSL | 4:1b0d80432c79 | 9453 | dcrl->certs = NULL; |
wolfSSL | 4:1b0d80432c79 | 9454 | dcrl->totalCerts = 0; |
wolfSSL | 4:1b0d80432c79 | 9455 | } |
wolfSSL | 4:1b0d80432c79 | 9456 | |
wolfSSL | 4:1b0d80432c79 | 9457 | |
wolfSSL | 4:1b0d80432c79 | 9458 | /* free decoded CRL resources */ |
wolfSSL | 4:1b0d80432c79 | 9459 | void FreeDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 4:1b0d80432c79 | 9460 | { |
wolfSSL | 4:1b0d80432c79 | 9461 | RevokedCert* tmp = dcrl->certs; |
wolfSSL | 4:1b0d80432c79 | 9462 | |
wolfSSL | 4:1b0d80432c79 | 9463 | WOLFSSL_MSG("FreeDecodedCRL"); |
wolfSSL | 4:1b0d80432c79 | 9464 | |
wolfSSL | 4:1b0d80432c79 | 9465 | while(tmp) { |
wolfSSL | 4:1b0d80432c79 | 9466 | RevokedCert* next = tmp->next; |
wolfSSL | 4:1b0d80432c79 | 9467 | XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 4:1b0d80432c79 | 9468 | tmp = next; |
wolfSSL | 4:1b0d80432c79 | 9469 | } |
wolfSSL | 4:1b0d80432c79 | 9470 | } |
wolfSSL | 4:1b0d80432c79 | 9471 | |
wolfSSL | 4:1b0d80432c79 | 9472 | |
wolfSSL | 4:1b0d80432c79 | 9473 | /* Get Revoked Cert list, 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 9474 | static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 4:1b0d80432c79 | 9475 | int maxIdx) |
wolfSSL | 4:1b0d80432c79 | 9476 | { |
wolfSSL | 4:1b0d80432c79 | 9477 | int len; |
wolfSSL | 4:1b0d80432c79 | 9478 | word32 end; |
wolfSSL | 4:1b0d80432c79 | 9479 | byte b; |
wolfSSL | 4:1b0d80432c79 | 9480 | RevokedCert* rc; |
wolfSSL | 4:1b0d80432c79 | 9481 | |
wolfSSL | 4:1b0d80432c79 | 9482 | WOLFSSL_ENTER("GetRevoked"); |
wolfSSL | 4:1b0d80432c79 | 9483 | |
wolfSSL | 4:1b0d80432c79 | 9484 | if (GetSequence(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9485 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9486 | |
wolfSSL | 4:1b0d80432c79 | 9487 | end = *idx + len; |
wolfSSL | 4:1b0d80432c79 | 9488 | |
wolfSSL | 4:1b0d80432c79 | 9489 | /* get serial number */ |
wolfSSL | 4:1b0d80432c79 | 9490 | b = buff[*idx]; |
wolfSSL | 4:1b0d80432c79 | 9491 | *idx += 1; |
wolfSSL | 4:1b0d80432c79 | 9492 | |
wolfSSL | 4:1b0d80432c79 | 9493 | if (b != ASN_INTEGER) { |
wolfSSL | 4:1b0d80432c79 | 9494 | WOLFSSL_MSG("Expecting Integer"); |
wolfSSL | 4:1b0d80432c79 | 9495 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9496 | } |
wolfSSL | 4:1b0d80432c79 | 9497 | |
wolfSSL | 4:1b0d80432c79 | 9498 | if (GetLength(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9499 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9500 | |
wolfSSL | 4:1b0d80432c79 | 9501 | if (len > EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 4:1b0d80432c79 | 9502 | WOLFSSL_MSG("Serial Size too big"); |
wolfSSL | 4:1b0d80432c79 | 9503 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9504 | } |
wolfSSL | 4:1b0d80432c79 | 9505 | |
wolfSSL | 4:1b0d80432c79 | 9506 | rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL); |
wolfSSL | 4:1b0d80432c79 | 9507 | if (rc == NULL) { |
wolfSSL | 4:1b0d80432c79 | 9508 | WOLFSSL_MSG("Alloc Revoked Cert failed"); |
wolfSSL | 4:1b0d80432c79 | 9509 | return MEMORY_E; |
wolfSSL | 4:1b0d80432c79 | 9510 | } |
wolfSSL | 4:1b0d80432c79 | 9511 | |
wolfSSL | 4:1b0d80432c79 | 9512 | XMEMCPY(rc->serialNumber, &buff[*idx], len); |
wolfSSL | 4:1b0d80432c79 | 9513 | rc->serialSz = len; |
wolfSSL | 4:1b0d80432c79 | 9514 | |
wolfSSL | 4:1b0d80432c79 | 9515 | /* add to list */ |
wolfSSL | 4:1b0d80432c79 | 9516 | rc->next = dcrl->certs; |
wolfSSL | 4:1b0d80432c79 | 9517 | dcrl->certs = rc; |
wolfSSL | 4:1b0d80432c79 | 9518 | dcrl->totalCerts++; |
wolfSSL | 4:1b0d80432c79 | 9519 | |
wolfSSL | 4:1b0d80432c79 | 9520 | *idx += len; |
wolfSSL | 4:1b0d80432c79 | 9521 | |
wolfSSL | 4:1b0d80432c79 | 9522 | /* get date */ |
wolfSSL | 4:1b0d80432c79 | 9523 | b = buff[*idx]; |
wolfSSL | 4:1b0d80432c79 | 9524 | *idx += 1; |
wolfSSL | 4:1b0d80432c79 | 9525 | |
wolfSSL | 4:1b0d80432c79 | 9526 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) { |
wolfSSL | 4:1b0d80432c79 | 9527 | WOLFSSL_MSG("Expecting Date"); |
wolfSSL | 4:1b0d80432c79 | 9528 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9529 | } |
wolfSSL | 4:1b0d80432c79 | 9530 | |
wolfSSL | 4:1b0d80432c79 | 9531 | if (GetLength(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9532 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9533 | |
wolfSSL | 4:1b0d80432c79 | 9534 | /* skip for now */ |
wolfSSL | 4:1b0d80432c79 | 9535 | *idx += len; |
wolfSSL | 4:1b0d80432c79 | 9536 | |
wolfSSL | 4:1b0d80432c79 | 9537 | if (*idx != end) /* skip extensions */ |
wolfSSL | 4:1b0d80432c79 | 9538 | *idx = end; |
wolfSSL | 4:1b0d80432c79 | 9539 | |
wolfSSL | 4:1b0d80432c79 | 9540 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9541 | } |
wolfSSL | 4:1b0d80432c79 | 9542 | |
wolfSSL | 4:1b0d80432c79 | 9543 | |
wolfSSL | 4:1b0d80432c79 | 9544 | /* Get CRL Signature, 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 9545 | static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 4:1b0d80432c79 | 9546 | int maxIdx) |
wolfSSL | 4:1b0d80432c79 | 9547 | { |
wolfSSL | 4:1b0d80432c79 | 9548 | int length; |
wolfSSL | 4:1b0d80432c79 | 9549 | byte b; |
wolfSSL | 4:1b0d80432c79 | 9550 | |
wolfSSL | 4:1b0d80432c79 | 9551 | WOLFSSL_ENTER("GetCRL_Signature"); |
wolfSSL | 4:1b0d80432c79 | 9552 | |
wolfSSL | 4:1b0d80432c79 | 9553 | b = source[*idx]; |
wolfSSL | 4:1b0d80432c79 | 9554 | *idx += 1; |
wolfSSL | 4:1b0d80432c79 | 9555 | if (b != ASN_BIT_STRING) |
wolfSSL | 4:1b0d80432c79 | 9556 | return ASN_BITSTR_E; |
wolfSSL | 4:1b0d80432c79 | 9557 | |
wolfSSL | 4:1b0d80432c79 | 9558 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 4:1b0d80432c79 | 9559 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9560 | |
wolfSSL | 4:1b0d80432c79 | 9561 | dcrl->sigLength = length; |
wolfSSL | 4:1b0d80432c79 | 9562 | |
wolfSSL | 4:1b0d80432c79 | 9563 | b = source[*idx]; |
wolfSSL | 4:1b0d80432c79 | 9564 | *idx += 1; |
wolfSSL | 4:1b0d80432c79 | 9565 | if (b != 0x00) |
wolfSSL | 4:1b0d80432c79 | 9566 | return ASN_EXPECT_0_E; |
wolfSSL | 4:1b0d80432c79 | 9567 | |
wolfSSL | 4:1b0d80432c79 | 9568 | dcrl->sigLength--; |
wolfSSL | 4:1b0d80432c79 | 9569 | dcrl->signature = (byte*)&source[*idx]; |
wolfSSL | 4:1b0d80432c79 | 9570 | |
wolfSSL | 4:1b0d80432c79 | 9571 | *idx += dcrl->sigLength; |
wolfSSL | 4:1b0d80432c79 | 9572 | |
wolfSSL | 4:1b0d80432c79 | 9573 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9574 | } |
wolfSSL | 4:1b0d80432c79 | 9575 | |
wolfSSL | 4:1b0d80432c79 | 9576 | |
wolfSSL | 4:1b0d80432c79 | 9577 | /* prase crl buffer into decoded state, 0 on success */ |
wolfSSL | 4:1b0d80432c79 | 9578 | int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) |
wolfSSL | 4:1b0d80432c79 | 9579 | { |
wolfSSL | 4:1b0d80432c79 | 9580 | int version, len, doNextDate = 1; |
wolfSSL | 4:1b0d80432c79 | 9581 | word32 oid, idx = 0, dateIdx; |
wolfSSL | 4:1b0d80432c79 | 9582 | Signer* ca = NULL; |
wolfSSL | 4:1b0d80432c79 | 9583 | |
wolfSSL | 4:1b0d80432c79 | 9584 | WOLFSSL_MSG("ParseCRL"); |
wolfSSL | 4:1b0d80432c79 | 9585 | |
wolfSSL | 4:1b0d80432c79 | 9586 | /* raw crl hash */ |
wolfSSL | 4:1b0d80432c79 | 9587 | /* hash here if needed for optimized comparisons |
wolfSSL | 4:1b0d80432c79 | 9588 | * Sha sha; |
wolfSSL | 4:1b0d80432c79 | 9589 | * wc_InitSha(&sha); |
wolfSSL | 4:1b0d80432c79 | 9590 | * wc_ShaUpdate(&sha, buff, sz); |
wolfSSL | 4:1b0d80432c79 | 9591 | * wc_ShaFinal(&sha, dcrl->crlHash); */ |
wolfSSL | 4:1b0d80432c79 | 9592 | |
wolfSSL | 4:1b0d80432c79 | 9593 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9594 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9595 | |
wolfSSL | 4:1b0d80432c79 | 9596 | dcrl->certBegin = idx; |
wolfSSL | 4:1b0d80432c79 | 9597 | |
wolfSSL | 4:1b0d80432c79 | 9598 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9599 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9600 | dcrl->sigIndex = len + idx; |
wolfSSL | 4:1b0d80432c79 | 9601 | |
wolfSSL | 4:1b0d80432c79 | 9602 | /* may have version */ |
wolfSSL | 4:1b0d80432c79 | 9603 | if (buff[idx] == ASN_INTEGER) { |
wolfSSL | 4:1b0d80432c79 | 9604 | if (GetMyVersion(buff, &idx, &version) < 0) |
wolfSSL | 4:1b0d80432c79 | 9605 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9606 | } |
wolfSSL | 4:1b0d80432c79 | 9607 | |
wolfSSL | 4:1b0d80432c79 | 9608 | if (GetAlgoId(buff, &idx, &oid, ignoreType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9609 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9610 | |
wolfSSL | 4:1b0d80432c79 | 9611 | if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9612 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9613 | |
wolfSSL | 4:1b0d80432c79 | 9614 | if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9615 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9616 | |
wolfSSL | 4:1b0d80432c79 | 9617 | dateIdx = idx; |
wolfSSL | 4:1b0d80432c79 | 9618 | |
wolfSSL | 4:1b0d80432c79 | 9619 | if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9620 | { |
wolfSSL | 4:1b0d80432c79 | 9621 | #ifndef WOLFSSL_NO_CRL_NEXT_DATE |
wolfSSL | 4:1b0d80432c79 | 9622 | (void)dateIdx; |
wolfSSL | 4:1b0d80432c79 | 9623 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9624 | #else |
wolfSSL | 4:1b0d80432c79 | 9625 | dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */ |
wolfSSL | 4:1b0d80432c79 | 9626 | doNextDate = 0; |
wolfSSL | 4:1b0d80432c79 | 9627 | idx = dateIdx; |
wolfSSL | 4:1b0d80432c79 | 9628 | #endif |
wolfSSL | 4:1b0d80432c79 | 9629 | } |
wolfSSL | 4:1b0d80432c79 | 9630 | |
wolfSSL | 4:1b0d80432c79 | 9631 | if (doNextDate && !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, |
wolfSSL | 4:1b0d80432c79 | 9632 | AFTER)) { |
wolfSSL | 4:1b0d80432c79 | 9633 | WOLFSSL_MSG("CRL after date is no longer valid"); |
wolfSSL | 4:1b0d80432c79 | 9634 | return ASN_AFTER_DATE_E; |
wolfSSL | 4:1b0d80432c79 | 9635 | } |
wolfSSL | 4:1b0d80432c79 | 9636 | |
wolfSSL | 4:1b0d80432c79 | 9637 | if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { |
wolfSSL | 4:1b0d80432c79 | 9638 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9639 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9640 | |
wolfSSL | 4:1b0d80432c79 | 9641 | len += idx; |
wolfSSL | 4:1b0d80432c79 | 9642 | |
wolfSSL | 4:1b0d80432c79 | 9643 | while (idx < (word32)len) { |
wolfSSL | 4:1b0d80432c79 | 9644 | if (GetRevoked(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9645 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9646 | } |
wolfSSL | 4:1b0d80432c79 | 9647 | } |
wolfSSL | 4:1b0d80432c79 | 9648 | |
wolfSSL | 4:1b0d80432c79 | 9649 | if (idx != dcrl->sigIndex) |
wolfSSL | 4:1b0d80432c79 | 9650 | idx = dcrl->sigIndex; /* skip extensions */ |
wolfSSL | 4:1b0d80432c79 | 9651 | |
wolfSSL | 4:1b0d80432c79 | 9652 | if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sigType, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9653 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9654 | |
wolfSSL | 4:1b0d80432c79 | 9655 | if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 4:1b0d80432c79 | 9656 | return ASN_PARSE_E; |
wolfSSL | 4:1b0d80432c79 | 9657 | |
wolfSSL | 4:1b0d80432c79 | 9658 | /* openssl doesn't add skid by default for CRLs cause firefox chokes |
wolfSSL | 4:1b0d80432c79 | 9659 | we're not assuming it's available yet */ |
wolfSSL | 4:1b0d80432c79 | 9660 | #if !defined(NO_SKID) && defined(CRL_SKID_READY) |
wolfSSL | 4:1b0d80432c79 | 9661 | if (dcrl->extAuthKeyIdSet) |
wolfSSL | 4:1b0d80432c79 | 9662 | ca = GetCA(cm, dcrl->extAuthKeyId); |
wolfSSL | 4:1b0d80432c79 | 9663 | if (ca == NULL) |
wolfSSL | 4:1b0d80432c79 | 9664 | ca = GetCAByName(cm, dcrl->issuerHash); |
wolfSSL | 4:1b0d80432c79 | 9665 | #else /* NO_SKID */ |
wolfSSL | 4:1b0d80432c79 | 9666 | ca = GetCA(cm, dcrl->issuerHash); |
wolfSSL | 4:1b0d80432c79 | 9667 | #endif /* NO_SKID */ |
wolfSSL | 4:1b0d80432c79 | 9668 | WOLFSSL_MSG("About to verify CRL signature"); |
wolfSSL | 4:1b0d80432c79 | 9669 | |
wolfSSL | 4:1b0d80432c79 | 9670 | if (ca) { |
wolfSSL | 4:1b0d80432c79 | 9671 | WOLFSSL_MSG("Found CRL issuer CA"); |
wolfSSL | 4:1b0d80432c79 | 9672 | /* try to confirm/verify signature */ |
wolfSSL | 4:1b0d80432c79 | 9673 | #ifndef IGNORE_KEY_EXTENSIONS |
wolfSSL | 4:1b0d80432c79 | 9674 | if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) { |
wolfSSL | 4:1b0d80432c79 | 9675 | WOLFSSL_MSG("CA cannot sign CRLs"); |
wolfSSL | 4:1b0d80432c79 | 9676 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 4:1b0d80432c79 | 9677 | } |
wolfSSL | 4:1b0d80432c79 | 9678 | #endif /* IGNORE_KEY_EXTENSIONS */ |
wolfSSL | 4:1b0d80432c79 | 9679 | if (!ConfirmSignature(buff + dcrl->certBegin, |
wolfSSL | 4:1b0d80432c79 | 9680 | dcrl->sigIndex - dcrl->certBegin, |
wolfSSL | 4:1b0d80432c79 | 9681 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 4:1b0d80432c79 | 9682 | dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) { |
wolfSSL | 4:1b0d80432c79 | 9683 | WOLFSSL_MSG("CRL Confirm signature failed"); |
wolfSSL | 4:1b0d80432c79 | 9684 | return ASN_CRL_CONFIRM_E; |
wolfSSL | 4:1b0d80432c79 | 9685 | } |
wolfSSL | 4:1b0d80432c79 | 9686 | } |
wolfSSL | 4:1b0d80432c79 | 9687 | else { |
wolfSSL | 4:1b0d80432c79 | 9688 | WOLFSSL_MSG("Did NOT find CRL issuer CA"); |
wolfSSL | 4:1b0d80432c79 | 9689 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 4:1b0d80432c79 | 9690 | } |
wolfSSL | 4:1b0d80432c79 | 9691 | |
wolfSSL | 4:1b0d80432c79 | 9692 | return 0; |
wolfSSL | 4:1b0d80432c79 | 9693 | } |
wolfSSL | 4:1b0d80432c79 | 9694 | |
wolfSSL | 4:1b0d80432c79 | 9695 | #endif /* HAVE_CRL */ |
wolfSSL | 4:1b0d80432c79 | 9696 | #endif /* !NO_ASN */ |
wolfSSL | 4:1b0d80432c79 | 9697 | |
wolfSSL | 4:1b0d80432c79 | 9698 | #ifdef WOLFSSL_SEP |
wolfSSL | 4:1b0d80432c79 | 9699 | |
wolfSSL | 4:1b0d80432c79 | 9700 | |
wolfSSL | 4:1b0d80432c79 | 9701 | |
wolfSSL | 4:1b0d80432c79 | 9702 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 4:1b0d80432c79 | 9703 |