wolf SSL / wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents:   CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/asn.c@4:1b0d80432c79, 2016-04-28 (annotated)

Committer:
wolfSSL
Date:
Thu Apr 28 00:57:21 2016 +0000
Revision:
4:1b0d80432c79
wolfSSL 3.9.0

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 4:1b0d80432c79 1 /* asn.c
wolfSSL 4:1b0d80432c79 2 *
wolfSSL 4:1b0d80432c79 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 4:1b0d80432c79 4 *
wolfSSL 4:1b0d80432c79 5 * This file is part of wolfSSL.
wolfSSL 4:1b0d80432c79 6 *
wolfSSL 4:1b0d80432c79 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 4:1b0d80432c79 8 * it under the terms of the GNU General Public License as published by
wolfSSL 4:1b0d80432c79 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 4:1b0d80432c79 10 * (at your option) any later version.
wolfSSL 4:1b0d80432c79 11 *
wolfSSL 4:1b0d80432c79 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 4:1b0d80432c79 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 4:1b0d80432c79 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 4:1b0d80432c79 15 * GNU General Public License for more details.
wolfSSL 4:1b0d80432c79 16 *
wolfSSL 4:1b0d80432c79 17 * You should have received a copy of the GNU General Public License
wolfSSL 4:1b0d80432c79 18 * along with this program; if not, write to the Free Software
wolfSSL 4:1b0d80432c79 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 4:1b0d80432c79 20 */
wolfSSL 4:1b0d80432c79 21
wolfSSL 4:1b0d80432c79 22
wolfSSL 4:1b0d80432c79 23 #ifdef HAVE_CONFIG_H
wolfSSL 4:1b0d80432c79 24 #include <config.h>
wolfSSL 4:1b0d80432c79 25 #endif
wolfSSL 4:1b0d80432c79 26
wolfSSL 4:1b0d80432c79 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 4:1b0d80432c79 28
wolfSSL 4:1b0d80432c79 29 /*
wolfSSL 4:1b0d80432c79 30 ASN Options:
wolfSSL 4:1b0d80432c79 31 * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
wolfSSL 4:1b0d80432c79 32 or wishing to save space.
wolfSSL 4:1b0d80432c79 33 * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
wolfSSL 4:1b0d80432c79 34 */
wolfSSL 4:1b0d80432c79 35
wolfSSL 4:1b0d80432c79 36 #ifndef NO_ASN
wolfSSL 4:1b0d80432c79 37
wolfSSL 4:1b0d80432c79 38 #ifdef HAVE_RTP_SYS
wolfSSL 4:1b0d80432c79 39 #include "os.h" /* dc_rtc_api needs */
wolfSSL 4:1b0d80432c79 40 #include "dc_rtc_api.h" /* to get current time */
wolfSSL 4:1b0d80432c79 41 #endif
wolfSSL 4:1b0d80432c79 42
wolfSSL 4:1b0d80432c79 43 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 4:1b0d80432c79 44 #include <wolfssl/wolfcrypt/coding.h>
wolfSSL 4:1b0d80432c79 45 #include <wolfssl/wolfcrypt/md2.h>
wolfSSL 4:1b0d80432c79 46 #include <wolfssl/wolfcrypt/hmac.h>
wolfSSL 4:1b0d80432c79 47 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 4:1b0d80432c79 48 #include <wolfssl/wolfcrypt/pwdbased.h>
wolfSSL 4:1b0d80432c79 49 #include <wolfssl/wolfcrypt/des3.h>
wolfSSL 4:1b0d80432c79 50 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 4:1b0d80432c79 51
wolfSSL 4:1b0d80432c79 52 #include <wolfssl/wolfcrypt/random.h>
wolfSSL 4:1b0d80432c79 53 #include <wolfssl/wolfcrypt/hash.h>
wolfSSL 4:1b0d80432c79 54 #ifdef NO_INLINE
wolfSSL 4:1b0d80432c79 55 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 4:1b0d80432c79 56 #else
wolfSSL 4:1b0d80432c79 57 #include <wolfcrypt/src/misc.c>
wolfSSL 4:1b0d80432c79 58 #endif
wolfSSL 4:1b0d80432c79 59
wolfSSL 4:1b0d80432c79 60 #ifndef NO_RC4
wolfSSL 4:1b0d80432c79 61 #include <wolfssl/wolfcrypt/arc4.h>
wolfSSL 4:1b0d80432c79 62 #endif
wolfSSL 4:1b0d80432c79 63
wolfSSL 4:1b0d80432c79 64 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 65 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 4:1b0d80432c79 66 #endif
wolfSSL 4:1b0d80432c79 67
wolfSSL 4:1b0d80432c79 68 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
wolfSSL 4:1b0d80432c79 69 #include <wolfssl/wolfcrypt/sha512.h>
wolfSSL 4:1b0d80432c79 70 #endif
wolfSSL 4:1b0d80432c79 71
wolfSSL 4:1b0d80432c79 72 #ifndef NO_SHA256
wolfSSL 4:1b0d80432c79 73 #include <wolfssl/wolfcrypt/sha256.h>
wolfSSL 4:1b0d80432c79 74 #endif
wolfSSL 4:1b0d80432c79 75
wolfSSL 4:1b0d80432c79 76 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 77 #include <wolfssl/wolfcrypt/ecc.h>
wolfSSL 4:1b0d80432c79 78 #endif
wolfSSL 4:1b0d80432c79 79
wolfSSL 4:1b0d80432c79 80 #ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL 4:1b0d80432c79 81 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 4:1b0d80432c79 82 #if MQX_USE_IO_OLD
wolfSSL 4:1b0d80432c79 83 #include <fio.h>
wolfSSL 4:1b0d80432c79 84 #else
wolfSSL 4:1b0d80432c79 85 #include <nio.h>
wolfSSL 4:1b0d80432c79 86 #endif
wolfSSL 4:1b0d80432c79 87 #else
wolfSSL 4:1b0d80432c79 88 #include <stdio.h>
wolfSSL 4:1b0d80432c79 89 #endif
wolfSSL 4:1b0d80432c79 90 #endif
wolfSSL 4:1b0d80432c79 91
wolfSSL 4:1b0d80432c79 92 #ifdef _MSC_VER
wolfSSL 4:1b0d80432c79 93 /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
wolfSSL 4:1b0d80432c79 94 #pragma warning(disable: 4996)
wolfSSL 4:1b0d80432c79 95 #endif
wolfSSL 4:1b0d80432c79 96
wolfSSL 4:1b0d80432c79 97
wolfSSL 4:1b0d80432c79 98 #ifndef TRUE
wolfSSL 4:1b0d80432c79 99 #define TRUE 1
wolfSSL 4:1b0d80432c79 100 #endif
wolfSSL 4:1b0d80432c79 101 #ifndef FALSE
wolfSSL 4:1b0d80432c79 102 #define FALSE 0
wolfSSL 4:1b0d80432c79 103 #endif
wolfSSL 4:1b0d80432c79 104
wolfSSL 4:1b0d80432c79 105 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 106 #if defined(HAVE_RTP_SYS)
wolfSSL 4:1b0d80432c79 107 /* uses parital <time.h> structures */
wolfSSL 4:1b0d80432c79 108 #define XTIME(tl) (0)
wolfSSL 4:1b0d80432c79 109 #define XGMTIME(c, t) rtpsys_gmtime((c))
wolfSSL 4:1b0d80432c79 110
wolfSSL 4:1b0d80432c79 111 #elif defined(MICRIUM)
wolfSSL 4:1b0d80432c79 112 #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
wolfSSL 4:1b0d80432c79 113 #define XVALIDATE_DATE(d, f, t) NetSecure_ValidateDateHandler((d), (f), (t))
wolfSSL 4:1b0d80432c79 114 #else
wolfSSL 4:1b0d80432c79 115 #define XVALIDATE_DATE(d, f, t) (0)
wolfSSL 4:1b0d80432c79 116 #endif
wolfSSL 4:1b0d80432c79 117 #define NO_TIME_H
wolfSSL 4:1b0d80432c79 118 /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
wolfSSL 4:1b0d80432c79 119
wolfSSL 4:1b0d80432c79 120 #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 4:1b0d80432c79 121 #include <time.h>
wolfSSL 4:1b0d80432c79 122 #define XTIME(t1) pic32_time((t1))
wolfSSL 4:1b0d80432c79 123 #define XGMTIME(c, t) gmtime((c))
wolfSSL 4:1b0d80432c79 124
wolfSSL 4:1b0d80432c79 125 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 4:1b0d80432c79 126 #define XTIME(t1) mqx_time((t1))
wolfSSL 4:1b0d80432c79 127 #define HAVE_GMTIME_R
wolfSSL 4:1b0d80432c79 128
wolfSSL 4:1b0d80432c79 129 #elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
wolfSSL 4:1b0d80432c79 130 #include <time.h>
wolfSSL 4:1b0d80432c79 131 #define XTIME(t1) ksdk_time((t1))
wolfSSL 4:1b0d80432c79 132 #define XGMTIME(c, t) gmtime((c))
wolfSSL 4:1b0d80432c79 133
wolfSSL 4:1b0d80432c79 134 #elif defined(USER_TIME)
wolfSSL 4:1b0d80432c79 135 /* user time, and gmtime compatible functions, there is a gmtime
wolfSSL 4:1b0d80432c79 136 implementation here that WINCE uses, so really just need some ticks
wolfSSL 4:1b0d80432c79 137 since the EPOCH
wolfSSL 4:1b0d80432c79 138 */
wolfSSL 4:1b0d80432c79 139 #define WOLFSSL_GMTIME
wolfSSL 4:1b0d80432c79 140 #define USE_WOLF_TM
wolfSSL 4:1b0d80432c79 141 #define USE_WOLF_TIME_T
wolfSSL 4:1b0d80432c79 142
wolfSSL 4:1b0d80432c79 143 #elif defined(TIME_OVERRIDES)
wolfSSL 4:1b0d80432c79 144 /* user would like to override time() and gmtime() functionality */
wolfSSL 4:1b0d80432c79 145 #ifndef HAVE_TIME_T_TYPE
wolfSSL 4:1b0d80432c79 146 #define USE_WOLF_TIME_T
wolfSSL 4:1b0d80432c79 147 #endif
wolfSSL 4:1b0d80432c79 148 #ifndef HAVE_TM_TYPE
wolfSSL 4:1b0d80432c79 149 #define USE_WOLF_TM
wolfSSL 4:1b0d80432c79 150 #endif
wolfSSL 4:1b0d80432c79 151 #define NEED_TMP_TIME
wolfSSL 4:1b0d80432c79 152
wolfSSL 4:1b0d80432c79 153 #elif defined(IDIRECT_DEV_TIME)
wolfSSL 4:1b0d80432c79 154 /*Gets the timestamp from cloak software owned by VT iDirect
wolfSSL 4:1b0d80432c79 155 in place of time() from <time.h> */
wolfSSL 4:1b0d80432c79 156 #include <time.h>
wolfSSL 4:1b0d80432c79 157 #define XTIME(t1) idirect_time((t1))
wolfSSL 4:1b0d80432c79 158 #define XGMTIME(c, t) gmtime((c))
wolfSSL 4:1b0d80432c79 159
wolfSSL 4:1b0d80432c79 160 #elif defined(_WIN32_WCE)
wolfSSL 4:1b0d80432c79 161 #include <windows.h>
wolfSSL 4:1b0d80432c79 162 #define XTIME(t1) windows_time((t1))
wolfSSL 4:1b0d80432c79 163 #define WOLFSSL_GMTIME
wolfSSL 4:1b0d80432c79 164
wolfSSL 4:1b0d80432c79 165 #else
wolfSSL 4:1b0d80432c79 166 /* default */
wolfSSL 4:1b0d80432c79 167 /* uses complete <time.h> facility */
wolfSSL 4:1b0d80432c79 168 #include <time.h>
wolfSSL 4:1b0d80432c79 169 #endif
wolfSSL 4:1b0d80432c79 170
wolfSSL 4:1b0d80432c79 171
wolfSSL 4:1b0d80432c79 172 /* Map default time functions */
wolfSSL 4:1b0d80432c79 173 #if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME)
wolfSSL 4:1b0d80432c79 174 #define XTIME(tl) time((tl))
wolfSSL 4:1b0d80432c79 175 #endif
wolfSSL 4:1b0d80432c79 176 #if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
wolfSSL 4:1b0d80432c79 177 #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R)
wolfSSL 4:1b0d80432c79 178 #define XGMTIME(c, t) gmtime((c))
wolfSSL 4:1b0d80432c79 179 #else
wolfSSL 4:1b0d80432c79 180 #define XGMTIME(c, t) gmtime_r((c), (t))
wolfSSL 4:1b0d80432c79 181 #define NEED_TMP_TIME
wolfSSL 4:1b0d80432c79 182 #endif
wolfSSL 4:1b0d80432c79 183 #endif
wolfSSL 4:1b0d80432c79 184 #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE)
wolfSSL 4:1b0d80432c79 185 #define USE_WOLF_VALIDDATE
wolfSSL 4:1b0d80432c79 186 #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL 4:1b0d80432c79 187 #endif
wolfSSL 4:1b0d80432c79 188
wolfSSL 4:1b0d80432c79 189 /* wolf struct tm and time_t */
wolfSSL 4:1b0d80432c79 190 #if defined(USE_WOLF_TM)
wolfSSL 4:1b0d80432c79 191 struct tm {
wolfSSL 4:1b0d80432c79 192 int tm_sec; /* seconds after the minute [0-60] */
wolfSSL 4:1b0d80432c79 193 int tm_min; /* minutes after the hour [0-59] */
wolfSSL 4:1b0d80432c79 194 int tm_hour; /* hours since midnight [0-23] */
wolfSSL 4:1b0d80432c79 195 int tm_mday; /* day of the month [1-31] */
wolfSSL 4:1b0d80432c79 196 int tm_mon; /* months since January [0-11] */
wolfSSL 4:1b0d80432c79 197 int tm_year; /* years since 1900 */
wolfSSL 4:1b0d80432c79 198 int tm_wday; /* days since Sunday [0-6] */
wolfSSL 4:1b0d80432c79 199 int tm_yday; /* days since January 1 [0-365] */
wolfSSL 4:1b0d80432c79 200 int tm_isdst; /* Daylight Savings Time flag */
wolfSSL 4:1b0d80432c79 201 long tm_gmtoff; /* offset from CUT in seconds */
wolfSSL 4:1b0d80432c79 202 char *tm_zone; /* timezone abbreviation */
wolfSSL 4:1b0d80432c79 203 };
wolfSSL 4:1b0d80432c79 204 #endif /* USE_WOLF_TM */
wolfSSL 4:1b0d80432c79 205 #if defined(USE_WOLF_TIME_T)
wolfSSL 4:1b0d80432c79 206 typedef long time_t;
wolfSSL 4:1b0d80432c79 207 #endif
wolfSSL 4:1b0d80432c79 208
wolfSSL 4:1b0d80432c79 209 /* forward declarations */
wolfSSL 4:1b0d80432c79 210 #if defined(USER_TIME)
wolfSSL 4:1b0d80432c79 211 struct tm* gmtime(const time_t* timer);
wolfSSL 4:1b0d80432c79 212 extern time_t XTIME(time_t * timer);
wolfSSL 4:1b0d80432c79 213
wolfSSL 4:1b0d80432c79 214 #ifdef STACK_TRAP
wolfSSL 4:1b0d80432c79 215 /* for stack trap tracking, don't call os gmtime on OS X/linux,
wolfSSL 4:1b0d80432c79 216 uses a lot of stack spce */
wolfSSL 4:1b0d80432c79 217 extern time_t time(time_t * timer);
wolfSSL 4:1b0d80432c79 218 #define XTIME(tl) time((tl))
wolfSSL 4:1b0d80432c79 219 #endif /* STACK_TRAP */
wolfSSL 4:1b0d80432c79 220
wolfSSL 4:1b0d80432c79 221 #elif defined(TIME_OVERRIDES)
wolfSSL 4:1b0d80432c79 222 extern time_t XTIME(time_t * timer);
wolfSSL 4:1b0d80432c79 223 extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp);
wolfSSL 4:1b0d80432c79 224 #endif
wolfSSL 4:1b0d80432c79 225
wolfSSL 4:1b0d80432c79 226
wolfSSL 4:1b0d80432c79 227 #if defined(_WIN32_WCE)
wolfSSL 4:1b0d80432c79 228 time_t windows_time(time_t* timer)
wolfSSL 4:1b0d80432c79 229 {
wolfSSL 4:1b0d80432c79 230 SYSTEMTIME sysTime;
wolfSSL 4:1b0d80432c79 231 FILETIME fTime;
wolfSSL 4:1b0d80432c79 232 ULARGE_INTEGER intTime;
wolfSSL 4:1b0d80432c79 233 time_t localTime;
wolfSSL 4:1b0d80432c79 234
wolfSSL 4:1b0d80432c79 235 if (timer == NULL)
wolfSSL 4:1b0d80432c79 236 timer = &localTime;
wolfSSL 4:1b0d80432c79 237
wolfSSL 4:1b0d80432c79 238 GetSystemTime(&sysTime);
wolfSSL 4:1b0d80432c79 239 SystemTimeToFileTime(&sysTime, &fTime);
wolfSSL 4:1b0d80432c79 240
wolfSSL 4:1b0d80432c79 241 XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
wolfSSL 4:1b0d80432c79 242 /* subtract EPOCH */
wolfSSL 4:1b0d80432c79 243 intTime.QuadPart -= 0x19db1ded53e8000;
wolfSSL 4:1b0d80432c79 244 /* to secs */
wolfSSL 4:1b0d80432c79 245 intTime.QuadPart /= 10000000;
wolfSSL 4:1b0d80432c79 246 *timer = (time_t)intTime.QuadPart;
wolfSSL 4:1b0d80432c79 247
wolfSSL 4:1b0d80432c79 248 return *timer;
wolfSSL 4:1b0d80432c79 249 }
wolfSSL 4:1b0d80432c79 250 #endif /* _WIN32_WCE */
wolfSSL 4:1b0d80432c79 251
wolfSSL 4:1b0d80432c79 252 #if defined(WOLFSSL_GMTIME)
wolfSSL 4:1b0d80432c79 253 struct tm* gmtime(const time_t* timer)
wolfSSL 4:1b0d80432c79 254 {
wolfSSL 4:1b0d80432c79 255 #define YEAR0 1900
wolfSSL 4:1b0d80432c79 256 #define EPOCH_YEAR 1970
wolfSSL 4:1b0d80432c79 257 #define SECS_DAY (24L * 60L * 60L)
wolfSSL 4:1b0d80432c79 258 #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400)))
wolfSSL 4:1b0d80432c79 259 #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
wolfSSL 4:1b0d80432c79 260
wolfSSL 4:1b0d80432c79 261 static const int _ytab[2][12] =
wolfSSL 4:1b0d80432c79 262 {
wolfSSL 4:1b0d80432c79 263 {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
wolfSSL 4:1b0d80432c79 264 {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
wolfSSL 4:1b0d80432c79 265 };
wolfSSL 4:1b0d80432c79 266
wolfSSL 4:1b0d80432c79 267 static struct tm st_time;
wolfSSL 4:1b0d80432c79 268 struct tm* ret = &st_time;
wolfSSL 4:1b0d80432c79 269 time_t secs = *timer;
wolfSSL 4:1b0d80432c79 270 unsigned long dayclock, dayno;
wolfSSL 4:1b0d80432c79 271 int year = EPOCH_YEAR;
wolfSSL 4:1b0d80432c79 272
wolfSSL 4:1b0d80432c79 273 dayclock = (unsigned long)secs % SECS_DAY;
wolfSSL 4:1b0d80432c79 274 dayno = (unsigned long)secs / SECS_DAY;
wolfSSL 4:1b0d80432c79 275
wolfSSL 4:1b0d80432c79 276 ret->tm_sec = (int) dayclock % 60;
wolfSSL 4:1b0d80432c79 277 ret->tm_min = (int)(dayclock % 3600) / 60;
wolfSSL 4:1b0d80432c79 278 ret->tm_hour = (int) dayclock / 3600;
wolfSSL 4:1b0d80432c79 279 ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */
wolfSSL 4:1b0d80432c79 280
wolfSSL 4:1b0d80432c79 281 while(dayno >= (unsigned long)YEARSIZE(year)) {
wolfSSL 4:1b0d80432c79 282 dayno -= YEARSIZE(year);
wolfSSL 4:1b0d80432c79 283 year++;
wolfSSL 4:1b0d80432c79 284 }
wolfSSL 4:1b0d80432c79 285
wolfSSL 4:1b0d80432c79 286 ret->tm_year = year - YEAR0;
wolfSSL 4:1b0d80432c79 287 ret->tm_yday = (int)dayno;
wolfSSL 4:1b0d80432c79 288 ret->tm_mon = 0;
wolfSSL 4:1b0d80432c79 289
wolfSSL 4:1b0d80432c79 290 while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
wolfSSL 4:1b0d80432c79 291 dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
wolfSSL 4:1b0d80432c79 292 ret->tm_mon++;
wolfSSL 4:1b0d80432c79 293 }
wolfSSL 4:1b0d80432c79 294
wolfSSL 4:1b0d80432c79 295 ret->tm_mday = (int)++dayno;
wolfSSL 4:1b0d80432c79 296 ret->tm_isdst = 0;
wolfSSL 4:1b0d80432c79 297
wolfSSL 4:1b0d80432c79 298 return ret;
wolfSSL 4:1b0d80432c79 299 }
wolfSSL 4:1b0d80432c79 300 #endif /* WOLFSSL_GMTIME */
wolfSSL 4:1b0d80432c79 301
wolfSSL 4:1b0d80432c79 302
wolfSSL 4:1b0d80432c79 303 #if defined(HAVE_RTP_SYS)
wolfSSL 4:1b0d80432c79 304 #define YEAR0 1900
wolfSSL 4:1b0d80432c79 305
wolfSSL 4:1b0d80432c79 306 struct tm* rtpsys_gmtime(const time_t* timer) /* has a gmtime() but hangs */
wolfSSL 4:1b0d80432c79 307 {
wolfSSL 4:1b0d80432c79 308 static struct tm st_time;
wolfSSL 4:1b0d80432c79 309 struct tm* ret = &st_time;
wolfSSL 4:1b0d80432c79 310
wolfSSL 4:1b0d80432c79 311 DC_RTC_CALENDAR cal;
wolfSSL 4:1b0d80432c79 312 dc_rtc_time_get(&cal, TRUE);
wolfSSL 4:1b0d80432c79 313
wolfSSL 4:1b0d80432c79 314 ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */
wolfSSL 4:1b0d80432c79 315 ret->tm_mon = cal.month - 1; /* gm starts at 0 */
wolfSSL 4:1b0d80432c79 316 ret->tm_mday = cal.day;
wolfSSL 4:1b0d80432c79 317 ret->tm_hour = cal.hour;
wolfSSL 4:1b0d80432c79 318 ret->tm_min = cal.minute;
wolfSSL 4:1b0d80432c79 319 ret->tm_sec = cal.second;
wolfSSL 4:1b0d80432c79 320
wolfSSL 4:1b0d80432c79 321 return ret;
wolfSSL 4:1b0d80432c79 322 }
wolfSSL 4:1b0d80432c79 323
wolfSSL 4:1b0d80432c79 324 #endif /* HAVE_RTP_SYS */
wolfSSL 4:1b0d80432c79 325
wolfSSL 4:1b0d80432c79 326
wolfSSL 4:1b0d80432c79 327 #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 4:1b0d80432c79 328
wolfSSL 4:1b0d80432c79 329 /*
wolfSSL 4:1b0d80432c79 330 * time() is just a stub in Microchip libraries. We need our own
wolfSSL 4:1b0d80432c79 331 * implementation. Use SNTP client to get seconds since epoch.
wolfSSL 4:1b0d80432c79 332 */
wolfSSL 4:1b0d80432c79 333 time_t pic32_time(time_t* timer)
wolfSSL 4:1b0d80432c79 334 {
wolfSSL 4:1b0d80432c79 335 #ifdef MICROCHIP_TCPIP_V5
wolfSSL 4:1b0d80432c79 336 DWORD sec = 0;
wolfSSL 4:1b0d80432c79 337 #else
wolfSSL 4:1b0d80432c79 338 uint32_t sec = 0;
wolfSSL 4:1b0d80432c79 339 #endif
wolfSSL 4:1b0d80432c79 340 time_t localTime;
wolfSSL 4:1b0d80432c79 341
wolfSSL 4:1b0d80432c79 342 if (timer == NULL)
wolfSSL 4:1b0d80432c79 343 timer = &localTime;
wolfSSL 4:1b0d80432c79 344
wolfSSL 4:1b0d80432c79 345 #ifdef MICROCHIP_MPLAB_HARMONY
wolfSSL 4:1b0d80432c79 346 sec = TCPIP_SNTP_UTCSecondsGet();
wolfSSL 4:1b0d80432c79 347 #else
wolfSSL 4:1b0d80432c79 348 sec = SNTPGetUTCSeconds();
wolfSSL 4:1b0d80432c79 349 #endif
wolfSSL 4:1b0d80432c79 350 *timer = (time_t) sec;
wolfSSL 4:1b0d80432c79 351
wolfSSL 4:1b0d80432c79 352 return *timer;
wolfSSL 4:1b0d80432c79 353 }
wolfSSL 4:1b0d80432c79 354
wolfSSL 4:1b0d80432c79 355 #endif /* MICROCHIP_TCPIP */
wolfSSL 4:1b0d80432c79 356
wolfSSL 4:1b0d80432c79 357
wolfSSL 4:1b0d80432c79 358 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 4:1b0d80432c79 359
wolfSSL 4:1b0d80432c79 360 time_t mqx_time(time_t* timer)
wolfSSL 4:1b0d80432c79 361 {
wolfSSL 4:1b0d80432c79 362 time_t localTime;
wolfSSL 4:1b0d80432c79 363 TIME_STRUCT time_s;
wolfSSL 4:1b0d80432c79 364
wolfSSL 4:1b0d80432c79 365 if (timer == NULL)
wolfSSL 4:1b0d80432c79 366 timer = &localTime;
wolfSSL 4:1b0d80432c79 367
wolfSSL 4:1b0d80432c79 368 _time_get(&time_s);
wolfSSL 4:1b0d80432c79 369 *timer = (time_t) time_s.SECONDS;
wolfSSL 4:1b0d80432c79 370
wolfSSL 4:1b0d80432c79 371 return *timer;
wolfSSL 4:1b0d80432c79 372 }
wolfSSL 4:1b0d80432c79 373
wolfSSL 4:1b0d80432c79 374 #endif /* FREESCALE_MQX */
wolfSSL 4:1b0d80432c79 375
wolfSSL 4:1b0d80432c79 376 #if defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
wolfSSL 4:1b0d80432c79 377
wolfSSL 4:1b0d80432c79 378 #include "fsl_pit_driver.h"
wolfSSL 4:1b0d80432c79 379
wolfSSL 4:1b0d80432c79 380 time_t ksdk_time(time_t* timer)
wolfSSL 4:1b0d80432c79 381 {
wolfSSL 4:1b0d80432c79 382 time_t localTime;
wolfSSL 4:1b0d80432c79 383
wolfSSL 4:1b0d80432c79 384 if (timer == NULL)
wolfSSL 4:1b0d80432c79 385 timer = &localTime;
wolfSSL 4:1b0d80432c79 386
wolfSSL 4:1b0d80432c79 387 *timer = (PIT_DRV_ReadTimerUs(PIT_INSTANCE, PIT_CHANNEL)) / 1000000;
wolfSSL 4:1b0d80432c79 388 return *timer;
wolfSSL 4:1b0d80432c79 389 }
wolfSSL 4:1b0d80432c79 390
wolfSSL 4:1b0d80432c79 391 #endif /* FREESCALE_KSDK_BM */
wolfSSL 4:1b0d80432c79 392
wolfSSL 4:1b0d80432c79 393 #if defined(WOLFSSL_TIRTOS)
wolfSSL 4:1b0d80432c79 394
wolfSSL 4:1b0d80432c79 395 time_t XTIME(time_t * timer)
wolfSSL 4:1b0d80432c79 396 {
wolfSSL 4:1b0d80432c79 397 time_t sec = 0;
wolfSSL 4:1b0d80432c79 398
wolfSSL 4:1b0d80432c79 399 sec = (time_t) Seconds_get();
wolfSSL 4:1b0d80432c79 400
wolfSSL 4:1b0d80432c79 401 if (timer != NULL)
wolfSSL 4:1b0d80432c79 402 *timer = sec;
wolfSSL 4:1b0d80432c79 403
wolfSSL 4:1b0d80432c79 404 return sec;
wolfSSL 4:1b0d80432c79 405 }
wolfSSL 4:1b0d80432c79 406
wolfSSL 4:1b0d80432c79 407 #endif /* WOLFSSL_TIRTOS */
wolfSSL 4:1b0d80432c79 408
wolfSSL 4:1b0d80432c79 409
wolfSSL 4:1b0d80432c79 410 static INLINE word32 btoi(byte b)
wolfSSL 4:1b0d80432c79 411 {
wolfSSL 4:1b0d80432c79 412 return b - 0x30;
wolfSSL 4:1b0d80432c79 413 }
wolfSSL 4:1b0d80432c79 414
wolfSSL 4:1b0d80432c79 415
wolfSSL 4:1b0d80432c79 416 /* two byte date/time, add to value */
wolfSSL 4:1b0d80432c79 417 static INLINE void GetTime(int* value, const byte* date, int* idx)
wolfSSL 4:1b0d80432c79 418 {
wolfSSL 4:1b0d80432c79 419 int i = *idx;
wolfSSL 4:1b0d80432c79 420
wolfSSL 4:1b0d80432c79 421 *value += btoi(date[i++]) * 10;
wolfSSL 4:1b0d80432c79 422 *value += btoi(date[i++]);
wolfSSL 4:1b0d80432c79 423
wolfSSL 4:1b0d80432c79 424 *idx = i;
wolfSSL 4:1b0d80432c79 425 }
wolfSSL 4:1b0d80432c79 426
wolfSSL 4:1b0d80432c79 427
wolfSSL 4:1b0d80432c79 428 #if defined(MICRIUM)
wolfSSL 4:1b0d80432c79 429
wolfSSL 4:1b0d80432c79 430 CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
wolfSSL 4:1b0d80432c79 431 CPU_INT08U dateType)
wolfSSL 4:1b0d80432c79 432 {
wolfSSL 4:1b0d80432c79 433 CPU_BOOLEAN rtn_code;
wolfSSL 4:1b0d80432c79 434 CPU_INT32S i;
wolfSSL 4:1b0d80432c79 435 CPU_INT32S val;
wolfSSL 4:1b0d80432c79 436 CPU_INT16U year;
wolfSSL 4:1b0d80432c79 437 CPU_INT08U month;
wolfSSL 4:1b0d80432c79 438 CPU_INT16U day;
wolfSSL 4:1b0d80432c79 439 CPU_INT08U hour;
wolfSSL 4:1b0d80432c79 440 CPU_INT08U min;
wolfSSL 4:1b0d80432c79 441 CPU_INT08U sec;
wolfSSL 4:1b0d80432c79 442
wolfSSL 4:1b0d80432c79 443 i = 0;
wolfSSL 4:1b0d80432c79 444 year = 0u;
wolfSSL 4:1b0d80432c79 445
wolfSSL 4:1b0d80432c79 446 if (format == ASN_UTC_TIME) {
wolfSSL 4:1b0d80432c79 447 if (btoi(date[0]) >= 5)
wolfSSL 4:1b0d80432c79 448 year = 1900;
wolfSSL 4:1b0d80432c79 449 else
wolfSSL 4:1b0d80432c79 450 year = 2000;
wolfSSL 4:1b0d80432c79 451 }
wolfSSL 4:1b0d80432c79 452 else { /* format == GENERALIZED_TIME */
wolfSSL 4:1b0d80432c79 453 year += btoi(date[i++]) * 1000;
wolfSSL 4:1b0d80432c79 454 year += btoi(date[i++]) * 100;
wolfSSL 4:1b0d80432c79 455 }
wolfSSL 4:1b0d80432c79 456
wolfSSL 4:1b0d80432c79 457 val = year;
wolfSSL 4:1b0d80432c79 458 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 459 year = (CPU_INT16U)val;
wolfSSL 4:1b0d80432c79 460
wolfSSL 4:1b0d80432c79 461 val = 0;
wolfSSL 4:1b0d80432c79 462 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 463 month = (CPU_INT08U)val;
wolfSSL 4:1b0d80432c79 464
wolfSSL 4:1b0d80432c79 465 val = 0;
wolfSSL 4:1b0d80432c79 466 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 467 day = (CPU_INT16U)val;
wolfSSL 4:1b0d80432c79 468
wolfSSL 4:1b0d80432c79 469 val = 0;
wolfSSL 4:1b0d80432c79 470 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 471 hour = (CPU_INT08U)val;
wolfSSL 4:1b0d80432c79 472
wolfSSL 4:1b0d80432c79 473 val = 0;
wolfSSL 4:1b0d80432c79 474 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 475 min = (CPU_INT08U)val;
wolfSSL 4:1b0d80432c79 476
wolfSSL 4:1b0d80432c79 477 val = 0;
wolfSSL 4:1b0d80432c79 478 GetTime(&val, date, &i);
wolfSSL 4:1b0d80432c79 479 sec = (CPU_INT08U)val;
wolfSSL 4:1b0d80432c79 480
wolfSSL 4:1b0d80432c79 481 return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType);
wolfSSL 4:1b0d80432c79 482 }
wolfSSL 4:1b0d80432c79 483
wolfSSL 4:1b0d80432c79 484 #endif /* MICRIUM */
wolfSSL 4:1b0d80432c79 485
wolfSSL 4:1b0d80432c79 486 #if defined(IDIRECT_DEV_TIME)
wolfSSL 4:1b0d80432c79 487
wolfSSL 4:1b0d80432c79 488 extern time_t getTimestamp();
wolfSSL 4:1b0d80432c79 489
wolfSSL 4:1b0d80432c79 490 time_t idirect_time(time_t * timer)
wolfSSL 4:1b0d80432c79 491 {
wolfSSL 4:1b0d80432c79 492 time_t sec = getTimestamp();
wolfSSL 4:1b0d80432c79 493
wolfSSL 4:1b0d80432c79 494 if (timer != NULL)
wolfSSL 4:1b0d80432c79 495 *timer = sec;
wolfSSL 4:1b0d80432c79 496
wolfSSL 4:1b0d80432c79 497 return sec;
wolfSSL 4:1b0d80432c79 498 }
wolfSSL 4:1b0d80432c79 499
wolfSSL 4:1b0d80432c79 500 #endif /* IDIRECT_DEV_TIME */
wolfSSL 4:1b0d80432c79 501
wolfSSL 4:1b0d80432c79 502 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 503
wolfSSL 4:1b0d80432c79 504 WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
wolfSSL 4:1b0d80432c79 505 word32 maxIdx)
wolfSSL 4:1b0d80432c79 506 {
wolfSSL 4:1b0d80432c79 507 int length = 0;
wolfSSL 4:1b0d80432c79 508 word32 i = *inOutIdx;
wolfSSL 4:1b0d80432c79 509 byte b;
wolfSSL 4:1b0d80432c79 510
wolfSSL 4:1b0d80432c79 511 *len = 0; /* default length */
wolfSSL 4:1b0d80432c79 512
wolfSSL 4:1b0d80432c79 513 if ( (i+1) > maxIdx) { /* for first read */
wolfSSL 4:1b0d80432c79 514 WOLFSSL_MSG("GetLength bad index on input");
wolfSSL 4:1b0d80432c79 515 return BUFFER_E;
wolfSSL 4:1b0d80432c79 516 }
wolfSSL 4:1b0d80432c79 517
wolfSSL 4:1b0d80432c79 518 b = input[i++];
wolfSSL 4:1b0d80432c79 519 if (b >= ASN_LONG_LENGTH) {
wolfSSL 4:1b0d80432c79 520 word32 bytes = b & 0x7F;
wolfSSL 4:1b0d80432c79 521
wolfSSL 4:1b0d80432c79 522 if ( (i+bytes) > maxIdx) { /* for reading bytes */
wolfSSL 4:1b0d80432c79 523 WOLFSSL_MSG("GetLength bad long length");
wolfSSL 4:1b0d80432c79 524 return BUFFER_E;
wolfSSL 4:1b0d80432c79 525 }
wolfSSL 4:1b0d80432c79 526
wolfSSL 4:1b0d80432c79 527 while (bytes--) {
wolfSSL 4:1b0d80432c79 528 b = input[i++];
wolfSSL 4:1b0d80432c79 529 length = (length << 8) | b;
wolfSSL 4:1b0d80432c79 530 }
wolfSSL 4:1b0d80432c79 531 }
wolfSSL 4:1b0d80432c79 532 else
wolfSSL 4:1b0d80432c79 533 length = b;
wolfSSL 4:1b0d80432c79 534
wolfSSL 4:1b0d80432c79 535 if ( (i+length) > maxIdx) { /* for user of length */
wolfSSL 4:1b0d80432c79 536 WOLFSSL_MSG("GetLength value exceeds buffer length");
wolfSSL 4:1b0d80432c79 537 return BUFFER_E;
wolfSSL 4:1b0d80432c79 538 }
wolfSSL 4:1b0d80432c79 539
wolfSSL 4:1b0d80432c79 540 *inOutIdx = i;
wolfSSL 4:1b0d80432c79 541 if (length > 0)
wolfSSL 4:1b0d80432c79 542 *len = length;
wolfSSL 4:1b0d80432c79 543
wolfSSL 4:1b0d80432c79 544 return length;
wolfSSL 4:1b0d80432c79 545 }
wolfSSL 4:1b0d80432c79 546
wolfSSL 4:1b0d80432c79 547
wolfSSL 4:1b0d80432c79 548 WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
wolfSSL 4:1b0d80432c79 549 word32 maxIdx)
wolfSSL 4:1b0d80432c79 550 {
wolfSSL 4:1b0d80432c79 551 int length = -1;
wolfSSL 4:1b0d80432c79 552 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 553
wolfSSL 4:1b0d80432c79 554 if (input[idx++] != (ASN_SEQUENCE | ASN_CONSTRUCTED) ||
wolfSSL 4:1b0d80432c79 555 GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 556 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 557
wolfSSL 4:1b0d80432c79 558 *len = length;
wolfSSL 4:1b0d80432c79 559 *inOutIdx = idx;
wolfSSL 4:1b0d80432c79 560
wolfSSL 4:1b0d80432c79 561 return length;
wolfSSL 4:1b0d80432c79 562 }
wolfSSL 4:1b0d80432c79 563
wolfSSL 4:1b0d80432c79 564
wolfSSL 4:1b0d80432c79 565 WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
wolfSSL 4:1b0d80432c79 566 word32 maxIdx)
wolfSSL 4:1b0d80432c79 567 {
wolfSSL 4:1b0d80432c79 568 int length = -1;
wolfSSL 4:1b0d80432c79 569 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 570
wolfSSL 4:1b0d80432c79 571 if (input[idx++] != (ASN_SET | ASN_CONSTRUCTED) ||
wolfSSL 4:1b0d80432c79 572 GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 573 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 574
wolfSSL 4:1b0d80432c79 575 *len = length;
wolfSSL 4:1b0d80432c79 576 *inOutIdx = idx;
wolfSSL 4:1b0d80432c79 577
wolfSSL 4:1b0d80432c79 578 return length;
wolfSSL 4:1b0d80432c79 579 }
wolfSSL 4:1b0d80432c79 580
wolfSSL 4:1b0d80432c79 581
wolfSSL 4:1b0d80432c79 582 /* Windows header clash for WinCE using GetVersion */
wolfSSL 4:1b0d80432c79 583 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
wolfSSL 4:1b0d80432c79 584 int* version)
wolfSSL 4:1b0d80432c79 585 {
wolfSSL 4:1b0d80432c79 586 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 587
wolfSSL 4:1b0d80432c79 588 WOLFSSL_ENTER("GetMyVersion");
wolfSSL 4:1b0d80432c79 589
wolfSSL 4:1b0d80432c79 590 if (input[idx++] != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 591 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 592
wolfSSL 4:1b0d80432c79 593 if (input[idx++] != 0x01)
wolfSSL 4:1b0d80432c79 594 return ASN_VERSION_E;
wolfSSL 4:1b0d80432c79 595
wolfSSL 4:1b0d80432c79 596 *version = input[idx++];
wolfSSL 4:1b0d80432c79 597 *inOutIdx = idx;
wolfSSL 4:1b0d80432c79 598
wolfSSL 4:1b0d80432c79 599 return *version;
wolfSSL 4:1b0d80432c79 600 }
wolfSSL 4:1b0d80432c79 601
wolfSSL 4:1b0d80432c79 602
wolfSSL 4:1b0d80432c79 603 #ifndef NO_PWDBASED
wolfSSL 4:1b0d80432c79 604 /* Get small count integer, 32 bits or less */
wolfSSL 4:1b0d80432c79 605 static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
wolfSSL 4:1b0d80432c79 606 {
wolfSSL 4:1b0d80432c79 607 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 608 word32 len;
wolfSSL 4:1b0d80432c79 609
wolfSSL 4:1b0d80432c79 610 *number = 0;
wolfSSL 4:1b0d80432c79 611
wolfSSL 4:1b0d80432c79 612 if (input[idx++] != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 613 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 614
wolfSSL 4:1b0d80432c79 615 len = input[idx++];
wolfSSL 4:1b0d80432c79 616 if (len > 4)
wolfSSL 4:1b0d80432c79 617 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 618
wolfSSL 4:1b0d80432c79 619 while (len--) {
wolfSSL 4:1b0d80432c79 620 *number = *number << 8 | input[idx++];
wolfSSL 4:1b0d80432c79 621 }
wolfSSL 4:1b0d80432c79 622
wolfSSL 4:1b0d80432c79 623 *inOutIdx = idx;
wolfSSL 4:1b0d80432c79 624
wolfSSL 4:1b0d80432c79 625 return *number;
wolfSSL 4:1b0d80432c79 626 }
wolfSSL 4:1b0d80432c79 627 #endif /* !NO_PWDBASED */
wolfSSL 4:1b0d80432c79 628
wolfSSL 4:1b0d80432c79 629 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 630 /* May not have one, not an error */
wolfSSL 4:1b0d80432c79 631 static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
wolfSSL 4:1b0d80432c79 632 {
wolfSSL 4:1b0d80432c79 633 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 634
wolfSSL 4:1b0d80432c79 635 WOLFSSL_ENTER("GetExplicitVersion");
wolfSSL 4:1b0d80432c79 636 if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 4:1b0d80432c79 637 *inOutIdx = ++idx; /* eat header */
wolfSSL 4:1b0d80432c79 638 return GetMyVersion(input, inOutIdx, version);
wolfSSL 4:1b0d80432c79 639 }
wolfSSL 4:1b0d80432c79 640
wolfSSL 4:1b0d80432c79 641 /* go back as is */
wolfSSL 4:1b0d80432c79 642 *version = 0;
wolfSSL 4:1b0d80432c79 643
wolfSSL 4:1b0d80432c79 644 return 0;
wolfSSL 4:1b0d80432c79 645 }
wolfSSL 4:1b0d80432c79 646 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 647
wolfSSL 4:1b0d80432c79 648 WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
wolfSSL 4:1b0d80432c79 649 word32 maxIdx)
wolfSSL 4:1b0d80432c79 650 {
wolfSSL 4:1b0d80432c79 651 word32 i = *inOutIdx;
wolfSSL 4:1b0d80432c79 652 byte b = input[i++];
wolfSSL 4:1b0d80432c79 653 int length;
wolfSSL 4:1b0d80432c79 654
wolfSSL 4:1b0d80432c79 655 if (b != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 656 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 657
wolfSSL 4:1b0d80432c79 658 if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 659 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 660
wolfSSL 4:1b0d80432c79 661 if ( (b = input[i++]) == 0x00)
wolfSSL 4:1b0d80432c79 662 length--;
wolfSSL 4:1b0d80432c79 663 else
wolfSSL 4:1b0d80432c79 664 i--;
wolfSSL 4:1b0d80432c79 665
wolfSSL 4:1b0d80432c79 666 if (mp_init(mpi) != MP_OKAY)
wolfSSL 4:1b0d80432c79 667 return MP_INIT_E;
wolfSSL 4:1b0d80432c79 668
wolfSSL 4:1b0d80432c79 669 if (mp_read_unsigned_bin(mpi, (byte*)input + i, length) != 0) {
wolfSSL 4:1b0d80432c79 670 mp_clear(mpi);
wolfSSL 4:1b0d80432c79 671 return ASN_GETINT_E;
wolfSSL 4:1b0d80432c79 672 }
wolfSSL 4:1b0d80432c79 673
wolfSSL 4:1b0d80432c79 674 *inOutIdx = i + length;
wolfSSL 4:1b0d80432c79 675 return 0;
wolfSSL 4:1b0d80432c79 676 }
wolfSSL 4:1b0d80432c79 677
wolfSSL 4:1b0d80432c79 678
wolfSSL 4:1b0d80432c79 679 /* hashType */
wolfSSL 4:1b0d80432c79 680 static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2};
wolfSSL 4:1b0d80432c79 681 static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5};
wolfSSL 4:1b0d80432c79 682 static const byte hashSha1hOid[] = {43, 14, 3, 2, 26};
wolfSSL 4:1b0d80432c79 683 static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1};
wolfSSL 4:1b0d80432c79 684 static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2};
wolfSSL 4:1b0d80432c79 685 static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3};
wolfSSL 4:1b0d80432c79 686
wolfSSL 4:1b0d80432c79 687 /* sigType */
wolfSSL 4:1b0d80432c79 688 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 689 static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3};
wolfSSL 4:1b0d80432c79 690 #endif /* NO_DSA */
wolfSSL 4:1b0d80432c79 691 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 692 static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2};
wolfSSL 4:1b0d80432c79 693 static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4};
wolfSSL 4:1b0d80432c79 694 static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5};
wolfSSL 4:1b0d80432c79 695 static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11};
wolfSSL 4:1b0d80432c79 696 static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12};
wolfSSL 4:1b0d80432c79 697 static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13};
wolfSSL 4:1b0d80432c79 698 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 699 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 700 static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1};
wolfSSL 4:1b0d80432c79 701 static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2};
wolfSSL 4:1b0d80432c79 702 static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3};
wolfSSL 4:1b0d80432c79 703 static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4};
wolfSSL 4:1b0d80432c79 704 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 705
wolfSSL 4:1b0d80432c79 706 /* keyType */
wolfSSL 4:1b0d80432c79 707 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 708 static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1};
wolfSSL 4:1b0d80432c79 709 #endif /* NO_DSA */
wolfSSL 4:1b0d80432c79 710 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 711 static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1};
wolfSSL 4:1b0d80432c79 712 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 713 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 714 static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1};
wolfSSL 4:1b0d80432c79 715 #endif /* HAVE_NTRU */
wolfSSL 4:1b0d80432c79 716 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 717 static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1};
wolfSSL 4:1b0d80432c79 718 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 719
wolfSSL 4:1b0d80432c79 720 /* curveType */
wolfSSL 4:1b0d80432c79 721 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 722 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
wolfSSL 4:1b0d80432c79 723 static const byte curve192v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 1};
wolfSSL 4:1b0d80432c79 724 #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */
wolfSSL 4:1b0d80432c79 725 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
wolfSSL 4:1b0d80432c79 726 static const byte curve256v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 7};
wolfSSL 4:1b0d80432c79 727 #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */
wolfSSL 4:1b0d80432c79 728 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
wolfSSL 4:1b0d80432c79 729 static const byte curve160r1Oid[] = {43, 129, 4, 0, 2};
wolfSSL 4:1b0d80432c79 730 #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */
wolfSSL 4:1b0d80432c79 731 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
wolfSSL 4:1b0d80432c79 732 static const byte curve224r1Oid[] = {43, 129, 4, 0, 33};
wolfSSL 4:1b0d80432c79 733 #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */
wolfSSL 4:1b0d80432c79 734 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
wolfSSL 4:1b0d80432c79 735 static const byte curve384r1Oid[] = {43, 129, 4, 0, 34};
wolfSSL 4:1b0d80432c79 736 #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */
wolfSSL 4:1b0d80432c79 737 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
wolfSSL 4:1b0d80432c79 738 static const byte curve521r1Oid[] = {43, 129, 4, 0, 35};
wolfSSL 4:1b0d80432c79 739 #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */
wolfSSL 4:1b0d80432c79 740 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 741
wolfSSL 4:1b0d80432c79 742 /* blkType */
wolfSSL 4:1b0d80432c79 743 static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7};
wolfSSL 4:1b0d80432c79 744 static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7};
wolfSSL 4:1b0d80432c79 745
wolfSSL 4:1b0d80432c79 746 /* ocspType */
wolfSSL 4:1b0d80432c79 747 #ifdef HAVE_OCSP
wolfSSL 4:1b0d80432c79 748 static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
wolfSSL 4:1b0d80432c79 749 static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
wolfSSL 4:1b0d80432c79 750 #endif /* HAVE_OCSP */
wolfSSL 4:1b0d80432c79 751
wolfSSL 4:1b0d80432c79 752 /* certExtType */
wolfSSL 4:1b0d80432c79 753 static const byte extBasicCaOid[] = {85, 29, 19};
wolfSSL 4:1b0d80432c79 754 static const byte extAltNamesOid[] = {85, 29, 17};
wolfSSL 4:1b0d80432c79 755 static const byte extCrlDistOid[] = {85, 29, 31};
wolfSSL 4:1b0d80432c79 756 static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1};
wolfSSL 4:1b0d80432c79 757 static const byte extAuthKeyOid[] = {85, 29, 35};
wolfSSL 4:1b0d80432c79 758 static const byte extSubjKeyOid[] = {85, 29, 14};
wolfSSL 4:1b0d80432c79 759 static const byte extCertPolicyOid[] = {85, 29, 32};
wolfSSL 4:1b0d80432c79 760 static const byte extKeyUsageOid[] = {85, 29, 15};
wolfSSL 4:1b0d80432c79 761 static const byte extInhibitAnyOid[] = {85, 29, 54};
wolfSSL 4:1b0d80432c79 762 static const byte extExtKeyUsageOid[] = {85, 29, 37};
wolfSSL 4:1b0d80432c79 763 static const byte extNameConsOid[] = {85, 29, 30};
wolfSSL 4:1b0d80432c79 764
wolfSSL 4:1b0d80432c79 765 /* certAuthInfoType */
wolfSSL 4:1b0d80432c79 766 static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
wolfSSL 4:1b0d80432c79 767 static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
wolfSSL 4:1b0d80432c79 768
wolfSSL 4:1b0d80432c79 769 /* certPolicyType */
wolfSSL 4:1b0d80432c79 770 static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
wolfSSL 4:1b0d80432c79 771
wolfSSL 4:1b0d80432c79 772 /* certKeyUseType */
wolfSSL 4:1b0d80432c79 773 static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
wolfSSL 4:1b0d80432c79 774
wolfSSL 4:1b0d80432c79 775 /* certKeyUseType */
wolfSSL 4:1b0d80432c79 776 static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0};
wolfSSL 4:1b0d80432c79 777 static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1};
wolfSSL 4:1b0d80432c79 778 static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2};
wolfSSL 4:1b0d80432c79 779 static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
wolfSSL 4:1b0d80432c79 780
wolfSSL 4:1b0d80432c79 781 /* kdfType */
wolfSSL 4:1b0d80432c79 782 static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
wolfSSL 4:1b0d80432c79 783
wolfSSL 4:1b0d80432c79 784 static const byte* OidFromId(word32 id, word32 type, word32* oidSz)
wolfSSL 4:1b0d80432c79 785 {
wolfSSL 4:1b0d80432c79 786 const byte* oid = NULL;
wolfSSL 4:1b0d80432c79 787
wolfSSL 4:1b0d80432c79 788 *oidSz = 0;
wolfSSL 4:1b0d80432c79 789
wolfSSL 4:1b0d80432c79 790 switch (type) {
wolfSSL 4:1b0d80432c79 791
wolfSSL 4:1b0d80432c79 792 case hashType:
wolfSSL 4:1b0d80432c79 793 switch (id) {
wolfSSL 4:1b0d80432c79 794 case MD2h:
wolfSSL 4:1b0d80432c79 795 oid = hashMd2hOid;
wolfSSL 4:1b0d80432c79 796 *oidSz = sizeof(hashMd2hOid);
wolfSSL 4:1b0d80432c79 797 break;
wolfSSL 4:1b0d80432c79 798 case MD5h:
wolfSSL 4:1b0d80432c79 799 oid = hashMd5hOid;
wolfSSL 4:1b0d80432c79 800 *oidSz = sizeof(hashMd5hOid);
wolfSSL 4:1b0d80432c79 801 break;
wolfSSL 4:1b0d80432c79 802 case SHAh:
wolfSSL 4:1b0d80432c79 803 oid = hashSha1hOid;
wolfSSL 4:1b0d80432c79 804 *oidSz = sizeof(hashSha1hOid);
wolfSSL 4:1b0d80432c79 805 break;
wolfSSL 4:1b0d80432c79 806 case SHA256h:
wolfSSL 4:1b0d80432c79 807 oid = hashSha256hOid;
wolfSSL 4:1b0d80432c79 808 *oidSz = sizeof(hashSha256hOid);
wolfSSL 4:1b0d80432c79 809 break;
wolfSSL 4:1b0d80432c79 810 case SHA384h:
wolfSSL 4:1b0d80432c79 811 oid = hashSha384hOid;
wolfSSL 4:1b0d80432c79 812 *oidSz = sizeof(hashSha384hOid);
wolfSSL 4:1b0d80432c79 813 break;
wolfSSL 4:1b0d80432c79 814 case SHA512h:
wolfSSL 4:1b0d80432c79 815 oid = hashSha512hOid;
wolfSSL 4:1b0d80432c79 816 *oidSz = sizeof(hashSha512hOid);
wolfSSL 4:1b0d80432c79 817 break;
wolfSSL 4:1b0d80432c79 818 }
wolfSSL 4:1b0d80432c79 819 break;
wolfSSL 4:1b0d80432c79 820
wolfSSL 4:1b0d80432c79 821 case sigType:
wolfSSL 4:1b0d80432c79 822 switch (id) {
wolfSSL 4:1b0d80432c79 823 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 824 case CTC_SHAwDSA:
wolfSSL 4:1b0d80432c79 825 oid = sigSha1wDsaOid;
wolfSSL 4:1b0d80432c79 826 *oidSz = sizeof(sigSha1wDsaOid);
wolfSSL 4:1b0d80432c79 827 break;
wolfSSL 4:1b0d80432c79 828 #endif /* NO_DSA */
wolfSSL 4:1b0d80432c79 829 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 830 case CTC_MD2wRSA:
wolfSSL 4:1b0d80432c79 831 oid = sigMd2wRsaOid;
wolfSSL 4:1b0d80432c79 832 *oidSz = sizeof(sigMd2wRsaOid);
wolfSSL 4:1b0d80432c79 833 break;
wolfSSL 4:1b0d80432c79 834 case CTC_MD5wRSA:
wolfSSL 4:1b0d80432c79 835 oid = sigMd5wRsaOid;
wolfSSL 4:1b0d80432c79 836 *oidSz = sizeof(sigMd5wRsaOid);
wolfSSL 4:1b0d80432c79 837 break;
wolfSSL 4:1b0d80432c79 838 case CTC_SHAwRSA:
wolfSSL 4:1b0d80432c79 839 oid = sigSha1wRsaOid;
wolfSSL 4:1b0d80432c79 840 *oidSz = sizeof(sigSha1wRsaOid);
wolfSSL 4:1b0d80432c79 841 break;
wolfSSL 4:1b0d80432c79 842 case CTC_SHA256wRSA:
wolfSSL 4:1b0d80432c79 843 oid = sigSha256wRsaOid;
wolfSSL 4:1b0d80432c79 844 *oidSz = sizeof(sigSha256wRsaOid);
wolfSSL 4:1b0d80432c79 845 break;
wolfSSL 4:1b0d80432c79 846 case CTC_SHA384wRSA:
wolfSSL 4:1b0d80432c79 847 oid = sigSha384wRsaOid;
wolfSSL 4:1b0d80432c79 848 *oidSz = sizeof(sigSha384wRsaOid);
wolfSSL 4:1b0d80432c79 849 break;
wolfSSL 4:1b0d80432c79 850 case CTC_SHA512wRSA:
wolfSSL 4:1b0d80432c79 851 oid = sigSha512wRsaOid;
wolfSSL 4:1b0d80432c79 852 *oidSz = sizeof(sigSha512wRsaOid);
wolfSSL 4:1b0d80432c79 853 break;
wolfSSL 4:1b0d80432c79 854 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 855 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 856 case CTC_SHAwECDSA:
wolfSSL 4:1b0d80432c79 857 oid = sigSha1wEcdsaOid;
wolfSSL 4:1b0d80432c79 858 *oidSz = sizeof(sigSha1wEcdsaOid);
wolfSSL 4:1b0d80432c79 859 break;
wolfSSL 4:1b0d80432c79 860 case CTC_SHA256wECDSA:
wolfSSL 4:1b0d80432c79 861 oid = sigSha256wEcdsaOid;
wolfSSL 4:1b0d80432c79 862 *oidSz = sizeof(sigSha256wEcdsaOid);
wolfSSL 4:1b0d80432c79 863 break;
wolfSSL 4:1b0d80432c79 864 case CTC_SHA384wECDSA:
wolfSSL 4:1b0d80432c79 865 oid = sigSha384wEcdsaOid;
wolfSSL 4:1b0d80432c79 866 *oidSz = sizeof(sigSha384wEcdsaOid);
wolfSSL 4:1b0d80432c79 867 break;
wolfSSL 4:1b0d80432c79 868 case CTC_SHA512wECDSA:
wolfSSL 4:1b0d80432c79 869 oid = sigSha512wEcdsaOid;
wolfSSL 4:1b0d80432c79 870 *oidSz = sizeof(sigSha512wEcdsaOid);
wolfSSL 4:1b0d80432c79 871 break;
wolfSSL 4:1b0d80432c79 872 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 873 default:
wolfSSL 4:1b0d80432c79 874 break;
wolfSSL 4:1b0d80432c79 875 }
wolfSSL 4:1b0d80432c79 876 break;
wolfSSL 4:1b0d80432c79 877
wolfSSL 4:1b0d80432c79 878 case keyType:
wolfSSL 4:1b0d80432c79 879 switch (id) {
wolfSSL 4:1b0d80432c79 880 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 881 case DSAk:
wolfSSL 4:1b0d80432c79 882 oid = keyDsaOid;
wolfSSL 4:1b0d80432c79 883 *oidSz = sizeof(keyDsaOid);
wolfSSL 4:1b0d80432c79 884 break;
wolfSSL 4:1b0d80432c79 885 #endif /* NO_DSA */
wolfSSL 4:1b0d80432c79 886 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 887 case RSAk:
wolfSSL 4:1b0d80432c79 888 oid = keyRsaOid;
wolfSSL 4:1b0d80432c79 889 *oidSz = sizeof(keyRsaOid);
wolfSSL 4:1b0d80432c79 890 break;
wolfSSL 4:1b0d80432c79 891 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 892 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 893 case NTRUk:
wolfSSL 4:1b0d80432c79 894 oid = keyNtruOid;
wolfSSL 4:1b0d80432c79 895 *oidSz = sizeof(keyNtruOid);
wolfSSL 4:1b0d80432c79 896 break;
wolfSSL 4:1b0d80432c79 897 #endif /* HAVE_NTRU */
wolfSSL 4:1b0d80432c79 898 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 899 case ECDSAk:
wolfSSL 4:1b0d80432c79 900 oid = keyEcdsaOid;
wolfSSL 4:1b0d80432c79 901 *oidSz = sizeof(keyEcdsaOid);
wolfSSL 4:1b0d80432c79 902 break;
wolfSSL 4:1b0d80432c79 903 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 904 default:
wolfSSL 4:1b0d80432c79 905 break;
wolfSSL 4:1b0d80432c79 906 }
wolfSSL 4:1b0d80432c79 907 break;
wolfSSL 4:1b0d80432c79 908
wolfSSL 4:1b0d80432c79 909 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 910 case curveType:
wolfSSL 4:1b0d80432c79 911 switch (id) {
wolfSSL 4:1b0d80432c79 912 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
wolfSSL 4:1b0d80432c79 913 case ECC_256R1:
wolfSSL 4:1b0d80432c79 914 oid = curve256v1Oid;
wolfSSL 4:1b0d80432c79 915 *oidSz = sizeof(curve256v1Oid);
wolfSSL 4:1b0d80432c79 916 break;
wolfSSL 4:1b0d80432c79 917 #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */
wolfSSL 4:1b0d80432c79 918 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
wolfSSL 4:1b0d80432c79 919 case ECC_384R1:
wolfSSL 4:1b0d80432c79 920 oid = curve384r1Oid;
wolfSSL 4:1b0d80432c79 921 *oidSz = sizeof(curve384r1Oid);
wolfSSL 4:1b0d80432c79 922 break;
wolfSSL 4:1b0d80432c79 923 #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */
wolfSSL 4:1b0d80432c79 924 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
wolfSSL 4:1b0d80432c79 925 case ECC_521R1:
wolfSSL 4:1b0d80432c79 926 oid = curve521r1Oid;
wolfSSL 4:1b0d80432c79 927 *oidSz = sizeof(curve521r1Oid);
wolfSSL 4:1b0d80432c79 928 break;
wolfSSL 4:1b0d80432c79 929 #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */
wolfSSL 4:1b0d80432c79 930 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
wolfSSL 4:1b0d80432c79 931 case ECC_160R1:
wolfSSL 4:1b0d80432c79 932 oid = curve160r1Oid;
wolfSSL 4:1b0d80432c79 933 *oidSz = sizeof(curve160r1Oid);
wolfSSL 4:1b0d80432c79 934 break;
wolfSSL 4:1b0d80432c79 935 #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */
wolfSSL 4:1b0d80432c79 936 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
wolfSSL 4:1b0d80432c79 937 case ECC_192R1:
wolfSSL 4:1b0d80432c79 938 oid = curve192v1Oid;
wolfSSL 4:1b0d80432c79 939 *oidSz = sizeof(curve192v1Oid);
wolfSSL 4:1b0d80432c79 940 break;
wolfSSL 4:1b0d80432c79 941 #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */
wolfSSL 4:1b0d80432c79 942 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
wolfSSL 4:1b0d80432c79 943 case ECC_224R1:
wolfSSL 4:1b0d80432c79 944 oid = curve224r1Oid;
wolfSSL 4:1b0d80432c79 945 *oidSz = sizeof(curve224r1Oid);
wolfSSL 4:1b0d80432c79 946 break;
wolfSSL 4:1b0d80432c79 947 #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */
wolfSSL 4:1b0d80432c79 948 default:
wolfSSL 4:1b0d80432c79 949 break;
wolfSSL 4:1b0d80432c79 950 }
wolfSSL 4:1b0d80432c79 951 break;
wolfSSL 4:1b0d80432c79 952 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 953
wolfSSL 4:1b0d80432c79 954 case blkType:
wolfSSL 4:1b0d80432c79 955 switch (id) {
wolfSSL 4:1b0d80432c79 956 case DESb:
wolfSSL 4:1b0d80432c79 957 oid = blkDesCbcOid;
wolfSSL 4:1b0d80432c79 958 *oidSz = sizeof(blkDesCbcOid);
wolfSSL 4:1b0d80432c79 959 break;
wolfSSL 4:1b0d80432c79 960 case DES3b:
wolfSSL 4:1b0d80432c79 961 oid = blkDes3CbcOid;
wolfSSL 4:1b0d80432c79 962 *oidSz = sizeof(blkDes3CbcOid);
wolfSSL 4:1b0d80432c79 963 break;
wolfSSL 4:1b0d80432c79 964 }
wolfSSL 4:1b0d80432c79 965 break;
wolfSSL 4:1b0d80432c79 966
wolfSSL 4:1b0d80432c79 967 #ifdef HAVE_OCSP
wolfSSL 4:1b0d80432c79 968 case ocspType:
wolfSSL 4:1b0d80432c79 969 switch (id) {
wolfSSL 4:1b0d80432c79 970 case OCSP_BASIC_OID:
wolfSSL 4:1b0d80432c79 971 oid = ocspBasicOid;
wolfSSL 4:1b0d80432c79 972 *oidSz = sizeof(ocspBasicOid);
wolfSSL 4:1b0d80432c79 973 break;
wolfSSL 4:1b0d80432c79 974 case OCSP_NONCE_OID:
wolfSSL 4:1b0d80432c79 975 oid = ocspNonceOid;
wolfSSL 4:1b0d80432c79 976 *oidSz = sizeof(ocspNonceOid);
wolfSSL 4:1b0d80432c79 977 break;
wolfSSL 4:1b0d80432c79 978 }
wolfSSL 4:1b0d80432c79 979 break;
wolfSSL 4:1b0d80432c79 980 #endif /* HAVE_OCSP */
wolfSSL 4:1b0d80432c79 981
wolfSSL 4:1b0d80432c79 982 case certExtType:
wolfSSL 4:1b0d80432c79 983 switch (id) {
wolfSSL 4:1b0d80432c79 984 case BASIC_CA_OID:
wolfSSL 4:1b0d80432c79 985 oid = extBasicCaOid;
wolfSSL 4:1b0d80432c79 986 *oidSz = sizeof(extBasicCaOid);
wolfSSL 4:1b0d80432c79 987 break;
wolfSSL 4:1b0d80432c79 988 case ALT_NAMES_OID:
wolfSSL 4:1b0d80432c79 989 oid = extAltNamesOid;
wolfSSL 4:1b0d80432c79 990 *oidSz = sizeof(extAltNamesOid);
wolfSSL 4:1b0d80432c79 991 break;
wolfSSL 4:1b0d80432c79 992 case CRL_DIST_OID:
wolfSSL 4:1b0d80432c79 993 oid = extCrlDistOid;
wolfSSL 4:1b0d80432c79 994 *oidSz = sizeof(extCrlDistOid);
wolfSSL 4:1b0d80432c79 995 break;
wolfSSL 4:1b0d80432c79 996 case AUTH_INFO_OID:
wolfSSL 4:1b0d80432c79 997 oid = extAuthInfoOid;
wolfSSL 4:1b0d80432c79 998 *oidSz = sizeof(extAuthInfoOid);
wolfSSL 4:1b0d80432c79 999 break;
wolfSSL 4:1b0d80432c79 1000 case AUTH_KEY_OID:
wolfSSL 4:1b0d80432c79 1001 oid = extAuthKeyOid;
wolfSSL 4:1b0d80432c79 1002 *oidSz = sizeof(extAuthKeyOid);
wolfSSL 4:1b0d80432c79 1003 break;
wolfSSL 4:1b0d80432c79 1004 case SUBJ_KEY_OID:
wolfSSL 4:1b0d80432c79 1005 oid = extSubjKeyOid;
wolfSSL 4:1b0d80432c79 1006 *oidSz = sizeof(extSubjKeyOid);
wolfSSL 4:1b0d80432c79 1007 break;
wolfSSL 4:1b0d80432c79 1008 case CERT_POLICY_OID:
wolfSSL 4:1b0d80432c79 1009 oid = extCertPolicyOid;
wolfSSL 4:1b0d80432c79 1010 *oidSz = sizeof(extCertPolicyOid);
wolfSSL 4:1b0d80432c79 1011 break;
wolfSSL 4:1b0d80432c79 1012 case KEY_USAGE_OID:
wolfSSL 4:1b0d80432c79 1013 oid = extKeyUsageOid;
wolfSSL 4:1b0d80432c79 1014 *oidSz = sizeof(extKeyUsageOid);
wolfSSL 4:1b0d80432c79 1015 break;
wolfSSL 4:1b0d80432c79 1016 case INHIBIT_ANY_OID:
wolfSSL 4:1b0d80432c79 1017 oid = extInhibitAnyOid;
wolfSSL 4:1b0d80432c79 1018 *oidSz = sizeof(extInhibitAnyOid);
wolfSSL 4:1b0d80432c79 1019 break;
wolfSSL 4:1b0d80432c79 1020 case EXT_KEY_USAGE_OID:
wolfSSL 4:1b0d80432c79 1021 oid = extExtKeyUsageOid;
wolfSSL 4:1b0d80432c79 1022 *oidSz = sizeof(extExtKeyUsageOid);
wolfSSL 4:1b0d80432c79 1023 break;
wolfSSL 4:1b0d80432c79 1024 case NAME_CONS_OID:
wolfSSL 4:1b0d80432c79 1025 oid = extNameConsOid;
wolfSSL 4:1b0d80432c79 1026 *oidSz = sizeof(extNameConsOid);
wolfSSL 4:1b0d80432c79 1027 break;
wolfSSL 4:1b0d80432c79 1028 }
wolfSSL 4:1b0d80432c79 1029 break;
wolfSSL 4:1b0d80432c79 1030
wolfSSL 4:1b0d80432c79 1031 case certAuthInfoType:
wolfSSL 4:1b0d80432c79 1032 switch (id) {
wolfSSL 4:1b0d80432c79 1033 case AIA_OCSP_OID:
wolfSSL 4:1b0d80432c79 1034 oid = extAuthInfoOcspOid;
wolfSSL 4:1b0d80432c79 1035 *oidSz = sizeof(extAuthInfoOcspOid);
wolfSSL 4:1b0d80432c79 1036 break;
wolfSSL 4:1b0d80432c79 1037 case AIA_CA_ISSUER_OID:
wolfSSL 4:1b0d80432c79 1038 oid = extAuthInfoCaIssuerOid;
wolfSSL 4:1b0d80432c79 1039 *oidSz = sizeof(extAuthInfoCaIssuerOid);
wolfSSL 4:1b0d80432c79 1040 break;
wolfSSL 4:1b0d80432c79 1041 }
wolfSSL 4:1b0d80432c79 1042 break;
wolfSSL 4:1b0d80432c79 1043
wolfSSL 4:1b0d80432c79 1044 case certPolicyType:
wolfSSL 4:1b0d80432c79 1045 switch (id) {
wolfSSL 4:1b0d80432c79 1046 case CP_ANY_OID:
wolfSSL 4:1b0d80432c79 1047 oid = extCertPolicyAnyOid;
wolfSSL 4:1b0d80432c79 1048 *oidSz = sizeof(extCertPolicyAnyOid);
wolfSSL 4:1b0d80432c79 1049 break;
wolfSSL 4:1b0d80432c79 1050 }
wolfSSL 4:1b0d80432c79 1051 break;
wolfSSL 4:1b0d80432c79 1052
wolfSSL 4:1b0d80432c79 1053 case certAltNameType:
wolfSSL 4:1b0d80432c79 1054 switch (id) {
wolfSSL 4:1b0d80432c79 1055 case HW_NAME_OID:
wolfSSL 4:1b0d80432c79 1056 oid = extAltNamesHwNameOid;
wolfSSL 4:1b0d80432c79 1057 *oidSz = sizeof(extAltNamesHwNameOid);
wolfSSL 4:1b0d80432c79 1058 break;
wolfSSL 4:1b0d80432c79 1059 }
wolfSSL 4:1b0d80432c79 1060 break;
wolfSSL 4:1b0d80432c79 1061
wolfSSL 4:1b0d80432c79 1062 case certKeyUseType:
wolfSSL 4:1b0d80432c79 1063 switch (id) {
wolfSSL 4:1b0d80432c79 1064 case EKU_ANY_OID:
wolfSSL 4:1b0d80432c79 1065 oid = extExtKeyUsageAnyOid;
wolfSSL 4:1b0d80432c79 1066 *oidSz = sizeof(extExtKeyUsageAnyOid);
wolfSSL 4:1b0d80432c79 1067 break;
wolfSSL 4:1b0d80432c79 1068 case EKU_SERVER_AUTH_OID:
wolfSSL 4:1b0d80432c79 1069 oid = extExtKeyUsageServerAuthOid;
wolfSSL 4:1b0d80432c79 1070 *oidSz = sizeof(extExtKeyUsageServerAuthOid);
wolfSSL 4:1b0d80432c79 1071 break;
wolfSSL 4:1b0d80432c79 1072 case EKU_CLIENT_AUTH_OID:
wolfSSL 4:1b0d80432c79 1073 oid = extExtKeyUsageClientAuthOid;
wolfSSL 4:1b0d80432c79 1074 *oidSz = sizeof(extExtKeyUsageClientAuthOid);
wolfSSL 4:1b0d80432c79 1075 break;
wolfSSL 4:1b0d80432c79 1076 case EKU_OCSP_SIGN_OID:
wolfSSL 4:1b0d80432c79 1077 oid = extExtKeyUsageOcspSignOid;
wolfSSL 4:1b0d80432c79 1078 *oidSz = sizeof(extExtKeyUsageOcspSignOid);
wolfSSL 4:1b0d80432c79 1079 break;
wolfSSL 4:1b0d80432c79 1080 }
wolfSSL 4:1b0d80432c79 1081
wolfSSL 4:1b0d80432c79 1082 case kdfType:
wolfSSL 4:1b0d80432c79 1083 switch (id) {
wolfSSL 4:1b0d80432c79 1084 case PBKDF2_OID:
wolfSSL 4:1b0d80432c79 1085 oid = pbkdf2Oid;
wolfSSL 4:1b0d80432c79 1086 *oidSz = sizeof(pbkdf2Oid);
wolfSSL 4:1b0d80432c79 1087 break;
wolfSSL 4:1b0d80432c79 1088 }
wolfSSL 4:1b0d80432c79 1089 break;
wolfSSL 4:1b0d80432c79 1090
wolfSSL 4:1b0d80432c79 1091 case ignoreType:
wolfSSL 4:1b0d80432c79 1092 default:
wolfSSL 4:1b0d80432c79 1093 break;
wolfSSL 4:1b0d80432c79 1094 }
wolfSSL 4:1b0d80432c79 1095
wolfSSL 4:1b0d80432c79 1096 return oid;
wolfSSL 4:1b0d80432c79 1097 }
wolfSSL 4:1b0d80432c79 1098
wolfSSL 4:1b0d80432c79 1099
wolfSSL 4:1b0d80432c79 1100 WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 4:1b0d80432c79 1101 word32 oidType, word32 maxIdx)
wolfSSL 4:1b0d80432c79 1102 {
wolfSSL 4:1b0d80432c79 1103 int length;
wolfSSL 4:1b0d80432c79 1104 word32 i = *inOutIdx;
wolfSSL 4:1b0d80432c79 1105 #ifndef NO_VERIFY_OID
wolfSSL 4:1b0d80432c79 1106 word32 actualOidSz = 0;
wolfSSL 4:1b0d80432c79 1107 const byte* actualOid;
wolfSSL 4:1b0d80432c79 1108 #endif /* NO_VERIFY_OID */
wolfSSL 4:1b0d80432c79 1109 byte b;
wolfSSL 4:1b0d80432c79 1110
wolfSSL 4:1b0d80432c79 1111 (void)oidType;
wolfSSL 4:1b0d80432c79 1112 WOLFSSL_ENTER("GetObjectId()");
wolfSSL 4:1b0d80432c79 1113 *oid = 0;
wolfSSL 4:1b0d80432c79 1114
wolfSSL 4:1b0d80432c79 1115 b = input[i++];
wolfSSL 4:1b0d80432c79 1116 if (b != ASN_OBJECT_ID)
wolfSSL 4:1b0d80432c79 1117 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 1118
wolfSSL 4:1b0d80432c79 1119 if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 1120 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1121
wolfSSL 4:1b0d80432c79 1122 #ifndef NO_VERIFY_OID
wolfSSL 4:1b0d80432c79 1123 actualOid = &input[i];
wolfSSL 4:1b0d80432c79 1124 if (length > 0)
wolfSSL 4:1b0d80432c79 1125 actualOidSz = (word32)length;
wolfSSL 4:1b0d80432c79 1126 #endif /* NO_VERIFY_OID */
wolfSSL 4:1b0d80432c79 1127
wolfSSL 4:1b0d80432c79 1128 while(length--) {
wolfSSL 4:1b0d80432c79 1129 /* odd HC08 compiler behavior here when input[i++] */
wolfSSL 4:1b0d80432c79 1130 *oid += input[i];
wolfSSL 4:1b0d80432c79 1131 i++;
wolfSSL 4:1b0d80432c79 1132 }
wolfSSL 4:1b0d80432c79 1133 /* just sum it up for now */
wolfSSL 4:1b0d80432c79 1134
wolfSSL 4:1b0d80432c79 1135 *inOutIdx = i;
wolfSSL 4:1b0d80432c79 1136
wolfSSL 4:1b0d80432c79 1137 #ifndef NO_VERIFY_OID
wolfSSL 4:1b0d80432c79 1138 {
wolfSSL 4:1b0d80432c79 1139 const byte* checkOid = NULL;
wolfSSL 4:1b0d80432c79 1140 word32 checkOidSz;
wolfSSL 4:1b0d80432c79 1141
wolfSSL 4:1b0d80432c79 1142 if (oidType != ignoreType) {
wolfSSL 4:1b0d80432c79 1143 checkOid = OidFromId(*oid, oidType, &checkOidSz);
wolfSSL 4:1b0d80432c79 1144
wolfSSL 4:1b0d80432c79 1145 if (checkOid != NULL &&
wolfSSL 4:1b0d80432c79 1146 (checkOidSz != actualOidSz ||
wolfSSL 4:1b0d80432c79 1147 XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) {
wolfSSL 4:1b0d80432c79 1148
wolfSSL 4:1b0d80432c79 1149 WOLFSSL_MSG("OID Check Failed");
wolfSSL 4:1b0d80432c79 1150 return ASN_UNKNOWN_OID_E;
wolfSSL 4:1b0d80432c79 1151 }
wolfSSL 4:1b0d80432c79 1152 }
wolfSSL 4:1b0d80432c79 1153 }
wolfSSL 4:1b0d80432c79 1154 #endif /* NO_VERIFY_OID */
wolfSSL 4:1b0d80432c79 1155
wolfSSL 4:1b0d80432c79 1156 return 0;
wolfSSL 4:1b0d80432c79 1157 }
wolfSSL 4:1b0d80432c79 1158
wolfSSL 4:1b0d80432c79 1159
wolfSSL 4:1b0d80432c79 1160 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 1161 #ifndef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 1162 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 4:1b0d80432c79 1163 static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 4:1b0d80432c79 1164 {
wolfSSL 4:1b0d80432c79 1165 int length;
wolfSSL 4:1b0d80432c79 1166
wolfSSL 4:1b0d80432c79 1167 if (input[(*inOutIdx)++] != ASN_OBJECT_ID)
wolfSSL 4:1b0d80432c79 1168 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 1169
wolfSSL 4:1b0d80432c79 1170 if (GetLength(input, inOutIdx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 1171 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1172
wolfSSL 4:1b0d80432c79 1173 *inOutIdx += length;
wolfSSL 4:1b0d80432c79 1174
wolfSSL 4:1b0d80432c79 1175 return 0;
wolfSSL 4:1b0d80432c79 1176 }
wolfSSL 4:1b0d80432c79 1177 #endif /* OPENSSL_EXTRA || RSA_DECODE_EXTRA */
wolfSSL 4:1b0d80432c79 1178 #endif /* !HAVE_USER_RSA */
wolfSSL 4:1b0d80432c79 1179 #endif /* !NO_RSA */
wolfSSL 4:1b0d80432c79 1180
wolfSSL 4:1b0d80432c79 1181 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 4:1b0d80432c79 1182 word32 oidType, word32 maxIdx)
wolfSSL 4:1b0d80432c79 1183 {
wolfSSL 4:1b0d80432c79 1184 int length;
wolfSSL 4:1b0d80432c79 1185 word32 i = *inOutIdx;
wolfSSL 4:1b0d80432c79 1186 byte b;
wolfSSL 4:1b0d80432c79 1187 *oid = 0;
wolfSSL 4:1b0d80432c79 1188
wolfSSL 4:1b0d80432c79 1189 WOLFSSL_ENTER("GetAlgoId");
wolfSSL 4:1b0d80432c79 1190
wolfSSL 4:1b0d80432c79 1191 if (GetSequence(input, &i, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 1192 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1193
wolfSSL 4:1b0d80432c79 1194 if (GetObjectId(input, &i, oid, oidType, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 1195 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 1196
wolfSSL 4:1b0d80432c79 1197 /* could have NULL tag and 0 terminator, but may not */
wolfSSL 4:1b0d80432c79 1198 b = input[i];
wolfSSL 4:1b0d80432c79 1199
wolfSSL 4:1b0d80432c79 1200 if (b == ASN_TAG_NULL) {
wolfSSL 4:1b0d80432c79 1201 i++;
wolfSSL 4:1b0d80432c79 1202 b = input[i++];
wolfSSL 4:1b0d80432c79 1203 if (b != 0)
wolfSSL 4:1b0d80432c79 1204 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 1205 }
wolfSSL 4:1b0d80432c79 1206
wolfSSL 4:1b0d80432c79 1207 *inOutIdx = i;
wolfSSL 4:1b0d80432c79 1208
wolfSSL 4:1b0d80432c79 1209 return 0;
wolfSSL 4:1b0d80432c79 1210 }
wolfSSL 4:1b0d80432c79 1211
wolfSSL 4:1b0d80432c79 1212 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 1213
wolfSSL 4:1b0d80432c79 1214
wolfSSL 4:1b0d80432c79 1215 #ifdef HAVE_CAVIUM
wolfSSL 4:1b0d80432c79 1216
wolfSSL 4:1b0d80432c79 1217 static int GetCaviumInt(byte** buff, word16* buffSz, const byte* input,
wolfSSL 4:1b0d80432c79 1218 word32* inOutIdx, word32 maxIdx, void* heap)
wolfSSL 4:1b0d80432c79 1219 {
wolfSSL 4:1b0d80432c79 1220 word32 i = *inOutIdx;
wolfSSL 4:1b0d80432c79 1221 byte b = input[i++];
wolfSSL 4:1b0d80432c79 1222 int length;
wolfSSL 4:1b0d80432c79 1223
wolfSSL 4:1b0d80432c79 1224 if (b != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 1225 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1226
wolfSSL 4:1b0d80432c79 1227 if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 1228 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1229
wolfSSL 4:1b0d80432c79 1230 if ( (b = input[i++]) == 0x00)
wolfSSL 4:1b0d80432c79 1231 length--;
wolfSSL 4:1b0d80432c79 1232 else
wolfSSL 4:1b0d80432c79 1233 i--;
wolfSSL 4:1b0d80432c79 1234
wolfSSL 4:1b0d80432c79 1235 *buffSz = (word16)length;
wolfSSL 4:1b0d80432c79 1236 *buff = XMALLOC(*buffSz, heap, DYNAMIC_TYPE_CAVIUM_RSA);
wolfSSL 4:1b0d80432c79 1237 if (*buff == NULL)
wolfSSL 4:1b0d80432c79 1238 return MEMORY_E;
wolfSSL 4:1b0d80432c79 1239
wolfSSL 4:1b0d80432c79 1240 XMEMCPY(*buff, input + i, *buffSz);
wolfSSL 4:1b0d80432c79 1241
wolfSSL 4:1b0d80432c79 1242 *inOutIdx = i + length;
wolfSSL 4:1b0d80432c79 1243 return 0;
wolfSSL 4:1b0d80432c79 1244 }
wolfSSL 4:1b0d80432c79 1245
wolfSSL 4:1b0d80432c79 1246 static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx,
wolfSSL 4:1b0d80432c79 1247 RsaKey* key, word32 inSz)
wolfSSL 4:1b0d80432c79 1248 {
wolfSSL 4:1b0d80432c79 1249 int version, length;
wolfSSL 4:1b0d80432c79 1250 void* h = key->heap;
wolfSSL 4:1b0d80432c79 1251
wolfSSL 4:1b0d80432c79 1252 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1253 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1254
wolfSSL 4:1b0d80432c79 1255 if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL 4:1b0d80432c79 1256 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1257
wolfSSL 4:1b0d80432c79 1258 key->type = RSA_PRIVATE;
wolfSSL 4:1b0d80432c79 1259
wolfSSL 4:1b0d80432c79 1260 if (GetCaviumInt(&key->c_n, &key->c_nSz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1261 GetCaviumInt(&key->c_e, &key->c_eSz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1262 GetCaviumInt(&key->c_d, &key->c_dSz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1263 GetCaviumInt(&key->c_p, &key->c_pSz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1264 GetCaviumInt(&key->c_q, &key->c_qSz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1265 GetCaviumInt(&key->c_dP, &key->c_dP_Sz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1266 GetCaviumInt(&key->c_dQ, &key->c_dQ_Sz, input, inOutIdx, inSz, h) < 0 ||
wolfSSL 4:1b0d80432c79 1267 GetCaviumInt(&key->c_u, &key->c_uSz, input, inOutIdx, inSz, h) < 0 )
wolfSSL 4:1b0d80432c79 1268 return ASN_RSA_KEY_E;
wolfSSL 4:1b0d80432c79 1269
wolfSSL 4:1b0d80432c79 1270 return 0;
wolfSSL 4:1b0d80432c79 1271 }
wolfSSL 4:1b0d80432c79 1272
wolfSSL 4:1b0d80432c79 1273
wolfSSL 4:1b0d80432c79 1274 #endif /* HAVE_CAVIUM */
wolfSSL 4:1b0d80432c79 1275
wolfSSL 4:1b0d80432c79 1276 #ifndef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 1277 int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 4:1b0d80432c79 1278 word32 inSz)
wolfSSL 4:1b0d80432c79 1279 {
wolfSSL 4:1b0d80432c79 1280 int version, length;
wolfSSL 4:1b0d80432c79 1281
wolfSSL 4:1b0d80432c79 1282 #ifdef HAVE_CAVIUM
wolfSSL 4:1b0d80432c79 1283 if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
wolfSSL 4:1b0d80432c79 1284 return CaviumRsaPrivateKeyDecode(input, inOutIdx, key, inSz);
wolfSSL 4:1b0d80432c79 1285 #endif
wolfSSL 4:1b0d80432c79 1286
wolfSSL 4:1b0d80432c79 1287 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1288 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1289
wolfSSL 4:1b0d80432c79 1290 if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL 4:1b0d80432c79 1291 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1292
wolfSSL 4:1b0d80432c79 1293 key->type = RSA_PRIVATE;
wolfSSL 4:1b0d80432c79 1294
wolfSSL 4:1b0d80432c79 1295 if (GetInt(&key->n, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1296 GetInt(&key->e, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1297 GetInt(&key->d, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1298 GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1299 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1300 GetInt(&key->dP, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1301 GetInt(&key->dQ, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1302 GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL 4:1b0d80432c79 1303
wolfSSL 4:1b0d80432c79 1304 return 0;
wolfSSL 4:1b0d80432c79 1305 }
wolfSSL 4:1b0d80432c79 1306 #endif /* HAVE_USER_RSA */
wolfSSL 4:1b0d80432c79 1307 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 1308
wolfSSL 4:1b0d80432c79 1309 /* Remove PKCS8 header, move beginning of traditional to beginning of input */
wolfSSL 4:1b0d80432c79 1310 int ToTraditional(byte* input, word32 sz)
wolfSSL 4:1b0d80432c79 1311 {
wolfSSL 4:1b0d80432c79 1312 word32 inOutIdx = 0, oid;
wolfSSL 4:1b0d80432c79 1313 int version, length;
wolfSSL 4:1b0d80432c79 1314
wolfSSL 4:1b0d80432c79 1315 if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1316 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1317
wolfSSL 4:1b0d80432c79 1318 if (GetMyVersion(input, &inOutIdx, &version) < 0)
wolfSSL 4:1b0d80432c79 1319 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1320
wolfSSL 4:1b0d80432c79 1321 if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0)
wolfSSL 4:1b0d80432c79 1322 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1323
wolfSSL 4:1b0d80432c79 1324 if (input[inOutIdx] == ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 1325 /* pkcs8 ecc uses slightly different format */
wolfSSL 4:1b0d80432c79 1326 inOutIdx++; /* past id */
wolfSSL 4:1b0d80432c79 1327 if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1328 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1329 inOutIdx += length; /* over sub id, key input will verify */
wolfSSL 4:1b0d80432c79 1330 }
wolfSSL 4:1b0d80432c79 1331
wolfSSL 4:1b0d80432c79 1332 if (input[inOutIdx++] != ASN_OCTET_STRING)
wolfSSL 4:1b0d80432c79 1333 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1334
wolfSSL 4:1b0d80432c79 1335 if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1336 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1337
wolfSSL 4:1b0d80432c79 1338 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 4:1b0d80432c79 1339
wolfSSL 4:1b0d80432c79 1340 return length;
wolfSSL 4:1b0d80432c79 1341 }
wolfSSL 4:1b0d80432c79 1342
wolfSSL 4:1b0d80432c79 1343
wolfSSL 4:1b0d80432c79 1344 #ifndef NO_PWDBASED
wolfSSL 4:1b0d80432c79 1345
wolfSSL 4:1b0d80432c79 1346 /* Check To see if PKCS version algo is supported, set id if it is return 0
wolfSSL 4:1b0d80432c79 1347 < 0 on error */
wolfSSL 4:1b0d80432c79 1348 static int CheckAlgo(int first, int second, int* id, int* version)
wolfSSL 4:1b0d80432c79 1349 {
wolfSSL 4:1b0d80432c79 1350 *id = ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1351 *version = PKCS5; /* default */
wolfSSL 4:1b0d80432c79 1352
wolfSSL 4:1b0d80432c79 1353 if (first == 1) {
wolfSSL 4:1b0d80432c79 1354 switch (second) {
wolfSSL 4:1b0d80432c79 1355 case 1:
wolfSSL 4:1b0d80432c79 1356 *id = PBE_SHA1_RC4_128;
wolfSSL 4:1b0d80432c79 1357 *version = PKCS12;
wolfSSL 4:1b0d80432c79 1358 return 0;
wolfSSL 4:1b0d80432c79 1359 case 3:
wolfSSL 4:1b0d80432c79 1360 *id = PBE_SHA1_DES3;
wolfSSL 4:1b0d80432c79 1361 *version = PKCS12;
wolfSSL 4:1b0d80432c79 1362 return 0;
wolfSSL 4:1b0d80432c79 1363 default:
wolfSSL 4:1b0d80432c79 1364 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1365 }
wolfSSL 4:1b0d80432c79 1366 }
wolfSSL 4:1b0d80432c79 1367
wolfSSL 4:1b0d80432c79 1368 if (first != PKCS5)
wolfSSL 4:1b0d80432c79 1369 return ASN_INPUT_E; /* VERSION ERROR */
wolfSSL 4:1b0d80432c79 1370
wolfSSL 4:1b0d80432c79 1371 if (second == PBES2) {
wolfSSL 4:1b0d80432c79 1372 *version = PKCS5v2;
wolfSSL 4:1b0d80432c79 1373 return 0;
wolfSSL 4:1b0d80432c79 1374 }
wolfSSL 4:1b0d80432c79 1375
wolfSSL 4:1b0d80432c79 1376 switch (second) {
wolfSSL 4:1b0d80432c79 1377 case 3: /* see RFC 2898 for ids */
wolfSSL 4:1b0d80432c79 1378 *id = PBE_MD5_DES;
wolfSSL 4:1b0d80432c79 1379 return 0;
wolfSSL 4:1b0d80432c79 1380 case 10:
wolfSSL 4:1b0d80432c79 1381 *id = PBE_SHA1_DES;
wolfSSL 4:1b0d80432c79 1382 return 0;
wolfSSL 4:1b0d80432c79 1383 default:
wolfSSL 4:1b0d80432c79 1384 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1385
wolfSSL 4:1b0d80432c79 1386 }
wolfSSL 4:1b0d80432c79 1387 }
wolfSSL 4:1b0d80432c79 1388
wolfSSL 4:1b0d80432c79 1389
wolfSSL 4:1b0d80432c79 1390 /* Check To see if PKCS v2 algo is supported, set id if it is return 0
wolfSSL 4:1b0d80432c79 1391 < 0 on error */
wolfSSL 4:1b0d80432c79 1392 static int CheckAlgoV2(int oid, int* id)
wolfSSL 4:1b0d80432c79 1393 {
wolfSSL 4:1b0d80432c79 1394 switch (oid) {
wolfSSL 4:1b0d80432c79 1395 case 69:
wolfSSL 4:1b0d80432c79 1396 *id = PBE_SHA1_DES;
wolfSSL 4:1b0d80432c79 1397 return 0;
wolfSSL 4:1b0d80432c79 1398 case 652:
wolfSSL 4:1b0d80432c79 1399 *id = PBE_SHA1_DES3;
wolfSSL 4:1b0d80432c79 1400 return 0;
wolfSSL 4:1b0d80432c79 1401 default:
wolfSSL 4:1b0d80432c79 1402 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1403
wolfSSL 4:1b0d80432c79 1404 }
wolfSSL 4:1b0d80432c79 1405 }
wolfSSL 4:1b0d80432c79 1406
wolfSSL 4:1b0d80432c79 1407
wolfSSL 4:1b0d80432c79 1408 /* Decrypt input in place from parameters based on id */
wolfSSL 4:1b0d80432c79 1409 static int DecryptKey(const char* password, int passwordSz, byte* salt,
wolfSSL 4:1b0d80432c79 1410 int saltSz, int iterations, int id, byte* input,
wolfSSL 4:1b0d80432c79 1411 int length, int version, byte* cbcIv)
wolfSSL 4:1b0d80432c79 1412 {
wolfSSL 4:1b0d80432c79 1413 int typeH;
wolfSSL 4:1b0d80432c79 1414 int derivedLen;
wolfSSL 4:1b0d80432c79 1415 int decryptionType;
wolfSSL 4:1b0d80432c79 1416 int ret = 0;
wolfSSL 4:1b0d80432c79 1417 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1418 byte* key;
wolfSSL 4:1b0d80432c79 1419 #else
wolfSSL 4:1b0d80432c79 1420 byte key[MAX_KEY_SIZE];
wolfSSL 4:1b0d80432c79 1421 #endif
wolfSSL 4:1b0d80432c79 1422
wolfSSL 4:1b0d80432c79 1423 (void)input;
wolfSSL 4:1b0d80432c79 1424 (void)length;
wolfSSL 4:1b0d80432c79 1425
wolfSSL 4:1b0d80432c79 1426 switch (id) {
wolfSSL 4:1b0d80432c79 1427 case PBE_MD5_DES:
wolfSSL 4:1b0d80432c79 1428 typeH = MD5;
wolfSSL 4:1b0d80432c79 1429 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 4:1b0d80432c79 1430 decryptionType = DES_TYPE;
wolfSSL 4:1b0d80432c79 1431 break;
wolfSSL 4:1b0d80432c79 1432
wolfSSL 4:1b0d80432c79 1433 case PBE_SHA1_DES:
wolfSSL 4:1b0d80432c79 1434 typeH = SHA;
wolfSSL 4:1b0d80432c79 1435 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 4:1b0d80432c79 1436 decryptionType = DES_TYPE;
wolfSSL 4:1b0d80432c79 1437 break;
wolfSSL 4:1b0d80432c79 1438
wolfSSL 4:1b0d80432c79 1439 case PBE_SHA1_DES3:
wolfSSL 4:1b0d80432c79 1440 typeH = SHA;
wolfSSL 4:1b0d80432c79 1441 derivedLen = 32; /* may need iv for v1.5 */
wolfSSL 4:1b0d80432c79 1442 decryptionType = DES3_TYPE;
wolfSSL 4:1b0d80432c79 1443 break;
wolfSSL 4:1b0d80432c79 1444
wolfSSL 4:1b0d80432c79 1445 case PBE_SHA1_RC4_128:
wolfSSL 4:1b0d80432c79 1446 typeH = SHA;
wolfSSL 4:1b0d80432c79 1447 derivedLen = 16;
wolfSSL 4:1b0d80432c79 1448 decryptionType = RC4_TYPE;
wolfSSL 4:1b0d80432c79 1449 break;
wolfSSL 4:1b0d80432c79 1450
wolfSSL 4:1b0d80432c79 1451 default:
wolfSSL 4:1b0d80432c79 1452 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1453 }
wolfSSL 4:1b0d80432c79 1454
wolfSSL 4:1b0d80432c79 1455 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1456 key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1457 if (key == NULL)
wolfSSL 4:1b0d80432c79 1458 return MEMORY_E;
wolfSSL 4:1b0d80432c79 1459 #endif
wolfSSL 4:1b0d80432c79 1460
wolfSSL 4:1b0d80432c79 1461 if (version == PKCS5v2)
wolfSSL 4:1b0d80432c79 1462 ret = wc_PBKDF2(key, (byte*)password, passwordSz,
wolfSSL 4:1b0d80432c79 1463 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 4:1b0d80432c79 1464 #ifndef NO_SHA
wolfSSL 4:1b0d80432c79 1465 else if (version == PKCS5)
wolfSSL 4:1b0d80432c79 1466 ret = wc_PBKDF1(key, (byte*)password, passwordSz,
wolfSSL 4:1b0d80432c79 1467 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 4:1b0d80432c79 1468 #endif
wolfSSL 4:1b0d80432c79 1469 else if (version == PKCS12) {
wolfSSL 4:1b0d80432c79 1470 int i, idx = 0;
wolfSSL 4:1b0d80432c79 1471 byte unicodePasswd[MAX_UNICODE_SZ];
wolfSSL 4:1b0d80432c79 1472
wolfSSL 4:1b0d80432c79 1473 if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
wolfSSL 4:1b0d80432c79 1474 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1475 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1476 #endif
wolfSSL 4:1b0d80432c79 1477 return UNICODE_SIZE_E;
wolfSSL 4:1b0d80432c79 1478 }
wolfSSL 4:1b0d80432c79 1479
wolfSSL 4:1b0d80432c79 1480 for (i = 0; i < passwordSz; i++) {
wolfSSL 4:1b0d80432c79 1481 unicodePasswd[idx++] = 0x00;
wolfSSL 4:1b0d80432c79 1482 unicodePasswd[idx++] = (byte)password[i];
wolfSSL 4:1b0d80432c79 1483 }
wolfSSL 4:1b0d80432c79 1484 /* add trailing NULL */
wolfSSL 4:1b0d80432c79 1485 unicodePasswd[idx++] = 0x00;
wolfSSL 4:1b0d80432c79 1486 unicodePasswd[idx++] = 0x00;
wolfSSL 4:1b0d80432c79 1487
wolfSSL 4:1b0d80432c79 1488 ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
wolfSSL 4:1b0d80432c79 1489 iterations, derivedLen, typeH, 1);
wolfSSL 4:1b0d80432c79 1490 if (decryptionType != RC4_TYPE)
wolfSSL 4:1b0d80432c79 1491 ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
wolfSSL 4:1b0d80432c79 1492 iterations, 8, typeH, 2);
wolfSSL 4:1b0d80432c79 1493 }
wolfSSL 4:1b0d80432c79 1494 else {
wolfSSL 4:1b0d80432c79 1495 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1496 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1497 #endif
wolfSSL 4:1b0d80432c79 1498 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1499 }
wolfSSL 4:1b0d80432c79 1500
wolfSSL 4:1b0d80432c79 1501 if (ret != 0) {
wolfSSL 4:1b0d80432c79 1502 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1503 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1504 #endif
wolfSSL 4:1b0d80432c79 1505 return ret;
wolfSSL 4:1b0d80432c79 1506 }
wolfSSL 4:1b0d80432c79 1507
wolfSSL 4:1b0d80432c79 1508 switch (decryptionType) {
wolfSSL 4:1b0d80432c79 1509 #ifndef NO_DES3
wolfSSL 4:1b0d80432c79 1510 case DES_TYPE:
wolfSSL 4:1b0d80432c79 1511 {
wolfSSL 4:1b0d80432c79 1512 Des dec;
wolfSSL 4:1b0d80432c79 1513 byte* desIv = key + 8;
wolfSSL 4:1b0d80432c79 1514
wolfSSL 4:1b0d80432c79 1515 if (version == PKCS5v2 || version == PKCS12)
wolfSSL 4:1b0d80432c79 1516 desIv = cbcIv;
wolfSSL 4:1b0d80432c79 1517
wolfSSL 4:1b0d80432c79 1518 ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 4:1b0d80432c79 1519 if (ret != 0) {
wolfSSL 4:1b0d80432c79 1520 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1521 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1522 #endif
wolfSSL 4:1b0d80432c79 1523 return ret;
wolfSSL 4:1b0d80432c79 1524 }
wolfSSL 4:1b0d80432c79 1525
wolfSSL 4:1b0d80432c79 1526 wc_Des_CbcDecrypt(&dec, input, input, length);
wolfSSL 4:1b0d80432c79 1527 break;
wolfSSL 4:1b0d80432c79 1528 }
wolfSSL 4:1b0d80432c79 1529
wolfSSL 4:1b0d80432c79 1530 case DES3_TYPE:
wolfSSL 4:1b0d80432c79 1531 {
wolfSSL 4:1b0d80432c79 1532 Des3 dec;
wolfSSL 4:1b0d80432c79 1533 byte* desIv = key + 24;
wolfSSL 4:1b0d80432c79 1534
wolfSSL 4:1b0d80432c79 1535 if (version == PKCS5v2 || version == PKCS12)
wolfSSL 4:1b0d80432c79 1536 desIv = cbcIv;
wolfSSL 4:1b0d80432c79 1537 ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 4:1b0d80432c79 1538 if (ret != 0) {
wolfSSL 4:1b0d80432c79 1539 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1540 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1541 #endif
wolfSSL 4:1b0d80432c79 1542 return ret;
wolfSSL 4:1b0d80432c79 1543 }
wolfSSL 4:1b0d80432c79 1544 ret = wc_Des3_CbcDecrypt(&dec, input, input, length);
wolfSSL 4:1b0d80432c79 1545 if (ret != 0) {
wolfSSL 4:1b0d80432c79 1546 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1547 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1548 #endif
wolfSSL 4:1b0d80432c79 1549 return ret;
wolfSSL 4:1b0d80432c79 1550 }
wolfSSL 4:1b0d80432c79 1551 break;
wolfSSL 4:1b0d80432c79 1552 }
wolfSSL 4:1b0d80432c79 1553 #endif
wolfSSL 4:1b0d80432c79 1554 #ifndef NO_RC4
wolfSSL 4:1b0d80432c79 1555 case RC4_TYPE:
wolfSSL 4:1b0d80432c79 1556 {
wolfSSL 4:1b0d80432c79 1557 Arc4 dec;
wolfSSL 4:1b0d80432c79 1558
wolfSSL 4:1b0d80432c79 1559 wc_Arc4SetKey(&dec, key, derivedLen);
wolfSSL 4:1b0d80432c79 1560 wc_Arc4Process(&dec, input, input, length);
wolfSSL 4:1b0d80432c79 1561 break;
wolfSSL 4:1b0d80432c79 1562 }
wolfSSL 4:1b0d80432c79 1563 #endif
wolfSSL 4:1b0d80432c79 1564
wolfSSL 4:1b0d80432c79 1565 default:
wolfSSL 4:1b0d80432c79 1566 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1567 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1568 #endif
wolfSSL 4:1b0d80432c79 1569 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 1570 }
wolfSSL 4:1b0d80432c79 1571
wolfSSL 4:1b0d80432c79 1572 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1573 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1574 #endif
wolfSSL 4:1b0d80432c79 1575
wolfSSL 4:1b0d80432c79 1576 return 0;
wolfSSL 4:1b0d80432c79 1577 }
wolfSSL 4:1b0d80432c79 1578
wolfSSL 4:1b0d80432c79 1579
wolfSSL 4:1b0d80432c79 1580 /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
wolfSSL 4:1b0d80432c79 1581 of input */
wolfSSL 4:1b0d80432c79 1582 int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL 4:1b0d80432c79 1583 {
wolfSSL 4:1b0d80432c79 1584 word32 inOutIdx = 0, oid;
wolfSSL 4:1b0d80432c79 1585 int first, second, length, version, saltSz, id;
wolfSSL 4:1b0d80432c79 1586 int iterations = 0;
wolfSSL 4:1b0d80432c79 1587 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1588 byte* salt = NULL;
wolfSSL 4:1b0d80432c79 1589 byte* cbcIv = NULL;
wolfSSL 4:1b0d80432c79 1590 #else
wolfSSL 4:1b0d80432c79 1591 byte salt[MAX_SALT_SIZE];
wolfSSL 4:1b0d80432c79 1592 byte cbcIv[MAX_IV_SIZE];
wolfSSL 4:1b0d80432c79 1593 #endif
wolfSSL 4:1b0d80432c79 1594
wolfSSL 4:1b0d80432c79 1595 if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1596 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1597
wolfSSL 4:1b0d80432c79 1598 if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0)
wolfSSL 4:1b0d80432c79 1599 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1600
wolfSSL 4:1b0d80432c79 1601 first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */
wolfSSL 4:1b0d80432c79 1602 second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL 4:1b0d80432c79 1603
wolfSSL 4:1b0d80432c79 1604 if (CheckAlgo(first, second, &id, &version) < 0)
wolfSSL 4:1b0d80432c79 1605 return ASN_INPUT_E; /* Algo ID error */
wolfSSL 4:1b0d80432c79 1606
wolfSSL 4:1b0d80432c79 1607 if (version == PKCS5v2) {
wolfSSL 4:1b0d80432c79 1608
wolfSSL 4:1b0d80432c79 1609 if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1610 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1611
wolfSSL 4:1b0d80432c79 1612 if (GetAlgoId(input, &inOutIdx, &oid, kdfType, sz) < 0)
wolfSSL 4:1b0d80432c79 1613 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1614
wolfSSL 4:1b0d80432c79 1615 if (oid != PBKDF2_OID)
wolfSSL 4:1b0d80432c79 1616 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1617 }
wolfSSL 4:1b0d80432c79 1618
wolfSSL 4:1b0d80432c79 1619 if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 1620 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1621
wolfSSL 4:1b0d80432c79 1622 if (input[inOutIdx++] != ASN_OCTET_STRING)
wolfSSL 4:1b0d80432c79 1623 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1624
wolfSSL 4:1b0d80432c79 1625 if (GetLength(input, &inOutIdx, &saltSz, sz) < 0)
wolfSSL 4:1b0d80432c79 1626 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1627
wolfSSL 4:1b0d80432c79 1628 if (saltSz > MAX_SALT_SIZE)
wolfSSL 4:1b0d80432c79 1629 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1630
wolfSSL 4:1b0d80432c79 1631 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1632 salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1633 if (salt == NULL)
wolfSSL 4:1b0d80432c79 1634 return MEMORY_E;
wolfSSL 4:1b0d80432c79 1635 #endif
wolfSSL 4:1b0d80432c79 1636
wolfSSL 4:1b0d80432c79 1637 XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL 4:1b0d80432c79 1638 inOutIdx += saltSz;
wolfSSL 4:1b0d80432c79 1639
wolfSSL 4:1b0d80432c79 1640 if (GetShortInt(input, &inOutIdx, &iterations) < 0) {
wolfSSL 4:1b0d80432c79 1641 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1642 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1643 #endif
wolfSSL 4:1b0d80432c79 1644 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1645 }
wolfSSL 4:1b0d80432c79 1646
wolfSSL 4:1b0d80432c79 1647 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1648 cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1649 if (cbcIv == NULL) {
wolfSSL 4:1b0d80432c79 1650 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1651 return MEMORY_E;
wolfSSL 4:1b0d80432c79 1652 }
wolfSSL 4:1b0d80432c79 1653 #endif
wolfSSL 4:1b0d80432c79 1654
wolfSSL 4:1b0d80432c79 1655 if (version == PKCS5v2) {
wolfSSL 4:1b0d80432c79 1656 /* get encryption algo */
wolfSSL 4:1b0d80432c79 1657 /* JOHN: New type. Need a little more research. */
wolfSSL 4:1b0d80432c79 1658 if (GetAlgoId(input, &inOutIdx, &oid, blkType, sz) < 0) {
wolfSSL 4:1b0d80432c79 1659 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1660 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1661 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1662 #endif
wolfSSL 4:1b0d80432c79 1663 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1664 }
wolfSSL 4:1b0d80432c79 1665
wolfSSL 4:1b0d80432c79 1666 if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL 4:1b0d80432c79 1667 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1668 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1669 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1670 #endif
wolfSSL 4:1b0d80432c79 1671 return ASN_PARSE_E; /* PKCS v2 algo id error */
wolfSSL 4:1b0d80432c79 1672 }
wolfSSL 4:1b0d80432c79 1673
wolfSSL 4:1b0d80432c79 1674 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 1675 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1676 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1677 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1678 #endif
wolfSSL 4:1b0d80432c79 1679 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1680 }
wolfSSL 4:1b0d80432c79 1681
wolfSSL 4:1b0d80432c79 1682 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 1683 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1684 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1685 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1686 #endif
wolfSSL 4:1b0d80432c79 1687 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1688 }
wolfSSL 4:1b0d80432c79 1689
wolfSSL 4:1b0d80432c79 1690 XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL 4:1b0d80432c79 1691 inOutIdx += length;
wolfSSL 4:1b0d80432c79 1692 }
wolfSSL 4:1b0d80432c79 1693
wolfSSL 4:1b0d80432c79 1694 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 1695 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1696 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1697 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1698 #endif
wolfSSL 4:1b0d80432c79 1699 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1700 }
wolfSSL 4:1b0d80432c79 1701
wolfSSL 4:1b0d80432c79 1702 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 1703 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1704 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1705 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1706 #endif
wolfSSL 4:1b0d80432c79 1707 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1708 }
wolfSSL 4:1b0d80432c79 1709
wolfSSL 4:1b0d80432c79 1710 if (DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL 4:1b0d80432c79 1711 input + inOutIdx, length, version, cbcIv) < 0) {
wolfSSL 4:1b0d80432c79 1712 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1713 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1714 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1715 #endif
wolfSSL 4:1b0d80432c79 1716 return ASN_INPUT_E; /* decrypt failure */
wolfSSL 4:1b0d80432c79 1717 }
wolfSSL 4:1b0d80432c79 1718
wolfSSL 4:1b0d80432c79 1719 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 1720 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1721 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 1722 #endif
wolfSSL 4:1b0d80432c79 1723
wolfSSL 4:1b0d80432c79 1724 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 4:1b0d80432c79 1725 return ToTraditional(input, length);
wolfSSL 4:1b0d80432c79 1726 }
wolfSSL 4:1b0d80432c79 1727
wolfSSL 4:1b0d80432c79 1728 #endif /* NO_PWDBASED */
wolfSSL 4:1b0d80432c79 1729
wolfSSL 4:1b0d80432c79 1730 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 1731
wolfSSL 4:1b0d80432c79 1732 #ifndef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 1733 int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 4:1b0d80432c79 1734 word32 inSz)
wolfSSL 4:1b0d80432c79 1735 {
wolfSSL 4:1b0d80432c79 1736 int length;
wolfSSL 4:1b0d80432c79 1737
wolfSSL 4:1b0d80432c79 1738 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1739 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1740
wolfSSL 4:1b0d80432c79 1741 key->type = RSA_PUBLIC;
wolfSSL 4:1b0d80432c79 1742
wolfSSL 4:1b0d80432c79 1743 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 4:1b0d80432c79 1744 {
wolfSSL 4:1b0d80432c79 1745 byte b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 1746 if (b != ASN_INTEGER) {
wolfSSL 4:1b0d80432c79 1747 /* not from decoded cert, will have algo id, skip past */
wolfSSL 4:1b0d80432c79 1748 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1749 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1750
wolfSSL 4:1b0d80432c79 1751 if (SkipObjectId(input, inOutIdx, inSz) < 0)
wolfSSL 4:1b0d80432c79 1752 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1753
wolfSSL 4:1b0d80432c79 1754 /* could have NULL tag and 0 terminator, but may not */
wolfSSL 4:1b0d80432c79 1755 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 1756
wolfSSL 4:1b0d80432c79 1757 if (b == ASN_TAG_NULL) {
wolfSSL 4:1b0d80432c79 1758 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 1759 if (b != 0)
wolfSSL 4:1b0d80432c79 1760 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 1761 }
wolfSSL 4:1b0d80432c79 1762 else
wolfSSL 4:1b0d80432c79 1763 /* go back, didn't have it */
wolfSSL 4:1b0d80432c79 1764 (*inOutIdx)--;
wolfSSL 4:1b0d80432c79 1765
wolfSSL 4:1b0d80432c79 1766 /* should have bit tag length and seq next */
wolfSSL 4:1b0d80432c79 1767 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 1768 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 1769 return ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 1770
wolfSSL 4:1b0d80432c79 1771 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1772 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1773
wolfSSL 4:1b0d80432c79 1774 /* could have 0 */
wolfSSL 4:1b0d80432c79 1775 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 1776 if (b != 0)
wolfSSL 4:1b0d80432c79 1777 (*inOutIdx)--;
wolfSSL 4:1b0d80432c79 1778
wolfSSL 4:1b0d80432c79 1779 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1780 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1781 } /* end if */
wolfSSL 4:1b0d80432c79 1782 } /* openssl var block */
wolfSSL 4:1b0d80432c79 1783 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 1784
wolfSSL 4:1b0d80432c79 1785 if (GetInt(&key->n, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1786 GetInt(&key->e, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL 4:1b0d80432c79 1787
wolfSSL 4:1b0d80432c79 1788 return 0;
wolfSSL 4:1b0d80432c79 1789 }
wolfSSL 4:1b0d80432c79 1790
wolfSSL 4:1b0d80432c79 1791 /* import RSA public key elements (n, e) into RsaKey structure (key) */
wolfSSL 4:1b0d80432c79 1792 int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
wolfSSL 4:1b0d80432c79 1793 word32 eSz, RsaKey* key)
wolfSSL 4:1b0d80432c79 1794 {
wolfSSL 4:1b0d80432c79 1795 if (n == NULL || e == NULL || key == NULL)
wolfSSL 4:1b0d80432c79 1796 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 1797
wolfSSL 4:1b0d80432c79 1798 key->type = RSA_PUBLIC;
wolfSSL 4:1b0d80432c79 1799
wolfSSL 4:1b0d80432c79 1800 if (mp_init(&key->n) != MP_OKAY)
wolfSSL 4:1b0d80432c79 1801 return MP_INIT_E;
wolfSSL 4:1b0d80432c79 1802
wolfSSL 4:1b0d80432c79 1803 if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) {
wolfSSL 4:1b0d80432c79 1804 mp_clear(&key->n);
wolfSSL 4:1b0d80432c79 1805 return ASN_GETINT_E;
wolfSSL 4:1b0d80432c79 1806 }
wolfSSL 4:1b0d80432c79 1807
wolfSSL 4:1b0d80432c79 1808 if (mp_init(&key->e) != MP_OKAY) {
wolfSSL 4:1b0d80432c79 1809 mp_clear(&key->n);
wolfSSL 4:1b0d80432c79 1810 return MP_INIT_E;
wolfSSL 4:1b0d80432c79 1811 }
wolfSSL 4:1b0d80432c79 1812
wolfSSL 4:1b0d80432c79 1813 if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) {
wolfSSL 4:1b0d80432c79 1814 mp_clear(&key->n);
wolfSSL 4:1b0d80432c79 1815 mp_clear(&key->e);
wolfSSL 4:1b0d80432c79 1816 return ASN_GETINT_E;
wolfSSL 4:1b0d80432c79 1817 }
wolfSSL 4:1b0d80432c79 1818
wolfSSL 4:1b0d80432c79 1819 return 0;
wolfSSL 4:1b0d80432c79 1820 }
wolfSSL 4:1b0d80432c79 1821 #endif /* HAVE_USER_RSA */
wolfSSL 4:1b0d80432c79 1822 #endif
wolfSSL 4:1b0d80432c79 1823
wolfSSL 4:1b0d80432c79 1824 #ifndef NO_DH
wolfSSL 4:1b0d80432c79 1825
wolfSSL 4:1b0d80432c79 1826 int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
wolfSSL 4:1b0d80432c79 1827 {
wolfSSL 4:1b0d80432c79 1828 int length;
wolfSSL 4:1b0d80432c79 1829
wolfSSL 4:1b0d80432c79 1830 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1831 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1832
wolfSSL 4:1b0d80432c79 1833 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1834 GetInt(&key->g, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E;
wolfSSL 4:1b0d80432c79 1835
wolfSSL 4:1b0d80432c79 1836 return 0;
wolfSSL 4:1b0d80432c79 1837 }
wolfSSL 4:1b0d80432c79 1838
wolfSSL 4:1b0d80432c79 1839
wolfSSL 4:1b0d80432c79 1840 int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
wolfSSL 4:1b0d80432c79 1841 byte* g, word32* gInOutSz)
wolfSSL 4:1b0d80432c79 1842 {
wolfSSL 4:1b0d80432c79 1843 word32 i = 0;
wolfSSL 4:1b0d80432c79 1844 byte b;
wolfSSL 4:1b0d80432c79 1845 int length;
wolfSSL 4:1b0d80432c79 1846
wolfSSL 4:1b0d80432c79 1847 if (GetSequence(input, &i, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1848 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1849
wolfSSL 4:1b0d80432c79 1850 b = input[i++];
wolfSSL 4:1b0d80432c79 1851 if (b != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 1852 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1853
wolfSSL 4:1b0d80432c79 1854 if (GetLength(input, &i, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1855 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1856
wolfSSL 4:1b0d80432c79 1857 if ( (b = input[i++]) == 0x00)
wolfSSL 4:1b0d80432c79 1858 length--;
wolfSSL 4:1b0d80432c79 1859 else
wolfSSL 4:1b0d80432c79 1860 i--;
wolfSSL 4:1b0d80432c79 1861
wolfSSL 4:1b0d80432c79 1862 if (length <= (int)*pInOutSz) {
wolfSSL 4:1b0d80432c79 1863 XMEMCPY(p, &input[i], length);
wolfSSL 4:1b0d80432c79 1864 *pInOutSz = length;
wolfSSL 4:1b0d80432c79 1865 }
wolfSSL 4:1b0d80432c79 1866 else
wolfSSL 4:1b0d80432c79 1867 return BUFFER_E;
wolfSSL 4:1b0d80432c79 1868
wolfSSL 4:1b0d80432c79 1869 i += length;
wolfSSL 4:1b0d80432c79 1870
wolfSSL 4:1b0d80432c79 1871 b = input[i++];
wolfSSL 4:1b0d80432c79 1872 if (b != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 1873 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1874
wolfSSL 4:1b0d80432c79 1875 if (GetLength(input, &i, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1876 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1877
wolfSSL 4:1b0d80432c79 1878 if (length <= (int)*gInOutSz) {
wolfSSL 4:1b0d80432c79 1879 XMEMCPY(g, &input[i], length);
wolfSSL 4:1b0d80432c79 1880 *gInOutSz = length;
wolfSSL 4:1b0d80432c79 1881 }
wolfSSL 4:1b0d80432c79 1882 else
wolfSSL 4:1b0d80432c79 1883 return BUFFER_E;
wolfSSL 4:1b0d80432c79 1884
wolfSSL 4:1b0d80432c79 1885 return 0;
wolfSSL 4:1b0d80432c79 1886 }
wolfSSL 4:1b0d80432c79 1887
wolfSSL 4:1b0d80432c79 1888 #endif /* NO_DH */
wolfSSL 4:1b0d80432c79 1889
wolfSSL 4:1b0d80432c79 1890
wolfSSL 4:1b0d80432c79 1891 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 1892
wolfSSL 4:1b0d80432c79 1893 int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 4:1b0d80432c79 1894 word32 inSz)
wolfSSL 4:1b0d80432c79 1895 {
wolfSSL 4:1b0d80432c79 1896 int length;
wolfSSL 4:1b0d80432c79 1897
wolfSSL 4:1b0d80432c79 1898 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1899 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1900
wolfSSL 4:1b0d80432c79 1901 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1902 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1903 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1904 GetInt(&key->y, input, inOutIdx, inSz) < 0 )
wolfSSL 4:1b0d80432c79 1905 return ASN_DH_KEY_E;
wolfSSL 4:1b0d80432c79 1906
wolfSSL 4:1b0d80432c79 1907 key->type = DSA_PUBLIC;
wolfSSL 4:1b0d80432c79 1908 return 0;
wolfSSL 4:1b0d80432c79 1909 }
wolfSSL 4:1b0d80432c79 1910
wolfSSL 4:1b0d80432c79 1911
wolfSSL 4:1b0d80432c79 1912 int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 4:1b0d80432c79 1913 word32 inSz)
wolfSSL 4:1b0d80432c79 1914 {
wolfSSL 4:1b0d80432c79 1915 int length, version;
wolfSSL 4:1b0d80432c79 1916
wolfSSL 4:1b0d80432c79 1917 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 1918 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1919
wolfSSL 4:1b0d80432c79 1920 if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL 4:1b0d80432c79 1921 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 1922
wolfSSL 4:1b0d80432c79 1923 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1924 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1925 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1926 GetInt(&key->y, input, inOutIdx, inSz) < 0 ||
wolfSSL 4:1b0d80432c79 1927 GetInt(&key->x, input, inOutIdx, inSz) < 0 )
wolfSSL 4:1b0d80432c79 1928 return ASN_DH_KEY_E;
wolfSSL 4:1b0d80432c79 1929
wolfSSL 4:1b0d80432c79 1930 key->type = DSA_PRIVATE;
wolfSSL 4:1b0d80432c79 1931 return 0;
wolfSSL 4:1b0d80432c79 1932 }
wolfSSL 4:1b0d80432c79 1933
wolfSSL 4:1b0d80432c79 1934 static mp_int* GetDsaInt(DsaKey* key, int idx)
wolfSSL 4:1b0d80432c79 1935 {
wolfSSL 4:1b0d80432c79 1936 if (idx == 0)
wolfSSL 4:1b0d80432c79 1937 return &key->p;
wolfSSL 4:1b0d80432c79 1938 if (idx == 1)
wolfSSL 4:1b0d80432c79 1939 return &key->q;
wolfSSL 4:1b0d80432c79 1940 if (idx == 2)
wolfSSL 4:1b0d80432c79 1941 return &key->g;
wolfSSL 4:1b0d80432c79 1942 if (idx == 3)
wolfSSL 4:1b0d80432c79 1943 return &key->y;
wolfSSL 4:1b0d80432c79 1944 if (idx == 4)
wolfSSL 4:1b0d80432c79 1945 return &key->x;
wolfSSL 4:1b0d80432c79 1946
wolfSSL 4:1b0d80432c79 1947 return NULL;
wolfSSL 4:1b0d80432c79 1948 }
wolfSSL 4:1b0d80432c79 1949
wolfSSL 4:1b0d80432c79 1950 /* Release Tmp DSA resources */
wolfSSL 4:1b0d80432c79 1951 static INLINE void FreeTmpDsas(byte** tmps)
wolfSSL 4:1b0d80432c79 1952 {
wolfSSL 4:1b0d80432c79 1953 int i;
wolfSSL 4:1b0d80432c79 1954
wolfSSL 4:1b0d80432c79 1955 for (i = 0; i < DSA_INTS; i++)
wolfSSL 4:1b0d80432c79 1956 XFREE(tmps[i], NULL, DYNAMIC_TYPE_DSA);
wolfSSL 4:1b0d80432c79 1957 }
wolfSSL 4:1b0d80432c79 1958
wolfSSL 4:1b0d80432c79 1959 /* Convert DsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 4:1b0d80432c79 1960 written */
wolfSSL 4:1b0d80432c79 1961 int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
wolfSSL 4:1b0d80432c79 1962 {
wolfSSL 4:1b0d80432c79 1963 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 4:1b0d80432c79 1964 word32 sizes[DSA_INTS];
wolfSSL 4:1b0d80432c79 1965 int i, j, outLen, ret = 0, lbit;
wolfSSL 4:1b0d80432c79 1966
wolfSSL 4:1b0d80432c79 1967 byte seq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 1968 byte ver[MAX_VERSION_SZ];
wolfSSL 4:1b0d80432c79 1969 byte* tmps[DSA_INTS];
wolfSSL 4:1b0d80432c79 1970
wolfSSL 4:1b0d80432c79 1971 if (!key || !output)
wolfSSL 4:1b0d80432c79 1972 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 1973
wolfSSL 4:1b0d80432c79 1974 if (key->type != DSA_PRIVATE)
wolfSSL 4:1b0d80432c79 1975 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 1976
wolfSSL 4:1b0d80432c79 1977 for (i = 0; i < DSA_INTS; i++)
wolfSSL 4:1b0d80432c79 1978 tmps[i] = NULL;
wolfSSL 4:1b0d80432c79 1979
wolfSSL 4:1b0d80432c79 1980 /* write all big ints from key to DER tmps */
wolfSSL 4:1b0d80432c79 1981 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 4:1b0d80432c79 1982 mp_int* keyInt = GetDsaInt(key, i);
wolfSSL 4:1b0d80432c79 1983
wolfSSL 4:1b0d80432c79 1984 /* leading zero */
wolfSSL 4:1b0d80432c79 1985 lbit = mp_leading_bit(keyInt);
wolfSSL 4:1b0d80432c79 1986 rawLen = mp_unsigned_bin_size(keyInt) + lbit;
wolfSSL 4:1b0d80432c79 1987
wolfSSL 4:1b0d80432c79 1988 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, NULL, DYNAMIC_TYPE_DSA);
wolfSSL 4:1b0d80432c79 1989 if (tmps[i] == NULL) {
wolfSSL 4:1b0d80432c79 1990 ret = MEMORY_E;
wolfSSL 4:1b0d80432c79 1991 break;
wolfSSL 4:1b0d80432c79 1992 }
wolfSSL 4:1b0d80432c79 1993
wolfSSL 4:1b0d80432c79 1994 tmps[i][0] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 1995 sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */
wolfSSL 4:1b0d80432c79 1996
wolfSSL 4:1b0d80432c79 1997 if (sizes[i] <= MAX_SEQ_SZ) {
wolfSSL 4:1b0d80432c79 1998 int err;
wolfSSL 4:1b0d80432c79 1999
wolfSSL 4:1b0d80432c79 2000 /* leading zero */
wolfSSL 4:1b0d80432c79 2001 if (lbit)
wolfSSL 4:1b0d80432c79 2002 tmps[i][sizes[i]-1] = 0x00;
wolfSSL 4:1b0d80432c79 2003
wolfSSL 4:1b0d80432c79 2004 err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
wolfSSL 4:1b0d80432c79 2005 if (err == MP_OKAY) {
wolfSSL 4:1b0d80432c79 2006 sizes[i] += (rawLen-lbit); /* lbit included in rawLen */
wolfSSL 4:1b0d80432c79 2007 intTotalLen += sizes[i];
wolfSSL 4:1b0d80432c79 2008 }
wolfSSL 4:1b0d80432c79 2009 else {
wolfSSL 4:1b0d80432c79 2010 ret = err;
wolfSSL 4:1b0d80432c79 2011 break;
wolfSSL 4:1b0d80432c79 2012 }
wolfSSL 4:1b0d80432c79 2013 }
wolfSSL 4:1b0d80432c79 2014 else {
wolfSSL 4:1b0d80432c79 2015 ret = ASN_INPUT_E;
wolfSSL 4:1b0d80432c79 2016 break;
wolfSSL 4:1b0d80432c79 2017 }
wolfSSL 4:1b0d80432c79 2018 }
wolfSSL 4:1b0d80432c79 2019
wolfSSL 4:1b0d80432c79 2020 if (ret != 0) {
wolfSSL 4:1b0d80432c79 2021 FreeTmpDsas(tmps);
wolfSSL 4:1b0d80432c79 2022 return ret;
wolfSSL 4:1b0d80432c79 2023 }
wolfSSL 4:1b0d80432c79 2024
wolfSSL 4:1b0d80432c79 2025 /* make headers */
wolfSSL 4:1b0d80432c79 2026 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 4:1b0d80432c79 2027 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 4:1b0d80432c79 2028
wolfSSL 4:1b0d80432c79 2029 outLen = seqSz + verSz + intTotalLen;
wolfSSL 4:1b0d80432c79 2030 if (outLen > (int)inLen)
wolfSSL 4:1b0d80432c79 2031 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 2032
wolfSSL 4:1b0d80432c79 2033 /* write to output */
wolfSSL 4:1b0d80432c79 2034 XMEMCPY(output, seq, seqSz);
wolfSSL 4:1b0d80432c79 2035 j = seqSz;
wolfSSL 4:1b0d80432c79 2036 XMEMCPY(output + j, ver, verSz);
wolfSSL 4:1b0d80432c79 2037 j += verSz;
wolfSSL 4:1b0d80432c79 2038
wolfSSL 4:1b0d80432c79 2039 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 4:1b0d80432c79 2040 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 4:1b0d80432c79 2041 j += sizes[i];
wolfSSL 4:1b0d80432c79 2042 }
wolfSSL 4:1b0d80432c79 2043 FreeTmpDsas(tmps);
wolfSSL 4:1b0d80432c79 2044
wolfSSL 4:1b0d80432c79 2045 return outLen;
wolfSSL 4:1b0d80432c79 2046 }
wolfSSL 4:1b0d80432c79 2047
wolfSSL 4:1b0d80432c79 2048 #endif /* NO_DSA */
wolfSSL 4:1b0d80432c79 2049
wolfSSL 4:1b0d80432c79 2050
wolfSSL 4:1b0d80432c79 2051 void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
wolfSSL 4:1b0d80432c79 2052 {
wolfSSL 4:1b0d80432c79 2053 cert->publicKey = 0;
wolfSSL 4:1b0d80432c79 2054 cert->pubKeySize = 0;
wolfSSL 4:1b0d80432c79 2055 cert->pubKeyStored = 0;
wolfSSL 4:1b0d80432c79 2056 cert->version = 0;
wolfSSL 4:1b0d80432c79 2057 cert->signature = 0;
wolfSSL 4:1b0d80432c79 2058 cert->subjectCN = 0;
wolfSSL 4:1b0d80432c79 2059 cert->subjectCNLen = 0;
wolfSSL 4:1b0d80432c79 2060 cert->subjectCNEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2061 cert->subjectCNStored = 0;
wolfSSL 4:1b0d80432c79 2062 cert->weOwnAltNames = 0;
wolfSSL 4:1b0d80432c79 2063 cert->altNames = NULL;
wolfSSL 4:1b0d80432c79 2064 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 2065 cert->altEmailNames = NULL;
wolfSSL 4:1b0d80432c79 2066 cert->permittedNames = NULL;
wolfSSL 4:1b0d80432c79 2067 cert->excludedNames = NULL;
wolfSSL 4:1b0d80432c79 2068 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 2069 cert->issuer[0] = '\0';
wolfSSL 4:1b0d80432c79 2070 cert->subject[0] = '\0';
wolfSSL 4:1b0d80432c79 2071 cert->source = source; /* don't own */
wolfSSL 4:1b0d80432c79 2072 cert->srcIdx = 0;
wolfSSL 4:1b0d80432c79 2073 cert->maxIdx = inSz; /* can't go over this index */
wolfSSL 4:1b0d80432c79 2074 cert->heap = heap;
wolfSSL 4:1b0d80432c79 2075 XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE);
wolfSSL 4:1b0d80432c79 2076 cert->serialSz = 0;
wolfSSL 4:1b0d80432c79 2077 cert->extensions = 0;
wolfSSL 4:1b0d80432c79 2078 cert->extensionsSz = 0;
wolfSSL 4:1b0d80432c79 2079 cert->extensionsIdx = 0;
wolfSSL 4:1b0d80432c79 2080 cert->extAuthInfo = NULL;
wolfSSL 4:1b0d80432c79 2081 cert->extAuthInfoSz = 0;
wolfSSL 4:1b0d80432c79 2082 cert->extCrlInfo = NULL;
wolfSSL 4:1b0d80432c79 2083 cert->extCrlInfoSz = 0;
wolfSSL 4:1b0d80432c79 2084 XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 2085 cert->extSubjKeyIdSet = 0;
wolfSSL 4:1b0d80432c79 2086 XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 2087 cert->extAuthKeyIdSet = 0;
wolfSSL 4:1b0d80432c79 2088 cert->extKeyUsageSet = 0;
wolfSSL 4:1b0d80432c79 2089 cert->extKeyUsage = 0;
wolfSSL 4:1b0d80432c79 2090 cert->extExtKeyUsageSet = 0;
wolfSSL 4:1b0d80432c79 2091 cert->extExtKeyUsage = 0;
wolfSSL 4:1b0d80432c79 2092 cert->isCA = 0;
wolfSSL 4:1b0d80432c79 2093 #ifdef HAVE_PKCS7
wolfSSL 4:1b0d80432c79 2094 cert->issuerRaw = NULL;
wolfSSL 4:1b0d80432c79 2095 cert->issuerRawLen = 0;
wolfSSL 4:1b0d80432c79 2096 #endif
wolfSSL 4:1b0d80432c79 2097 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2098 cert->subjectSN = 0;
wolfSSL 4:1b0d80432c79 2099 cert->subjectSNLen = 0;
wolfSSL 4:1b0d80432c79 2100 cert->subjectSNEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2101 cert->subjectC = 0;
wolfSSL 4:1b0d80432c79 2102 cert->subjectCLen = 0;
wolfSSL 4:1b0d80432c79 2103 cert->subjectCEnc = CTC_PRINTABLE;
wolfSSL 4:1b0d80432c79 2104 cert->subjectL = 0;
wolfSSL 4:1b0d80432c79 2105 cert->subjectLLen = 0;
wolfSSL 4:1b0d80432c79 2106 cert->subjectLEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2107 cert->subjectST = 0;
wolfSSL 4:1b0d80432c79 2108 cert->subjectSTLen = 0;
wolfSSL 4:1b0d80432c79 2109 cert->subjectSTEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2110 cert->subjectO = 0;
wolfSSL 4:1b0d80432c79 2111 cert->subjectOLen = 0;
wolfSSL 4:1b0d80432c79 2112 cert->subjectOEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2113 cert->subjectOU = 0;
wolfSSL 4:1b0d80432c79 2114 cert->subjectOULen = 0;
wolfSSL 4:1b0d80432c79 2115 cert->subjectOUEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 2116 cert->subjectEmail = 0;
wolfSSL 4:1b0d80432c79 2117 cert->subjectEmailLen = 0;
wolfSSL 4:1b0d80432c79 2118 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2119 cert->beforeDate = NULL;
wolfSSL 4:1b0d80432c79 2120 cert->beforeDateLen = 0;
wolfSSL 4:1b0d80432c79 2121 cert->afterDate = NULL;
wolfSSL 4:1b0d80432c79 2122 cert->afterDateLen = 0;
wolfSSL 4:1b0d80432c79 2123 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2124 XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
wolfSSL 4:1b0d80432c79 2125 XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
wolfSSL 4:1b0d80432c79 2126 cert->extBasicConstSet = 0;
wolfSSL 4:1b0d80432c79 2127 cert->extBasicConstCrit = 0;
wolfSSL 4:1b0d80432c79 2128 cert->extBasicConstPlSet = 0;
wolfSSL 4:1b0d80432c79 2129 cert->pathLength = 0;
wolfSSL 4:1b0d80432c79 2130 cert->extSubjAltNameSet = 0;
wolfSSL 4:1b0d80432c79 2131 cert->extSubjAltNameCrit = 0;
wolfSSL 4:1b0d80432c79 2132 cert->extAuthKeyIdCrit = 0;
wolfSSL 4:1b0d80432c79 2133 cert->extSubjKeyIdCrit = 0;
wolfSSL 4:1b0d80432c79 2134 cert->extKeyUsageCrit = 0;
wolfSSL 4:1b0d80432c79 2135 cert->extExtKeyUsageCrit = 0;
wolfSSL 4:1b0d80432c79 2136 cert->extExtKeyUsageSrc = NULL;
wolfSSL 4:1b0d80432c79 2137 cert->extExtKeyUsageSz = 0;
wolfSSL 4:1b0d80432c79 2138 cert->extExtKeyUsageCount = 0;
wolfSSL 4:1b0d80432c79 2139 cert->extAuthKeyIdSrc = NULL;
wolfSSL 4:1b0d80432c79 2140 cert->extAuthKeyIdSz = 0;
wolfSSL 4:1b0d80432c79 2141 cert->extSubjKeyIdSrc = NULL;
wolfSSL 4:1b0d80432c79 2142 cert->extSubjKeyIdSz = 0;
wolfSSL 4:1b0d80432c79 2143 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2144 #if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS)
wolfSSL 4:1b0d80432c79 2145 cert->extNameConstraintSet = 0;
wolfSSL 4:1b0d80432c79 2146 #endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 2147 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 2148 cert->pkCurveOID = 0;
wolfSSL 4:1b0d80432c79 2149 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 2150 #ifdef WOLFSSL_SEP
wolfSSL 4:1b0d80432c79 2151 cert->deviceTypeSz = 0;
wolfSSL 4:1b0d80432c79 2152 cert->deviceType = NULL;
wolfSSL 4:1b0d80432c79 2153 cert->hwTypeSz = 0;
wolfSSL 4:1b0d80432c79 2154 cert->hwType = NULL;
wolfSSL 4:1b0d80432c79 2155 cert->hwSerialNumSz = 0;
wolfSSL 4:1b0d80432c79 2156 cert->hwSerialNum = NULL;
wolfSSL 4:1b0d80432c79 2157 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2158 cert->extCertPolicySet = 0;
wolfSSL 4:1b0d80432c79 2159 cert->extCertPolicyCrit = 0;
wolfSSL 4:1b0d80432c79 2160 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2161 #endif /* WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 2162 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 2163 XMEMSET(cert->extCertPolicies, 0, MAX_CERTPOL_NB*MAX_CERTPOL_SZ);
wolfSSL 4:1b0d80432c79 2164 cert->extCertPoliciesNb = 0;
wolfSSL 4:1b0d80432c79 2165 #endif
wolfSSL 4:1b0d80432c79 2166 }
wolfSSL 4:1b0d80432c79 2167
wolfSSL 4:1b0d80432c79 2168
wolfSSL 4:1b0d80432c79 2169 void FreeAltNames(DNS_entry* altNames, void* heap)
wolfSSL 4:1b0d80432c79 2170 {
wolfSSL 4:1b0d80432c79 2171 (void)heap;
wolfSSL 4:1b0d80432c79 2172
wolfSSL 4:1b0d80432c79 2173 while (altNames) {
wolfSSL 4:1b0d80432c79 2174 DNS_entry* tmp = altNames->next;
wolfSSL 4:1b0d80432c79 2175
wolfSSL 4:1b0d80432c79 2176 XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2177 XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2178 altNames = tmp;
wolfSSL 4:1b0d80432c79 2179 }
wolfSSL 4:1b0d80432c79 2180 }
wolfSSL 4:1b0d80432c79 2181
wolfSSL 4:1b0d80432c79 2182 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 2183
wolfSSL 4:1b0d80432c79 2184 void FreeNameSubtrees(Base_entry* names, void* heap)
wolfSSL 4:1b0d80432c79 2185 {
wolfSSL 4:1b0d80432c79 2186 (void)heap;
wolfSSL 4:1b0d80432c79 2187
wolfSSL 4:1b0d80432c79 2188 while (names) {
wolfSSL 4:1b0d80432c79 2189 Base_entry* tmp = names->next;
wolfSSL 4:1b0d80432c79 2190
wolfSSL 4:1b0d80432c79 2191 XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2192 XFREE(names, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2193 names = tmp;
wolfSSL 4:1b0d80432c79 2194 }
wolfSSL 4:1b0d80432c79 2195 }
wolfSSL 4:1b0d80432c79 2196
wolfSSL 4:1b0d80432c79 2197 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 2198
wolfSSL 4:1b0d80432c79 2199 void FreeDecodedCert(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 2200 {
wolfSSL 4:1b0d80432c79 2201 if (cert->subjectCNStored == 1)
wolfSSL 4:1b0d80432c79 2202 XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 4:1b0d80432c79 2203 if (cert->pubKeyStored == 1)
wolfSSL 4:1b0d80432c79 2204 XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 4:1b0d80432c79 2205 if (cert->weOwnAltNames && cert->altNames)
wolfSSL 4:1b0d80432c79 2206 FreeAltNames(cert->altNames, cert->heap);
wolfSSL 4:1b0d80432c79 2207 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 2208 if (cert->altEmailNames)
wolfSSL 4:1b0d80432c79 2209 FreeAltNames(cert->altEmailNames, cert->heap);
wolfSSL 4:1b0d80432c79 2210 if (cert->permittedNames)
wolfSSL 4:1b0d80432c79 2211 FreeNameSubtrees(cert->permittedNames, cert->heap);
wolfSSL 4:1b0d80432c79 2212 if (cert->excludedNames)
wolfSSL 4:1b0d80432c79 2213 FreeNameSubtrees(cert->excludedNames, cert->heap);
wolfSSL 4:1b0d80432c79 2214 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 2215 #ifdef WOLFSSL_SEP
wolfSSL 4:1b0d80432c79 2216 XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 2217 XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 2218 XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 2219 #endif /* WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 2220 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2221 if (cert->issuerName.fullName != NULL)
wolfSSL 4:1b0d80432c79 2222 XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509);
wolfSSL 4:1b0d80432c79 2223 if (cert->subjectName.fullName != NULL)
wolfSSL 4:1b0d80432c79 2224 XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509);
wolfSSL 4:1b0d80432c79 2225 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2226 }
wolfSSL 4:1b0d80432c79 2227
wolfSSL 4:1b0d80432c79 2228 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 2229 static int GetCertHeader(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 2230 {
wolfSSL 4:1b0d80432c79 2231 int ret = 0, len;
wolfSSL 4:1b0d80432c79 2232 byte serialTmp[EXTERNAL_SERIAL_SIZE];
wolfSSL 4:1b0d80432c79 2233 #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL 4:1b0d80432c79 2234 mp_int* mpi = NULL;
wolfSSL 4:1b0d80432c79 2235 #else
wolfSSL 4:1b0d80432c79 2236 mp_int stack_mpi;
wolfSSL 4:1b0d80432c79 2237 mp_int* mpi = &stack_mpi;
wolfSSL 4:1b0d80432c79 2238 #endif
wolfSSL 4:1b0d80432c79 2239
wolfSSL 4:1b0d80432c79 2240 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2241 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2242
wolfSSL 4:1b0d80432c79 2243 cert->certBegin = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2244
wolfSSL 4:1b0d80432c79 2245 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2246 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2247 cert->sigIndex = len + cert->srcIdx;
wolfSSL 4:1b0d80432c79 2248
wolfSSL 4:1b0d80432c79 2249 if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0)
wolfSSL 4:1b0d80432c79 2250 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2251
wolfSSL 4:1b0d80432c79 2252 #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL 4:1b0d80432c79 2253 mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2254 if (mpi == NULL)
wolfSSL 4:1b0d80432c79 2255 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2256 #endif
wolfSSL 4:1b0d80432c79 2257
wolfSSL 4:1b0d80432c79 2258 if (GetInt(mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 2259 #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL 4:1b0d80432c79 2260 XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2261 #endif
wolfSSL 4:1b0d80432c79 2262 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2263 }
wolfSSL 4:1b0d80432c79 2264
wolfSSL 4:1b0d80432c79 2265 len = mp_unsigned_bin_size(mpi);
wolfSSL 4:1b0d80432c79 2266 if (len < (int)sizeof(serialTmp)) {
wolfSSL 4:1b0d80432c79 2267 if ( (ret = mp_to_unsigned_bin(mpi, serialTmp)) == MP_OKAY) {
wolfSSL 4:1b0d80432c79 2268 XMEMCPY(cert->serial, serialTmp, len);
wolfSSL 4:1b0d80432c79 2269 cert->serialSz = len;
wolfSSL 4:1b0d80432c79 2270 }
wolfSSL 4:1b0d80432c79 2271 }
wolfSSL 4:1b0d80432c79 2272 mp_clear(mpi);
wolfSSL 4:1b0d80432c79 2273
wolfSSL 4:1b0d80432c79 2274 #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL 4:1b0d80432c79 2275 XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2276 #endif
wolfSSL 4:1b0d80432c79 2277
wolfSSL 4:1b0d80432c79 2278 return ret;
wolfSSL 4:1b0d80432c79 2279 }
wolfSSL 4:1b0d80432c79 2280
wolfSSL 4:1b0d80432c79 2281 #if !defined(NO_RSA)
wolfSSL 4:1b0d80432c79 2282 /* Store Rsa Key, may save later, Dsa could use in future */
wolfSSL 4:1b0d80432c79 2283 static int StoreRsaKey(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 2284 {
wolfSSL 4:1b0d80432c79 2285 int length;
wolfSSL 4:1b0d80432c79 2286 word32 recvd = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2287
wolfSSL 4:1b0d80432c79 2288 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2289 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2290
wolfSSL 4:1b0d80432c79 2291 recvd = cert->srcIdx - recvd;
wolfSSL 4:1b0d80432c79 2292 length += recvd;
wolfSSL 4:1b0d80432c79 2293
wolfSSL 4:1b0d80432c79 2294 while (recvd--)
wolfSSL 4:1b0d80432c79 2295 cert->srcIdx--;
wolfSSL 4:1b0d80432c79 2296
wolfSSL 4:1b0d80432c79 2297 cert->pubKeySize = length;
wolfSSL 4:1b0d80432c79 2298 cert->publicKey = cert->source + cert->srcIdx;
wolfSSL 4:1b0d80432c79 2299 cert->srcIdx += length;
wolfSSL 4:1b0d80432c79 2300
wolfSSL 4:1b0d80432c79 2301 return 0;
wolfSSL 4:1b0d80432c79 2302 }
wolfSSL 4:1b0d80432c79 2303 #endif
wolfSSL 4:1b0d80432c79 2304 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 2305
wolfSSL 4:1b0d80432c79 2306
wolfSSL 4:1b0d80432c79 2307 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 2308
wolfSSL 4:1b0d80432c79 2309 /* return 0 on success if the ECC curve oid sum is supported */
wolfSSL 4:1b0d80432c79 2310 static int CheckCurve(word32 oid)
wolfSSL 4:1b0d80432c79 2311 {
wolfSSL 4:1b0d80432c79 2312 int ret = 0;
wolfSSL 4:1b0d80432c79 2313
wolfSSL 4:1b0d80432c79 2314 switch (oid) {
wolfSSL 4:1b0d80432c79 2315 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
wolfSSL 4:1b0d80432c79 2316 case ECC_160R1:
wolfSSL 4:1b0d80432c79 2317 #endif
wolfSSL 4:1b0d80432c79 2318 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
wolfSSL 4:1b0d80432c79 2319 case ECC_192R1:
wolfSSL 4:1b0d80432c79 2320 #endif
wolfSSL 4:1b0d80432c79 2321 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
wolfSSL 4:1b0d80432c79 2322 case ECC_224R1:
wolfSSL 4:1b0d80432c79 2323 #endif
wolfSSL 4:1b0d80432c79 2324 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
wolfSSL 4:1b0d80432c79 2325 case ECC_256R1:
wolfSSL 4:1b0d80432c79 2326 #endif
wolfSSL 4:1b0d80432c79 2327 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
wolfSSL 4:1b0d80432c79 2328 case ECC_384R1:
wolfSSL 4:1b0d80432c79 2329 #endif
wolfSSL 4:1b0d80432c79 2330 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
wolfSSL 4:1b0d80432c79 2331 case ECC_521R1:
wolfSSL 4:1b0d80432c79 2332 #endif
wolfSSL 4:1b0d80432c79 2333 break;
wolfSSL 4:1b0d80432c79 2334
wolfSSL 4:1b0d80432c79 2335 default:
wolfSSL 4:1b0d80432c79 2336 ret = ALGO_ID_E;
wolfSSL 4:1b0d80432c79 2337 }
wolfSSL 4:1b0d80432c79 2338
wolfSSL 4:1b0d80432c79 2339 return ret;
wolfSSL 4:1b0d80432c79 2340 }
wolfSSL 4:1b0d80432c79 2341
wolfSSL 4:1b0d80432c79 2342 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 2343
wolfSSL 4:1b0d80432c79 2344 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 2345 static int GetKey(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 2346 {
wolfSSL 4:1b0d80432c79 2347 int length;
wolfSSL 4:1b0d80432c79 2348 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 2349 int tmpIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2350 #endif
wolfSSL 4:1b0d80432c79 2351
wolfSSL 4:1b0d80432c79 2352 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2353 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2354
wolfSSL 4:1b0d80432c79 2355 if (GetAlgoId(cert->source, &cert->srcIdx,
wolfSSL 4:1b0d80432c79 2356 &cert->keyOID, keyType, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2357 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2358
wolfSSL 4:1b0d80432c79 2359 switch (cert->keyOID) {
wolfSSL 4:1b0d80432c79 2360 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 2361 case RSAk:
wolfSSL 4:1b0d80432c79 2362 {
wolfSSL 4:1b0d80432c79 2363 byte b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2364 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 2365 return ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 2366
wolfSSL 4:1b0d80432c79 2367 if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2368 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2369 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2370 if (b != 0x00)
wolfSSL 4:1b0d80432c79 2371 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 2372
wolfSSL 4:1b0d80432c79 2373 return StoreRsaKey(cert);
wolfSSL 4:1b0d80432c79 2374 }
wolfSSL 4:1b0d80432c79 2375
wolfSSL 4:1b0d80432c79 2376 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 2377 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 2378 case NTRUk:
wolfSSL 4:1b0d80432c79 2379 {
wolfSSL 4:1b0d80432c79 2380 const byte* key = &cert->source[tmpIdx];
wolfSSL 4:1b0d80432c79 2381 byte* next = (byte*)key;
wolfSSL 4:1b0d80432c79 2382 word16 keyLen;
wolfSSL 4:1b0d80432c79 2383 word32 rc;
wolfSSL 4:1b0d80432c79 2384 word32 remaining = cert->maxIdx - cert->srcIdx;
wolfSSL 4:1b0d80432c79 2385 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2386 byte* keyBlob = NULL;
wolfSSL 4:1b0d80432c79 2387 #else
wolfSSL 4:1b0d80432c79 2388 byte keyBlob[MAX_NTRU_KEY_SZ];
wolfSSL 4:1b0d80432c79 2389 #endif
wolfSSL 4:1b0d80432c79 2390 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 4:1b0d80432c79 2391 &keyLen, NULL, &next, &remaining);
wolfSSL 4:1b0d80432c79 2392 if (rc != NTRU_OK)
wolfSSL 4:1b0d80432c79 2393 return ASN_NTRU_KEY_E;
wolfSSL 4:1b0d80432c79 2394 if (keyLen > MAX_NTRU_KEY_SZ)
wolfSSL 4:1b0d80432c79 2395 return ASN_NTRU_KEY_E;
wolfSSL 4:1b0d80432c79 2396
wolfSSL 4:1b0d80432c79 2397 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2398 keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL,
wolfSSL 4:1b0d80432c79 2399 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2400 if (keyBlob == NULL)
wolfSSL 4:1b0d80432c79 2401 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2402 #endif
wolfSSL 4:1b0d80432c79 2403
wolfSSL 4:1b0d80432c79 2404 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 4:1b0d80432c79 2405 &keyLen, keyBlob, &next, &remaining);
wolfSSL 4:1b0d80432c79 2406 if (rc != NTRU_OK) {
wolfSSL 4:1b0d80432c79 2407 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2408 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2409 #endif
wolfSSL 4:1b0d80432c79 2410 return ASN_NTRU_KEY_E;
wolfSSL 4:1b0d80432c79 2411 }
wolfSSL 4:1b0d80432c79 2412
wolfSSL 4:1b0d80432c79 2413 if ( (next - key) < 0) {
wolfSSL 4:1b0d80432c79 2414 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2415 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2416 #endif
wolfSSL 4:1b0d80432c79 2417 return ASN_NTRU_KEY_E;
wolfSSL 4:1b0d80432c79 2418 }
wolfSSL 4:1b0d80432c79 2419
wolfSSL 4:1b0d80432c79 2420 cert->srcIdx = tmpIdx + (int)(next - key);
wolfSSL 4:1b0d80432c79 2421
wolfSSL 4:1b0d80432c79 2422 cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap,
wolfSSL 4:1b0d80432c79 2423 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 4:1b0d80432c79 2424 if (cert->publicKey == NULL) {
wolfSSL 4:1b0d80432c79 2425 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2426 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2427 #endif
wolfSSL 4:1b0d80432c79 2428 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2429 }
wolfSSL 4:1b0d80432c79 2430 XMEMCPY(cert->publicKey, keyBlob, keyLen);
wolfSSL 4:1b0d80432c79 2431 cert->pubKeyStored = 1;
wolfSSL 4:1b0d80432c79 2432 cert->pubKeySize = keyLen;
wolfSSL 4:1b0d80432c79 2433
wolfSSL 4:1b0d80432c79 2434 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 2435 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 2436 #endif
wolfSSL 4:1b0d80432c79 2437
wolfSSL 4:1b0d80432c79 2438 return 0;
wolfSSL 4:1b0d80432c79 2439 }
wolfSSL 4:1b0d80432c79 2440 #endif /* HAVE_NTRU */
wolfSSL 4:1b0d80432c79 2441 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 2442 case ECDSAk:
wolfSSL 4:1b0d80432c79 2443 {
wolfSSL 4:1b0d80432c79 2444 byte b;
wolfSSL 4:1b0d80432c79 2445
wolfSSL 4:1b0d80432c79 2446 if (GetObjectId(cert->source, &cert->srcIdx,
wolfSSL 4:1b0d80432c79 2447 &cert->pkCurveOID, curveType, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2448 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2449
wolfSSL 4:1b0d80432c79 2450 if (CheckCurve(cert->pkCurveOID) < 0)
wolfSSL 4:1b0d80432c79 2451 return ECC_CURVE_OID_E;
wolfSSL 4:1b0d80432c79 2452
wolfSSL 4:1b0d80432c79 2453 /* key header */
wolfSSL 4:1b0d80432c79 2454 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2455 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 2456 return ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 2457
wolfSSL 4:1b0d80432c79 2458 if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2459 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2460 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2461 if (b != 0x00)
wolfSSL 4:1b0d80432c79 2462 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 2463
wolfSSL 4:1b0d80432c79 2464 /* actual key, use length - 1 since ate preceding 0 */
wolfSSL 4:1b0d80432c79 2465 length -= 1;
wolfSSL 4:1b0d80432c79 2466
wolfSSL 4:1b0d80432c79 2467 cert->publicKey = (byte*) XMALLOC(length, cert->heap,
wolfSSL 4:1b0d80432c79 2468 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 4:1b0d80432c79 2469 if (cert->publicKey == NULL)
wolfSSL 4:1b0d80432c79 2470 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2471 XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
wolfSSL 4:1b0d80432c79 2472 cert->pubKeyStored = 1;
wolfSSL 4:1b0d80432c79 2473 cert->pubKeySize = length;
wolfSSL 4:1b0d80432c79 2474
wolfSSL 4:1b0d80432c79 2475 cert->srcIdx += length;
wolfSSL 4:1b0d80432c79 2476
wolfSSL 4:1b0d80432c79 2477 return 0;
wolfSSL 4:1b0d80432c79 2478 }
wolfSSL 4:1b0d80432c79 2479 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 2480 default:
wolfSSL 4:1b0d80432c79 2481 return ASN_UNKNOWN_OID_E;
wolfSSL 4:1b0d80432c79 2482 }
wolfSSL 4:1b0d80432c79 2483 }
wolfSSL 4:1b0d80432c79 2484
wolfSSL 4:1b0d80432c79 2485
wolfSSL 4:1b0d80432c79 2486 /* process NAME, either issuer or subject */
wolfSSL 4:1b0d80432c79 2487 static int GetName(DecodedCert* cert, int nameType)
wolfSSL 4:1b0d80432c79 2488 {
wolfSSL 4:1b0d80432c79 2489 int length; /* length of all distinguished names */
wolfSSL 4:1b0d80432c79 2490 int dummy;
wolfSSL 4:1b0d80432c79 2491 int ret;
wolfSSL 4:1b0d80432c79 2492 char* full;
wolfSSL 4:1b0d80432c79 2493 byte* hash;
wolfSSL 4:1b0d80432c79 2494 word32 idx;
wolfSSL 4:1b0d80432c79 2495 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2496 DecodedName* dName =
wolfSSL 4:1b0d80432c79 2497 (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
wolfSSL 4:1b0d80432c79 2498 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2499
wolfSSL 4:1b0d80432c79 2500 WOLFSSL_MSG("Getting Cert Name");
wolfSSL 4:1b0d80432c79 2501
wolfSSL 4:1b0d80432c79 2502 if (nameType == ISSUER) {
wolfSSL 4:1b0d80432c79 2503 full = cert->issuer;
wolfSSL 4:1b0d80432c79 2504 hash = cert->issuerHash;
wolfSSL 4:1b0d80432c79 2505 }
wolfSSL 4:1b0d80432c79 2506 else {
wolfSSL 4:1b0d80432c79 2507 full = cert->subject;
wolfSSL 4:1b0d80432c79 2508 hash = cert->subjectHash;
wolfSSL 4:1b0d80432c79 2509 }
wolfSSL 4:1b0d80432c79 2510
wolfSSL 4:1b0d80432c79 2511 if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 2512 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 4:1b0d80432c79 2513
wolfSSL 4:1b0d80432c79 2514 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2515 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2516
wolfSSL 4:1b0d80432c79 2517 cert->srcIdx += length;
wolfSSL 4:1b0d80432c79 2518 WOLFSSL_MSG("Got optional prefix");
wolfSSL 4:1b0d80432c79 2519 }
wolfSSL 4:1b0d80432c79 2520
wolfSSL 4:1b0d80432c79 2521 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 4:1b0d80432c79 2522 * calculated over the entire DER encoding of the Name field, including
wolfSSL 4:1b0d80432c79 2523 * the tag and length. */
wolfSSL 4:1b0d80432c79 2524 idx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2525 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2526 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2527
wolfSSL 4:1b0d80432c79 2528 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 2529 ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 4:1b0d80432c79 2530 #else
wolfSSL 4:1b0d80432c79 2531 ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 4:1b0d80432c79 2532 #endif
wolfSSL 4:1b0d80432c79 2533 if (ret != 0)
wolfSSL 4:1b0d80432c79 2534 return ret;
wolfSSL 4:1b0d80432c79 2535
wolfSSL 4:1b0d80432c79 2536 length += cert->srcIdx;
wolfSSL 4:1b0d80432c79 2537 idx = 0;
wolfSSL 4:1b0d80432c79 2538
wolfSSL 4:1b0d80432c79 2539 #ifdef HAVE_PKCS7
wolfSSL 4:1b0d80432c79 2540 /* store pointer to raw issuer */
wolfSSL 4:1b0d80432c79 2541 if (nameType == ISSUER) {
wolfSSL 4:1b0d80432c79 2542 cert->issuerRaw = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2543 cert->issuerRawLen = length - cert->srcIdx;
wolfSSL 4:1b0d80432c79 2544 }
wolfSSL 4:1b0d80432c79 2545 #endif
wolfSSL 4:1b0d80432c79 2546 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 2547 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2548 cert->subjectRaw = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2549 cert->subjectRawLen = length - cert->srcIdx;
wolfSSL 4:1b0d80432c79 2550 }
wolfSSL 4:1b0d80432c79 2551 #endif
wolfSSL 4:1b0d80432c79 2552
wolfSSL 4:1b0d80432c79 2553 while (cert->srcIdx < (word32)length) {
wolfSSL 4:1b0d80432c79 2554 byte b;
wolfSSL 4:1b0d80432c79 2555 byte joint[2];
wolfSSL 4:1b0d80432c79 2556 byte tooBig = FALSE;
wolfSSL 4:1b0d80432c79 2557 int oidSz;
wolfSSL 4:1b0d80432c79 2558
wolfSSL 4:1b0d80432c79 2559 if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 2560 WOLFSSL_MSG("Cert name lacks set header, trying sequence");
wolfSSL 4:1b0d80432c79 2561 }
wolfSSL 4:1b0d80432c79 2562
wolfSSL 4:1b0d80432c79 2563 if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2564 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2565
wolfSSL 4:1b0d80432c79 2566 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2567 if (b != ASN_OBJECT_ID)
wolfSSL 4:1b0d80432c79 2568 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 2569
wolfSSL 4:1b0d80432c79 2570 if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2571 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2572
wolfSSL 4:1b0d80432c79 2573 XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint));
wolfSSL 4:1b0d80432c79 2574
wolfSSL 4:1b0d80432c79 2575 /* v1 name types */
wolfSSL 4:1b0d80432c79 2576 if (joint[0] == 0x55 && joint[1] == 0x04) {
wolfSSL 4:1b0d80432c79 2577 byte id;
wolfSSL 4:1b0d80432c79 2578 byte copy = FALSE;
wolfSSL 4:1b0d80432c79 2579 int strLen;
wolfSSL 4:1b0d80432c79 2580
wolfSSL 4:1b0d80432c79 2581 cert->srcIdx += 2;
wolfSSL 4:1b0d80432c79 2582 id = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 2583 b = cert->source[cert->srcIdx++]; /* encoding */
wolfSSL 4:1b0d80432c79 2584
wolfSSL 4:1b0d80432c79 2585 if (GetLength(cert->source, &cert->srcIdx, &strLen,
wolfSSL 4:1b0d80432c79 2586 cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2587 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2588
wolfSSL 4:1b0d80432c79 2589 if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 4:1b0d80432c79 2590 /* include biggest pre fix header too 4 = "/serialNumber=" */
wolfSSL 4:1b0d80432c79 2591 WOLFSSL_MSG("ASN Name too big, skipping");
wolfSSL 4:1b0d80432c79 2592 tooBig = TRUE;
wolfSSL 4:1b0d80432c79 2593 }
wolfSSL 4:1b0d80432c79 2594
wolfSSL 4:1b0d80432c79 2595 if (id == ASN_COMMON_NAME) {
wolfSSL 4:1b0d80432c79 2596 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2597 cert->subjectCN = (char *)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2598 cert->subjectCNLen = strLen;
wolfSSL 4:1b0d80432c79 2599 cert->subjectCNEnc = b;
wolfSSL 4:1b0d80432c79 2600 }
wolfSSL 4:1b0d80432c79 2601
wolfSSL 4:1b0d80432c79 2602 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2603 XMEMCPY(&full[idx], "/CN=", 4);
wolfSSL 4:1b0d80432c79 2604 idx += 4;
wolfSSL 4:1b0d80432c79 2605 copy = TRUE;
wolfSSL 4:1b0d80432c79 2606 }
wolfSSL 4:1b0d80432c79 2607 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2608 dName->cnIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2609 dName->cnLen = strLen;
wolfSSL 4:1b0d80432c79 2610 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2611 }
wolfSSL 4:1b0d80432c79 2612 else if (id == ASN_SUR_NAME) {
wolfSSL 4:1b0d80432c79 2613 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2614 XMEMCPY(&full[idx], "/SN=", 4);
wolfSSL 4:1b0d80432c79 2615 idx += 4;
wolfSSL 4:1b0d80432c79 2616 copy = TRUE;
wolfSSL 4:1b0d80432c79 2617 }
wolfSSL 4:1b0d80432c79 2618 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2619 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2620 cert->subjectSN = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2621 cert->subjectSNLen = strLen;
wolfSSL 4:1b0d80432c79 2622 cert->subjectSNEnc = b;
wolfSSL 4:1b0d80432c79 2623 }
wolfSSL 4:1b0d80432c79 2624 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2625 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2626 dName->snIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2627 dName->snLen = strLen;
wolfSSL 4:1b0d80432c79 2628 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2629 }
wolfSSL 4:1b0d80432c79 2630 else if (id == ASN_COUNTRY_NAME) {
wolfSSL 4:1b0d80432c79 2631 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2632 XMEMCPY(&full[idx], "/C=", 3);
wolfSSL 4:1b0d80432c79 2633 idx += 3;
wolfSSL 4:1b0d80432c79 2634 copy = TRUE;
wolfSSL 4:1b0d80432c79 2635 }
wolfSSL 4:1b0d80432c79 2636 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2637 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2638 cert->subjectC = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2639 cert->subjectCLen = strLen;
wolfSSL 4:1b0d80432c79 2640 cert->subjectCEnc = b;
wolfSSL 4:1b0d80432c79 2641 }
wolfSSL 4:1b0d80432c79 2642 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2643 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2644 dName->cIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2645 dName->cLen = strLen;
wolfSSL 4:1b0d80432c79 2646 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2647 }
wolfSSL 4:1b0d80432c79 2648 else if (id == ASN_LOCALITY_NAME) {
wolfSSL 4:1b0d80432c79 2649 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2650 XMEMCPY(&full[idx], "/L=", 3);
wolfSSL 4:1b0d80432c79 2651 idx += 3;
wolfSSL 4:1b0d80432c79 2652 copy = TRUE;
wolfSSL 4:1b0d80432c79 2653 }
wolfSSL 4:1b0d80432c79 2654 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2655 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2656 cert->subjectL = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2657 cert->subjectLLen = strLen;
wolfSSL 4:1b0d80432c79 2658 cert->subjectLEnc = b;
wolfSSL 4:1b0d80432c79 2659 }
wolfSSL 4:1b0d80432c79 2660 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2661 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2662 dName->lIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2663 dName->lLen = strLen;
wolfSSL 4:1b0d80432c79 2664 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2665 }
wolfSSL 4:1b0d80432c79 2666 else if (id == ASN_STATE_NAME) {
wolfSSL 4:1b0d80432c79 2667 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2668 XMEMCPY(&full[idx], "/ST=", 4);
wolfSSL 4:1b0d80432c79 2669 idx += 4;
wolfSSL 4:1b0d80432c79 2670 copy = TRUE;
wolfSSL 4:1b0d80432c79 2671 }
wolfSSL 4:1b0d80432c79 2672 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2673 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2674 cert->subjectST = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2675 cert->subjectSTLen = strLen;
wolfSSL 4:1b0d80432c79 2676 cert->subjectSTEnc = b;
wolfSSL 4:1b0d80432c79 2677 }
wolfSSL 4:1b0d80432c79 2678 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2679 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2680 dName->stIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2681 dName->stLen = strLen;
wolfSSL 4:1b0d80432c79 2682 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2683 }
wolfSSL 4:1b0d80432c79 2684 else if (id == ASN_ORG_NAME) {
wolfSSL 4:1b0d80432c79 2685 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2686 XMEMCPY(&full[idx], "/O=", 3);
wolfSSL 4:1b0d80432c79 2687 idx += 3;
wolfSSL 4:1b0d80432c79 2688 copy = TRUE;
wolfSSL 4:1b0d80432c79 2689 }
wolfSSL 4:1b0d80432c79 2690 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2691 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2692 cert->subjectO = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2693 cert->subjectOLen = strLen;
wolfSSL 4:1b0d80432c79 2694 cert->subjectOEnc = b;
wolfSSL 4:1b0d80432c79 2695 }
wolfSSL 4:1b0d80432c79 2696 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2697 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2698 dName->oIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2699 dName->oLen = strLen;
wolfSSL 4:1b0d80432c79 2700 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2701 }
wolfSSL 4:1b0d80432c79 2702 else if (id == ASN_ORGUNIT_NAME) {
wolfSSL 4:1b0d80432c79 2703 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2704 XMEMCPY(&full[idx], "/OU=", 4);
wolfSSL 4:1b0d80432c79 2705 idx += 4;
wolfSSL 4:1b0d80432c79 2706 copy = TRUE;
wolfSSL 4:1b0d80432c79 2707 }
wolfSSL 4:1b0d80432c79 2708 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2709 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2710 cert->subjectOU = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2711 cert->subjectOULen = strLen;
wolfSSL 4:1b0d80432c79 2712 cert->subjectOUEnc = b;
wolfSSL 4:1b0d80432c79 2713 }
wolfSSL 4:1b0d80432c79 2714 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2715 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2716 dName->ouIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2717 dName->ouLen = strLen;
wolfSSL 4:1b0d80432c79 2718 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2719 }
wolfSSL 4:1b0d80432c79 2720 else if (id == ASN_SERIAL_NUMBER) {
wolfSSL 4:1b0d80432c79 2721 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2722 XMEMCPY(&full[idx], "/serialNumber=", 14);
wolfSSL 4:1b0d80432c79 2723 idx += 14;
wolfSSL 4:1b0d80432c79 2724 copy = TRUE;
wolfSSL 4:1b0d80432c79 2725 }
wolfSSL 4:1b0d80432c79 2726 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2727 dName->snIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2728 dName->snLen = strLen;
wolfSSL 4:1b0d80432c79 2729 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2730 }
wolfSSL 4:1b0d80432c79 2731
wolfSSL 4:1b0d80432c79 2732 if (copy && !tooBig) {
wolfSSL 4:1b0d80432c79 2733 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
wolfSSL 4:1b0d80432c79 2734 idx += strLen;
wolfSSL 4:1b0d80432c79 2735 }
wolfSSL 4:1b0d80432c79 2736
wolfSSL 4:1b0d80432c79 2737 cert->srcIdx += strLen;
wolfSSL 4:1b0d80432c79 2738 }
wolfSSL 4:1b0d80432c79 2739 else {
wolfSSL 4:1b0d80432c79 2740 /* skip */
wolfSSL 4:1b0d80432c79 2741 byte email = FALSE;
wolfSSL 4:1b0d80432c79 2742 byte uid = FALSE;
wolfSSL 4:1b0d80432c79 2743 int adv;
wolfSSL 4:1b0d80432c79 2744
wolfSSL 4:1b0d80432c79 2745 if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
wolfSSL 4:1b0d80432c79 2746 email = TRUE;
wolfSSL 4:1b0d80432c79 2747
wolfSSL 4:1b0d80432c79 2748 if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
wolfSSL 4:1b0d80432c79 2749 uid = TRUE;
wolfSSL 4:1b0d80432c79 2750
wolfSSL 4:1b0d80432c79 2751 cert->srcIdx += oidSz + 1;
wolfSSL 4:1b0d80432c79 2752
wolfSSL 4:1b0d80432c79 2753 if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 2754 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 2755
wolfSSL 4:1b0d80432c79 2756 if (adv > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 4:1b0d80432c79 2757 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 4:1b0d80432c79 2758 tooBig = TRUE;
wolfSSL 4:1b0d80432c79 2759 }
wolfSSL 4:1b0d80432c79 2760
wolfSSL 4:1b0d80432c79 2761 if (email) {
wolfSSL 4:1b0d80432c79 2762 if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 4:1b0d80432c79 2763 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 4:1b0d80432c79 2764 tooBig = TRUE;
wolfSSL 4:1b0d80432c79 2765 }
wolfSSL 4:1b0d80432c79 2766 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2767 XMEMCPY(&full[idx], "/emailAddress=", 14);
wolfSSL 4:1b0d80432c79 2768 idx += 14;
wolfSSL 4:1b0d80432c79 2769 }
wolfSSL 4:1b0d80432c79 2770
wolfSSL 4:1b0d80432c79 2771 #ifdef WOLFSSL_CERT_GEN
wolfSSL 4:1b0d80432c79 2772 if (nameType == SUBJECT) {
wolfSSL 4:1b0d80432c79 2773 cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 2774 cert->subjectEmailLen = adv;
wolfSSL 4:1b0d80432c79 2775 }
wolfSSL 4:1b0d80432c79 2776 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 2777 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2778 dName->emailIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2779 dName->emailLen = adv;
wolfSSL 4:1b0d80432c79 2780 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2781 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 2782 {
wolfSSL 4:1b0d80432c79 2783 DNS_entry* emailName = NULL;
wolfSSL 4:1b0d80432c79 2784
wolfSSL 4:1b0d80432c79 2785 emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
wolfSSL 4:1b0d80432c79 2786 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2787 if (emailName == NULL) {
wolfSSL 4:1b0d80432c79 2788 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 2789 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2790 }
wolfSSL 4:1b0d80432c79 2791 emailName->name = (char*)XMALLOC(adv + 1,
wolfSSL 4:1b0d80432c79 2792 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2793 if (emailName->name == NULL) {
wolfSSL 4:1b0d80432c79 2794 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 2795 XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 2796 return MEMORY_E;
wolfSSL 4:1b0d80432c79 2797 }
wolfSSL 4:1b0d80432c79 2798 XMEMCPY(emailName->name,
wolfSSL 4:1b0d80432c79 2799 &cert->source[cert->srcIdx], adv);
wolfSSL 4:1b0d80432c79 2800 emailName->name[adv] = 0;
wolfSSL 4:1b0d80432c79 2801
wolfSSL 4:1b0d80432c79 2802 emailName->next = cert->altEmailNames;
wolfSSL 4:1b0d80432c79 2803 cert->altEmailNames = emailName;
wolfSSL 4:1b0d80432c79 2804 }
wolfSSL 4:1b0d80432c79 2805 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 2806 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2807 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 4:1b0d80432c79 2808 idx += adv;
wolfSSL 4:1b0d80432c79 2809 }
wolfSSL 4:1b0d80432c79 2810 }
wolfSSL 4:1b0d80432c79 2811
wolfSSL 4:1b0d80432c79 2812 if (uid) {
wolfSSL 4:1b0d80432c79 2813 if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 4:1b0d80432c79 2814 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 4:1b0d80432c79 2815 tooBig = TRUE;
wolfSSL 4:1b0d80432c79 2816 }
wolfSSL 4:1b0d80432c79 2817 if (!tooBig) {
wolfSSL 4:1b0d80432c79 2818 XMEMCPY(&full[idx], "/UID=", 5);
wolfSSL 4:1b0d80432c79 2819 idx += 5;
wolfSSL 4:1b0d80432c79 2820
wolfSSL 4:1b0d80432c79 2821 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 4:1b0d80432c79 2822 idx += adv;
wolfSSL 4:1b0d80432c79 2823 }
wolfSSL 4:1b0d80432c79 2824 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2825 dName->uidIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 2826 dName->uidLen = adv;
wolfSSL 4:1b0d80432c79 2827 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2828 }
wolfSSL 4:1b0d80432c79 2829
wolfSSL 4:1b0d80432c79 2830 cert->srcIdx += adv;
wolfSSL 4:1b0d80432c79 2831 }
wolfSSL 4:1b0d80432c79 2832 }
wolfSSL 4:1b0d80432c79 2833 full[idx++] = 0;
wolfSSL 4:1b0d80432c79 2834
wolfSSL 4:1b0d80432c79 2835 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 2836 {
wolfSSL 4:1b0d80432c79 2837 int totalLen = 0;
wolfSSL 4:1b0d80432c79 2838
wolfSSL 4:1b0d80432c79 2839 if (dName->cnLen != 0)
wolfSSL 4:1b0d80432c79 2840 totalLen += dName->cnLen + 4;
wolfSSL 4:1b0d80432c79 2841 if (dName->snLen != 0)
wolfSSL 4:1b0d80432c79 2842 totalLen += dName->snLen + 4;
wolfSSL 4:1b0d80432c79 2843 if (dName->cLen != 0)
wolfSSL 4:1b0d80432c79 2844 totalLen += dName->cLen + 3;
wolfSSL 4:1b0d80432c79 2845 if (dName->lLen != 0)
wolfSSL 4:1b0d80432c79 2846 totalLen += dName->lLen + 3;
wolfSSL 4:1b0d80432c79 2847 if (dName->stLen != 0)
wolfSSL 4:1b0d80432c79 2848 totalLen += dName->stLen + 4;
wolfSSL 4:1b0d80432c79 2849 if (dName->oLen != 0)
wolfSSL 4:1b0d80432c79 2850 totalLen += dName->oLen + 3;
wolfSSL 4:1b0d80432c79 2851 if (dName->ouLen != 0)
wolfSSL 4:1b0d80432c79 2852 totalLen += dName->ouLen + 4;
wolfSSL 4:1b0d80432c79 2853 if (dName->emailLen != 0)
wolfSSL 4:1b0d80432c79 2854 totalLen += dName->emailLen + 14;
wolfSSL 4:1b0d80432c79 2855 if (dName->uidLen != 0)
wolfSSL 4:1b0d80432c79 2856 totalLen += dName->uidLen + 5;
wolfSSL 4:1b0d80432c79 2857 if (dName->serialLen != 0)
wolfSSL 4:1b0d80432c79 2858 totalLen += dName->serialLen + 14;
wolfSSL 4:1b0d80432c79 2859
wolfSSL 4:1b0d80432c79 2860 dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509);
wolfSSL 4:1b0d80432c79 2861 if (dName->fullName != NULL) {
wolfSSL 4:1b0d80432c79 2862 idx = 0;
wolfSSL 4:1b0d80432c79 2863
wolfSSL 4:1b0d80432c79 2864 if (dName->cnLen != 0) {
wolfSSL 4:1b0d80432c79 2865 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2866 XMEMCPY(&dName->fullName[idx], "/CN=", 4);
wolfSSL 4:1b0d80432c79 2867 idx += 4;
wolfSSL 4:1b0d80432c79 2868 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2869 &cert->source[dName->cnIdx], dName->cnLen);
wolfSSL 4:1b0d80432c79 2870 dName->cnIdx = idx;
wolfSSL 4:1b0d80432c79 2871 idx += dName->cnLen;
wolfSSL 4:1b0d80432c79 2872 }
wolfSSL 4:1b0d80432c79 2873 if (dName->snLen != 0) {
wolfSSL 4:1b0d80432c79 2874 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2875 XMEMCPY(&dName->fullName[idx], "/SN=", 4);
wolfSSL 4:1b0d80432c79 2876 idx += 4;
wolfSSL 4:1b0d80432c79 2877 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2878 &cert->source[dName->snIdx], dName->snLen);
wolfSSL 4:1b0d80432c79 2879 dName->snIdx = idx;
wolfSSL 4:1b0d80432c79 2880 idx += dName->snLen;
wolfSSL 4:1b0d80432c79 2881 }
wolfSSL 4:1b0d80432c79 2882 if (dName->cLen != 0) {
wolfSSL 4:1b0d80432c79 2883 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2884 XMEMCPY(&dName->fullName[idx], "/C=", 3);
wolfSSL 4:1b0d80432c79 2885 idx += 3;
wolfSSL 4:1b0d80432c79 2886 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2887 &cert->source[dName->cIdx], dName->cLen);
wolfSSL 4:1b0d80432c79 2888 dName->cIdx = idx;
wolfSSL 4:1b0d80432c79 2889 idx += dName->cLen;
wolfSSL 4:1b0d80432c79 2890 }
wolfSSL 4:1b0d80432c79 2891 if (dName->lLen != 0) {
wolfSSL 4:1b0d80432c79 2892 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2893 XMEMCPY(&dName->fullName[idx], "/L=", 3);
wolfSSL 4:1b0d80432c79 2894 idx += 3;
wolfSSL 4:1b0d80432c79 2895 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2896 &cert->source[dName->lIdx], dName->lLen);
wolfSSL 4:1b0d80432c79 2897 dName->lIdx = idx;
wolfSSL 4:1b0d80432c79 2898 idx += dName->lLen;
wolfSSL 4:1b0d80432c79 2899 }
wolfSSL 4:1b0d80432c79 2900 if (dName->stLen != 0) {
wolfSSL 4:1b0d80432c79 2901 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2902 XMEMCPY(&dName->fullName[idx], "/ST=", 4);
wolfSSL 4:1b0d80432c79 2903 idx += 4;
wolfSSL 4:1b0d80432c79 2904 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2905 &cert->source[dName->stIdx], dName->stLen);
wolfSSL 4:1b0d80432c79 2906 dName->stIdx = idx;
wolfSSL 4:1b0d80432c79 2907 idx += dName->stLen;
wolfSSL 4:1b0d80432c79 2908 }
wolfSSL 4:1b0d80432c79 2909 if (dName->oLen != 0) {
wolfSSL 4:1b0d80432c79 2910 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2911 XMEMCPY(&dName->fullName[idx], "/O=", 3);
wolfSSL 4:1b0d80432c79 2912 idx += 3;
wolfSSL 4:1b0d80432c79 2913 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2914 &cert->source[dName->oIdx], dName->oLen);
wolfSSL 4:1b0d80432c79 2915 dName->oIdx = idx;
wolfSSL 4:1b0d80432c79 2916 idx += dName->oLen;
wolfSSL 4:1b0d80432c79 2917 }
wolfSSL 4:1b0d80432c79 2918 if (dName->ouLen != 0) {
wolfSSL 4:1b0d80432c79 2919 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2920 XMEMCPY(&dName->fullName[idx], "/OU=", 4);
wolfSSL 4:1b0d80432c79 2921 idx += 4;
wolfSSL 4:1b0d80432c79 2922 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2923 &cert->source[dName->ouIdx], dName->ouLen);
wolfSSL 4:1b0d80432c79 2924 dName->ouIdx = idx;
wolfSSL 4:1b0d80432c79 2925 idx += dName->ouLen;
wolfSSL 4:1b0d80432c79 2926 }
wolfSSL 4:1b0d80432c79 2927 if (dName->emailLen != 0) {
wolfSSL 4:1b0d80432c79 2928 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2929 XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
wolfSSL 4:1b0d80432c79 2930 idx += 14;
wolfSSL 4:1b0d80432c79 2931 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2932 &cert->source[dName->emailIdx], dName->emailLen);
wolfSSL 4:1b0d80432c79 2933 dName->emailIdx = idx;
wolfSSL 4:1b0d80432c79 2934 idx += dName->emailLen;
wolfSSL 4:1b0d80432c79 2935 }
wolfSSL 4:1b0d80432c79 2936 if (dName->uidLen != 0) {
wolfSSL 4:1b0d80432c79 2937 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2938 XMEMCPY(&dName->fullName[idx], "/UID=", 5);
wolfSSL 4:1b0d80432c79 2939 idx += 5;
wolfSSL 4:1b0d80432c79 2940 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2941 &cert->source[dName->uidIdx], dName->uidLen);
wolfSSL 4:1b0d80432c79 2942 dName->uidIdx = idx;
wolfSSL 4:1b0d80432c79 2943 idx += dName->uidLen;
wolfSSL 4:1b0d80432c79 2944 }
wolfSSL 4:1b0d80432c79 2945 if (dName->serialLen != 0) {
wolfSSL 4:1b0d80432c79 2946 dName->entryCount++;
wolfSSL 4:1b0d80432c79 2947 XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
wolfSSL 4:1b0d80432c79 2948 idx += 14;
wolfSSL 4:1b0d80432c79 2949 XMEMCPY(&dName->fullName[idx],
wolfSSL 4:1b0d80432c79 2950 &cert->source[dName->serialIdx], dName->serialLen);
wolfSSL 4:1b0d80432c79 2951 dName->serialIdx = idx;
wolfSSL 4:1b0d80432c79 2952 idx += dName->serialLen;
wolfSSL 4:1b0d80432c79 2953 }
wolfSSL 4:1b0d80432c79 2954 dName->fullName[idx] = '\0';
wolfSSL 4:1b0d80432c79 2955 dName->fullNameLen = totalLen;
wolfSSL 4:1b0d80432c79 2956 }
wolfSSL 4:1b0d80432c79 2957 }
wolfSSL 4:1b0d80432c79 2958 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 2959
wolfSSL 4:1b0d80432c79 2960 return 0;
wolfSSL 4:1b0d80432c79 2961 }
wolfSSL 4:1b0d80432c79 2962
wolfSSL 4:1b0d80432c79 2963
wolfSSL 4:1b0d80432c79 2964 #if !defined(NO_TIME_H) && defined(USE_WOLF_VALIDDATE)
wolfSSL 4:1b0d80432c79 2965
wolfSSL 4:1b0d80432c79 2966 /* to the second */
wolfSSL 4:1b0d80432c79 2967 static int DateGreaterThan(const struct tm* a, const struct tm* b)
wolfSSL 4:1b0d80432c79 2968 {
wolfSSL 4:1b0d80432c79 2969 if (a->tm_year > b->tm_year)
wolfSSL 4:1b0d80432c79 2970 return 1;
wolfSSL 4:1b0d80432c79 2971
wolfSSL 4:1b0d80432c79 2972 if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon)
wolfSSL 4:1b0d80432c79 2973 return 1;
wolfSSL 4:1b0d80432c79 2974
wolfSSL 4:1b0d80432c79 2975 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 4:1b0d80432c79 2976 a->tm_mday > b->tm_mday)
wolfSSL 4:1b0d80432c79 2977 return 1;
wolfSSL 4:1b0d80432c79 2978
wolfSSL 4:1b0d80432c79 2979 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 4:1b0d80432c79 2980 a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour)
wolfSSL 4:1b0d80432c79 2981 return 1;
wolfSSL 4:1b0d80432c79 2982
wolfSSL 4:1b0d80432c79 2983 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 4:1b0d80432c79 2984 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 4:1b0d80432c79 2985 a->tm_min > b->tm_min)
wolfSSL 4:1b0d80432c79 2986 return 1;
wolfSSL 4:1b0d80432c79 2987
wolfSSL 4:1b0d80432c79 2988 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 4:1b0d80432c79 2989 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 4:1b0d80432c79 2990 a->tm_min == b->tm_min && a->tm_sec > b->tm_sec)
wolfSSL 4:1b0d80432c79 2991 return 1;
wolfSSL 4:1b0d80432c79 2992
wolfSSL 4:1b0d80432c79 2993 return 0; /* false */
wolfSSL 4:1b0d80432c79 2994 }
wolfSSL 4:1b0d80432c79 2995
wolfSSL 4:1b0d80432c79 2996
wolfSSL 4:1b0d80432c79 2997 static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
wolfSSL 4:1b0d80432c79 2998 {
wolfSSL 4:1b0d80432c79 2999 return DateGreaterThan(b,a);
wolfSSL 4:1b0d80432c79 3000 }
wolfSSL 4:1b0d80432c79 3001
wolfSSL 4:1b0d80432c79 3002 /* like atoi but only use first byte */
wolfSSL 4:1b0d80432c79 3003 /* Make sure before and after dates are valid */
wolfSSL 4:1b0d80432c79 3004 int ValidateDate(const byte* date, byte format, int dateType)
wolfSSL 4:1b0d80432c79 3005 {
wolfSSL 4:1b0d80432c79 3006 time_t ltime;
wolfSSL 4:1b0d80432c79 3007 struct tm certTime;
wolfSSL 4:1b0d80432c79 3008 struct tm* localTime;
wolfSSL 4:1b0d80432c79 3009 struct tm* tmpTime = NULL;
wolfSSL 4:1b0d80432c79 3010 int i = 0;
wolfSSL 4:1b0d80432c79 3011 int timeDiff = 0 ;
wolfSSL 4:1b0d80432c79 3012 int diffHH = 0 ; int diffMM = 0 ;
wolfSSL 4:1b0d80432c79 3013 int diffSign = 0 ;
wolfSSL 4:1b0d80432c79 3014
wolfSSL 4:1b0d80432c79 3015 #if defined(NEED_TMP_TIME)
wolfSSL 4:1b0d80432c79 3016 struct tm tmpTimeStorage;
wolfSSL 4:1b0d80432c79 3017 tmpTime = &tmpTimeStorage;
wolfSSL 4:1b0d80432c79 3018 #else
wolfSSL 4:1b0d80432c79 3019 (void)tmpTime;
wolfSSL 4:1b0d80432c79 3020 #endif
wolfSSL 4:1b0d80432c79 3021
wolfSSL 4:1b0d80432c79 3022 ltime = XTIME(0);
wolfSSL 4:1b0d80432c79 3023 XMEMSET(&certTime, 0, sizeof(certTime));
wolfSSL 4:1b0d80432c79 3024
wolfSSL 4:1b0d80432c79 3025 if (format == ASN_UTC_TIME) {
wolfSSL 4:1b0d80432c79 3026 if (btoi(date[0]) >= 5)
wolfSSL 4:1b0d80432c79 3027 certTime.tm_year = 1900;
wolfSSL 4:1b0d80432c79 3028 else
wolfSSL 4:1b0d80432c79 3029 certTime.tm_year = 2000;
wolfSSL 4:1b0d80432c79 3030 }
wolfSSL 4:1b0d80432c79 3031 else { /* format == GENERALIZED_TIME */
wolfSSL 4:1b0d80432c79 3032 certTime.tm_year += btoi(date[i++]) * 1000;
wolfSSL 4:1b0d80432c79 3033 certTime.tm_year += btoi(date[i++]) * 100;
wolfSSL 4:1b0d80432c79 3034 }
wolfSSL 4:1b0d80432c79 3035
wolfSSL 4:1b0d80432c79 3036 /* adjust tm_year, tm_mon */
wolfSSL 4:1b0d80432c79 3037 GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900;
wolfSSL 4:1b0d80432c79 3038 GetTime((int*)&certTime.tm_mon, date, &i); certTime.tm_mon -= 1;
wolfSSL 4:1b0d80432c79 3039 GetTime((int*)&certTime.tm_mday, date, &i);
wolfSSL 4:1b0d80432c79 3040 GetTime((int*)&certTime.tm_hour, date, &i);
wolfSSL 4:1b0d80432c79 3041 GetTime((int*)&certTime.tm_min, date, &i);
wolfSSL 4:1b0d80432c79 3042 GetTime((int*)&certTime.tm_sec, date, &i);
wolfSSL 4:1b0d80432c79 3043
wolfSSL 4:1b0d80432c79 3044 if ((date[i] == '+') || (date[i] == '-')) {
wolfSSL 4:1b0d80432c79 3045 WOLFSSL_MSG("Using time differential, not Zulu") ;
wolfSSL 4:1b0d80432c79 3046 diffSign = date[i++] == '+' ? 1 : -1 ;
wolfSSL 4:1b0d80432c79 3047 GetTime(&diffHH, date, &i);
wolfSSL 4:1b0d80432c79 3048 GetTime(&diffMM, date, &i);
wolfSSL 4:1b0d80432c79 3049 timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ;
wolfSSL 4:1b0d80432c79 3050 } else if (date[i] != 'Z') {
wolfSSL 4:1b0d80432c79 3051 WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ;
wolfSSL 4:1b0d80432c79 3052 return 0;
wolfSSL 4:1b0d80432c79 3053 }
wolfSSL 4:1b0d80432c79 3054
wolfSSL 4:1b0d80432c79 3055 ltime -= (time_t)timeDiff ;
wolfSSL 4:1b0d80432c79 3056 localTime = XGMTIME(&ltime, tmpTime);
wolfSSL 4:1b0d80432c79 3057
wolfSSL 4:1b0d80432c79 3058 if (localTime == NULL) {
wolfSSL 4:1b0d80432c79 3059 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 4:1b0d80432c79 3060 return 0;
wolfSSL 4:1b0d80432c79 3061 }
wolfSSL 4:1b0d80432c79 3062
wolfSSL 4:1b0d80432c79 3063 if (dateType == BEFORE) {
wolfSSL 4:1b0d80432c79 3064 if (DateLessThan(localTime, &certTime))
wolfSSL 4:1b0d80432c79 3065 return 0;
wolfSSL 4:1b0d80432c79 3066 }
wolfSSL 4:1b0d80432c79 3067 else
wolfSSL 4:1b0d80432c79 3068 if (DateGreaterThan(localTime, &certTime))
wolfSSL 4:1b0d80432c79 3069 return 0;
wolfSSL 4:1b0d80432c79 3070
wolfSSL 4:1b0d80432c79 3071 return 1;
wolfSSL 4:1b0d80432c79 3072 }
wolfSSL 4:1b0d80432c79 3073 #endif /* !NO_TIME_H && USE_WOLF_VALIDDATE */
wolfSSL 4:1b0d80432c79 3074
wolfSSL 4:1b0d80432c79 3075
wolfSSL 4:1b0d80432c79 3076 static int GetDate(DecodedCert* cert, int dateType)
wolfSSL 4:1b0d80432c79 3077 {
wolfSSL 4:1b0d80432c79 3078 int length;
wolfSSL 4:1b0d80432c79 3079 byte date[MAX_DATE_SIZE];
wolfSSL 4:1b0d80432c79 3080 byte b;
wolfSSL 4:1b0d80432c79 3081 word32 startIdx = 0;
wolfSSL 4:1b0d80432c79 3082
wolfSSL 4:1b0d80432c79 3083 if (dateType == BEFORE)
wolfSSL 4:1b0d80432c79 3084 cert->beforeDate = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 3085 else
wolfSSL 4:1b0d80432c79 3086 cert->afterDate = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 3087 startIdx = cert->srcIdx;
wolfSSL 4:1b0d80432c79 3088
wolfSSL 4:1b0d80432c79 3089 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 3090 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
wolfSSL 4:1b0d80432c79 3091 return ASN_TIME_E;
wolfSSL 4:1b0d80432c79 3092
wolfSSL 4:1b0d80432c79 3093 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 3094 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3095
wolfSSL 4:1b0d80432c79 3096 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 4:1b0d80432c79 3097 return ASN_DATE_SZ_E;
wolfSSL 4:1b0d80432c79 3098
wolfSSL 4:1b0d80432c79 3099 XMEMCPY(date, &cert->source[cert->srcIdx], length);
wolfSSL 4:1b0d80432c79 3100 cert->srcIdx += length;
wolfSSL 4:1b0d80432c79 3101
wolfSSL 4:1b0d80432c79 3102 if (dateType == BEFORE)
wolfSSL 4:1b0d80432c79 3103 cert->beforeDateLen = cert->srcIdx - startIdx;
wolfSSL 4:1b0d80432c79 3104 else
wolfSSL 4:1b0d80432c79 3105 cert->afterDateLen = cert->srcIdx - startIdx;
wolfSSL 4:1b0d80432c79 3106
wolfSSL 4:1b0d80432c79 3107 if (!XVALIDATE_DATE(date, b, dateType)) {
wolfSSL 4:1b0d80432c79 3108 if (dateType == BEFORE)
wolfSSL 4:1b0d80432c79 3109 return ASN_BEFORE_DATE_E;
wolfSSL 4:1b0d80432c79 3110 else
wolfSSL 4:1b0d80432c79 3111 return ASN_AFTER_DATE_E;
wolfSSL 4:1b0d80432c79 3112 }
wolfSSL 4:1b0d80432c79 3113
wolfSSL 4:1b0d80432c79 3114 return 0;
wolfSSL 4:1b0d80432c79 3115 }
wolfSSL 4:1b0d80432c79 3116
wolfSSL 4:1b0d80432c79 3117
wolfSSL 4:1b0d80432c79 3118 static int GetValidity(DecodedCert* cert, int verify)
wolfSSL 4:1b0d80432c79 3119 {
wolfSSL 4:1b0d80432c79 3120 int length;
wolfSSL 4:1b0d80432c79 3121 int badDate = 0;
wolfSSL 4:1b0d80432c79 3122
wolfSSL 4:1b0d80432c79 3123 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 3124 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3125
wolfSSL 4:1b0d80432c79 3126 if (GetDate(cert, BEFORE) < 0 && verify)
wolfSSL 4:1b0d80432c79 3127 badDate = ASN_BEFORE_DATE_E; /* continue parsing */
wolfSSL 4:1b0d80432c79 3128
wolfSSL 4:1b0d80432c79 3129 if (GetDate(cert, AFTER) < 0 && verify)
wolfSSL 4:1b0d80432c79 3130 return ASN_AFTER_DATE_E;
wolfSSL 4:1b0d80432c79 3131
wolfSSL 4:1b0d80432c79 3132 if (badDate != 0)
wolfSSL 4:1b0d80432c79 3133 return badDate;
wolfSSL 4:1b0d80432c79 3134
wolfSSL 4:1b0d80432c79 3135 return 0;
wolfSSL 4:1b0d80432c79 3136 }
wolfSSL 4:1b0d80432c79 3137
wolfSSL 4:1b0d80432c79 3138
wolfSSL 4:1b0d80432c79 3139 int DecodeToKey(DecodedCert* cert, int verify)
wolfSSL 4:1b0d80432c79 3140 {
wolfSSL 4:1b0d80432c79 3141 int badDate = 0;
wolfSSL 4:1b0d80432c79 3142 int ret;
wolfSSL 4:1b0d80432c79 3143
wolfSSL 4:1b0d80432c79 3144 if ( (ret = GetCertHeader(cert)) < 0)
wolfSSL 4:1b0d80432c79 3145 return ret;
wolfSSL 4:1b0d80432c79 3146
wolfSSL 4:1b0d80432c79 3147 WOLFSSL_MSG("Got Cert Header");
wolfSSL 4:1b0d80432c79 3148
wolfSSL 4:1b0d80432c79 3149 if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
wolfSSL 4:1b0d80432c79 3150 sigType, cert->maxIdx)) < 0)
wolfSSL 4:1b0d80432c79 3151 return ret;
wolfSSL 4:1b0d80432c79 3152
wolfSSL 4:1b0d80432c79 3153 WOLFSSL_MSG("Got Algo ID");
wolfSSL 4:1b0d80432c79 3154
wolfSSL 4:1b0d80432c79 3155 if ( (ret = GetName(cert, ISSUER)) < 0)
wolfSSL 4:1b0d80432c79 3156 return ret;
wolfSSL 4:1b0d80432c79 3157
wolfSSL 4:1b0d80432c79 3158 if ( (ret = GetValidity(cert, verify)) < 0)
wolfSSL 4:1b0d80432c79 3159 badDate = ret;
wolfSSL 4:1b0d80432c79 3160
wolfSSL 4:1b0d80432c79 3161 if ( (ret = GetName(cert, SUBJECT)) < 0)
wolfSSL 4:1b0d80432c79 3162 return ret;
wolfSSL 4:1b0d80432c79 3163
wolfSSL 4:1b0d80432c79 3164 WOLFSSL_MSG("Got Subject Name");
wolfSSL 4:1b0d80432c79 3165
wolfSSL 4:1b0d80432c79 3166 if ( (ret = GetKey(cert)) < 0)
wolfSSL 4:1b0d80432c79 3167 return ret;
wolfSSL 4:1b0d80432c79 3168
wolfSSL 4:1b0d80432c79 3169 WOLFSSL_MSG("Got Key");
wolfSSL 4:1b0d80432c79 3170
wolfSSL 4:1b0d80432c79 3171 if (badDate != 0)
wolfSSL 4:1b0d80432c79 3172 return badDate;
wolfSSL 4:1b0d80432c79 3173
wolfSSL 4:1b0d80432c79 3174 return ret;
wolfSSL 4:1b0d80432c79 3175 }
wolfSSL 4:1b0d80432c79 3176
wolfSSL 4:1b0d80432c79 3177
wolfSSL 4:1b0d80432c79 3178 static int GetSignature(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 3179 {
wolfSSL 4:1b0d80432c79 3180 int length;
wolfSSL 4:1b0d80432c79 3181 byte b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 3182
wolfSSL 4:1b0d80432c79 3183 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 3184 return ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 3185
wolfSSL 4:1b0d80432c79 3186 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 4:1b0d80432c79 3187 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3188
wolfSSL 4:1b0d80432c79 3189 cert->sigLength = length;
wolfSSL 4:1b0d80432c79 3190
wolfSSL 4:1b0d80432c79 3191 b = cert->source[cert->srcIdx++];
wolfSSL 4:1b0d80432c79 3192 if (b != 0x00)
wolfSSL 4:1b0d80432c79 3193 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 3194
wolfSSL 4:1b0d80432c79 3195 cert->sigLength--;
wolfSSL 4:1b0d80432c79 3196 cert->signature = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 3197 cert->srcIdx += cert->sigLength;
wolfSSL 4:1b0d80432c79 3198
wolfSSL 4:1b0d80432c79 3199 return 0;
wolfSSL 4:1b0d80432c79 3200 }
wolfSSL 4:1b0d80432c79 3201 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 3202
wolfSSL 4:1b0d80432c79 3203 static word32 SetDigest(const byte* digest, word32 digSz, byte* output)
wolfSSL 4:1b0d80432c79 3204 {
wolfSSL 4:1b0d80432c79 3205 output[0] = ASN_OCTET_STRING;
wolfSSL 4:1b0d80432c79 3206 output[1] = (byte)digSz;
wolfSSL 4:1b0d80432c79 3207 XMEMCPY(&output[2], digest, digSz);
wolfSSL 4:1b0d80432c79 3208
wolfSSL 4:1b0d80432c79 3209 return digSz + 2;
wolfSSL 4:1b0d80432c79 3210 }
wolfSSL 4:1b0d80432c79 3211
wolfSSL 4:1b0d80432c79 3212
wolfSSL 4:1b0d80432c79 3213 static word32 BytePrecision(word32 value)
wolfSSL 4:1b0d80432c79 3214 {
wolfSSL 4:1b0d80432c79 3215 word32 i;
wolfSSL 4:1b0d80432c79 3216 for (i = sizeof(value); i; --i)
wolfSSL 4:1b0d80432c79 3217 if (value >> ((i - 1) * WOLFSSL_BIT_SIZE))
wolfSSL 4:1b0d80432c79 3218 break;
wolfSSL 4:1b0d80432c79 3219
wolfSSL 4:1b0d80432c79 3220 return i;
wolfSSL 4:1b0d80432c79 3221 }
wolfSSL 4:1b0d80432c79 3222
wolfSSL 4:1b0d80432c79 3223
wolfSSL 4:1b0d80432c79 3224 WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
wolfSSL 4:1b0d80432c79 3225 {
wolfSSL 4:1b0d80432c79 3226 word32 i = 0, j;
wolfSSL 4:1b0d80432c79 3227
wolfSSL 4:1b0d80432c79 3228 if (length < ASN_LONG_LENGTH)
wolfSSL 4:1b0d80432c79 3229 output[i++] = (byte)length;
wolfSSL 4:1b0d80432c79 3230 else {
wolfSSL 4:1b0d80432c79 3231 output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
wolfSSL 4:1b0d80432c79 3232
wolfSSL 4:1b0d80432c79 3233 for (j = BytePrecision(length); j; --j) {
wolfSSL 4:1b0d80432c79 3234 output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
wolfSSL 4:1b0d80432c79 3235 i++;
wolfSSL 4:1b0d80432c79 3236 }
wolfSSL 4:1b0d80432c79 3237 }
wolfSSL 4:1b0d80432c79 3238
wolfSSL 4:1b0d80432c79 3239 return i;
wolfSSL 4:1b0d80432c79 3240 }
wolfSSL 4:1b0d80432c79 3241
wolfSSL 4:1b0d80432c79 3242
wolfSSL 4:1b0d80432c79 3243 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
wolfSSL 4:1b0d80432c79 3244 {
wolfSSL 4:1b0d80432c79 3245 output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
wolfSSL 4:1b0d80432c79 3246 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 3247 }
wolfSSL 4:1b0d80432c79 3248
wolfSSL 4:1b0d80432c79 3249 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
wolfSSL 4:1b0d80432c79 3250 {
wolfSSL 4:1b0d80432c79 3251 output[0] = ASN_OCTET_STRING;
wolfSSL 4:1b0d80432c79 3252 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 3253 }
wolfSSL 4:1b0d80432c79 3254
wolfSSL 4:1b0d80432c79 3255 /* Write a set header to output */
wolfSSL 4:1b0d80432c79 3256 WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output)
wolfSSL 4:1b0d80432c79 3257 {
wolfSSL 4:1b0d80432c79 3258 output[0] = ASN_SET | ASN_CONSTRUCTED;
wolfSSL 4:1b0d80432c79 3259 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 3260 }
wolfSSL 4:1b0d80432c79 3261
wolfSSL 4:1b0d80432c79 3262 WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
wolfSSL 4:1b0d80432c79 3263 {
wolfSSL 4:1b0d80432c79 3264
wolfSSL 4:1b0d80432c79 3265 output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
wolfSSL 4:1b0d80432c79 3266 | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 4:1b0d80432c79 3267 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 3268 }
wolfSSL 4:1b0d80432c79 3269
wolfSSL 4:1b0d80432c79 3270 WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
wolfSSL 4:1b0d80432c79 3271 {
wolfSSL 4:1b0d80432c79 3272 output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 4:1b0d80432c79 3273 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 3274 }
wolfSSL 4:1b0d80432c79 3275
wolfSSL 4:1b0d80432c79 3276
wolfSSL 4:1b0d80432c79 3277 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
wolfSSL 4:1b0d80432c79 3278
wolfSSL 4:1b0d80432c79 3279 static int SetCurve(ecc_key* key, byte* output)
wolfSSL 4:1b0d80432c79 3280 {
wolfSSL 4:1b0d80432c79 3281
wolfSSL 4:1b0d80432c79 3282 /* curve types */
wolfSSL 4:1b0d80432c79 3283 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
wolfSSL 4:1b0d80432c79 3284 static const byte ECC_192v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL 4:1b0d80432c79 3285 0x03, 0x01, 0x01};
wolfSSL 4:1b0d80432c79 3286 #endif
wolfSSL 4:1b0d80432c79 3287 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
wolfSSL 4:1b0d80432c79 3288 static const byte ECC_256v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL 4:1b0d80432c79 3289 0x03, 0x01, 0x07};
wolfSSL 4:1b0d80432c79 3290 #endif
wolfSSL 4:1b0d80432c79 3291 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
wolfSSL 4:1b0d80432c79 3292 static const byte ECC_160r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL 4:1b0d80432c79 3293 0x02};
wolfSSL 4:1b0d80432c79 3294 #endif
wolfSSL 4:1b0d80432c79 3295 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
wolfSSL 4:1b0d80432c79 3296 static const byte ECC_224r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL 4:1b0d80432c79 3297 0x21};
wolfSSL 4:1b0d80432c79 3298 #endif
wolfSSL 4:1b0d80432c79 3299 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
wolfSSL 4:1b0d80432c79 3300 static const byte ECC_384r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL 4:1b0d80432c79 3301 0x22};
wolfSSL 4:1b0d80432c79 3302 #endif
wolfSSL 4:1b0d80432c79 3303 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
wolfSSL 4:1b0d80432c79 3304 static const byte ECC_521r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL 4:1b0d80432c79 3305 0x23};
wolfSSL 4:1b0d80432c79 3306 #endif
wolfSSL 4:1b0d80432c79 3307
wolfSSL 4:1b0d80432c79 3308 int oidSz = 0;
wolfSSL 4:1b0d80432c79 3309 int idx = 0;
wolfSSL 4:1b0d80432c79 3310 int lenSz = 0;
wolfSSL 4:1b0d80432c79 3311 const byte* oid = 0;
wolfSSL 4:1b0d80432c79 3312
wolfSSL 4:1b0d80432c79 3313 output[0] = ASN_OBJECT_ID;
wolfSSL 4:1b0d80432c79 3314 idx++;
wolfSSL 4:1b0d80432c79 3315
wolfSSL 4:1b0d80432c79 3316 switch (key->dp->size) {
wolfSSL 4:1b0d80432c79 3317 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
wolfSSL 4:1b0d80432c79 3318 case 20:
wolfSSL 4:1b0d80432c79 3319 oidSz = sizeof(ECC_160r1_AlgoID);
wolfSSL 4:1b0d80432c79 3320 oid = ECC_160r1_AlgoID;
wolfSSL 4:1b0d80432c79 3321 break;
wolfSSL 4:1b0d80432c79 3322 #endif
wolfSSL 4:1b0d80432c79 3323
wolfSSL 4:1b0d80432c79 3324 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
wolfSSL 4:1b0d80432c79 3325 case 24:
wolfSSL 4:1b0d80432c79 3326 oidSz = sizeof(ECC_192v1_AlgoID);
wolfSSL 4:1b0d80432c79 3327 oid = ECC_192v1_AlgoID;
wolfSSL 4:1b0d80432c79 3328 break;
wolfSSL 4:1b0d80432c79 3329 #endif
wolfSSL 4:1b0d80432c79 3330
wolfSSL 4:1b0d80432c79 3331 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
wolfSSL 4:1b0d80432c79 3332 case 28:
wolfSSL 4:1b0d80432c79 3333 oidSz = sizeof(ECC_224r1_AlgoID);
wolfSSL 4:1b0d80432c79 3334 oid = ECC_224r1_AlgoID;
wolfSSL 4:1b0d80432c79 3335 break;
wolfSSL 4:1b0d80432c79 3336 #endif
wolfSSL 4:1b0d80432c79 3337
wolfSSL 4:1b0d80432c79 3338 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
wolfSSL 4:1b0d80432c79 3339 case 32:
wolfSSL 4:1b0d80432c79 3340 oidSz = sizeof(ECC_256v1_AlgoID);
wolfSSL 4:1b0d80432c79 3341 oid = ECC_256v1_AlgoID;
wolfSSL 4:1b0d80432c79 3342 break;
wolfSSL 4:1b0d80432c79 3343 #endif
wolfSSL 4:1b0d80432c79 3344
wolfSSL 4:1b0d80432c79 3345 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
wolfSSL 4:1b0d80432c79 3346 case 48:
wolfSSL 4:1b0d80432c79 3347 oidSz = sizeof(ECC_384r1_AlgoID);
wolfSSL 4:1b0d80432c79 3348 oid = ECC_384r1_AlgoID;
wolfSSL 4:1b0d80432c79 3349 break;
wolfSSL 4:1b0d80432c79 3350 #endif
wolfSSL 4:1b0d80432c79 3351
wolfSSL 4:1b0d80432c79 3352 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
wolfSSL 4:1b0d80432c79 3353 case 66:
wolfSSL 4:1b0d80432c79 3354 oidSz = sizeof(ECC_521r1_AlgoID);
wolfSSL 4:1b0d80432c79 3355 oid = ECC_521r1_AlgoID;
wolfSSL 4:1b0d80432c79 3356 break;
wolfSSL 4:1b0d80432c79 3357 #endif
wolfSSL 4:1b0d80432c79 3358
wolfSSL 4:1b0d80432c79 3359 default:
wolfSSL 4:1b0d80432c79 3360 return ASN_UNKNOWN_OID_E;
wolfSSL 4:1b0d80432c79 3361 }
wolfSSL 4:1b0d80432c79 3362 lenSz = SetLength(oidSz, output+idx);
wolfSSL 4:1b0d80432c79 3363 idx += lenSz;
wolfSSL 4:1b0d80432c79 3364
wolfSSL 4:1b0d80432c79 3365 XMEMCPY(output+idx, oid, oidSz);
wolfSSL 4:1b0d80432c79 3366 idx += oidSz;
wolfSSL 4:1b0d80432c79 3367
wolfSSL 4:1b0d80432c79 3368 return idx;
wolfSSL 4:1b0d80432c79 3369 }
wolfSSL 4:1b0d80432c79 3370
wolfSSL 4:1b0d80432c79 3371 #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 3372
wolfSSL 4:1b0d80432c79 3373
wolfSSL 4:1b0d80432c79 3374 WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
wolfSSL 4:1b0d80432c79 3375 {
wolfSSL 4:1b0d80432c79 3376 word32 tagSz, idSz, seqSz, algoSz = 0;
wolfSSL 4:1b0d80432c79 3377 const byte* algoName = 0;
wolfSSL 4:1b0d80432c79 3378 byte ID_Length[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 3379 byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
wolfSSL 4:1b0d80432c79 3380
wolfSSL 4:1b0d80432c79 3381 tagSz = (type == hashType || type == sigType ||
wolfSSL 4:1b0d80432c79 3382 (type == keyType && algoOID == RSAk)) ? 2 : 0;
wolfSSL 4:1b0d80432c79 3383
wolfSSL 4:1b0d80432c79 3384 algoName = OidFromId(algoOID, type, &algoSz);
wolfSSL 4:1b0d80432c79 3385
wolfSSL 4:1b0d80432c79 3386 if (algoName == NULL) {
wolfSSL 4:1b0d80432c79 3387 WOLFSSL_MSG("Unknown Algorithm");
wolfSSL 4:1b0d80432c79 3388 return 0;
wolfSSL 4:1b0d80432c79 3389 }
wolfSSL 4:1b0d80432c79 3390
wolfSSL 4:1b0d80432c79 3391 idSz = SetLength(algoSz, ID_Length);
wolfSSL 4:1b0d80432c79 3392 seqSz = SetSequence(idSz + algoSz + 1 + tagSz + curveSz, seqArray);
wolfSSL 4:1b0d80432c79 3393 /* +1 for object id, curveID of curveSz follows for ecc */
wolfSSL 4:1b0d80432c79 3394 seqArray[seqSz++] = ASN_OBJECT_ID;
wolfSSL 4:1b0d80432c79 3395
wolfSSL 4:1b0d80432c79 3396 XMEMCPY(output, seqArray, seqSz);
wolfSSL 4:1b0d80432c79 3397 XMEMCPY(output + seqSz, ID_Length, idSz);
wolfSSL 4:1b0d80432c79 3398 XMEMCPY(output + seqSz + idSz, algoName, algoSz);
wolfSSL 4:1b0d80432c79 3399 if (tagSz == 2) {
wolfSSL 4:1b0d80432c79 3400 output[seqSz + idSz + algoSz] = ASN_TAG_NULL;
wolfSSL 4:1b0d80432c79 3401 output[seqSz + idSz + algoSz + 1] = 0;
wolfSSL 4:1b0d80432c79 3402 }
wolfSSL 4:1b0d80432c79 3403
wolfSSL 4:1b0d80432c79 3404 return seqSz + idSz + algoSz + tagSz;
wolfSSL 4:1b0d80432c79 3405
wolfSSL 4:1b0d80432c79 3406 }
wolfSSL 4:1b0d80432c79 3407
wolfSSL 4:1b0d80432c79 3408
wolfSSL 4:1b0d80432c79 3409 word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
wolfSSL 4:1b0d80432c79 3410 int hashOID)
wolfSSL 4:1b0d80432c79 3411 {
wolfSSL 4:1b0d80432c79 3412 byte digArray[MAX_ENCODED_DIG_SZ];
wolfSSL 4:1b0d80432c79 3413 byte algoArray[MAX_ALGO_SZ];
wolfSSL 4:1b0d80432c79 3414 byte seqArray[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 3415 word32 encDigSz, algoSz, seqSz;
wolfSSL 4:1b0d80432c79 3416
wolfSSL 4:1b0d80432c79 3417 encDigSz = SetDigest(digest, digSz, digArray);
wolfSSL 4:1b0d80432c79 3418 algoSz = SetAlgoID(hashOID, algoArray, hashType, 0);
wolfSSL 4:1b0d80432c79 3419 seqSz = SetSequence(encDigSz + algoSz, seqArray);
wolfSSL 4:1b0d80432c79 3420
wolfSSL 4:1b0d80432c79 3421 XMEMCPY(out, seqArray, seqSz);
wolfSSL 4:1b0d80432c79 3422 XMEMCPY(out + seqSz, algoArray, algoSz);
wolfSSL 4:1b0d80432c79 3423 XMEMCPY(out + seqSz + algoSz, digArray, encDigSz);
wolfSSL 4:1b0d80432c79 3424
wolfSSL 4:1b0d80432c79 3425 return encDigSz + algoSz + seqSz;
wolfSSL 4:1b0d80432c79 3426 }
wolfSSL 4:1b0d80432c79 3427
wolfSSL 4:1b0d80432c79 3428
wolfSSL 4:1b0d80432c79 3429 int wc_GetCTC_HashOID(int type)
wolfSSL 4:1b0d80432c79 3430 {
wolfSSL 4:1b0d80432c79 3431 switch (type) {
wolfSSL 4:1b0d80432c79 3432 #ifdef WOLFSSL_MD2
wolfSSL 4:1b0d80432c79 3433 case MD2:
wolfSSL 4:1b0d80432c79 3434 return MD2h;
wolfSSL 4:1b0d80432c79 3435 #endif
wolfSSL 4:1b0d80432c79 3436 #ifndef NO_MD5
wolfSSL 4:1b0d80432c79 3437 case MD5:
wolfSSL 4:1b0d80432c79 3438 return MD5h;
wolfSSL 4:1b0d80432c79 3439 #endif
wolfSSL 4:1b0d80432c79 3440 #ifndef NO_SHA
wolfSSL 4:1b0d80432c79 3441 case SHA:
wolfSSL 4:1b0d80432c79 3442 return SHAh;
wolfSSL 4:1b0d80432c79 3443 #endif
wolfSSL 4:1b0d80432c79 3444 #ifndef NO_SHA256
wolfSSL 4:1b0d80432c79 3445 case SHA256:
wolfSSL 4:1b0d80432c79 3446 return SHA256h;
wolfSSL 4:1b0d80432c79 3447 #endif
wolfSSL 4:1b0d80432c79 3448 #ifdef WOLFSSL_SHA384
wolfSSL 4:1b0d80432c79 3449 case SHA384:
wolfSSL 4:1b0d80432c79 3450 return SHA384h;
wolfSSL 4:1b0d80432c79 3451 #endif
wolfSSL 4:1b0d80432c79 3452 #ifdef WOLFSSL_SHA512
wolfSSL 4:1b0d80432c79 3453 case SHA512:
wolfSSL 4:1b0d80432c79 3454 return SHA512h;
wolfSSL 4:1b0d80432c79 3455 #endif
wolfSSL 4:1b0d80432c79 3456 default:
wolfSSL 4:1b0d80432c79 3457 return 0;
wolfSSL 4:1b0d80432c79 3458 };
wolfSSL 4:1b0d80432c79 3459 }
wolfSSL 4:1b0d80432c79 3460
wolfSSL 4:1b0d80432c79 3461 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 3462 /* return true (1) or false (0) for Confirmation */
wolfSSL 4:1b0d80432c79 3463 static int ConfirmSignature(const byte* buf, word32 bufSz,
wolfSSL 4:1b0d80432c79 3464 const byte* key, word32 keySz, word32 keyOID,
wolfSSL 4:1b0d80432c79 3465 const byte* sig, word32 sigSz, word32 sigOID,
wolfSSL 4:1b0d80432c79 3466 void* heap)
wolfSSL 4:1b0d80432c79 3467 {
wolfSSL 4:1b0d80432c79 3468 int typeH = 0, digestSz = 0, ret = 0;
wolfSSL 4:1b0d80432c79 3469 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3470 byte* digest;
wolfSSL 4:1b0d80432c79 3471 #else
wolfSSL 4:1b0d80432c79 3472 byte digest[MAX_DIGEST_SIZE];
wolfSSL 4:1b0d80432c79 3473 #endif
wolfSSL 4:1b0d80432c79 3474
wolfSSL 4:1b0d80432c79 3475 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3476 digest = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3477 if (digest == NULL)
wolfSSL 4:1b0d80432c79 3478 return 0; /* not confirmed */
wolfSSL 4:1b0d80432c79 3479 #endif
wolfSSL 4:1b0d80432c79 3480
wolfSSL 4:1b0d80432c79 3481 (void)key;
wolfSSL 4:1b0d80432c79 3482 (void)keySz;
wolfSSL 4:1b0d80432c79 3483 (void)sig;
wolfSSL 4:1b0d80432c79 3484 (void)sigSz;
wolfSSL 4:1b0d80432c79 3485 (void)heap;
wolfSSL 4:1b0d80432c79 3486
wolfSSL 4:1b0d80432c79 3487 switch (sigOID) {
wolfSSL 4:1b0d80432c79 3488 #ifndef NO_MD5
wolfSSL 4:1b0d80432c79 3489 case CTC_MD5wRSA:
wolfSSL 4:1b0d80432c79 3490 if (wc_Md5Hash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3491 typeH = MD5h;
wolfSSL 4:1b0d80432c79 3492 digestSz = MD5_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3493 }
wolfSSL 4:1b0d80432c79 3494 break;
wolfSSL 4:1b0d80432c79 3495 #endif
wolfSSL 4:1b0d80432c79 3496 #if defined(WOLFSSL_MD2)
wolfSSL 4:1b0d80432c79 3497 case CTC_MD2wRSA:
wolfSSL 4:1b0d80432c79 3498 if (wc_Md2Hash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3499 typeH = MD2h;
wolfSSL 4:1b0d80432c79 3500 digestSz = MD2_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3501 }
wolfSSL 4:1b0d80432c79 3502 break;
wolfSSL 4:1b0d80432c79 3503 #endif
wolfSSL 4:1b0d80432c79 3504 #ifndef NO_SHA
wolfSSL 4:1b0d80432c79 3505 case CTC_SHAwRSA:
wolfSSL 4:1b0d80432c79 3506 case CTC_SHAwDSA:
wolfSSL 4:1b0d80432c79 3507 case CTC_SHAwECDSA:
wolfSSL 4:1b0d80432c79 3508 if (wc_ShaHash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3509 typeH = SHAh;
wolfSSL 4:1b0d80432c79 3510 digestSz = SHA_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3511 }
wolfSSL 4:1b0d80432c79 3512 break;
wolfSSL 4:1b0d80432c79 3513 #endif
wolfSSL 4:1b0d80432c79 3514 #ifndef NO_SHA256
wolfSSL 4:1b0d80432c79 3515 case CTC_SHA256wRSA:
wolfSSL 4:1b0d80432c79 3516 case CTC_SHA256wECDSA:
wolfSSL 4:1b0d80432c79 3517 if (wc_Sha256Hash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3518 typeH = SHA256h;
wolfSSL 4:1b0d80432c79 3519 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3520 }
wolfSSL 4:1b0d80432c79 3521 break;
wolfSSL 4:1b0d80432c79 3522 #endif
wolfSSL 4:1b0d80432c79 3523 #ifdef WOLFSSL_SHA512
wolfSSL 4:1b0d80432c79 3524 case CTC_SHA512wRSA:
wolfSSL 4:1b0d80432c79 3525 case CTC_SHA512wECDSA:
wolfSSL 4:1b0d80432c79 3526 if (wc_Sha512Hash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3527 typeH = SHA512h;
wolfSSL 4:1b0d80432c79 3528 digestSz = SHA512_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3529 }
wolfSSL 4:1b0d80432c79 3530 break;
wolfSSL 4:1b0d80432c79 3531 #endif
wolfSSL 4:1b0d80432c79 3532 #ifdef WOLFSSL_SHA384
wolfSSL 4:1b0d80432c79 3533 case CTC_SHA384wRSA:
wolfSSL 4:1b0d80432c79 3534 case CTC_SHA384wECDSA:
wolfSSL 4:1b0d80432c79 3535 if (wc_Sha384Hash(buf, bufSz, digest) == 0) {
wolfSSL 4:1b0d80432c79 3536 typeH = SHA384h;
wolfSSL 4:1b0d80432c79 3537 digestSz = SHA384_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 3538 }
wolfSSL 4:1b0d80432c79 3539 break;
wolfSSL 4:1b0d80432c79 3540 #endif
wolfSSL 4:1b0d80432c79 3541 default:
wolfSSL 4:1b0d80432c79 3542 WOLFSSL_MSG("Verify Signature has unsupported type");
wolfSSL 4:1b0d80432c79 3543 }
wolfSSL 4:1b0d80432c79 3544
wolfSSL 4:1b0d80432c79 3545 if (typeH == 0) {
wolfSSL 4:1b0d80432c79 3546 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3547 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3548 #endif
wolfSSL 4:1b0d80432c79 3549 return 0; /* not confirmed */
wolfSSL 4:1b0d80432c79 3550 }
wolfSSL 4:1b0d80432c79 3551
wolfSSL 4:1b0d80432c79 3552 switch (keyOID) {
wolfSSL 4:1b0d80432c79 3553 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 3554 case RSAk:
wolfSSL 4:1b0d80432c79 3555 {
wolfSSL 4:1b0d80432c79 3556 word32 idx = 0;
wolfSSL 4:1b0d80432c79 3557 int encodedSigSz, verifySz;
wolfSSL 4:1b0d80432c79 3558 byte* out;
wolfSSL 4:1b0d80432c79 3559 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3560 RsaKey* pubKey;
wolfSSL 4:1b0d80432c79 3561 byte* plain;
wolfSSL 4:1b0d80432c79 3562 byte* encodedSig;
wolfSSL 4:1b0d80432c79 3563 #else
wolfSSL 4:1b0d80432c79 3564 RsaKey pubKey[1];
wolfSSL 4:1b0d80432c79 3565 byte plain[MAX_ENCODED_SIG_SZ];
wolfSSL 4:1b0d80432c79 3566 byte encodedSig[MAX_ENCODED_SIG_SZ];
wolfSSL 4:1b0d80432c79 3567 #endif
wolfSSL 4:1b0d80432c79 3568
wolfSSL 4:1b0d80432c79 3569 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3570 pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
wolfSSL 4:1b0d80432c79 3571 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3572 plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL 4:1b0d80432c79 3573 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3574 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL 4:1b0d80432c79 3575 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3576
wolfSSL 4:1b0d80432c79 3577 if (pubKey == NULL || plain == NULL || encodedSig == NULL) {
wolfSSL 4:1b0d80432c79 3578 WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature");
wolfSSL 4:1b0d80432c79 3579
wolfSSL 4:1b0d80432c79 3580 if (pubKey)
wolfSSL 4:1b0d80432c79 3581 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3582 if (plain)
wolfSSL 4:1b0d80432c79 3583 XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3584 if (encodedSig)
wolfSSL 4:1b0d80432c79 3585 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3586
wolfSSL 4:1b0d80432c79 3587 break; /* not confirmed */
wolfSSL 4:1b0d80432c79 3588 }
wolfSSL 4:1b0d80432c79 3589 #endif
wolfSSL 4:1b0d80432c79 3590 if (wc_InitRsaKey(pubKey, heap) != 0) {
wolfSSL 4:1b0d80432c79 3591 WOLFSSL_MSG("InitRsaKey failed");
wolfSSL 4:1b0d80432c79 3592 }
wolfSSL 4:1b0d80432c79 3593 else if (sigSz > MAX_ENCODED_SIG_SZ) {
wolfSSL 4:1b0d80432c79 3594 WOLFSSL_MSG("Verify Signature is too big");
wolfSSL 4:1b0d80432c79 3595 }
wolfSSL 4:1b0d80432c79 3596 else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) {
wolfSSL 4:1b0d80432c79 3597 WOLFSSL_MSG("ASN Key decode error RSA");
wolfSSL 4:1b0d80432c79 3598 }
wolfSSL 4:1b0d80432c79 3599 else {
wolfSSL 4:1b0d80432c79 3600 XMEMCPY(plain, sig, sigSz);
wolfSSL 4:1b0d80432c79 3601
wolfSSL 4:1b0d80432c79 3602 if ((verifySz = wc_RsaSSL_VerifyInline(plain, sigSz, &out,
wolfSSL 4:1b0d80432c79 3603 pubKey)) < 0) {
wolfSSL 4:1b0d80432c79 3604 WOLFSSL_MSG("Rsa SSL verify error");
wolfSSL 4:1b0d80432c79 3605 }
wolfSSL 4:1b0d80432c79 3606 else {
wolfSSL 4:1b0d80432c79 3607 /* make sure we're right justified */
wolfSSL 4:1b0d80432c79 3608 encodedSigSz =
wolfSSL 4:1b0d80432c79 3609 wc_EncodeSignature(encodedSig, digest, digestSz, typeH);
wolfSSL 4:1b0d80432c79 3610 if (encodedSigSz != verifySz ||
wolfSSL 4:1b0d80432c79 3611 XMEMCMP(out, encodedSig, encodedSigSz) != 0) {
wolfSSL 4:1b0d80432c79 3612 WOLFSSL_MSG("Rsa SSL verify match encode error");
wolfSSL 4:1b0d80432c79 3613 }
wolfSSL 4:1b0d80432c79 3614 else
wolfSSL 4:1b0d80432c79 3615 ret = 1; /* match */
wolfSSL 4:1b0d80432c79 3616
wolfSSL 4:1b0d80432c79 3617 #ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL 4:1b0d80432c79 3618 {
wolfSSL 4:1b0d80432c79 3619 int x;
wolfSSL 4:1b0d80432c79 3620
wolfSSL 4:1b0d80432c79 3621 printf("wolfssl encodedSig:\n");
wolfSSL 4:1b0d80432c79 3622
wolfSSL 4:1b0d80432c79 3623 for (x = 0; x < encodedSigSz; x++) {
wolfSSL 4:1b0d80432c79 3624 printf("%02x ", encodedSig[x]);
wolfSSL 4:1b0d80432c79 3625 if ( (x % 16) == 15)
wolfSSL 4:1b0d80432c79 3626 printf("\n");
wolfSSL 4:1b0d80432c79 3627 }
wolfSSL 4:1b0d80432c79 3628
wolfSSL 4:1b0d80432c79 3629 printf("\n");
wolfSSL 4:1b0d80432c79 3630 printf("actual digest:\n");
wolfSSL 4:1b0d80432c79 3631
wolfSSL 4:1b0d80432c79 3632 for (x = 0; x < verifySz; x++) {
wolfSSL 4:1b0d80432c79 3633 printf("%02x ", out[x]);
wolfSSL 4:1b0d80432c79 3634 if ( (x % 16) == 15)
wolfSSL 4:1b0d80432c79 3635 printf("\n");
wolfSSL 4:1b0d80432c79 3636 }
wolfSSL 4:1b0d80432c79 3637
wolfSSL 4:1b0d80432c79 3638 printf("\n");
wolfSSL 4:1b0d80432c79 3639 }
wolfSSL 4:1b0d80432c79 3640 #endif /* WOLFSSL_DEBUG_ENCODING */
wolfSSL 4:1b0d80432c79 3641
wolfSSL 4:1b0d80432c79 3642 }
wolfSSL 4:1b0d80432c79 3643
wolfSSL 4:1b0d80432c79 3644 }
wolfSSL 4:1b0d80432c79 3645
wolfSSL 4:1b0d80432c79 3646 wc_FreeRsaKey(pubKey);
wolfSSL 4:1b0d80432c79 3647
wolfSSL 4:1b0d80432c79 3648 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3649 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3650 XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3651 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3652 #endif
wolfSSL 4:1b0d80432c79 3653 break;
wolfSSL 4:1b0d80432c79 3654 }
wolfSSL 4:1b0d80432c79 3655
wolfSSL 4:1b0d80432c79 3656 #endif /* NO_RSA */
wolfSSL 4:1b0d80432c79 3657 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 3658 case ECDSAk:
wolfSSL 4:1b0d80432c79 3659 {
wolfSSL 4:1b0d80432c79 3660 int verify = 0;
wolfSSL 4:1b0d80432c79 3661 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3662 ecc_key* pubKey;
wolfSSL 4:1b0d80432c79 3663 #else
wolfSSL 4:1b0d80432c79 3664 ecc_key pubKey[1];
wolfSSL 4:1b0d80432c79 3665 #endif
wolfSSL 4:1b0d80432c79 3666
wolfSSL 4:1b0d80432c79 3667 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3668 pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL,
wolfSSL 4:1b0d80432c79 3669 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3670 if (pubKey == NULL) {
wolfSSL 4:1b0d80432c79 3671 WOLFSSL_MSG("Failed to allocate pubKey");
wolfSSL 4:1b0d80432c79 3672 break; /* not confirmed */
wolfSSL 4:1b0d80432c79 3673 }
wolfSSL 4:1b0d80432c79 3674 #endif
wolfSSL 4:1b0d80432c79 3675
wolfSSL 4:1b0d80432c79 3676 if (wc_ecc_init(pubKey) < 0) {
wolfSSL 4:1b0d80432c79 3677 WOLFSSL_MSG("Failed to initialize key");
wolfSSL 4:1b0d80432c79 3678 break; /* not confirmed */
wolfSSL 4:1b0d80432c79 3679 }
wolfSSL 4:1b0d80432c79 3680 if (wc_ecc_import_x963(key, keySz, pubKey) < 0) {
wolfSSL 4:1b0d80432c79 3681 WOLFSSL_MSG("ASN Key import error ECC");
wolfSSL 4:1b0d80432c79 3682 }
wolfSSL 4:1b0d80432c79 3683 else {
wolfSSL 4:1b0d80432c79 3684 if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify,
wolfSSL 4:1b0d80432c79 3685 pubKey) != 0) {
wolfSSL 4:1b0d80432c79 3686 WOLFSSL_MSG("ECC verify hash error");
wolfSSL 4:1b0d80432c79 3687 }
wolfSSL 4:1b0d80432c79 3688 else if (1 != verify) {
wolfSSL 4:1b0d80432c79 3689 WOLFSSL_MSG("ECC Verify didn't match");
wolfSSL 4:1b0d80432c79 3690 } else
wolfSSL 4:1b0d80432c79 3691 ret = 1; /* match */
wolfSSL 4:1b0d80432c79 3692
wolfSSL 4:1b0d80432c79 3693 }
wolfSSL 4:1b0d80432c79 3694 wc_ecc_free(pubKey);
wolfSSL 4:1b0d80432c79 3695
wolfSSL 4:1b0d80432c79 3696 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3697 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3698 #endif
wolfSSL 4:1b0d80432c79 3699 break;
wolfSSL 4:1b0d80432c79 3700 }
wolfSSL 4:1b0d80432c79 3701 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 3702 default:
wolfSSL 4:1b0d80432c79 3703 WOLFSSL_MSG("Verify Key type unknown");
wolfSSL 4:1b0d80432c79 3704 }
wolfSSL 4:1b0d80432c79 3705
wolfSSL 4:1b0d80432c79 3706 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 3707 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 3708 #endif
wolfSSL 4:1b0d80432c79 3709
wolfSSL 4:1b0d80432c79 3710 return ret;
wolfSSL 4:1b0d80432c79 3711 }
wolfSSL 4:1b0d80432c79 3712
wolfSSL 4:1b0d80432c79 3713
wolfSSL 4:1b0d80432c79 3714 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 3715
wolfSSL 4:1b0d80432c79 3716 static int MatchBaseName(int type, const char* name, int nameSz,
wolfSSL 4:1b0d80432c79 3717 const char* base, int baseSz)
wolfSSL 4:1b0d80432c79 3718 {
wolfSSL 4:1b0d80432c79 3719 if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 ||
wolfSSL 4:1b0d80432c79 3720 name[0] == '.' || nameSz < baseSz ||
wolfSSL 4:1b0d80432c79 3721 (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE))
wolfSSL 4:1b0d80432c79 3722 return 0;
wolfSSL 4:1b0d80432c79 3723
wolfSSL 4:1b0d80432c79 3724 /* If an email type, handle special cases where the base is only
wolfSSL 4:1b0d80432c79 3725 * a domain, or is an email address itself. */
wolfSSL 4:1b0d80432c79 3726 if (type == ASN_RFC822_TYPE) {
wolfSSL 4:1b0d80432c79 3727 const char* p = NULL;
wolfSSL 4:1b0d80432c79 3728 int count = 0;
wolfSSL 4:1b0d80432c79 3729
wolfSSL 4:1b0d80432c79 3730 if (base[0] != '.') {
wolfSSL 4:1b0d80432c79 3731 p = base;
wolfSSL 4:1b0d80432c79 3732 count = 0;
wolfSSL 4:1b0d80432c79 3733
wolfSSL 4:1b0d80432c79 3734 /* find the '@' in the base */
wolfSSL 4:1b0d80432c79 3735 while (*p != '@' && count < baseSz) {
wolfSSL 4:1b0d80432c79 3736 count++;
wolfSSL 4:1b0d80432c79 3737 p++;
wolfSSL 4:1b0d80432c79 3738 }
wolfSSL 4:1b0d80432c79 3739
wolfSSL 4:1b0d80432c79 3740 /* No '@' in base, reset p to NULL */
wolfSSL 4:1b0d80432c79 3741 if (count >= baseSz)
wolfSSL 4:1b0d80432c79 3742 p = NULL;
wolfSSL 4:1b0d80432c79 3743 }
wolfSSL 4:1b0d80432c79 3744
wolfSSL 4:1b0d80432c79 3745 if (p == NULL) {
wolfSSL 4:1b0d80432c79 3746 /* Base isn't an email address, it is a domain name,
wolfSSL 4:1b0d80432c79 3747 * wind the name forward one character past its '@'. */
wolfSSL 4:1b0d80432c79 3748 p = name;
wolfSSL 4:1b0d80432c79 3749 count = 0;
wolfSSL 4:1b0d80432c79 3750 while (*p != '@' && count < baseSz) {
wolfSSL 4:1b0d80432c79 3751 count++;
wolfSSL 4:1b0d80432c79 3752 p++;
wolfSSL 4:1b0d80432c79 3753 }
wolfSSL 4:1b0d80432c79 3754
wolfSSL 4:1b0d80432c79 3755 if (count < baseSz && *p == '@') {
wolfSSL 4:1b0d80432c79 3756 name = p + 1;
wolfSSL 4:1b0d80432c79 3757 nameSz -= count + 1;
wolfSSL 4:1b0d80432c79 3758 }
wolfSSL 4:1b0d80432c79 3759 }
wolfSSL 4:1b0d80432c79 3760 }
wolfSSL 4:1b0d80432c79 3761
wolfSSL 4:1b0d80432c79 3762 if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') {
wolfSSL 4:1b0d80432c79 3763 int szAdjust = nameSz - baseSz;
wolfSSL 4:1b0d80432c79 3764 name += szAdjust;
wolfSSL 4:1b0d80432c79 3765 nameSz -= szAdjust;
wolfSSL 4:1b0d80432c79 3766 }
wolfSSL 4:1b0d80432c79 3767
wolfSSL 4:1b0d80432c79 3768 while (nameSz > 0) {
wolfSSL 4:1b0d80432c79 3769 if (XTOLOWER((unsigned char)*name++) !=
wolfSSL 4:1b0d80432c79 3770 XTOLOWER((unsigned char)*base++))
wolfSSL 4:1b0d80432c79 3771 return 0;
wolfSSL 4:1b0d80432c79 3772 nameSz--;
wolfSSL 4:1b0d80432c79 3773 }
wolfSSL 4:1b0d80432c79 3774
wolfSSL 4:1b0d80432c79 3775 return 1;
wolfSSL 4:1b0d80432c79 3776 }
wolfSSL 4:1b0d80432c79 3777
wolfSSL 4:1b0d80432c79 3778
wolfSSL 4:1b0d80432c79 3779 static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 3780 {
wolfSSL 4:1b0d80432c79 3781 if (signer == NULL || cert == NULL)
wolfSSL 4:1b0d80432c79 3782 return 0;
wolfSSL 4:1b0d80432c79 3783
wolfSSL 4:1b0d80432c79 3784 /* Check against the excluded list */
wolfSSL 4:1b0d80432c79 3785 if (signer->excludedNames) {
wolfSSL 4:1b0d80432c79 3786 Base_entry* base = signer->excludedNames;
wolfSSL 4:1b0d80432c79 3787
wolfSSL 4:1b0d80432c79 3788 while (base != NULL) {
wolfSSL 4:1b0d80432c79 3789 if (base->type == ASN_DNS_TYPE) {
wolfSSL 4:1b0d80432c79 3790 DNS_entry* name = cert->altNames;
wolfSSL 4:1b0d80432c79 3791 while (name != NULL) {
wolfSSL 4:1b0d80432c79 3792 if (MatchBaseName(ASN_DNS_TYPE,
wolfSSL 4:1b0d80432c79 3793 name->name, (int)XSTRLEN(name->name),
wolfSSL 4:1b0d80432c79 3794 base->name, base->nameSz))
wolfSSL 4:1b0d80432c79 3795 return 0;
wolfSSL 4:1b0d80432c79 3796 name = name->next;
wolfSSL 4:1b0d80432c79 3797 }
wolfSSL 4:1b0d80432c79 3798 }
wolfSSL 4:1b0d80432c79 3799 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 4:1b0d80432c79 3800 DNS_entry* name = cert->altEmailNames;
wolfSSL 4:1b0d80432c79 3801 while (name != NULL) {
wolfSSL 4:1b0d80432c79 3802 if (MatchBaseName(ASN_RFC822_TYPE,
wolfSSL 4:1b0d80432c79 3803 name->name, (int)XSTRLEN(name->name),
wolfSSL 4:1b0d80432c79 3804 base->name, base->nameSz))
wolfSSL 4:1b0d80432c79 3805 return 0;
wolfSSL 4:1b0d80432c79 3806
wolfSSL 4:1b0d80432c79 3807 name = name->next;
wolfSSL 4:1b0d80432c79 3808 }
wolfSSL 4:1b0d80432c79 3809 }
wolfSSL 4:1b0d80432c79 3810 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 4:1b0d80432c79 3811 if (cert->subjectRawLen == base->nameSz &&
wolfSSL 4:1b0d80432c79 3812 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 4:1b0d80432c79 3813
wolfSSL 4:1b0d80432c79 3814 return 0;
wolfSSL 4:1b0d80432c79 3815 }
wolfSSL 4:1b0d80432c79 3816 }
wolfSSL 4:1b0d80432c79 3817 base = base->next;
wolfSSL 4:1b0d80432c79 3818 }
wolfSSL 4:1b0d80432c79 3819 }
wolfSSL 4:1b0d80432c79 3820
wolfSSL 4:1b0d80432c79 3821 /* Check against the permitted list */
wolfSSL 4:1b0d80432c79 3822 if (signer->permittedNames != NULL) {
wolfSSL 4:1b0d80432c79 3823 int needDns = 0;
wolfSSL 4:1b0d80432c79 3824 int matchDns = 0;
wolfSSL 4:1b0d80432c79 3825 int needEmail = 0;
wolfSSL 4:1b0d80432c79 3826 int matchEmail = 0;
wolfSSL 4:1b0d80432c79 3827 int needDir = 0;
wolfSSL 4:1b0d80432c79 3828 int matchDir = 0;
wolfSSL 4:1b0d80432c79 3829 Base_entry* base = signer->permittedNames;
wolfSSL 4:1b0d80432c79 3830
wolfSSL 4:1b0d80432c79 3831 while (base != NULL) {
wolfSSL 4:1b0d80432c79 3832 if (base->type == ASN_DNS_TYPE) {
wolfSSL 4:1b0d80432c79 3833 DNS_entry* name = cert->altNames;
wolfSSL 4:1b0d80432c79 3834
wolfSSL 4:1b0d80432c79 3835 if (name != NULL)
wolfSSL 4:1b0d80432c79 3836 needDns = 1;
wolfSSL 4:1b0d80432c79 3837
wolfSSL 4:1b0d80432c79 3838 while (name != NULL) {
wolfSSL 4:1b0d80432c79 3839 matchDns = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 4:1b0d80432c79 3840 name->name, (int)XSTRLEN(name->name),
wolfSSL 4:1b0d80432c79 3841 base->name, base->nameSz);
wolfSSL 4:1b0d80432c79 3842 name = name->next;
wolfSSL 4:1b0d80432c79 3843 }
wolfSSL 4:1b0d80432c79 3844 }
wolfSSL 4:1b0d80432c79 3845 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 4:1b0d80432c79 3846 DNS_entry* name = cert->altEmailNames;
wolfSSL 4:1b0d80432c79 3847
wolfSSL 4:1b0d80432c79 3848 if (name != NULL)
wolfSSL 4:1b0d80432c79 3849 needEmail = 1;
wolfSSL 4:1b0d80432c79 3850
wolfSSL 4:1b0d80432c79 3851 while (name != NULL) {
wolfSSL 4:1b0d80432c79 3852 matchEmail = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 4:1b0d80432c79 3853 name->name, (int)XSTRLEN(name->name),
wolfSSL 4:1b0d80432c79 3854 base->name, base->nameSz);
wolfSSL 4:1b0d80432c79 3855 name = name->next;
wolfSSL 4:1b0d80432c79 3856 }
wolfSSL 4:1b0d80432c79 3857 }
wolfSSL 4:1b0d80432c79 3858 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 4:1b0d80432c79 3859 needDir = 1;
wolfSSL 4:1b0d80432c79 3860 if (cert->subjectRaw != NULL &&
wolfSSL 4:1b0d80432c79 3861 cert->subjectRawLen == base->nameSz &&
wolfSSL 4:1b0d80432c79 3862 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 4:1b0d80432c79 3863
wolfSSL 4:1b0d80432c79 3864 matchDir = 1;
wolfSSL 4:1b0d80432c79 3865 }
wolfSSL 4:1b0d80432c79 3866 }
wolfSSL 4:1b0d80432c79 3867 base = base->next;
wolfSSL 4:1b0d80432c79 3868 }
wolfSSL 4:1b0d80432c79 3869
wolfSSL 4:1b0d80432c79 3870 if ((needDns && !matchDns) || (needEmail && !matchEmail) ||
wolfSSL 4:1b0d80432c79 3871 (needDir && !matchDir)) {
wolfSSL 4:1b0d80432c79 3872
wolfSSL 4:1b0d80432c79 3873 return 0;
wolfSSL 4:1b0d80432c79 3874 }
wolfSSL 4:1b0d80432c79 3875 }
wolfSSL 4:1b0d80432c79 3876
wolfSSL 4:1b0d80432c79 3877 return 1;
wolfSSL 4:1b0d80432c79 3878 }
wolfSSL 4:1b0d80432c79 3879
wolfSSL 4:1b0d80432c79 3880 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 3881
wolfSSL 4:1b0d80432c79 3882
wolfSSL 4:1b0d80432c79 3883 static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 3884 {
wolfSSL 4:1b0d80432c79 3885 word32 idx = 0;
wolfSSL 4:1b0d80432c79 3886 int length = 0;
wolfSSL 4:1b0d80432c79 3887
wolfSSL 4:1b0d80432c79 3888 WOLFSSL_ENTER("DecodeAltNames");
wolfSSL 4:1b0d80432c79 3889
wolfSSL 4:1b0d80432c79 3890 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 3891 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 4:1b0d80432c79 3892 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3893 }
wolfSSL 4:1b0d80432c79 3894
wolfSSL 4:1b0d80432c79 3895 cert->weOwnAltNames = 1;
wolfSSL 4:1b0d80432c79 3896
wolfSSL 4:1b0d80432c79 3897 while (length > 0) {
wolfSSL 4:1b0d80432c79 3898 byte b = input[idx++];
wolfSSL 4:1b0d80432c79 3899
wolfSSL 4:1b0d80432c79 3900 length--;
wolfSSL 4:1b0d80432c79 3901
wolfSSL 4:1b0d80432c79 3902 /* Save DNS Type names in the altNames list. */
wolfSSL 4:1b0d80432c79 3903 /* Save Other Type names in the cert's OidMap */
wolfSSL 4:1b0d80432c79 3904 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
wolfSSL 4:1b0d80432c79 3905 DNS_entry* dnsEntry;
wolfSSL 4:1b0d80432c79 3906 int strLen;
wolfSSL 4:1b0d80432c79 3907 word32 lenStartIdx = idx;
wolfSSL 4:1b0d80432c79 3908
wolfSSL 4:1b0d80432c79 3909 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 3910 WOLFSSL_MSG("\tfail: str length");
wolfSSL 4:1b0d80432c79 3911 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3912 }
wolfSSL 4:1b0d80432c79 3913 length -= (idx - lenStartIdx);
wolfSSL 4:1b0d80432c79 3914
wolfSSL 4:1b0d80432c79 3915 dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 4:1b0d80432c79 3916 DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3917 if (dnsEntry == NULL) {
wolfSSL 4:1b0d80432c79 3918 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 3919 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3920 }
wolfSSL 4:1b0d80432c79 3921
wolfSSL 4:1b0d80432c79 3922 dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 4:1b0d80432c79 3923 DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3924 if (dnsEntry->name == NULL) {
wolfSSL 4:1b0d80432c79 3925 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 3926 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3927 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3928 }
wolfSSL 4:1b0d80432c79 3929
wolfSSL 4:1b0d80432c79 3930 XMEMCPY(dnsEntry->name, &input[idx], strLen);
wolfSSL 4:1b0d80432c79 3931 dnsEntry->name[strLen] = '\0';
wolfSSL 4:1b0d80432c79 3932
wolfSSL 4:1b0d80432c79 3933 dnsEntry->next = cert->altNames;
wolfSSL 4:1b0d80432c79 3934 cert->altNames = dnsEntry;
wolfSSL 4:1b0d80432c79 3935
wolfSSL 4:1b0d80432c79 3936 length -= strLen;
wolfSSL 4:1b0d80432c79 3937 idx += strLen;
wolfSSL 4:1b0d80432c79 3938 }
wolfSSL 4:1b0d80432c79 3939 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 3940 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
wolfSSL 4:1b0d80432c79 3941 DNS_entry* emailEntry;
wolfSSL 4:1b0d80432c79 3942 int strLen;
wolfSSL 4:1b0d80432c79 3943 word32 lenStartIdx = idx;
wolfSSL 4:1b0d80432c79 3944
wolfSSL 4:1b0d80432c79 3945 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 3946 WOLFSSL_MSG("\tfail: str length");
wolfSSL 4:1b0d80432c79 3947 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3948 }
wolfSSL 4:1b0d80432c79 3949 length -= (idx - lenStartIdx);
wolfSSL 4:1b0d80432c79 3950
wolfSSL 4:1b0d80432c79 3951 emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 4:1b0d80432c79 3952 DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3953 if (emailEntry == NULL) {
wolfSSL 4:1b0d80432c79 3954 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 3955 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3956 }
wolfSSL 4:1b0d80432c79 3957
wolfSSL 4:1b0d80432c79 3958 emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 4:1b0d80432c79 3959 DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3960 if (emailEntry->name == NULL) {
wolfSSL 4:1b0d80432c79 3961 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 3962 XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 3963 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3964 }
wolfSSL 4:1b0d80432c79 3965
wolfSSL 4:1b0d80432c79 3966 XMEMCPY(emailEntry->name, &input[idx], strLen);
wolfSSL 4:1b0d80432c79 3967 emailEntry->name[strLen] = '\0';
wolfSSL 4:1b0d80432c79 3968
wolfSSL 4:1b0d80432c79 3969 emailEntry->next = cert->altEmailNames;
wolfSSL 4:1b0d80432c79 3970 cert->altEmailNames = emailEntry;
wolfSSL 4:1b0d80432c79 3971
wolfSSL 4:1b0d80432c79 3972 length -= strLen;
wolfSSL 4:1b0d80432c79 3973 idx += strLen;
wolfSSL 4:1b0d80432c79 3974 }
wolfSSL 4:1b0d80432c79 3975 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 3976 #ifdef WOLFSSL_SEP
wolfSSL 4:1b0d80432c79 3977 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
wolfSSL 4:1b0d80432c79 3978 {
wolfSSL 4:1b0d80432c79 3979 int strLen;
wolfSSL 4:1b0d80432c79 3980 word32 lenStartIdx = idx;
wolfSSL 4:1b0d80432c79 3981 word32 oid = 0;
wolfSSL 4:1b0d80432c79 3982
wolfSSL 4:1b0d80432c79 3983 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 3984 WOLFSSL_MSG("\tfail: other name length");
wolfSSL 4:1b0d80432c79 3985 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3986 }
wolfSSL 4:1b0d80432c79 3987 /* Consume the rest of this sequence. */
wolfSSL 4:1b0d80432c79 3988 length -= (strLen + idx - lenStartIdx);
wolfSSL 4:1b0d80432c79 3989
wolfSSL 4:1b0d80432c79 3990 if (GetObjectId(input, &idx, &oid, certAltNameType, sz) < 0) {
wolfSSL 4:1b0d80432c79 3991 WOLFSSL_MSG("\tbad OID");
wolfSSL 4:1b0d80432c79 3992 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3993 }
wolfSSL 4:1b0d80432c79 3994
wolfSSL 4:1b0d80432c79 3995 if (oid != HW_NAME_OID) {
wolfSSL 4:1b0d80432c79 3996 WOLFSSL_MSG("\tincorrect OID");
wolfSSL 4:1b0d80432c79 3997 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 3998 }
wolfSSL 4:1b0d80432c79 3999
wolfSSL 4:1b0d80432c79 4000 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 4:1b0d80432c79 4001 WOLFSSL_MSG("\twrong type");
wolfSSL 4:1b0d80432c79 4002 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4003 }
wolfSSL 4:1b0d80432c79 4004
wolfSSL 4:1b0d80432c79 4005 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 4006 WOLFSSL_MSG("\tfail: str len");
wolfSSL 4:1b0d80432c79 4007 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4008 }
wolfSSL 4:1b0d80432c79 4009
wolfSSL 4:1b0d80432c79 4010 if (GetSequence(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 4011 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 4:1b0d80432c79 4012 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4013 }
wolfSSL 4:1b0d80432c79 4014
wolfSSL 4:1b0d80432c79 4015 if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 4016 WOLFSSL_MSG("\texpected OID");
wolfSSL 4:1b0d80432c79 4017 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4018 }
wolfSSL 4:1b0d80432c79 4019
wolfSSL 4:1b0d80432c79 4020 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 4021 WOLFSSL_MSG("\tfailed: str len");
wolfSSL 4:1b0d80432c79 4022 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4023 }
wolfSSL 4:1b0d80432c79 4024
wolfSSL 4:1b0d80432c79 4025 cert->hwType = (byte*)XMALLOC(strLen, cert->heap,
wolfSSL 4:1b0d80432c79 4026 DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 4027 if (cert->hwType == NULL) {
wolfSSL 4:1b0d80432c79 4028 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 4029 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4030 }
wolfSSL 4:1b0d80432c79 4031
wolfSSL 4:1b0d80432c79 4032 XMEMCPY(cert->hwType, &input[idx], strLen);
wolfSSL 4:1b0d80432c79 4033 cert->hwTypeSz = strLen;
wolfSSL 4:1b0d80432c79 4034 idx += strLen;
wolfSSL 4:1b0d80432c79 4035
wolfSSL 4:1b0d80432c79 4036 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 4037 WOLFSSL_MSG("\texpected Octet String");
wolfSSL 4:1b0d80432c79 4038 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4039 }
wolfSSL 4:1b0d80432c79 4040
wolfSSL 4:1b0d80432c79 4041 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 4042 WOLFSSL_MSG("\tfailed: str len");
wolfSSL 4:1b0d80432c79 4043 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4044 }
wolfSSL 4:1b0d80432c79 4045
wolfSSL 4:1b0d80432c79 4046 cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 4:1b0d80432c79 4047 DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 4048 if (cert->hwSerialNum == NULL) {
wolfSSL 4:1b0d80432c79 4049 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 4:1b0d80432c79 4050 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4051 }
wolfSSL 4:1b0d80432c79 4052
wolfSSL 4:1b0d80432c79 4053 XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
wolfSSL 4:1b0d80432c79 4054 cert->hwSerialNum[strLen] = '\0';
wolfSSL 4:1b0d80432c79 4055 cert->hwSerialNumSz = strLen;
wolfSSL 4:1b0d80432c79 4056 idx += strLen;
wolfSSL 4:1b0d80432c79 4057 }
wolfSSL 4:1b0d80432c79 4058 #endif /* WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 4059 else {
wolfSSL 4:1b0d80432c79 4060 int strLen;
wolfSSL 4:1b0d80432c79 4061 word32 lenStartIdx = idx;
wolfSSL 4:1b0d80432c79 4062
wolfSSL 4:1b0d80432c79 4063 WOLFSSL_MSG("\tUnsupported name type, skipping");
wolfSSL 4:1b0d80432c79 4064
wolfSSL 4:1b0d80432c79 4065 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 4:1b0d80432c79 4066 WOLFSSL_MSG("\tfail: unsupported name length");
wolfSSL 4:1b0d80432c79 4067 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4068 }
wolfSSL 4:1b0d80432c79 4069 length -= (strLen + idx - lenStartIdx);
wolfSSL 4:1b0d80432c79 4070 idx += strLen;
wolfSSL 4:1b0d80432c79 4071 }
wolfSSL 4:1b0d80432c79 4072 }
wolfSSL 4:1b0d80432c79 4073 return 0;
wolfSSL 4:1b0d80432c79 4074 }
wolfSSL 4:1b0d80432c79 4075
wolfSSL 4:1b0d80432c79 4076
wolfSSL 4:1b0d80432c79 4077 static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4078 {
wolfSSL 4:1b0d80432c79 4079 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4080 int length = 0;
wolfSSL 4:1b0d80432c79 4081
wolfSSL 4:1b0d80432c79 4082 WOLFSSL_ENTER("DecodeBasicCaConstraint");
wolfSSL 4:1b0d80432c79 4083 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4084 WOLFSSL_MSG("\tfail: bad SEQUENCE");
wolfSSL 4:1b0d80432c79 4085 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4086 }
wolfSSL 4:1b0d80432c79 4087
wolfSSL 4:1b0d80432c79 4088 if (length == 0)
wolfSSL 4:1b0d80432c79 4089 return 0;
wolfSSL 4:1b0d80432c79 4090
wolfSSL 4:1b0d80432c79 4091 /* If the basic ca constraint is false, this extension may be named, but
wolfSSL 4:1b0d80432c79 4092 * left empty. So, if the length is 0, just return. */
wolfSSL 4:1b0d80432c79 4093
wolfSSL 4:1b0d80432c79 4094 if (input[idx++] != ASN_BOOLEAN)
wolfSSL 4:1b0d80432c79 4095 {
wolfSSL 4:1b0d80432c79 4096 WOLFSSL_MSG("\tfail: constraint not BOOLEAN");
wolfSSL 4:1b0d80432c79 4097 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4098 }
wolfSSL 4:1b0d80432c79 4099
wolfSSL 4:1b0d80432c79 4100 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4101 {
wolfSSL 4:1b0d80432c79 4102 WOLFSSL_MSG("\tfail: length");
wolfSSL 4:1b0d80432c79 4103 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4104 }
wolfSSL 4:1b0d80432c79 4105
wolfSSL 4:1b0d80432c79 4106 if (input[idx++])
wolfSSL 4:1b0d80432c79 4107 cert->isCA = 1;
wolfSSL 4:1b0d80432c79 4108
wolfSSL 4:1b0d80432c79 4109 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4110 /* If there isn't any more data, return. */
wolfSSL 4:1b0d80432c79 4111 if (idx >= (word32)sz)
wolfSSL 4:1b0d80432c79 4112 return 0;
wolfSSL 4:1b0d80432c79 4113
wolfSSL 4:1b0d80432c79 4114 /* Anything left should be the optional pathlength */
wolfSSL 4:1b0d80432c79 4115 if (input[idx++] != ASN_INTEGER) {
wolfSSL 4:1b0d80432c79 4116 WOLFSSL_MSG("\tfail: pathlen not INTEGER");
wolfSSL 4:1b0d80432c79 4117 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4118 }
wolfSSL 4:1b0d80432c79 4119
wolfSSL 4:1b0d80432c79 4120 if (input[idx++] != 1) {
wolfSSL 4:1b0d80432c79 4121 WOLFSSL_MSG("\tfail: pathlen too long");
wolfSSL 4:1b0d80432c79 4122 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4123 }
wolfSSL 4:1b0d80432c79 4124
wolfSSL 4:1b0d80432c79 4125 cert->pathLength = input[idx];
wolfSSL 4:1b0d80432c79 4126 cert->extBasicConstPlSet = 1;
wolfSSL 4:1b0d80432c79 4127 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 4128
wolfSSL 4:1b0d80432c79 4129 return 0;
wolfSSL 4:1b0d80432c79 4130 }
wolfSSL 4:1b0d80432c79 4131
wolfSSL 4:1b0d80432c79 4132
wolfSSL 4:1b0d80432c79 4133 #define CRLDP_FULL_NAME 0
wolfSSL 4:1b0d80432c79 4134 /* From RFC3280 SS4.2.1.14, Distribution Point Name*/
wolfSSL 4:1b0d80432c79 4135 #define GENERALNAME_URI 6
wolfSSL 4:1b0d80432c79 4136 /* From RFC3280 SS4.2.1.7, GeneralName */
wolfSSL 4:1b0d80432c79 4137
wolfSSL 4:1b0d80432c79 4138 static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4139 {
wolfSSL 4:1b0d80432c79 4140 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4141 int length = 0;
wolfSSL 4:1b0d80432c79 4142
wolfSSL 4:1b0d80432c79 4143 WOLFSSL_ENTER("DecodeCrlDist");
wolfSSL 4:1b0d80432c79 4144
wolfSSL 4:1b0d80432c79 4145 /* Unwrap the list of Distribution Points*/
wolfSSL 4:1b0d80432c79 4146 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4147 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4148
wolfSSL 4:1b0d80432c79 4149 /* Unwrap a single Distribution Point */
wolfSSL 4:1b0d80432c79 4150 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4151 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4152
wolfSSL 4:1b0d80432c79 4153 /* The Distribution Point has three explicit optional members
wolfSSL 4:1b0d80432c79 4154 * First check for a DistributionPointName
wolfSSL 4:1b0d80432c79 4155 */
wolfSSL 4:1b0d80432c79 4156 if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
wolfSSL 4:1b0d80432c79 4157 {
wolfSSL 4:1b0d80432c79 4158 idx++;
wolfSSL 4:1b0d80432c79 4159 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4160 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4161
wolfSSL 4:1b0d80432c79 4162 if (input[idx] ==
wolfSSL 4:1b0d80432c79 4163 (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME))
wolfSSL 4:1b0d80432c79 4164 {
wolfSSL 4:1b0d80432c79 4165 idx++;
wolfSSL 4:1b0d80432c79 4166 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4167 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4168
wolfSSL 4:1b0d80432c79 4169 if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
wolfSSL 4:1b0d80432c79 4170 {
wolfSSL 4:1b0d80432c79 4171 idx++;
wolfSSL 4:1b0d80432c79 4172 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4173 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4174
wolfSSL 4:1b0d80432c79 4175 cert->extCrlInfoSz = length;
wolfSSL 4:1b0d80432c79 4176 cert->extCrlInfo = input + idx;
wolfSSL 4:1b0d80432c79 4177 idx += length;
wolfSSL 4:1b0d80432c79 4178 }
wolfSSL 4:1b0d80432c79 4179 else
wolfSSL 4:1b0d80432c79 4180 /* This isn't a URI, skip it. */
wolfSSL 4:1b0d80432c79 4181 idx += length;
wolfSSL 4:1b0d80432c79 4182 }
wolfSSL 4:1b0d80432c79 4183 else
wolfSSL 4:1b0d80432c79 4184 /* This isn't a FULLNAME, skip it. */
wolfSSL 4:1b0d80432c79 4185 idx += length;
wolfSSL 4:1b0d80432c79 4186 }
wolfSSL 4:1b0d80432c79 4187
wolfSSL 4:1b0d80432c79 4188 /* Check for reasonFlags */
wolfSSL 4:1b0d80432c79 4189 if (idx < (word32)sz &&
wolfSSL 4:1b0d80432c79 4190 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 4:1b0d80432c79 4191 {
wolfSSL 4:1b0d80432c79 4192 idx++;
wolfSSL 4:1b0d80432c79 4193 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4194 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4195 idx += length;
wolfSSL 4:1b0d80432c79 4196 }
wolfSSL 4:1b0d80432c79 4197
wolfSSL 4:1b0d80432c79 4198 /* Check for cRLIssuer */
wolfSSL 4:1b0d80432c79 4199 if (idx < (word32)sz &&
wolfSSL 4:1b0d80432c79 4200 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2))
wolfSSL 4:1b0d80432c79 4201 {
wolfSSL 4:1b0d80432c79 4202 idx++;
wolfSSL 4:1b0d80432c79 4203 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4204 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4205 idx += length;
wolfSSL 4:1b0d80432c79 4206 }
wolfSSL 4:1b0d80432c79 4207
wolfSSL 4:1b0d80432c79 4208 if (idx < (word32)sz)
wolfSSL 4:1b0d80432c79 4209 {
wolfSSL 4:1b0d80432c79 4210 WOLFSSL_MSG("\tThere are more CRL Distribution Point records, "
wolfSSL 4:1b0d80432c79 4211 "but we only use the first one.");
wolfSSL 4:1b0d80432c79 4212 }
wolfSSL 4:1b0d80432c79 4213
wolfSSL 4:1b0d80432c79 4214 return 0;
wolfSSL 4:1b0d80432c79 4215 }
wolfSSL 4:1b0d80432c79 4216
wolfSSL 4:1b0d80432c79 4217
wolfSSL 4:1b0d80432c79 4218 static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4219 /*
wolfSSL 4:1b0d80432c79 4220 * Read the first of the Authority Information Access records. If there are
wolfSSL 4:1b0d80432c79 4221 * any issues, return without saving the record.
wolfSSL 4:1b0d80432c79 4222 */
wolfSSL 4:1b0d80432c79 4223 {
wolfSSL 4:1b0d80432c79 4224 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4225 int length = 0;
wolfSSL 4:1b0d80432c79 4226 byte b;
wolfSSL 4:1b0d80432c79 4227 word32 oid;
wolfSSL 4:1b0d80432c79 4228
wolfSSL 4:1b0d80432c79 4229 WOLFSSL_ENTER("DecodeAuthInfo");
wolfSSL 4:1b0d80432c79 4230
wolfSSL 4:1b0d80432c79 4231 /* Unwrap the list of AIAs */
wolfSSL 4:1b0d80432c79 4232 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4233 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4234
wolfSSL 4:1b0d80432c79 4235 while (idx < (word32)sz) {
wolfSSL 4:1b0d80432c79 4236 /* Unwrap a single AIA */
wolfSSL 4:1b0d80432c79 4237 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4238 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4239
wolfSSL 4:1b0d80432c79 4240 oid = 0;
wolfSSL 4:1b0d80432c79 4241 if (GetObjectId(input, &idx, &oid, certAuthInfoType, sz) < 0)
wolfSSL 4:1b0d80432c79 4242 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4243
wolfSSL 4:1b0d80432c79 4244 /* Only supporting URIs right now. */
wolfSSL 4:1b0d80432c79 4245 b = input[idx++];
wolfSSL 4:1b0d80432c79 4246 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 4:1b0d80432c79 4247 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4248
wolfSSL 4:1b0d80432c79 4249 if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
wolfSSL 4:1b0d80432c79 4250 oid == AIA_OCSP_OID)
wolfSSL 4:1b0d80432c79 4251 {
wolfSSL 4:1b0d80432c79 4252 cert->extAuthInfoSz = length;
wolfSSL 4:1b0d80432c79 4253 cert->extAuthInfo = input + idx;
wolfSSL 4:1b0d80432c79 4254 break;
wolfSSL 4:1b0d80432c79 4255 }
wolfSSL 4:1b0d80432c79 4256 idx += length;
wolfSSL 4:1b0d80432c79 4257 }
wolfSSL 4:1b0d80432c79 4258
wolfSSL 4:1b0d80432c79 4259 return 0;
wolfSSL 4:1b0d80432c79 4260 }
wolfSSL 4:1b0d80432c79 4261
wolfSSL 4:1b0d80432c79 4262
wolfSSL 4:1b0d80432c79 4263 static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4264 {
wolfSSL 4:1b0d80432c79 4265 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4266 int length = 0, ret = 0;
wolfSSL 4:1b0d80432c79 4267
wolfSSL 4:1b0d80432c79 4268 WOLFSSL_ENTER("DecodeAuthKeyId");
wolfSSL 4:1b0d80432c79 4269
wolfSSL 4:1b0d80432c79 4270 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4271 WOLFSSL_MSG("\tfail: should be a SEQUENCE\n");
wolfSSL 4:1b0d80432c79 4272 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4273 }
wolfSSL 4:1b0d80432c79 4274
wolfSSL 4:1b0d80432c79 4275 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
wolfSSL 4:1b0d80432c79 4276 WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
wolfSSL 4:1b0d80432c79 4277 return 0;
wolfSSL 4:1b0d80432c79 4278 }
wolfSSL 4:1b0d80432c79 4279
wolfSSL 4:1b0d80432c79 4280 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4281 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 4:1b0d80432c79 4282 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4283 }
wolfSSL 4:1b0d80432c79 4284
wolfSSL 4:1b0d80432c79 4285 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4286 cert->extAuthKeyIdSrc = &input[idx];
wolfSSL 4:1b0d80432c79 4287 cert->extAuthKeyIdSz = length;
wolfSSL 4:1b0d80432c79 4288 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 4289
wolfSSL 4:1b0d80432c79 4290 if (length == KEYID_SIZE) {
wolfSSL 4:1b0d80432c79 4291 XMEMCPY(cert->extAuthKeyId, input + idx, length);
wolfSSL 4:1b0d80432c79 4292 }
wolfSSL 4:1b0d80432c79 4293 else {
wolfSSL 4:1b0d80432c79 4294 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 4295 ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId);
wolfSSL 4:1b0d80432c79 4296 #else
wolfSSL 4:1b0d80432c79 4297 ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId);
wolfSSL 4:1b0d80432c79 4298 #endif
wolfSSL 4:1b0d80432c79 4299 }
wolfSSL 4:1b0d80432c79 4300
wolfSSL 4:1b0d80432c79 4301 return ret;
wolfSSL 4:1b0d80432c79 4302 }
wolfSSL 4:1b0d80432c79 4303
wolfSSL 4:1b0d80432c79 4304
wolfSSL 4:1b0d80432c79 4305 static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4306 {
wolfSSL 4:1b0d80432c79 4307 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4308 int length = 0, ret = 0;
wolfSSL 4:1b0d80432c79 4309
wolfSSL 4:1b0d80432c79 4310 WOLFSSL_ENTER("DecodeSubjKeyId");
wolfSSL 4:1b0d80432c79 4311
wolfSSL 4:1b0d80432c79 4312 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 4313 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 4:1b0d80432c79 4314 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4315 }
wolfSSL 4:1b0d80432c79 4316
wolfSSL 4:1b0d80432c79 4317 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4318 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 4:1b0d80432c79 4319 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4320 }
wolfSSL 4:1b0d80432c79 4321
wolfSSL 4:1b0d80432c79 4322 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4323 cert->extSubjKeyIdSrc = &input[idx];
wolfSSL 4:1b0d80432c79 4324 cert->extSubjKeyIdSz = length;
wolfSSL 4:1b0d80432c79 4325 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 4326
wolfSSL 4:1b0d80432c79 4327 if (length == SIGNER_DIGEST_SIZE) {
wolfSSL 4:1b0d80432c79 4328 XMEMCPY(cert->extSubjKeyId, input + idx, length);
wolfSSL 4:1b0d80432c79 4329 }
wolfSSL 4:1b0d80432c79 4330 else {
wolfSSL 4:1b0d80432c79 4331 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 4332 ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId);
wolfSSL 4:1b0d80432c79 4333 #else
wolfSSL 4:1b0d80432c79 4334 ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId);
wolfSSL 4:1b0d80432c79 4335 #endif
wolfSSL 4:1b0d80432c79 4336 }
wolfSSL 4:1b0d80432c79 4337
wolfSSL 4:1b0d80432c79 4338 return ret;
wolfSSL 4:1b0d80432c79 4339 }
wolfSSL 4:1b0d80432c79 4340
wolfSSL 4:1b0d80432c79 4341
wolfSSL 4:1b0d80432c79 4342 static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4343 {
wolfSSL 4:1b0d80432c79 4344 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4345 int length;
wolfSSL 4:1b0d80432c79 4346 WOLFSSL_ENTER("DecodeKeyUsage");
wolfSSL 4:1b0d80432c79 4347
wolfSSL 4:1b0d80432c79 4348 if (input[idx++] != ASN_BIT_STRING) {
wolfSSL 4:1b0d80432c79 4349 WOLFSSL_MSG("\tfail: key usage expected bit string");
wolfSSL 4:1b0d80432c79 4350 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4351 }
wolfSSL 4:1b0d80432c79 4352
wolfSSL 4:1b0d80432c79 4353 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4354 WOLFSSL_MSG("\tfail: key usage bad length");
wolfSSL 4:1b0d80432c79 4355 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4356 }
wolfSSL 4:1b0d80432c79 4357
wolfSSL 4:1b0d80432c79 4358 /* pass the unusedBits value */
wolfSSL 4:1b0d80432c79 4359 idx++; length--;
wolfSSL 4:1b0d80432c79 4360
wolfSSL 4:1b0d80432c79 4361 cert->extKeyUsage = (word16)(input[idx]);
wolfSSL 4:1b0d80432c79 4362 if (length == 2)
wolfSSL 4:1b0d80432c79 4363 cert->extKeyUsage |= (word16)(input[idx+1] << 8);
wolfSSL 4:1b0d80432c79 4364
wolfSSL 4:1b0d80432c79 4365 return 0;
wolfSSL 4:1b0d80432c79 4366 }
wolfSSL 4:1b0d80432c79 4367
wolfSSL 4:1b0d80432c79 4368
wolfSSL 4:1b0d80432c79 4369 static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4370 {
wolfSSL 4:1b0d80432c79 4371 word32 idx = 0, oid;
wolfSSL 4:1b0d80432c79 4372 int length;
wolfSSL 4:1b0d80432c79 4373
wolfSSL 4:1b0d80432c79 4374 WOLFSSL_ENTER("DecodeExtKeyUsage");
wolfSSL 4:1b0d80432c79 4375
wolfSSL 4:1b0d80432c79 4376 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4377 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 4:1b0d80432c79 4378 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4379 }
wolfSSL 4:1b0d80432c79 4380
wolfSSL 4:1b0d80432c79 4381 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4382 cert->extExtKeyUsageSrc = input + idx;
wolfSSL 4:1b0d80432c79 4383 cert->extExtKeyUsageSz = length;
wolfSSL 4:1b0d80432c79 4384 #endif
wolfSSL 4:1b0d80432c79 4385
wolfSSL 4:1b0d80432c79 4386 while (idx < (word32)sz) {
wolfSSL 4:1b0d80432c79 4387 if (GetObjectId(input, &idx, &oid, certKeyUseType, sz) < 0)
wolfSSL 4:1b0d80432c79 4388 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4389
wolfSSL 4:1b0d80432c79 4390 switch (oid) {
wolfSSL 4:1b0d80432c79 4391 case EKU_ANY_OID:
wolfSSL 4:1b0d80432c79 4392 cert->extExtKeyUsage |= EXTKEYUSE_ANY;
wolfSSL 4:1b0d80432c79 4393 break;
wolfSSL 4:1b0d80432c79 4394 case EKU_SERVER_AUTH_OID:
wolfSSL 4:1b0d80432c79 4395 cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH;
wolfSSL 4:1b0d80432c79 4396 break;
wolfSSL 4:1b0d80432c79 4397 case EKU_CLIENT_AUTH_OID:
wolfSSL 4:1b0d80432c79 4398 cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
wolfSSL 4:1b0d80432c79 4399 break;
wolfSSL 4:1b0d80432c79 4400 case EKU_OCSP_SIGN_OID:
wolfSSL 4:1b0d80432c79 4401 cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
wolfSSL 4:1b0d80432c79 4402 break;
wolfSSL 4:1b0d80432c79 4403 }
wolfSSL 4:1b0d80432c79 4404
wolfSSL 4:1b0d80432c79 4405 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4406 cert->extExtKeyUsageCount++;
wolfSSL 4:1b0d80432c79 4407 #endif
wolfSSL 4:1b0d80432c79 4408 }
wolfSSL 4:1b0d80432c79 4409
wolfSSL 4:1b0d80432c79 4410 return 0;
wolfSSL 4:1b0d80432c79 4411 }
wolfSSL 4:1b0d80432c79 4412
wolfSSL 4:1b0d80432c79 4413
wolfSSL 4:1b0d80432c79 4414 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 4415 static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
wolfSSL 4:1b0d80432c79 4416 {
wolfSSL 4:1b0d80432c79 4417 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4418
wolfSSL 4:1b0d80432c79 4419 (void)heap;
wolfSSL 4:1b0d80432c79 4420
wolfSSL 4:1b0d80432c79 4421 while (idx < (word32)sz) {
wolfSSL 4:1b0d80432c79 4422 int seqLength, strLength;
wolfSSL 4:1b0d80432c79 4423 word32 nameIdx;
wolfSSL 4:1b0d80432c79 4424 byte b;
wolfSSL 4:1b0d80432c79 4425
wolfSSL 4:1b0d80432c79 4426 if (GetSequence(input, &idx, &seqLength, sz) < 0) {
wolfSSL 4:1b0d80432c79 4427 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 4:1b0d80432c79 4428 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4429 }
wolfSSL 4:1b0d80432c79 4430
wolfSSL 4:1b0d80432c79 4431 nameIdx = idx;
wolfSSL 4:1b0d80432c79 4432 b = input[nameIdx++];
wolfSSL 4:1b0d80432c79 4433 if (GetLength(input, &nameIdx, &strLength, sz) <= 0) {
wolfSSL 4:1b0d80432c79 4434 WOLFSSL_MSG("\tinvalid length");
wolfSSL 4:1b0d80432c79 4435 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4436 }
wolfSSL 4:1b0d80432c79 4437
wolfSSL 4:1b0d80432c79 4438 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
wolfSSL 4:1b0d80432c79 4439 b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) ||
wolfSSL 4:1b0d80432c79 4440 b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
wolfSSL 4:1b0d80432c79 4441
wolfSSL 4:1b0d80432c79 4442 Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
wolfSSL 4:1b0d80432c79 4443 heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 4444
wolfSSL 4:1b0d80432c79 4445 if (entry == NULL) {
wolfSSL 4:1b0d80432c79 4446 WOLFSSL_MSG("allocate error");
wolfSSL 4:1b0d80432c79 4447 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4448 }
wolfSSL 4:1b0d80432c79 4449
wolfSSL 4:1b0d80432c79 4450 entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 4451 if (entry->name == NULL) {
wolfSSL 4:1b0d80432c79 4452 WOLFSSL_MSG("allocate error");
wolfSSL 4:1b0d80432c79 4453 XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 4:1b0d80432c79 4454 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4455 }
wolfSSL 4:1b0d80432c79 4456
wolfSSL 4:1b0d80432c79 4457 XMEMCPY(entry->name, &input[nameIdx], strLength);
wolfSSL 4:1b0d80432c79 4458 entry->nameSz = strLength;
wolfSSL 4:1b0d80432c79 4459 entry->type = b & 0x0F;
wolfSSL 4:1b0d80432c79 4460
wolfSSL 4:1b0d80432c79 4461 entry->next = *head;
wolfSSL 4:1b0d80432c79 4462 *head = entry;
wolfSSL 4:1b0d80432c79 4463 }
wolfSSL 4:1b0d80432c79 4464
wolfSSL 4:1b0d80432c79 4465 idx += seqLength;
wolfSSL 4:1b0d80432c79 4466 }
wolfSSL 4:1b0d80432c79 4467
wolfSSL 4:1b0d80432c79 4468 return 0;
wolfSSL 4:1b0d80432c79 4469 }
wolfSSL 4:1b0d80432c79 4470
wolfSSL 4:1b0d80432c79 4471
wolfSSL 4:1b0d80432c79 4472 static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4473 {
wolfSSL 4:1b0d80432c79 4474 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4475 int length = 0;
wolfSSL 4:1b0d80432c79 4476
wolfSSL 4:1b0d80432c79 4477 WOLFSSL_ENTER("DecodeNameConstraints");
wolfSSL 4:1b0d80432c79 4478
wolfSSL 4:1b0d80432c79 4479 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4480 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 4:1b0d80432c79 4481 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4482 }
wolfSSL 4:1b0d80432c79 4483
wolfSSL 4:1b0d80432c79 4484 while (idx < (word32)sz) {
wolfSSL 4:1b0d80432c79 4485 byte b = input[idx++];
wolfSSL 4:1b0d80432c79 4486 Base_entry** subtree = NULL;
wolfSSL 4:1b0d80432c79 4487
wolfSSL 4:1b0d80432c79 4488 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 4:1b0d80432c79 4489 WOLFSSL_MSG("\tinvalid length");
wolfSSL 4:1b0d80432c79 4490 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4491 }
wolfSSL 4:1b0d80432c79 4492
wolfSSL 4:1b0d80432c79 4493 if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0))
wolfSSL 4:1b0d80432c79 4494 subtree = &cert->permittedNames;
wolfSSL 4:1b0d80432c79 4495 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1))
wolfSSL 4:1b0d80432c79 4496 subtree = &cert->excludedNames;
wolfSSL 4:1b0d80432c79 4497 else {
wolfSSL 4:1b0d80432c79 4498 WOLFSSL_MSG("\tinvalid subtree");
wolfSSL 4:1b0d80432c79 4499 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4500 }
wolfSSL 4:1b0d80432c79 4501
wolfSSL 4:1b0d80432c79 4502 DecodeSubtree(input + idx, length, subtree, cert->heap);
wolfSSL 4:1b0d80432c79 4503
wolfSSL 4:1b0d80432c79 4504 idx += length;
wolfSSL 4:1b0d80432c79 4505 }
wolfSSL 4:1b0d80432c79 4506
wolfSSL 4:1b0d80432c79 4507 return 0;
wolfSSL 4:1b0d80432c79 4508 }
wolfSSL 4:1b0d80432c79 4509 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 4510 #endif /* NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 4511
wolfSSL 4:1b0d80432c79 4512 #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)
wolfSSL 4:1b0d80432c79 4513
wolfSSL 4:1b0d80432c79 4514 static int Word32ToString(char* d, word32 number)
wolfSSL 4:1b0d80432c79 4515 {
wolfSSL 4:1b0d80432c79 4516 int i = 0;
wolfSSL 4:1b0d80432c79 4517
wolfSSL 4:1b0d80432c79 4518 if (d != NULL) {
wolfSSL 4:1b0d80432c79 4519 word32 order = 1000000000;
wolfSSL 4:1b0d80432c79 4520 word32 digit;
wolfSSL 4:1b0d80432c79 4521
wolfSSL 4:1b0d80432c79 4522 if (number == 0) {
wolfSSL 4:1b0d80432c79 4523 d[i++] = '0';
wolfSSL 4:1b0d80432c79 4524 }
wolfSSL 4:1b0d80432c79 4525 else {
wolfSSL 4:1b0d80432c79 4526 while (order) {
wolfSSL 4:1b0d80432c79 4527 digit = number / order;
wolfSSL 4:1b0d80432c79 4528 if (i > 0 || digit != 0) {
wolfSSL 4:1b0d80432c79 4529 d[i++] = (char)digit + '0';
wolfSSL 4:1b0d80432c79 4530 }
wolfSSL 4:1b0d80432c79 4531 if (digit != 0)
wolfSSL 4:1b0d80432c79 4532 number %= digit * order;
wolfSSL 4:1b0d80432c79 4533 if (order > 1)
wolfSSL 4:1b0d80432c79 4534 order /= 10;
wolfSSL 4:1b0d80432c79 4535 else
wolfSSL 4:1b0d80432c79 4536 order = 0;
wolfSSL 4:1b0d80432c79 4537 }
wolfSSL 4:1b0d80432c79 4538 }
wolfSSL 4:1b0d80432c79 4539 d[i] = 0;
wolfSSL 4:1b0d80432c79 4540 }
wolfSSL 4:1b0d80432c79 4541
wolfSSL 4:1b0d80432c79 4542 return i;
wolfSSL 4:1b0d80432c79 4543 }
wolfSSL 4:1b0d80432c79 4544
wolfSSL 4:1b0d80432c79 4545
wolfSSL 4:1b0d80432c79 4546 /* Decode ITU-T X.690 OID format to a string representation
wolfSSL 4:1b0d80432c79 4547 * return string length */
wolfSSL 4:1b0d80432c79 4548 static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
wolfSSL 4:1b0d80432c79 4549 {
wolfSSL 4:1b0d80432c79 4550 word32 val, idx = 0, nb_bytes;
wolfSSL 4:1b0d80432c79 4551 size_t w_bytes = 0;
wolfSSL 4:1b0d80432c79 4552
wolfSSL 4:1b0d80432c79 4553 if (out == NULL || in == NULL || outSz < 4 || inSz < 2)
wolfSSL 4:1b0d80432c79 4554 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 4555
wolfSSL 4:1b0d80432c79 4556 /* first two byte must be interpreted as : 40 * int1 + int2 */
wolfSSL 4:1b0d80432c79 4557 val = (word16)in[idx++];
wolfSSL 4:1b0d80432c79 4558
wolfSSL 4:1b0d80432c79 4559 w_bytes = Word32ToString(out, val / 40);
wolfSSL 4:1b0d80432c79 4560 out[w_bytes++] = '.';
wolfSSL 4:1b0d80432c79 4561 w_bytes += Word32ToString(out+w_bytes, val % 40);
wolfSSL 4:1b0d80432c79 4562
wolfSSL 4:1b0d80432c79 4563 while (idx < inSz) {
wolfSSL 4:1b0d80432c79 4564 /* init value */
wolfSSL 4:1b0d80432c79 4565 val = 0;
wolfSSL 4:1b0d80432c79 4566 nb_bytes = 0;
wolfSSL 4:1b0d80432c79 4567
wolfSSL 4:1b0d80432c79 4568 /* check that output size is ok */
wolfSSL 4:1b0d80432c79 4569 if (w_bytes > (outSz - 3))
wolfSSL 4:1b0d80432c79 4570 return BUFFER_E;
wolfSSL 4:1b0d80432c79 4571
wolfSSL 4:1b0d80432c79 4572 /* first bit is used to set if value is coded on 1 or multiple bytes */
wolfSSL 4:1b0d80432c79 4573 while ((in[idx+nb_bytes] & 0x80))
wolfSSL 4:1b0d80432c79 4574 nb_bytes++;
wolfSSL 4:1b0d80432c79 4575
wolfSSL 4:1b0d80432c79 4576 if (!nb_bytes)
wolfSSL 4:1b0d80432c79 4577 val = (word32)(in[idx++] & 0x7f);
wolfSSL 4:1b0d80432c79 4578 else {
wolfSSL 4:1b0d80432c79 4579 word32 base = 1, tmp = nb_bytes;
wolfSSL 4:1b0d80432c79 4580
wolfSSL 4:1b0d80432c79 4581 while (tmp != 0) {
wolfSSL 4:1b0d80432c79 4582 val += (word32)(in[idx+tmp] & 0x7f) * base;
wolfSSL 4:1b0d80432c79 4583 base *= 128;
wolfSSL 4:1b0d80432c79 4584 tmp--;
wolfSSL 4:1b0d80432c79 4585 }
wolfSSL 4:1b0d80432c79 4586 val += (word32)(in[idx++] & 0x7f) * base;
wolfSSL 4:1b0d80432c79 4587
wolfSSL 4:1b0d80432c79 4588 idx += nb_bytes;
wolfSSL 4:1b0d80432c79 4589 }
wolfSSL 4:1b0d80432c79 4590
wolfSSL 4:1b0d80432c79 4591 out[w_bytes++] = '.';
wolfSSL 4:1b0d80432c79 4592 w_bytes += Word32ToString(out+w_bytes, val);
wolfSSL 4:1b0d80432c79 4593 }
wolfSSL 4:1b0d80432c79 4594
wolfSSL 4:1b0d80432c79 4595 return 0;
wolfSSL 4:1b0d80432c79 4596 }
wolfSSL 4:1b0d80432c79 4597 #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 4598
wolfSSL 4:1b0d80432c79 4599 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 4:1b0d80432c79 4600 /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
wolfSSL 4:1b0d80432c79 4601 static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4602 {
wolfSSL 4:1b0d80432c79 4603 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4604 int total_length = 0, policy_length = 0, length = 0;
wolfSSL 4:1b0d80432c79 4605
wolfSSL 4:1b0d80432c79 4606 WOLFSSL_ENTER("DecodeCertPolicy");
wolfSSL 4:1b0d80432c79 4607
wolfSSL 4:1b0d80432c79 4608 if (GetSequence(input, &idx, &total_length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4609 WOLFSSL_MSG("\tGet CertPolicy total seq failed");
wolfSSL 4:1b0d80432c79 4610 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4611 }
wolfSSL 4:1b0d80432c79 4612
wolfSSL 4:1b0d80432c79 4613 /* Validate total length (2 is the CERT_POLICY_OID+SEQ) */
wolfSSL 4:1b0d80432c79 4614 if ((total_length + 2) != sz) {
wolfSSL 4:1b0d80432c79 4615 WOLFSSL_MSG("\tCertPolicy length mismatch");
wolfSSL 4:1b0d80432c79 4616 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4617 }
wolfSSL 4:1b0d80432c79 4618
wolfSSL 4:1b0d80432c79 4619 /* Unwrap certificatePolicies */
wolfSSL 4:1b0d80432c79 4620 do {
wolfSSL 4:1b0d80432c79 4621 if (GetSequence(input, &idx, &policy_length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4622 WOLFSSL_MSG("\tGet CertPolicy seq failed");
wolfSSL 4:1b0d80432c79 4623 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4624 }
wolfSSL 4:1b0d80432c79 4625
wolfSSL 4:1b0d80432c79 4626 if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 4627 WOLFSSL_MSG("\tCertPolicy isn't OID");
wolfSSL 4:1b0d80432c79 4628 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4629 }
wolfSSL 4:1b0d80432c79 4630 policy_length--;
wolfSSL 4:1b0d80432c79 4631
wolfSSL 4:1b0d80432c79 4632 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4633 WOLFSSL_MSG("\tGet CertPolicy length failed");
wolfSSL 4:1b0d80432c79 4634 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4635 }
wolfSSL 4:1b0d80432c79 4636 policy_length--;
wolfSSL 4:1b0d80432c79 4637
wolfSSL 4:1b0d80432c79 4638 if (length > 0) {
wolfSSL 4:1b0d80432c79 4639 /* Verify length won't overrun buffer */
wolfSSL 4:1b0d80432c79 4640 if (length > (sz - (int)idx)) {
wolfSSL 4:1b0d80432c79 4641 WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
wolfSSL 4:1b0d80432c79 4642 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4643 }
wolfSSL 4:1b0d80432c79 4644
wolfSSL 4:1b0d80432c79 4645 #if defined(WOLFSSL_SEP)
wolfSSL 4:1b0d80432c79 4646 cert->deviceType = (byte*)XMALLOC(length, cert->heap,
wolfSSL 4:1b0d80432c79 4647 DYNAMIC_TYPE_X509_EXT);
wolfSSL 4:1b0d80432c79 4648 if (cert->deviceType == NULL) {
wolfSSL 4:1b0d80432c79 4649 WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
wolfSSL 4:1b0d80432c79 4650 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4651 }
wolfSSL 4:1b0d80432c79 4652 cert->deviceTypeSz = length;
wolfSSL 4:1b0d80432c79 4653 XMEMCPY(cert->deviceType, input + idx, length);
wolfSSL 4:1b0d80432c79 4654 break;
wolfSSL 4:1b0d80432c79 4655 #elif defined(WOLFSSL_CERT_EXT)
wolfSSL 4:1b0d80432c79 4656 /* decode cert policy */
wolfSSL 4:1b0d80432c79 4657 if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
wolfSSL 4:1b0d80432c79 4658 input + idx, length) != 0) {
wolfSSL 4:1b0d80432c79 4659 WOLFSSL_MSG("\tCouldn't decode CertPolicy");
wolfSSL 4:1b0d80432c79 4660 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4661 }
wolfSSL 4:1b0d80432c79 4662 cert->extCertPoliciesNb++;
wolfSSL 4:1b0d80432c79 4663 #else
wolfSSL 4:1b0d80432c79 4664 WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
wolfSSL 4:1b0d80432c79 4665 return 0;
wolfSSL 4:1b0d80432c79 4666 #endif
wolfSSL 4:1b0d80432c79 4667 }
wolfSSL 4:1b0d80432c79 4668 idx += policy_length;
wolfSSL 4:1b0d80432c79 4669 } while((int)idx < total_length
wolfSSL 4:1b0d80432c79 4670 #if defined(WOLFSSL_CERT_EXT)
wolfSSL 4:1b0d80432c79 4671 && cert->extCertPoliciesNb < MAX_CERTPOL_NB
wolfSSL 4:1b0d80432c79 4672 #endif
wolfSSL 4:1b0d80432c79 4673 );
wolfSSL 4:1b0d80432c79 4674
wolfSSL 4:1b0d80432c79 4675 WOLFSSL_LEAVE("DecodeCertPolicy", 0);
wolfSSL 4:1b0d80432c79 4676 return 0;
wolfSSL 4:1b0d80432c79 4677 }
wolfSSL 4:1b0d80432c79 4678 #endif /* WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 4679
wolfSSL 4:1b0d80432c79 4680 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 4681 static int DecodeCertExtensions(DecodedCert* cert)
wolfSSL 4:1b0d80432c79 4682 /*
wolfSSL 4:1b0d80432c79 4683 * Processing the Certificate Extensions. This does not modify the current
wolfSSL 4:1b0d80432c79 4684 * index. It is works starting with the recorded extensions pointer.
wolfSSL 4:1b0d80432c79 4685 */
wolfSSL 4:1b0d80432c79 4686 {
wolfSSL 4:1b0d80432c79 4687 word32 idx = 0;
wolfSSL 4:1b0d80432c79 4688 int sz = cert->extensionsSz;
wolfSSL 4:1b0d80432c79 4689 byte* input = cert->extensions;
wolfSSL 4:1b0d80432c79 4690 int length;
wolfSSL 4:1b0d80432c79 4691 word32 oid;
wolfSSL 4:1b0d80432c79 4692 byte critical = 0;
wolfSSL 4:1b0d80432c79 4693 byte criticalFail = 0;
wolfSSL 4:1b0d80432c79 4694
wolfSSL 4:1b0d80432c79 4695 WOLFSSL_ENTER("DecodeCertExtensions");
wolfSSL 4:1b0d80432c79 4696
wolfSSL 4:1b0d80432c79 4697 if (input == NULL || sz == 0)
wolfSSL 4:1b0d80432c79 4698 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 4699
wolfSSL 4:1b0d80432c79 4700 if (input[idx++] != ASN_EXTENSIONS) {
wolfSSL 4:1b0d80432c79 4701 WOLFSSL_MSG("\tfail: should be an EXTENSIONS");
wolfSSL 4:1b0d80432c79 4702 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4703 }
wolfSSL 4:1b0d80432c79 4704
wolfSSL 4:1b0d80432c79 4705 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4706 WOLFSSL_MSG("\tfail: invalid length");
wolfSSL 4:1b0d80432c79 4707 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4708 }
wolfSSL 4:1b0d80432c79 4709
wolfSSL 4:1b0d80432c79 4710 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4711 WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)");
wolfSSL 4:1b0d80432c79 4712 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4713 }
wolfSSL 4:1b0d80432c79 4714
wolfSSL 4:1b0d80432c79 4715 while (idx < (word32)sz) {
wolfSSL 4:1b0d80432c79 4716 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4717 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 4:1b0d80432c79 4718 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4719 }
wolfSSL 4:1b0d80432c79 4720
wolfSSL 4:1b0d80432c79 4721 oid = 0;
wolfSSL 4:1b0d80432c79 4722 if (GetObjectId(input, &idx, &oid, certExtType, sz) < 0) {
wolfSSL 4:1b0d80432c79 4723 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 4:1b0d80432c79 4724 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4725 }
wolfSSL 4:1b0d80432c79 4726
wolfSSL 4:1b0d80432c79 4727 /* check for critical flag */
wolfSSL 4:1b0d80432c79 4728 critical = 0;
wolfSSL 4:1b0d80432c79 4729 if (input[idx] == ASN_BOOLEAN) {
wolfSSL 4:1b0d80432c79 4730 int boolLength = 0;
wolfSSL 4:1b0d80432c79 4731 idx++;
wolfSSL 4:1b0d80432c79 4732 if (GetLength(input, &idx, &boolLength, sz) < 0) {
wolfSSL 4:1b0d80432c79 4733 WOLFSSL_MSG("\tfail: critical boolean length");
wolfSSL 4:1b0d80432c79 4734 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4735 }
wolfSSL 4:1b0d80432c79 4736 if (input[idx++])
wolfSSL 4:1b0d80432c79 4737 critical = 1;
wolfSSL 4:1b0d80432c79 4738 }
wolfSSL 4:1b0d80432c79 4739
wolfSSL 4:1b0d80432c79 4740 /* process the extension based on the OID */
wolfSSL 4:1b0d80432c79 4741 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 4742 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 4:1b0d80432c79 4743 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4744 }
wolfSSL 4:1b0d80432c79 4745
wolfSSL 4:1b0d80432c79 4746 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 4747 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 4:1b0d80432c79 4748 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4749 }
wolfSSL 4:1b0d80432c79 4750
wolfSSL 4:1b0d80432c79 4751 switch (oid) {
wolfSSL 4:1b0d80432c79 4752 case BASIC_CA_OID:
wolfSSL 4:1b0d80432c79 4753 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4754 cert->extBasicConstSet = 1;
wolfSSL 4:1b0d80432c79 4755 cert->extBasicConstCrit = critical;
wolfSSL 4:1b0d80432c79 4756 #endif
wolfSSL 4:1b0d80432c79 4757 if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4758 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4759 break;
wolfSSL 4:1b0d80432c79 4760
wolfSSL 4:1b0d80432c79 4761 case CRL_DIST_OID:
wolfSSL 4:1b0d80432c79 4762 if (DecodeCrlDist(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4763 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4764 break;
wolfSSL 4:1b0d80432c79 4765
wolfSSL 4:1b0d80432c79 4766 case AUTH_INFO_OID:
wolfSSL 4:1b0d80432c79 4767 if (DecodeAuthInfo(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4768 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4769 break;
wolfSSL 4:1b0d80432c79 4770
wolfSSL 4:1b0d80432c79 4771 case ALT_NAMES_OID:
wolfSSL 4:1b0d80432c79 4772 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4773 cert->extSubjAltNameSet = 1;
wolfSSL 4:1b0d80432c79 4774 cert->extSubjAltNameCrit = critical;
wolfSSL 4:1b0d80432c79 4775 #endif
wolfSSL 4:1b0d80432c79 4776 if (DecodeAltNames(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4777 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4778 break;
wolfSSL 4:1b0d80432c79 4779
wolfSSL 4:1b0d80432c79 4780 case AUTH_KEY_OID:
wolfSSL 4:1b0d80432c79 4781 cert->extAuthKeyIdSet = 1;
wolfSSL 4:1b0d80432c79 4782 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4783 cert->extAuthKeyIdCrit = critical;
wolfSSL 4:1b0d80432c79 4784 #endif
wolfSSL 4:1b0d80432c79 4785 if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4786 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4787 break;
wolfSSL 4:1b0d80432c79 4788
wolfSSL 4:1b0d80432c79 4789 case SUBJ_KEY_OID:
wolfSSL 4:1b0d80432c79 4790 cert->extSubjKeyIdSet = 1;
wolfSSL 4:1b0d80432c79 4791 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4792 cert->extSubjKeyIdCrit = critical;
wolfSSL 4:1b0d80432c79 4793 #endif
wolfSSL 4:1b0d80432c79 4794 if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4795 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4796 break;
wolfSSL 4:1b0d80432c79 4797
wolfSSL 4:1b0d80432c79 4798 case CERT_POLICY_OID:
wolfSSL 4:1b0d80432c79 4799 #ifdef WOLFSSL_SEP
wolfSSL 4:1b0d80432c79 4800 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4801 cert->extCertPolicySet = 1;
wolfSSL 4:1b0d80432c79 4802 cert->extCertPolicyCrit = critical;
wolfSSL 4:1b0d80432c79 4803 #endif
wolfSSL 4:1b0d80432c79 4804 #endif
wolfSSL 4:1b0d80432c79 4805 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 4:1b0d80432c79 4806 if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
wolfSSL 4:1b0d80432c79 4807 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4808 }
wolfSSL 4:1b0d80432c79 4809 #else
wolfSSL 4:1b0d80432c79 4810 WOLFSSL_MSG("Certificate Policy extension not supported yet.");
wolfSSL 4:1b0d80432c79 4811 #endif
wolfSSL 4:1b0d80432c79 4812 break;
wolfSSL 4:1b0d80432c79 4813
wolfSSL 4:1b0d80432c79 4814 case KEY_USAGE_OID:
wolfSSL 4:1b0d80432c79 4815 cert->extKeyUsageSet = 1;
wolfSSL 4:1b0d80432c79 4816 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4817 cert->extKeyUsageCrit = critical;
wolfSSL 4:1b0d80432c79 4818 #endif
wolfSSL 4:1b0d80432c79 4819 if (DecodeKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4820 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4821 break;
wolfSSL 4:1b0d80432c79 4822
wolfSSL 4:1b0d80432c79 4823 case EXT_KEY_USAGE_OID:
wolfSSL 4:1b0d80432c79 4824 cert->extExtKeyUsageSet = 1;
wolfSSL 4:1b0d80432c79 4825 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4826 cert->extExtKeyUsageCrit = critical;
wolfSSL 4:1b0d80432c79 4827 #endif
wolfSSL 4:1b0d80432c79 4828 if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4829 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4830 break;
wolfSSL 4:1b0d80432c79 4831
wolfSSL 4:1b0d80432c79 4832 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 4833 case NAME_CONS_OID:
wolfSSL 4:1b0d80432c79 4834 cert->extNameConstraintSet = 1;
wolfSSL 4:1b0d80432c79 4835 #ifdef OPENSSL_EXTRA
wolfSSL 4:1b0d80432c79 4836 cert->extNameConstraintCrit = critical;
wolfSSL 4:1b0d80432c79 4837 #endif
wolfSSL 4:1b0d80432c79 4838 if (DecodeNameConstraints(&input[idx], length, cert) < 0)
wolfSSL 4:1b0d80432c79 4839 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 4840 break;
wolfSSL 4:1b0d80432c79 4841 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 4842
wolfSSL 4:1b0d80432c79 4843 case INHIBIT_ANY_OID:
wolfSSL 4:1b0d80432c79 4844 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
wolfSSL 4:1b0d80432c79 4845 break;
wolfSSL 4:1b0d80432c79 4846
wolfSSL 4:1b0d80432c79 4847 default:
wolfSSL 4:1b0d80432c79 4848 /* While it is a failure to not support critical extensions,
wolfSSL 4:1b0d80432c79 4849 * still parse the certificate ignoring the unsupported
wolfSSL 4:1b0d80432c79 4850 * extension to allow caller to accept it with the verify
wolfSSL 4:1b0d80432c79 4851 * callback. */
wolfSSL 4:1b0d80432c79 4852 if (critical)
wolfSSL 4:1b0d80432c79 4853 criticalFail = 1;
wolfSSL 4:1b0d80432c79 4854 break;
wolfSSL 4:1b0d80432c79 4855 }
wolfSSL 4:1b0d80432c79 4856 idx += length;
wolfSSL 4:1b0d80432c79 4857 }
wolfSSL 4:1b0d80432c79 4858
wolfSSL 4:1b0d80432c79 4859 return criticalFail ? ASN_CRIT_EXT_E : 0;
wolfSSL 4:1b0d80432c79 4860 }
wolfSSL 4:1b0d80432c79 4861
wolfSSL 4:1b0d80432c79 4862
wolfSSL 4:1b0d80432c79 4863 int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 4:1b0d80432c79 4864 {
wolfSSL 4:1b0d80432c79 4865 int ret;
wolfSSL 4:1b0d80432c79 4866 char* ptr;
wolfSSL 4:1b0d80432c79 4867
wolfSSL 4:1b0d80432c79 4868 ret = ParseCertRelative(cert, type, verify, cm);
wolfSSL 4:1b0d80432c79 4869 if (ret < 0)
wolfSSL 4:1b0d80432c79 4870 return ret;
wolfSSL 4:1b0d80432c79 4871
wolfSSL 4:1b0d80432c79 4872 if (cert->subjectCNLen > 0) {
wolfSSL 4:1b0d80432c79 4873 ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap,
wolfSSL 4:1b0d80432c79 4874 DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 4:1b0d80432c79 4875 if (ptr == NULL)
wolfSSL 4:1b0d80432c79 4876 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4877 XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen);
wolfSSL 4:1b0d80432c79 4878 ptr[cert->subjectCNLen] = '\0';
wolfSSL 4:1b0d80432c79 4879 cert->subjectCN = ptr;
wolfSSL 4:1b0d80432c79 4880 cert->subjectCNStored = 1;
wolfSSL 4:1b0d80432c79 4881 }
wolfSSL 4:1b0d80432c79 4882
wolfSSL 4:1b0d80432c79 4883 if (cert->keyOID == RSAk &&
wolfSSL 4:1b0d80432c79 4884 cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL 4:1b0d80432c79 4885 ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap,
wolfSSL 4:1b0d80432c79 4886 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 4:1b0d80432c79 4887 if (ptr == NULL)
wolfSSL 4:1b0d80432c79 4888 return MEMORY_E;
wolfSSL 4:1b0d80432c79 4889 XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
wolfSSL 4:1b0d80432c79 4890 cert->publicKey = (byte *)ptr;
wolfSSL 4:1b0d80432c79 4891 cert->pubKeyStored = 1;
wolfSSL 4:1b0d80432c79 4892 }
wolfSSL 4:1b0d80432c79 4893
wolfSSL 4:1b0d80432c79 4894 return ret;
wolfSSL 4:1b0d80432c79 4895 }
wolfSSL 4:1b0d80432c79 4896 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 4897
wolfSSL 4:1b0d80432c79 4898
wolfSSL 4:1b0d80432c79 4899 /* from SSL proper, for locking can't do find here anymore */
wolfSSL 4:1b0d80432c79 4900 #ifdef __cplusplus
wolfSSL 4:1b0d80432c79 4901 extern "C" {
wolfSSL 4:1b0d80432c79 4902 #endif
wolfSSL 4:1b0d80432c79 4903 WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
wolfSSL 4:1b0d80432c79 4904 #ifndef NO_SKID
wolfSSL 4:1b0d80432c79 4905 WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
wolfSSL 4:1b0d80432c79 4906 #endif
wolfSSL 4:1b0d80432c79 4907 #ifdef __cplusplus
wolfSSL 4:1b0d80432c79 4908 }
wolfSSL 4:1b0d80432c79 4909 #endif
wolfSSL 4:1b0d80432c79 4910
wolfSSL 4:1b0d80432c79 4911
wolfSSL 4:1b0d80432c79 4912 #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
wolfSSL 4:1b0d80432c79 4913
wolfSSL 4:1b0d80432c79 4914 /* dummy functions, not using wolfSSL so don't need actual ones */
wolfSSL 4:1b0d80432c79 4915 Signer* GetCA(void* signers, byte* hash)
wolfSSL 4:1b0d80432c79 4916 {
wolfSSL 4:1b0d80432c79 4917 (void)hash;
wolfSSL 4:1b0d80432c79 4918
wolfSSL 4:1b0d80432c79 4919 return (Signer*)signers;
wolfSSL 4:1b0d80432c79 4920 }
wolfSSL 4:1b0d80432c79 4921
wolfSSL 4:1b0d80432c79 4922 #ifndef NO_SKID
wolfSSL 4:1b0d80432c79 4923 Signer* GetCAByName(void* signers, byte* hash)
wolfSSL 4:1b0d80432c79 4924 {
wolfSSL 4:1b0d80432c79 4925 (void)hash;
wolfSSL 4:1b0d80432c79 4926
wolfSSL 4:1b0d80432c79 4927 return (Signer*)signers;
wolfSSL 4:1b0d80432c79 4928 }
wolfSSL 4:1b0d80432c79 4929 #endif /* NO_SKID */
wolfSSL 4:1b0d80432c79 4930
wolfSSL 4:1b0d80432c79 4931 #endif /* WOLFCRYPT_ONLY || NO_CERTS */
wolfSSL 4:1b0d80432c79 4932
wolfSSL 4:1b0d80432c79 4933 #ifndef NO_ASN_TIME
wolfSSL 4:1b0d80432c79 4934 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 4:1b0d80432c79 4935 {
wolfSSL 4:1b0d80432c79 4936 word32 confirmOID;
wolfSSL 4:1b0d80432c79 4937 int ret;
wolfSSL 4:1b0d80432c79 4938 int badDate = 0;
wolfSSL 4:1b0d80432c79 4939 int criticalExt = 0;
wolfSSL 4:1b0d80432c79 4940
wolfSSL 4:1b0d80432c79 4941 if ((ret = DecodeToKey(cert, verify)) < 0) {
wolfSSL 4:1b0d80432c79 4942 if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)
wolfSSL 4:1b0d80432c79 4943 badDate = ret;
wolfSSL 4:1b0d80432c79 4944 else
wolfSSL 4:1b0d80432c79 4945 return ret;
wolfSSL 4:1b0d80432c79 4946 }
wolfSSL 4:1b0d80432c79 4947
wolfSSL 4:1b0d80432c79 4948 WOLFSSL_MSG("Parsed Past Key");
wolfSSL 4:1b0d80432c79 4949
wolfSSL 4:1b0d80432c79 4950 if (cert->srcIdx < cert->sigIndex) {
wolfSSL 4:1b0d80432c79 4951 #ifndef ALLOW_V1_EXTENSIONS
wolfSSL 4:1b0d80432c79 4952 if (cert->version < 2) {
wolfSSL 4:1b0d80432c79 4953 WOLFSSL_MSG(" v1 and v2 certs not allowed extensions");
wolfSSL 4:1b0d80432c79 4954 return ASN_VERSION_E;
wolfSSL 4:1b0d80432c79 4955 }
wolfSSL 4:1b0d80432c79 4956 #endif
wolfSSL 4:1b0d80432c79 4957 /* save extensions */
wolfSSL 4:1b0d80432c79 4958 cert->extensions = &cert->source[cert->srcIdx];
wolfSSL 4:1b0d80432c79 4959 cert->extensionsSz = cert->sigIndex - cert->srcIdx;
wolfSSL 4:1b0d80432c79 4960 cert->extensionsIdx = cert->srcIdx; /* for potential later use */
wolfSSL 4:1b0d80432c79 4961
wolfSSL 4:1b0d80432c79 4962 if ((ret = DecodeCertExtensions(cert)) < 0) {
wolfSSL 4:1b0d80432c79 4963 if (ret == ASN_CRIT_EXT_E)
wolfSSL 4:1b0d80432c79 4964 criticalExt = ret;
wolfSSL 4:1b0d80432c79 4965 else
wolfSSL 4:1b0d80432c79 4966 return ret;
wolfSSL 4:1b0d80432c79 4967 }
wolfSSL 4:1b0d80432c79 4968
wolfSSL 4:1b0d80432c79 4969 /* advance past extensions */
wolfSSL 4:1b0d80432c79 4970 cert->srcIdx = cert->sigIndex;
wolfSSL 4:1b0d80432c79 4971 }
wolfSSL 4:1b0d80432c79 4972
wolfSSL 4:1b0d80432c79 4973 if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
wolfSSL 4:1b0d80432c79 4974 sigType, cert->maxIdx)) < 0)
wolfSSL 4:1b0d80432c79 4975 return ret;
wolfSSL 4:1b0d80432c79 4976
wolfSSL 4:1b0d80432c79 4977 if ((ret = GetSignature(cert)) < 0)
wolfSSL 4:1b0d80432c79 4978 return ret;
wolfSSL 4:1b0d80432c79 4979
wolfSSL 4:1b0d80432c79 4980 if (confirmOID != cert->signatureOID)
wolfSSL 4:1b0d80432c79 4981 return ASN_SIG_OID_E;
wolfSSL 4:1b0d80432c79 4982
wolfSSL 4:1b0d80432c79 4983 #ifndef NO_SKID
wolfSSL 4:1b0d80432c79 4984 if (cert->extSubjKeyIdSet == 0
wolfSSL 4:1b0d80432c79 4985 && cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL 4:1b0d80432c79 4986 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 4987 ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize,
wolfSSL 4:1b0d80432c79 4988 cert->extSubjKeyId);
wolfSSL 4:1b0d80432c79 4989 #else
wolfSSL 4:1b0d80432c79 4990 ret = wc_ShaHash(cert->publicKey, cert->pubKeySize,
wolfSSL 4:1b0d80432c79 4991 cert->extSubjKeyId);
wolfSSL 4:1b0d80432c79 4992 #endif
wolfSSL 4:1b0d80432c79 4993 if (ret != 0)
wolfSSL 4:1b0d80432c79 4994 return ret;
wolfSSL 4:1b0d80432c79 4995 }
wolfSSL 4:1b0d80432c79 4996 #endif
wolfSSL 4:1b0d80432c79 4997
wolfSSL 4:1b0d80432c79 4998 if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
wolfSSL 4:1b0d80432c79 4999 Signer* ca = NULL;
wolfSSL 4:1b0d80432c79 5000 #ifndef NO_SKID
wolfSSL 4:1b0d80432c79 5001 if (cert->extAuthKeyIdSet)
wolfSSL 4:1b0d80432c79 5002 ca = GetCA(cm, cert->extAuthKeyId);
wolfSSL 4:1b0d80432c79 5003 if (ca == NULL)
wolfSSL 4:1b0d80432c79 5004 ca = GetCAByName(cm, cert->issuerHash);
wolfSSL 4:1b0d80432c79 5005 #else /* NO_SKID */
wolfSSL 4:1b0d80432c79 5006 ca = GetCA(cm, cert->issuerHash);
wolfSSL 4:1b0d80432c79 5007 #endif /* NO SKID */
wolfSSL 4:1b0d80432c79 5008 WOLFSSL_MSG("About to verify certificate signature");
wolfSSL 4:1b0d80432c79 5009
wolfSSL 4:1b0d80432c79 5010 if (ca) {
wolfSSL 4:1b0d80432c79 5011 #ifdef HAVE_OCSP
wolfSSL 4:1b0d80432c79 5012 /* Need the ca's public key hash for OCSP */
wolfSSL 4:1b0d80432c79 5013 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 5014 ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize,
wolfSSL 4:1b0d80432c79 5015 cert->issuerKeyHash);
wolfSSL 4:1b0d80432c79 5016 #else /* NO_SHA */
wolfSSL 4:1b0d80432c79 5017 ret = wc_ShaHash(ca->publicKey, ca->pubKeySize,
wolfSSL 4:1b0d80432c79 5018 cert->issuerKeyHash);
wolfSSL 4:1b0d80432c79 5019 #endif /* NO_SHA */
wolfSSL 4:1b0d80432c79 5020 if (ret != 0)
wolfSSL 4:1b0d80432c79 5021 return ret;
wolfSSL 4:1b0d80432c79 5022 #endif /* HAVE_OCSP */
wolfSSL 4:1b0d80432c79 5023 /* try to confirm/verify signature */
wolfSSL 4:1b0d80432c79 5024 if (!ConfirmSignature(cert->source + cert->certBegin,
wolfSSL 4:1b0d80432c79 5025 cert->sigIndex - cert->certBegin,
wolfSSL 4:1b0d80432c79 5026 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 4:1b0d80432c79 5027 cert->signature, cert->sigLength, cert->signatureOID,
wolfSSL 4:1b0d80432c79 5028 cert->heap)) {
wolfSSL 4:1b0d80432c79 5029 WOLFSSL_MSG("Confirm signature failed");
wolfSSL 4:1b0d80432c79 5030 return ASN_SIG_CONFIRM_E;
wolfSSL 4:1b0d80432c79 5031 }
wolfSSL 4:1b0d80432c79 5032 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 5033 /* check that this cert's name is permitted by the signer's
wolfSSL 4:1b0d80432c79 5034 * name constraints */
wolfSSL 4:1b0d80432c79 5035 if (!ConfirmNameConstraints(ca, cert)) {
wolfSSL 4:1b0d80432c79 5036 WOLFSSL_MSG("Confirm name constraint failed");
wolfSSL 4:1b0d80432c79 5037 return ASN_NAME_INVALID_E;
wolfSSL 4:1b0d80432c79 5038 }
wolfSSL 4:1b0d80432c79 5039 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 5040 }
wolfSSL 4:1b0d80432c79 5041 else {
wolfSSL 4:1b0d80432c79 5042 /* no signer */
wolfSSL 4:1b0d80432c79 5043 WOLFSSL_MSG("No CA signer to verify with");
wolfSSL 4:1b0d80432c79 5044 return ASN_NO_SIGNER_E;
wolfSSL 4:1b0d80432c79 5045 }
wolfSSL 4:1b0d80432c79 5046 }
wolfSSL 4:1b0d80432c79 5047
wolfSSL 4:1b0d80432c79 5048 if (badDate != 0)
wolfSSL 4:1b0d80432c79 5049 return badDate;
wolfSSL 4:1b0d80432c79 5050
wolfSSL 4:1b0d80432c79 5051 if (criticalExt != 0)
wolfSSL 4:1b0d80432c79 5052 return criticalExt;
wolfSSL 4:1b0d80432c79 5053
wolfSSL 4:1b0d80432c79 5054 return 0;
wolfSSL 4:1b0d80432c79 5055 }
wolfSSL 4:1b0d80432c79 5056 #endif /* !NO_ASN_TIME */
wolfSSL 4:1b0d80432c79 5057
wolfSSL 4:1b0d80432c79 5058 /* Create and init an new signer */
wolfSSL 4:1b0d80432c79 5059 Signer* MakeSigner(void* heap)
wolfSSL 4:1b0d80432c79 5060 {
wolfSSL 4:1b0d80432c79 5061 Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap,
wolfSSL 4:1b0d80432c79 5062 DYNAMIC_TYPE_SIGNER);
wolfSSL 4:1b0d80432c79 5063 if (signer) {
wolfSSL 4:1b0d80432c79 5064 signer->pubKeySize = 0;
wolfSSL 4:1b0d80432c79 5065 signer->keyOID = 0;
wolfSSL 4:1b0d80432c79 5066 signer->publicKey = NULL;
wolfSSL 4:1b0d80432c79 5067 signer->nameLen = 0;
wolfSSL 4:1b0d80432c79 5068 signer->name = NULL;
wolfSSL 4:1b0d80432c79 5069 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 5070 signer->permittedNames = NULL;
wolfSSL 4:1b0d80432c79 5071 signer->excludedNames = NULL;
wolfSSL 4:1b0d80432c79 5072 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 4:1b0d80432c79 5073 signer->next = NULL;
wolfSSL 4:1b0d80432c79 5074 }
wolfSSL 4:1b0d80432c79 5075 (void)heap;
wolfSSL 4:1b0d80432c79 5076
wolfSSL 4:1b0d80432c79 5077 return signer;
wolfSSL 4:1b0d80432c79 5078 }
wolfSSL 4:1b0d80432c79 5079
wolfSSL 4:1b0d80432c79 5080
wolfSSL 4:1b0d80432c79 5081 /* Free an individual signer */
wolfSSL 4:1b0d80432c79 5082 void FreeSigner(Signer* signer, void* heap)
wolfSSL 4:1b0d80432c79 5083 {
wolfSSL 4:1b0d80432c79 5084 XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 4:1b0d80432c79 5085 XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 4:1b0d80432c79 5086 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 5087 if (signer->permittedNames)
wolfSSL 4:1b0d80432c79 5088 FreeNameSubtrees(signer->permittedNames, heap);
wolfSSL 4:1b0d80432c79 5089 if (signer->excludedNames)
wolfSSL 4:1b0d80432c79 5090 FreeNameSubtrees(signer->excludedNames, heap);
wolfSSL 4:1b0d80432c79 5091 #endif
wolfSSL 4:1b0d80432c79 5092 XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
wolfSSL 4:1b0d80432c79 5093
wolfSSL 4:1b0d80432c79 5094 (void)heap;
wolfSSL 4:1b0d80432c79 5095 }
wolfSSL 4:1b0d80432c79 5096
wolfSSL 4:1b0d80432c79 5097
wolfSSL 4:1b0d80432c79 5098 /* Free the whole singer table with number of rows */
wolfSSL 4:1b0d80432c79 5099 void FreeSignerTable(Signer** table, int rows, void* heap)
wolfSSL 4:1b0d80432c79 5100 {
wolfSSL 4:1b0d80432c79 5101 int i;
wolfSSL 4:1b0d80432c79 5102
wolfSSL 4:1b0d80432c79 5103 for (i = 0; i < rows; i++) {
wolfSSL 4:1b0d80432c79 5104 Signer* signer = table[i];
wolfSSL 4:1b0d80432c79 5105 while (signer) {
wolfSSL 4:1b0d80432c79 5106 Signer* next = signer->next;
wolfSSL 4:1b0d80432c79 5107 FreeSigner(signer, heap);
wolfSSL 4:1b0d80432c79 5108 signer = next;
wolfSSL 4:1b0d80432c79 5109 }
wolfSSL 4:1b0d80432c79 5110 table[i] = NULL;
wolfSSL 4:1b0d80432c79 5111 }
wolfSSL 4:1b0d80432c79 5112 }
wolfSSL 4:1b0d80432c79 5113
wolfSSL 4:1b0d80432c79 5114 #ifdef WOLFSSL_TRUST_PEER_CERT
wolfSSL 4:1b0d80432c79 5115 /* Free an individual trusted peer cert */
wolfSSL 4:1b0d80432c79 5116 void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
wolfSSL 4:1b0d80432c79 5117 {
wolfSSL 4:1b0d80432c79 5118 if (tp == NULL) {
wolfSSL 4:1b0d80432c79 5119 return;
wolfSSL 4:1b0d80432c79 5120 }
wolfSSL 4:1b0d80432c79 5121
wolfSSL 4:1b0d80432c79 5122 if (tp->name) {
wolfSSL 4:1b0d80432c79 5123 XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 4:1b0d80432c79 5124 }
wolfSSL 4:1b0d80432c79 5125
wolfSSL 4:1b0d80432c79 5126 if (tp->sig) {
wolfSSL 4:1b0d80432c79 5127 XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
wolfSSL 4:1b0d80432c79 5128 }
wolfSSL 4:1b0d80432c79 5129 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 4:1b0d80432c79 5130 if (tp->permittedNames)
wolfSSL 4:1b0d80432c79 5131 FreeNameSubtrees(tp->permittedNames, heap);
wolfSSL 4:1b0d80432c79 5132 if (tp->excludedNames)
wolfSSL 4:1b0d80432c79 5133 FreeNameSubtrees(tp->excludedNames, heap);
wolfSSL 4:1b0d80432c79 5134 #endif
wolfSSL 4:1b0d80432c79 5135 XFREE(tp, heap, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 5136
wolfSSL 4:1b0d80432c79 5137 (void)heap;
wolfSSL 4:1b0d80432c79 5138 }
wolfSSL 4:1b0d80432c79 5139
wolfSSL 4:1b0d80432c79 5140 /* Free the whole Trusted Peer linked list */
wolfSSL 4:1b0d80432c79 5141 void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
wolfSSL 4:1b0d80432c79 5142 {
wolfSSL 4:1b0d80432c79 5143 int i;
wolfSSL 4:1b0d80432c79 5144
wolfSSL 4:1b0d80432c79 5145 for (i = 0; i < rows; i++) {
wolfSSL 4:1b0d80432c79 5146 TrustedPeerCert* tp = table[i];
wolfSSL 4:1b0d80432c79 5147 while (tp) {
wolfSSL 4:1b0d80432c79 5148 TrustedPeerCert* next = tp->next;
wolfSSL 4:1b0d80432c79 5149 FreeTrustedPeer(tp, heap);
wolfSSL 4:1b0d80432c79 5150 tp = next;
wolfSSL 4:1b0d80432c79 5151 }
wolfSSL 4:1b0d80432c79 5152 table[i] = NULL;
wolfSSL 4:1b0d80432c79 5153 }
wolfSSL 4:1b0d80432c79 5154 }
wolfSSL 4:1b0d80432c79 5155 #endif /* WOLFSSL_TRUST_PEER_CERT */
wolfSSL 4:1b0d80432c79 5156
wolfSSL 4:1b0d80432c79 5157 WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
wolfSSL 4:1b0d80432c79 5158 {
wolfSSL 4:1b0d80432c79 5159 int i = 0;
wolfSSL 4:1b0d80432c79 5160
wolfSSL 4:1b0d80432c79 5161 if (output == NULL)
wolfSSL 4:1b0d80432c79 5162 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5163
wolfSSL 4:1b0d80432c79 5164 if (header) {
wolfSSL 4:1b0d80432c79 5165 output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED;
wolfSSL 4:1b0d80432c79 5166 output[i++] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 5167 }
wolfSSL 4:1b0d80432c79 5168 output[i++] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5169 output[i++] = 0x01;
wolfSSL 4:1b0d80432c79 5170 output[i++] = (byte)version;
wolfSSL 4:1b0d80432c79 5171
wolfSSL 4:1b0d80432c79 5172 return i;
wolfSSL 4:1b0d80432c79 5173 }
wolfSSL 4:1b0d80432c79 5174
wolfSSL 4:1b0d80432c79 5175
wolfSSL 4:1b0d80432c79 5176 WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
wolfSSL 4:1b0d80432c79 5177 {
wolfSSL 4:1b0d80432c79 5178 int result = 0;
wolfSSL 4:1b0d80432c79 5179
wolfSSL 4:1b0d80432c79 5180 WOLFSSL_ENTER("SetSerialNumber");
wolfSSL 4:1b0d80432c79 5181
wolfSSL 4:1b0d80432c79 5182 if (sn == NULL || output == NULL)
wolfSSL 4:1b0d80432c79 5183 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5184
wolfSSL 4:1b0d80432c79 5185 if (snSz <= EXTERNAL_SERIAL_SIZE) {
wolfSSL 4:1b0d80432c79 5186 output[0] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5187 /* The serial number is always positive. When encoding the
wolfSSL 4:1b0d80432c79 5188 * INTEGER, if the MSB is 1, add a padding zero to keep the
wolfSSL 4:1b0d80432c79 5189 * number positive. */
wolfSSL 4:1b0d80432c79 5190 if (sn[0] & 0x80) {
wolfSSL 4:1b0d80432c79 5191 output[1] = (byte)snSz + 1;
wolfSSL 4:1b0d80432c79 5192 output[2] = 0;
wolfSSL 4:1b0d80432c79 5193 XMEMCPY(&output[3], sn, snSz);
wolfSSL 4:1b0d80432c79 5194 result = snSz + 3;
wolfSSL 4:1b0d80432c79 5195 }
wolfSSL 4:1b0d80432c79 5196 else {
wolfSSL 4:1b0d80432c79 5197 output[1] = (byte)snSz;
wolfSSL 4:1b0d80432c79 5198 XMEMCPY(&output[2], sn, snSz);
wolfSSL 4:1b0d80432c79 5199 result = snSz + 2;
wolfSSL 4:1b0d80432c79 5200 }
wolfSSL 4:1b0d80432c79 5201 }
wolfSSL 4:1b0d80432c79 5202 return result;
wolfSSL 4:1b0d80432c79 5203 }
wolfSSL 4:1b0d80432c79 5204
wolfSSL 4:1b0d80432c79 5205
wolfSSL 4:1b0d80432c79 5206
wolfSSL 4:1b0d80432c79 5207 const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
wolfSSL 4:1b0d80432c79 5208 const char* END_CERT = "-----END CERTIFICATE-----";
wolfSSL 4:1b0d80432c79 5209 const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----";
wolfSSL 4:1b0d80432c79 5210 const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----";
wolfSSL 4:1b0d80432c79 5211 const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----";
wolfSSL 4:1b0d80432c79 5212 const char* END_DH_PARAM = "-----END DH PARAMETERS-----";
wolfSSL 4:1b0d80432c79 5213 const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----";
wolfSSL 4:1b0d80432c79 5214 const char* END_X509_CRL = "-----END X509 CRL-----";
wolfSSL 4:1b0d80432c79 5215 const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5216 const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5217 const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5218 const char* END_PRIV_KEY = "-----END PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5219 const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5220 const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5221 const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5222 const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5223 const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5224 const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----";
wolfSSL 4:1b0d80432c79 5225 const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
wolfSSL 4:1b0d80432c79 5226 const char* END_PUB_KEY = "-----END PUBLIC KEY-----";
wolfSSL 4:1b0d80432c79 5227
wolfSSL 4:1b0d80432c79 5228 #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)
wolfSSL 4:1b0d80432c79 5229
wolfSSL 4:1b0d80432c79 5230 /* Used for compatibility API */
wolfSSL 4:1b0d80432c79 5231 int wc_DerToPem(const byte* der, word32 derSz,
wolfSSL 4:1b0d80432c79 5232 byte* output, word32 outSz, int type)
wolfSSL 4:1b0d80432c79 5233 {
wolfSSL 4:1b0d80432c79 5234 return wc_DerToPemEx(der, derSz, output, outSz, NULL, type);
wolfSSL 4:1b0d80432c79 5235 }
wolfSSL 4:1b0d80432c79 5236
wolfSSL 4:1b0d80432c79 5237 /* convert der buffer to pem into output, can't do inplace, der and output
wolfSSL 4:1b0d80432c79 5238 need to be different */
wolfSSL 4:1b0d80432c79 5239 int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
wolfSSL 4:1b0d80432c79 5240 byte *cipher_info, int type)
wolfSSL 4:1b0d80432c79 5241 {
wolfSSL 4:1b0d80432c79 5242 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5243 char* header = NULL;
wolfSSL 4:1b0d80432c79 5244 char* footer = NULL;
wolfSSL 4:1b0d80432c79 5245 #else
wolfSSL 4:1b0d80432c79 5246 char header[40 + HEADER_ENCRYPTED_KEY_SIZE];
wolfSSL 4:1b0d80432c79 5247 char footer[40];
wolfSSL 4:1b0d80432c79 5248 #endif
wolfSSL 4:1b0d80432c79 5249
wolfSSL 4:1b0d80432c79 5250 int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE;
wolfSSL 4:1b0d80432c79 5251 int footerLen = 40;
wolfSSL 4:1b0d80432c79 5252 int i;
wolfSSL 4:1b0d80432c79 5253 int err;
wolfSSL 4:1b0d80432c79 5254 int outLen; /* return length or error */
wolfSSL 4:1b0d80432c79 5255
wolfSSL 4:1b0d80432c79 5256 if (der == output) /* no in place conversion */
wolfSSL 4:1b0d80432c79 5257 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5258
wolfSSL 4:1b0d80432c79 5259 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5260 header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5261 if (header == NULL)
wolfSSL 4:1b0d80432c79 5262 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5263
wolfSSL 4:1b0d80432c79 5264 footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5265 if (footer == NULL) {
wolfSSL 4:1b0d80432c79 5266 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5267 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5268 }
wolfSSL 4:1b0d80432c79 5269 #endif
wolfSSL 4:1b0d80432c79 5270 if (type == CERT_TYPE) {
wolfSSL 4:1b0d80432c79 5271 XSTRNCPY(header, BEGIN_CERT, headerLen);
wolfSSL 4:1b0d80432c79 5272 XSTRNCAT(header, "\n", 1);
wolfSSL 4:1b0d80432c79 5273
wolfSSL 4:1b0d80432c79 5274 XSTRNCPY(footer, END_CERT, footerLen);
wolfSSL 4:1b0d80432c79 5275 XSTRNCAT(footer, "\n", 1);
wolfSSL 4:1b0d80432c79 5276 }
wolfSSL 4:1b0d80432c79 5277 else if (type == PRIVATEKEY_TYPE) {
wolfSSL 4:1b0d80432c79 5278 XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen);
wolfSSL 4:1b0d80432c79 5279 XSTRNCAT(header, "\n", 1);
wolfSSL 4:1b0d80432c79 5280
wolfSSL 4:1b0d80432c79 5281 XSTRNCPY(footer, END_RSA_PRIV, footerLen);
wolfSSL 4:1b0d80432c79 5282 XSTRNCAT(footer, "\n", 1);
wolfSSL 4:1b0d80432c79 5283 }
wolfSSL 4:1b0d80432c79 5284 #ifndef NO_DSA
wolfSSL 4:1b0d80432c79 5285 else if (type == DSA_PRIVATEKEY_TYPE) {
wolfSSL 4:1b0d80432c79 5286 XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen);
wolfSSL 4:1b0d80432c79 5287 XSTRNCAT(header, "\n", 1);
wolfSSL 4:1b0d80432c79 5288
wolfSSL 4:1b0d80432c79 5289 XSTRNCPY(footer, END_DSA_PRIV, footerLen);
wolfSSL 4:1b0d80432c79 5290 XSTRNCAT(footer, "\n", 1);
wolfSSL 4:1b0d80432c79 5291 }
wolfSSL 4:1b0d80432c79 5292 #endif
wolfSSL 4:1b0d80432c79 5293 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 5294 else if (type == ECC_PRIVATEKEY_TYPE) {
wolfSSL 4:1b0d80432c79 5295 XSTRNCPY(header, BEGIN_EC_PRIV, headerLen);
wolfSSL 4:1b0d80432c79 5296 XSTRNCAT(header, "\n", 1);
wolfSSL 4:1b0d80432c79 5297
wolfSSL 4:1b0d80432c79 5298 XSTRNCPY(footer, END_EC_PRIV, footerLen);
wolfSSL 4:1b0d80432c79 5299 XSTRNCAT(footer, "\n", 1);
wolfSSL 4:1b0d80432c79 5300 }
wolfSSL 4:1b0d80432c79 5301 #endif
wolfSSL 4:1b0d80432c79 5302 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 5303 else if (type == CERTREQ_TYPE)
wolfSSL 4:1b0d80432c79 5304 {
wolfSSL 4:1b0d80432c79 5305 XSTRNCPY(header, BEGIN_CERT_REQ, headerLen);
wolfSSL 4:1b0d80432c79 5306 XSTRNCAT(header, "\n", 1);
wolfSSL 4:1b0d80432c79 5307
wolfSSL 4:1b0d80432c79 5308 XSTRNCPY(footer, END_CERT_REQ, footerLen);
wolfSSL 4:1b0d80432c79 5309 XSTRNCAT(footer, "\n", 1);
wolfSSL 4:1b0d80432c79 5310 }
wolfSSL 4:1b0d80432c79 5311 #endif
wolfSSL 4:1b0d80432c79 5312 else {
wolfSSL 4:1b0d80432c79 5313 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5314 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5315 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5316 #endif
wolfSSL 4:1b0d80432c79 5317 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5318 }
wolfSSL 4:1b0d80432c79 5319
wolfSSL 4:1b0d80432c79 5320 /* extra header information for encrypted key */
wolfSSL 4:1b0d80432c79 5321 if (cipher_info != NULL) {
wolfSSL 4:1b0d80432c79 5322 XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23);
wolfSSL 4:1b0d80432c79 5323 XSTRNCAT(header, "DEK-Info: ", 10);
wolfSSL 4:1b0d80432c79 5324 XSTRNCAT(header, (char*)cipher_info, XSTRLEN((char*)cipher_info));
wolfSSL 4:1b0d80432c79 5325 XSTRNCAT(header, "\n\n", 2);
wolfSSL 4:1b0d80432c79 5326 }
wolfSSL 4:1b0d80432c79 5327
wolfSSL 4:1b0d80432c79 5328 headerLen = (int)XSTRLEN(header);
wolfSSL 4:1b0d80432c79 5329 footerLen = (int)XSTRLEN(footer);
wolfSSL 4:1b0d80432c79 5330
wolfSSL 4:1b0d80432c79 5331 if (!der || !output) {
wolfSSL 4:1b0d80432c79 5332 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5333 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5334 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5335 #endif
wolfSSL 4:1b0d80432c79 5336 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5337 }
wolfSSL 4:1b0d80432c79 5338
wolfSSL 4:1b0d80432c79 5339 /* don't even try if outSz too short */
wolfSSL 4:1b0d80432c79 5340 if (outSz < headerLen + footerLen + derSz) {
wolfSSL 4:1b0d80432c79 5341 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5342 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5343 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5344 #endif
wolfSSL 4:1b0d80432c79 5345 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5346 }
wolfSSL 4:1b0d80432c79 5347
wolfSSL 4:1b0d80432c79 5348 /* header */
wolfSSL 4:1b0d80432c79 5349 XMEMCPY(output, header, headerLen);
wolfSSL 4:1b0d80432c79 5350 i = headerLen;
wolfSSL 4:1b0d80432c79 5351
wolfSSL 4:1b0d80432c79 5352 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5353 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5354 #endif
wolfSSL 4:1b0d80432c79 5355
wolfSSL 4:1b0d80432c79 5356 /* body */
wolfSSL 4:1b0d80432c79 5357 outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */
wolfSSL 4:1b0d80432c79 5358 if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) {
wolfSSL 4:1b0d80432c79 5359 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5360 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5361 #endif
wolfSSL 4:1b0d80432c79 5362 return err;
wolfSSL 4:1b0d80432c79 5363 }
wolfSSL 4:1b0d80432c79 5364 i += outLen;
wolfSSL 4:1b0d80432c79 5365
wolfSSL 4:1b0d80432c79 5366 /* footer */
wolfSSL 4:1b0d80432c79 5367 if ( (i + footerLen) > (int)outSz) {
wolfSSL 4:1b0d80432c79 5368 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5369 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5370 #endif
wolfSSL 4:1b0d80432c79 5371 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5372 }
wolfSSL 4:1b0d80432c79 5373 XMEMCPY(output + i, footer, footerLen);
wolfSSL 4:1b0d80432c79 5374
wolfSSL 4:1b0d80432c79 5375 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5376 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5377 #endif
wolfSSL 4:1b0d80432c79 5378
wolfSSL 4:1b0d80432c79 5379 return outLen + headerLen + footerLen;
wolfSSL 4:1b0d80432c79 5380 }
wolfSSL 4:1b0d80432c79 5381
wolfSSL 4:1b0d80432c79 5382 #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 5383
wolfSSL 4:1b0d80432c79 5384 #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
wolfSSL 4:1b0d80432c79 5385 /* USER RSA ifdef portions used instead of refactor in consideration for
wolfSSL 4:1b0d80432c79 5386 possible fips build */
wolfSSL 4:1b0d80432c79 5387 /* Write a public RSA key to output */
wolfSSL 4:1b0d80432c79 5388 static int SetRsaPublicKey(byte* output, RsaKey* key,
wolfSSL 4:1b0d80432c79 5389 int outLen, int with_header)
wolfSSL 4:1b0d80432c79 5390 {
wolfSSL 4:1b0d80432c79 5391 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5392 byte* n = NULL;
wolfSSL 4:1b0d80432c79 5393 byte* e = NULL;
wolfSSL 4:1b0d80432c79 5394 #else
wolfSSL 4:1b0d80432c79 5395 byte n[MAX_RSA_INT_SZ];
wolfSSL 4:1b0d80432c79 5396 byte e[MAX_RSA_E_SZ];
wolfSSL 4:1b0d80432c79 5397 #endif
wolfSSL 4:1b0d80432c79 5398 byte seq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 5399 byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */
wolfSSL 4:1b0d80432c79 5400 int nSz;
wolfSSL 4:1b0d80432c79 5401 int eSz;
wolfSSL 4:1b0d80432c79 5402 int seqSz;
wolfSSL 4:1b0d80432c79 5403 int lenSz;
wolfSSL 4:1b0d80432c79 5404 int idx;
wolfSSL 4:1b0d80432c79 5405 int rawLen;
wolfSSL 4:1b0d80432c79 5406 int leadingBit;
wolfSSL 4:1b0d80432c79 5407 int err;
wolfSSL 4:1b0d80432c79 5408
wolfSSL 4:1b0d80432c79 5409 if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ)
wolfSSL 4:1b0d80432c79 5410 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5411
wolfSSL 4:1b0d80432c79 5412 /* n */
wolfSSL 4:1b0d80432c79 5413 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5414 n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5415 if (n == NULL)
wolfSSL 4:1b0d80432c79 5416 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5417 #endif
wolfSSL 4:1b0d80432c79 5418
wolfSSL 4:1b0d80432c79 5419 #ifdef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 5420 leadingBit = wc_Rsa_leading_bit(key->n);
wolfSSL 4:1b0d80432c79 5421 rawLen = wc_Rsa_unsigned_bin_size(key->n) + leadingBit;
wolfSSL 4:1b0d80432c79 5422 #else
wolfSSL 4:1b0d80432c79 5423 leadingBit = mp_leading_bit(&key->n);
wolfSSL 4:1b0d80432c79 5424 rawLen = mp_unsigned_bin_size(&key->n) + leadingBit;
wolfSSL 4:1b0d80432c79 5425 #endif
wolfSSL 4:1b0d80432c79 5426 n[0] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5427 nSz = SetLength(rawLen, n + 1) + 1; /* int tag */
wolfSSL 4:1b0d80432c79 5428
wolfSSL 4:1b0d80432c79 5429 if ( (nSz + rawLen) < MAX_RSA_INT_SZ) {
wolfSSL 4:1b0d80432c79 5430 if (leadingBit)
wolfSSL 4:1b0d80432c79 5431 n[nSz] = 0;
wolfSSL 4:1b0d80432c79 5432 #ifdef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 5433 err = wc_Rsa_to_unsigned_bin(key->n, n + nSz, rawLen);
wolfSSL 4:1b0d80432c79 5434 #else
wolfSSL 4:1b0d80432c79 5435 err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit);
wolfSSL 4:1b0d80432c79 5436 #endif
wolfSSL 4:1b0d80432c79 5437 if (err == MP_OKAY)
wolfSSL 4:1b0d80432c79 5438 nSz += rawLen;
wolfSSL 4:1b0d80432c79 5439 else {
wolfSSL 4:1b0d80432c79 5440 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5441 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5442 #endif
wolfSSL 4:1b0d80432c79 5443 return MP_TO_E;
wolfSSL 4:1b0d80432c79 5444 }
wolfSSL 4:1b0d80432c79 5445 }
wolfSSL 4:1b0d80432c79 5446 else {
wolfSSL 4:1b0d80432c79 5447 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5448 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5449 #endif
wolfSSL 4:1b0d80432c79 5450 return BUFFER_E;
wolfSSL 4:1b0d80432c79 5451 }
wolfSSL 4:1b0d80432c79 5452
wolfSSL 4:1b0d80432c79 5453 /* e */
wolfSSL 4:1b0d80432c79 5454 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5455 e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5456 if (e == NULL) {
wolfSSL 4:1b0d80432c79 5457 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5458 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5459 #endif
wolfSSL 4:1b0d80432c79 5460 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5461 }
wolfSSL 4:1b0d80432c79 5462 #endif
wolfSSL 4:1b0d80432c79 5463
wolfSSL 4:1b0d80432c79 5464 #ifdef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 5465 leadingBit = wc_Rsa_leading_bit(key->e);
wolfSSL 4:1b0d80432c79 5466 rawLen = wc_Rsa_unsigned_bin_size(key->e) + leadingBit;
wolfSSL 4:1b0d80432c79 5467 #else
wolfSSL 4:1b0d80432c79 5468 leadingBit = mp_leading_bit(&key->e);
wolfSSL 4:1b0d80432c79 5469 rawLen = mp_unsigned_bin_size(&key->e) + leadingBit;
wolfSSL 4:1b0d80432c79 5470 #endif
wolfSSL 4:1b0d80432c79 5471 e[0] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5472 eSz = SetLength(rawLen, e + 1) + 1; /* int tag */
wolfSSL 4:1b0d80432c79 5473
wolfSSL 4:1b0d80432c79 5474 if ( (eSz + rawLen) < MAX_RSA_E_SZ) {
wolfSSL 4:1b0d80432c79 5475 if (leadingBit)
wolfSSL 4:1b0d80432c79 5476 e[eSz] = 0;
wolfSSL 4:1b0d80432c79 5477 #ifdef HAVE_USER_RSA
wolfSSL 4:1b0d80432c79 5478 err = wc_Rsa_to_unsigned_bin(key->e, e + eSz, rawLen);
wolfSSL 4:1b0d80432c79 5479 #else
wolfSSL 4:1b0d80432c79 5480 err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit);
wolfSSL 4:1b0d80432c79 5481 #endif
wolfSSL 4:1b0d80432c79 5482 if (err == MP_OKAY)
wolfSSL 4:1b0d80432c79 5483 eSz += rawLen;
wolfSSL 4:1b0d80432c79 5484 else {
wolfSSL 4:1b0d80432c79 5485 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5486 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5487 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5488 #endif
wolfSSL 4:1b0d80432c79 5489 return MP_TO_E;
wolfSSL 4:1b0d80432c79 5490 }
wolfSSL 4:1b0d80432c79 5491 }
wolfSSL 4:1b0d80432c79 5492 else {
wolfSSL 4:1b0d80432c79 5493 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5494 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5495 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5496 #endif
wolfSSL 4:1b0d80432c79 5497 return BUFFER_E;
wolfSSL 4:1b0d80432c79 5498 }
wolfSSL 4:1b0d80432c79 5499
wolfSSL 4:1b0d80432c79 5500 seqSz = SetSequence(nSz + eSz, seq);
wolfSSL 4:1b0d80432c79 5501
wolfSSL 4:1b0d80432c79 5502 /* check output size */
wolfSSL 4:1b0d80432c79 5503 if ( (seqSz + nSz + eSz) > outLen) {
wolfSSL 4:1b0d80432c79 5504 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5505 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5506 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5507 #endif
wolfSSL 4:1b0d80432c79 5508 return BUFFER_E;
wolfSSL 4:1b0d80432c79 5509 }
wolfSSL 4:1b0d80432c79 5510
wolfSSL 4:1b0d80432c79 5511 /* headers */
wolfSSL 4:1b0d80432c79 5512 if (with_header) {
wolfSSL 4:1b0d80432c79 5513 int algoSz;
wolfSSL 4:1b0d80432c79 5514 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5515 byte* algo = NULL;
wolfSSL 4:1b0d80432c79 5516
wolfSSL 4:1b0d80432c79 5517 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5518 if (algo == NULL) {
wolfSSL 4:1b0d80432c79 5519 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5520 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5521 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5522 }
wolfSSL 4:1b0d80432c79 5523 #else
wolfSSL 4:1b0d80432c79 5524 byte algo[MAX_ALGO_SZ];
wolfSSL 4:1b0d80432c79 5525 #endif
wolfSSL 4:1b0d80432c79 5526 algoSz = SetAlgoID(RSAk, algo, keyType, 0);
wolfSSL 4:1b0d80432c79 5527 lenSz = SetLength(seqSz + nSz + eSz + 1, len);
wolfSSL 4:1b0d80432c79 5528 len[lenSz++] = 0; /* trailing 0 */
wolfSSL 4:1b0d80432c79 5529
wolfSSL 4:1b0d80432c79 5530 /* write, 1 is for ASN_BIT_STRING */
wolfSSL 4:1b0d80432c79 5531 idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output);
wolfSSL 4:1b0d80432c79 5532
wolfSSL 4:1b0d80432c79 5533 /* check output size */
wolfSSL 4:1b0d80432c79 5534 if ( (idx + algoSz + 1 + lenSz + seqSz + nSz + eSz) > outLen) {
wolfSSL 4:1b0d80432c79 5535 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5536 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5537 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5538 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5539 #endif
wolfSSL 4:1b0d80432c79 5540
wolfSSL 4:1b0d80432c79 5541 return BUFFER_E;
wolfSSL 4:1b0d80432c79 5542 }
wolfSSL 4:1b0d80432c79 5543
wolfSSL 4:1b0d80432c79 5544 /* algo */
wolfSSL 4:1b0d80432c79 5545 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 4:1b0d80432c79 5546 idx += algoSz;
wolfSSL 4:1b0d80432c79 5547 /* bit string */
wolfSSL 4:1b0d80432c79 5548 output[idx++] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 5549 /* length */
wolfSSL 4:1b0d80432c79 5550 XMEMCPY(output + idx, len, lenSz);
wolfSSL 4:1b0d80432c79 5551 idx += lenSz;
wolfSSL 4:1b0d80432c79 5552 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5553 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5554 #endif
wolfSSL 4:1b0d80432c79 5555 }
wolfSSL 4:1b0d80432c79 5556 else
wolfSSL 4:1b0d80432c79 5557 idx = 0;
wolfSSL 4:1b0d80432c79 5558
wolfSSL 4:1b0d80432c79 5559 /* seq */
wolfSSL 4:1b0d80432c79 5560 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 4:1b0d80432c79 5561 idx += seqSz;
wolfSSL 4:1b0d80432c79 5562 /* n */
wolfSSL 4:1b0d80432c79 5563 XMEMCPY(output + idx, n, nSz);
wolfSSL 4:1b0d80432c79 5564 idx += nSz;
wolfSSL 4:1b0d80432c79 5565 /* e */
wolfSSL 4:1b0d80432c79 5566 XMEMCPY(output + idx, e, eSz);
wolfSSL 4:1b0d80432c79 5567 idx += eSz;
wolfSSL 4:1b0d80432c79 5568
wolfSSL 4:1b0d80432c79 5569 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5570 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5571 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5572 #endif
wolfSSL 4:1b0d80432c79 5573
wolfSSL 4:1b0d80432c79 5574 return idx;
wolfSSL 4:1b0d80432c79 5575 }
wolfSSL 4:1b0d80432c79 5576 #endif /* !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) ||
wolfSSL 4:1b0d80432c79 5577 defined(WOLFSSL_KEY_GEN)) */
wolfSSL 4:1b0d80432c79 5578
wolfSSL 4:1b0d80432c79 5579
wolfSSL 4:1b0d80432c79 5580 #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
wolfSSL 4:1b0d80432c79 5581
wolfSSL 4:1b0d80432c79 5582
wolfSSL 4:1b0d80432c79 5583 static mp_int* GetRsaInt(RsaKey* key, int idx)
wolfSSL 4:1b0d80432c79 5584 {
wolfSSL 4:1b0d80432c79 5585 if (idx == 0)
wolfSSL 4:1b0d80432c79 5586 return &key->n;
wolfSSL 4:1b0d80432c79 5587 if (idx == 1)
wolfSSL 4:1b0d80432c79 5588 return &key->e;
wolfSSL 4:1b0d80432c79 5589 if (idx == 2)
wolfSSL 4:1b0d80432c79 5590 return &key->d;
wolfSSL 4:1b0d80432c79 5591 if (idx == 3)
wolfSSL 4:1b0d80432c79 5592 return &key->p;
wolfSSL 4:1b0d80432c79 5593 if (idx == 4)
wolfSSL 4:1b0d80432c79 5594 return &key->q;
wolfSSL 4:1b0d80432c79 5595 if (idx == 5)
wolfSSL 4:1b0d80432c79 5596 return &key->dP;
wolfSSL 4:1b0d80432c79 5597 if (idx == 6)
wolfSSL 4:1b0d80432c79 5598 return &key->dQ;
wolfSSL 4:1b0d80432c79 5599 if (idx == 7)
wolfSSL 4:1b0d80432c79 5600 return &key->u;
wolfSSL 4:1b0d80432c79 5601
wolfSSL 4:1b0d80432c79 5602 return NULL;
wolfSSL 4:1b0d80432c79 5603 }
wolfSSL 4:1b0d80432c79 5604
wolfSSL 4:1b0d80432c79 5605
wolfSSL 4:1b0d80432c79 5606 /* Release Tmp RSA resources */
wolfSSL 4:1b0d80432c79 5607 static INLINE void FreeTmpRsas(byte** tmps, void* heap)
wolfSSL 4:1b0d80432c79 5608 {
wolfSSL 4:1b0d80432c79 5609 int i;
wolfSSL 4:1b0d80432c79 5610
wolfSSL 4:1b0d80432c79 5611 (void)heap;
wolfSSL 4:1b0d80432c79 5612
wolfSSL 4:1b0d80432c79 5613 for (i = 0; i < RSA_INTS; i++)
wolfSSL 4:1b0d80432c79 5614 XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 5615 }
wolfSSL 4:1b0d80432c79 5616
wolfSSL 4:1b0d80432c79 5617
wolfSSL 4:1b0d80432c79 5618 /* Convert RsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 4:1b0d80432c79 5619 written */
wolfSSL 4:1b0d80432c79 5620 int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 4:1b0d80432c79 5621 {
wolfSSL 4:1b0d80432c79 5622 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 4:1b0d80432c79 5623 word32 sizes[RSA_INTS];
wolfSSL 4:1b0d80432c79 5624 int i, j, outLen, ret = 0, lbit;
wolfSSL 4:1b0d80432c79 5625
wolfSSL 4:1b0d80432c79 5626 byte seq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 5627 byte ver[MAX_VERSION_SZ];
wolfSSL 4:1b0d80432c79 5628 byte* tmps[RSA_INTS];
wolfSSL 4:1b0d80432c79 5629
wolfSSL 4:1b0d80432c79 5630 if (!key || !output)
wolfSSL 4:1b0d80432c79 5631 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5632
wolfSSL 4:1b0d80432c79 5633 if (key->type != RSA_PRIVATE)
wolfSSL 4:1b0d80432c79 5634 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5635
wolfSSL 4:1b0d80432c79 5636 for (i = 0; i < RSA_INTS; i++)
wolfSSL 4:1b0d80432c79 5637 tmps[i] = NULL;
wolfSSL 4:1b0d80432c79 5638
wolfSSL 4:1b0d80432c79 5639 /* write all big ints from key to DER tmps */
wolfSSL 4:1b0d80432c79 5640 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 4:1b0d80432c79 5641 mp_int* keyInt = GetRsaInt(key, i);
wolfSSL 4:1b0d80432c79 5642
wolfSSL 4:1b0d80432c79 5643 /* leading zero */
wolfSSL 4:1b0d80432c79 5644 lbit = mp_leading_bit(keyInt);
wolfSSL 4:1b0d80432c79 5645 rawLen = mp_unsigned_bin_size(keyInt) + lbit;
wolfSSL 4:1b0d80432c79 5646
wolfSSL 4:1b0d80432c79 5647 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL 4:1b0d80432c79 5648 DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 5649 if (tmps[i] == NULL) {
wolfSSL 4:1b0d80432c79 5650 ret = MEMORY_E;
wolfSSL 4:1b0d80432c79 5651 break;
wolfSSL 4:1b0d80432c79 5652 }
wolfSSL 4:1b0d80432c79 5653
wolfSSL 4:1b0d80432c79 5654 tmps[i][0] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5655 sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */
wolfSSL 4:1b0d80432c79 5656
wolfSSL 4:1b0d80432c79 5657 if (sizes[i] <= MAX_SEQ_SZ) {
wolfSSL 4:1b0d80432c79 5658 int err;
wolfSSL 4:1b0d80432c79 5659
wolfSSL 4:1b0d80432c79 5660 /* leading zero */
wolfSSL 4:1b0d80432c79 5661 if (lbit)
wolfSSL 4:1b0d80432c79 5662 tmps[i][sizes[i]-1] = 0x00;
wolfSSL 4:1b0d80432c79 5663
wolfSSL 4:1b0d80432c79 5664 err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
wolfSSL 4:1b0d80432c79 5665 if (err == MP_OKAY) {
wolfSSL 4:1b0d80432c79 5666 sizes[i] += (rawLen-lbit); /* lbit included in rawLen */
wolfSSL 4:1b0d80432c79 5667 intTotalLen += sizes[i];
wolfSSL 4:1b0d80432c79 5668 }
wolfSSL 4:1b0d80432c79 5669 else {
wolfSSL 4:1b0d80432c79 5670 ret = err;
wolfSSL 4:1b0d80432c79 5671 break;
wolfSSL 4:1b0d80432c79 5672 }
wolfSSL 4:1b0d80432c79 5673 }
wolfSSL 4:1b0d80432c79 5674 else {
wolfSSL 4:1b0d80432c79 5675 ret = ASN_INPUT_E;
wolfSSL 4:1b0d80432c79 5676 break;
wolfSSL 4:1b0d80432c79 5677 }
wolfSSL 4:1b0d80432c79 5678 }
wolfSSL 4:1b0d80432c79 5679
wolfSSL 4:1b0d80432c79 5680 if (ret != 0) {
wolfSSL 4:1b0d80432c79 5681 FreeTmpRsas(tmps, key->heap);
wolfSSL 4:1b0d80432c79 5682 return ret;
wolfSSL 4:1b0d80432c79 5683 }
wolfSSL 4:1b0d80432c79 5684
wolfSSL 4:1b0d80432c79 5685 /* make headers */
wolfSSL 4:1b0d80432c79 5686 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 4:1b0d80432c79 5687 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 4:1b0d80432c79 5688
wolfSSL 4:1b0d80432c79 5689 outLen = seqSz + verSz + intTotalLen;
wolfSSL 4:1b0d80432c79 5690 if (outLen > (int)inLen)
wolfSSL 4:1b0d80432c79 5691 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 5692
wolfSSL 4:1b0d80432c79 5693 /* write to output */
wolfSSL 4:1b0d80432c79 5694 XMEMCPY(output, seq, seqSz);
wolfSSL 4:1b0d80432c79 5695 j = seqSz;
wolfSSL 4:1b0d80432c79 5696 XMEMCPY(output + j, ver, verSz);
wolfSSL 4:1b0d80432c79 5697 j += verSz;
wolfSSL 4:1b0d80432c79 5698
wolfSSL 4:1b0d80432c79 5699 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 4:1b0d80432c79 5700 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 4:1b0d80432c79 5701 j += sizes[i];
wolfSSL 4:1b0d80432c79 5702 }
wolfSSL 4:1b0d80432c79 5703 FreeTmpRsas(tmps, key->heap);
wolfSSL 4:1b0d80432c79 5704
wolfSSL 4:1b0d80432c79 5705 return outLen;
wolfSSL 4:1b0d80432c79 5706 }
wolfSSL 4:1b0d80432c79 5707
wolfSSL 4:1b0d80432c79 5708
wolfSSL 4:1b0d80432c79 5709 /* Convert Rsa Public key to DER format, write to output (inLen), return bytes
wolfSSL 4:1b0d80432c79 5710 written */
wolfSSL 4:1b0d80432c79 5711 int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 4:1b0d80432c79 5712 {
wolfSSL 4:1b0d80432c79 5713 return SetRsaPublicKey(output, key, inLen, 1);
wolfSSL 4:1b0d80432c79 5714 }
wolfSSL 4:1b0d80432c79 5715
wolfSSL 4:1b0d80432c79 5716 #endif /* WOLFSSL_KEY_GEN && !NO_RSA */
wolfSSL 4:1b0d80432c79 5717
wolfSSL 4:1b0d80432c79 5718
wolfSSL 4:1b0d80432c79 5719 #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL 4:1b0d80432c79 5720
wolfSSL 4:1b0d80432c79 5721
wolfSSL 4:1b0d80432c79 5722 #ifndef WOLFSSL_HAVE_MIN
wolfSSL 4:1b0d80432c79 5723 #define WOLFSSL_HAVE_MIN
wolfSSL 4:1b0d80432c79 5724
wolfSSL 4:1b0d80432c79 5725 static INLINE word32 min(word32 a, word32 b)
wolfSSL 4:1b0d80432c79 5726 {
wolfSSL 4:1b0d80432c79 5727 return a > b ? b : a;
wolfSSL 4:1b0d80432c79 5728 }
wolfSSL 4:1b0d80432c79 5729
wolfSSL 4:1b0d80432c79 5730 #endif /* WOLFSSL_HAVE_MIN */
wolfSSL 4:1b0d80432c79 5731
wolfSSL 4:1b0d80432c79 5732
wolfSSL 4:1b0d80432c79 5733 /* Initialize and Set Certificate defaults:
wolfSSL 4:1b0d80432c79 5734 version = 3 (0x2)
wolfSSL 4:1b0d80432c79 5735 serial = 0
wolfSSL 4:1b0d80432c79 5736 sigType = SHA_WITH_RSA
wolfSSL 4:1b0d80432c79 5737 issuer = blank
wolfSSL 4:1b0d80432c79 5738 daysValid = 500
wolfSSL 4:1b0d80432c79 5739 selfSigned = 1 (true) use subject as issuer
wolfSSL 4:1b0d80432c79 5740 subject = blank
wolfSSL 4:1b0d80432c79 5741 */
wolfSSL 4:1b0d80432c79 5742 void wc_InitCert(Cert* cert)
wolfSSL 4:1b0d80432c79 5743 {
wolfSSL 4:1b0d80432c79 5744 cert->version = 2; /* version 3 is hex 2 */
wolfSSL 4:1b0d80432c79 5745 cert->sigType = CTC_SHAwRSA;
wolfSSL 4:1b0d80432c79 5746 cert->daysValid = 500;
wolfSSL 4:1b0d80432c79 5747 cert->selfSigned = 1;
wolfSSL 4:1b0d80432c79 5748 cert->isCA = 0;
wolfSSL 4:1b0d80432c79 5749 cert->bodySz = 0;
wolfSSL 4:1b0d80432c79 5750 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 5751 cert->altNamesSz = 0;
wolfSSL 4:1b0d80432c79 5752 cert->beforeDateSz = 0;
wolfSSL 4:1b0d80432c79 5753 cert->afterDateSz = 0;
wolfSSL 4:1b0d80432c79 5754 #endif
wolfSSL 4:1b0d80432c79 5755 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 5756 cert->skidSz = 0;
wolfSSL 4:1b0d80432c79 5757 cert->akidSz = 0;
wolfSSL 4:1b0d80432c79 5758 cert->keyUsage = 0;
wolfSSL 4:1b0d80432c79 5759 cert->certPoliciesNb = 0;
wolfSSL 4:1b0d80432c79 5760 XMEMSET(cert->akid, 0, CTC_MAX_AKID_SIZE);
wolfSSL 4:1b0d80432c79 5761 XMEMSET(cert->skid, 0, CTC_MAX_SKID_SIZE);
wolfSSL 4:1b0d80432c79 5762 XMEMSET(cert->certPolicies, 0, CTC_MAX_CERTPOL_NB*CTC_MAX_CERTPOL_SZ);
wolfSSL 4:1b0d80432c79 5763 #endif
wolfSSL 4:1b0d80432c79 5764 cert->keyType = RSA_KEY;
wolfSSL 4:1b0d80432c79 5765 XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE);
wolfSSL 4:1b0d80432c79 5766
wolfSSL 4:1b0d80432c79 5767 cert->issuer.country[0] = '\0';
wolfSSL 4:1b0d80432c79 5768 cert->issuer.countryEnc = CTC_PRINTABLE;
wolfSSL 4:1b0d80432c79 5769 cert->issuer.state[0] = '\0';
wolfSSL 4:1b0d80432c79 5770 cert->issuer.stateEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5771 cert->issuer.locality[0] = '\0';
wolfSSL 4:1b0d80432c79 5772 cert->issuer.localityEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5773 cert->issuer.sur[0] = '\0';
wolfSSL 4:1b0d80432c79 5774 cert->issuer.surEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5775 cert->issuer.org[0] = '\0';
wolfSSL 4:1b0d80432c79 5776 cert->issuer.orgEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5777 cert->issuer.unit[0] = '\0';
wolfSSL 4:1b0d80432c79 5778 cert->issuer.unitEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5779 cert->issuer.commonName[0] = '\0';
wolfSSL 4:1b0d80432c79 5780 cert->issuer.commonNameEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5781 cert->issuer.email[0] = '\0';
wolfSSL 4:1b0d80432c79 5782
wolfSSL 4:1b0d80432c79 5783 cert->subject.country[0] = '\0';
wolfSSL 4:1b0d80432c79 5784 cert->subject.countryEnc = CTC_PRINTABLE;
wolfSSL 4:1b0d80432c79 5785 cert->subject.state[0] = '\0';
wolfSSL 4:1b0d80432c79 5786 cert->subject.stateEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5787 cert->subject.locality[0] = '\0';
wolfSSL 4:1b0d80432c79 5788 cert->subject.localityEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5789 cert->subject.sur[0] = '\0';
wolfSSL 4:1b0d80432c79 5790 cert->subject.surEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5791 cert->subject.org[0] = '\0';
wolfSSL 4:1b0d80432c79 5792 cert->subject.orgEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5793 cert->subject.unit[0] = '\0';
wolfSSL 4:1b0d80432c79 5794 cert->subject.unitEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5795 cert->subject.commonName[0] = '\0';
wolfSSL 4:1b0d80432c79 5796 cert->subject.commonNameEnc = CTC_UTF8;
wolfSSL 4:1b0d80432c79 5797 cert->subject.email[0] = '\0';
wolfSSL 4:1b0d80432c79 5798
wolfSSL 4:1b0d80432c79 5799 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 5800 cert->challengePw[0] ='\0';
wolfSSL 4:1b0d80432c79 5801 #endif
wolfSSL 4:1b0d80432c79 5802 }
wolfSSL 4:1b0d80432c79 5803
wolfSSL 4:1b0d80432c79 5804
wolfSSL 4:1b0d80432c79 5805 /* DER encoded x509 Certificate */
wolfSSL 4:1b0d80432c79 5806 typedef struct DerCert {
wolfSSL 4:1b0d80432c79 5807 byte size[MAX_LENGTH_SZ]; /* length encoded */
wolfSSL 4:1b0d80432c79 5808 byte version[MAX_VERSION_SZ]; /* version encoded */
wolfSSL 4:1b0d80432c79 5809 byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */
wolfSSL 4:1b0d80432c79 5810 byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */
wolfSSL 4:1b0d80432c79 5811 byte issuer[ASN_NAME_MAX]; /* issuer encoded */
wolfSSL 4:1b0d80432c79 5812 byte subject[ASN_NAME_MAX]; /* subject encoded */
wolfSSL 4:1b0d80432c79 5813 byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */
wolfSSL 4:1b0d80432c79 5814 byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
wolfSSL 4:1b0d80432c79 5815 byte ca[MAX_CA_SZ]; /* basic constraint CA true size */
wolfSSL 4:1b0d80432c79 5816 byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
wolfSSL 4:1b0d80432c79 5817 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 5818 byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */
wolfSSL 4:1b0d80432c79 5819 byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */
wolfSSL 4:1b0d80432c79 5820 byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */
wolfSSL 4:1b0d80432c79 5821 byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */
wolfSSL 4:1b0d80432c79 5822 #endif
wolfSSL 4:1b0d80432c79 5823 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 5824 byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */
wolfSSL 4:1b0d80432c79 5825 #endif
wolfSSL 4:1b0d80432c79 5826 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 5827 byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */
wolfSSL 4:1b0d80432c79 5828 #endif
wolfSSL 4:1b0d80432c79 5829 int sizeSz; /* encoded size length */
wolfSSL 4:1b0d80432c79 5830 int versionSz; /* encoded version length */
wolfSSL 4:1b0d80432c79 5831 int serialSz; /* encoded serial length */
wolfSSL 4:1b0d80432c79 5832 int sigAlgoSz; /* encoded sig alog length */
wolfSSL 4:1b0d80432c79 5833 int issuerSz; /* encoded issuer length */
wolfSSL 4:1b0d80432c79 5834 int subjectSz; /* encoded subject length */
wolfSSL 4:1b0d80432c79 5835 int validitySz; /* encoded validity length */
wolfSSL 4:1b0d80432c79 5836 int publicKeySz; /* encoded public key length */
wolfSSL 4:1b0d80432c79 5837 int caSz; /* encoded CA extension length */
wolfSSL 4:1b0d80432c79 5838 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 5839 int skidSz; /* encoded SKID extension length */
wolfSSL 4:1b0d80432c79 5840 int akidSz; /* encoded SKID extension length */
wolfSSL 4:1b0d80432c79 5841 int keyUsageSz; /* encoded KeyUsage extension length */
wolfSSL 4:1b0d80432c79 5842 int certPoliciesSz; /* encoded CertPolicies extension length*/
wolfSSL 4:1b0d80432c79 5843 #endif
wolfSSL 4:1b0d80432c79 5844 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 5845 int altNamesSz; /* encoded AltNames extension length */
wolfSSL 4:1b0d80432c79 5846 #endif
wolfSSL 4:1b0d80432c79 5847 int extensionsSz; /* encoded extensions total length */
wolfSSL 4:1b0d80432c79 5848 int total; /* total encoded lengths */
wolfSSL 4:1b0d80432c79 5849 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 5850 int attribSz;
wolfSSL 4:1b0d80432c79 5851 #endif
wolfSSL 4:1b0d80432c79 5852 } DerCert;
wolfSSL 4:1b0d80432c79 5853
wolfSSL 4:1b0d80432c79 5854
wolfSSL 4:1b0d80432c79 5855 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 5856
wolfSSL 4:1b0d80432c79 5857 /* Write a set header to output */
wolfSSL 4:1b0d80432c79 5858 static word32 SetUTF8String(word32 len, byte* output)
wolfSSL 4:1b0d80432c79 5859 {
wolfSSL 4:1b0d80432c79 5860 output[0] = ASN_UTF8STRING;
wolfSSL 4:1b0d80432c79 5861 return SetLength(len, output + 1) + 1;
wolfSSL 4:1b0d80432c79 5862 }
wolfSSL 4:1b0d80432c79 5863
wolfSSL 4:1b0d80432c79 5864 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 4:1b0d80432c79 5865
wolfSSL 4:1b0d80432c79 5866
wolfSSL 4:1b0d80432c79 5867 /* Write a serial number to output */
wolfSSL 4:1b0d80432c79 5868 static int SetSerial(const byte* serial, byte* output)
wolfSSL 4:1b0d80432c79 5869 {
wolfSSL 4:1b0d80432c79 5870 int length = 0;
wolfSSL 4:1b0d80432c79 5871
wolfSSL 4:1b0d80432c79 5872 output[length++] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 5873 length += SetLength(CTC_SERIAL_SIZE, &output[length]);
wolfSSL 4:1b0d80432c79 5874 XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE);
wolfSSL 4:1b0d80432c79 5875
wolfSSL 4:1b0d80432c79 5876 return length + CTC_SERIAL_SIZE;
wolfSSL 4:1b0d80432c79 5877 }
wolfSSL 4:1b0d80432c79 5878
wolfSSL 4:1b0d80432c79 5879
wolfSSL 4:1b0d80432c79 5880 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 5881
wolfSSL 4:1b0d80432c79 5882
wolfSSL 4:1b0d80432c79 5883 /* Write a public ECC key to output */
wolfSSL 4:1b0d80432c79 5884 static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)
wolfSSL 4:1b0d80432c79 5885 {
wolfSSL 4:1b0d80432c79 5886 byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */
wolfSSL 4:1b0d80432c79 5887 int algoSz;
wolfSSL 4:1b0d80432c79 5888 int curveSz;
wolfSSL 4:1b0d80432c79 5889 int lenSz;
wolfSSL 4:1b0d80432c79 5890 int idx;
wolfSSL 4:1b0d80432c79 5891 word32 pubSz = ECC_BUFSIZE;
wolfSSL 4:1b0d80432c79 5892 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5893 byte* algo = NULL;
wolfSSL 4:1b0d80432c79 5894 byte* curve = NULL;
wolfSSL 4:1b0d80432c79 5895 byte* pub = NULL;
wolfSSL 4:1b0d80432c79 5896 #else
wolfSSL 4:1b0d80432c79 5897 byte algo[MAX_ALGO_SZ];
wolfSSL 4:1b0d80432c79 5898 byte curve[MAX_ALGO_SZ];
wolfSSL 4:1b0d80432c79 5899 byte pub[ECC_BUFSIZE];
wolfSSL 4:1b0d80432c79 5900 #endif
wolfSSL 4:1b0d80432c79 5901
wolfSSL 4:1b0d80432c79 5902 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5903 pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5904 if (pub == NULL)
wolfSSL 4:1b0d80432c79 5905 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5906 #endif
wolfSSL 4:1b0d80432c79 5907
wolfSSL 4:1b0d80432c79 5908 int ret = wc_ecc_export_x963(key, pub, &pubSz);
wolfSSL 4:1b0d80432c79 5909 if (ret != 0) {
wolfSSL 4:1b0d80432c79 5910 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5911 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5912 #endif
wolfSSL 4:1b0d80432c79 5913 return ret;
wolfSSL 4:1b0d80432c79 5914 }
wolfSSL 4:1b0d80432c79 5915
wolfSSL 4:1b0d80432c79 5916 /* headers */
wolfSSL 4:1b0d80432c79 5917 if (with_header) {
wolfSSL 4:1b0d80432c79 5918 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5919 curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5920 if (curve == NULL) {
wolfSSL 4:1b0d80432c79 5921 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5922 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5923 }
wolfSSL 4:1b0d80432c79 5924 #endif
wolfSSL 4:1b0d80432c79 5925 curveSz = SetCurve(key, curve);
wolfSSL 4:1b0d80432c79 5926 if (curveSz <= 0) {
wolfSSL 4:1b0d80432c79 5927 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5928 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5929 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5930 #endif
wolfSSL 4:1b0d80432c79 5931 return curveSz;
wolfSSL 4:1b0d80432c79 5932 }
wolfSSL 4:1b0d80432c79 5933
wolfSSL 4:1b0d80432c79 5934 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5935 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5936 if (algo == NULL) {
wolfSSL 4:1b0d80432c79 5937 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5938 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5939 return MEMORY_E;
wolfSSL 4:1b0d80432c79 5940 }
wolfSSL 4:1b0d80432c79 5941 #endif
wolfSSL 4:1b0d80432c79 5942 algoSz = SetAlgoID(ECDSAk, algo, keyType, curveSz);
wolfSSL 4:1b0d80432c79 5943
wolfSSL 4:1b0d80432c79 5944 lenSz = SetLength(pubSz + 1, len);
wolfSSL 4:1b0d80432c79 5945 len[lenSz++] = 0; /* trailing 0 */
wolfSSL 4:1b0d80432c79 5946
wolfSSL 4:1b0d80432c79 5947 /* write, 1 is for ASN_BIT_STRING */
wolfSSL 4:1b0d80432c79 5948 idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output);
wolfSSL 4:1b0d80432c79 5949 /* algo */
wolfSSL 4:1b0d80432c79 5950 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 4:1b0d80432c79 5951 idx += algoSz;
wolfSSL 4:1b0d80432c79 5952 /* curve */
wolfSSL 4:1b0d80432c79 5953 XMEMCPY(output + idx, curve, curveSz);
wolfSSL 4:1b0d80432c79 5954 idx += curveSz;
wolfSSL 4:1b0d80432c79 5955 /* bit string */
wolfSSL 4:1b0d80432c79 5956 output[idx++] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 5957 /* length */
wolfSSL 4:1b0d80432c79 5958 XMEMCPY(output + idx, len, lenSz);
wolfSSL 4:1b0d80432c79 5959 idx += lenSz;
wolfSSL 4:1b0d80432c79 5960 }
wolfSSL 4:1b0d80432c79 5961 else
wolfSSL 4:1b0d80432c79 5962 idx = 0;
wolfSSL 4:1b0d80432c79 5963
wolfSSL 4:1b0d80432c79 5964 /* pub */
wolfSSL 4:1b0d80432c79 5965 XMEMCPY(output + idx, pub, pubSz);
wolfSSL 4:1b0d80432c79 5966 idx += pubSz;
wolfSSL 4:1b0d80432c79 5967
wolfSSL 4:1b0d80432c79 5968 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 5969 if (with_header) {
wolfSSL 4:1b0d80432c79 5970 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5971 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5972 }
wolfSSL 4:1b0d80432c79 5973 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 5974 #endif
wolfSSL 4:1b0d80432c79 5975
wolfSSL 4:1b0d80432c79 5976 return idx;
wolfSSL 4:1b0d80432c79 5977 }
wolfSSL 4:1b0d80432c79 5978
wolfSSL 4:1b0d80432c79 5979
wolfSSL 4:1b0d80432c79 5980 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 5981
wolfSSL 4:1b0d80432c79 5982
wolfSSL 4:1b0d80432c79 5983 static INLINE byte itob(int number)
wolfSSL 4:1b0d80432c79 5984 {
wolfSSL 4:1b0d80432c79 5985 return (byte)number + 0x30;
wolfSSL 4:1b0d80432c79 5986 }
wolfSSL 4:1b0d80432c79 5987
wolfSSL 4:1b0d80432c79 5988
wolfSSL 4:1b0d80432c79 5989 /* write time to output, format */
wolfSSL 4:1b0d80432c79 5990 static void SetTime(struct tm* date, byte* output)
wolfSSL 4:1b0d80432c79 5991 {
wolfSSL 4:1b0d80432c79 5992 int i = 0;
wolfSSL 4:1b0d80432c79 5993
wolfSSL 4:1b0d80432c79 5994 output[i++] = itob((date->tm_year % 10000) / 1000);
wolfSSL 4:1b0d80432c79 5995 output[i++] = itob((date->tm_year % 1000) / 100);
wolfSSL 4:1b0d80432c79 5996 output[i++] = itob((date->tm_year % 100) / 10);
wolfSSL 4:1b0d80432c79 5997 output[i++] = itob( date->tm_year % 10);
wolfSSL 4:1b0d80432c79 5998
wolfSSL 4:1b0d80432c79 5999 output[i++] = itob(date->tm_mon / 10);
wolfSSL 4:1b0d80432c79 6000 output[i++] = itob(date->tm_mon % 10);
wolfSSL 4:1b0d80432c79 6001
wolfSSL 4:1b0d80432c79 6002 output[i++] = itob(date->tm_mday / 10);
wolfSSL 4:1b0d80432c79 6003 output[i++] = itob(date->tm_mday % 10);
wolfSSL 4:1b0d80432c79 6004
wolfSSL 4:1b0d80432c79 6005 output[i++] = itob(date->tm_hour / 10);
wolfSSL 4:1b0d80432c79 6006 output[i++] = itob(date->tm_hour % 10);
wolfSSL 4:1b0d80432c79 6007
wolfSSL 4:1b0d80432c79 6008 output[i++] = itob(date->tm_min / 10);
wolfSSL 4:1b0d80432c79 6009 output[i++] = itob(date->tm_min % 10);
wolfSSL 4:1b0d80432c79 6010
wolfSSL 4:1b0d80432c79 6011 output[i++] = itob(date->tm_sec / 10);
wolfSSL 4:1b0d80432c79 6012 output[i++] = itob(date->tm_sec % 10);
wolfSSL 4:1b0d80432c79 6013
wolfSSL 4:1b0d80432c79 6014 output[i] = 'Z'; /* Zulu profile */
wolfSSL 4:1b0d80432c79 6015 }
wolfSSL 4:1b0d80432c79 6016
wolfSSL 4:1b0d80432c79 6017
wolfSSL 4:1b0d80432c79 6018 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 6019
wolfSSL 4:1b0d80432c79 6020 /* Copy Dates from cert, return bytes written */
wolfSSL 4:1b0d80432c79 6021 static int CopyValidity(byte* output, Cert* cert)
wolfSSL 4:1b0d80432c79 6022 {
wolfSSL 4:1b0d80432c79 6023 int seqSz;
wolfSSL 4:1b0d80432c79 6024
wolfSSL 4:1b0d80432c79 6025 WOLFSSL_ENTER("CopyValidity");
wolfSSL 4:1b0d80432c79 6026
wolfSSL 4:1b0d80432c79 6027 /* headers and output */
wolfSSL 4:1b0d80432c79 6028 seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
wolfSSL 4:1b0d80432c79 6029 XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
wolfSSL 4:1b0d80432c79 6030 XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
wolfSSL 4:1b0d80432c79 6031 cert->afterDateSz);
wolfSSL 4:1b0d80432c79 6032 return seqSz + cert->beforeDateSz + cert->afterDateSz;
wolfSSL 4:1b0d80432c79 6033 }
wolfSSL 4:1b0d80432c79 6034
wolfSSL 4:1b0d80432c79 6035 #endif
wolfSSL 4:1b0d80432c79 6036
wolfSSL 4:1b0d80432c79 6037
wolfSSL 4:1b0d80432c79 6038 /* for systems where mktime() doesn't normalize fully */
wolfSSL 4:1b0d80432c79 6039 static void RebuildTime(time_t* in, struct tm* out)
wolfSSL 4:1b0d80432c79 6040 {
wolfSSL 4:1b0d80432c79 6041 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 4:1b0d80432c79 6042 out = localtime_r(in, out);
wolfSSL 4:1b0d80432c79 6043 #else
wolfSSL 4:1b0d80432c79 6044 (void)in;
wolfSSL 4:1b0d80432c79 6045 (void)out;
wolfSSL 4:1b0d80432c79 6046 #endif
wolfSSL 4:1b0d80432c79 6047 }
wolfSSL 4:1b0d80432c79 6048
wolfSSL 4:1b0d80432c79 6049
wolfSSL 4:1b0d80432c79 6050 /* Set Date validity from now until now + daysValid
wolfSSL 4:1b0d80432c79 6051 * return size in bytes written to output, 0 on error */
wolfSSL 4:1b0d80432c79 6052 static int SetValidity(byte* output, int daysValid)
wolfSSL 4:1b0d80432c79 6053 {
wolfSSL 4:1b0d80432c79 6054 byte before[MAX_DATE_SIZE];
wolfSSL 4:1b0d80432c79 6055 byte after[MAX_DATE_SIZE];
wolfSSL 4:1b0d80432c79 6056
wolfSSL 4:1b0d80432c79 6057 int beforeSz;
wolfSSL 4:1b0d80432c79 6058 int afterSz;
wolfSSL 4:1b0d80432c79 6059 int seqSz;
wolfSSL 4:1b0d80432c79 6060
wolfSSL 4:1b0d80432c79 6061 time_t ticks;
wolfSSL 4:1b0d80432c79 6062 time_t normalTime;
wolfSSL 4:1b0d80432c79 6063 struct tm* now;
wolfSSL 4:1b0d80432c79 6064 struct tm* tmpTime = NULL;
wolfSSL 4:1b0d80432c79 6065 struct tm local;
wolfSSL 4:1b0d80432c79 6066
wolfSSL 4:1b0d80432c79 6067 #if defined(NEED_TMP_TIME)
wolfSSL 4:1b0d80432c79 6068 /* for use with gmtime_r */
wolfSSL 4:1b0d80432c79 6069 struct tm tmpTimeStorage;
wolfSSL 4:1b0d80432c79 6070 tmpTime = &tmpTimeStorage;
wolfSSL 4:1b0d80432c79 6071 #else
wolfSSL 4:1b0d80432c79 6072 (void)tmpTime;
wolfSSL 4:1b0d80432c79 6073 #endif
wolfSSL 4:1b0d80432c79 6074
wolfSSL 4:1b0d80432c79 6075 ticks = XTIME(0);
wolfSSL 4:1b0d80432c79 6076 now = XGMTIME(&ticks, tmpTime);
wolfSSL 4:1b0d80432c79 6077
wolfSSL 4:1b0d80432c79 6078 if (now == NULL) {
wolfSSL 4:1b0d80432c79 6079 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 4:1b0d80432c79 6080 return 0; /* error */
wolfSSL 4:1b0d80432c79 6081 }
wolfSSL 4:1b0d80432c79 6082
wolfSSL 4:1b0d80432c79 6083 /* before now */
wolfSSL 4:1b0d80432c79 6084 local = *now;
wolfSSL 4:1b0d80432c79 6085 before[0] = ASN_GENERALIZED_TIME;
wolfSSL 4:1b0d80432c79 6086 beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */
wolfSSL 4:1b0d80432c79 6087
wolfSSL 4:1b0d80432c79 6088 /* subtract 1 day for more compliance */
wolfSSL 4:1b0d80432c79 6089 local.tm_mday -= 1;
wolfSSL 4:1b0d80432c79 6090 normalTime = mktime(&local);
wolfSSL 4:1b0d80432c79 6091 RebuildTime(&normalTime, &local);
wolfSSL 4:1b0d80432c79 6092
wolfSSL 4:1b0d80432c79 6093 /* adjust */
wolfSSL 4:1b0d80432c79 6094 local.tm_year += 1900;
wolfSSL 4:1b0d80432c79 6095 local.tm_mon += 1;
wolfSSL 4:1b0d80432c79 6096
wolfSSL 4:1b0d80432c79 6097 SetTime(&local, before + beforeSz);
wolfSSL 4:1b0d80432c79 6098 beforeSz += ASN_GEN_TIME_SZ;
wolfSSL 4:1b0d80432c79 6099
wolfSSL 4:1b0d80432c79 6100 /* after now + daysValid */
wolfSSL 4:1b0d80432c79 6101 local = *now;
wolfSSL 4:1b0d80432c79 6102 after[0] = ASN_GENERALIZED_TIME;
wolfSSL 4:1b0d80432c79 6103 afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */
wolfSSL 4:1b0d80432c79 6104
wolfSSL 4:1b0d80432c79 6105 /* add daysValid */
wolfSSL 4:1b0d80432c79 6106 local.tm_mday += daysValid;
wolfSSL 4:1b0d80432c79 6107 normalTime = mktime(&local);
wolfSSL 4:1b0d80432c79 6108 RebuildTime(&normalTime, &local);
wolfSSL 4:1b0d80432c79 6109
wolfSSL 4:1b0d80432c79 6110 /* adjust */
wolfSSL 4:1b0d80432c79 6111 local.tm_year += 1900;
wolfSSL 4:1b0d80432c79 6112 local.tm_mon += 1;
wolfSSL 4:1b0d80432c79 6113
wolfSSL 4:1b0d80432c79 6114 SetTime(&local, after + afterSz);
wolfSSL 4:1b0d80432c79 6115 afterSz += ASN_GEN_TIME_SZ;
wolfSSL 4:1b0d80432c79 6116
wolfSSL 4:1b0d80432c79 6117 /* headers and output */
wolfSSL 4:1b0d80432c79 6118 seqSz = SetSequence(beforeSz + afterSz, output);
wolfSSL 4:1b0d80432c79 6119 XMEMCPY(output + seqSz, before, beforeSz);
wolfSSL 4:1b0d80432c79 6120 XMEMCPY(output + seqSz + beforeSz, after, afterSz);
wolfSSL 4:1b0d80432c79 6121
wolfSSL 4:1b0d80432c79 6122 return seqSz + beforeSz + afterSz;
wolfSSL 4:1b0d80432c79 6123 }
wolfSSL 4:1b0d80432c79 6124
wolfSSL 4:1b0d80432c79 6125
wolfSSL 4:1b0d80432c79 6126 /* ASN Encoded Name field */
wolfSSL 4:1b0d80432c79 6127 typedef struct EncodedName {
wolfSSL 4:1b0d80432c79 6128 int nameLen; /* actual string value length */
wolfSSL 4:1b0d80432c79 6129 int totalLen; /* total encoded length */
wolfSSL 4:1b0d80432c79 6130 int type; /* type of name */
wolfSSL 4:1b0d80432c79 6131 int used; /* are we actually using this one */
wolfSSL 4:1b0d80432c79 6132 byte encoded[CTC_NAME_SIZE * 2]; /* encoding */
wolfSSL 4:1b0d80432c79 6133 } EncodedName;
wolfSSL 4:1b0d80432c79 6134
wolfSSL 4:1b0d80432c79 6135
wolfSSL 4:1b0d80432c79 6136 /* Get Which Name from index */
wolfSSL 4:1b0d80432c79 6137 static const char* GetOneName(CertName* name, int idx)
wolfSSL 4:1b0d80432c79 6138 {
wolfSSL 4:1b0d80432c79 6139 switch (idx) {
wolfSSL 4:1b0d80432c79 6140 case 0:
wolfSSL 4:1b0d80432c79 6141 return name->country;
wolfSSL 4:1b0d80432c79 6142
wolfSSL 4:1b0d80432c79 6143 case 1:
wolfSSL 4:1b0d80432c79 6144 return name->state;
wolfSSL 4:1b0d80432c79 6145
wolfSSL 4:1b0d80432c79 6146 case 2:
wolfSSL 4:1b0d80432c79 6147 return name->locality;
wolfSSL 4:1b0d80432c79 6148
wolfSSL 4:1b0d80432c79 6149 case 3:
wolfSSL 4:1b0d80432c79 6150 return name->sur;
wolfSSL 4:1b0d80432c79 6151
wolfSSL 4:1b0d80432c79 6152 case 4:
wolfSSL 4:1b0d80432c79 6153 return name->org;
wolfSSL 4:1b0d80432c79 6154
wolfSSL 4:1b0d80432c79 6155 case 5:
wolfSSL 4:1b0d80432c79 6156 return name->unit;
wolfSSL 4:1b0d80432c79 6157
wolfSSL 4:1b0d80432c79 6158 case 6:
wolfSSL 4:1b0d80432c79 6159 return name->commonName;
wolfSSL 4:1b0d80432c79 6160
wolfSSL 4:1b0d80432c79 6161 case 7:
wolfSSL 4:1b0d80432c79 6162 return name->email;
wolfSSL 4:1b0d80432c79 6163
wolfSSL 4:1b0d80432c79 6164 default:
wolfSSL 4:1b0d80432c79 6165 return 0;
wolfSSL 4:1b0d80432c79 6166 }
wolfSSL 4:1b0d80432c79 6167 }
wolfSSL 4:1b0d80432c79 6168
wolfSSL 4:1b0d80432c79 6169
wolfSSL 4:1b0d80432c79 6170 /* Get Which Name Encoding from index */
wolfSSL 4:1b0d80432c79 6171 static char GetNameType(CertName* name, int idx)
wolfSSL 4:1b0d80432c79 6172 {
wolfSSL 4:1b0d80432c79 6173 switch (idx) {
wolfSSL 4:1b0d80432c79 6174 case 0:
wolfSSL 4:1b0d80432c79 6175 return name->countryEnc;
wolfSSL 4:1b0d80432c79 6176
wolfSSL 4:1b0d80432c79 6177 case 1:
wolfSSL 4:1b0d80432c79 6178 return name->stateEnc;
wolfSSL 4:1b0d80432c79 6179
wolfSSL 4:1b0d80432c79 6180 case 2:
wolfSSL 4:1b0d80432c79 6181 return name->localityEnc;
wolfSSL 4:1b0d80432c79 6182
wolfSSL 4:1b0d80432c79 6183 case 3:
wolfSSL 4:1b0d80432c79 6184 return name->surEnc;
wolfSSL 4:1b0d80432c79 6185
wolfSSL 4:1b0d80432c79 6186 case 4:
wolfSSL 4:1b0d80432c79 6187 return name->orgEnc;
wolfSSL 4:1b0d80432c79 6188
wolfSSL 4:1b0d80432c79 6189 case 5:
wolfSSL 4:1b0d80432c79 6190 return name->unitEnc;
wolfSSL 4:1b0d80432c79 6191
wolfSSL 4:1b0d80432c79 6192 case 6:
wolfSSL 4:1b0d80432c79 6193 return name->commonNameEnc;
wolfSSL 4:1b0d80432c79 6194
wolfSSL 4:1b0d80432c79 6195 default:
wolfSSL 4:1b0d80432c79 6196 return 0;
wolfSSL 4:1b0d80432c79 6197 }
wolfSSL 4:1b0d80432c79 6198 }
wolfSSL 4:1b0d80432c79 6199
wolfSSL 4:1b0d80432c79 6200
wolfSSL 4:1b0d80432c79 6201 /* Get ASN Name from index */
wolfSSL 4:1b0d80432c79 6202 static byte GetNameId(int idx)
wolfSSL 4:1b0d80432c79 6203 {
wolfSSL 4:1b0d80432c79 6204 switch (idx) {
wolfSSL 4:1b0d80432c79 6205 case 0:
wolfSSL 4:1b0d80432c79 6206 return ASN_COUNTRY_NAME;
wolfSSL 4:1b0d80432c79 6207
wolfSSL 4:1b0d80432c79 6208 case 1:
wolfSSL 4:1b0d80432c79 6209 return ASN_STATE_NAME;
wolfSSL 4:1b0d80432c79 6210
wolfSSL 4:1b0d80432c79 6211 case 2:
wolfSSL 4:1b0d80432c79 6212 return ASN_LOCALITY_NAME;
wolfSSL 4:1b0d80432c79 6213
wolfSSL 4:1b0d80432c79 6214 case 3:
wolfSSL 4:1b0d80432c79 6215 return ASN_SUR_NAME;
wolfSSL 4:1b0d80432c79 6216
wolfSSL 4:1b0d80432c79 6217 case 4:
wolfSSL 4:1b0d80432c79 6218 return ASN_ORG_NAME;
wolfSSL 4:1b0d80432c79 6219
wolfSSL 4:1b0d80432c79 6220 case 5:
wolfSSL 4:1b0d80432c79 6221 return ASN_ORGUNIT_NAME;
wolfSSL 4:1b0d80432c79 6222
wolfSSL 4:1b0d80432c79 6223 case 6:
wolfSSL 4:1b0d80432c79 6224 return ASN_COMMON_NAME;
wolfSSL 4:1b0d80432c79 6225
wolfSSL 4:1b0d80432c79 6226 case 7:
wolfSSL 4:1b0d80432c79 6227 /* email uses different id type */
wolfSSL 4:1b0d80432c79 6228 return 0;
wolfSSL 4:1b0d80432c79 6229
wolfSSL 4:1b0d80432c79 6230 default:
wolfSSL 4:1b0d80432c79 6231 return 0;
wolfSSL 4:1b0d80432c79 6232 }
wolfSSL 4:1b0d80432c79 6233 }
wolfSSL 4:1b0d80432c79 6234
wolfSSL 4:1b0d80432c79 6235 /*
wolfSSL 4:1b0d80432c79 6236 Extensions ::= SEQUENCE OF Extension
wolfSSL 4:1b0d80432c79 6237
wolfSSL 4:1b0d80432c79 6238 Extension ::= SEQUENCE {
wolfSSL 4:1b0d80432c79 6239 extnId OBJECT IDENTIFIER,
wolfSSL 4:1b0d80432c79 6240 critical BOOLEAN DEFAULT FALSE,
wolfSSL 4:1b0d80432c79 6241 extnValue OCTET STRING }
wolfSSL 4:1b0d80432c79 6242 */
wolfSSL 4:1b0d80432c79 6243
wolfSSL 4:1b0d80432c79 6244 /* encode all extensions, return total bytes written */
wolfSSL 4:1b0d80432c79 6245 static int SetExtensions(byte* out, word32 outSz, int *IdxInOut,
wolfSSL 4:1b0d80432c79 6246 const byte* ext, int extSz)
wolfSSL 4:1b0d80432c79 6247 {
wolfSSL 4:1b0d80432c79 6248 if (out == NULL || IdxInOut == NULL || ext == NULL)
wolfSSL 4:1b0d80432c79 6249 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6250
wolfSSL 4:1b0d80432c79 6251 if (outSz < (word32)(*IdxInOut+extSz))
wolfSSL 4:1b0d80432c79 6252 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6253
wolfSSL 4:1b0d80432c79 6254 XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */
wolfSSL 4:1b0d80432c79 6255 *IdxInOut += extSz;
wolfSSL 4:1b0d80432c79 6256
wolfSSL 4:1b0d80432c79 6257 return *IdxInOut;
wolfSSL 4:1b0d80432c79 6258 }
wolfSSL 4:1b0d80432c79 6259
wolfSSL 4:1b0d80432c79 6260 /* encode extensions header, return total bytes written */
wolfSSL 4:1b0d80432c79 6261 static int SetExtensionsHeader(byte* out, word32 outSz, int extSz)
wolfSSL 4:1b0d80432c79 6262 {
wolfSSL 4:1b0d80432c79 6263 byte sequence[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 6264 byte len[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 6265 int seqSz, lenSz, idx = 0;
wolfSSL 4:1b0d80432c79 6266
wolfSSL 4:1b0d80432c79 6267 if (out == NULL)
wolfSSL 4:1b0d80432c79 6268 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6269
wolfSSL 4:1b0d80432c79 6270 if (outSz < 3)
wolfSSL 4:1b0d80432c79 6271 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6272
wolfSSL 4:1b0d80432c79 6273 seqSz = SetSequence(extSz, sequence);
wolfSSL 4:1b0d80432c79 6274
wolfSSL 4:1b0d80432c79 6275 /* encode extensions length provided */
wolfSSL 4:1b0d80432c79 6276 lenSz = SetLength(extSz+seqSz, len);
wolfSSL 4:1b0d80432c79 6277
wolfSSL 4:1b0d80432c79 6278 if (outSz < (word32)(lenSz+seqSz+1))
wolfSSL 4:1b0d80432c79 6279 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6280
wolfSSL 4:1b0d80432c79 6281 out[idx++] = ASN_EXTENSIONS; /* extensions id */
wolfSSL 4:1b0d80432c79 6282 XMEMCPY(&out[idx], len, lenSz); /* length */
wolfSSL 4:1b0d80432c79 6283 idx += lenSz;
wolfSSL 4:1b0d80432c79 6284
wolfSSL 4:1b0d80432c79 6285 XMEMCPY(&out[idx], sequence, seqSz); /* sequence */
wolfSSL 4:1b0d80432c79 6286 idx += seqSz;
wolfSSL 4:1b0d80432c79 6287
wolfSSL 4:1b0d80432c79 6288 return idx;
wolfSSL 4:1b0d80432c79 6289 }
wolfSSL 4:1b0d80432c79 6290
wolfSSL 4:1b0d80432c79 6291
wolfSSL 4:1b0d80432c79 6292 /* encode CA basic constraint true, return total bytes written */
wolfSSL 4:1b0d80432c79 6293 static int SetCa(byte* out, word32 outSz)
wolfSSL 4:1b0d80432c79 6294 {
wolfSSL 4:1b0d80432c79 6295 static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
wolfSSL 4:1b0d80432c79 6296 0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
wolfSSL 4:1b0d80432c79 6297
wolfSSL 4:1b0d80432c79 6298 if (out == NULL)
wolfSSL 4:1b0d80432c79 6299 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6300
wolfSSL 4:1b0d80432c79 6301 if (outSz < sizeof(ca))
wolfSSL 4:1b0d80432c79 6302 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6303
wolfSSL 4:1b0d80432c79 6304 XMEMCPY(out, ca, sizeof(ca));
wolfSSL 4:1b0d80432c79 6305
wolfSSL 4:1b0d80432c79 6306 return (int)sizeof(ca);
wolfSSL 4:1b0d80432c79 6307 }
wolfSSL 4:1b0d80432c79 6308
wolfSSL 4:1b0d80432c79 6309
wolfSSL 4:1b0d80432c79 6310 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 6311 /* encode OID and associated value, return total bytes written */
wolfSSL 4:1b0d80432c79 6312 static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz,
wolfSSL 4:1b0d80432c79 6313 byte *in, word32 inSz)
wolfSSL 4:1b0d80432c79 6314 {
wolfSSL 4:1b0d80432c79 6315 int idx = 0;
wolfSSL 4:1b0d80432c79 6316
wolfSSL 4:1b0d80432c79 6317 if (out == NULL || oid == NULL || in == NULL)
wolfSSL 4:1b0d80432c79 6318 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6319
wolfSSL 4:1b0d80432c79 6320 if (outSz < 3)
wolfSSL 4:1b0d80432c79 6321 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6322
wolfSSL 4:1b0d80432c79 6323 /* sequence, + 1 => byte to put value size */
wolfSSL 4:1b0d80432c79 6324 idx = SetSequence(inSz + oidSz + 1, out);
wolfSSL 4:1b0d80432c79 6325
wolfSSL 4:1b0d80432c79 6326 if (outSz < idx + inSz + oidSz + 1)
wolfSSL 4:1b0d80432c79 6327 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6328
wolfSSL 4:1b0d80432c79 6329 XMEMCPY(out+idx, oid, oidSz);
wolfSSL 4:1b0d80432c79 6330 idx += oidSz;
wolfSSL 4:1b0d80432c79 6331 out[idx++] = (byte)inSz;
wolfSSL 4:1b0d80432c79 6332 XMEMCPY(out+idx, in, inSz);
wolfSSL 4:1b0d80432c79 6333
wolfSSL 4:1b0d80432c79 6334 return (idx+inSz);
wolfSSL 4:1b0d80432c79 6335 }
wolfSSL 4:1b0d80432c79 6336
wolfSSL 4:1b0d80432c79 6337 /* encode Subject Key Identifier, return total bytes written
wolfSSL 4:1b0d80432c79 6338 * RFC5280 : non-critical */
wolfSSL 4:1b0d80432c79 6339 static int SetSKID(byte* output, word32 outSz, byte *input, word32 length)
wolfSSL 4:1b0d80432c79 6340 {
wolfSSL 4:1b0d80432c79 6341 byte skid_len[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 6342 byte skid_enc_len[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 6343 int idx = 0, skid_lenSz, skid_enc_lenSz;
wolfSSL 4:1b0d80432c79 6344 static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 };
wolfSSL 4:1b0d80432c79 6345
wolfSSL 4:1b0d80432c79 6346 if (output == NULL || input == NULL)
wolfSSL 4:1b0d80432c79 6347 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6348
wolfSSL 4:1b0d80432c79 6349 /* length of value */
wolfSSL 4:1b0d80432c79 6350 skid_lenSz = SetLength(length, skid_len);
wolfSSL 4:1b0d80432c79 6351
wolfSSL 4:1b0d80432c79 6352 /* length of encoded value */
wolfSSL 4:1b0d80432c79 6353 skid_enc_lenSz = SetLength(length + skid_lenSz + 1, skid_enc_len);
wolfSSL 4:1b0d80432c79 6354
wolfSSL 4:1b0d80432c79 6355 if (outSz < 3)
wolfSSL 4:1b0d80432c79 6356 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6357
wolfSSL 4:1b0d80432c79 6358 /* sequence, + 1 => byte to put type size */
wolfSSL 4:1b0d80432c79 6359 idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz+1,
wolfSSL 4:1b0d80432c79 6360 output);
wolfSSL 4:1b0d80432c79 6361
wolfSSL 4:1b0d80432c79 6362 if (outSz < length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz + 1)
wolfSSL 4:1b0d80432c79 6363 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6364
wolfSSL 4:1b0d80432c79 6365 /* put oid */
wolfSSL 4:1b0d80432c79 6366 XMEMCPY(output+idx, skid_oid, sizeof(skid_oid));
wolfSSL 4:1b0d80432c79 6367 idx += sizeof(skid_oid);
wolfSSL 4:1b0d80432c79 6368
wolfSSL 4:1b0d80432c79 6369 /* put encoded len */
wolfSSL 4:1b0d80432c79 6370 XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz);
wolfSSL 4:1b0d80432c79 6371 idx += skid_enc_lenSz;
wolfSSL 4:1b0d80432c79 6372
wolfSSL 4:1b0d80432c79 6373 /* put type */
wolfSSL 4:1b0d80432c79 6374 output[idx++] = ASN_OCTET_STRING;
wolfSSL 4:1b0d80432c79 6375
wolfSSL 4:1b0d80432c79 6376 /* put value len */
wolfSSL 4:1b0d80432c79 6377 XMEMCPY(output+idx, skid_len, skid_lenSz);
wolfSSL 4:1b0d80432c79 6378 idx += skid_lenSz;
wolfSSL 4:1b0d80432c79 6379
wolfSSL 4:1b0d80432c79 6380 /* put value */
wolfSSL 4:1b0d80432c79 6381 XMEMCPY(output+idx, input, length);
wolfSSL 4:1b0d80432c79 6382 idx += length;
wolfSSL 4:1b0d80432c79 6383
wolfSSL 4:1b0d80432c79 6384 return idx;
wolfSSL 4:1b0d80432c79 6385 }
wolfSSL 4:1b0d80432c79 6386
wolfSSL 4:1b0d80432c79 6387 /* encode Authority Key Identifier, return total bytes written
wolfSSL 4:1b0d80432c79 6388 * RFC5280 : non-critical */
wolfSSL 4:1b0d80432c79 6389 static int SetAKID(byte* output, word32 outSz, byte *input, word32 length)
wolfSSL 4:1b0d80432c79 6390 {
wolfSSL 4:1b0d80432c79 6391 byte *enc_val;
wolfSSL 4:1b0d80432c79 6392 int ret, enc_valSz;
wolfSSL 4:1b0d80432c79 6393 static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04};
wolfSSL 4:1b0d80432c79 6394 static const byte akid_cs[] = { 0x80 };
wolfSSL 4:1b0d80432c79 6395
wolfSSL 4:1b0d80432c79 6396 if (output == NULL || input == NULL)
wolfSSL 4:1b0d80432c79 6397 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6398
wolfSSL 4:1b0d80432c79 6399 enc_val = (byte *)XMALLOC(length+3+sizeof(akid_cs), NULL,
wolfSSL 4:1b0d80432c79 6400 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6401 if (enc_val == NULL)
wolfSSL 4:1b0d80432c79 6402 return MEMORY_E;
wolfSSL 4:1b0d80432c79 6403
wolfSSL 4:1b0d80432c79 6404 /* sequence for ContentSpec & value */
wolfSSL 4:1b0d80432c79 6405 enc_valSz = SetOidValue(enc_val, length+3+sizeof(akid_cs),
wolfSSL 4:1b0d80432c79 6406 akid_cs, sizeof(akid_cs), input, length);
wolfSSL 4:1b0d80432c79 6407 if (enc_valSz == 0) {
wolfSSL 4:1b0d80432c79 6408 XFREE(enc_val, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6409 return 0;
wolfSSL 4:1b0d80432c79 6410 }
wolfSSL 4:1b0d80432c79 6411
wolfSSL 4:1b0d80432c79 6412 ret = SetOidValue(output, outSz, akid_oid,
wolfSSL 4:1b0d80432c79 6413 sizeof(akid_oid), enc_val, enc_valSz);
wolfSSL 4:1b0d80432c79 6414
wolfSSL 4:1b0d80432c79 6415 XFREE(enc_val, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6416 return ret;
wolfSSL 4:1b0d80432c79 6417 }
wolfSSL 4:1b0d80432c79 6418
wolfSSL 4:1b0d80432c79 6419 /* encode Key Usage, return total bytes written
wolfSSL 4:1b0d80432c79 6420 * RFC5280 : critical */
wolfSSL 4:1b0d80432c79 6421 static int SetKeyUsage(byte* output, word32 outSz, word16 input)
wolfSSL 4:1b0d80432c79 6422 {
wolfSSL 4:1b0d80432c79 6423 byte ku[5];
wolfSSL 4:1b0d80432c79 6424 int unusedBits = 0;
wolfSSL 4:1b0d80432c79 6425 static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f,
wolfSSL 4:1b0d80432c79 6426 0x01, 0x01, 0xff, 0x04};
wolfSSL 4:1b0d80432c79 6427
wolfSSL 4:1b0d80432c79 6428 if (output == NULL)
wolfSSL 4:1b0d80432c79 6429 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6430
wolfSSL 4:1b0d80432c79 6431 /* Key Usage is a BitString */
wolfSSL 4:1b0d80432c79 6432 ku[0] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 6433
wolfSSL 4:1b0d80432c79 6434 /* put the Bit String size */
wolfSSL 4:1b0d80432c79 6435 if (input > 255) {
wolfSSL 4:1b0d80432c79 6436 ku[1] = (byte)3;
wolfSSL 4:1b0d80432c79 6437
wolfSSL 4:1b0d80432c79 6438 /* compute unused bits */
wolfSSL 4:1b0d80432c79 6439 while (((((input >> 8) & 0xff) >> unusedBits) & 0x01) == 0)
wolfSSL 4:1b0d80432c79 6440 unusedBits++;
wolfSSL 4:1b0d80432c79 6441 }
wolfSSL 4:1b0d80432c79 6442 else {
wolfSSL 4:1b0d80432c79 6443 ku[1] = (byte)2;
wolfSSL 4:1b0d80432c79 6444
wolfSSL 4:1b0d80432c79 6445 /* compute unused bits */
wolfSSL 4:1b0d80432c79 6446 while (((input >> unusedBits) & 0x01) == 0)
wolfSSL 4:1b0d80432c79 6447 unusedBits++;
wolfSSL 4:1b0d80432c79 6448 }
wolfSSL 4:1b0d80432c79 6449
wolfSSL 4:1b0d80432c79 6450 /* put unused bits value */
wolfSSL 4:1b0d80432c79 6451 ku[2] = (byte)unusedBits;
wolfSSL 4:1b0d80432c79 6452
wolfSSL 4:1b0d80432c79 6453 /* compute byte value */
wolfSSL 4:1b0d80432c79 6454 ku[3] = (byte)(input & 0xff);
wolfSSL 4:1b0d80432c79 6455 if (input > 255)
wolfSSL 4:1b0d80432c79 6456 ku[4] = (byte)((input >> 8) & 0xff);
wolfSSL 4:1b0d80432c79 6457
wolfSSL 4:1b0d80432c79 6458 return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid),
wolfSSL 4:1b0d80432c79 6459 ku, (int)ku[1]+2);
wolfSSL 4:1b0d80432c79 6460 }
wolfSSL 4:1b0d80432c79 6461
wolfSSL 4:1b0d80432c79 6462 /* Encode OID string representation to ITU-T X.690 format */
wolfSSL 4:1b0d80432c79 6463 static int EncodePolicyOID(byte *out, word32 *outSz, const char *in)
wolfSSL 4:1b0d80432c79 6464 {
wolfSSL 4:1b0d80432c79 6465 word32 val, idx = 0, nb_val;
wolfSSL 4:1b0d80432c79 6466 char *token, *str, *ptr;
wolfSSL 4:1b0d80432c79 6467 word32 len;
wolfSSL 4:1b0d80432c79 6468
wolfSSL 4:1b0d80432c79 6469 if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL)
wolfSSL 4:1b0d80432c79 6470 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6471
wolfSSL 4:1b0d80432c79 6472 len = (word32)XSTRLEN(in);
wolfSSL 4:1b0d80432c79 6473
wolfSSL 4:1b0d80432c79 6474 str = (char *)XMALLOC(len+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6475 if (str == NULL)
wolfSSL 4:1b0d80432c79 6476 return MEMORY_E;
wolfSSL 4:1b0d80432c79 6477
wolfSSL 4:1b0d80432c79 6478 XSTRNCPY(str, in, len);
wolfSSL 4:1b0d80432c79 6479 str[len] = 0x00;
wolfSSL 4:1b0d80432c79 6480
wolfSSL 4:1b0d80432c79 6481 nb_val = 0;
wolfSSL 4:1b0d80432c79 6482
wolfSSL 4:1b0d80432c79 6483 /* parse value, and set corresponding Policy OID value */
wolfSSL 4:1b0d80432c79 6484 token = XSTRTOK(str, ".", &ptr);
wolfSSL 4:1b0d80432c79 6485 while (token != NULL)
wolfSSL 4:1b0d80432c79 6486 {
wolfSSL 4:1b0d80432c79 6487 val = (word32)atoi(token);
wolfSSL 4:1b0d80432c79 6488
wolfSSL 4:1b0d80432c79 6489 if (nb_val == 0) {
wolfSSL 4:1b0d80432c79 6490 if (val > 2) {
wolfSSL 4:1b0d80432c79 6491 XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6492 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 6493 }
wolfSSL 4:1b0d80432c79 6494
wolfSSL 4:1b0d80432c79 6495 out[idx] = (byte)(40 * val);
wolfSSL 4:1b0d80432c79 6496 }
wolfSSL 4:1b0d80432c79 6497 else if (nb_val == 1) {
wolfSSL 4:1b0d80432c79 6498 if (val > 127) {
wolfSSL 4:1b0d80432c79 6499 XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6500 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 6501 }
wolfSSL 4:1b0d80432c79 6502
wolfSSL 4:1b0d80432c79 6503 if (idx > *outSz) {
wolfSSL 4:1b0d80432c79 6504 XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6505 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6506 }
wolfSSL 4:1b0d80432c79 6507
wolfSSL 4:1b0d80432c79 6508 out[idx++] += (byte)val;
wolfSSL 4:1b0d80432c79 6509 }
wolfSSL 4:1b0d80432c79 6510 else {
wolfSSL 4:1b0d80432c79 6511 word32 tb = 0, x;
wolfSSL 4:1b0d80432c79 6512 int i = 0;
wolfSSL 4:1b0d80432c79 6513 byte oid[MAX_OID_SZ];
wolfSSL 4:1b0d80432c79 6514
wolfSSL 4:1b0d80432c79 6515 while (val >= 128) {
wolfSSL 4:1b0d80432c79 6516 x = val % 128;
wolfSSL 4:1b0d80432c79 6517 val /= 128;
wolfSSL 4:1b0d80432c79 6518 oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x);
wolfSSL 4:1b0d80432c79 6519 }
wolfSSL 4:1b0d80432c79 6520
wolfSSL 4:1b0d80432c79 6521 if ((idx+(word32)i) > *outSz) {
wolfSSL 4:1b0d80432c79 6522 XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6523 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6524 }
wolfSSL 4:1b0d80432c79 6525
wolfSSL 4:1b0d80432c79 6526 oid[i] = (byte) (((tb++) ? 0x80 : 0) | val);
wolfSSL 4:1b0d80432c79 6527
wolfSSL 4:1b0d80432c79 6528 /* push value in the right order */
wolfSSL 4:1b0d80432c79 6529 while (i >= 0)
wolfSSL 4:1b0d80432c79 6530 out[idx++] = oid[i--];
wolfSSL 4:1b0d80432c79 6531 }
wolfSSL 4:1b0d80432c79 6532
wolfSSL 4:1b0d80432c79 6533 token = XSTRTOK(NULL, ".", &ptr);
wolfSSL 4:1b0d80432c79 6534 nb_val++;
wolfSSL 4:1b0d80432c79 6535 }
wolfSSL 4:1b0d80432c79 6536
wolfSSL 4:1b0d80432c79 6537 *outSz = idx;
wolfSSL 4:1b0d80432c79 6538
wolfSSL 4:1b0d80432c79 6539 XFREE(str, NUL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6540 return 0;
wolfSSL 4:1b0d80432c79 6541 }
wolfSSL 4:1b0d80432c79 6542
wolfSSL 4:1b0d80432c79 6543 /* encode Certificate Policies, return total bytes written
wolfSSL 4:1b0d80432c79 6544 * each input value must be ITU-T X.690 formatted : a.b.c...
wolfSSL 4:1b0d80432c79 6545 * input must be an array of values with a NULL terminated for the latest
wolfSSL 4:1b0d80432c79 6546 * RFC5280 : non-critical */
wolfSSL 4:1b0d80432c79 6547 static int SetCertificatePolicies(byte *output,
wolfSSL 4:1b0d80432c79 6548 word32 outputSz,
wolfSSL 4:1b0d80432c79 6549 char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ],
wolfSSL 4:1b0d80432c79 6550 word16 nb_certpol)
wolfSSL 4:1b0d80432c79 6551 {
wolfSSL 4:1b0d80432c79 6552 byte oid[MAX_OID_SZ],
wolfSSL 4:1b0d80432c79 6553 der_oid[MAX_CERTPOL_NB][MAX_OID_SZ],
wolfSSL 4:1b0d80432c79 6554 out[MAX_CERTPOL_SZ];
wolfSSL 4:1b0d80432c79 6555 word32 oidSz;
wolfSSL 4:1b0d80432c79 6556 word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB];
wolfSSL 4:1b0d80432c79 6557 int ret;
wolfSSL 4:1b0d80432c79 6558
wolfSSL 4:1b0d80432c79 6559 static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 };
wolfSSL 4:1b0d80432c79 6560 static const byte oid_oid[] = { 0x06 };
wolfSSL 4:1b0d80432c79 6561
wolfSSL 4:1b0d80432c79 6562 if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB)
wolfSSL 4:1b0d80432c79 6563 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6564
wolfSSL 4:1b0d80432c79 6565 for (i = 0; i < nb_certpol; i++) {
wolfSSL 4:1b0d80432c79 6566 oidSz = sizeof(oid);
wolfSSL 4:1b0d80432c79 6567 XMEMSET(oid, 0, oidSz);
wolfSSL 4:1b0d80432c79 6568
wolfSSL 4:1b0d80432c79 6569 ret = EncodePolicyOID(oid, &oidSz, input[i]);
wolfSSL 4:1b0d80432c79 6570 if (ret != 0)
wolfSSL 4:1b0d80432c79 6571 return ret;
wolfSSL 4:1b0d80432c79 6572
wolfSSL 4:1b0d80432c79 6573 /* compute sequence value for the oid */
wolfSSL 4:1b0d80432c79 6574 ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid,
wolfSSL 4:1b0d80432c79 6575 sizeof(oid_oid), oid, oidSz);
wolfSSL 4:1b0d80432c79 6576 if (ret <= 0)
wolfSSL 4:1b0d80432c79 6577 return ret;
wolfSSL 4:1b0d80432c79 6578 else
wolfSSL 4:1b0d80432c79 6579 der_oidSz[i] = (word32)ret;
wolfSSL 4:1b0d80432c79 6580 }
wolfSSL 4:1b0d80432c79 6581
wolfSSL 4:1b0d80432c79 6582 /* concatenate oid, keep two byte for sequence/size of the created value */
wolfSSL 4:1b0d80432c79 6583 for (i = 0, outSz = 2; i < nb_certpol; i++) {
wolfSSL 4:1b0d80432c79 6584 XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]);
wolfSSL 4:1b0d80432c79 6585 outSz += der_oidSz[i];
wolfSSL 4:1b0d80432c79 6586 }
wolfSSL 4:1b0d80432c79 6587
wolfSSL 4:1b0d80432c79 6588 /* add sequence */
wolfSSL 4:1b0d80432c79 6589 ret = SetSequence(outSz-2, out);
wolfSSL 4:1b0d80432c79 6590 if (ret <= 0)
wolfSSL 4:1b0d80432c79 6591 return ret;
wolfSSL 4:1b0d80432c79 6592
wolfSSL 4:1b0d80432c79 6593 /* add Policy OID to compute final value */
wolfSSL 4:1b0d80432c79 6594 return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid),
wolfSSL 4:1b0d80432c79 6595 out, outSz);
wolfSSL 4:1b0d80432c79 6596 }
wolfSSL 4:1b0d80432c79 6597 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 6598
wolfSSL 4:1b0d80432c79 6599 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 6600 /* encode Alternative Names, return total bytes written */
wolfSSL 4:1b0d80432c79 6601 static int SetAltNames(byte *out, word32 outSz, byte *input, word32 length)
wolfSSL 4:1b0d80432c79 6602 {
wolfSSL 4:1b0d80432c79 6603 if (out == NULL || input == NULL)
wolfSSL 4:1b0d80432c79 6604 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6605
wolfSSL 4:1b0d80432c79 6606 if (outSz < length)
wolfSSL 4:1b0d80432c79 6607 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6608
wolfSSL 4:1b0d80432c79 6609 /* Alternative Names come from certificate or computed by
wolfSSL 4:1b0d80432c79 6610 * external function, so already encoded. Just copy value */
wolfSSL 4:1b0d80432c79 6611 XMEMCPY(out, input, length);
wolfSSL 4:1b0d80432c79 6612 return length;
wolfSSL 4:1b0d80432c79 6613 }
wolfSSL 4:1b0d80432c79 6614 #endif /* WOLFSL_ALT_NAMES */
wolfSSL 4:1b0d80432c79 6615
wolfSSL 4:1b0d80432c79 6616
wolfSSL 4:1b0d80432c79 6617 /* encode CertName into output, return total bytes written */
wolfSSL 4:1b0d80432c79 6618 static int SetName(byte* output, word32 outputSz, CertName* name)
wolfSSL 4:1b0d80432c79 6619 {
wolfSSL 4:1b0d80432c79 6620 int totalBytes = 0, i, idx;
wolfSSL 4:1b0d80432c79 6621 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6622 EncodedName* names = NULL;
wolfSSL 4:1b0d80432c79 6623 #else
wolfSSL 4:1b0d80432c79 6624 EncodedName names[NAME_ENTRIES];
wolfSSL 4:1b0d80432c79 6625 #endif
wolfSSL 4:1b0d80432c79 6626
wolfSSL 4:1b0d80432c79 6627 if (output == NULL || name == NULL)
wolfSSL 4:1b0d80432c79 6628 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6629
wolfSSL 4:1b0d80432c79 6630 if (outputSz < 3)
wolfSSL 4:1b0d80432c79 6631 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6632
wolfSSL 4:1b0d80432c79 6633 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6634 names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL,
wolfSSL 4:1b0d80432c79 6635 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6636 if (names == NULL)
wolfSSL 4:1b0d80432c79 6637 return MEMORY_E;
wolfSSL 4:1b0d80432c79 6638 #endif
wolfSSL 4:1b0d80432c79 6639
wolfSSL 4:1b0d80432c79 6640 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 4:1b0d80432c79 6641 const char* nameStr = GetOneName(name, i);
wolfSSL 4:1b0d80432c79 6642 if (nameStr) {
wolfSSL 4:1b0d80432c79 6643 /* bottom up */
wolfSSL 4:1b0d80432c79 6644 byte firstLen[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 6645 byte secondLen[MAX_LENGTH_SZ];
wolfSSL 4:1b0d80432c79 6646 byte sequence[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 6647 byte set[MAX_SET_SZ];
wolfSSL 4:1b0d80432c79 6648
wolfSSL 4:1b0d80432c79 6649 int email = i == (NAME_ENTRIES - 1) ? 1 : 0;
wolfSSL 4:1b0d80432c79 6650 int strLen = (int)XSTRLEN(nameStr);
wolfSSL 4:1b0d80432c79 6651 int thisLen = strLen;
wolfSSL 4:1b0d80432c79 6652 int firstSz, secondSz, seqSz, setSz;
wolfSSL 4:1b0d80432c79 6653
wolfSSL 4:1b0d80432c79 6654 if (strLen == 0) { /* no user data for this item */
wolfSSL 4:1b0d80432c79 6655 names[i].used = 0;
wolfSSL 4:1b0d80432c79 6656 continue;
wolfSSL 4:1b0d80432c79 6657 }
wolfSSL 4:1b0d80432c79 6658
wolfSSL 4:1b0d80432c79 6659 secondSz = SetLength(strLen, secondLen);
wolfSSL 4:1b0d80432c79 6660 thisLen += secondSz;
wolfSSL 4:1b0d80432c79 6661 if (email) {
wolfSSL 4:1b0d80432c79 6662 thisLen += EMAIL_JOINT_LEN;
wolfSSL 4:1b0d80432c79 6663 thisLen ++; /* id type */
wolfSSL 4:1b0d80432c79 6664 firstSz = SetLength(EMAIL_JOINT_LEN, firstLen);
wolfSSL 4:1b0d80432c79 6665 }
wolfSSL 4:1b0d80432c79 6666 else {
wolfSSL 4:1b0d80432c79 6667 thisLen++; /* str type */
wolfSSL 4:1b0d80432c79 6668 thisLen++; /* id type */
wolfSSL 4:1b0d80432c79 6669 thisLen += JOINT_LEN;
wolfSSL 4:1b0d80432c79 6670 firstSz = SetLength(JOINT_LEN + 1, firstLen);
wolfSSL 4:1b0d80432c79 6671 }
wolfSSL 4:1b0d80432c79 6672 thisLen += firstSz;
wolfSSL 4:1b0d80432c79 6673 thisLen++; /* object id */
wolfSSL 4:1b0d80432c79 6674
wolfSSL 4:1b0d80432c79 6675 seqSz = SetSequence(thisLen, sequence);
wolfSSL 4:1b0d80432c79 6676 thisLen += seqSz;
wolfSSL 4:1b0d80432c79 6677 setSz = SetSet(thisLen, set);
wolfSSL 4:1b0d80432c79 6678 thisLen += setSz;
wolfSSL 4:1b0d80432c79 6679
wolfSSL 4:1b0d80432c79 6680 if (thisLen > (int)sizeof(names[i].encoded)) {
wolfSSL 4:1b0d80432c79 6681 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6682 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6683 #endif
wolfSSL 4:1b0d80432c79 6684 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6685 }
wolfSSL 4:1b0d80432c79 6686
wolfSSL 4:1b0d80432c79 6687 /* store it */
wolfSSL 4:1b0d80432c79 6688 idx = 0;
wolfSSL 4:1b0d80432c79 6689 /* set */
wolfSSL 4:1b0d80432c79 6690 XMEMCPY(names[i].encoded, set, setSz);
wolfSSL 4:1b0d80432c79 6691 idx += setSz;
wolfSSL 4:1b0d80432c79 6692 /* seq */
wolfSSL 4:1b0d80432c79 6693 XMEMCPY(names[i].encoded + idx, sequence, seqSz);
wolfSSL 4:1b0d80432c79 6694 idx += seqSz;
wolfSSL 4:1b0d80432c79 6695 /* asn object id */
wolfSSL 4:1b0d80432c79 6696 names[i].encoded[idx++] = ASN_OBJECT_ID;
wolfSSL 4:1b0d80432c79 6697 /* first length */
wolfSSL 4:1b0d80432c79 6698 XMEMCPY(names[i].encoded + idx, firstLen, firstSz);
wolfSSL 4:1b0d80432c79 6699 idx += firstSz;
wolfSSL 4:1b0d80432c79 6700 if (email) {
wolfSSL 4:1b0d80432c79 6701 const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL 4:1b0d80432c79 6702 0x01, 0x09, 0x01, 0x16 };
wolfSSL 4:1b0d80432c79 6703 /* email joint id */
wolfSSL 4:1b0d80432c79 6704 XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
wolfSSL 4:1b0d80432c79 6705 idx += (int)sizeof(EMAIL_OID);
wolfSSL 4:1b0d80432c79 6706 }
wolfSSL 4:1b0d80432c79 6707 else {
wolfSSL 4:1b0d80432c79 6708 /* joint id */
wolfSSL 4:1b0d80432c79 6709 byte bType = GetNameId(i);
wolfSSL 4:1b0d80432c79 6710 names[i].encoded[idx++] = 0x55;
wolfSSL 4:1b0d80432c79 6711 names[i].encoded[idx++] = 0x04;
wolfSSL 4:1b0d80432c79 6712 /* id type */
wolfSSL 4:1b0d80432c79 6713 names[i].encoded[idx++] = bType;
wolfSSL 4:1b0d80432c79 6714 /* str type */
wolfSSL 4:1b0d80432c79 6715 names[i].encoded[idx++] = GetNameType(name, i);
wolfSSL 4:1b0d80432c79 6716 }
wolfSSL 4:1b0d80432c79 6717 /* second length */
wolfSSL 4:1b0d80432c79 6718 XMEMCPY(names[i].encoded + idx, secondLen, secondSz);
wolfSSL 4:1b0d80432c79 6719 idx += secondSz;
wolfSSL 4:1b0d80432c79 6720 /* str value */
wolfSSL 4:1b0d80432c79 6721 XMEMCPY(names[i].encoded + idx, nameStr, strLen);
wolfSSL 4:1b0d80432c79 6722 idx += strLen;
wolfSSL 4:1b0d80432c79 6723
wolfSSL 4:1b0d80432c79 6724 totalBytes += idx;
wolfSSL 4:1b0d80432c79 6725 names[i].totalLen = idx;
wolfSSL 4:1b0d80432c79 6726 names[i].used = 1;
wolfSSL 4:1b0d80432c79 6727 }
wolfSSL 4:1b0d80432c79 6728 else
wolfSSL 4:1b0d80432c79 6729 names[i].used = 0;
wolfSSL 4:1b0d80432c79 6730 }
wolfSSL 4:1b0d80432c79 6731
wolfSSL 4:1b0d80432c79 6732 /* header */
wolfSSL 4:1b0d80432c79 6733 idx = SetSequence(totalBytes, output);
wolfSSL 4:1b0d80432c79 6734 totalBytes += idx;
wolfSSL 4:1b0d80432c79 6735 if (totalBytes > ASN_NAME_MAX) {
wolfSSL 4:1b0d80432c79 6736 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6737 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6738 #endif
wolfSSL 4:1b0d80432c79 6739 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6740 }
wolfSSL 4:1b0d80432c79 6741
wolfSSL 4:1b0d80432c79 6742 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 4:1b0d80432c79 6743 if (names[i].used) {
wolfSSL 4:1b0d80432c79 6744 if (outputSz < (word32)(idx+names[i].totalLen)) {
wolfSSL 4:1b0d80432c79 6745 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6746 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6747 #endif
wolfSSL 4:1b0d80432c79 6748 return BUFFER_E;
wolfSSL 4:1b0d80432c79 6749 }
wolfSSL 4:1b0d80432c79 6750
wolfSSL 4:1b0d80432c79 6751 XMEMCPY(output + idx, names[i].encoded, names[i].totalLen);
wolfSSL 4:1b0d80432c79 6752 idx += names[i].totalLen;
wolfSSL 4:1b0d80432c79 6753 }
wolfSSL 4:1b0d80432c79 6754 }
wolfSSL 4:1b0d80432c79 6755
wolfSSL 4:1b0d80432c79 6756 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 6757 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 6758 #endif
wolfSSL 4:1b0d80432c79 6759
wolfSSL 4:1b0d80432c79 6760 return totalBytes;
wolfSSL 4:1b0d80432c79 6761 }
wolfSSL 4:1b0d80432c79 6762
wolfSSL 4:1b0d80432c79 6763 /* encode info from cert into DER encoded format */
wolfSSL 4:1b0d80432c79 6764 static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
wolfSSL 4:1b0d80432c79 6765 WC_RNG* rng, const byte* ntruKey, word16 ntruSz)
wolfSSL 4:1b0d80432c79 6766 {
wolfSSL 4:1b0d80432c79 6767 int ret;
wolfSSL 4:1b0d80432c79 6768
wolfSSL 4:1b0d80432c79 6769 (void)eccKey;
wolfSSL 4:1b0d80432c79 6770 (void)ntruKey;
wolfSSL 4:1b0d80432c79 6771 (void)ntruSz;
wolfSSL 4:1b0d80432c79 6772
wolfSSL 4:1b0d80432c79 6773 if (cert == NULL || der == NULL || rng == NULL)
wolfSSL 4:1b0d80432c79 6774 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 6775
wolfSSL 4:1b0d80432c79 6776 /* init */
wolfSSL 4:1b0d80432c79 6777 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 4:1b0d80432c79 6778
wolfSSL 4:1b0d80432c79 6779 /* version */
wolfSSL 4:1b0d80432c79 6780 der->versionSz = SetMyVersion(cert->version, der->version, TRUE);
wolfSSL 4:1b0d80432c79 6781
wolfSSL 4:1b0d80432c79 6782 /* serial number */
wolfSSL 4:1b0d80432c79 6783 ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE);
wolfSSL 4:1b0d80432c79 6784 if (ret != 0)
wolfSSL 4:1b0d80432c79 6785 return ret;
wolfSSL 4:1b0d80432c79 6786
wolfSSL 4:1b0d80432c79 6787 cert->serial[0] = 0x01; /* ensure positive */
wolfSSL 4:1b0d80432c79 6788 der->serialSz = SetSerial(cert->serial, der->serial);
wolfSSL 4:1b0d80432c79 6789
wolfSSL 4:1b0d80432c79 6790 /* signature algo */
wolfSSL 4:1b0d80432c79 6791 der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, sigType, 0);
wolfSSL 4:1b0d80432c79 6792 if (der->sigAlgoSz == 0)
wolfSSL 4:1b0d80432c79 6793 return ALGO_ID_E;
wolfSSL 4:1b0d80432c79 6794
wolfSSL 4:1b0d80432c79 6795 /* public key */
wolfSSL 4:1b0d80432c79 6796 if (cert->keyType == RSA_KEY) {
wolfSSL 4:1b0d80432c79 6797 if (rsaKey == NULL)
wolfSSL 4:1b0d80432c79 6798 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6799 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 4:1b0d80432c79 6800 sizeof(der->publicKey), 1);
wolfSSL 4:1b0d80432c79 6801 if (der->publicKeySz <= 0)
wolfSSL 4:1b0d80432c79 6802 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6803 }
wolfSSL 4:1b0d80432c79 6804
wolfSSL 4:1b0d80432c79 6805 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 6806 if (cert->keyType == ECC_KEY) {
wolfSSL 4:1b0d80432c79 6807 if (eccKey == NULL)
wolfSSL 4:1b0d80432c79 6808 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6809 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 4:1b0d80432c79 6810 if (der->publicKeySz <= 0)
wolfSSL 4:1b0d80432c79 6811 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6812 }
wolfSSL 4:1b0d80432c79 6813 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 6814
wolfSSL 4:1b0d80432c79 6815 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 6816 if (cert->keyType == NTRU_KEY) {
wolfSSL 4:1b0d80432c79 6817 word32 rc;
wolfSSL 4:1b0d80432c79 6818 word16 encodedSz;
wolfSSL 4:1b0d80432c79 6819
wolfSSL 4:1b0d80432c79 6820 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 4:1b0d80432c79 6821 ntruKey, &encodedSz, NULL);
wolfSSL 4:1b0d80432c79 6822 if (rc != NTRU_OK)
wolfSSL 4:1b0d80432c79 6823 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6824 if (encodedSz > MAX_PUBLIC_KEY_SZ)
wolfSSL 4:1b0d80432c79 6825 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6826
wolfSSL 4:1b0d80432c79 6827 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 4:1b0d80432c79 6828 ntruKey, &encodedSz, der->publicKey);
wolfSSL 4:1b0d80432c79 6829 if (rc != NTRU_OK)
wolfSSL 4:1b0d80432c79 6830 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 6831
wolfSSL 4:1b0d80432c79 6832 der->publicKeySz = encodedSz;
wolfSSL 4:1b0d80432c79 6833 }
wolfSSL 4:1b0d80432c79 6834 #endif /* HAVE_NTRU */
wolfSSL 4:1b0d80432c79 6835
wolfSSL 4:1b0d80432c79 6836 der->validitySz = 0;
wolfSSL 4:1b0d80432c79 6837 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 6838 /* date validity copy ? */
wolfSSL 4:1b0d80432c79 6839 if (cert->beforeDateSz && cert->afterDateSz) {
wolfSSL 4:1b0d80432c79 6840 der->validitySz = CopyValidity(der->validity, cert);
wolfSSL 4:1b0d80432c79 6841 if (der->validitySz == 0)
wolfSSL 4:1b0d80432c79 6842 return DATE_E;
wolfSSL 4:1b0d80432c79 6843 }
wolfSSL 4:1b0d80432c79 6844 #endif
wolfSSL 4:1b0d80432c79 6845
wolfSSL 4:1b0d80432c79 6846 /* date validity */
wolfSSL 4:1b0d80432c79 6847 if (der->validitySz == 0) {
wolfSSL 4:1b0d80432c79 6848 der->validitySz = SetValidity(der->validity, cert->daysValid);
wolfSSL 4:1b0d80432c79 6849 if (der->validitySz == 0)
wolfSSL 4:1b0d80432c79 6850 return DATE_E;
wolfSSL 4:1b0d80432c79 6851 }
wolfSSL 4:1b0d80432c79 6852
wolfSSL 4:1b0d80432c79 6853 /* subject name */
wolfSSL 4:1b0d80432c79 6854 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 4:1b0d80432c79 6855 if (der->subjectSz == 0)
wolfSSL 4:1b0d80432c79 6856 return SUBJECT_E;
wolfSSL 4:1b0d80432c79 6857
wolfSSL 4:1b0d80432c79 6858 /* issuer name */
wolfSSL 4:1b0d80432c79 6859 der->issuerSz = SetName(der->issuer, sizeof(der->issuer), cert->selfSigned ?
wolfSSL 4:1b0d80432c79 6860 &cert->subject : &cert->issuer);
wolfSSL 4:1b0d80432c79 6861 if (der->issuerSz == 0)
wolfSSL 4:1b0d80432c79 6862 return ISSUER_E;
wolfSSL 4:1b0d80432c79 6863
wolfSSL 4:1b0d80432c79 6864 /* set the extensions */
wolfSSL 4:1b0d80432c79 6865 der->extensionsSz = 0;
wolfSSL 4:1b0d80432c79 6866
wolfSSL 4:1b0d80432c79 6867 /* CA */
wolfSSL 4:1b0d80432c79 6868 if (cert->isCA) {
wolfSSL 4:1b0d80432c79 6869 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 4:1b0d80432c79 6870 if (der->caSz == 0)
wolfSSL 4:1b0d80432c79 6871 return CA_TRUE_E;
wolfSSL 4:1b0d80432c79 6872
wolfSSL 4:1b0d80432c79 6873 der->extensionsSz += der->caSz;
wolfSSL 4:1b0d80432c79 6874 }
wolfSSL 4:1b0d80432c79 6875 else
wolfSSL 4:1b0d80432c79 6876 der->caSz = 0;
wolfSSL 4:1b0d80432c79 6877
wolfSSL 4:1b0d80432c79 6878 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 6879 /* Alternative Name */
wolfSSL 4:1b0d80432c79 6880 if (cert->altNamesSz) {
wolfSSL 4:1b0d80432c79 6881 der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
wolfSSL 4:1b0d80432c79 6882 cert->altNames, cert->altNamesSz);
wolfSSL 4:1b0d80432c79 6883 if (der->altNamesSz == 0)
wolfSSL 4:1b0d80432c79 6884 return ALT_NAME_E;
wolfSSL 4:1b0d80432c79 6885
wolfSSL 4:1b0d80432c79 6886 der->extensionsSz += der->altNamesSz;
wolfSSL 4:1b0d80432c79 6887 }
wolfSSL 4:1b0d80432c79 6888 else
wolfSSL 4:1b0d80432c79 6889 der->altNamesSz = 0;
wolfSSL 4:1b0d80432c79 6890 #endif
wolfSSL 4:1b0d80432c79 6891
wolfSSL 4:1b0d80432c79 6892 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 6893 /* SKID */
wolfSSL 4:1b0d80432c79 6894 if (cert->skidSz) {
wolfSSL 4:1b0d80432c79 6895 /* check the provided SKID size */
wolfSSL 4:1b0d80432c79 6896 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 4:1b0d80432c79 6897 return SKID_E;
wolfSSL 4:1b0d80432c79 6898
wolfSSL 4:1b0d80432c79 6899 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 4:1b0d80432c79 6900 cert->skid, cert->skidSz);
wolfSSL 4:1b0d80432c79 6901 if (der->skidSz == 0)
wolfSSL 4:1b0d80432c79 6902 return SKID_E;
wolfSSL 4:1b0d80432c79 6903
wolfSSL 4:1b0d80432c79 6904 der->extensionsSz += der->skidSz;
wolfSSL 4:1b0d80432c79 6905 }
wolfSSL 4:1b0d80432c79 6906 else
wolfSSL 4:1b0d80432c79 6907 der->skidSz = 0;
wolfSSL 4:1b0d80432c79 6908
wolfSSL 4:1b0d80432c79 6909 /* AKID */
wolfSSL 4:1b0d80432c79 6910 if (cert->akidSz) {
wolfSSL 4:1b0d80432c79 6911 /* check the provided AKID size */
wolfSSL 4:1b0d80432c79 6912 if (cert->akidSz > (int)sizeof(der->akid))
wolfSSL 4:1b0d80432c79 6913 return AKID_E;
wolfSSL 4:1b0d80432c79 6914
wolfSSL 4:1b0d80432c79 6915 der->akidSz = SetAKID(der->akid, sizeof(der->akid),
wolfSSL 4:1b0d80432c79 6916 cert->akid, cert->akidSz);
wolfSSL 4:1b0d80432c79 6917 if (der->akidSz == 0)
wolfSSL 4:1b0d80432c79 6918 return AKID_E;
wolfSSL 4:1b0d80432c79 6919
wolfSSL 4:1b0d80432c79 6920 der->extensionsSz += der->akidSz;
wolfSSL 4:1b0d80432c79 6921 }
wolfSSL 4:1b0d80432c79 6922 else
wolfSSL 4:1b0d80432c79 6923 der->akidSz = 0;
wolfSSL 4:1b0d80432c79 6924
wolfSSL 4:1b0d80432c79 6925 /* Key Usage */
wolfSSL 4:1b0d80432c79 6926 if (cert->keyUsage != 0){
wolfSSL 4:1b0d80432c79 6927 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 4:1b0d80432c79 6928 cert->keyUsage);
wolfSSL 4:1b0d80432c79 6929 if (der->keyUsageSz == 0)
wolfSSL 4:1b0d80432c79 6930 return KEYUSAGE_E;
wolfSSL 4:1b0d80432c79 6931
wolfSSL 4:1b0d80432c79 6932 der->extensionsSz += der->keyUsageSz;
wolfSSL 4:1b0d80432c79 6933 }
wolfSSL 4:1b0d80432c79 6934 else
wolfSSL 4:1b0d80432c79 6935 der->keyUsageSz = 0;
wolfSSL 4:1b0d80432c79 6936
wolfSSL 4:1b0d80432c79 6937 /* Certificate Policies */
wolfSSL 4:1b0d80432c79 6938 if (cert->certPoliciesNb != 0) {
wolfSSL 4:1b0d80432c79 6939 der->certPoliciesSz = SetCertificatePolicies(der->certPolicies,
wolfSSL 4:1b0d80432c79 6940 sizeof(der->certPolicies),
wolfSSL 4:1b0d80432c79 6941 cert->certPolicies,
wolfSSL 4:1b0d80432c79 6942 cert->certPoliciesNb);
wolfSSL 4:1b0d80432c79 6943 if (der->certPoliciesSz == 0)
wolfSSL 4:1b0d80432c79 6944 return CERTPOLICIES_E;
wolfSSL 4:1b0d80432c79 6945
wolfSSL 4:1b0d80432c79 6946 der->extensionsSz += der->certPoliciesSz;
wolfSSL 4:1b0d80432c79 6947 }
wolfSSL 4:1b0d80432c79 6948 else
wolfSSL 4:1b0d80432c79 6949 der->certPoliciesSz = 0;
wolfSSL 4:1b0d80432c79 6950 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 6951
wolfSSL 4:1b0d80432c79 6952 /* put extensions */
wolfSSL 4:1b0d80432c79 6953 if (der->extensionsSz > 0) {
wolfSSL 4:1b0d80432c79 6954
wolfSSL 4:1b0d80432c79 6955 /* put the start of extensions sequence (ID, Size) */
wolfSSL 4:1b0d80432c79 6956 der->extensionsSz = SetExtensionsHeader(der->extensions,
wolfSSL 4:1b0d80432c79 6957 sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 6958 der->extensionsSz);
wolfSSL 4:1b0d80432c79 6959 if (der->extensionsSz == 0)
wolfSSL 4:1b0d80432c79 6960 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 6961
wolfSSL 4:1b0d80432c79 6962 /* put CA */
wolfSSL 4:1b0d80432c79 6963 if (der->caSz) {
wolfSSL 4:1b0d80432c79 6964 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 6965 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 6966 der->ca, der->caSz);
wolfSSL 4:1b0d80432c79 6967 if (ret == 0)
wolfSSL 4:1b0d80432c79 6968 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 6969 }
wolfSSL 4:1b0d80432c79 6970
wolfSSL 4:1b0d80432c79 6971 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 6972 /* put Alternative Names */
wolfSSL 4:1b0d80432c79 6973 if (der->altNamesSz) {
wolfSSL 4:1b0d80432c79 6974 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 6975 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 6976 der->altNames, der->altNamesSz);
wolfSSL 4:1b0d80432c79 6977 if (ret == 0)
wolfSSL 4:1b0d80432c79 6978 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 6979 }
wolfSSL 4:1b0d80432c79 6980 #endif
wolfSSL 4:1b0d80432c79 6981
wolfSSL 4:1b0d80432c79 6982 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 6983 /* put SKID */
wolfSSL 4:1b0d80432c79 6984 if (der->skidSz) {
wolfSSL 4:1b0d80432c79 6985 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 6986 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 6987 der->skid, der->skidSz);
wolfSSL 4:1b0d80432c79 6988 if (ret == 0)
wolfSSL 4:1b0d80432c79 6989 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 6990 }
wolfSSL 4:1b0d80432c79 6991
wolfSSL 4:1b0d80432c79 6992 /* put AKID */
wolfSSL 4:1b0d80432c79 6993 if (der->akidSz) {
wolfSSL 4:1b0d80432c79 6994 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 6995 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 6996 der->akid, der->akidSz);
wolfSSL 4:1b0d80432c79 6997 if (ret == 0)
wolfSSL 4:1b0d80432c79 6998 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 6999 }
wolfSSL 4:1b0d80432c79 7000
wolfSSL 4:1b0d80432c79 7001 /* put KeyUsage */
wolfSSL 4:1b0d80432c79 7002 if (der->keyUsageSz) {
wolfSSL 4:1b0d80432c79 7003 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7004 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7005 der->keyUsage, der->keyUsageSz);
wolfSSL 4:1b0d80432c79 7006 if (ret == 0)
wolfSSL 4:1b0d80432c79 7007 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7008 }
wolfSSL 4:1b0d80432c79 7009
wolfSSL 4:1b0d80432c79 7010 /* put Certificate Policies */
wolfSSL 4:1b0d80432c79 7011 if (der->certPoliciesSz) {
wolfSSL 4:1b0d80432c79 7012 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7013 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7014 der->certPolicies, der->certPoliciesSz);
wolfSSL 4:1b0d80432c79 7015 if (ret == 0)
wolfSSL 4:1b0d80432c79 7016 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7017 }
wolfSSL 4:1b0d80432c79 7018 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 7019 }
wolfSSL 4:1b0d80432c79 7020
wolfSSL 4:1b0d80432c79 7021 der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
wolfSSL 4:1b0d80432c79 7022 der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz +
wolfSSL 4:1b0d80432c79 7023 der->extensionsSz;
wolfSSL 4:1b0d80432c79 7024
wolfSSL 4:1b0d80432c79 7025 return 0;
wolfSSL 4:1b0d80432c79 7026 }
wolfSSL 4:1b0d80432c79 7027
wolfSSL 4:1b0d80432c79 7028
wolfSSL 4:1b0d80432c79 7029 /* write DER encoded cert to buffer, size already checked */
wolfSSL 4:1b0d80432c79 7030 static int WriteCertBody(DerCert* der, byte* buffer)
wolfSSL 4:1b0d80432c79 7031 {
wolfSSL 4:1b0d80432c79 7032 int idx;
wolfSSL 4:1b0d80432c79 7033
wolfSSL 4:1b0d80432c79 7034 /* signed part header */
wolfSSL 4:1b0d80432c79 7035 idx = SetSequence(der->total, buffer);
wolfSSL 4:1b0d80432c79 7036 /* version */
wolfSSL 4:1b0d80432c79 7037 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 4:1b0d80432c79 7038 idx += der->versionSz;
wolfSSL 4:1b0d80432c79 7039 /* serial */
wolfSSL 4:1b0d80432c79 7040 XMEMCPY(buffer + idx, der->serial, der->serialSz);
wolfSSL 4:1b0d80432c79 7041 idx += der->serialSz;
wolfSSL 4:1b0d80432c79 7042 /* sig algo */
wolfSSL 4:1b0d80432c79 7043 XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz);
wolfSSL 4:1b0d80432c79 7044 idx += der->sigAlgoSz;
wolfSSL 4:1b0d80432c79 7045 /* issuer */
wolfSSL 4:1b0d80432c79 7046 XMEMCPY(buffer + idx, der->issuer, der->issuerSz);
wolfSSL 4:1b0d80432c79 7047 idx += der->issuerSz;
wolfSSL 4:1b0d80432c79 7048 /* validity */
wolfSSL 4:1b0d80432c79 7049 XMEMCPY(buffer + idx, der->validity, der->validitySz);
wolfSSL 4:1b0d80432c79 7050 idx += der->validitySz;
wolfSSL 4:1b0d80432c79 7051 /* subject */
wolfSSL 4:1b0d80432c79 7052 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 4:1b0d80432c79 7053 idx += der->subjectSz;
wolfSSL 4:1b0d80432c79 7054 /* public key */
wolfSSL 4:1b0d80432c79 7055 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 4:1b0d80432c79 7056 idx += der->publicKeySz;
wolfSSL 4:1b0d80432c79 7057 if (der->extensionsSz) {
wolfSSL 4:1b0d80432c79 7058 /* extensions */
wolfSSL 4:1b0d80432c79 7059 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 4:1b0d80432c79 7060 sizeof(der->extensions)));
wolfSSL 4:1b0d80432c79 7061 idx += der->extensionsSz;
wolfSSL 4:1b0d80432c79 7062 }
wolfSSL 4:1b0d80432c79 7063
wolfSSL 4:1b0d80432c79 7064 return idx;
wolfSSL 4:1b0d80432c79 7065 }
wolfSSL 4:1b0d80432c79 7066
wolfSSL 4:1b0d80432c79 7067
wolfSSL 4:1b0d80432c79 7068 /* Make RSA signature from buffer (sz), write to sig (sigSz) */
wolfSSL 4:1b0d80432c79 7069 static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz,
wolfSSL 4:1b0d80432c79 7070 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 4:1b0d80432c79 7071 int sigAlgoType)
wolfSSL 4:1b0d80432c79 7072 {
wolfSSL 4:1b0d80432c79 7073 int encSigSz, digestSz, typeH = 0, ret = 0;
wolfSSL 4:1b0d80432c79 7074 byte digest[MAX_DIGEST_SIZE]; /* max size */
wolfSSL 4:1b0d80432c79 7075 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7076 byte* encSig;
wolfSSL 4:1b0d80432c79 7077 #else
wolfSSL 4:1b0d80432c79 7078 byte encSig[MAX_DER_DIGEST_SZ];
wolfSSL 4:1b0d80432c79 7079 #endif
wolfSSL 4:1b0d80432c79 7080
wolfSSL 4:1b0d80432c79 7081 (void)digest;
wolfSSL 4:1b0d80432c79 7082 (void)digestSz;
wolfSSL 4:1b0d80432c79 7083 (void)encSig;
wolfSSL 4:1b0d80432c79 7084 (void)encSigSz;
wolfSSL 4:1b0d80432c79 7085 (void)typeH;
wolfSSL 4:1b0d80432c79 7086
wolfSSL 4:1b0d80432c79 7087 (void)buffer;
wolfSSL 4:1b0d80432c79 7088 (void)sz;
wolfSSL 4:1b0d80432c79 7089 (void)sig;
wolfSSL 4:1b0d80432c79 7090 (void)sigSz;
wolfSSL 4:1b0d80432c79 7091 (void)rsaKey;
wolfSSL 4:1b0d80432c79 7092 (void)eccKey;
wolfSSL 4:1b0d80432c79 7093 (void)rng;
wolfSSL 4:1b0d80432c79 7094
wolfSSL 4:1b0d80432c79 7095 switch (sigAlgoType) {
wolfSSL 4:1b0d80432c79 7096 #ifndef NO_MD5
wolfSSL 4:1b0d80432c79 7097 case CTC_MD5wRSA:
wolfSSL 4:1b0d80432c79 7098 if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) {
wolfSSL 4:1b0d80432c79 7099 typeH = MD5h;
wolfSSL 4:1b0d80432c79 7100 digestSz = MD5_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7101 }
wolfSSL 4:1b0d80432c79 7102 break;
wolfSSL 4:1b0d80432c79 7103 #endif
wolfSSL 4:1b0d80432c79 7104 #ifndef NO_SHA
wolfSSL 4:1b0d80432c79 7105 case CTC_SHAwRSA:
wolfSSL 4:1b0d80432c79 7106 case CTC_SHAwECDSA:
wolfSSL 4:1b0d80432c79 7107 if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) {
wolfSSL 4:1b0d80432c79 7108 typeH = SHAh;
wolfSSL 4:1b0d80432c79 7109 digestSz = SHA_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7110 }
wolfSSL 4:1b0d80432c79 7111 break;
wolfSSL 4:1b0d80432c79 7112 #endif
wolfSSL 4:1b0d80432c79 7113 #ifndef NO_SHA256
wolfSSL 4:1b0d80432c79 7114 case CTC_SHA256wRSA:
wolfSSL 4:1b0d80432c79 7115 case CTC_SHA256wECDSA:
wolfSSL 4:1b0d80432c79 7116 if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) {
wolfSSL 4:1b0d80432c79 7117 typeH = SHA256h;
wolfSSL 4:1b0d80432c79 7118 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7119 }
wolfSSL 4:1b0d80432c79 7120 break;
wolfSSL 4:1b0d80432c79 7121 #endif
wolfSSL 4:1b0d80432c79 7122 #ifdef WOLFSSL_SHA512
wolfSSL 4:1b0d80432c79 7123 case CTC_SHA512wRSA:
wolfSSL 4:1b0d80432c79 7124 case CTC_SHA512wECDSA:
wolfSSL 4:1b0d80432c79 7125 if ((ret = wc_Sha512Hash(buffer, sz, digest)) == 0) {
wolfSSL 4:1b0d80432c79 7126 typeH = SHA256h;
wolfSSL 4:1b0d80432c79 7127 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7128 }
wolfSSL 4:1b0d80432c79 7129 break;
wolfSSL 4:1b0d80432c79 7130 #endif
wolfSSL 4:1b0d80432c79 7131 default:
wolfSSL 4:1b0d80432c79 7132 WOLFSSL_MSG("MakeSignautre called with unsupported type");
wolfSSL 4:1b0d80432c79 7133 ret = ALGO_ID_E;
wolfSSL 4:1b0d80432c79 7134 }
wolfSSL 4:1b0d80432c79 7135
wolfSSL 4:1b0d80432c79 7136 if (ret != 0)
wolfSSL 4:1b0d80432c79 7137 return ret;
wolfSSL 4:1b0d80432c79 7138
wolfSSL 4:1b0d80432c79 7139 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7140 encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ,
wolfSSL 4:1b0d80432c79 7141 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7142 if (encSig == NULL)
wolfSSL 4:1b0d80432c79 7143 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7144 #endif
wolfSSL 4:1b0d80432c79 7145
wolfSSL 4:1b0d80432c79 7146 ret = ALGO_ID_E;
wolfSSL 4:1b0d80432c79 7147
wolfSSL 4:1b0d80432c79 7148 #ifndef NO_RSA
wolfSSL 4:1b0d80432c79 7149 if (rsaKey) {
wolfSSL 4:1b0d80432c79 7150 /* signature */
wolfSSL 4:1b0d80432c79 7151 encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH);
wolfSSL 4:1b0d80432c79 7152 ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng);
wolfSSL 4:1b0d80432c79 7153 }
wolfSSL 4:1b0d80432c79 7154 #endif
wolfSSL 4:1b0d80432c79 7155
wolfSSL 4:1b0d80432c79 7156 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 7157 if (!rsaKey && eccKey) {
wolfSSL 4:1b0d80432c79 7158 word32 outSz = sigSz;
wolfSSL 4:1b0d80432c79 7159 ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey);
wolfSSL 4:1b0d80432c79 7160
wolfSSL 4:1b0d80432c79 7161 if (ret == 0)
wolfSSL 4:1b0d80432c79 7162 ret = outSz;
wolfSSL 4:1b0d80432c79 7163 }
wolfSSL 4:1b0d80432c79 7164 #endif
wolfSSL 4:1b0d80432c79 7165
wolfSSL 4:1b0d80432c79 7166 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7167 XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7168 #endif
wolfSSL 4:1b0d80432c79 7169
wolfSSL 4:1b0d80432c79 7170 return ret;
wolfSSL 4:1b0d80432c79 7171 }
wolfSSL 4:1b0d80432c79 7172
wolfSSL 4:1b0d80432c79 7173
wolfSSL 4:1b0d80432c79 7174 /* add signature to end of buffer, size of buffer assumed checked, return
wolfSSL 4:1b0d80432c79 7175 new length */
wolfSSL 4:1b0d80432c79 7176 static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
wolfSSL 4:1b0d80432c79 7177 int sigAlgoType)
wolfSSL 4:1b0d80432c79 7178 {
wolfSSL 4:1b0d80432c79 7179 byte seq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 7180 int idx = bodySz, seqSz;
wolfSSL 4:1b0d80432c79 7181
wolfSSL 4:1b0d80432c79 7182 /* algo */
wolfSSL 4:1b0d80432c79 7183 idx += SetAlgoID(sigAlgoType, buffer + idx, sigType, 0);
wolfSSL 4:1b0d80432c79 7184 /* bit string */
wolfSSL 4:1b0d80432c79 7185 buffer[idx++] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 7186 /* length */
wolfSSL 4:1b0d80432c79 7187 idx += SetLength(sigSz + 1, buffer + idx);
wolfSSL 4:1b0d80432c79 7188 buffer[idx++] = 0; /* trailing 0 */
wolfSSL 4:1b0d80432c79 7189 /* signature */
wolfSSL 4:1b0d80432c79 7190 XMEMCPY(buffer + idx, sig, sigSz);
wolfSSL 4:1b0d80432c79 7191 idx += sigSz;
wolfSSL 4:1b0d80432c79 7192
wolfSSL 4:1b0d80432c79 7193 /* make room for overall header */
wolfSSL 4:1b0d80432c79 7194 seqSz = SetSequence(idx, seq);
wolfSSL 4:1b0d80432c79 7195 XMEMMOVE(buffer + seqSz, buffer, idx);
wolfSSL 4:1b0d80432c79 7196 XMEMCPY(buffer, seq, seqSz);
wolfSSL 4:1b0d80432c79 7197
wolfSSL 4:1b0d80432c79 7198 return idx + seqSz;
wolfSSL 4:1b0d80432c79 7199 }
wolfSSL 4:1b0d80432c79 7200
wolfSSL 4:1b0d80432c79 7201
wolfSSL 4:1b0d80432c79 7202 /* Make an x509 Certificate v3 any key type from cert input, write to buffer */
wolfSSL 4:1b0d80432c79 7203 static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 4:1b0d80432c79 7204 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 4:1b0d80432c79 7205 const byte* ntruKey, word16 ntruSz)
wolfSSL 4:1b0d80432c79 7206 {
wolfSSL 4:1b0d80432c79 7207 int ret;
wolfSSL 4:1b0d80432c79 7208 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7209 DerCert* der;
wolfSSL 4:1b0d80432c79 7210 #else
wolfSSL 4:1b0d80432c79 7211 DerCert der[1];
wolfSSL 4:1b0d80432c79 7212 #endif
wolfSSL 4:1b0d80432c79 7213
wolfSSL 4:1b0d80432c79 7214 cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY);
wolfSSL 4:1b0d80432c79 7215
wolfSSL 4:1b0d80432c79 7216 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7217 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7218 if (der == NULL)
wolfSSL 4:1b0d80432c79 7219 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7220 #endif
wolfSSL 4:1b0d80432c79 7221
wolfSSL 4:1b0d80432c79 7222 ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz);
wolfSSL 4:1b0d80432c79 7223 if (ret == 0) {
wolfSSL 4:1b0d80432c79 7224 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 4:1b0d80432c79 7225 ret = BUFFER_E;
wolfSSL 4:1b0d80432c79 7226 else
wolfSSL 4:1b0d80432c79 7227 ret = cert->bodySz = WriteCertBody(der, derBuffer);
wolfSSL 4:1b0d80432c79 7228 }
wolfSSL 4:1b0d80432c79 7229
wolfSSL 4:1b0d80432c79 7230 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7231 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7232 #endif
wolfSSL 4:1b0d80432c79 7233
wolfSSL 4:1b0d80432c79 7234 return ret;
wolfSSL 4:1b0d80432c79 7235 }
wolfSSL 4:1b0d80432c79 7236
wolfSSL 4:1b0d80432c79 7237
wolfSSL 4:1b0d80432c79 7238 /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
wolfSSL 4:1b0d80432c79 7239 int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey,
wolfSSL 4:1b0d80432c79 7240 ecc_key* eccKey, WC_RNG* rng)
wolfSSL 4:1b0d80432c79 7241 {
wolfSSL 4:1b0d80432c79 7242 return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0);
wolfSSL 4:1b0d80432c79 7243 }
wolfSSL 4:1b0d80432c79 7244
wolfSSL 4:1b0d80432c79 7245
wolfSSL 4:1b0d80432c79 7246 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 7247
wolfSSL 4:1b0d80432c79 7248 int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 4:1b0d80432c79 7249 const byte* ntruKey, word16 keySz, WC_RNG* rng)
wolfSSL 4:1b0d80432c79 7250 {
wolfSSL 4:1b0d80432c79 7251 return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz);
wolfSSL 4:1b0d80432c79 7252 }
wolfSSL 4:1b0d80432c79 7253
wolfSSL 4:1b0d80432c79 7254 #endif /* HAVE_NTRU */
wolfSSL 4:1b0d80432c79 7255
wolfSSL 4:1b0d80432c79 7256
wolfSSL 4:1b0d80432c79 7257 #ifdef WOLFSSL_CERT_REQ
wolfSSL 4:1b0d80432c79 7258
wolfSSL 4:1b0d80432c79 7259 static int SetReqAttrib(byte* output, char* pw, int extSz)
wolfSSL 4:1b0d80432c79 7260 {
wolfSSL 4:1b0d80432c79 7261 static const byte cpOid[] =
wolfSSL 4:1b0d80432c79 7262 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 4:1b0d80432c79 7263 0x09, 0x07 };
wolfSSL 4:1b0d80432c79 7264 static const byte erOid[] =
wolfSSL 4:1b0d80432c79 7265 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 4:1b0d80432c79 7266 0x09, 0x0e };
wolfSSL 4:1b0d80432c79 7267
wolfSSL 4:1b0d80432c79 7268 int sz = 0; /* overall size */
wolfSSL 4:1b0d80432c79 7269 int cpSz = 0; /* Challenge Password section size */
wolfSSL 4:1b0d80432c79 7270 int cpSeqSz = 0;
wolfSSL 4:1b0d80432c79 7271 int cpSetSz = 0;
wolfSSL 4:1b0d80432c79 7272 int cpStrSz = 0;
wolfSSL 4:1b0d80432c79 7273 int pwSz = 0;
wolfSSL 4:1b0d80432c79 7274 int erSz = 0; /* Extension Request section size */
wolfSSL 4:1b0d80432c79 7275 int erSeqSz = 0;
wolfSSL 4:1b0d80432c79 7276 int erSetSz = 0;
wolfSSL 4:1b0d80432c79 7277 byte cpSeq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 7278 byte cpSet[MAX_SET_SZ];
wolfSSL 4:1b0d80432c79 7279 byte cpStr[MAX_PRSTR_SZ];
wolfSSL 4:1b0d80432c79 7280 byte erSeq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 7281 byte erSet[MAX_SET_SZ];
wolfSSL 4:1b0d80432c79 7282
wolfSSL 4:1b0d80432c79 7283 output[0] = 0xa0;
wolfSSL 4:1b0d80432c79 7284 sz++;
wolfSSL 4:1b0d80432c79 7285
wolfSSL 4:1b0d80432c79 7286 if (pw && pw[0]) {
wolfSSL 4:1b0d80432c79 7287 pwSz = (int)XSTRLEN(pw);
wolfSSL 4:1b0d80432c79 7288 cpStrSz = SetUTF8String(pwSz, cpStr);
wolfSSL 4:1b0d80432c79 7289 cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
wolfSSL 4:1b0d80432c79 7290 cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
wolfSSL 4:1b0d80432c79 7291 cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
wolfSSL 4:1b0d80432c79 7292 }
wolfSSL 4:1b0d80432c79 7293
wolfSSL 4:1b0d80432c79 7294 if (extSz) {
wolfSSL 4:1b0d80432c79 7295 erSetSz = SetSet(extSz, erSet);
wolfSSL 4:1b0d80432c79 7296 erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq);
wolfSSL 4:1b0d80432c79 7297 erSz = extSz + erSetSz + erSeqSz + sizeof(erOid);
wolfSSL 4:1b0d80432c79 7298 }
wolfSSL 4:1b0d80432c79 7299
wolfSSL 4:1b0d80432c79 7300 /* Put the pieces together. */
wolfSSL 4:1b0d80432c79 7301 sz += SetLength(cpSz + erSz, &output[sz]);
wolfSSL 4:1b0d80432c79 7302
wolfSSL 4:1b0d80432c79 7303 if (cpSz) {
wolfSSL 4:1b0d80432c79 7304 XMEMCPY(&output[sz], cpSeq, cpSeqSz);
wolfSSL 4:1b0d80432c79 7305 sz += cpSeqSz;
wolfSSL 4:1b0d80432c79 7306 XMEMCPY(&output[sz], cpOid, sizeof(cpOid));
wolfSSL 4:1b0d80432c79 7307 sz += sizeof(cpOid);
wolfSSL 4:1b0d80432c79 7308 XMEMCPY(&output[sz], cpSet, cpSetSz);
wolfSSL 4:1b0d80432c79 7309 sz += cpSetSz;
wolfSSL 4:1b0d80432c79 7310 XMEMCPY(&output[sz], cpStr, cpStrSz);
wolfSSL 4:1b0d80432c79 7311 sz += cpStrSz;
wolfSSL 4:1b0d80432c79 7312 XMEMCPY(&output[sz], pw, pwSz);
wolfSSL 4:1b0d80432c79 7313 sz += pwSz;
wolfSSL 4:1b0d80432c79 7314 }
wolfSSL 4:1b0d80432c79 7315
wolfSSL 4:1b0d80432c79 7316 if (erSz) {
wolfSSL 4:1b0d80432c79 7317 XMEMCPY(&output[sz], erSeq, erSeqSz);
wolfSSL 4:1b0d80432c79 7318 sz += erSeqSz;
wolfSSL 4:1b0d80432c79 7319 XMEMCPY(&output[sz], erOid, sizeof(erOid));
wolfSSL 4:1b0d80432c79 7320 sz += sizeof(erOid);
wolfSSL 4:1b0d80432c79 7321 XMEMCPY(&output[sz], erSet, erSetSz);
wolfSSL 4:1b0d80432c79 7322 sz += erSetSz;
wolfSSL 4:1b0d80432c79 7323 /* The actual extension data will be tacked onto the output later. */
wolfSSL 4:1b0d80432c79 7324 }
wolfSSL 4:1b0d80432c79 7325
wolfSSL 4:1b0d80432c79 7326 return sz;
wolfSSL 4:1b0d80432c79 7327 }
wolfSSL 4:1b0d80432c79 7328
wolfSSL 4:1b0d80432c79 7329
wolfSSL 4:1b0d80432c79 7330 /* encode info from cert into DER encoded format */
wolfSSL 4:1b0d80432c79 7331 static int EncodeCertReq(Cert* cert, DerCert* der,
wolfSSL 4:1b0d80432c79 7332 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 4:1b0d80432c79 7333 {
wolfSSL 4:1b0d80432c79 7334 (void)eccKey;
wolfSSL 4:1b0d80432c79 7335
wolfSSL 4:1b0d80432c79 7336 if (cert == NULL || der == NULL)
wolfSSL 4:1b0d80432c79 7337 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7338
wolfSSL 4:1b0d80432c79 7339 /* init */
wolfSSL 4:1b0d80432c79 7340 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 4:1b0d80432c79 7341
wolfSSL 4:1b0d80432c79 7342 /* version */
wolfSSL 4:1b0d80432c79 7343 der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
wolfSSL 4:1b0d80432c79 7344
wolfSSL 4:1b0d80432c79 7345 /* subject name */
wolfSSL 4:1b0d80432c79 7346 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 4:1b0d80432c79 7347 if (der->subjectSz == 0)
wolfSSL 4:1b0d80432c79 7348 return SUBJECT_E;
wolfSSL 4:1b0d80432c79 7349
wolfSSL 4:1b0d80432c79 7350 /* public key */
wolfSSL 4:1b0d80432c79 7351 if (cert->keyType == RSA_KEY) {
wolfSSL 4:1b0d80432c79 7352 if (rsaKey == NULL)
wolfSSL 4:1b0d80432c79 7353 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7354 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 4:1b0d80432c79 7355 sizeof(der->publicKey), 1);
wolfSSL 4:1b0d80432c79 7356 if (der->publicKeySz <= 0)
wolfSSL 4:1b0d80432c79 7357 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7358 }
wolfSSL 4:1b0d80432c79 7359
wolfSSL 4:1b0d80432c79 7360 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 7361 if (cert->keyType == ECC_KEY) {
wolfSSL 4:1b0d80432c79 7362 if (eccKey == NULL)
wolfSSL 4:1b0d80432c79 7363 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7364 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 4:1b0d80432c79 7365 if (der->publicKeySz <= 0)
wolfSSL 4:1b0d80432c79 7366 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7367 }
wolfSSL 4:1b0d80432c79 7368 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 7369
wolfSSL 4:1b0d80432c79 7370 /* set the extensions */
wolfSSL 4:1b0d80432c79 7371 der->extensionsSz = 0;
wolfSSL 4:1b0d80432c79 7372
wolfSSL 4:1b0d80432c79 7373 /* CA */
wolfSSL 4:1b0d80432c79 7374 if (cert->isCA) {
wolfSSL 4:1b0d80432c79 7375 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 4:1b0d80432c79 7376 if (der->caSz == 0)
wolfSSL 4:1b0d80432c79 7377 return CA_TRUE_E;
wolfSSL 4:1b0d80432c79 7378
wolfSSL 4:1b0d80432c79 7379 der->extensionsSz += der->caSz;
wolfSSL 4:1b0d80432c79 7380 }
wolfSSL 4:1b0d80432c79 7381 else
wolfSSL 4:1b0d80432c79 7382 der->caSz = 0;
wolfSSL 4:1b0d80432c79 7383
wolfSSL 4:1b0d80432c79 7384 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 7385 /* SKID */
wolfSSL 4:1b0d80432c79 7386 if (cert->skidSz) {
wolfSSL 4:1b0d80432c79 7387 /* check the provided SKID size */
wolfSSL 4:1b0d80432c79 7388 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 4:1b0d80432c79 7389 return SKID_E;
wolfSSL 4:1b0d80432c79 7390
wolfSSL 4:1b0d80432c79 7391 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 4:1b0d80432c79 7392 cert->skid, cert->skidSz);
wolfSSL 4:1b0d80432c79 7393 if (der->skidSz == 0)
wolfSSL 4:1b0d80432c79 7394 return SKID_E;
wolfSSL 4:1b0d80432c79 7395
wolfSSL 4:1b0d80432c79 7396 der->extensionsSz += der->skidSz;
wolfSSL 4:1b0d80432c79 7397 }
wolfSSL 4:1b0d80432c79 7398 else
wolfSSL 4:1b0d80432c79 7399 der->skidSz = 0;
wolfSSL 4:1b0d80432c79 7400
wolfSSL 4:1b0d80432c79 7401 /* Key Usage */
wolfSSL 4:1b0d80432c79 7402 if (cert->keyUsage != 0){
wolfSSL 4:1b0d80432c79 7403 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 4:1b0d80432c79 7404 cert->keyUsage);
wolfSSL 4:1b0d80432c79 7405 if (der->keyUsageSz == 0)
wolfSSL 4:1b0d80432c79 7406 return KEYUSAGE_E;
wolfSSL 4:1b0d80432c79 7407
wolfSSL 4:1b0d80432c79 7408 der->extensionsSz += der->keyUsageSz;
wolfSSL 4:1b0d80432c79 7409 }
wolfSSL 4:1b0d80432c79 7410 else
wolfSSL 4:1b0d80432c79 7411 der->keyUsageSz = 0;
wolfSSL 4:1b0d80432c79 7412 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 7413
wolfSSL 4:1b0d80432c79 7414 /* put extensions */
wolfSSL 4:1b0d80432c79 7415 if (der->extensionsSz > 0) {
wolfSSL 4:1b0d80432c79 7416 int ret;
wolfSSL 4:1b0d80432c79 7417
wolfSSL 4:1b0d80432c79 7418 /* put the start of sequence (ID, Size) */
wolfSSL 4:1b0d80432c79 7419 der->extensionsSz = SetSequence(der->extensionsSz, der->extensions);
wolfSSL 4:1b0d80432c79 7420 if (der->extensionsSz == 0)
wolfSSL 4:1b0d80432c79 7421 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7422
wolfSSL 4:1b0d80432c79 7423 /* put CA */
wolfSSL 4:1b0d80432c79 7424 if (der->caSz) {
wolfSSL 4:1b0d80432c79 7425 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7426 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7427 der->ca, der->caSz);
wolfSSL 4:1b0d80432c79 7428 if (ret == 0)
wolfSSL 4:1b0d80432c79 7429 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7430 }
wolfSSL 4:1b0d80432c79 7431
wolfSSL 4:1b0d80432c79 7432 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 7433 /* put SKID */
wolfSSL 4:1b0d80432c79 7434 if (der->skidSz) {
wolfSSL 4:1b0d80432c79 7435 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7436 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7437 der->skid, der->skidSz);
wolfSSL 4:1b0d80432c79 7438 if (ret == 0)
wolfSSL 4:1b0d80432c79 7439 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7440 }
wolfSSL 4:1b0d80432c79 7441
wolfSSL 4:1b0d80432c79 7442 /* put AKID */
wolfSSL 4:1b0d80432c79 7443 if (der->akidSz) {
wolfSSL 4:1b0d80432c79 7444 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7445 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7446 der->akid, der->akidSz);
wolfSSL 4:1b0d80432c79 7447 if (ret == 0)
wolfSSL 4:1b0d80432c79 7448 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7449 }
wolfSSL 4:1b0d80432c79 7450
wolfSSL 4:1b0d80432c79 7451 /* put KeyUsage */
wolfSSL 4:1b0d80432c79 7452 if (der->keyUsageSz) {
wolfSSL 4:1b0d80432c79 7453 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 4:1b0d80432c79 7454 &der->extensionsSz,
wolfSSL 4:1b0d80432c79 7455 der->keyUsage, der->keyUsageSz);
wolfSSL 4:1b0d80432c79 7456 if (ret == 0)
wolfSSL 4:1b0d80432c79 7457 return EXTENSIONS_E;
wolfSSL 4:1b0d80432c79 7458 }
wolfSSL 4:1b0d80432c79 7459
wolfSSL 4:1b0d80432c79 7460 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 7461 }
wolfSSL 4:1b0d80432c79 7462
wolfSSL 4:1b0d80432c79 7463 der->attribSz = SetReqAttrib(der->attrib,
wolfSSL 4:1b0d80432c79 7464 cert->challengePw, der->extensionsSz);
wolfSSL 4:1b0d80432c79 7465 if (der->attribSz == 0)
wolfSSL 4:1b0d80432c79 7466 return REQ_ATTRIBUTE_E;
wolfSSL 4:1b0d80432c79 7467
wolfSSL 4:1b0d80432c79 7468 der->total = der->versionSz + der->subjectSz + der->publicKeySz +
wolfSSL 4:1b0d80432c79 7469 der->extensionsSz + der->attribSz;
wolfSSL 4:1b0d80432c79 7470
wolfSSL 4:1b0d80432c79 7471 return 0;
wolfSSL 4:1b0d80432c79 7472 }
wolfSSL 4:1b0d80432c79 7473
wolfSSL 4:1b0d80432c79 7474
wolfSSL 4:1b0d80432c79 7475 /* write DER encoded cert req to buffer, size already checked */
wolfSSL 4:1b0d80432c79 7476 static int WriteCertReqBody(DerCert* der, byte* buffer)
wolfSSL 4:1b0d80432c79 7477 {
wolfSSL 4:1b0d80432c79 7478 int idx;
wolfSSL 4:1b0d80432c79 7479
wolfSSL 4:1b0d80432c79 7480 /* signed part header */
wolfSSL 4:1b0d80432c79 7481 idx = SetSequence(der->total, buffer);
wolfSSL 4:1b0d80432c79 7482 /* version */
wolfSSL 4:1b0d80432c79 7483 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 4:1b0d80432c79 7484 idx += der->versionSz;
wolfSSL 4:1b0d80432c79 7485 /* subject */
wolfSSL 4:1b0d80432c79 7486 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 4:1b0d80432c79 7487 idx += der->subjectSz;
wolfSSL 4:1b0d80432c79 7488 /* public key */
wolfSSL 4:1b0d80432c79 7489 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 4:1b0d80432c79 7490 idx += der->publicKeySz;
wolfSSL 4:1b0d80432c79 7491 /* attributes */
wolfSSL 4:1b0d80432c79 7492 XMEMCPY(buffer + idx, der->attrib, der->attribSz);
wolfSSL 4:1b0d80432c79 7493 idx += der->attribSz;
wolfSSL 4:1b0d80432c79 7494 /* extensions */
wolfSSL 4:1b0d80432c79 7495 if (der->extensionsSz) {
wolfSSL 4:1b0d80432c79 7496 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 4:1b0d80432c79 7497 sizeof(der->extensions)));
wolfSSL 4:1b0d80432c79 7498 idx += der->extensionsSz;
wolfSSL 4:1b0d80432c79 7499 }
wolfSSL 4:1b0d80432c79 7500
wolfSSL 4:1b0d80432c79 7501 return idx;
wolfSSL 4:1b0d80432c79 7502 }
wolfSSL 4:1b0d80432c79 7503
wolfSSL 4:1b0d80432c79 7504
wolfSSL 4:1b0d80432c79 7505 int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 4:1b0d80432c79 7506 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 4:1b0d80432c79 7507 {
wolfSSL 4:1b0d80432c79 7508 int ret;
wolfSSL 4:1b0d80432c79 7509 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7510 DerCert* der;
wolfSSL 4:1b0d80432c79 7511 #else
wolfSSL 4:1b0d80432c79 7512 DerCert der[1];
wolfSSL 4:1b0d80432c79 7513 #endif
wolfSSL 4:1b0d80432c79 7514
wolfSSL 4:1b0d80432c79 7515 cert->keyType = eccKey ? ECC_KEY : RSA_KEY;
wolfSSL 4:1b0d80432c79 7516
wolfSSL 4:1b0d80432c79 7517 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7518 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7519 if (der == NULL)
wolfSSL 4:1b0d80432c79 7520 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7521 #endif
wolfSSL 4:1b0d80432c79 7522
wolfSSL 4:1b0d80432c79 7523 ret = EncodeCertReq(cert, der, rsaKey, eccKey);
wolfSSL 4:1b0d80432c79 7524
wolfSSL 4:1b0d80432c79 7525 if (ret == 0) {
wolfSSL 4:1b0d80432c79 7526 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 4:1b0d80432c79 7527 ret = BUFFER_E;
wolfSSL 4:1b0d80432c79 7528 else
wolfSSL 4:1b0d80432c79 7529 ret = cert->bodySz = WriteCertReqBody(der, derBuffer);
wolfSSL 4:1b0d80432c79 7530 }
wolfSSL 4:1b0d80432c79 7531
wolfSSL 4:1b0d80432c79 7532 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7533 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7534 #endif
wolfSSL 4:1b0d80432c79 7535
wolfSSL 4:1b0d80432c79 7536 return ret;
wolfSSL 4:1b0d80432c79 7537 }
wolfSSL 4:1b0d80432c79 7538
wolfSSL 4:1b0d80432c79 7539 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 4:1b0d80432c79 7540
wolfSSL 4:1b0d80432c79 7541
wolfSSL 4:1b0d80432c79 7542 int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
wolfSSL 4:1b0d80432c79 7543 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng)
wolfSSL 4:1b0d80432c79 7544 {
wolfSSL 4:1b0d80432c79 7545 int sigSz;
wolfSSL 4:1b0d80432c79 7546 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7547 byte* sig;
wolfSSL 4:1b0d80432c79 7548 #else
wolfSSL 4:1b0d80432c79 7549 byte sig[MAX_ENCODED_SIG_SZ];
wolfSSL 4:1b0d80432c79 7550 #endif
wolfSSL 4:1b0d80432c79 7551
wolfSSL 4:1b0d80432c79 7552 if (requestSz < 0)
wolfSSL 4:1b0d80432c79 7553 return requestSz;
wolfSSL 4:1b0d80432c79 7554
wolfSSL 4:1b0d80432c79 7555 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7556 sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7557 if (sig == NULL)
wolfSSL 4:1b0d80432c79 7558 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7559 #endif
wolfSSL 4:1b0d80432c79 7560
wolfSSL 4:1b0d80432c79 7561 sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey,
wolfSSL 4:1b0d80432c79 7562 eccKey, rng, sType);
wolfSSL 4:1b0d80432c79 7563
wolfSSL 4:1b0d80432c79 7564 if (sigSz >= 0) {
wolfSSL 4:1b0d80432c79 7565 if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
wolfSSL 4:1b0d80432c79 7566 sigSz = BUFFER_E;
wolfSSL 4:1b0d80432c79 7567 else
wolfSSL 4:1b0d80432c79 7568 sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType);
wolfSSL 4:1b0d80432c79 7569 }
wolfSSL 4:1b0d80432c79 7570
wolfSSL 4:1b0d80432c79 7571 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7572 XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7573 #endif
wolfSSL 4:1b0d80432c79 7574
wolfSSL 4:1b0d80432c79 7575 return sigSz;
wolfSSL 4:1b0d80432c79 7576 }
wolfSSL 4:1b0d80432c79 7577
wolfSSL 4:1b0d80432c79 7578
wolfSSL 4:1b0d80432c79 7579 int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz,
wolfSSL 4:1b0d80432c79 7580 RsaKey* key, WC_RNG* rng)
wolfSSL 4:1b0d80432c79 7581 {
wolfSSL 4:1b0d80432c79 7582 int ret;
wolfSSL 4:1b0d80432c79 7583
wolfSSL 4:1b0d80432c79 7584 ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng);
wolfSSL 4:1b0d80432c79 7585 if (ret < 0)
wolfSSL 4:1b0d80432c79 7586 return ret;
wolfSSL 4:1b0d80432c79 7587
wolfSSL 4:1b0d80432c79 7588 return wc_SignCert(cert->bodySz, cert->sigType,
wolfSSL 4:1b0d80432c79 7589 buffer, buffSz, key, NULL, rng);
wolfSSL 4:1b0d80432c79 7590 }
wolfSSL 4:1b0d80432c79 7591
wolfSSL 4:1b0d80432c79 7592
wolfSSL 4:1b0d80432c79 7593 #ifdef WOLFSSL_CERT_EXT
wolfSSL 4:1b0d80432c79 7594
wolfSSL 4:1b0d80432c79 7595 /* Set KID from RSA or ECC public key */
wolfSSL 4:1b0d80432c79 7596 static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
wolfSSL 4:1b0d80432c79 7597 byte *ntruKey, word16 ntruKeySz, int kid_type)
wolfSSL 4:1b0d80432c79 7598 {
wolfSSL 4:1b0d80432c79 7599 byte *buffer;
wolfSSL 4:1b0d80432c79 7600 int bufferSz, ret;
wolfSSL 4:1b0d80432c79 7601
wolfSSL 4:1b0d80432c79 7602 #ifndef HAVE_NTRU
wolfSSL 4:1b0d80432c79 7603 (void)ntruKeySz;
wolfSSL 4:1b0d80432c79 7604 #endif
wolfSSL 4:1b0d80432c79 7605
wolfSSL 4:1b0d80432c79 7606 if (cert == NULL || (rsakey == NULL && eckey == NULL && ntruKey == NULL) ||
wolfSSL 4:1b0d80432c79 7607 (rsakey != NULL && eckey != NULL) ||
wolfSSL 4:1b0d80432c79 7608 (rsakey != NULL && ntruKey != NULL) ||
wolfSSL 4:1b0d80432c79 7609 (ntruKey != NULL && eckey != NULL) ||
wolfSSL 4:1b0d80432c79 7610 (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
wolfSSL 4:1b0d80432c79 7611 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7612
wolfSSL 4:1b0d80432c79 7613 buffer = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7614 if (buffer == NULL)
wolfSSL 4:1b0d80432c79 7615 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7616
wolfSSL 4:1b0d80432c79 7617 /* RSA public key */
wolfSSL 4:1b0d80432c79 7618 if (rsakey != NULL)
wolfSSL 4:1b0d80432c79 7619 bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0);
wolfSSL 4:1b0d80432c79 7620 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 7621 /* ECC public key */
wolfSSL 4:1b0d80432c79 7622 else if (eckey != NULL)
wolfSSL 4:1b0d80432c79 7623 bufferSz = SetEccPublicKey(buffer, eckey, 0);
wolfSSL 4:1b0d80432c79 7624 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 7625 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 7626 /* NTRU public key */
wolfSSL 4:1b0d80432c79 7627 else if (ntruKey != NULL) {
wolfSSL 4:1b0d80432c79 7628 bufferSz = MAX_PUBLIC_KEY_SZ;
wolfSSL 4:1b0d80432c79 7629 ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
wolfSSL 4:1b0d80432c79 7630 ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer);
wolfSSL 4:1b0d80432c79 7631 if (ret != NTRU_OK)
wolfSSL 4:1b0d80432c79 7632 bufferSz = -1;
wolfSSL 4:1b0d80432c79 7633 }
wolfSSL 4:1b0d80432c79 7634 #endif
wolfSSL 4:1b0d80432c79 7635 else
wolfSSL 4:1b0d80432c79 7636 bufferSz = -1;
wolfSSL 4:1b0d80432c79 7637
wolfSSL 4:1b0d80432c79 7638 if (bufferSz <= 0) {
wolfSSL 4:1b0d80432c79 7639 XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7640 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7641 }
wolfSSL 4:1b0d80432c79 7642
wolfSSL 4:1b0d80432c79 7643 /* Compute SKID by hashing public key */
wolfSSL 4:1b0d80432c79 7644 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 7645 if (kid_type == SKID_TYPE) {
wolfSSL 4:1b0d80432c79 7646 ret = wc_Sha256Hash(buffer, bufferSz, cert->skid);
wolfSSL 4:1b0d80432c79 7647 cert->skidSz = SHA256_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7648 }
wolfSSL 4:1b0d80432c79 7649 else if (kid_type == AKID_TYPE) {
wolfSSL 4:1b0d80432c79 7650 ret = wc_Sha256Hash(buffer, bufferSz, cert->akid);
wolfSSL 4:1b0d80432c79 7651 cert->akidSz = SHA256_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7652 }
wolfSSL 4:1b0d80432c79 7653 else
wolfSSL 4:1b0d80432c79 7654 ret = BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7655 #else /* NO_SHA */
wolfSSL 4:1b0d80432c79 7656 if (kid_type == SKID_TYPE) {
wolfSSL 4:1b0d80432c79 7657 ret = wc_ShaHash(buffer, bufferSz, cert->skid);
wolfSSL 4:1b0d80432c79 7658 cert->skidSz = SHA_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7659 }
wolfSSL 4:1b0d80432c79 7660 else if (kid_type == AKID_TYPE) {
wolfSSL 4:1b0d80432c79 7661 ret = wc_ShaHash(buffer, bufferSz, cert->akid);
wolfSSL 4:1b0d80432c79 7662 cert->akidSz = SHA_DIGEST_SIZE;
wolfSSL 4:1b0d80432c79 7663 }
wolfSSL 4:1b0d80432c79 7664 else
wolfSSL 4:1b0d80432c79 7665 ret = BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7666 #endif /* NO_SHA */
wolfSSL 4:1b0d80432c79 7667
wolfSSL 4:1b0d80432c79 7668 XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7669 return ret;
wolfSSL 4:1b0d80432c79 7670 }
wolfSSL 4:1b0d80432c79 7671
wolfSSL 4:1b0d80432c79 7672 /* Set SKID from RSA or ECC public key */
wolfSSL 4:1b0d80432c79 7673 int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 4:1b0d80432c79 7674 {
wolfSSL 4:1b0d80432c79 7675 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, SKID_TYPE);
wolfSSL 4:1b0d80432c79 7676 }
wolfSSL 4:1b0d80432c79 7677
wolfSSL 4:1b0d80432c79 7678 #ifdef HAVE_NTRU
wolfSSL 4:1b0d80432c79 7679 /* Set SKID from NTRU public key */
wolfSSL 4:1b0d80432c79 7680 int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert,
wolfSSL 4:1b0d80432c79 7681 byte *ntruKey, word16 ntruKeySz)
wolfSSL 4:1b0d80432c79 7682 {
wolfSSL 4:1b0d80432c79 7683 return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, SKID_TYPE);
wolfSSL 4:1b0d80432c79 7684 }
wolfSSL 4:1b0d80432c79 7685 #endif
wolfSSL 4:1b0d80432c79 7686
wolfSSL 4:1b0d80432c79 7687 /* Set SKID from RSA or ECC public key */
wolfSSL 4:1b0d80432c79 7688 int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 4:1b0d80432c79 7689 {
wolfSSL 4:1b0d80432c79 7690 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, AKID_TYPE);
wolfSSL 4:1b0d80432c79 7691 }
wolfSSL 4:1b0d80432c79 7692
wolfSSL 4:1b0d80432c79 7693
wolfSSL 4:1b0d80432c79 7694 #ifndef NO_FILESYSTEM
wolfSSL 4:1b0d80432c79 7695
wolfSSL 4:1b0d80432c79 7696 /* Set SKID from public key file in PEM */
wolfSSL 4:1b0d80432c79 7697 int wc_SetSubjectKeyId(Cert *cert, const char* file)
wolfSSL 4:1b0d80432c79 7698 {
wolfSSL 4:1b0d80432c79 7699 int ret, derSz;
wolfSSL 4:1b0d80432c79 7700 byte* der;
wolfSSL 4:1b0d80432c79 7701 word32 idx;
wolfSSL 4:1b0d80432c79 7702 RsaKey *rsakey = NULL;
wolfSSL 4:1b0d80432c79 7703 ecc_key *eckey = NULL;
wolfSSL 4:1b0d80432c79 7704
wolfSSL 4:1b0d80432c79 7705 if (cert == NULL || file == NULL)
wolfSSL 4:1b0d80432c79 7706 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7707
wolfSSL 4:1b0d80432c79 7708 der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7709 if (der == NULL) {
wolfSSL 4:1b0d80432c79 7710 WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem");
wolfSSL 4:1b0d80432c79 7711 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7712 }
wolfSSL 4:1b0d80432c79 7713
wolfSSL 4:1b0d80432c79 7714 derSz = wolfSSL_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ);
wolfSSL 4:1b0d80432c79 7715 if (derSz <= 0)
wolfSSL 4:1b0d80432c79 7716 {
wolfSSL 4:1b0d80432c79 7717 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7718 return derSz;
wolfSSL 4:1b0d80432c79 7719 }
wolfSSL 4:1b0d80432c79 7720
wolfSSL 4:1b0d80432c79 7721 /* Load PubKey in internal structure */
wolfSSL 4:1b0d80432c79 7722 rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 7723 if (rsakey == NULL) {
wolfSSL 4:1b0d80432c79 7724 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7725 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7726 }
wolfSSL 4:1b0d80432c79 7727
wolfSSL 4:1b0d80432c79 7728 if (wc_InitRsaKey(rsakey, NULL) != 0) {
wolfSSL 4:1b0d80432c79 7729 WOLFSSL_MSG("wc_InitRsaKey failure");
wolfSSL 4:1b0d80432c79 7730 XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 7731 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7732 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7733 }
wolfSSL 4:1b0d80432c79 7734
wolfSSL 4:1b0d80432c79 7735 idx = 0;
wolfSSL 4:1b0d80432c79 7736 ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
wolfSSL 4:1b0d80432c79 7737 if (ret != 0) {
wolfSSL 4:1b0d80432c79 7738 WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
wolfSSL 4:1b0d80432c79 7739 wc_FreeRsaKey(rsakey);
wolfSSL 4:1b0d80432c79 7740 XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 7741 rsakey = NULL;
wolfSSL 4:1b0d80432c79 7742 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 7743 /* Check to load ecc public key */
wolfSSL 4:1b0d80432c79 7744 eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC);
wolfSSL 4:1b0d80432c79 7745 if (eckey == NULL) {
wolfSSL 4:1b0d80432c79 7746 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7747 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7748 }
wolfSSL 4:1b0d80432c79 7749
wolfSSL 4:1b0d80432c79 7750 if (wc_ecc_init(eckey) != 0) {
wolfSSL 4:1b0d80432c79 7751 WOLFSSL_MSG("wc_ecc_init failure");
wolfSSL 4:1b0d80432c79 7752 wc_ecc_free(eckey);
wolfSSL 4:1b0d80432c79 7753 XFREE(eckey, NULL, DYNAMIC_TYPE_ECC);
wolfSSL 4:1b0d80432c79 7754 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7755 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7756 }
wolfSSL 4:1b0d80432c79 7757
wolfSSL 4:1b0d80432c79 7758 idx = 0;
wolfSSL 4:1b0d80432c79 7759 ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz);
wolfSSL 4:1b0d80432c79 7760 if (ret != 0) {
wolfSSL 4:1b0d80432c79 7761 WOLFSSL_MSG("wc_EccPublicKeyDecode failed");
wolfSSL 4:1b0d80432c79 7762 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7763 wc_ecc_free(eckey);
wolfSSL 4:1b0d80432c79 7764 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7765 }
wolfSSL 4:1b0d80432c79 7766 #else
wolfSSL 4:1b0d80432c79 7767 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7768 return PUBLIC_KEY_E;
wolfSSL 4:1b0d80432c79 7769 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 7770 }
wolfSSL 4:1b0d80432c79 7771
wolfSSL 4:1b0d80432c79 7772 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7773
wolfSSL 4:1b0d80432c79 7774 ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
wolfSSL 4:1b0d80432c79 7775
wolfSSL 4:1b0d80432c79 7776 wc_FreeRsaKey(rsakey);
wolfSSL 4:1b0d80432c79 7777 XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA);
wolfSSL 4:1b0d80432c79 7778 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 7779 wc_ecc_free(eckey);
wolfSSL 4:1b0d80432c79 7780 XFREE(eckey, NULL, DYNAMIC_TYPE_ECC);
wolfSSL 4:1b0d80432c79 7781 #endif
wolfSSL 4:1b0d80432c79 7782 return ret;
wolfSSL 4:1b0d80432c79 7783 }
wolfSSL 4:1b0d80432c79 7784
wolfSSL 4:1b0d80432c79 7785 #endif /* NO_FILESYSTEM */
wolfSSL 4:1b0d80432c79 7786
wolfSSL 4:1b0d80432c79 7787 /* Set AKID from certificate contains in buffer (DER encoded) */
wolfSSL 4:1b0d80432c79 7788 int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
wolfSSL 4:1b0d80432c79 7789 {
wolfSSL 4:1b0d80432c79 7790 int ret;
wolfSSL 4:1b0d80432c79 7791
wolfSSL 4:1b0d80432c79 7792 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7793 DecodedCert* decoded;
wolfSSL 4:1b0d80432c79 7794 #else
wolfSSL 4:1b0d80432c79 7795 DecodedCert decoded[1];
wolfSSL 4:1b0d80432c79 7796 #endif
wolfSSL 4:1b0d80432c79 7797
wolfSSL 4:1b0d80432c79 7798 if (cert == NULL || der == NULL || derSz <= 0)
wolfSSL 4:1b0d80432c79 7799 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7800
wolfSSL 4:1b0d80432c79 7801 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7802 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert),
wolfSSL 4:1b0d80432c79 7803 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7804 if (decoded == NULL)
wolfSSL 4:1b0d80432c79 7805 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7806 #endif
wolfSSL 4:1b0d80432c79 7807
wolfSSL 4:1b0d80432c79 7808 /* decode certificate and get SKID that will be AKID of current cert */
wolfSSL 4:1b0d80432c79 7809 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 4:1b0d80432c79 7810 ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);
wolfSSL 4:1b0d80432c79 7811 if (ret != 0) {
wolfSSL 4:1b0d80432c79 7812 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 7813 return ret;
wolfSSL 4:1b0d80432c79 7814 }
wolfSSL 4:1b0d80432c79 7815
wolfSSL 4:1b0d80432c79 7816 /* Subject Key Id not found !! */
wolfSSL 4:1b0d80432c79 7817 if (decoded->extSubjKeyIdSet == 0) {
wolfSSL 4:1b0d80432c79 7818 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 7819 return ASN_NO_SKID;
wolfSSL 4:1b0d80432c79 7820 }
wolfSSL 4:1b0d80432c79 7821
wolfSSL 4:1b0d80432c79 7822 /* SKID invalid size */
wolfSSL 4:1b0d80432c79 7823 if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) {
wolfSSL 4:1b0d80432c79 7824 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 7825 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7826 }
wolfSSL 4:1b0d80432c79 7827
wolfSSL 4:1b0d80432c79 7828 /* Put the SKID of CA to AKID of certificate */
wolfSSL 4:1b0d80432c79 7829 XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 7830 cert->akidSz = KEYID_SIZE;
wolfSSL 4:1b0d80432c79 7831
wolfSSL 4:1b0d80432c79 7832 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 7833 return 0;
wolfSSL 4:1b0d80432c79 7834 }
wolfSSL 4:1b0d80432c79 7835
wolfSSL 4:1b0d80432c79 7836
wolfSSL 4:1b0d80432c79 7837 #ifndef NO_FILESYSTEM
wolfSSL 4:1b0d80432c79 7838
wolfSSL 4:1b0d80432c79 7839 /* Set AKID from certificate file in PEM */
wolfSSL 4:1b0d80432c79 7840 int wc_SetAuthKeyId(Cert *cert, const char* file)
wolfSSL 4:1b0d80432c79 7841 {
wolfSSL 4:1b0d80432c79 7842 int ret;
wolfSSL 4:1b0d80432c79 7843 int derSz;
wolfSSL 4:1b0d80432c79 7844 byte* der;
wolfSSL 4:1b0d80432c79 7845
wolfSSL 4:1b0d80432c79 7846 if (cert == NULL || file == NULL)
wolfSSL 4:1b0d80432c79 7847 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7848
wolfSSL 4:1b0d80432c79 7849 der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7850 if (der == NULL) {
wolfSSL 4:1b0d80432c79 7851 WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem");
wolfSSL 4:1b0d80432c79 7852 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7853 }
wolfSSL 4:1b0d80432c79 7854
wolfSSL 4:1b0d80432c79 7855 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 4:1b0d80432c79 7856 if (derSz <= 0)
wolfSSL 4:1b0d80432c79 7857 {
wolfSSL 4:1b0d80432c79 7858 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7859 return derSz;
wolfSSL 4:1b0d80432c79 7860 }
wolfSSL 4:1b0d80432c79 7861
wolfSSL 4:1b0d80432c79 7862 ret = wc_SetAuthKeyIdFromCert(cert, der, derSz);
wolfSSL 4:1b0d80432c79 7863 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 7864
wolfSSL 4:1b0d80432c79 7865 return ret;
wolfSSL 4:1b0d80432c79 7866 }
wolfSSL 4:1b0d80432c79 7867
wolfSSL 4:1b0d80432c79 7868 #endif /* NO_FILESYSTEM */
wolfSSL 4:1b0d80432c79 7869
wolfSSL 4:1b0d80432c79 7870 /* Set KeyUsage from human readable string */
wolfSSL 4:1b0d80432c79 7871 int wc_SetKeyUsage(Cert *cert, const char *value)
wolfSSL 4:1b0d80432c79 7872 {
wolfSSL 4:1b0d80432c79 7873 char *token, *str, *ptr;
wolfSSL 4:1b0d80432c79 7874 word32 len;
wolfSSL 4:1b0d80432c79 7875
wolfSSL 4:1b0d80432c79 7876 if (cert == NULL || value == NULL)
wolfSSL 4:1b0d80432c79 7877 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 7878
wolfSSL 4:1b0d80432c79 7879 cert->keyUsage = 0;
wolfSSL 4:1b0d80432c79 7880
wolfSSL 4:1b0d80432c79 7881 str = (char *)XMALLOC(XSTRLEN(value)+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7882 if (str == NULL)
wolfSSL 4:1b0d80432c79 7883 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7884
wolfSSL 4:1b0d80432c79 7885 XMEMSET(str, 0, XSTRLEN(value)+1);
wolfSSL 4:1b0d80432c79 7886 XSTRNCPY(str, value, XSTRLEN(value));
wolfSSL 4:1b0d80432c79 7887
wolfSSL 4:1b0d80432c79 7888 /* parse value, and set corresponding Key Usage value */
wolfSSL 4:1b0d80432c79 7889 token = XSTRTOK(str, ",", &ptr);
wolfSSL 4:1b0d80432c79 7890 while (token != NULL)
wolfSSL 4:1b0d80432c79 7891 {
wolfSSL 4:1b0d80432c79 7892 len = (word32)XSTRLEN(token);
wolfSSL 4:1b0d80432c79 7893
wolfSSL 4:1b0d80432c79 7894 if (!XSTRNCASECMP(token, "digitalSignature", len))
wolfSSL 4:1b0d80432c79 7895 cert->keyUsage |= KEYUSE_DIGITAL_SIG;
wolfSSL 4:1b0d80432c79 7896 else if (!XSTRNCASECMP(token, "nonRepudiation", len) ||
wolfSSL 4:1b0d80432c79 7897 !XSTRNCASECMP(token, "contentCommitment", len))
wolfSSL 4:1b0d80432c79 7898 cert->keyUsage |= KEYUSE_CONTENT_COMMIT;
wolfSSL 4:1b0d80432c79 7899 else if (!XSTRNCASECMP(token, "keyEncipherment", len))
wolfSSL 4:1b0d80432c79 7900 cert->keyUsage |= KEYUSE_KEY_ENCIPHER;
wolfSSL 4:1b0d80432c79 7901 else if (!XSTRNCASECMP(token, "dataEncipherment", len))
wolfSSL 4:1b0d80432c79 7902 cert->keyUsage |= KEYUSE_DATA_ENCIPHER;
wolfSSL 4:1b0d80432c79 7903 else if (!XSTRNCASECMP(token, "keyAgreement", len))
wolfSSL 4:1b0d80432c79 7904 cert->keyUsage |= KEYUSE_KEY_AGREE;
wolfSSL 4:1b0d80432c79 7905 else if (!XSTRNCASECMP(token, "keyCertSign", len))
wolfSSL 4:1b0d80432c79 7906 cert->keyUsage |= KEYUSE_KEY_CERT_SIGN;
wolfSSL 4:1b0d80432c79 7907 else if (!XSTRNCASECMP(token, "cRLSign", len))
wolfSSL 4:1b0d80432c79 7908 cert->keyUsage |= KEYUSE_CRL_SIGN;
wolfSSL 4:1b0d80432c79 7909 else if (!XSTRNCASECMP(token, "encipherOnly", len))
wolfSSL 4:1b0d80432c79 7910 cert->keyUsage |= KEYUSE_ENCIPHER_ONLY;
wolfSSL 4:1b0d80432c79 7911 else if (!XSTRNCASECMP(token, "decipherOnly", len))
wolfSSL 4:1b0d80432c79 7912 cert->keyUsage |= KEYUSE_DECIPHER_ONLY;
wolfSSL 4:1b0d80432c79 7913 else
wolfSSL 4:1b0d80432c79 7914 return KEYUSAGE_E;
wolfSSL 4:1b0d80432c79 7915
wolfSSL 4:1b0d80432c79 7916 token = XSTRTOK(NULL, ",", &ptr);
wolfSSL 4:1b0d80432c79 7917 }
wolfSSL 4:1b0d80432c79 7918
wolfSSL 4:1b0d80432c79 7919 XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7920 return 0;
wolfSSL 4:1b0d80432c79 7921 }
wolfSSL 4:1b0d80432c79 7922 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 4:1b0d80432c79 7923
wolfSSL 4:1b0d80432c79 7924
wolfSSL 4:1b0d80432c79 7925 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 7926
wolfSSL 4:1b0d80432c79 7927 /* Set Alt Names from der cert, return 0 on success */
wolfSSL 4:1b0d80432c79 7928 static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 7929 {
wolfSSL 4:1b0d80432c79 7930 int ret;
wolfSSL 4:1b0d80432c79 7931 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7932 DecodedCert* decoded;
wolfSSL 4:1b0d80432c79 7933 #else
wolfSSL 4:1b0d80432c79 7934 DecodedCert decoded[1];
wolfSSL 4:1b0d80432c79 7935 #endif
wolfSSL 4:1b0d80432c79 7936
wolfSSL 4:1b0d80432c79 7937 if (derSz < 0)
wolfSSL 4:1b0d80432c79 7938 return derSz;
wolfSSL 4:1b0d80432c79 7939
wolfSSL 4:1b0d80432c79 7940 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 7941 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 4:1b0d80432c79 7942 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 7943 if (decoded == NULL)
wolfSSL 4:1b0d80432c79 7944 return MEMORY_E;
wolfSSL 4:1b0d80432c79 7945 #endif
wolfSSL 4:1b0d80432c79 7946
wolfSSL 4:1b0d80432c79 7947 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 4:1b0d80432c79 7948 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 4:1b0d80432c79 7949
wolfSSL 4:1b0d80432c79 7950 if (ret < 0) {
wolfSSL 4:1b0d80432c79 7951 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 4:1b0d80432c79 7952 }
wolfSSL 4:1b0d80432c79 7953 else if (decoded->extensions) {
wolfSSL 4:1b0d80432c79 7954 byte b;
wolfSSL 4:1b0d80432c79 7955 int length;
wolfSSL 4:1b0d80432c79 7956 word32 maxExtensionsIdx;
wolfSSL 4:1b0d80432c79 7957
wolfSSL 4:1b0d80432c79 7958 decoded->srcIdx = decoded->extensionsIdx;
wolfSSL 4:1b0d80432c79 7959 b = decoded->source[decoded->srcIdx++];
wolfSSL 4:1b0d80432c79 7960
wolfSSL 4:1b0d80432c79 7961 if (b != ASN_EXTENSIONS) {
wolfSSL 4:1b0d80432c79 7962 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 7963 }
wolfSSL 4:1b0d80432c79 7964 else if (GetLength(decoded->source, &decoded->srcIdx, &length,
wolfSSL 4:1b0d80432c79 7965 decoded->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 7966 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 7967 }
wolfSSL 4:1b0d80432c79 7968 else if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 4:1b0d80432c79 7969 decoded->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 7970 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 7971 }
wolfSSL 4:1b0d80432c79 7972 else {
wolfSSL 4:1b0d80432c79 7973 maxExtensionsIdx = decoded->srcIdx + length;
wolfSSL 4:1b0d80432c79 7974
wolfSSL 4:1b0d80432c79 7975 while (decoded->srcIdx < maxExtensionsIdx) {
wolfSSL 4:1b0d80432c79 7976 word32 oid;
wolfSSL 4:1b0d80432c79 7977 word32 startIdx = decoded->srcIdx;
wolfSSL 4:1b0d80432c79 7978 word32 tmpIdx;
wolfSSL 4:1b0d80432c79 7979
wolfSSL 4:1b0d80432c79 7980 if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 4:1b0d80432c79 7981 decoded->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 7982 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 7983 break;
wolfSSL 4:1b0d80432c79 7984 }
wolfSSL 4:1b0d80432c79 7985
wolfSSL 4:1b0d80432c79 7986 tmpIdx = decoded->srcIdx;
wolfSSL 4:1b0d80432c79 7987 decoded->srcIdx = startIdx;
wolfSSL 4:1b0d80432c79 7988
wolfSSL 4:1b0d80432c79 7989 if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
wolfSSL 4:1b0d80432c79 7990 certExtType, decoded->maxIdx) < 0) {
wolfSSL 4:1b0d80432c79 7991 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 7992 break;
wolfSSL 4:1b0d80432c79 7993 }
wolfSSL 4:1b0d80432c79 7994
wolfSSL 4:1b0d80432c79 7995 if (oid == ALT_NAMES_OID) {
wolfSSL 4:1b0d80432c79 7996 cert->altNamesSz = length + (tmpIdx - startIdx);
wolfSSL 4:1b0d80432c79 7997
wolfSSL 4:1b0d80432c79 7998 if (cert->altNamesSz < (int)sizeof(cert->altNames))
wolfSSL 4:1b0d80432c79 7999 XMEMCPY(cert->altNames, &decoded->source[startIdx],
wolfSSL 4:1b0d80432c79 8000 cert->altNamesSz);
wolfSSL 4:1b0d80432c79 8001 else {
wolfSSL 4:1b0d80432c79 8002 cert->altNamesSz = 0;
wolfSSL 4:1b0d80432c79 8003 WOLFSSL_MSG("AltNames extensions too big");
wolfSSL 4:1b0d80432c79 8004 ret = ALT_NAME_E;
wolfSSL 4:1b0d80432c79 8005 break;
wolfSSL 4:1b0d80432c79 8006 }
wolfSSL 4:1b0d80432c79 8007 }
wolfSSL 4:1b0d80432c79 8008 decoded->srcIdx = tmpIdx + length;
wolfSSL 4:1b0d80432c79 8009 }
wolfSSL 4:1b0d80432c79 8010 }
wolfSSL 4:1b0d80432c79 8011 }
wolfSSL 4:1b0d80432c79 8012
wolfSSL 4:1b0d80432c79 8013 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 8014 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8015 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8016 #endif
wolfSSL 4:1b0d80432c79 8017
wolfSSL 4:1b0d80432c79 8018 return ret < 0 ? ret : 0;
wolfSSL 4:1b0d80432c79 8019 }
wolfSSL 4:1b0d80432c79 8020
wolfSSL 4:1b0d80432c79 8021
wolfSSL 4:1b0d80432c79 8022 /* Set Dates from der cert, return 0 on success */
wolfSSL 4:1b0d80432c79 8023 static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8024 {
wolfSSL 4:1b0d80432c79 8025 int ret;
wolfSSL 4:1b0d80432c79 8026 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8027 DecodedCert* decoded;
wolfSSL 4:1b0d80432c79 8028 #else
wolfSSL 4:1b0d80432c79 8029 DecodedCert decoded[1];
wolfSSL 4:1b0d80432c79 8030 #endif
wolfSSL 4:1b0d80432c79 8031
wolfSSL 4:1b0d80432c79 8032 WOLFSSL_ENTER("SetDatesFromCert");
wolfSSL 4:1b0d80432c79 8033 if (derSz < 0)
wolfSSL 4:1b0d80432c79 8034 return derSz;
wolfSSL 4:1b0d80432c79 8035
wolfSSL 4:1b0d80432c79 8036 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8037 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 4:1b0d80432c79 8038 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8039 if (decoded == NULL)
wolfSSL 4:1b0d80432c79 8040 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8041 #endif
wolfSSL 4:1b0d80432c79 8042
wolfSSL 4:1b0d80432c79 8043 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 4:1b0d80432c79 8044 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 4:1b0d80432c79 8045
wolfSSL 4:1b0d80432c79 8046 if (ret < 0) {
wolfSSL 4:1b0d80432c79 8047 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 4:1b0d80432c79 8048 }
wolfSSL 4:1b0d80432c79 8049 else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) {
wolfSSL 4:1b0d80432c79 8050 WOLFSSL_MSG("Couldn't extract dates");
wolfSSL 4:1b0d80432c79 8051 ret = -1;
wolfSSL 4:1b0d80432c79 8052 }
wolfSSL 4:1b0d80432c79 8053 else if (decoded->beforeDateLen > MAX_DATE_SIZE ||
wolfSSL 4:1b0d80432c79 8054 decoded->afterDateLen > MAX_DATE_SIZE) {
wolfSSL 4:1b0d80432c79 8055 WOLFSSL_MSG("Bad date size");
wolfSSL 4:1b0d80432c79 8056 ret = -1;
wolfSSL 4:1b0d80432c79 8057 }
wolfSSL 4:1b0d80432c79 8058 else {
wolfSSL 4:1b0d80432c79 8059 XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen);
wolfSSL 4:1b0d80432c79 8060 XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen);
wolfSSL 4:1b0d80432c79 8061
wolfSSL 4:1b0d80432c79 8062 cert->beforeDateSz = decoded->beforeDateLen;
wolfSSL 4:1b0d80432c79 8063 cert->afterDateSz = decoded->afterDateLen;
wolfSSL 4:1b0d80432c79 8064 }
wolfSSL 4:1b0d80432c79 8065
wolfSSL 4:1b0d80432c79 8066 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 8067
wolfSSL 4:1b0d80432c79 8068 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8069 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8070 #endif
wolfSSL 4:1b0d80432c79 8071
wolfSSL 4:1b0d80432c79 8072 return ret < 0 ? ret : 0;
wolfSSL 4:1b0d80432c79 8073 }
wolfSSL 4:1b0d80432c79 8074
wolfSSL 4:1b0d80432c79 8075
wolfSSL 4:1b0d80432c79 8076 #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
wolfSSL 4:1b0d80432c79 8077
wolfSSL 4:1b0d80432c79 8078
wolfSSL 4:1b0d80432c79 8079 /* Set cn name from der buffer, return 0 on success */
wolfSSL 4:1b0d80432c79 8080 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8081 {
wolfSSL 4:1b0d80432c79 8082 int ret, sz;
wolfSSL 4:1b0d80432c79 8083 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8084 DecodedCert* decoded;
wolfSSL 4:1b0d80432c79 8085 #else
wolfSSL 4:1b0d80432c79 8086 DecodedCert decoded[1];
wolfSSL 4:1b0d80432c79 8087 #endif
wolfSSL 4:1b0d80432c79 8088
wolfSSL 4:1b0d80432c79 8089 if (derSz < 0)
wolfSSL 4:1b0d80432c79 8090 return derSz;
wolfSSL 4:1b0d80432c79 8091
wolfSSL 4:1b0d80432c79 8092 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8093 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 4:1b0d80432c79 8094 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8095 if (decoded == NULL)
wolfSSL 4:1b0d80432c79 8096 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8097 #endif
wolfSSL 4:1b0d80432c79 8098
wolfSSL 4:1b0d80432c79 8099 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 4:1b0d80432c79 8100 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 4:1b0d80432c79 8101
wolfSSL 4:1b0d80432c79 8102 if (ret < 0) {
wolfSSL 4:1b0d80432c79 8103 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 4:1b0d80432c79 8104 }
wolfSSL 4:1b0d80432c79 8105 else {
wolfSSL 4:1b0d80432c79 8106 if (decoded->subjectCN) {
wolfSSL 4:1b0d80432c79 8107 sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
wolfSSL 4:1b0d80432c79 8108 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8109 strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8110 cn->commonName[sz] = 0;
wolfSSL 4:1b0d80432c79 8111 cn->commonNameEnc = decoded->subjectCNEnc;
wolfSSL 4:1b0d80432c79 8112 }
wolfSSL 4:1b0d80432c79 8113 if (decoded->subjectC) {
wolfSSL 4:1b0d80432c79 8114 sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
wolfSSL 4:1b0d80432c79 8115 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8116 strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8117 cn->country[sz] = 0;
wolfSSL 4:1b0d80432c79 8118 cn->countryEnc = decoded->subjectCEnc;
wolfSSL 4:1b0d80432c79 8119 }
wolfSSL 4:1b0d80432c79 8120 if (decoded->subjectST) {
wolfSSL 4:1b0d80432c79 8121 sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
wolfSSL 4:1b0d80432c79 8122 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8123 strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8124 cn->state[sz] = 0;
wolfSSL 4:1b0d80432c79 8125 cn->stateEnc = decoded->subjectSTEnc;
wolfSSL 4:1b0d80432c79 8126 }
wolfSSL 4:1b0d80432c79 8127 if (decoded->subjectL) {
wolfSSL 4:1b0d80432c79 8128 sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
wolfSSL 4:1b0d80432c79 8129 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8130 strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8131 cn->locality[sz] = 0;
wolfSSL 4:1b0d80432c79 8132 cn->localityEnc = decoded->subjectLEnc;
wolfSSL 4:1b0d80432c79 8133 }
wolfSSL 4:1b0d80432c79 8134 if (decoded->subjectO) {
wolfSSL 4:1b0d80432c79 8135 sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
wolfSSL 4:1b0d80432c79 8136 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8137 strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8138 cn->org[sz] = 0;
wolfSSL 4:1b0d80432c79 8139 cn->orgEnc = decoded->subjectOEnc;
wolfSSL 4:1b0d80432c79 8140 }
wolfSSL 4:1b0d80432c79 8141 if (decoded->subjectOU) {
wolfSSL 4:1b0d80432c79 8142 sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
wolfSSL 4:1b0d80432c79 8143 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8144 strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8145 cn->unit[sz] = 0;
wolfSSL 4:1b0d80432c79 8146 cn->unitEnc = decoded->subjectOUEnc;
wolfSSL 4:1b0d80432c79 8147 }
wolfSSL 4:1b0d80432c79 8148 if (decoded->subjectSN) {
wolfSSL 4:1b0d80432c79 8149 sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
wolfSSL 4:1b0d80432c79 8150 : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8151 strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8152 cn->sur[sz] = 0;
wolfSSL 4:1b0d80432c79 8153 cn->surEnc = decoded->subjectSNEnc;
wolfSSL 4:1b0d80432c79 8154 }
wolfSSL 4:1b0d80432c79 8155 if (decoded->subjectEmail) {
wolfSSL 4:1b0d80432c79 8156 sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
wolfSSL 4:1b0d80432c79 8157 ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
wolfSSL 4:1b0d80432c79 8158 strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE);
wolfSSL 4:1b0d80432c79 8159 cn->email[sz] = 0;
wolfSSL 4:1b0d80432c79 8160 }
wolfSSL 4:1b0d80432c79 8161 }
wolfSSL 4:1b0d80432c79 8162
wolfSSL 4:1b0d80432c79 8163 FreeDecodedCert(decoded);
wolfSSL 4:1b0d80432c79 8164
wolfSSL 4:1b0d80432c79 8165 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8166 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8167 #endif
wolfSSL 4:1b0d80432c79 8168
wolfSSL 4:1b0d80432c79 8169 return ret < 0 ? ret : 0;
wolfSSL 4:1b0d80432c79 8170 }
wolfSSL 4:1b0d80432c79 8171
wolfSSL 4:1b0d80432c79 8172
wolfSSL 4:1b0d80432c79 8173 #ifndef NO_FILESYSTEM
wolfSSL 4:1b0d80432c79 8174
wolfSSL 4:1b0d80432c79 8175 /* Set cert issuer from issuerFile in PEM */
wolfSSL 4:1b0d80432c79 8176 int wc_SetIssuer(Cert* cert, const char* issuerFile)
wolfSSL 4:1b0d80432c79 8177 {
wolfSSL 4:1b0d80432c79 8178 int ret;
wolfSSL 4:1b0d80432c79 8179 int derSz;
wolfSSL 4:1b0d80432c79 8180 byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8181
wolfSSL 4:1b0d80432c79 8182 if (der == NULL) {
wolfSSL 4:1b0d80432c79 8183 WOLFSSL_MSG("wc_SetIssuer OOF Problem");
wolfSSL 4:1b0d80432c79 8184 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8185 }
wolfSSL 4:1b0d80432c79 8186 derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF);
wolfSSL 4:1b0d80432c79 8187 cert->selfSigned = 0;
wolfSSL 4:1b0d80432c79 8188 ret = SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 4:1b0d80432c79 8189 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8190
wolfSSL 4:1b0d80432c79 8191 return ret;
wolfSSL 4:1b0d80432c79 8192 }
wolfSSL 4:1b0d80432c79 8193
wolfSSL 4:1b0d80432c79 8194
wolfSSL 4:1b0d80432c79 8195 /* Set cert subject from subjectFile in PEM */
wolfSSL 4:1b0d80432c79 8196 int wc_SetSubject(Cert* cert, const char* subjectFile)
wolfSSL 4:1b0d80432c79 8197 {
wolfSSL 4:1b0d80432c79 8198 int ret;
wolfSSL 4:1b0d80432c79 8199 int derSz;
wolfSSL 4:1b0d80432c79 8200 byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8201
wolfSSL 4:1b0d80432c79 8202 if (der == NULL) {
wolfSSL 4:1b0d80432c79 8203 WOLFSSL_MSG("wc_SetSubject OOF Problem");
wolfSSL 4:1b0d80432c79 8204 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8205 }
wolfSSL 4:1b0d80432c79 8206 derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF);
wolfSSL 4:1b0d80432c79 8207 ret = SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 4:1b0d80432c79 8208 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8209
wolfSSL 4:1b0d80432c79 8210 return ret;
wolfSSL 4:1b0d80432c79 8211 }
wolfSSL 4:1b0d80432c79 8212
wolfSSL 4:1b0d80432c79 8213
wolfSSL 4:1b0d80432c79 8214 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 8215
wolfSSL 4:1b0d80432c79 8216 /* Set atl names from file in PEM */
wolfSSL 4:1b0d80432c79 8217 int wc_SetAltNames(Cert* cert, const char* file)
wolfSSL 4:1b0d80432c79 8218 {
wolfSSL 4:1b0d80432c79 8219 int ret;
wolfSSL 4:1b0d80432c79 8220 int derSz;
wolfSSL 4:1b0d80432c79 8221 byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8222
wolfSSL 4:1b0d80432c79 8223 if (der == NULL) {
wolfSSL 4:1b0d80432c79 8224 WOLFSSL_MSG("wc_SetAltNames OOF Problem");
wolfSSL 4:1b0d80432c79 8225 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8226 }
wolfSSL 4:1b0d80432c79 8227 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 4:1b0d80432c79 8228 ret = SetAltNamesFromCert(cert, der, derSz);
wolfSSL 4:1b0d80432c79 8229 XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL 4:1b0d80432c79 8230
wolfSSL 4:1b0d80432c79 8231 return ret;
wolfSSL 4:1b0d80432c79 8232 }
wolfSSL 4:1b0d80432c79 8233
wolfSSL 4:1b0d80432c79 8234 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 4:1b0d80432c79 8235
wolfSSL 4:1b0d80432c79 8236 #endif /* NO_FILESYSTEM */
wolfSSL 4:1b0d80432c79 8237
wolfSSL 4:1b0d80432c79 8238 /* Set cert issuer from DER buffer */
wolfSSL 4:1b0d80432c79 8239 int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8240 {
wolfSSL 4:1b0d80432c79 8241 cert->selfSigned = 0;
wolfSSL 4:1b0d80432c79 8242 return SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 4:1b0d80432c79 8243 }
wolfSSL 4:1b0d80432c79 8244
wolfSSL 4:1b0d80432c79 8245
wolfSSL 4:1b0d80432c79 8246 /* Set cert subject from DER buffer */
wolfSSL 4:1b0d80432c79 8247 int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8248 {
wolfSSL 4:1b0d80432c79 8249 return SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 4:1b0d80432c79 8250 }
wolfSSL 4:1b0d80432c79 8251
wolfSSL 4:1b0d80432c79 8252
wolfSSL 4:1b0d80432c79 8253 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 4:1b0d80432c79 8254
wolfSSL 4:1b0d80432c79 8255 /* Set cert alt names from DER buffer */
wolfSSL 4:1b0d80432c79 8256 int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8257 {
wolfSSL 4:1b0d80432c79 8258 return SetAltNamesFromCert(cert, der, derSz);
wolfSSL 4:1b0d80432c79 8259 }
wolfSSL 4:1b0d80432c79 8260
wolfSSL 4:1b0d80432c79 8261 /* Set cert dates from DER buffer */
wolfSSL 4:1b0d80432c79 8262 int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 4:1b0d80432c79 8263 {
wolfSSL 4:1b0d80432c79 8264 return SetDatesFromCert(cert, der, derSz);
wolfSSL 4:1b0d80432c79 8265 }
wolfSSL 4:1b0d80432c79 8266
wolfSSL 4:1b0d80432c79 8267 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 4:1b0d80432c79 8268
wolfSSL 4:1b0d80432c79 8269 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 4:1b0d80432c79 8270
wolfSSL 4:1b0d80432c79 8271
wolfSSL 4:1b0d80432c79 8272 #ifdef HAVE_ECC
wolfSSL 4:1b0d80432c79 8273
wolfSSL 4:1b0d80432c79 8274 /* Der Encode r & s ints into out, outLen is (in/out) size */
wolfSSL 4:1b0d80432c79 8275 int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
wolfSSL 4:1b0d80432c79 8276 {
wolfSSL 4:1b0d80432c79 8277 word32 idx = 0;
wolfSSL 4:1b0d80432c79 8278 word32 rSz; /* encoding size */
wolfSSL 4:1b0d80432c79 8279 word32 sSz;
wolfSSL 4:1b0d80432c79 8280 word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */
wolfSSL 4:1b0d80432c79 8281
wolfSSL 4:1b0d80432c79 8282 /* If the leading bit on the INTEGER is a 1, add a leading zero */
wolfSSL 4:1b0d80432c79 8283 int rLeadingZero = mp_leading_bit(r);
wolfSSL 4:1b0d80432c79 8284 int sLeadingZero = mp_leading_bit(s);
wolfSSL 4:1b0d80432c79 8285 int rLen = mp_unsigned_bin_size(r); /* big int size */
wolfSSL 4:1b0d80432c79 8286 int sLen = mp_unsigned_bin_size(s);
wolfSSL 4:1b0d80432c79 8287 int err;
wolfSSL 4:1b0d80432c79 8288
wolfSSL 4:1b0d80432c79 8289 if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
wolfSSL 4:1b0d80432c79 8290 headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
wolfSSL 4:1b0d80432c79 8291 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 8292
wolfSSL 4:1b0d80432c79 8293 idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out);
wolfSSL 4:1b0d80432c79 8294
wolfSSL 4:1b0d80432c79 8295 /* store r */
wolfSSL 4:1b0d80432c79 8296 out[idx++] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 8297 rSz = SetLength(rLen + rLeadingZero, &out[idx]);
wolfSSL 4:1b0d80432c79 8298 idx += rSz;
wolfSSL 4:1b0d80432c79 8299 if (rLeadingZero)
wolfSSL 4:1b0d80432c79 8300 out[idx++] = 0;
wolfSSL 4:1b0d80432c79 8301 err = mp_to_unsigned_bin(r, &out[idx]);
wolfSSL 4:1b0d80432c79 8302 if (err != MP_OKAY) return err;
wolfSSL 4:1b0d80432c79 8303 idx += rLen;
wolfSSL 4:1b0d80432c79 8304
wolfSSL 4:1b0d80432c79 8305 /* store s */
wolfSSL 4:1b0d80432c79 8306 out[idx++] = ASN_INTEGER;
wolfSSL 4:1b0d80432c79 8307 sSz = SetLength(sLen + sLeadingZero, &out[idx]);
wolfSSL 4:1b0d80432c79 8308 idx += sSz;
wolfSSL 4:1b0d80432c79 8309 if (sLeadingZero)
wolfSSL 4:1b0d80432c79 8310 out[idx++] = 0;
wolfSSL 4:1b0d80432c79 8311 err = mp_to_unsigned_bin(s, &out[idx]);
wolfSSL 4:1b0d80432c79 8312 if (err != MP_OKAY) return err;
wolfSSL 4:1b0d80432c79 8313 idx += sLen;
wolfSSL 4:1b0d80432c79 8314
wolfSSL 4:1b0d80432c79 8315 *outLen = idx;
wolfSSL 4:1b0d80432c79 8316
wolfSSL 4:1b0d80432c79 8317 return 0;
wolfSSL 4:1b0d80432c79 8318 }
wolfSSL 4:1b0d80432c79 8319
wolfSSL 4:1b0d80432c79 8320
wolfSSL 4:1b0d80432c79 8321 /* Der Decode ECC-DSA Signature, r & s stored as big ints */
wolfSSL 4:1b0d80432c79 8322 int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
wolfSSL 4:1b0d80432c79 8323 {
wolfSSL 4:1b0d80432c79 8324 word32 idx = 0;
wolfSSL 4:1b0d80432c79 8325 int len = 0;
wolfSSL 4:1b0d80432c79 8326
wolfSSL 4:1b0d80432c79 8327 if (GetSequence(sig, &idx, &len, sigLen) < 0)
wolfSSL 4:1b0d80432c79 8328 return ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8329
wolfSSL 4:1b0d80432c79 8330 if ((word32)len > (sigLen - idx))
wolfSSL 4:1b0d80432c79 8331 return ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8332
wolfSSL 4:1b0d80432c79 8333 if (GetInt(r, sig, &idx, sigLen) < 0)
wolfSSL 4:1b0d80432c79 8334 return ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8335
wolfSSL 4:1b0d80432c79 8336 if (GetInt(s, sig, &idx, sigLen) < 0)
wolfSSL 4:1b0d80432c79 8337 return ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8338
wolfSSL 4:1b0d80432c79 8339 return 0;
wolfSSL 4:1b0d80432c79 8340 }
wolfSSL 4:1b0d80432c79 8341
wolfSSL 4:1b0d80432c79 8342
wolfSSL 4:1b0d80432c79 8343 int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
wolfSSL 4:1b0d80432c79 8344 word32 inSz)
wolfSSL 4:1b0d80432c79 8345 {
wolfSSL 4:1b0d80432c79 8346 word32 oid = 0;
wolfSSL 4:1b0d80432c79 8347 int version, length;
wolfSSL 4:1b0d80432c79 8348 int privSz, pubSz;
wolfSSL 4:1b0d80432c79 8349 byte b;
wolfSSL 4:1b0d80432c79 8350 int ret = 0;
wolfSSL 4:1b0d80432c79 8351 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8352 byte* priv;
wolfSSL 4:1b0d80432c79 8353 byte* pub;
wolfSSL 4:1b0d80432c79 8354 #else
wolfSSL 4:1b0d80432c79 8355 byte priv[ECC_MAXSIZE+1];
wolfSSL 4:1b0d80432c79 8356 byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */
wolfSSL 4:1b0d80432c79 8357 #endif
wolfSSL 4:1b0d80432c79 8358
wolfSSL 4:1b0d80432c79 8359 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 4:1b0d80432c79 8360 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 8361
wolfSSL 4:1b0d80432c79 8362 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8363 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8364
wolfSSL 4:1b0d80432c79 8365 if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL 4:1b0d80432c79 8366 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8367
wolfSSL 4:1b0d80432c79 8368 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8369 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8370
wolfSSL 4:1b0d80432c79 8371 /* priv type */
wolfSSL 4:1b0d80432c79 8372 if (b != 4 && b != 6 && b != 7)
wolfSSL 4:1b0d80432c79 8373 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8374
wolfSSL 4:1b0d80432c79 8375 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8376 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8377
wolfSSL 4:1b0d80432c79 8378 if (length > ECC_MAXSIZE)
wolfSSL 4:1b0d80432c79 8379 return BUFFER_E;
wolfSSL 4:1b0d80432c79 8380
wolfSSL 4:1b0d80432c79 8381 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8382 priv = (byte*)XMALLOC(ECC_MAXSIZE+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8383 if (priv == NULL)
wolfSSL 4:1b0d80432c79 8384 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8385
wolfSSL 4:1b0d80432c79 8386 pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8387 if (pub == NULL) {
wolfSSL 4:1b0d80432c79 8388 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8389 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8390 }
wolfSSL 4:1b0d80432c79 8391 #endif
wolfSSL 4:1b0d80432c79 8392
wolfSSL 4:1b0d80432c79 8393 /* priv key */
wolfSSL 4:1b0d80432c79 8394 privSz = length;
wolfSSL 4:1b0d80432c79 8395 XMEMCPY(priv, &input[*inOutIdx], privSz);
wolfSSL 4:1b0d80432c79 8396 *inOutIdx += length;
wolfSSL 4:1b0d80432c79 8397
wolfSSL 4:1b0d80432c79 8398 /* prefix 0, may have */
wolfSSL 4:1b0d80432c79 8399 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8400 if (b == ECC_PREFIX_0) {
wolfSSL 4:1b0d80432c79 8401 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8402
wolfSSL 4:1b0d80432c79 8403 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8404 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8405 else {
wolfSSL 4:1b0d80432c79 8406 /* object id */
wolfSSL 4:1b0d80432c79 8407 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8408 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8409
wolfSSL 4:1b0d80432c79 8410 if (b != ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 8411 ret = ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 8412 }
wolfSSL 4:1b0d80432c79 8413 else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL 4:1b0d80432c79 8414 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8415 }
wolfSSL 4:1b0d80432c79 8416 else {
wolfSSL 4:1b0d80432c79 8417 while(length--) {
wolfSSL 4:1b0d80432c79 8418 oid += input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8419 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8420 }
wolfSSL 4:1b0d80432c79 8421 if (CheckCurve(oid) < 0)
wolfSSL 4:1b0d80432c79 8422 ret = ECC_CURVE_OID_E;
wolfSSL 4:1b0d80432c79 8423 }
wolfSSL 4:1b0d80432c79 8424 }
wolfSSL 4:1b0d80432c79 8425 }
wolfSSL 4:1b0d80432c79 8426
wolfSSL 4:1b0d80432c79 8427 if (ret == 0) {
wolfSSL 4:1b0d80432c79 8428 /* prefix 1 */
wolfSSL 4:1b0d80432c79 8429 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8430 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8431
wolfSSL 4:1b0d80432c79 8432 if (b != ECC_PREFIX_1) {
wolfSSL 4:1b0d80432c79 8433 ret = ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8434 }
wolfSSL 4:1b0d80432c79 8435 else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL 4:1b0d80432c79 8436 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8437 }
wolfSSL 4:1b0d80432c79 8438 else {
wolfSSL 4:1b0d80432c79 8439 /* key header */
wolfSSL 4:1b0d80432c79 8440 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8441 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8442
wolfSSL 4:1b0d80432c79 8443 if (b != ASN_BIT_STRING) {
wolfSSL 4:1b0d80432c79 8444 ret = ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 8445 }
wolfSSL 4:1b0d80432c79 8446 else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL 4:1b0d80432c79 8447 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8448 }
wolfSSL 4:1b0d80432c79 8449 else if (length <= 0) {
wolfSSL 4:1b0d80432c79 8450 /* pubkey needs some size */
wolfSSL 4:1b0d80432c79 8451 ret = ASN_INPUT_E;
wolfSSL 4:1b0d80432c79 8452 }
wolfSSL 4:1b0d80432c79 8453 else {
wolfSSL 4:1b0d80432c79 8454 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8455 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8456
wolfSSL 4:1b0d80432c79 8457 if (b != 0x00) {
wolfSSL 4:1b0d80432c79 8458 ret = ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 8459 }
wolfSSL 4:1b0d80432c79 8460 else {
wolfSSL 4:1b0d80432c79 8461 /* pub key */
wolfSSL 4:1b0d80432c79 8462 pubSz = length - 1; /* null prefix */
wolfSSL 4:1b0d80432c79 8463 if (pubSz < 2*(ECC_MAXSIZE+1)) {
wolfSSL 4:1b0d80432c79 8464 XMEMCPY(pub, &input[*inOutIdx], pubSz);
wolfSSL 4:1b0d80432c79 8465 *inOutIdx += length;
wolfSSL 4:1b0d80432c79 8466 ret = wc_ecc_import_private_key(priv, privSz, pub, pubSz,
wolfSSL 4:1b0d80432c79 8467 key);
wolfSSL 4:1b0d80432c79 8468 } else
wolfSSL 4:1b0d80432c79 8469 ret = BUFFER_E;
wolfSSL 4:1b0d80432c79 8470 }
wolfSSL 4:1b0d80432c79 8471 }
wolfSSL 4:1b0d80432c79 8472 }
wolfSSL 4:1b0d80432c79 8473 }
wolfSSL 4:1b0d80432c79 8474
wolfSSL 4:1b0d80432c79 8475 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 4:1b0d80432c79 8476 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8477 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8478 #endif
wolfSSL 4:1b0d80432c79 8479
wolfSSL 4:1b0d80432c79 8480 return ret;
wolfSSL 4:1b0d80432c79 8481 }
wolfSSL 4:1b0d80432c79 8482
wolfSSL 4:1b0d80432c79 8483 int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
wolfSSL 4:1b0d80432c79 8484 ecc_key* key, word32 inSz)
wolfSSL 4:1b0d80432c79 8485 {
wolfSSL 4:1b0d80432c79 8486 int length;
wolfSSL 4:1b0d80432c79 8487 int ret = 0;
wolfSSL 4:1b0d80432c79 8488
wolfSSL 4:1b0d80432c79 8489 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 4:1b0d80432c79 8490 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 8491
wolfSSL 4:1b0d80432c79 8492 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8493 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8494
wolfSSL 4:1b0d80432c79 8495 #if defined(OPENSSL_EXTRA) || defined(ECC_DECODE_EXTRA)
wolfSSL 4:1b0d80432c79 8496 {
wolfSSL 4:1b0d80432c79 8497 byte b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8498 if (b != ASN_INTEGER) {
wolfSSL 4:1b0d80432c79 8499 /* not from decoded cert, will have algo id, skip past */
wolfSSL 4:1b0d80432c79 8500 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8501 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8502
wolfSSL 4:1b0d80432c79 8503 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 8504 if (b != ASN_OBJECT_ID)
wolfSSL 4:1b0d80432c79 8505 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 8506
wolfSSL 4:1b0d80432c79 8507 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8508 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8509
wolfSSL 4:1b0d80432c79 8510 *inOutIdx += length; /* skip past */
wolfSSL 4:1b0d80432c79 8511
wolfSSL 4:1b0d80432c79 8512 /* ecc params information */
wolfSSL 4:1b0d80432c79 8513 b = input[(*inOutIdx)++];
wolfSSL 4:1b0d80432c79 8514 if (b != ASN_OBJECT_ID)
wolfSSL 4:1b0d80432c79 8515 return ASN_OBJECT_ID_E;
wolfSSL 4:1b0d80432c79 8516
wolfSSL 4:1b0d80432c79 8517 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8518 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8519
wolfSSL 4:1b0d80432c79 8520 *inOutIdx += length; /* skip past */
wolfSSL 4:1b0d80432c79 8521
wolfSSL 4:1b0d80432c79 8522 /* key header */
wolfSSL 4:1b0d80432c79 8523 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8524 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8525
wolfSSL 4:1b0d80432c79 8526 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 8527 ret = ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 8528 else if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 4:1b0d80432c79 8529 ret = ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8530 else {
wolfSSL 4:1b0d80432c79 8531 b = input[*inOutIdx];
wolfSSL 4:1b0d80432c79 8532 *inOutIdx += 1;
wolfSSL 4:1b0d80432c79 8533
wolfSSL 4:1b0d80432c79 8534 if (b != 0x00)
wolfSSL 4:1b0d80432c79 8535 ret = ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 8536 }
wolfSSL 4:1b0d80432c79 8537 }
wolfSSL 4:1b0d80432c79 8538 } /* openssl var block */
wolfSSL 4:1b0d80432c79 8539 #endif /* OPENSSL_EXTRA */
wolfSSL 4:1b0d80432c79 8540
wolfSSL 4:1b0d80432c79 8541 if (wc_ecc_import_x963(input+*inOutIdx, inSz - *inOutIdx, key) != 0)
wolfSSL 4:1b0d80432c79 8542 return ASN_ECC_KEY_E;
wolfSSL 4:1b0d80432c79 8543
wolfSSL 4:1b0d80432c79 8544 return ret;
wolfSSL 4:1b0d80432c79 8545 }
wolfSSL 4:1b0d80432c79 8546
wolfSSL 4:1b0d80432c79 8547
wolfSSL 4:1b0d80432c79 8548 #ifdef WOLFSSL_KEY_GEN
wolfSSL 4:1b0d80432c79 8549
wolfSSL 4:1b0d80432c79 8550 /* Write a Private ecc key to DER format, length on success else < 0 */
wolfSSL 4:1b0d80432c79 8551 int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
wolfSSL 4:1b0d80432c79 8552 {
wolfSSL 4:1b0d80432c79 8553 byte curve[MAX_ALGO_SZ+2];
wolfSSL 4:1b0d80432c79 8554 byte ver[MAX_VERSION_SZ];
wolfSSL 4:1b0d80432c79 8555 byte seq[MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 8556 byte *prv, *pub;
wolfSSL 4:1b0d80432c79 8557 int ret, totalSz, curveSz, verSz;
wolfSSL 4:1b0d80432c79 8558 int privHdrSz = ASN_ECC_HEADER_SZ;
wolfSSL 4:1b0d80432c79 8559 int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ;
wolfSSL 4:1b0d80432c79 8560
wolfSSL 4:1b0d80432c79 8561 word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0;
wolfSSL 4:1b0d80432c79 8562 word32 seqSz, privSz, pubSz = ECC_BUFSIZE;
wolfSSL 4:1b0d80432c79 8563
wolfSSL 4:1b0d80432c79 8564 if (key == NULL || output == NULL || inLen == 0)
wolfSSL 4:1b0d80432c79 8565 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 8566
wolfSSL 4:1b0d80432c79 8567 /* curve */
wolfSSL 4:1b0d80432c79 8568 curve[curveidx++] = ECC_PREFIX_0;
wolfSSL 4:1b0d80432c79 8569 curveidx++ /* to put the size after computation */;
wolfSSL 4:1b0d80432c79 8570 curveSz = SetCurve(key, curve+curveidx);
wolfSSL 4:1b0d80432c79 8571 if (curveSz < 0)
wolfSSL 4:1b0d80432c79 8572 return curveSz;
wolfSSL 4:1b0d80432c79 8573 /* set computed size */
wolfSSL 4:1b0d80432c79 8574 curve[1] = (byte)curveSz;
wolfSSL 4:1b0d80432c79 8575 curveidx += curveSz;
wolfSSL 4:1b0d80432c79 8576
wolfSSL 4:1b0d80432c79 8577 /* private */
wolfSSL 4:1b0d80432c79 8578 privSz = key->dp->size;
wolfSSL 4:1b0d80432c79 8579 prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ,
wolfSSL 4:1b0d80432c79 8580 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8581 if (prv == NULL) {
wolfSSL 4:1b0d80432c79 8582 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8583 }
wolfSSL 4:1b0d80432c79 8584 prv[prvidx++] = ASN_OCTET_STRING;
wolfSSL 4:1b0d80432c79 8585 prv[prvidx++] = (byte)key->dp->size;
wolfSSL 4:1b0d80432c79 8586 ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz);
wolfSSL 4:1b0d80432c79 8587 if (ret < 0) {
wolfSSL 4:1b0d80432c79 8588 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8589 return ret;
wolfSSL 4:1b0d80432c79 8590 }
wolfSSL 4:1b0d80432c79 8591 prvidx += privSz;
wolfSSL 4:1b0d80432c79 8592
wolfSSL 4:1b0d80432c79 8593 /* public */
wolfSSL 4:1b0d80432c79 8594 ret = wc_ecc_export_x963(key, NULL, &pubSz);
wolfSSL 4:1b0d80432c79 8595 if (ret != LENGTH_ONLY_E) {
wolfSSL 4:1b0d80432c79 8596 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8597 return ret;
wolfSSL 4:1b0d80432c79 8598 }
wolfSSL 4:1b0d80432c79 8599
wolfSSL 4:1b0d80432c79 8600 pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ,
wolfSSL 4:1b0d80432c79 8601 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8602 if (pub == NULL) {
wolfSSL 4:1b0d80432c79 8603 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8604 return MEMORY_E;
wolfSSL 4:1b0d80432c79 8605 }
wolfSSL 4:1b0d80432c79 8606
wolfSSL 4:1b0d80432c79 8607 pub[pubidx++] = ECC_PREFIX_1;
wolfSSL 4:1b0d80432c79 8608 if (pubSz > 128) /* leading zero + extra size byte */
wolfSSL 4:1b0d80432c79 8609 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx);
wolfSSL 4:1b0d80432c79 8610 else /* leading zero */
wolfSSL 4:1b0d80432c79 8611 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx);
wolfSSL 4:1b0d80432c79 8612 pub[pubidx++] = ASN_BIT_STRING;
wolfSSL 4:1b0d80432c79 8613 pubidx += SetLength(pubSz + 1, pub+pubidx);
wolfSSL 4:1b0d80432c79 8614 pub[pubidx++] = (byte)0; /* leading zero */
wolfSSL 4:1b0d80432c79 8615 ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz);
wolfSSL 4:1b0d80432c79 8616 if (ret != 0) {
wolfSSL 4:1b0d80432c79 8617 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8618 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8619 return ret;
wolfSSL 4:1b0d80432c79 8620 }
wolfSSL 4:1b0d80432c79 8621 pubidx += pubSz;
wolfSSL 4:1b0d80432c79 8622
wolfSSL 4:1b0d80432c79 8623 /* make headers */
wolfSSL 4:1b0d80432c79 8624 verSz = SetMyVersion(1, ver, FALSE);
wolfSSL 4:1b0d80432c79 8625 seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq);
wolfSSL 4:1b0d80432c79 8626
wolfSSL 4:1b0d80432c79 8627 totalSz = prvidx + pubidx + curveidx + verSz + seqSz;
wolfSSL 4:1b0d80432c79 8628 if (totalSz > (int)inLen) {
wolfSSL 4:1b0d80432c79 8629 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8630 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8631 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 8632 }
wolfSSL 4:1b0d80432c79 8633
wolfSSL 4:1b0d80432c79 8634 /* write out */
wolfSSL 4:1b0d80432c79 8635 /* seq */
wolfSSL 4:1b0d80432c79 8636 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 4:1b0d80432c79 8637 idx = seqSz;
wolfSSL 4:1b0d80432c79 8638
wolfSSL 4:1b0d80432c79 8639 /* ver */
wolfSSL 4:1b0d80432c79 8640 XMEMCPY(output + idx, ver, verSz);
wolfSSL 4:1b0d80432c79 8641 idx += verSz;
wolfSSL 4:1b0d80432c79 8642
wolfSSL 4:1b0d80432c79 8643 /* private */
wolfSSL 4:1b0d80432c79 8644 XMEMCPY(output + idx, prv, prvidx);
wolfSSL 4:1b0d80432c79 8645 idx += prvidx;
wolfSSL 4:1b0d80432c79 8646 XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8647
wolfSSL 4:1b0d80432c79 8648 /* curve */
wolfSSL 4:1b0d80432c79 8649 XMEMCPY(output + idx, curve, curveidx);
wolfSSL 4:1b0d80432c79 8650 idx += curveidx;
wolfSSL 4:1b0d80432c79 8651
wolfSSL 4:1b0d80432c79 8652 /* public */
wolfSSL 4:1b0d80432c79 8653 XMEMCPY(output + idx, pub, pubidx);
wolfSSL 4:1b0d80432c79 8654 /* idx += pubidx; not used after write, if more data remove comment */
wolfSSL 4:1b0d80432c79 8655 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 4:1b0d80432c79 8656
wolfSSL 4:1b0d80432c79 8657 return totalSz;
wolfSSL 4:1b0d80432c79 8658 }
wolfSSL 4:1b0d80432c79 8659
wolfSSL 4:1b0d80432c79 8660 #endif /* WOLFSSL_KEY_GEN */
wolfSSL 4:1b0d80432c79 8661
wolfSSL 4:1b0d80432c79 8662 #endif /* HAVE_ECC */
wolfSSL 4:1b0d80432c79 8663
wolfSSL 4:1b0d80432c79 8664
wolfSSL 4:1b0d80432c79 8665 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
wolfSSL 4:1b0d80432c79 8666
wolfSSL 4:1b0d80432c79 8667 /* Get raw Date only, no processing, 0 on success */
wolfSSL 4:1b0d80432c79 8668 static int GetBasicDate(const byte* source, word32* idx, byte* date,
wolfSSL 4:1b0d80432c79 8669 byte* format, int maxIdx)
wolfSSL 4:1b0d80432c79 8670 {
wolfSSL 4:1b0d80432c79 8671 int length;
wolfSSL 4:1b0d80432c79 8672
wolfSSL 4:1b0d80432c79 8673 WOLFSSL_ENTER("GetBasicDate");
wolfSSL 4:1b0d80432c79 8674
wolfSSL 4:1b0d80432c79 8675 *format = source[*idx];
wolfSSL 4:1b0d80432c79 8676 *idx += 1;
wolfSSL 4:1b0d80432c79 8677 if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
wolfSSL 4:1b0d80432c79 8678 return ASN_TIME_E;
wolfSSL 4:1b0d80432c79 8679
wolfSSL 4:1b0d80432c79 8680 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 8681 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8682
wolfSSL 4:1b0d80432c79 8683 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 4:1b0d80432c79 8684 return ASN_DATE_SZ_E;
wolfSSL 4:1b0d80432c79 8685
wolfSSL 4:1b0d80432c79 8686 XMEMCPY(date, &source[*idx], length);
wolfSSL 4:1b0d80432c79 8687 *idx += length;
wolfSSL 4:1b0d80432c79 8688
wolfSSL 4:1b0d80432c79 8689 return 0;
wolfSSL 4:1b0d80432c79 8690 }
wolfSSL 4:1b0d80432c79 8691
wolfSSL 4:1b0d80432c79 8692 #endif
wolfSSL 4:1b0d80432c79 8693
wolfSSL 4:1b0d80432c79 8694
wolfSSL 4:1b0d80432c79 8695 #ifdef HAVE_OCSP
wolfSSL 4:1b0d80432c79 8696
wolfSSL 4:1b0d80432c79 8697 static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
wolfSSL 4:1b0d80432c79 8698 {
wolfSSL 4:1b0d80432c79 8699 word32 idx = *inOutIdx;
wolfSSL 4:1b0d80432c79 8700 word32 len;
wolfSSL 4:1b0d80432c79 8701
wolfSSL 4:1b0d80432c79 8702 WOLFSSL_ENTER("GetEnumerated");
wolfSSL 4:1b0d80432c79 8703
wolfSSL 4:1b0d80432c79 8704 *value = 0;
wolfSSL 4:1b0d80432c79 8705
wolfSSL 4:1b0d80432c79 8706 if (input[idx++] != ASN_ENUMERATED)
wolfSSL 4:1b0d80432c79 8707 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8708
wolfSSL 4:1b0d80432c79 8709 len = input[idx++];
wolfSSL 4:1b0d80432c79 8710 if (len > 4)
wolfSSL 4:1b0d80432c79 8711 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8712
wolfSSL 4:1b0d80432c79 8713 while (len--) {
wolfSSL 4:1b0d80432c79 8714 *value = *value << 8 | input[idx++];
wolfSSL 4:1b0d80432c79 8715 }
wolfSSL 4:1b0d80432c79 8716
wolfSSL 4:1b0d80432c79 8717 *inOutIdx = idx;
wolfSSL 4:1b0d80432c79 8718
wolfSSL 4:1b0d80432c79 8719 return *value;
wolfSSL 4:1b0d80432c79 8720 }
wolfSSL 4:1b0d80432c79 8721
wolfSSL 4:1b0d80432c79 8722
wolfSSL 4:1b0d80432c79 8723 static int DecodeSingleResponse(byte* source,
wolfSSL 4:1b0d80432c79 8724 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 4:1b0d80432c79 8725 {
wolfSSL 4:1b0d80432c79 8726 word32 idx = *ioIndex, prevIndex, oid;
wolfSSL 4:1b0d80432c79 8727 int length, wrapperSz;
wolfSSL 4:1b0d80432c79 8728 CertStatus* cs = resp->status;
wolfSSL 4:1b0d80432c79 8729
wolfSSL 4:1b0d80432c79 8730 WOLFSSL_ENTER("DecodeSingleResponse");
wolfSSL 4:1b0d80432c79 8731
wolfSSL 4:1b0d80432c79 8732 /* Outer wrapper of the SEQUENCE OF Single Responses. */
wolfSSL 4:1b0d80432c79 8733 if (GetSequence(source, &idx, &wrapperSz, size) < 0)
wolfSSL 4:1b0d80432c79 8734 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8735
wolfSSL 4:1b0d80432c79 8736 prevIndex = idx;
wolfSSL 4:1b0d80432c79 8737
wolfSSL 4:1b0d80432c79 8738 /* When making a request, we only request one status on one certificate
wolfSSL 4:1b0d80432c79 8739 * at a time. There should only be one SingleResponse */
wolfSSL 4:1b0d80432c79 8740
wolfSSL 4:1b0d80432c79 8741 /* Wrapper around the Single Response */
wolfSSL 4:1b0d80432c79 8742 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8743 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8744
wolfSSL 4:1b0d80432c79 8745 /* Wrapper around the CertID */
wolfSSL 4:1b0d80432c79 8746 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8747 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8748 /* Skip the hash algorithm */
wolfSSL 4:1b0d80432c79 8749 if (GetAlgoId(source, &idx, &oid, ignoreType, size) < 0)
wolfSSL 4:1b0d80432c79 8750 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8751 /* Save reference to the hash of CN */
wolfSSL 4:1b0d80432c79 8752 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 4:1b0d80432c79 8753 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8754 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8755 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8756 resp->issuerHash = source + idx;
wolfSSL 4:1b0d80432c79 8757 idx += length;
wolfSSL 4:1b0d80432c79 8758 /* Save reference to the hash of the issuer public key */
wolfSSL 4:1b0d80432c79 8759 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 4:1b0d80432c79 8760 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8761 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8762 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8763 resp->issuerKeyHash = source + idx;
wolfSSL 4:1b0d80432c79 8764 idx += length;
wolfSSL 4:1b0d80432c79 8765
wolfSSL 4:1b0d80432c79 8766 /* Read the serial number, it is handled as a string, not as a
wolfSSL 4:1b0d80432c79 8767 * proper number. Just XMEMCPY the data over, rather than load it
wolfSSL 4:1b0d80432c79 8768 * as an mp_int. */
wolfSSL 4:1b0d80432c79 8769 if (source[idx++] != ASN_INTEGER)
wolfSSL 4:1b0d80432c79 8770 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8771 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8772 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8773 if (length <= EXTERNAL_SERIAL_SIZE)
wolfSSL 4:1b0d80432c79 8774 {
wolfSSL 4:1b0d80432c79 8775 if (source[idx] == 0)
wolfSSL 4:1b0d80432c79 8776 {
wolfSSL 4:1b0d80432c79 8777 idx++;
wolfSSL 4:1b0d80432c79 8778 length--;
wolfSSL 4:1b0d80432c79 8779 }
wolfSSL 4:1b0d80432c79 8780 XMEMCPY(cs->serial, source + idx, length);
wolfSSL 4:1b0d80432c79 8781 cs->serialSz = length;
wolfSSL 4:1b0d80432c79 8782 }
wolfSSL 4:1b0d80432c79 8783 else
wolfSSL 4:1b0d80432c79 8784 {
wolfSSL 4:1b0d80432c79 8785 return ASN_GETINT_E;
wolfSSL 4:1b0d80432c79 8786 }
wolfSSL 4:1b0d80432c79 8787 idx += length;
wolfSSL 4:1b0d80432c79 8788
wolfSSL 4:1b0d80432c79 8789 /* CertStatus */
wolfSSL 4:1b0d80432c79 8790 switch (source[idx++])
wolfSSL 4:1b0d80432c79 8791 {
wolfSSL 4:1b0d80432c79 8792 case (ASN_CONTEXT_SPECIFIC | CERT_GOOD):
wolfSSL 4:1b0d80432c79 8793 cs->status = CERT_GOOD;
wolfSSL 4:1b0d80432c79 8794 idx++;
wolfSSL 4:1b0d80432c79 8795 break;
wolfSSL 4:1b0d80432c79 8796 case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED):
wolfSSL 4:1b0d80432c79 8797 cs->status = CERT_REVOKED;
wolfSSL 4:1b0d80432c79 8798 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8799 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8800 idx += length;
wolfSSL 4:1b0d80432c79 8801 break;
wolfSSL 4:1b0d80432c79 8802 case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN):
wolfSSL 4:1b0d80432c79 8803 cs->status = CERT_UNKNOWN;
wolfSSL 4:1b0d80432c79 8804 idx++;
wolfSSL 4:1b0d80432c79 8805 break;
wolfSSL 4:1b0d80432c79 8806 default:
wolfSSL 4:1b0d80432c79 8807 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8808 }
wolfSSL 4:1b0d80432c79 8809
wolfSSL 4:1b0d80432c79 8810 if (GetBasicDate(source, &idx, cs->thisDate,
wolfSSL 4:1b0d80432c79 8811 &cs->thisDateFormat, size) < 0)
wolfSSL 4:1b0d80432c79 8812 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8813 if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
wolfSSL 4:1b0d80432c79 8814 return ASN_BEFORE_DATE_E;
wolfSSL 4:1b0d80432c79 8815
wolfSSL 4:1b0d80432c79 8816 /* The following items are optional. Only check for them if there is more
wolfSSL 4:1b0d80432c79 8817 * unprocessed data in the singleResponse wrapper. */
wolfSSL 4:1b0d80432c79 8818
wolfSSL 4:1b0d80432c79 8819 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 4:1b0d80432c79 8820 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)))
wolfSSL 4:1b0d80432c79 8821 {
wolfSSL 4:1b0d80432c79 8822 idx++;
wolfSSL 4:1b0d80432c79 8823 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8824 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8825 if (GetBasicDate(source, &idx, cs->nextDate,
wolfSSL 4:1b0d80432c79 8826 &cs->nextDateFormat, size) < 0)
wolfSSL 4:1b0d80432c79 8827 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8828 if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
wolfSSL 4:1b0d80432c79 8829 return ASN_AFTER_DATE_E;
wolfSSL 4:1b0d80432c79 8830 }
wolfSSL 4:1b0d80432c79 8831 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 4:1b0d80432c79 8832 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
wolfSSL 4:1b0d80432c79 8833 {
wolfSSL 4:1b0d80432c79 8834 idx++;
wolfSSL 4:1b0d80432c79 8835 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8836 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8837 idx += length;
wolfSSL 4:1b0d80432c79 8838 }
wolfSSL 4:1b0d80432c79 8839
wolfSSL 4:1b0d80432c79 8840 *ioIndex = idx;
wolfSSL 4:1b0d80432c79 8841
wolfSSL 4:1b0d80432c79 8842 return 0;
wolfSSL 4:1b0d80432c79 8843 }
wolfSSL 4:1b0d80432c79 8844
wolfSSL 4:1b0d80432c79 8845 static int DecodeOcspRespExtensions(byte* source,
wolfSSL 4:1b0d80432c79 8846 word32* ioIndex, OcspResponse* resp, word32 sz)
wolfSSL 4:1b0d80432c79 8847 {
wolfSSL 4:1b0d80432c79 8848 word32 idx = *ioIndex;
wolfSSL 4:1b0d80432c79 8849 int length;
wolfSSL 4:1b0d80432c79 8850 int ext_bound; /* boundary index for the sequence of extensions */
wolfSSL 4:1b0d80432c79 8851 word32 oid;
wolfSSL 4:1b0d80432c79 8852
wolfSSL 4:1b0d80432c79 8853 WOLFSSL_ENTER("DecodeOcspRespExtensions");
wolfSSL 4:1b0d80432c79 8854
wolfSSL 4:1b0d80432c79 8855 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 4:1b0d80432c79 8856 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8857
wolfSSL 4:1b0d80432c79 8858 if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8859
wolfSSL 4:1b0d80432c79 8860 if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8861
wolfSSL 4:1b0d80432c79 8862 ext_bound = idx + length;
wolfSSL 4:1b0d80432c79 8863
wolfSSL 4:1b0d80432c79 8864 while (idx < (word32)ext_bound) {
wolfSSL 4:1b0d80432c79 8865 if (GetSequence(source, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 8866 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 4:1b0d80432c79 8867 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8868 }
wolfSSL 4:1b0d80432c79 8869
wolfSSL 4:1b0d80432c79 8870 oid = 0;
wolfSSL 4:1b0d80432c79 8871 if (GetObjectId(source, &idx, &oid, ocspType, sz) < 0) {
wolfSSL 4:1b0d80432c79 8872 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 4:1b0d80432c79 8873 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8874 }
wolfSSL 4:1b0d80432c79 8875
wolfSSL 4:1b0d80432c79 8876 /* check for critical flag */
wolfSSL 4:1b0d80432c79 8877 if (source[idx] == ASN_BOOLEAN) {
wolfSSL 4:1b0d80432c79 8878 WOLFSSL_MSG("\tfound optional critical flag, moving past");
wolfSSL 4:1b0d80432c79 8879 idx += (ASN_BOOL_SIZE + 1);
wolfSSL 4:1b0d80432c79 8880 }
wolfSSL 4:1b0d80432c79 8881
wolfSSL 4:1b0d80432c79 8882 /* process the extension based on the OID */
wolfSSL 4:1b0d80432c79 8883 if (source[idx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 8884 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 4:1b0d80432c79 8885 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8886 }
wolfSSL 4:1b0d80432c79 8887
wolfSSL 4:1b0d80432c79 8888 if (GetLength(source, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 8889 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 4:1b0d80432c79 8890 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8891 }
wolfSSL 4:1b0d80432c79 8892
wolfSSL 4:1b0d80432c79 8893 if (oid == OCSP_NONCE_OID) {
wolfSSL 4:1b0d80432c79 8894 /* get data inside extra OCTET_STRING */
wolfSSL 4:1b0d80432c79 8895 if (source[idx++] != ASN_OCTET_STRING) {
wolfSSL 4:1b0d80432c79 8896 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 4:1b0d80432c79 8897 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8898 }
wolfSSL 4:1b0d80432c79 8899
wolfSSL 4:1b0d80432c79 8900 if (GetLength(source, &idx, &length, sz) < 0) {
wolfSSL 4:1b0d80432c79 8901 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 4:1b0d80432c79 8902 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8903 }
wolfSSL 4:1b0d80432c79 8904
wolfSSL 4:1b0d80432c79 8905 resp->nonce = source + idx;
wolfSSL 4:1b0d80432c79 8906 resp->nonceSz = length;
wolfSSL 4:1b0d80432c79 8907 }
wolfSSL 4:1b0d80432c79 8908
wolfSSL 4:1b0d80432c79 8909 idx += length;
wolfSSL 4:1b0d80432c79 8910 }
wolfSSL 4:1b0d80432c79 8911
wolfSSL 4:1b0d80432c79 8912 *ioIndex = idx;
wolfSSL 4:1b0d80432c79 8913 return 0;
wolfSSL 4:1b0d80432c79 8914 }
wolfSSL 4:1b0d80432c79 8915
wolfSSL 4:1b0d80432c79 8916
wolfSSL 4:1b0d80432c79 8917 static int DecodeResponseData(byte* source,
wolfSSL 4:1b0d80432c79 8918 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 4:1b0d80432c79 8919 {
wolfSSL 4:1b0d80432c79 8920 word32 idx = *ioIndex, prev_idx;
wolfSSL 4:1b0d80432c79 8921 int length;
wolfSSL 4:1b0d80432c79 8922 int version;
wolfSSL 4:1b0d80432c79 8923 word32 responderId = 0;
wolfSSL 4:1b0d80432c79 8924
wolfSSL 4:1b0d80432c79 8925 WOLFSSL_ENTER("DecodeResponseData");
wolfSSL 4:1b0d80432c79 8926
wolfSSL 4:1b0d80432c79 8927 resp->response = source + idx;
wolfSSL 4:1b0d80432c79 8928 prev_idx = idx;
wolfSSL 4:1b0d80432c79 8929 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8930 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8931 resp->responseSz = length + idx - prev_idx;
wolfSSL 4:1b0d80432c79 8932
wolfSSL 4:1b0d80432c79 8933 /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
wolfSSL 4:1b0d80432c79 8934 * item isn't an EXPLICIT[0], then set version to zero and move
wolfSSL 4:1b0d80432c79 8935 * onto the next item.
wolfSSL 4:1b0d80432c79 8936 */
wolfSSL 4:1b0d80432c79 8937 if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
wolfSSL 4:1b0d80432c79 8938 {
wolfSSL 4:1b0d80432c79 8939 idx += 2; /* Eat the value and length */
wolfSSL 4:1b0d80432c79 8940 if (GetMyVersion(source, &idx, &version) < 0)
wolfSSL 4:1b0d80432c79 8941 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8942 } else
wolfSSL 4:1b0d80432c79 8943 version = 0;
wolfSSL 4:1b0d80432c79 8944
wolfSSL 4:1b0d80432c79 8945 responderId = source[idx++];
wolfSSL 4:1b0d80432c79 8946 if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
wolfSSL 4:1b0d80432c79 8947 (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
wolfSSL 4:1b0d80432c79 8948 {
wolfSSL 4:1b0d80432c79 8949 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8950 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8951 idx += length;
wolfSSL 4:1b0d80432c79 8952 }
wolfSSL 4:1b0d80432c79 8953 else
wolfSSL 4:1b0d80432c79 8954 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8955
wolfSSL 4:1b0d80432c79 8956 /* save pointer to the producedAt time */
wolfSSL 4:1b0d80432c79 8957 if (GetBasicDate(source, &idx, resp->producedDate,
wolfSSL 4:1b0d80432c79 8958 &resp->producedDateFormat, size) < 0)
wolfSSL 4:1b0d80432c79 8959 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8960
wolfSSL 4:1b0d80432c79 8961 if (DecodeSingleResponse(source, &idx, resp, size) < 0)
wolfSSL 4:1b0d80432c79 8962 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8963
wolfSSL 4:1b0d80432c79 8964 /*
wolfSSL 4:1b0d80432c79 8965 * Check the length of the ResponseData against the current index to
wolfSSL 4:1b0d80432c79 8966 * see if there are extensions, they are optional.
wolfSSL 4:1b0d80432c79 8967 */
wolfSSL 4:1b0d80432c79 8968 if (idx - prev_idx < resp->responseSz)
wolfSSL 4:1b0d80432c79 8969 if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
wolfSSL 4:1b0d80432c79 8970 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8971
wolfSSL 4:1b0d80432c79 8972 *ioIndex = idx;
wolfSSL 4:1b0d80432c79 8973 return 0;
wolfSSL 4:1b0d80432c79 8974 }
wolfSSL 4:1b0d80432c79 8975
wolfSSL 4:1b0d80432c79 8976
wolfSSL 4:1b0d80432c79 8977 static int DecodeCerts(byte* source,
wolfSSL 4:1b0d80432c79 8978 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 4:1b0d80432c79 8979 {
wolfSSL 4:1b0d80432c79 8980 word32 idx = *ioIndex;
wolfSSL 4:1b0d80432c79 8981
wolfSSL 4:1b0d80432c79 8982 WOLFSSL_ENTER("DecodeCerts");
wolfSSL 4:1b0d80432c79 8983
wolfSSL 4:1b0d80432c79 8984 if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 4:1b0d80432c79 8985 {
wolfSSL 4:1b0d80432c79 8986 int length;
wolfSSL 4:1b0d80432c79 8987
wolfSSL 4:1b0d80432c79 8988 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8989 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8990
wolfSSL 4:1b0d80432c79 8991 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 8992 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 8993
wolfSSL 4:1b0d80432c79 8994 resp->cert = source + idx;
wolfSSL 4:1b0d80432c79 8995 resp->certSz = length;
wolfSSL 4:1b0d80432c79 8996
wolfSSL 4:1b0d80432c79 8997 idx += length;
wolfSSL 4:1b0d80432c79 8998 }
wolfSSL 4:1b0d80432c79 8999 *ioIndex = idx;
wolfSSL 4:1b0d80432c79 9000 return 0;
wolfSSL 4:1b0d80432c79 9001 }
wolfSSL 4:1b0d80432c79 9002
wolfSSL 4:1b0d80432c79 9003 static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
wolfSSL 4:1b0d80432c79 9004 OcspResponse* resp, word32 size, void* cm)
wolfSSL 4:1b0d80432c79 9005 {
wolfSSL 4:1b0d80432c79 9006 int length;
wolfSSL 4:1b0d80432c79 9007 word32 idx = *ioIndex;
wolfSSL 4:1b0d80432c79 9008 word32 end_index;
wolfSSL 4:1b0d80432c79 9009 int ret = -1;
wolfSSL 4:1b0d80432c79 9010
wolfSSL 4:1b0d80432c79 9011 WOLFSSL_ENTER("DecodeBasicOcspResponse");
wolfSSL 4:1b0d80432c79 9012
wolfSSL 4:1b0d80432c79 9013 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 9014 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9015
wolfSSL 4:1b0d80432c79 9016 if (idx + length > size)
wolfSSL 4:1b0d80432c79 9017 return ASN_INPUT_E;
wolfSSL 4:1b0d80432c79 9018 end_index = idx + length;
wolfSSL 4:1b0d80432c79 9019
wolfSSL 4:1b0d80432c79 9020 if (DecodeResponseData(source, &idx, resp, size) < 0)
wolfSSL 4:1b0d80432c79 9021 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9022
wolfSSL 4:1b0d80432c79 9023 /* Get the signature algorithm */
wolfSSL 4:1b0d80432c79 9024 if (GetAlgoId(source, &idx, &resp->sigOID, sigType, size) < 0)
wolfSSL 4:1b0d80432c79 9025 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9026
wolfSSL 4:1b0d80432c79 9027 /* Obtain pointer to the start of the signature, and save the size */
wolfSSL 4:1b0d80432c79 9028 if (source[idx++] == ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 9029 {
wolfSSL 4:1b0d80432c79 9030 int sigLength = 0;
wolfSSL 4:1b0d80432c79 9031 if (GetLength(source, &idx, &sigLength, size) < 0)
wolfSSL 4:1b0d80432c79 9032 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9033 resp->sigSz = sigLength;
wolfSSL 4:1b0d80432c79 9034 resp->sig = source + idx;
wolfSSL 4:1b0d80432c79 9035 idx += sigLength;
wolfSSL 4:1b0d80432c79 9036 }
wolfSSL 4:1b0d80432c79 9037
wolfSSL 4:1b0d80432c79 9038 /*
wolfSSL 4:1b0d80432c79 9039 * Check the length of the BasicOcspResponse against the current index to
wolfSSL 4:1b0d80432c79 9040 * see if there are certificates, they are optional.
wolfSSL 4:1b0d80432c79 9041 */
wolfSSL 4:1b0d80432c79 9042 if (idx < end_index)
wolfSSL 4:1b0d80432c79 9043 {
wolfSSL 4:1b0d80432c79 9044 DecodedCert cert;
wolfSSL 4:1b0d80432c79 9045
wolfSSL 4:1b0d80432c79 9046 if (DecodeCerts(source, &idx, resp, size) < 0)
wolfSSL 4:1b0d80432c79 9047 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9048
wolfSSL 4:1b0d80432c79 9049 InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
wolfSSL 4:1b0d80432c79 9050 ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
wolfSSL 4:1b0d80432c79 9051 if (ret < 0)
wolfSSL 4:1b0d80432c79 9052 return ret;
wolfSSL 4:1b0d80432c79 9053
wolfSSL 4:1b0d80432c79 9054 ret = ConfirmSignature(resp->response, resp->responseSz,
wolfSSL 4:1b0d80432c79 9055 cert.publicKey, cert.pubKeySize, cert.keyOID,
wolfSSL 4:1b0d80432c79 9056 resp->sig, resp->sigSz, resp->sigOID, NULL);
wolfSSL 4:1b0d80432c79 9057 FreeDecodedCert(&cert);
wolfSSL 4:1b0d80432c79 9058
wolfSSL 4:1b0d80432c79 9059 if (ret == 0)
wolfSSL 4:1b0d80432c79 9060 {
wolfSSL 4:1b0d80432c79 9061 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 4:1b0d80432c79 9062 return ASN_OCSP_CONFIRM_E;
wolfSSL 4:1b0d80432c79 9063 }
wolfSSL 4:1b0d80432c79 9064 }
wolfSSL 4:1b0d80432c79 9065 else {
wolfSSL 4:1b0d80432c79 9066 Signer* ca = GetCA(cm, resp->issuerHash);
wolfSSL 4:1b0d80432c79 9067
wolfSSL 4:1b0d80432c79 9068 if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
wolfSSL 4:1b0d80432c79 9069 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 4:1b0d80432c79 9070 resp->sig, resp->sigSz, resp->sigOID, NULL)) {
wolfSSL 4:1b0d80432c79 9071 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 4:1b0d80432c79 9072 return ASN_OCSP_CONFIRM_E;
wolfSSL 4:1b0d80432c79 9073 }
wolfSSL 4:1b0d80432c79 9074 }
wolfSSL 4:1b0d80432c79 9075
wolfSSL 4:1b0d80432c79 9076 *ioIndex = idx;
wolfSSL 4:1b0d80432c79 9077 return 0;
wolfSSL 4:1b0d80432c79 9078 }
wolfSSL 4:1b0d80432c79 9079
wolfSSL 4:1b0d80432c79 9080
wolfSSL 4:1b0d80432c79 9081 void InitOcspResponse(OcspResponse* resp, CertStatus* status,
wolfSSL 4:1b0d80432c79 9082 byte* source, word32 inSz)
wolfSSL 4:1b0d80432c79 9083 {
wolfSSL 4:1b0d80432c79 9084 WOLFSSL_ENTER("InitOcspResponse");
wolfSSL 4:1b0d80432c79 9085
wolfSSL 4:1b0d80432c79 9086 XMEMSET(status, 0, sizeof(CertStatus));
wolfSSL 4:1b0d80432c79 9087 XMEMSET(resp, 0, sizeof(OcspResponse));
wolfSSL 4:1b0d80432c79 9088
wolfSSL 4:1b0d80432c79 9089 resp->responseStatus = -1;
wolfSSL 4:1b0d80432c79 9090 resp->status = status;
wolfSSL 4:1b0d80432c79 9091 resp->source = source;
wolfSSL 4:1b0d80432c79 9092 resp->maxIdx = inSz;
wolfSSL 4:1b0d80432c79 9093 }
wolfSSL 4:1b0d80432c79 9094
wolfSSL 4:1b0d80432c79 9095
wolfSSL 4:1b0d80432c79 9096 int OcspResponseDecode(OcspResponse* resp, void* cm)
wolfSSL 4:1b0d80432c79 9097 {
wolfSSL 4:1b0d80432c79 9098 int length = 0;
wolfSSL 4:1b0d80432c79 9099 word32 idx = 0;
wolfSSL 4:1b0d80432c79 9100 byte* source = resp->source;
wolfSSL 4:1b0d80432c79 9101 word32 size = resp->maxIdx;
wolfSSL 4:1b0d80432c79 9102 word32 oid;
wolfSSL 4:1b0d80432c79 9103
wolfSSL 4:1b0d80432c79 9104 WOLFSSL_ENTER("OcspResponseDecode");
wolfSSL 4:1b0d80432c79 9105
wolfSSL 4:1b0d80432c79 9106 /* peel the outer SEQUENCE wrapper */
wolfSSL 4:1b0d80432c79 9107 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 9108 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9109
wolfSSL 4:1b0d80432c79 9110 /* First get the responseStatus, an ENUMERATED */
wolfSSL 4:1b0d80432c79 9111 if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
wolfSSL 4:1b0d80432c79 9112 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9113
wolfSSL 4:1b0d80432c79 9114 if (resp->responseStatus != OCSP_SUCCESSFUL)
wolfSSL 4:1b0d80432c79 9115 return 0;
wolfSSL 4:1b0d80432c79 9116
wolfSSL 4:1b0d80432c79 9117 /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
wolfSSL 4:1b0d80432c79 9118 if (idx >= size)
wolfSSL 4:1b0d80432c79 9119 return ASN_INPUT_E;
wolfSSL 4:1b0d80432c79 9120 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 4:1b0d80432c79 9121 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9122 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 9123 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9124
wolfSSL 4:1b0d80432c79 9125 /* Get the responseBytes SEQUENCE */
wolfSSL 4:1b0d80432c79 9126 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 9127 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9128
wolfSSL 4:1b0d80432c79 9129 /* Check ObjectID for the resposeBytes */
wolfSSL 4:1b0d80432c79 9130 if (GetObjectId(source, &idx, &oid, ocspType, size) < 0)
wolfSSL 4:1b0d80432c79 9131 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9132 if (oid != OCSP_BASIC_OID)
wolfSSL 4:1b0d80432c79 9133 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9134 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 4:1b0d80432c79 9135 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9136
wolfSSL 4:1b0d80432c79 9137 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 4:1b0d80432c79 9138 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9139
wolfSSL 4:1b0d80432c79 9140 if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0)
wolfSSL 4:1b0d80432c79 9141 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9142
wolfSSL 4:1b0d80432c79 9143 return 0;
wolfSSL 4:1b0d80432c79 9144 }
wolfSSL 4:1b0d80432c79 9145
wolfSSL 4:1b0d80432c79 9146
wolfSSL 4:1b0d80432c79 9147 word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
wolfSSL 4:1b0d80432c79 9148 {
wolfSSL 4:1b0d80432c79 9149 static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
wolfSSL 4:1b0d80432c79 9150 0x30, 0x01, 0x02 };
wolfSSL 4:1b0d80432c79 9151 byte seqArray[6][MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 9152 word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId);
wolfSSL 4:1b0d80432c79 9153
wolfSSL 4:1b0d80432c79 9154 WOLFSSL_ENTER("SetOcspReqExtensions");
wolfSSL 4:1b0d80432c79 9155
wolfSSL 4:1b0d80432c79 9156 if (!req || !output || !req->nonceSz)
wolfSSL 4:1b0d80432c79 9157 return 0;
wolfSSL 4:1b0d80432c79 9158
wolfSSL 4:1b0d80432c79 9159 totalSz += req->nonceSz;
wolfSSL 4:1b0d80432c79 9160 totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]);
wolfSSL 4:1b0d80432c79 9161 totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]);
wolfSSL 4:1b0d80432c79 9162 seqArray[2][0] = ASN_OBJECT_ID;
wolfSSL 4:1b0d80432c79 9163 totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]);
wolfSSL 4:1b0d80432c79 9164 totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
wolfSSL 4:1b0d80432c79 9165 totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
wolfSSL 4:1b0d80432c79 9166 totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]);
wolfSSL 4:1b0d80432c79 9167
wolfSSL 4:1b0d80432c79 9168 if (totalSz > size)
wolfSSL 4:1b0d80432c79 9169 return 0;
wolfSSL 4:1b0d80432c79 9170
wolfSSL 4:1b0d80432c79 9171 totalSz = 0;
wolfSSL 4:1b0d80432c79 9172
wolfSSL 4:1b0d80432c79 9173 XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
wolfSSL 4:1b0d80432c79 9174 totalSz += seqSz[5];
wolfSSL 4:1b0d80432c79 9175
wolfSSL 4:1b0d80432c79 9176 XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
wolfSSL 4:1b0d80432c79 9177 totalSz += seqSz[4];
wolfSSL 4:1b0d80432c79 9178
wolfSSL 4:1b0d80432c79 9179 XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
wolfSSL 4:1b0d80432c79 9180 totalSz += seqSz[3];
wolfSSL 4:1b0d80432c79 9181
wolfSSL 4:1b0d80432c79 9182 XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
wolfSSL 4:1b0d80432c79 9183 totalSz += seqSz[2];
wolfSSL 4:1b0d80432c79 9184
wolfSSL 4:1b0d80432c79 9185 XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
wolfSSL 4:1b0d80432c79 9186 totalSz += (word32)sizeof(NonceObjId);
wolfSSL 4:1b0d80432c79 9187
wolfSSL 4:1b0d80432c79 9188 XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
wolfSSL 4:1b0d80432c79 9189 totalSz += seqSz[1];
wolfSSL 4:1b0d80432c79 9190
wolfSSL 4:1b0d80432c79 9191 XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
wolfSSL 4:1b0d80432c79 9192 totalSz += seqSz[0];
wolfSSL 4:1b0d80432c79 9193
wolfSSL 4:1b0d80432c79 9194 XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
wolfSSL 4:1b0d80432c79 9195 totalSz += req->nonceSz;
wolfSSL 4:1b0d80432c79 9196
wolfSSL 4:1b0d80432c79 9197 return totalSz;
wolfSSL 4:1b0d80432c79 9198 }
wolfSSL 4:1b0d80432c79 9199
wolfSSL 4:1b0d80432c79 9200
wolfSSL 4:1b0d80432c79 9201 int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
wolfSSL 4:1b0d80432c79 9202 {
wolfSSL 4:1b0d80432c79 9203 byte seqArray[5][MAX_SEQ_SZ];
wolfSSL 4:1b0d80432c79 9204 /* The ASN.1 of the OCSP Request is an onion of sequences */
wolfSSL 4:1b0d80432c79 9205 byte algoArray[MAX_ALGO_SZ];
wolfSSL 4:1b0d80432c79 9206 byte issuerArray[MAX_ENCODED_DIG_SZ];
wolfSSL 4:1b0d80432c79 9207 byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
wolfSSL 4:1b0d80432c79 9208 byte snArray[MAX_SN_SZ];
wolfSSL 4:1b0d80432c79 9209 byte extArray[MAX_OCSP_EXT_SZ];
wolfSSL 4:1b0d80432c79 9210 word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
wolfSSL 4:1b0d80432c79 9211 int i;
wolfSSL 4:1b0d80432c79 9212
wolfSSL 4:1b0d80432c79 9213 WOLFSSL_ENTER("EncodeOcspRequest");
wolfSSL 4:1b0d80432c79 9214
wolfSSL 4:1b0d80432c79 9215 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 9216 algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0);
wolfSSL 4:1b0d80432c79 9217 #else
wolfSSL 4:1b0d80432c79 9218 algoSz = SetAlgoID(SHAh, algoArray, hashType, 0);
wolfSSL 4:1b0d80432c79 9219 #endif
wolfSSL 4:1b0d80432c79 9220
wolfSSL 4:1b0d80432c79 9221 issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray);
wolfSSL 4:1b0d80432c79 9222 issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray);
wolfSSL 4:1b0d80432c79 9223 snSz = SetSerialNumber(req->serial, req->serialSz, snArray);
wolfSSL 4:1b0d80432c79 9224 extSz = 0;
wolfSSL 4:1b0d80432c79 9225
wolfSSL 4:1b0d80432c79 9226 if (req->nonceSz)
wolfSSL 4:1b0d80432c79 9227 extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ);
wolfSSL 4:1b0d80432c79 9228
wolfSSL 4:1b0d80432c79 9229 totalSz = algoSz + issuerSz + issuerKeySz + snSz;
wolfSSL 4:1b0d80432c79 9230 for (i = 4; i >= 0; i--) {
wolfSSL 4:1b0d80432c79 9231 seqSz[i] = SetSequence(totalSz, seqArray[i]);
wolfSSL 4:1b0d80432c79 9232 totalSz += seqSz[i];
wolfSSL 4:1b0d80432c79 9233 if (i == 2) totalSz += extSz;
wolfSSL 4:1b0d80432c79 9234 }
wolfSSL 4:1b0d80432c79 9235
wolfSSL 4:1b0d80432c79 9236 if (totalSz > size)
wolfSSL 4:1b0d80432c79 9237 return BUFFER_E;
wolfSSL 4:1b0d80432c79 9238
wolfSSL 4:1b0d80432c79 9239 totalSz = 0;
wolfSSL 4:1b0d80432c79 9240 for (i = 0; i < 5; i++) {
wolfSSL 4:1b0d80432c79 9241 XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
wolfSSL 4:1b0d80432c79 9242 totalSz += seqSz[i];
wolfSSL 4:1b0d80432c79 9243 }
wolfSSL 4:1b0d80432c79 9244
wolfSSL 4:1b0d80432c79 9245 XMEMCPY(output + totalSz, algoArray, algoSz);
wolfSSL 4:1b0d80432c79 9246 totalSz += algoSz;
wolfSSL 4:1b0d80432c79 9247
wolfSSL 4:1b0d80432c79 9248 XMEMCPY(output + totalSz, issuerArray, issuerSz);
wolfSSL 4:1b0d80432c79 9249 totalSz += issuerSz;
wolfSSL 4:1b0d80432c79 9250
wolfSSL 4:1b0d80432c79 9251 XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
wolfSSL 4:1b0d80432c79 9252 totalSz += issuerKeySz;
wolfSSL 4:1b0d80432c79 9253
wolfSSL 4:1b0d80432c79 9254 XMEMCPY(output + totalSz, snArray, snSz);
wolfSSL 4:1b0d80432c79 9255 totalSz += snSz;
wolfSSL 4:1b0d80432c79 9256
wolfSSL 4:1b0d80432c79 9257 if (extSz != 0) {
wolfSSL 4:1b0d80432c79 9258 XMEMCPY(output + totalSz, extArray, extSz);
wolfSSL 4:1b0d80432c79 9259 totalSz += extSz;
wolfSSL 4:1b0d80432c79 9260 }
wolfSSL 4:1b0d80432c79 9261
wolfSSL 4:1b0d80432c79 9262 return totalSz;
wolfSSL 4:1b0d80432c79 9263 }
wolfSSL 4:1b0d80432c79 9264
wolfSSL 4:1b0d80432c79 9265
wolfSSL 4:1b0d80432c79 9266 int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce)
wolfSSL 4:1b0d80432c79 9267 {
wolfSSL 4:1b0d80432c79 9268 WOLFSSL_ENTER("InitOcspRequest");
wolfSSL 4:1b0d80432c79 9269
wolfSSL 4:1b0d80432c79 9270 if (req == NULL)
wolfSSL 4:1b0d80432c79 9271 return BAD_FUNC_ARG;
wolfSSL 4:1b0d80432c79 9272
wolfSSL 4:1b0d80432c79 9273 ForceZero(req, sizeof(OcspRequest));
wolfSSL 4:1b0d80432c79 9274
wolfSSL 4:1b0d80432c79 9275 if (cert) {
wolfSSL 4:1b0d80432c79 9276 XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 9277 XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 9278
wolfSSL 4:1b0d80432c79 9279 req->serial = (byte*)XMALLOC(cert->serialSz, NULL,
wolfSSL 4:1b0d80432c79 9280 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 4:1b0d80432c79 9281 if (req->serial == NULL)
wolfSSL 4:1b0d80432c79 9282 return MEMORY_E;
wolfSSL 4:1b0d80432c79 9283
wolfSSL 4:1b0d80432c79 9284 XMEMCPY(req->serial, cert->serial, cert->serialSz);
wolfSSL 4:1b0d80432c79 9285 req->serialSz = cert->serialSz;
wolfSSL 4:1b0d80432c79 9286
wolfSSL 4:1b0d80432c79 9287 if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
wolfSSL 4:1b0d80432c79 9288 req->url = (byte*)XMALLOC(cert->extAuthInfoSz, NULL,
wolfSSL 4:1b0d80432c79 9289 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 4:1b0d80432c79 9290 if (req->url == NULL) {
wolfSSL 4:1b0d80432c79 9291 XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP);
wolfSSL 4:1b0d80432c79 9292 return MEMORY_E;
wolfSSL 4:1b0d80432c79 9293 }
wolfSSL 4:1b0d80432c79 9294
wolfSSL 4:1b0d80432c79 9295 XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
wolfSSL 4:1b0d80432c79 9296 req->urlSz = cert->extAuthInfoSz;
wolfSSL 4:1b0d80432c79 9297 }
wolfSSL 4:1b0d80432c79 9298
wolfSSL 4:1b0d80432c79 9299 }
wolfSSL 4:1b0d80432c79 9300
wolfSSL 4:1b0d80432c79 9301 if (useNonce) {
wolfSSL 4:1b0d80432c79 9302 WC_RNG rng;
wolfSSL 4:1b0d80432c79 9303
wolfSSL 4:1b0d80432c79 9304 if (wc_InitRng(&rng) != 0) {
wolfSSL 4:1b0d80432c79 9305 WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
wolfSSL 4:1b0d80432c79 9306 } else {
wolfSSL 4:1b0d80432c79 9307 if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
wolfSSL 4:1b0d80432c79 9308 WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
wolfSSL 4:1b0d80432c79 9309 else
wolfSSL 4:1b0d80432c79 9310 req->nonceSz = MAX_OCSP_NONCE_SZ;
wolfSSL 4:1b0d80432c79 9311
wolfSSL 4:1b0d80432c79 9312 wc_FreeRng(&rng);
wolfSSL 4:1b0d80432c79 9313 }
wolfSSL 4:1b0d80432c79 9314 }
wolfSSL 4:1b0d80432c79 9315
wolfSSL 4:1b0d80432c79 9316 return 0;
wolfSSL 4:1b0d80432c79 9317 }
wolfSSL 4:1b0d80432c79 9318
wolfSSL 4:1b0d80432c79 9319 void FreeOcspRequest(OcspRequest* req)
wolfSSL 4:1b0d80432c79 9320 {
wolfSSL 4:1b0d80432c79 9321 WOLFSSL_ENTER("FreeOcspRequest");
wolfSSL 4:1b0d80432c79 9322
wolfSSL 4:1b0d80432c79 9323 if (req) {
wolfSSL 4:1b0d80432c79 9324 if (req->serial)
wolfSSL 4:1b0d80432c79 9325 XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 4:1b0d80432c79 9326
wolfSSL 4:1b0d80432c79 9327 if (req->url)
wolfSSL 4:1b0d80432c79 9328 XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 4:1b0d80432c79 9329 }
wolfSSL 4:1b0d80432c79 9330 }
wolfSSL 4:1b0d80432c79 9331
wolfSSL 4:1b0d80432c79 9332
wolfSSL 4:1b0d80432c79 9333 int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
wolfSSL 4:1b0d80432c79 9334 {
wolfSSL 4:1b0d80432c79 9335 int cmp;
wolfSSL 4:1b0d80432c79 9336
wolfSSL 4:1b0d80432c79 9337 WOLFSSL_ENTER("CompareOcspReqResp");
wolfSSL 4:1b0d80432c79 9338
wolfSSL 4:1b0d80432c79 9339 if (req == NULL)
wolfSSL 4:1b0d80432c79 9340 {
wolfSSL 4:1b0d80432c79 9341 WOLFSSL_MSG("\tReq missing");
wolfSSL 4:1b0d80432c79 9342 return -1;
wolfSSL 4:1b0d80432c79 9343 }
wolfSSL 4:1b0d80432c79 9344
wolfSSL 4:1b0d80432c79 9345 if (resp == NULL)
wolfSSL 4:1b0d80432c79 9346 {
wolfSSL 4:1b0d80432c79 9347 WOLFSSL_MSG("\tResp missing");
wolfSSL 4:1b0d80432c79 9348 return 1;
wolfSSL 4:1b0d80432c79 9349 }
wolfSSL 4:1b0d80432c79 9350
wolfSSL 4:1b0d80432c79 9351 /* Nonces are not critical. The responder may not necessarily add
wolfSSL 4:1b0d80432c79 9352 * the nonce to the response. */
wolfSSL 4:1b0d80432c79 9353 if (req->nonceSz && resp->nonceSz != 0) {
wolfSSL 4:1b0d80432c79 9354 cmp = req->nonceSz - resp->nonceSz;
wolfSSL 4:1b0d80432c79 9355 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9356 {
wolfSSL 4:1b0d80432c79 9357 WOLFSSL_MSG("\tnonceSz mismatch");
wolfSSL 4:1b0d80432c79 9358 return cmp;
wolfSSL 4:1b0d80432c79 9359 }
wolfSSL 4:1b0d80432c79 9360
wolfSSL 4:1b0d80432c79 9361 cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
wolfSSL 4:1b0d80432c79 9362 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9363 {
wolfSSL 4:1b0d80432c79 9364 WOLFSSL_MSG("\tnonce mismatch");
wolfSSL 4:1b0d80432c79 9365 return cmp;
wolfSSL 4:1b0d80432c79 9366 }
wolfSSL 4:1b0d80432c79 9367 }
wolfSSL 4:1b0d80432c79 9368
wolfSSL 4:1b0d80432c79 9369 cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 9370 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9371 {
wolfSSL 4:1b0d80432c79 9372 WOLFSSL_MSG("\tissuerHash mismatch");
wolfSSL 4:1b0d80432c79 9373 return cmp;
wolfSSL 4:1b0d80432c79 9374 }
wolfSSL 4:1b0d80432c79 9375
wolfSSL 4:1b0d80432c79 9376 cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
wolfSSL 4:1b0d80432c79 9377 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9378 {
wolfSSL 4:1b0d80432c79 9379 WOLFSSL_MSG("\tissuerKeyHash mismatch");
wolfSSL 4:1b0d80432c79 9380 return cmp;
wolfSSL 4:1b0d80432c79 9381 }
wolfSSL 4:1b0d80432c79 9382
wolfSSL 4:1b0d80432c79 9383 cmp = req->serialSz - resp->status->serialSz;
wolfSSL 4:1b0d80432c79 9384 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9385 {
wolfSSL 4:1b0d80432c79 9386 WOLFSSL_MSG("\tserialSz mismatch");
wolfSSL 4:1b0d80432c79 9387 return cmp;
wolfSSL 4:1b0d80432c79 9388 }
wolfSSL 4:1b0d80432c79 9389
wolfSSL 4:1b0d80432c79 9390 cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
wolfSSL 4:1b0d80432c79 9391 if (cmp != 0)
wolfSSL 4:1b0d80432c79 9392 {
wolfSSL 4:1b0d80432c79 9393 WOLFSSL_MSG("\tserial mismatch");
wolfSSL 4:1b0d80432c79 9394 return cmp;
wolfSSL 4:1b0d80432c79 9395 }
wolfSSL 4:1b0d80432c79 9396
wolfSSL 4:1b0d80432c79 9397 return 0;
wolfSSL 4:1b0d80432c79 9398 }
wolfSSL 4:1b0d80432c79 9399
wolfSSL 4:1b0d80432c79 9400 #endif
wolfSSL 4:1b0d80432c79 9401
wolfSSL 4:1b0d80432c79 9402
wolfSSL 4:1b0d80432c79 9403 /* store SHA hash of NAME */
wolfSSL 4:1b0d80432c79 9404 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
wolfSSL 4:1b0d80432c79 9405 int maxIdx)
wolfSSL 4:1b0d80432c79 9406 {
wolfSSL 4:1b0d80432c79 9407 int length; /* length of all distinguished names */
wolfSSL 4:1b0d80432c79 9408 int ret;
wolfSSL 4:1b0d80432c79 9409 word32 dummy;
wolfSSL 4:1b0d80432c79 9410
wolfSSL 4:1b0d80432c79 9411 WOLFSSL_ENTER("GetNameHash");
wolfSSL 4:1b0d80432c79 9412
wolfSSL 4:1b0d80432c79 9413 if (source[*idx] == ASN_OBJECT_ID) {
wolfSSL 4:1b0d80432c79 9414 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 4:1b0d80432c79 9415
wolfSSL 4:1b0d80432c79 9416 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9417 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9418
wolfSSL 4:1b0d80432c79 9419 *idx += length;
wolfSSL 4:1b0d80432c79 9420 WOLFSSL_MSG("Got optional prefix");
wolfSSL 4:1b0d80432c79 9421 }
wolfSSL 4:1b0d80432c79 9422
wolfSSL 4:1b0d80432c79 9423 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 4:1b0d80432c79 9424 * calculated over the entire DER encoding of the Name field, including
wolfSSL 4:1b0d80432c79 9425 * the tag and length. */
wolfSSL 4:1b0d80432c79 9426 dummy = *idx;
wolfSSL 4:1b0d80432c79 9427 if (GetSequence(source, idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9428 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9429
wolfSSL 4:1b0d80432c79 9430 #ifdef NO_SHA
wolfSSL 4:1b0d80432c79 9431 ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash);
wolfSSL 4:1b0d80432c79 9432 #else
wolfSSL 4:1b0d80432c79 9433 ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash);
wolfSSL 4:1b0d80432c79 9434 #endif
wolfSSL 4:1b0d80432c79 9435
wolfSSL 4:1b0d80432c79 9436 *idx += length;
wolfSSL 4:1b0d80432c79 9437
wolfSSL 4:1b0d80432c79 9438 return ret;
wolfSSL 4:1b0d80432c79 9439 }
wolfSSL 4:1b0d80432c79 9440
wolfSSL 4:1b0d80432c79 9441
wolfSSL 4:1b0d80432c79 9442 #ifdef HAVE_CRL
wolfSSL 4:1b0d80432c79 9443
wolfSSL 4:1b0d80432c79 9444 /* initialize decoded CRL */
wolfSSL 4:1b0d80432c79 9445 void InitDecodedCRL(DecodedCRL* dcrl)
wolfSSL 4:1b0d80432c79 9446 {
wolfSSL 4:1b0d80432c79 9447 WOLFSSL_MSG("InitDecodedCRL");
wolfSSL 4:1b0d80432c79 9448
wolfSSL 4:1b0d80432c79 9449 dcrl->certBegin = 0;
wolfSSL 4:1b0d80432c79 9450 dcrl->sigIndex = 0;
wolfSSL 4:1b0d80432c79 9451 dcrl->sigLength = 0;
wolfSSL 4:1b0d80432c79 9452 dcrl->signatureOID = 0;
wolfSSL 4:1b0d80432c79 9453 dcrl->certs = NULL;
wolfSSL 4:1b0d80432c79 9454 dcrl->totalCerts = 0;
wolfSSL 4:1b0d80432c79 9455 }
wolfSSL 4:1b0d80432c79 9456
wolfSSL 4:1b0d80432c79 9457
wolfSSL 4:1b0d80432c79 9458 /* free decoded CRL resources */
wolfSSL 4:1b0d80432c79 9459 void FreeDecodedCRL(DecodedCRL* dcrl)
wolfSSL 4:1b0d80432c79 9460 {
wolfSSL 4:1b0d80432c79 9461 RevokedCert* tmp = dcrl->certs;
wolfSSL 4:1b0d80432c79 9462
wolfSSL 4:1b0d80432c79 9463 WOLFSSL_MSG("FreeDecodedCRL");
wolfSSL 4:1b0d80432c79 9464
wolfSSL 4:1b0d80432c79 9465 while(tmp) {
wolfSSL 4:1b0d80432c79 9466 RevokedCert* next = tmp->next;
wolfSSL 4:1b0d80432c79 9467 XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
wolfSSL 4:1b0d80432c79 9468 tmp = next;
wolfSSL 4:1b0d80432c79 9469 }
wolfSSL 4:1b0d80432c79 9470 }
wolfSSL 4:1b0d80432c79 9471
wolfSSL 4:1b0d80432c79 9472
wolfSSL 4:1b0d80432c79 9473 /* Get Revoked Cert list, 0 on success */
wolfSSL 4:1b0d80432c79 9474 static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
wolfSSL 4:1b0d80432c79 9475 int maxIdx)
wolfSSL 4:1b0d80432c79 9476 {
wolfSSL 4:1b0d80432c79 9477 int len;
wolfSSL 4:1b0d80432c79 9478 word32 end;
wolfSSL 4:1b0d80432c79 9479 byte b;
wolfSSL 4:1b0d80432c79 9480 RevokedCert* rc;
wolfSSL 4:1b0d80432c79 9481
wolfSSL 4:1b0d80432c79 9482 WOLFSSL_ENTER("GetRevoked");
wolfSSL 4:1b0d80432c79 9483
wolfSSL 4:1b0d80432c79 9484 if (GetSequence(buff, idx, &len, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9485 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9486
wolfSSL 4:1b0d80432c79 9487 end = *idx + len;
wolfSSL 4:1b0d80432c79 9488
wolfSSL 4:1b0d80432c79 9489 /* get serial number */
wolfSSL 4:1b0d80432c79 9490 b = buff[*idx];
wolfSSL 4:1b0d80432c79 9491 *idx += 1;
wolfSSL 4:1b0d80432c79 9492
wolfSSL 4:1b0d80432c79 9493 if (b != ASN_INTEGER) {
wolfSSL 4:1b0d80432c79 9494 WOLFSSL_MSG("Expecting Integer");
wolfSSL 4:1b0d80432c79 9495 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9496 }
wolfSSL 4:1b0d80432c79 9497
wolfSSL 4:1b0d80432c79 9498 if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9499 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9500
wolfSSL 4:1b0d80432c79 9501 if (len > EXTERNAL_SERIAL_SIZE) {
wolfSSL 4:1b0d80432c79 9502 WOLFSSL_MSG("Serial Size too big");
wolfSSL 4:1b0d80432c79 9503 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9504 }
wolfSSL 4:1b0d80432c79 9505
wolfSSL 4:1b0d80432c79 9506 rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
wolfSSL 4:1b0d80432c79 9507 if (rc == NULL) {
wolfSSL 4:1b0d80432c79 9508 WOLFSSL_MSG("Alloc Revoked Cert failed");
wolfSSL 4:1b0d80432c79 9509 return MEMORY_E;
wolfSSL 4:1b0d80432c79 9510 }
wolfSSL 4:1b0d80432c79 9511
wolfSSL 4:1b0d80432c79 9512 XMEMCPY(rc->serialNumber, &buff[*idx], len);
wolfSSL 4:1b0d80432c79 9513 rc->serialSz = len;
wolfSSL 4:1b0d80432c79 9514
wolfSSL 4:1b0d80432c79 9515 /* add to list */
wolfSSL 4:1b0d80432c79 9516 rc->next = dcrl->certs;
wolfSSL 4:1b0d80432c79 9517 dcrl->certs = rc;
wolfSSL 4:1b0d80432c79 9518 dcrl->totalCerts++;
wolfSSL 4:1b0d80432c79 9519
wolfSSL 4:1b0d80432c79 9520 *idx += len;
wolfSSL 4:1b0d80432c79 9521
wolfSSL 4:1b0d80432c79 9522 /* get date */
wolfSSL 4:1b0d80432c79 9523 b = buff[*idx];
wolfSSL 4:1b0d80432c79 9524 *idx += 1;
wolfSSL 4:1b0d80432c79 9525
wolfSSL 4:1b0d80432c79 9526 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
wolfSSL 4:1b0d80432c79 9527 WOLFSSL_MSG("Expecting Date");
wolfSSL 4:1b0d80432c79 9528 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9529 }
wolfSSL 4:1b0d80432c79 9530
wolfSSL 4:1b0d80432c79 9531 if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9532 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9533
wolfSSL 4:1b0d80432c79 9534 /* skip for now */
wolfSSL 4:1b0d80432c79 9535 *idx += len;
wolfSSL 4:1b0d80432c79 9536
wolfSSL 4:1b0d80432c79 9537 if (*idx != end) /* skip extensions */
wolfSSL 4:1b0d80432c79 9538 *idx = end;
wolfSSL 4:1b0d80432c79 9539
wolfSSL 4:1b0d80432c79 9540 return 0;
wolfSSL 4:1b0d80432c79 9541 }
wolfSSL 4:1b0d80432c79 9542
wolfSSL 4:1b0d80432c79 9543
wolfSSL 4:1b0d80432c79 9544 /* Get CRL Signature, 0 on success */
wolfSSL 4:1b0d80432c79 9545 static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
wolfSSL 4:1b0d80432c79 9546 int maxIdx)
wolfSSL 4:1b0d80432c79 9547 {
wolfSSL 4:1b0d80432c79 9548 int length;
wolfSSL 4:1b0d80432c79 9549 byte b;
wolfSSL 4:1b0d80432c79 9550
wolfSSL 4:1b0d80432c79 9551 WOLFSSL_ENTER("GetCRL_Signature");
wolfSSL 4:1b0d80432c79 9552
wolfSSL 4:1b0d80432c79 9553 b = source[*idx];
wolfSSL 4:1b0d80432c79 9554 *idx += 1;
wolfSSL 4:1b0d80432c79 9555 if (b != ASN_BIT_STRING)
wolfSSL 4:1b0d80432c79 9556 return ASN_BITSTR_E;
wolfSSL 4:1b0d80432c79 9557
wolfSSL 4:1b0d80432c79 9558 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 4:1b0d80432c79 9559 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9560
wolfSSL 4:1b0d80432c79 9561 dcrl->sigLength = length;
wolfSSL 4:1b0d80432c79 9562
wolfSSL 4:1b0d80432c79 9563 b = source[*idx];
wolfSSL 4:1b0d80432c79 9564 *idx += 1;
wolfSSL 4:1b0d80432c79 9565 if (b != 0x00)
wolfSSL 4:1b0d80432c79 9566 return ASN_EXPECT_0_E;
wolfSSL 4:1b0d80432c79 9567
wolfSSL 4:1b0d80432c79 9568 dcrl->sigLength--;
wolfSSL 4:1b0d80432c79 9569 dcrl->signature = (byte*)&source[*idx];
wolfSSL 4:1b0d80432c79 9570
wolfSSL 4:1b0d80432c79 9571 *idx += dcrl->sigLength;
wolfSSL 4:1b0d80432c79 9572
wolfSSL 4:1b0d80432c79 9573 return 0;
wolfSSL 4:1b0d80432c79 9574 }
wolfSSL 4:1b0d80432c79 9575
wolfSSL 4:1b0d80432c79 9576
wolfSSL 4:1b0d80432c79 9577 /* prase crl buffer into decoded state, 0 on success */
wolfSSL 4:1b0d80432c79 9578 int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
wolfSSL 4:1b0d80432c79 9579 {
wolfSSL 4:1b0d80432c79 9580 int version, len, doNextDate = 1;
wolfSSL 4:1b0d80432c79 9581 word32 oid, idx = 0, dateIdx;
wolfSSL 4:1b0d80432c79 9582 Signer* ca = NULL;
wolfSSL 4:1b0d80432c79 9583
wolfSSL 4:1b0d80432c79 9584 WOLFSSL_MSG("ParseCRL");
wolfSSL 4:1b0d80432c79 9585
wolfSSL 4:1b0d80432c79 9586 /* raw crl hash */
wolfSSL 4:1b0d80432c79 9587 /* hash here if needed for optimized comparisons
wolfSSL 4:1b0d80432c79 9588 * Sha sha;
wolfSSL 4:1b0d80432c79 9589 * wc_InitSha(&sha);
wolfSSL 4:1b0d80432c79 9590 * wc_ShaUpdate(&sha, buff, sz);
wolfSSL 4:1b0d80432c79 9591 * wc_ShaFinal(&sha, dcrl->crlHash); */
wolfSSL 4:1b0d80432c79 9592
wolfSSL 4:1b0d80432c79 9593 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 4:1b0d80432c79 9594 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9595
wolfSSL 4:1b0d80432c79 9596 dcrl->certBegin = idx;
wolfSSL 4:1b0d80432c79 9597
wolfSSL 4:1b0d80432c79 9598 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 4:1b0d80432c79 9599 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9600 dcrl->sigIndex = len + idx;
wolfSSL 4:1b0d80432c79 9601
wolfSSL 4:1b0d80432c79 9602 /* may have version */
wolfSSL 4:1b0d80432c79 9603 if (buff[idx] == ASN_INTEGER) {
wolfSSL 4:1b0d80432c79 9604 if (GetMyVersion(buff, &idx, &version) < 0)
wolfSSL 4:1b0d80432c79 9605 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9606 }
wolfSSL 4:1b0d80432c79 9607
wolfSSL 4:1b0d80432c79 9608 if (GetAlgoId(buff, &idx, &oid, ignoreType, sz) < 0)
wolfSSL 4:1b0d80432c79 9609 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9610
wolfSSL 4:1b0d80432c79 9611 if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
wolfSSL 4:1b0d80432c79 9612 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9613
wolfSSL 4:1b0d80432c79 9614 if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
wolfSSL 4:1b0d80432c79 9615 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9616
wolfSSL 4:1b0d80432c79 9617 dateIdx = idx;
wolfSSL 4:1b0d80432c79 9618
wolfSSL 4:1b0d80432c79 9619 if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
wolfSSL 4:1b0d80432c79 9620 {
wolfSSL 4:1b0d80432c79 9621 #ifndef WOLFSSL_NO_CRL_NEXT_DATE
wolfSSL 4:1b0d80432c79 9622 (void)dateIdx;
wolfSSL 4:1b0d80432c79 9623 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9624 #else
wolfSSL 4:1b0d80432c79 9625 dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */
wolfSSL 4:1b0d80432c79 9626 doNextDate = 0;
wolfSSL 4:1b0d80432c79 9627 idx = dateIdx;
wolfSSL 4:1b0d80432c79 9628 #endif
wolfSSL 4:1b0d80432c79 9629 }
wolfSSL 4:1b0d80432c79 9630
wolfSSL 4:1b0d80432c79 9631 if (doNextDate && !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat,
wolfSSL 4:1b0d80432c79 9632 AFTER)) {
wolfSSL 4:1b0d80432c79 9633 WOLFSSL_MSG("CRL after date is no longer valid");
wolfSSL 4:1b0d80432c79 9634 return ASN_AFTER_DATE_E;
wolfSSL 4:1b0d80432c79 9635 }
wolfSSL 4:1b0d80432c79 9636
wolfSSL 4:1b0d80432c79 9637 if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
wolfSSL 4:1b0d80432c79 9638 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 4:1b0d80432c79 9639 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9640
wolfSSL 4:1b0d80432c79 9641 len += idx;
wolfSSL 4:1b0d80432c79 9642
wolfSSL 4:1b0d80432c79 9643 while (idx < (word32)len) {
wolfSSL 4:1b0d80432c79 9644 if (GetRevoked(buff, &idx, dcrl, sz) < 0)
wolfSSL 4:1b0d80432c79 9645 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9646 }
wolfSSL 4:1b0d80432c79 9647 }
wolfSSL 4:1b0d80432c79 9648
wolfSSL 4:1b0d80432c79 9649 if (idx != dcrl->sigIndex)
wolfSSL 4:1b0d80432c79 9650 idx = dcrl->sigIndex; /* skip extensions */
wolfSSL 4:1b0d80432c79 9651
wolfSSL 4:1b0d80432c79 9652 if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sigType, sz) < 0)
wolfSSL 4:1b0d80432c79 9653 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9654
wolfSSL 4:1b0d80432c79 9655 if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
wolfSSL 4:1b0d80432c79 9656 return ASN_PARSE_E;
wolfSSL 4:1b0d80432c79 9657
wolfSSL 4:1b0d80432c79 9658 /* openssl doesn't add skid by default for CRLs cause firefox chokes
wolfSSL 4:1b0d80432c79 9659 we're not assuming it's available yet */
wolfSSL 4:1b0d80432c79 9660 #if !defined(NO_SKID) && defined(CRL_SKID_READY)
wolfSSL 4:1b0d80432c79 9661 if (dcrl->extAuthKeyIdSet)
wolfSSL 4:1b0d80432c79 9662 ca = GetCA(cm, dcrl->extAuthKeyId);
wolfSSL 4:1b0d80432c79 9663 if (ca == NULL)
wolfSSL 4:1b0d80432c79 9664 ca = GetCAByName(cm, dcrl->issuerHash);
wolfSSL 4:1b0d80432c79 9665 #else /* NO_SKID */
wolfSSL 4:1b0d80432c79 9666 ca = GetCA(cm, dcrl->issuerHash);
wolfSSL 4:1b0d80432c79 9667 #endif /* NO_SKID */
wolfSSL 4:1b0d80432c79 9668 WOLFSSL_MSG("About to verify CRL signature");
wolfSSL 4:1b0d80432c79 9669
wolfSSL 4:1b0d80432c79 9670 if (ca) {
wolfSSL 4:1b0d80432c79 9671 WOLFSSL_MSG("Found CRL issuer CA");
wolfSSL 4:1b0d80432c79 9672 /* try to confirm/verify signature */
wolfSSL 4:1b0d80432c79 9673 #ifndef IGNORE_KEY_EXTENSIONS
wolfSSL 4:1b0d80432c79 9674 if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
wolfSSL 4:1b0d80432c79 9675 WOLFSSL_MSG("CA cannot sign CRLs");
wolfSSL 4:1b0d80432c79 9676 return ASN_CRL_NO_SIGNER_E;
wolfSSL 4:1b0d80432c79 9677 }
wolfSSL 4:1b0d80432c79 9678 #endif /* IGNORE_KEY_EXTENSIONS */
wolfSSL 4:1b0d80432c79 9679 if (!ConfirmSignature(buff + dcrl->certBegin,
wolfSSL 4:1b0d80432c79 9680 dcrl->sigIndex - dcrl->certBegin,
wolfSSL 4:1b0d80432c79 9681 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 4:1b0d80432c79 9682 dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
wolfSSL 4:1b0d80432c79 9683 WOLFSSL_MSG("CRL Confirm signature failed");
wolfSSL 4:1b0d80432c79 9684 return ASN_CRL_CONFIRM_E;
wolfSSL 4:1b0d80432c79 9685 }
wolfSSL 4:1b0d80432c79 9686 }
wolfSSL 4:1b0d80432c79 9687 else {
wolfSSL 4:1b0d80432c79 9688 WOLFSSL_MSG("Did NOT find CRL issuer CA");
wolfSSL 4:1b0d80432c79 9689 return ASN_CRL_NO_SIGNER_E;
wolfSSL 4:1b0d80432c79 9690 }
wolfSSL 4:1b0d80432c79 9691
wolfSSL 4:1b0d80432c79 9692 return 0;
wolfSSL 4:1b0d80432c79 9693 }
wolfSSL 4:1b0d80432c79 9694
wolfSSL 4:1b0d80432c79 9695 #endif /* HAVE_CRL */
wolfSSL 4:1b0d80432c79 9696 #endif /* !NO_ASN */
wolfSSL 4:1b0d80432c79 9697
wolfSSL 4:1b0d80432c79 9698 #ifdef WOLFSSL_SEP
wolfSSL 4:1b0d80432c79 9699
wolfSSL 4:1b0d80432c79 9700
wolfSSL 4:1b0d80432c79 9701
wolfSSL 4:1b0d80432c79 9702 #endif /* WOLFSSL_SEP */
wolfSSL 4:1b0d80432c79 9703