wolf SSL / wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents:   CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/asn.c@7:481bce714567, 2017-05-02 (annotated)

Committer:
wolfSSL
Date:
Tue May 02 08:44:47 2017 +0000
Revision:
7:481bce714567
wolfSSL3.10.2

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 7:481bce714567 1 /* asn.c
wolfSSL 7:481bce714567 2 *
wolfSSL 7:481bce714567 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 7:481bce714567 4 *
wolfSSL 7:481bce714567 5 * This file is part of wolfSSL.
wolfSSL 7:481bce714567 6 *
wolfSSL 7:481bce714567 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 7:481bce714567 8 * it under the terms of the GNU General Public License as published by
wolfSSL 7:481bce714567 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 7:481bce714567 10 * (at your option) any later version.
wolfSSL 7:481bce714567 11 *
wolfSSL 7:481bce714567 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 7:481bce714567 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 7:481bce714567 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 7:481bce714567 15 * GNU General Public License for more details.
wolfSSL 7:481bce714567 16 *
wolfSSL 7:481bce714567 17 * You should have received a copy of the GNU General Public License
wolfSSL 7:481bce714567 18 * along with this program; if not, write to the Free Software
wolfSSL 7:481bce714567 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 7:481bce714567 20 */
wolfSSL 7:481bce714567 21
wolfSSL 7:481bce714567 22
wolfSSL 7:481bce714567 23 #ifdef HAVE_CONFIG_H
wolfSSL 7:481bce714567 24 #include <config.h>
wolfSSL 7:481bce714567 25 #endif
wolfSSL 7:481bce714567 26
wolfSSL 7:481bce714567 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 7:481bce714567 28
wolfSSL 7:481bce714567 29 /*
wolfSSL 7:481bce714567 30 ASN Options:
wolfSSL 7:481bce714567 31 * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
wolfSSL 7:481bce714567 32 or wishing to save space.
wolfSSL 7:481bce714567 33 * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
wolfSSL 7:481bce714567 34 * ASN_DUMP_OID: Allows dump of OID information for debugging.
wolfSSL 7:481bce714567 35 * RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
wolfSSL 7:481bce714567 36 * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
wolfSSL 7:481bce714567 37 */
wolfSSL 7:481bce714567 38
wolfSSL 7:481bce714567 39 #ifndef NO_ASN
wolfSSL 7:481bce714567 40
wolfSSL 7:481bce714567 41 #ifdef HAVE_RTP_SYS
wolfSSL 7:481bce714567 42 #include "os.h" /* dc_rtc_api needs */
wolfSSL 7:481bce714567 43 #include "dc_rtc_api.h" /* to get current time */
wolfSSL 7:481bce714567 44 #endif
wolfSSL 7:481bce714567 45
wolfSSL 7:481bce714567 46 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 7:481bce714567 47 #include <wolfssl/wolfcrypt/coding.h>
wolfSSL 7:481bce714567 48 #include <wolfssl/wolfcrypt/md2.h>
wolfSSL 7:481bce714567 49 #include <wolfssl/wolfcrypt/hmac.h>
wolfSSL 7:481bce714567 50 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 7:481bce714567 51 #include <wolfssl/wolfcrypt/pwdbased.h>
wolfSSL 7:481bce714567 52 #include <wolfssl/wolfcrypt/des3.h>
wolfSSL 7:481bce714567 53 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 7:481bce714567 54
wolfSSL 7:481bce714567 55 #include <wolfssl/wolfcrypt/random.h>
wolfSSL 7:481bce714567 56 #include <wolfssl/wolfcrypt/hash.h>
wolfSSL 7:481bce714567 57 #ifdef NO_INLINE
wolfSSL 7:481bce714567 58 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 7:481bce714567 59 #else
wolfSSL 7:481bce714567 60 #define WOLFSSL_MISC_INCLUDED
wolfSSL 7:481bce714567 61 #include <wolfcrypt/src/misc.c>
wolfSSL 7:481bce714567 62 #endif
wolfSSL 7:481bce714567 63
wolfSSL 7:481bce714567 64 #ifndef NO_RC4
wolfSSL 7:481bce714567 65 #include <wolfssl/wolfcrypt/arc4.h>
wolfSSL 7:481bce714567 66 #endif
wolfSSL 7:481bce714567 67
wolfSSL 7:481bce714567 68 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 69 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 7:481bce714567 70 #endif
wolfSSL 7:481bce714567 71
wolfSSL 7:481bce714567 72 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
wolfSSL 7:481bce714567 73 #include <wolfssl/wolfcrypt/sha512.h>
wolfSSL 7:481bce714567 74 #endif
wolfSSL 7:481bce714567 75
wolfSSL 7:481bce714567 76 #ifndef NO_SHA256
wolfSSL 7:481bce714567 77 #include <wolfssl/wolfcrypt/sha256.h>
wolfSSL 7:481bce714567 78 #endif
wolfSSL 7:481bce714567 79
wolfSSL 7:481bce714567 80 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 81 #include <wolfssl/wolfcrypt/ecc.h>
wolfSSL 7:481bce714567 82 #endif
wolfSSL 7:481bce714567 83
wolfSSL 7:481bce714567 84 #ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL 7:481bce714567 85 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 7:481bce714567 86 #if MQX_USE_IO_OLD
wolfSSL 7:481bce714567 87 #include <fio.h>
wolfSSL 7:481bce714567 88 #else
wolfSSL 7:481bce714567 89 #include <nio.h>
wolfSSL 7:481bce714567 90 #endif
wolfSSL 7:481bce714567 91 #else
wolfSSL 7:481bce714567 92 #include <stdio.h>
wolfSSL 7:481bce714567 93 #endif
wolfSSL 7:481bce714567 94 #endif
wolfSSL 7:481bce714567 95
wolfSSL 7:481bce714567 96 #ifdef _MSC_VER
wolfSSL 7:481bce714567 97 /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
wolfSSL 7:481bce714567 98 #pragma warning(disable: 4996)
wolfSSL 7:481bce714567 99 #endif
wolfSSL 7:481bce714567 100
wolfSSL 7:481bce714567 101 #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
wolfSSL 7:481bce714567 102
wolfSSL 7:481bce714567 103 #ifndef NO_ASN_TIME
wolfSSL 7:481bce714567 104 #if defined(USER_TIME)
wolfSSL 7:481bce714567 105 /* Use our gmtime and time_t/struct tm types.
wolfSSL 7:481bce714567 106 Only needs seconds since EPOCH using XTIME function.
wolfSSL 7:481bce714567 107 time_t XTIME(time_t * timer) {}
wolfSSL 7:481bce714567 108 */
wolfSSL 7:481bce714567 109 #define WOLFSSL_GMTIME
wolfSSL 7:481bce714567 110 #define USE_WOLF_TM
wolfSSL 7:481bce714567 111 #define USE_WOLF_TIME_T
wolfSSL 7:481bce714567 112
wolfSSL 7:481bce714567 113 #elif defined(TIME_OVERRIDES)
wolfSSL 7:481bce714567 114 /* Override XTIME() and XGMTIME() functionality.
wolfSSL 7:481bce714567 115 Requires user to provide these functions:
wolfSSL 7:481bce714567 116 time_t XTIME(time_t * timer) {}
wolfSSL 7:481bce714567 117 struct tm* XGMTIME(const time_t* timer, struct tm* tmp) {}
wolfSSL 7:481bce714567 118 */
wolfSSL 7:481bce714567 119 #ifndef HAVE_TIME_T_TYPE
wolfSSL 7:481bce714567 120 #define USE_WOLF_TIME_T
wolfSSL 7:481bce714567 121 #endif
wolfSSL 7:481bce714567 122 #ifndef HAVE_TM_TYPE
wolfSSL 7:481bce714567 123 #define USE_WOLF_TM
wolfSSL 7:481bce714567 124 #endif
wolfSSL 7:481bce714567 125 #define NEED_TMP_TIME
wolfSSL 7:481bce714567 126
wolfSSL 7:481bce714567 127 #elif defined(HAVE_RTP_SYS)
wolfSSL 7:481bce714567 128 /* uses parital <time.h> structures */
wolfSSL 7:481bce714567 129 #define XTIME(tl) (0)
wolfSSL 7:481bce714567 130 #define XGMTIME(c, t) rtpsys_gmtime((c))
wolfSSL 7:481bce714567 131
wolfSSL 7:481bce714567 132 #elif defined(MICRIUM)
wolfSSL 7:481bce714567 133 #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
wolfSSL 7:481bce714567 134 #define XVALIDATE_DATE(d, f, t) NetSecure_ValidateDateHandler((d), (f), (t))
wolfSSL 7:481bce714567 135 #else
wolfSSL 7:481bce714567 136 #define XVALIDATE_DATE(d, f, t) (0)
wolfSSL 7:481bce714567 137 #endif
wolfSSL 7:481bce714567 138 #define NO_TIME_H
wolfSSL 7:481bce714567 139 /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
wolfSSL 7:481bce714567 140
wolfSSL 7:481bce714567 141 #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 7:481bce714567 142 #include <time.h>
wolfSSL 7:481bce714567 143 #define XTIME(t1) pic32_time((t1))
wolfSSL 7:481bce714567 144 #define XGMTIME(c, t) gmtime((c))
wolfSSL 7:481bce714567 145
wolfSSL 7:481bce714567 146 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 7:481bce714567 147 #define XTIME(t1) mqx_time((t1))
wolfSSL 7:481bce714567 148 #define HAVE_GMTIME_R
wolfSSL 7:481bce714567 149
wolfSSL 7:481bce714567 150 #elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 7:481bce714567 151 #include <time.h>
wolfSSL 7:481bce714567 152 #ifndef XTIME
wolfSSL 7:481bce714567 153 #define XTIME(t1) ksdk_time((t1))
wolfSSL 7:481bce714567 154 #endif
wolfSSL 7:481bce714567 155 #define XGMTIME(c, t) gmtime((c))
wolfSSL 7:481bce714567 156
wolfSSL 7:481bce714567 157 #elif defined(WOLFSSL_ATMEL)
wolfSSL 7:481bce714567 158 #define XTIME(t1) atmel_get_curr_time_and_date((t1))
wolfSSL 7:481bce714567 159 #define WOLFSSL_GMTIME
wolfSSL 7:481bce714567 160 #define USE_WOLF_TM
wolfSSL 7:481bce714567 161 #define USE_WOLF_TIME_T
wolfSSL 7:481bce714567 162
wolfSSL 7:481bce714567 163 #elif defined(IDIRECT_DEV_TIME)
wolfSSL 7:481bce714567 164 /*Gets the timestamp from cloak software owned by VT iDirect
wolfSSL 7:481bce714567 165 in place of time() from <time.h> */
wolfSSL 7:481bce714567 166 #include <time.h>
wolfSSL 7:481bce714567 167 #define XTIME(t1) idirect_time((t1))
wolfSSL 7:481bce714567 168 #define XGMTIME(c, t) gmtime((c))
wolfSSL 7:481bce714567 169
wolfSSL 7:481bce714567 170 #elif defined(_WIN32_WCE)
wolfSSL 7:481bce714567 171 #include <windows.h>
wolfSSL 7:481bce714567 172 #define XTIME(t1) windows_time((t1))
wolfSSL 7:481bce714567 173 #define WOLFSSL_GMTIME
wolfSSL 7:481bce714567 174
wolfSSL 7:481bce714567 175 #else
wolfSSL 7:481bce714567 176 /* default */
wolfSSL 7:481bce714567 177 /* uses complete <time.h> facility */
wolfSSL 7:481bce714567 178 #include <time.h>
wolfSSL 7:481bce714567 179 #endif
wolfSSL 7:481bce714567 180
wolfSSL 7:481bce714567 181
wolfSSL 7:481bce714567 182 /* Map default time functions */
wolfSSL 7:481bce714567 183 #if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME)
wolfSSL 7:481bce714567 184 #define XTIME(tl) time((tl))
wolfSSL 7:481bce714567 185 #endif
wolfSSL 7:481bce714567 186 #if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
wolfSSL 7:481bce714567 187 #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R)
wolfSSL 7:481bce714567 188 #define XGMTIME(c, t) gmtime((c))
wolfSSL 7:481bce714567 189 #else
wolfSSL 7:481bce714567 190 #define XGMTIME(c, t) gmtime_r((c), (t))
wolfSSL 7:481bce714567 191 #define NEED_TMP_TIME
wolfSSL 7:481bce714567 192 #endif
wolfSSL 7:481bce714567 193 #endif
wolfSSL 7:481bce714567 194 #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE)
wolfSSL 7:481bce714567 195 #define USE_WOLF_VALIDDATE
wolfSSL 7:481bce714567 196 #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL 7:481bce714567 197 #endif
wolfSSL 7:481bce714567 198
wolfSSL 7:481bce714567 199 /* wolf struct tm and time_t */
wolfSSL 7:481bce714567 200 #if defined(USE_WOLF_TM)
wolfSSL 7:481bce714567 201 struct tm {
wolfSSL 7:481bce714567 202 int tm_sec; /* seconds after the minute [0-60] */
wolfSSL 7:481bce714567 203 int tm_min; /* minutes after the hour [0-59] */
wolfSSL 7:481bce714567 204 int tm_hour; /* hours since midnight [0-23] */
wolfSSL 7:481bce714567 205 int tm_mday; /* day of the month [1-31] */
wolfSSL 7:481bce714567 206 int tm_mon; /* months since January [0-11] */
wolfSSL 7:481bce714567 207 int tm_year; /* years since 1900 */
wolfSSL 7:481bce714567 208 int tm_wday; /* days since Sunday [0-6] */
wolfSSL 7:481bce714567 209 int tm_yday; /* days since January 1 [0-365] */
wolfSSL 7:481bce714567 210 int tm_isdst; /* Daylight Savings Time flag */
wolfSSL 7:481bce714567 211 long tm_gmtoff; /* offset from CUT in seconds */
wolfSSL 7:481bce714567 212 char *tm_zone; /* timezone abbreviation */
wolfSSL 7:481bce714567 213 };
wolfSSL 7:481bce714567 214 #endif /* USE_WOLF_TM */
wolfSSL 7:481bce714567 215 #if defined(USE_WOLF_TIME_T)
wolfSSL 7:481bce714567 216 typedef long time_t;
wolfSSL 7:481bce714567 217 #endif
wolfSSL 7:481bce714567 218
wolfSSL 7:481bce714567 219 /* forward declarations */
wolfSSL 7:481bce714567 220 #if defined(USER_TIME)
wolfSSL 7:481bce714567 221 struct tm* gmtime(const time_t* timer);
wolfSSL 7:481bce714567 222 extern time_t XTIME(time_t * timer);
wolfSSL 7:481bce714567 223
wolfSSL 7:481bce714567 224 #ifdef STACK_TRAP
wolfSSL 7:481bce714567 225 /* for stack trap tracking, don't call os gmtime on OS X/linux,
wolfSSL 7:481bce714567 226 uses a lot of stack spce */
wolfSSL 7:481bce714567 227 extern time_t time(time_t * timer);
wolfSSL 7:481bce714567 228 #define XTIME(tl) time((tl))
wolfSSL 7:481bce714567 229 #endif /* STACK_TRAP */
wolfSSL 7:481bce714567 230
wolfSSL 7:481bce714567 231 #elif defined(TIME_OVERRIDES)
wolfSSL 7:481bce714567 232 extern time_t XTIME(time_t * timer);
wolfSSL 7:481bce714567 233 extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp);
wolfSSL 7:481bce714567 234 #elif defined(WOLFSSL_GMTIME)
wolfSSL 7:481bce714567 235 struct tm* gmtime(const time_t* timer);
wolfSSL 7:481bce714567 236 #endif
wolfSSL 7:481bce714567 237
wolfSSL 7:481bce714567 238 #if defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
wolfSSL 7:481bce714567 239 /* extern time_t ksdk_time(time_t* timer); */
wolfSSL 7:481bce714567 240 #endif /* FREESCALE_KSDK_BM || FREESCALE_FREE_RTOS */
wolfSSL 7:481bce714567 241
wolfSSL 7:481bce714567 242
wolfSSL 7:481bce714567 243 #if defined(_WIN32_WCE)
wolfSSL 7:481bce714567 244 time_t windows_time(time_t* timer)
wolfSSL 7:481bce714567 245 {
wolfSSL 7:481bce714567 246 SYSTEMTIME sysTime;
wolfSSL 7:481bce714567 247 FILETIME fTime;
wolfSSL 7:481bce714567 248 ULARGE_INTEGER intTime;
wolfSSL 7:481bce714567 249 time_t localTime;
wolfSSL 7:481bce714567 250
wolfSSL 7:481bce714567 251 if (timer == NULL)
wolfSSL 7:481bce714567 252 timer = &localTime;
wolfSSL 7:481bce714567 253
wolfSSL 7:481bce714567 254 GetSystemTime(&sysTime);
wolfSSL 7:481bce714567 255 SystemTimeToFileTime(&sysTime, &fTime);
wolfSSL 7:481bce714567 256
wolfSSL 7:481bce714567 257 XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
wolfSSL 7:481bce714567 258 /* subtract EPOCH */
wolfSSL 7:481bce714567 259 intTime.QuadPart -= 0x19db1ded53e8000;
wolfSSL 7:481bce714567 260 /* to secs */
wolfSSL 7:481bce714567 261 intTime.QuadPart /= 10000000;
wolfSSL 7:481bce714567 262 *timer = (time_t)intTime.QuadPart;
wolfSSL 7:481bce714567 263
wolfSSL 7:481bce714567 264 return *timer;
wolfSSL 7:481bce714567 265 }
wolfSSL 7:481bce714567 266 #endif /* _WIN32_WCE */
wolfSSL 7:481bce714567 267
wolfSSL 7:481bce714567 268 #if defined(WOLFSSL_GMTIME)
wolfSSL 7:481bce714567 269 struct tm* gmtime(const time_t* timer)
wolfSSL 7:481bce714567 270 {
wolfSSL 7:481bce714567 271 #define YEAR0 1900
wolfSSL 7:481bce714567 272 #define EPOCH_YEAR 1970
wolfSSL 7:481bce714567 273 #define SECS_DAY (24L * 60L * 60L)
wolfSSL 7:481bce714567 274 #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400)))
wolfSSL 7:481bce714567 275 #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
wolfSSL 7:481bce714567 276
wolfSSL 7:481bce714567 277 static const int _ytab[2][12] =
wolfSSL 7:481bce714567 278 {
wolfSSL 7:481bce714567 279 {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
wolfSSL 7:481bce714567 280 {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
wolfSSL 7:481bce714567 281 };
wolfSSL 7:481bce714567 282
wolfSSL 7:481bce714567 283 static struct tm st_time;
wolfSSL 7:481bce714567 284 struct tm* ret = &st_time;
wolfSSL 7:481bce714567 285 time_t secs = *timer;
wolfSSL 7:481bce714567 286 unsigned long dayclock, dayno;
wolfSSL 7:481bce714567 287 int year = EPOCH_YEAR;
wolfSSL 7:481bce714567 288
wolfSSL 7:481bce714567 289 dayclock = (unsigned long)secs % SECS_DAY;
wolfSSL 7:481bce714567 290 dayno = (unsigned long)secs / SECS_DAY;
wolfSSL 7:481bce714567 291
wolfSSL 7:481bce714567 292 ret->tm_sec = (int) dayclock % 60;
wolfSSL 7:481bce714567 293 ret->tm_min = (int)(dayclock % 3600) / 60;
wolfSSL 7:481bce714567 294 ret->tm_hour = (int) dayclock / 3600;
wolfSSL 7:481bce714567 295 ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */
wolfSSL 7:481bce714567 296
wolfSSL 7:481bce714567 297 while(dayno >= (unsigned long)YEARSIZE(year)) {
wolfSSL 7:481bce714567 298 dayno -= YEARSIZE(year);
wolfSSL 7:481bce714567 299 year++;
wolfSSL 7:481bce714567 300 }
wolfSSL 7:481bce714567 301
wolfSSL 7:481bce714567 302 ret->tm_year = year - YEAR0;
wolfSSL 7:481bce714567 303 ret->tm_yday = (int)dayno;
wolfSSL 7:481bce714567 304 ret->tm_mon = 0;
wolfSSL 7:481bce714567 305
wolfSSL 7:481bce714567 306 while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
wolfSSL 7:481bce714567 307 dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
wolfSSL 7:481bce714567 308 ret->tm_mon++;
wolfSSL 7:481bce714567 309 }
wolfSSL 7:481bce714567 310
wolfSSL 7:481bce714567 311 ret->tm_mday = (int)++dayno;
wolfSSL 7:481bce714567 312 ret->tm_isdst = 0;
wolfSSL 7:481bce714567 313
wolfSSL 7:481bce714567 314 return ret;
wolfSSL 7:481bce714567 315 }
wolfSSL 7:481bce714567 316 #endif /* WOLFSSL_GMTIME */
wolfSSL 7:481bce714567 317
wolfSSL 7:481bce714567 318
wolfSSL 7:481bce714567 319 #if defined(HAVE_RTP_SYS)
wolfSSL 7:481bce714567 320 #define YEAR0 1900
wolfSSL 7:481bce714567 321
wolfSSL 7:481bce714567 322 struct tm* rtpsys_gmtime(const time_t* timer) /* has a gmtime() but hangs */
wolfSSL 7:481bce714567 323 {
wolfSSL 7:481bce714567 324 static struct tm st_time;
wolfSSL 7:481bce714567 325 struct tm* ret = &st_time;
wolfSSL 7:481bce714567 326
wolfSSL 7:481bce714567 327 DC_RTC_CALENDAR cal;
wolfSSL 7:481bce714567 328 dc_rtc_time_get(&cal, TRUE);
wolfSSL 7:481bce714567 329
wolfSSL 7:481bce714567 330 ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */
wolfSSL 7:481bce714567 331 ret->tm_mon = cal.month - 1; /* gm starts at 0 */
wolfSSL 7:481bce714567 332 ret->tm_mday = cal.day;
wolfSSL 7:481bce714567 333 ret->tm_hour = cal.hour;
wolfSSL 7:481bce714567 334 ret->tm_min = cal.minute;
wolfSSL 7:481bce714567 335 ret->tm_sec = cal.second;
wolfSSL 7:481bce714567 336
wolfSSL 7:481bce714567 337 return ret;
wolfSSL 7:481bce714567 338 }
wolfSSL 7:481bce714567 339
wolfSSL 7:481bce714567 340 #endif /* HAVE_RTP_SYS */
wolfSSL 7:481bce714567 341
wolfSSL 7:481bce714567 342
wolfSSL 7:481bce714567 343 #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
wolfSSL 7:481bce714567 344
wolfSSL 7:481bce714567 345 /*
wolfSSL 7:481bce714567 346 * time() is just a stub in Microchip libraries. We need our own
wolfSSL 7:481bce714567 347 * implementation. Use SNTP client to get seconds since epoch.
wolfSSL 7:481bce714567 348 */
wolfSSL 7:481bce714567 349 time_t pic32_time(time_t* timer)
wolfSSL 7:481bce714567 350 {
wolfSSL 7:481bce714567 351 #ifdef MICROCHIP_TCPIP_V5
wolfSSL 7:481bce714567 352 DWORD sec = 0;
wolfSSL 7:481bce714567 353 #else
wolfSSL 7:481bce714567 354 uint32_t sec = 0;
wolfSSL 7:481bce714567 355 #endif
wolfSSL 7:481bce714567 356 time_t localTime;
wolfSSL 7:481bce714567 357
wolfSSL 7:481bce714567 358 if (timer == NULL)
wolfSSL 7:481bce714567 359 timer = &localTime;
wolfSSL 7:481bce714567 360
wolfSSL 7:481bce714567 361 #ifdef MICROCHIP_MPLAB_HARMONY
wolfSSL 7:481bce714567 362 sec = TCPIP_SNTP_UTCSecondsGet();
wolfSSL 7:481bce714567 363 #else
wolfSSL 7:481bce714567 364 sec = SNTPGetUTCSeconds();
wolfSSL 7:481bce714567 365 #endif
wolfSSL 7:481bce714567 366 *timer = (time_t) sec;
wolfSSL 7:481bce714567 367
wolfSSL 7:481bce714567 368 return *timer;
wolfSSL 7:481bce714567 369 }
wolfSSL 7:481bce714567 370
wolfSSL 7:481bce714567 371 #endif /* MICROCHIP_TCPIP || MICROCHIP_TCPIP_V5 */
wolfSSL 7:481bce714567 372
wolfSSL 7:481bce714567 373
wolfSSL 7:481bce714567 374 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 7:481bce714567 375
wolfSSL 7:481bce714567 376 time_t mqx_time(time_t* timer)
wolfSSL 7:481bce714567 377 {
wolfSSL 7:481bce714567 378 time_t localTime;
wolfSSL 7:481bce714567 379 TIME_STRUCT time_s;
wolfSSL 7:481bce714567 380
wolfSSL 7:481bce714567 381 if (timer == NULL)
wolfSSL 7:481bce714567 382 timer = &localTime;
wolfSSL 7:481bce714567 383
wolfSSL 7:481bce714567 384 _time_get(&time_s);
wolfSSL 7:481bce714567 385 *timer = (time_t) time_s.SECONDS;
wolfSSL 7:481bce714567 386
wolfSSL 7:481bce714567 387 return *timer;
wolfSSL 7:481bce714567 388 }
wolfSSL 7:481bce714567 389
wolfSSL 7:481bce714567 390 #endif /* FREESCALE_MQX || FREESCALE_KSDK_MQX */
wolfSSL 7:481bce714567 391
wolfSSL 7:481bce714567 392
wolfSSL 7:481bce714567 393 #if defined(WOLFSSL_TIRTOS)
wolfSSL 7:481bce714567 394
wolfSSL 7:481bce714567 395 time_t XTIME(time_t * timer)
wolfSSL 7:481bce714567 396 {
wolfSSL 7:481bce714567 397 time_t sec = 0;
wolfSSL 7:481bce714567 398
wolfSSL 7:481bce714567 399 sec = (time_t) Seconds_get();
wolfSSL 7:481bce714567 400
wolfSSL 7:481bce714567 401 if (timer != NULL)
wolfSSL 7:481bce714567 402 *timer = sec;
wolfSSL 7:481bce714567 403
wolfSSL 7:481bce714567 404 return sec;
wolfSSL 7:481bce714567 405 }
wolfSSL 7:481bce714567 406
wolfSSL 7:481bce714567 407 #endif /* WOLFSSL_TIRTOS */
wolfSSL 7:481bce714567 408
wolfSSL 7:481bce714567 409
wolfSSL 7:481bce714567 410 static INLINE word32 btoi(byte b)
wolfSSL 7:481bce714567 411 {
wolfSSL 7:481bce714567 412 return (word32)(b - 0x30);
wolfSSL 7:481bce714567 413 }
wolfSSL 7:481bce714567 414
wolfSSL 7:481bce714567 415
wolfSSL 7:481bce714567 416 /* two byte date/time, add to value */
wolfSSL 7:481bce714567 417 static INLINE void GetTime(int* value, const byte* date, int* idx)
wolfSSL 7:481bce714567 418 {
wolfSSL 7:481bce714567 419 int i = *idx;
wolfSSL 7:481bce714567 420
wolfSSL 7:481bce714567 421 *value += btoi(date[i++]) * 10;
wolfSSL 7:481bce714567 422 *value += btoi(date[i++]);
wolfSSL 7:481bce714567 423
wolfSSL 7:481bce714567 424 *idx = i;
wolfSSL 7:481bce714567 425 }
wolfSSL 7:481bce714567 426
wolfSSL 7:481bce714567 427
wolfSSL 7:481bce714567 428 #if defined(MICRIUM)
wolfSSL 7:481bce714567 429
wolfSSL 7:481bce714567 430 CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
wolfSSL 7:481bce714567 431 CPU_INT08U dateType)
wolfSSL 7:481bce714567 432 {
wolfSSL 7:481bce714567 433 CPU_BOOLEAN rtn_code;
wolfSSL 7:481bce714567 434 CPU_INT32S i;
wolfSSL 7:481bce714567 435 CPU_INT32S val;
wolfSSL 7:481bce714567 436 CPU_INT16U year;
wolfSSL 7:481bce714567 437 CPU_INT08U month;
wolfSSL 7:481bce714567 438 CPU_INT16U day;
wolfSSL 7:481bce714567 439 CPU_INT08U hour;
wolfSSL 7:481bce714567 440 CPU_INT08U min;
wolfSSL 7:481bce714567 441 CPU_INT08U sec;
wolfSSL 7:481bce714567 442
wolfSSL 7:481bce714567 443 i = 0;
wolfSSL 7:481bce714567 444 year = 0u;
wolfSSL 7:481bce714567 445
wolfSSL 7:481bce714567 446 if (format == ASN_UTC_TIME) {
wolfSSL 7:481bce714567 447 if (btoi(date[0]) >= 5)
wolfSSL 7:481bce714567 448 year = 1900;
wolfSSL 7:481bce714567 449 else
wolfSSL 7:481bce714567 450 year = 2000;
wolfSSL 7:481bce714567 451 }
wolfSSL 7:481bce714567 452 else { /* format == GENERALIZED_TIME */
wolfSSL 7:481bce714567 453 year += btoi(date[i++]) * 1000;
wolfSSL 7:481bce714567 454 year += btoi(date[i++]) * 100;
wolfSSL 7:481bce714567 455 }
wolfSSL 7:481bce714567 456
wolfSSL 7:481bce714567 457 val = year;
wolfSSL 7:481bce714567 458 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 459 year = (CPU_INT16U)val;
wolfSSL 7:481bce714567 460
wolfSSL 7:481bce714567 461 val = 0;
wolfSSL 7:481bce714567 462 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 463 month = (CPU_INT08U)val;
wolfSSL 7:481bce714567 464
wolfSSL 7:481bce714567 465 val = 0;
wolfSSL 7:481bce714567 466 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 467 day = (CPU_INT16U)val;
wolfSSL 7:481bce714567 468
wolfSSL 7:481bce714567 469 val = 0;
wolfSSL 7:481bce714567 470 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 471 hour = (CPU_INT08U)val;
wolfSSL 7:481bce714567 472
wolfSSL 7:481bce714567 473 val = 0;
wolfSSL 7:481bce714567 474 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 475 min = (CPU_INT08U)val;
wolfSSL 7:481bce714567 476
wolfSSL 7:481bce714567 477 val = 0;
wolfSSL 7:481bce714567 478 GetTime(&val, date, &i);
wolfSSL 7:481bce714567 479 sec = (CPU_INT08U)val;
wolfSSL 7:481bce714567 480
wolfSSL 7:481bce714567 481 return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType);
wolfSSL 7:481bce714567 482 }
wolfSSL 7:481bce714567 483
wolfSSL 7:481bce714567 484 #endif /* MICRIUM */
wolfSSL 7:481bce714567 485
wolfSSL 7:481bce714567 486
wolfSSL 7:481bce714567 487 #if defined(IDIRECT_DEV_TIME)
wolfSSL 7:481bce714567 488
wolfSSL 7:481bce714567 489 extern time_t getTimestamp();
wolfSSL 7:481bce714567 490
wolfSSL 7:481bce714567 491 time_t idirect_time(time_t * timer)
wolfSSL 7:481bce714567 492 {
wolfSSL 7:481bce714567 493 time_t sec = getTimestamp();
wolfSSL 7:481bce714567 494
wolfSSL 7:481bce714567 495 if (timer != NULL)
wolfSSL 7:481bce714567 496 *timer = sec;
wolfSSL 7:481bce714567 497
wolfSSL 7:481bce714567 498 return sec;
wolfSSL 7:481bce714567 499 }
wolfSSL 7:481bce714567 500
wolfSSL 7:481bce714567 501 #endif /* IDIRECT_DEV_TIME */
wolfSSL 7:481bce714567 502
wolfSSL 7:481bce714567 503 #endif /* !NO_ASN_TIME */
wolfSSL 7:481bce714567 504
wolfSSL 7:481bce714567 505
wolfSSL 7:481bce714567 506 WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
wolfSSL 7:481bce714567 507 word32 maxIdx)
wolfSSL 7:481bce714567 508 {
wolfSSL 7:481bce714567 509 int length = 0;
wolfSSL 7:481bce714567 510 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 511 byte b;
wolfSSL 7:481bce714567 512
wolfSSL 7:481bce714567 513 *len = 0; /* default length */
wolfSSL 7:481bce714567 514
wolfSSL 7:481bce714567 515 if ((idx + 1) > maxIdx) { /* for first read */
wolfSSL 7:481bce714567 516 WOLFSSL_MSG("GetLength bad index on input");
wolfSSL 7:481bce714567 517 return BUFFER_E;
wolfSSL 7:481bce714567 518 }
wolfSSL 7:481bce714567 519
wolfSSL 7:481bce714567 520 b = input[idx++];
wolfSSL 7:481bce714567 521 if (b >= ASN_LONG_LENGTH) {
wolfSSL 7:481bce714567 522 word32 bytes = b & 0x7F;
wolfSSL 7:481bce714567 523
wolfSSL 7:481bce714567 524 if ((idx + bytes) > maxIdx) { /* for reading bytes */
wolfSSL 7:481bce714567 525 WOLFSSL_MSG("GetLength bad long length");
wolfSSL 7:481bce714567 526 return BUFFER_E;
wolfSSL 7:481bce714567 527 }
wolfSSL 7:481bce714567 528
wolfSSL 7:481bce714567 529 while (bytes--) {
wolfSSL 7:481bce714567 530 b = input[idx++];
wolfSSL 7:481bce714567 531 length = (length << 8) | b;
wolfSSL 7:481bce714567 532 }
wolfSSL 7:481bce714567 533 }
wolfSSL 7:481bce714567 534 else
wolfSSL 7:481bce714567 535 length = b;
wolfSSL 7:481bce714567 536
wolfSSL 7:481bce714567 537 if ((idx + length) > maxIdx) { /* for user of length */
wolfSSL 7:481bce714567 538 WOLFSSL_MSG("GetLength value exceeds buffer length");
wolfSSL 7:481bce714567 539 return BUFFER_E;
wolfSSL 7:481bce714567 540 }
wolfSSL 7:481bce714567 541
wolfSSL 7:481bce714567 542 *inOutIdx = idx;
wolfSSL 7:481bce714567 543 if (length > 0)
wolfSSL 7:481bce714567 544 *len = length;
wolfSSL 7:481bce714567 545
wolfSSL 7:481bce714567 546 return length;
wolfSSL 7:481bce714567 547 }
wolfSSL 7:481bce714567 548
wolfSSL 7:481bce714567 549
wolfSSL 7:481bce714567 550 WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
wolfSSL 7:481bce714567 551 word32 maxIdx)
wolfSSL 7:481bce714567 552 {
wolfSSL 7:481bce714567 553 int length = -1;
wolfSSL 7:481bce714567 554 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 555
wolfSSL 7:481bce714567 556 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 557 return BUFFER_E;
wolfSSL 7:481bce714567 558
wolfSSL 7:481bce714567 559 if (input[idx++] != (ASN_SEQUENCE | ASN_CONSTRUCTED) ||
wolfSSL 7:481bce714567 560 GetLength(input, &idx, &length, maxIdx) < 0) {
wolfSSL 7:481bce714567 561 return ASN_PARSE_E;
wolfSSL 7:481bce714567 562 }
wolfSSL 7:481bce714567 563
wolfSSL 7:481bce714567 564 /* make sure length exists in buffer */
wolfSSL 7:481bce714567 565 if ((idx + length) > maxIdx)
wolfSSL 7:481bce714567 566 return BUFFER_E;
wolfSSL 7:481bce714567 567
wolfSSL 7:481bce714567 568 *len = length;
wolfSSL 7:481bce714567 569 *inOutIdx = idx;
wolfSSL 7:481bce714567 570
wolfSSL 7:481bce714567 571 return length;
wolfSSL 7:481bce714567 572 }
wolfSSL 7:481bce714567 573
wolfSSL 7:481bce714567 574
wolfSSL 7:481bce714567 575 WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
wolfSSL 7:481bce714567 576 word32 maxIdx)
wolfSSL 7:481bce714567 577 {
wolfSSL 7:481bce714567 578 int length = -1;
wolfSSL 7:481bce714567 579 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 580
wolfSSL 7:481bce714567 581 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 582 return BUFFER_E;
wolfSSL 7:481bce714567 583
wolfSSL 7:481bce714567 584 if (input[idx++] != (ASN_SET | ASN_CONSTRUCTED) ||
wolfSSL 7:481bce714567 585 GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 586 return ASN_PARSE_E;
wolfSSL 7:481bce714567 587
wolfSSL 7:481bce714567 588 /* make sure length exists in buffer */
wolfSSL 7:481bce714567 589 if ((idx + length) > maxIdx)
wolfSSL 7:481bce714567 590 return BUFFER_E;
wolfSSL 7:481bce714567 591
wolfSSL 7:481bce714567 592 *len = length;
wolfSSL 7:481bce714567 593 *inOutIdx = idx;
wolfSSL 7:481bce714567 594
wolfSSL 7:481bce714567 595 return length;
wolfSSL 7:481bce714567 596 }
wolfSSL 7:481bce714567 597
wolfSSL 7:481bce714567 598
wolfSSL 7:481bce714567 599 /* Windows header clash for WinCE using GetVersion */
wolfSSL 7:481bce714567 600 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
wolfSSL 7:481bce714567 601 int* version, word32 maxIdx)
wolfSSL 7:481bce714567 602 {
wolfSSL 7:481bce714567 603 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 604
wolfSSL 7:481bce714567 605 WOLFSSL_ENTER("GetMyVersion");
wolfSSL 7:481bce714567 606
wolfSSL 7:481bce714567 607 if ((idx + MIN_VERSION_SZ) > maxIdx)
wolfSSL 7:481bce714567 608 return ASN_PARSE_E;
wolfSSL 7:481bce714567 609
wolfSSL 7:481bce714567 610 if (input[idx++] != ASN_INTEGER)
wolfSSL 7:481bce714567 611 return ASN_PARSE_E;
wolfSSL 7:481bce714567 612
wolfSSL 7:481bce714567 613 if (input[idx++] != 0x01)
wolfSSL 7:481bce714567 614 return ASN_VERSION_E;
wolfSSL 7:481bce714567 615
wolfSSL 7:481bce714567 616 *version = input[idx++];
wolfSSL 7:481bce714567 617 *inOutIdx = idx;
wolfSSL 7:481bce714567 618
wolfSSL 7:481bce714567 619 return *version;
wolfSSL 7:481bce714567 620 }
wolfSSL 7:481bce714567 621
wolfSSL 7:481bce714567 622
wolfSSL 7:481bce714567 623 #ifndef NO_PWDBASED
wolfSSL 7:481bce714567 624 /* Get small count integer, 32 bits or less */
wolfSSL 7:481bce714567 625 int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx)
wolfSSL 7:481bce714567 626 {
wolfSSL 7:481bce714567 627 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 628 word32 len;
wolfSSL 7:481bce714567 629
wolfSSL 7:481bce714567 630 *number = 0;
wolfSSL 7:481bce714567 631
wolfSSL 7:481bce714567 632 /* check for type and length bytes */
wolfSSL 7:481bce714567 633 if ((idx + 2) > maxIdx)
wolfSSL 7:481bce714567 634 return BUFFER_E;
wolfSSL 7:481bce714567 635
wolfSSL 7:481bce714567 636 if (input[idx++] != ASN_INTEGER)
wolfSSL 7:481bce714567 637 return ASN_PARSE_E;
wolfSSL 7:481bce714567 638
wolfSSL 7:481bce714567 639 len = input[idx++];
wolfSSL 7:481bce714567 640 if (len > 4)
wolfSSL 7:481bce714567 641 return ASN_PARSE_E;
wolfSSL 7:481bce714567 642
wolfSSL 7:481bce714567 643 if (len + idx > maxIdx)
wolfSSL 7:481bce714567 644 return ASN_PARSE_E;
wolfSSL 7:481bce714567 645
wolfSSL 7:481bce714567 646 while (len--) {
wolfSSL 7:481bce714567 647 *number = *number << 8 | input[idx++];
wolfSSL 7:481bce714567 648 }
wolfSSL 7:481bce714567 649
wolfSSL 7:481bce714567 650 *inOutIdx = idx;
wolfSSL 7:481bce714567 651
wolfSSL 7:481bce714567 652 return *number;
wolfSSL 7:481bce714567 653 }
wolfSSL 7:481bce714567 654 #endif /* !NO_PWDBASED */
wolfSSL 7:481bce714567 655
wolfSSL 7:481bce714567 656 /* May not have one, not an error */
wolfSSL 7:481bce714567 657 static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version,
wolfSSL 7:481bce714567 658 word32 maxIdx)
wolfSSL 7:481bce714567 659 {
wolfSSL 7:481bce714567 660 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 661
wolfSSL 7:481bce714567 662 WOLFSSL_ENTER("GetExplicitVersion");
wolfSSL 7:481bce714567 663
wolfSSL 7:481bce714567 664 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 665 return BUFFER_E;
wolfSSL 7:481bce714567 666
wolfSSL 7:481bce714567 667 if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 7:481bce714567 668 *inOutIdx = ++idx; /* skip header */
wolfSSL 7:481bce714567 669 return GetMyVersion(input, inOutIdx, version, maxIdx);
wolfSSL 7:481bce714567 670 }
wolfSSL 7:481bce714567 671
wolfSSL 7:481bce714567 672 /* go back as is */
wolfSSL 7:481bce714567 673 *version = 0;
wolfSSL 7:481bce714567 674
wolfSSL 7:481bce714567 675 return 0;
wolfSSL 7:481bce714567 676 }
wolfSSL 7:481bce714567 677
wolfSSL 7:481bce714567 678 int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
wolfSSL 7:481bce714567 679 word32 maxIdx)
wolfSSL 7:481bce714567 680 {
wolfSSL 7:481bce714567 681 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 682 byte b;
wolfSSL 7:481bce714567 683 int length;
wolfSSL 7:481bce714567 684
wolfSSL 7:481bce714567 685 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 686 return BUFFER_E;
wolfSSL 7:481bce714567 687
wolfSSL 7:481bce714567 688 b = input[idx++];
wolfSSL 7:481bce714567 689 if (b != ASN_INTEGER)
wolfSSL 7:481bce714567 690 return ASN_PARSE_E;
wolfSSL 7:481bce714567 691
wolfSSL 7:481bce714567 692 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 693 return ASN_PARSE_E;
wolfSSL 7:481bce714567 694
wolfSSL 7:481bce714567 695 if (length > 0) {
wolfSSL 7:481bce714567 696 /* remove leading zero */
wolfSSL 7:481bce714567 697 if ( (b = input[idx++]) == 0x00)
wolfSSL 7:481bce714567 698 length--;
wolfSSL 7:481bce714567 699 else
wolfSSL 7:481bce714567 700 idx--;
wolfSSL 7:481bce714567 701 }
wolfSSL 7:481bce714567 702
wolfSSL 7:481bce714567 703 if (mp_init(mpi) != MP_OKAY)
wolfSSL 7:481bce714567 704 return MP_INIT_E;
wolfSSL 7:481bce714567 705
wolfSSL 7:481bce714567 706 if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) {
wolfSSL 7:481bce714567 707 mp_clear(mpi);
wolfSSL 7:481bce714567 708 return ASN_GETINT_E;
wolfSSL 7:481bce714567 709 }
wolfSSL 7:481bce714567 710
wolfSSL 7:481bce714567 711 *inOutIdx = idx + length;
wolfSSL 7:481bce714567 712 return 0;
wolfSSL 7:481bce714567 713 }
wolfSSL 7:481bce714567 714
wolfSSL 7:481bce714567 715 #if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
wolfSSL 7:481bce714567 716 static int GetIntRsa(RsaKey* key, mp_int* mpi, const byte* input,
wolfSSL 7:481bce714567 717 word32* inOutIdx, word32 maxIdx)
wolfSSL 7:481bce714567 718 {
wolfSSL 7:481bce714567 719 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 720 byte b;
wolfSSL 7:481bce714567 721 int length;
wolfSSL 7:481bce714567 722
wolfSSL 7:481bce714567 723 (void)key;
wolfSSL 7:481bce714567 724
wolfSSL 7:481bce714567 725 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 726 return BUFFER_E;
wolfSSL 7:481bce714567 727
wolfSSL 7:481bce714567 728 b = input[idx++];
wolfSSL 7:481bce714567 729 if (b != ASN_INTEGER)
wolfSSL 7:481bce714567 730 return ASN_PARSE_E;
wolfSSL 7:481bce714567 731
wolfSSL 7:481bce714567 732 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 733 return ASN_PARSE_E;
wolfSSL 7:481bce714567 734
wolfSSL 7:481bce714567 735 if (length > 0) {
wolfSSL 7:481bce714567 736 /* remove leading zero */
wolfSSL 7:481bce714567 737 if ( (b = input[idx++]) == 0x00)
wolfSSL 7:481bce714567 738 length--;
wolfSSL 7:481bce714567 739 else
wolfSSL 7:481bce714567 740 idx--;
wolfSSL 7:481bce714567 741 }
wolfSSL 7:481bce714567 742
wolfSSL 7:481bce714567 743 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_CAVIUM)
wolfSSL 7:481bce714567 744 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
wolfSSL 7:481bce714567 745 XMEMSET(mpi, 0, sizeof(mp_int));
wolfSSL 7:481bce714567 746 mpi->used = length;
wolfSSL 7:481bce714567 747 #ifdef USE_FAST_MATH
wolfSSL 7:481bce714567 748 if (length > (FP_SIZE * (int)sizeof(fp_digit))) {
wolfSSL 7:481bce714567 749 return MEMORY_E;
wolfSSL 7:481bce714567 750 }
wolfSSL 7:481bce714567 751 mpi->dpraw = (byte*)mpi->dp;
wolfSSL 7:481bce714567 752 #else
wolfSSL 7:481bce714567 753 mpi->dpraw = (byte*)XMALLOC(length, key->heap, DYNAMIC_TYPE_ASYNC_RSA);
wolfSSL 7:481bce714567 754 #endif
wolfSSL 7:481bce714567 755 if (mpi->dpraw == NULL) {
wolfSSL 7:481bce714567 756 return MEMORY_E;
wolfSSL 7:481bce714567 757 }
wolfSSL 7:481bce714567 758
wolfSSL 7:481bce714567 759 XMEMCPY(mpi->dpraw, input + idx, length);
wolfSSL 7:481bce714567 760 }
wolfSSL 7:481bce714567 761 else
wolfSSL 7:481bce714567 762 #endif /* WOLFSSL_ASYNC_CRYPT && HAVE_CAVIUM */
wolfSSL 7:481bce714567 763 {
wolfSSL 7:481bce714567 764 if (mp_init(mpi) != MP_OKAY)
wolfSSL 7:481bce714567 765 return MP_INIT_E;
wolfSSL 7:481bce714567 766
wolfSSL 7:481bce714567 767 if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) {
wolfSSL 7:481bce714567 768 mp_clear(mpi);
wolfSSL 7:481bce714567 769 return ASN_GETINT_E;
wolfSSL 7:481bce714567 770 }
wolfSSL 7:481bce714567 771 }
wolfSSL 7:481bce714567 772
wolfSSL 7:481bce714567 773 *inOutIdx = idx + length;
wolfSSL 7:481bce714567 774 return 0;
wolfSSL 7:481bce714567 775 }
wolfSSL 7:481bce714567 776 #endif /* !NO_RSA && !HAVE_USER_RSA */
wolfSSL 7:481bce714567 777
wolfSSL 7:481bce714567 778
wolfSSL 7:481bce714567 779 /* hashType */
wolfSSL 7:481bce714567 780 static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2};
wolfSSL 7:481bce714567 781 static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5};
wolfSSL 7:481bce714567 782 static const byte hashSha1hOid[] = {43, 14, 3, 2, 26};
wolfSSL 7:481bce714567 783 static const byte hashSha224hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 4};
wolfSSL 7:481bce714567 784 static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1};
wolfSSL 7:481bce714567 785 static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2};
wolfSSL 7:481bce714567 786 static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3};
wolfSSL 7:481bce714567 787
wolfSSL 7:481bce714567 788 /* sigType */
wolfSSL 7:481bce714567 789 #ifndef NO_DSA
wolfSSL 7:481bce714567 790 static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3};
wolfSSL 7:481bce714567 791 #endif /* NO_DSA */
wolfSSL 7:481bce714567 792 #ifndef NO_RSA
wolfSSL 7:481bce714567 793 static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2};
wolfSSL 7:481bce714567 794 static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4};
wolfSSL 7:481bce714567 795 static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5};
wolfSSL 7:481bce714567 796 static const byte sigSha224wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,14};
wolfSSL 7:481bce714567 797 static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11};
wolfSSL 7:481bce714567 798 static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12};
wolfSSL 7:481bce714567 799 static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13};
wolfSSL 7:481bce714567 800 #endif /* NO_RSA */
wolfSSL 7:481bce714567 801 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 802 static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1};
wolfSSL 7:481bce714567 803 static const byte sigSha224wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 1};
wolfSSL 7:481bce714567 804 static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2};
wolfSSL 7:481bce714567 805 static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3};
wolfSSL 7:481bce714567 806 static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4};
wolfSSL 7:481bce714567 807 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 808
wolfSSL 7:481bce714567 809 /* keyType */
wolfSSL 7:481bce714567 810 #ifndef NO_DSA
wolfSSL 7:481bce714567 811 static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1};
wolfSSL 7:481bce714567 812 #endif /* NO_DSA */
wolfSSL 7:481bce714567 813 #ifndef NO_RSA
wolfSSL 7:481bce714567 814 static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1};
wolfSSL 7:481bce714567 815 #endif /* NO_RSA */
wolfSSL 7:481bce714567 816 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 817 static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1};
wolfSSL 7:481bce714567 818 #endif /* HAVE_NTRU */
wolfSSL 7:481bce714567 819 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 820 static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1};
wolfSSL 7:481bce714567 821 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 822
wolfSSL 7:481bce714567 823 /* curveType */
wolfSSL 7:481bce714567 824 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 825 /* See "ecc_sets" table in ecc.c */
wolfSSL 7:481bce714567 826 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 827
wolfSSL 7:481bce714567 828 /* blkType */
wolfSSL 7:481bce714567 829 static const byte blkAes128CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 2};
wolfSSL 7:481bce714567 830 static const byte blkAes192CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 22};
wolfSSL 7:481bce714567 831 static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42};
wolfSSL 7:481bce714567 832 static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7};
wolfSSL 7:481bce714567 833 static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7};
wolfSSL 7:481bce714567 834
wolfSSL 7:481bce714567 835 /* keyWrapType */
wolfSSL 7:481bce714567 836 static const byte wrapAes128Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 5};
wolfSSL 7:481bce714567 837 static const byte wrapAes192Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 25};
wolfSSL 7:481bce714567 838 static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45};
wolfSSL 7:481bce714567 839
wolfSSL 7:481bce714567 840 /* cmsKeyAgreeType */
wolfSSL 7:481bce714567 841 static const byte dhSinglePass_stdDH_sha1kdf_Oid[] =
wolfSSL 7:481bce714567 842 {43, 129, 5, 16, 134, 72, 63, 0, 2};
wolfSSL 7:481bce714567 843 static const byte dhSinglePass_stdDH_sha224kdf_Oid[] = {43, 129, 4, 1, 11, 0};
wolfSSL 7:481bce714567 844 static const byte dhSinglePass_stdDH_sha256kdf_Oid[] = {43, 129, 4, 1, 11, 1};
wolfSSL 7:481bce714567 845 static const byte dhSinglePass_stdDH_sha384kdf_Oid[] = {43, 129, 4, 1, 11, 2};
wolfSSL 7:481bce714567 846 static const byte dhSinglePass_stdDH_sha512kdf_Oid[] = {43, 129, 4, 1, 11, 3};
wolfSSL 7:481bce714567 847
wolfSSL 7:481bce714567 848 /* ocspType */
wolfSSL 7:481bce714567 849 #ifdef HAVE_OCSP
wolfSSL 7:481bce714567 850 static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
wolfSSL 7:481bce714567 851 static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
wolfSSL 7:481bce714567 852 #endif /* HAVE_OCSP */
wolfSSL 7:481bce714567 853
wolfSSL 7:481bce714567 854 /* certExtType */
wolfSSL 7:481bce714567 855 static const byte extBasicCaOid[] = {85, 29, 19};
wolfSSL 7:481bce714567 856 static const byte extAltNamesOid[] = {85, 29, 17};
wolfSSL 7:481bce714567 857 static const byte extCrlDistOid[] = {85, 29, 31};
wolfSSL 7:481bce714567 858 static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1};
wolfSSL 7:481bce714567 859 static const byte extAuthKeyOid[] = {85, 29, 35};
wolfSSL 7:481bce714567 860 static const byte extSubjKeyOid[] = {85, 29, 14};
wolfSSL 7:481bce714567 861 static const byte extCertPolicyOid[] = {85, 29, 32};
wolfSSL 7:481bce714567 862 static const byte extKeyUsageOid[] = {85, 29, 15};
wolfSSL 7:481bce714567 863 static const byte extInhibitAnyOid[] = {85, 29, 54};
wolfSSL 7:481bce714567 864 static const byte extExtKeyUsageOid[] = {85, 29, 37};
wolfSSL 7:481bce714567 865 static const byte extNameConsOid[] = {85, 29, 30};
wolfSSL 7:481bce714567 866
wolfSSL 7:481bce714567 867 /* certAuthInfoType */
wolfSSL 7:481bce714567 868 static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
wolfSSL 7:481bce714567 869 static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
wolfSSL 7:481bce714567 870
wolfSSL 7:481bce714567 871 /* certPolicyType */
wolfSSL 7:481bce714567 872 static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
wolfSSL 7:481bce714567 873
wolfSSL 7:481bce714567 874 /* certKeyUseType */
wolfSSL 7:481bce714567 875 static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
wolfSSL 7:481bce714567 876
wolfSSL 7:481bce714567 877 /* certKeyUseType */
wolfSSL 7:481bce714567 878 static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0};
wolfSSL 7:481bce714567 879 static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1};
wolfSSL 7:481bce714567 880 static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2};
wolfSSL 7:481bce714567 881 static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
wolfSSL 7:481bce714567 882
wolfSSL 7:481bce714567 883 /* kdfType */
wolfSSL 7:481bce714567 884 static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
wolfSSL 7:481bce714567 885
wolfSSL 7:481bce714567 886 static const byte* OidFromId(word32 id, word32 type, word32* oidSz)
wolfSSL 7:481bce714567 887 {
wolfSSL 7:481bce714567 888 const byte* oid = NULL;
wolfSSL 7:481bce714567 889
wolfSSL 7:481bce714567 890 *oidSz = 0;
wolfSSL 7:481bce714567 891
wolfSSL 7:481bce714567 892 switch (type) {
wolfSSL 7:481bce714567 893
wolfSSL 7:481bce714567 894 case oidHashType:
wolfSSL 7:481bce714567 895 switch (id) {
wolfSSL 7:481bce714567 896 case MD2h:
wolfSSL 7:481bce714567 897 oid = hashMd2hOid;
wolfSSL 7:481bce714567 898 *oidSz = sizeof(hashMd2hOid);
wolfSSL 7:481bce714567 899 break;
wolfSSL 7:481bce714567 900 case MD5h:
wolfSSL 7:481bce714567 901 oid = hashMd5hOid;
wolfSSL 7:481bce714567 902 *oidSz = sizeof(hashMd5hOid);
wolfSSL 7:481bce714567 903 break;
wolfSSL 7:481bce714567 904 case SHAh:
wolfSSL 7:481bce714567 905 oid = hashSha1hOid;
wolfSSL 7:481bce714567 906 *oidSz = sizeof(hashSha1hOid);
wolfSSL 7:481bce714567 907 break;
wolfSSL 7:481bce714567 908 case SHA224h:
wolfSSL 7:481bce714567 909 oid = hashSha224hOid;
wolfSSL 7:481bce714567 910 *oidSz = sizeof(hashSha224hOid);
wolfSSL 7:481bce714567 911 break;
wolfSSL 7:481bce714567 912 case SHA256h:
wolfSSL 7:481bce714567 913 oid = hashSha256hOid;
wolfSSL 7:481bce714567 914 *oidSz = sizeof(hashSha256hOid);
wolfSSL 7:481bce714567 915 break;
wolfSSL 7:481bce714567 916 case SHA384h:
wolfSSL 7:481bce714567 917 oid = hashSha384hOid;
wolfSSL 7:481bce714567 918 *oidSz = sizeof(hashSha384hOid);
wolfSSL 7:481bce714567 919 break;
wolfSSL 7:481bce714567 920 case SHA512h:
wolfSSL 7:481bce714567 921 oid = hashSha512hOid;
wolfSSL 7:481bce714567 922 *oidSz = sizeof(hashSha512hOid);
wolfSSL 7:481bce714567 923 break;
wolfSSL 7:481bce714567 924 }
wolfSSL 7:481bce714567 925 break;
wolfSSL 7:481bce714567 926
wolfSSL 7:481bce714567 927 case oidSigType:
wolfSSL 7:481bce714567 928 switch (id) {
wolfSSL 7:481bce714567 929 #ifndef NO_DSA
wolfSSL 7:481bce714567 930 case CTC_SHAwDSA:
wolfSSL 7:481bce714567 931 oid = sigSha1wDsaOid;
wolfSSL 7:481bce714567 932 *oidSz = sizeof(sigSha1wDsaOid);
wolfSSL 7:481bce714567 933 break;
wolfSSL 7:481bce714567 934 #endif /* NO_DSA */
wolfSSL 7:481bce714567 935 #ifndef NO_RSA
wolfSSL 7:481bce714567 936 case CTC_MD2wRSA:
wolfSSL 7:481bce714567 937 oid = sigMd2wRsaOid;
wolfSSL 7:481bce714567 938 *oidSz = sizeof(sigMd2wRsaOid);
wolfSSL 7:481bce714567 939 break;
wolfSSL 7:481bce714567 940 case CTC_MD5wRSA:
wolfSSL 7:481bce714567 941 oid = sigMd5wRsaOid;
wolfSSL 7:481bce714567 942 *oidSz = sizeof(sigMd5wRsaOid);
wolfSSL 7:481bce714567 943 break;
wolfSSL 7:481bce714567 944 case CTC_SHAwRSA:
wolfSSL 7:481bce714567 945 oid = sigSha1wRsaOid;
wolfSSL 7:481bce714567 946 *oidSz = sizeof(sigSha1wRsaOid);
wolfSSL 7:481bce714567 947 break;
wolfSSL 7:481bce714567 948 case CTC_SHA224wRSA:
wolfSSL 7:481bce714567 949 oid = sigSha224wRsaOid;
wolfSSL 7:481bce714567 950 *oidSz = sizeof(sigSha224wRsaOid);
wolfSSL 7:481bce714567 951 break;
wolfSSL 7:481bce714567 952 case CTC_SHA256wRSA:
wolfSSL 7:481bce714567 953 oid = sigSha256wRsaOid;
wolfSSL 7:481bce714567 954 *oidSz = sizeof(sigSha256wRsaOid);
wolfSSL 7:481bce714567 955 break;
wolfSSL 7:481bce714567 956 case CTC_SHA384wRSA:
wolfSSL 7:481bce714567 957 oid = sigSha384wRsaOid;
wolfSSL 7:481bce714567 958 *oidSz = sizeof(sigSha384wRsaOid);
wolfSSL 7:481bce714567 959 break;
wolfSSL 7:481bce714567 960 case CTC_SHA512wRSA:
wolfSSL 7:481bce714567 961 oid = sigSha512wRsaOid;
wolfSSL 7:481bce714567 962 *oidSz = sizeof(sigSha512wRsaOid);
wolfSSL 7:481bce714567 963 break;
wolfSSL 7:481bce714567 964 #endif /* NO_RSA */
wolfSSL 7:481bce714567 965 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 966 case CTC_SHAwECDSA:
wolfSSL 7:481bce714567 967 oid = sigSha1wEcdsaOid;
wolfSSL 7:481bce714567 968 *oidSz = sizeof(sigSha1wEcdsaOid);
wolfSSL 7:481bce714567 969 break;
wolfSSL 7:481bce714567 970 case CTC_SHA224wECDSA:
wolfSSL 7:481bce714567 971 oid = sigSha224wEcdsaOid;
wolfSSL 7:481bce714567 972 *oidSz = sizeof(sigSha224wEcdsaOid);
wolfSSL 7:481bce714567 973 break;
wolfSSL 7:481bce714567 974 case CTC_SHA256wECDSA:
wolfSSL 7:481bce714567 975 oid = sigSha256wEcdsaOid;
wolfSSL 7:481bce714567 976 *oidSz = sizeof(sigSha256wEcdsaOid);
wolfSSL 7:481bce714567 977 break;
wolfSSL 7:481bce714567 978 case CTC_SHA384wECDSA:
wolfSSL 7:481bce714567 979 oid = sigSha384wEcdsaOid;
wolfSSL 7:481bce714567 980 *oidSz = sizeof(sigSha384wEcdsaOid);
wolfSSL 7:481bce714567 981 break;
wolfSSL 7:481bce714567 982 case CTC_SHA512wECDSA:
wolfSSL 7:481bce714567 983 oid = sigSha512wEcdsaOid;
wolfSSL 7:481bce714567 984 *oidSz = sizeof(sigSha512wEcdsaOid);
wolfSSL 7:481bce714567 985 break;
wolfSSL 7:481bce714567 986 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 987 default:
wolfSSL 7:481bce714567 988 break;
wolfSSL 7:481bce714567 989 }
wolfSSL 7:481bce714567 990 break;
wolfSSL 7:481bce714567 991
wolfSSL 7:481bce714567 992 case oidKeyType:
wolfSSL 7:481bce714567 993 switch (id) {
wolfSSL 7:481bce714567 994 #ifndef NO_DSA
wolfSSL 7:481bce714567 995 case DSAk:
wolfSSL 7:481bce714567 996 oid = keyDsaOid;
wolfSSL 7:481bce714567 997 *oidSz = sizeof(keyDsaOid);
wolfSSL 7:481bce714567 998 break;
wolfSSL 7:481bce714567 999 #endif /* NO_DSA */
wolfSSL 7:481bce714567 1000 #ifndef NO_RSA
wolfSSL 7:481bce714567 1001 case RSAk:
wolfSSL 7:481bce714567 1002 oid = keyRsaOid;
wolfSSL 7:481bce714567 1003 *oidSz = sizeof(keyRsaOid);
wolfSSL 7:481bce714567 1004 break;
wolfSSL 7:481bce714567 1005 #endif /* NO_RSA */
wolfSSL 7:481bce714567 1006 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 1007 case NTRUk:
wolfSSL 7:481bce714567 1008 oid = keyNtruOid;
wolfSSL 7:481bce714567 1009 *oidSz = sizeof(keyNtruOid);
wolfSSL 7:481bce714567 1010 break;
wolfSSL 7:481bce714567 1011 #endif /* HAVE_NTRU */
wolfSSL 7:481bce714567 1012 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 1013 case ECDSAk:
wolfSSL 7:481bce714567 1014 oid = keyEcdsaOid;
wolfSSL 7:481bce714567 1015 *oidSz = sizeof(keyEcdsaOid);
wolfSSL 7:481bce714567 1016 break;
wolfSSL 7:481bce714567 1017 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 1018 default:
wolfSSL 7:481bce714567 1019 break;
wolfSSL 7:481bce714567 1020 }
wolfSSL 7:481bce714567 1021 break;
wolfSSL 7:481bce714567 1022
wolfSSL 7:481bce714567 1023 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 1024 case oidCurveType:
wolfSSL 7:481bce714567 1025 if (wc_ecc_get_oid(id, &oid, oidSz) < 0) {
wolfSSL 7:481bce714567 1026 WOLFSSL_MSG("ECC OID not found");
wolfSSL 7:481bce714567 1027 }
wolfSSL 7:481bce714567 1028 break;
wolfSSL 7:481bce714567 1029 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 1030
wolfSSL 7:481bce714567 1031 case oidBlkType:
wolfSSL 7:481bce714567 1032 switch (id) {
wolfSSL 7:481bce714567 1033 case AES128CBCb:
wolfSSL 7:481bce714567 1034 oid = blkAes128CbcOid;
wolfSSL 7:481bce714567 1035 *oidSz = sizeof(blkAes128CbcOid);
wolfSSL 7:481bce714567 1036 break;
wolfSSL 7:481bce714567 1037 case AES192CBCb:
wolfSSL 7:481bce714567 1038 oid = blkAes192CbcOid;
wolfSSL 7:481bce714567 1039 *oidSz = sizeof(blkAes192CbcOid);
wolfSSL 7:481bce714567 1040 break;
wolfSSL 7:481bce714567 1041 case AES256CBCb:
wolfSSL 7:481bce714567 1042 oid = blkAes256CbcOid;
wolfSSL 7:481bce714567 1043 *oidSz = sizeof(blkAes256CbcOid);
wolfSSL 7:481bce714567 1044 break;
wolfSSL 7:481bce714567 1045 case DESb:
wolfSSL 7:481bce714567 1046 oid = blkDesCbcOid;
wolfSSL 7:481bce714567 1047 *oidSz = sizeof(blkDesCbcOid);
wolfSSL 7:481bce714567 1048 break;
wolfSSL 7:481bce714567 1049 case DES3b:
wolfSSL 7:481bce714567 1050 oid = blkDes3CbcOid;
wolfSSL 7:481bce714567 1051 *oidSz = sizeof(blkDes3CbcOid);
wolfSSL 7:481bce714567 1052 break;
wolfSSL 7:481bce714567 1053 }
wolfSSL 7:481bce714567 1054 break;
wolfSSL 7:481bce714567 1055
wolfSSL 7:481bce714567 1056 #ifdef HAVE_OCSP
wolfSSL 7:481bce714567 1057 case oidOcspType:
wolfSSL 7:481bce714567 1058 switch (id) {
wolfSSL 7:481bce714567 1059 case OCSP_BASIC_OID:
wolfSSL 7:481bce714567 1060 oid = ocspBasicOid;
wolfSSL 7:481bce714567 1061 *oidSz = sizeof(ocspBasicOid);
wolfSSL 7:481bce714567 1062 break;
wolfSSL 7:481bce714567 1063 case OCSP_NONCE_OID:
wolfSSL 7:481bce714567 1064 oid = ocspNonceOid;
wolfSSL 7:481bce714567 1065 *oidSz = sizeof(ocspNonceOid);
wolfSSL 7:481bce714567 1066 break;
wolfSSL 7:481bce714567 1067 }
wolfSSL 7:481bce714567 1068 break;
wolfSSL 7:481bce714567 1069 #endif /* HAVE_OCSP */
wolfSSL 7:481bce714567 1070
wolfSSL 7:481bce714567 1071 case oidCertExtType:
wolfSSL 7:481bce714567 1072 switch (id) {
wolfSSL 7:481bce714567 1073 case BASIC_CA_OID:
wolfSSL 7:481bce714567 1074 oid = extBasicCaOid;
wolfSSL 7:481bce714567 1075 *oidSz = sizeof(extBasicCaOid);
wolfSSL 7:481bce714567 1076 break;
wolfSSL 7:481bce714567 1077 case ALT_NAMES_OID:
wolfSSL 7:481bce714567 1078 oid = extAltNamesOid;
wolfSSL 7:481bce714567 1079 *oidSz = sizeof(extAltNamesOid);
wolfSSL 7:481bce714567 1080 break;
wolfSSL 7:481bce714567 1081 case CRL_DIST_OID:
wolfSSL 7:481bce714567 1082 oid = extCrlDistOid;
wolfSSL 7:481bce714567 1083 *oidSz = sizeof(extCrlDistOid);
wolfSSL 7:481bce714567 1084 break;
wolfSSL 7:481bce714567 1085 case AUTH_INFO_OID:
wolfSSL 7:481bce714567 1086 oid = extAuthInfoOid;
wolfSSL 7:481bce714567 1087 *oidSz = sizeof(extAuthInfoOid);
wolfSSL 7:481bce714567 1088 break;
wolfSSL 7:481bce714567 1089 case AUTH_KEY_OID:
wolfSSL 7:481bce714567 1090 oid = extAuthKeyOid;
wolfSSL 7:481bce714567 1091 *oidSz = sizeof(extAuthKeyOid);
wolfSSL 7:481bce714567 1092 break;
wolfSSL 7:481bce714567 1093 case SUBJ_KEY_OID:
wolfSSL 7:481bce714567 1094 oid = extSubjKeyOid;
wolfSSL 7:481bce714567 1095 *oidSz = sizeof(extSubjKeyOid);
wolfSSL 7:481bce714567 1096 break;
wolfSSL 7:481bce714567 1097 case CERT_POLICY_OID:
wolfSSL 7:481bce714567 1098 oid = extCertPolicyOid;
wolfSSL 7:481bce714567 1099 *oidSz = sizeof(extCertPolicyOid);
wolfSSL 7:481bce714567 1100 break;
wolfSSL 7:481bce714567 1101 case KEY_USAGE_OID:
wolfSSL 7:481bce714567 1102 oid = extKeyUsageOid;
wolfSSL 7:481bce714567 1103 *oidSz = sizeof(extKeyUsageOid);
wolfSSL 7:481bce714567 1104 break;
wolfSSL 7:481bce714567 1105 case INHIBIT_ANY_OID:
wolfSSL 7:481bce714567 1106 oid = extInhibitAnyOid;
wolfSSL 7:481bce714567 1107 *oidSz = sizeof(extInhibitAnyOid);
wolfSSL 7:481bce714567 1108 break;
wolfSSL 7:481bce714567 1109 case EXT_KEY_USAGE_OID:
wolfSSL 7:481bce714567 1110 oid = extExtKeyUsageOid;
wolfSSL 7:481bce714567 1111 *oidSz = sizeof(extExtKeyUsageOid);
wolfSSL 7:481bce714567 1112 break;
wolfSSL 7:481bce714567 1113 case NAME_CONS_OID:
wolfSSL 7:481bce714567 1114 oid = extNameConsOid;
wolfSSL 7:481bce714567 1115 *oidSz = sizeof(extNameConsOid);
wolfSSL 7:481bce714567 1116 break;
wolfSSL 7:481bce714567 1117 }
wolfSSL 7:481bce714567 1118 break;
wolfSSL 7:481bce714567 1119
wolfSSL 7:481bce714567 1120 case oidCertAuthInfoType:
wolfSSL 7:481bce714567 1121 switch (id) {
wolfSSL 7:481bce714567 1122 case AIA_OCSP_OID:
wolfSSL 7:481bce714567 1123 oid = extAuthInfoOcspOid;
wolfSSL 7:481bce714567 1124 *oidSz = sizeof(extAuthInfoOcspOid);
wolfSSL 7:481bce714567 1125 break;
wolfSSL 7:481bce714567 1126 case AIA_CA_ISSUER_OID:
wolfSSL 7:481bce714567 1127 oid = extAuthInfoCaIssuerOid;
wolfSSL 7:481bce714567 1128 *oidSz = sizeof(extAuthInfoCaIssuerOid);
wolfSSL 7:481bce714567 1129 break;
wolfSSL 7:481bce714567 1130 }
wolfSSL 7:481bce714567 1131 break;
wolfSSL 7:481bce714567 1132
wolfSSL 7:481bce714567 1133 case oidCertPolicyType:
wolfSSL 7:481bce714567 1134 switch (id) {
wolfSSL 7:481bce714567 1135 case CP_ANY_OID:
wolfSSL 7:481bce714567 1136 oid = extCertPolicyAnyOid;
wolfSSL 7:481bce714567 1137 *oidSz = sizeof(extCertPolicyAnyOid);
wolfSSL 7:481bce714567 1138 break;
wolfSSL 7:481bce714567 1139 }
wolfSSL 7:481bce714567 1140 break;
wolfSSL 7:481bce714567 1141
wolfSSL 7:481bce714567 1142 case oidCertAltNameType:
wolfSSL 7:481bce714567 1143 switch (id) {
wolfSSL 7:481bce714567 1144 case HW_NAME_OID:
wolfSSL 7:481bce714567 1145 oid = extAltNamesHwNameOid;
wolfSSL 7:481bce714567 1146 *oidSz = sizeof(extAltNamesHwNameOid);
wolfSSL 7:481bce714567 1147 break;
wolfSSL 7:481bce714567 1148 }
wolfSSL 7:481bce714567 1149 break;
wolfSSL 7:481bce714567 1150
wolfSSL 7:481bce714567 1151 case oidCertKeyUseType:
wolfSSL 7:481bce714567 1152 switch (id) {
wolfSSL 7:481bce714567 1153 case EKU_ANY_OID:
wolfSSL 7:481bce714567 1154 oid = extExtKeyUsageAnyOid;
wolfSSL 7:481bce714567 1155 *oidSz = sizeof(extExtKeyUsageAnyOid);
wolfSSL 7:481bce714567 1156 break;
wolfSSL 7:481bce714567 1157 case EKU_SERVER_AUTH_OID:
wolfSSL 7:481bce714567 1158 oid = extExtKeyUsageServerAuthOid;
wolfSSL 7:481bce714567 1159 *oidSz = sizeof(extExtKeyUsageServerAuthOid);
wolfSSL 7:481bce714567 1160 break;
wolfSSL 7:481bce714567 1161 case EKU_CLIENT_AUTH_OID:
wolfSSL 7:481bce714567 1162 oid = extExtKeyUsageClientAuthOid;
wolfSSL 7:481bce714567 1163 *oidSz = sizeof(extExtKeyUsageClientAuthOid);
wolfSSL 7:481bce714567 1164 break;
wolfSSL 7:481bce714567 1165 case EKU_OCSP_SIGN_OID:
wolfSSL 7:481bce714567 1166 oid = extExtKeyUsageOcspSignOid;
wolfSSL 7:481bce714567 1167 *oidSz = sizeof(extExtKeyUsageOcspSignOid);
wolfSSL 7:481bce714567 1168 break;
wolfSSL 7:481bce714567 1169 }
wolfSSL 7:481bce714567 1170 break;
wolfSSL 7:481bce714567 1171
wolfSSL 7:481bce714567 1172 case oidKdfType:
wolfSSL 7:481bce714567 1173 switch (id) {
wolfSSL 7:481bce714567 1174 case PBKDF2_OID:
wolfSSL 7:481bce714567 1175 oid = pbkdf2Oid;
wolfSSL 7:481bce714567 1176 *oidSz = sizeof(pbkdf2Oid);
wolfSSL 7:481bce714567 1177 break;
wolfSSL 7:481bce714567 1178 }
wolfSSL 7:481bce714567 1179 break;
wolfSSL 7:481bce714567 1180
wolfSSL 7:481bce714567 1181 case oidKeyWrapType:
wolfSSL 7:481bce714567 1182 switch (id) {
wolfSSL 7:481bce714567 1183 case AES128_WRAP:
wolfSSL 7:481bce714567 1184 oid = wrapAes128Oid;
wolfSSL 7:481bce714567 1185 *oidSz = sizeof(wrapAes128Oid);
wolfSSL 7:481bce714567 1186 break;
wolfSSL 7:481bce714567 1187 case AES192_WRAP:
wolfSSL 7:481bce714567 1188 oid = wrapAes192Oid;
wolfSSL 7:481bce714567 1189 *oidSz = sizeof(wrapAes192Oid);
wolfSSL 7:481bce714567 1190 break;
wolfSSL 7:481bce714567 1191 case AES256_WRAP:
wolfSSL 7:481bce714567 1192 oid = wrapAes256Oid;
wolfSSL 7:481bce714567 1193 *oidSz = sizeof(wrapAes256Oid);
wolfSSL 7:481bce714567 1194 break;
wolfSSL 7:481bce714567 1195 }
wolfSSL 7:481bce714567 1196 break;
wolfSSL 7:481bce714567 1197
wolfSSL 7:481bce714567 1198 case oidCmsKeyAgreeType:
wolfSSL 7:481bce714567 1199 switch (id) {
wolfSSL 7:481bce714567 1200 case dhSinglePass_stdDH_sha1kdf_scheme:
wolfSSL 7:481bce714567 1201 oid = dhSinglePass_stdDH_sha1kdf_Oid;
wolfSSL 7:481bce714567 1202 *oidSz = sizeof(dhSinglePass_stdDH_sha1kdf_Oid);
wolfSSL 7:481bce714567 1203 break;
wolfSSL 7:481bce714567 1204 case dhSinglePass_stdDH_sha224kdf_scheme:
wolfSSL 7:481bce714567 1205 oid = dhSinglePass_stdDH_sha224kdf_Oid;
wolfSSL 7:481bce714567 1206 *oidSz = sizeof(dhSinglePass_stdDH_sha224kdf_Oid);
wolfSSL 7:481bce714567 1207 break;
wolfSSL 7:481bce714567 1208 case dhSinglePass_stdDH_sha256kdf_scheme:
wolfSSL 7:481bce714567 1209 oid = dhSinglePass_stdDH_sha256kdf_Oid;
wolfSSL 7:481bce714567 1210 *oidSz = sizeof(dhSinglePass_stdDH_sha256kdf_Oid);
wolfSSL 7:481bce714567 1211 break;
wolfSSL 7:481bce714567 1212 case dhSinglePass_stdDH_sha384kdf_scheme:
wolfSSL 7:481bce714567 1213 oid = dhSinglePass_stdDH_sha384kdf_Oid;
wolfSSL 7:481bce714567 1214 *oidSz = sizeof(dhSinglePass_stdDH_sha384kdf_Oid);
wolfSSL 7:481bce714567 1215 break;
wolfSSL 7:481bce714567 1216 case dhSinglePass_stdDH_sha512kdf_scheme:
wolfSSL 7:481bce714567 1217 oid = dhSinglePass_stdDH_sha512kdf_Oid;
wolfSSL 7:481bce714567 1218 *oidSz = sizeof(dhSinglePass_stdDH_sha512kdf_Oid);
wolfSSL 7:481bce714567 1219 break;
wolfSSL 7:481bce714567 1220 }
wolfSSL 7:481bce714567 1221 break;
wolfSSL 7:481bce714567 1222
wolfSSL 7:481bce714567 1223 case oidIgnoreType:
wolfSSL 7:481bce714567 1224 default:
wolfSSL 7:481bce714567 1225 break;
wolfSSL 7:481bce714567 1226 }
wolfSSL 7:481bce714567 1227
wolfSSL 7:481bce714567 1228 return oid;
wolfSSL 7:481bce714567 1229 }
wolfSSL 7:481bce714567 1230
wolfSSL 7:481bce714567 1231 #ifdef HAVE_OID_ENCODING
wolfSSL 7:481bce714567 1232 int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
wolfSSL 7:481bce714567 1233 {
wolfSSL 7:481bce714567 1234 int i, x, len;
wolfSSL 7:481bce714567 1235 word32 d, t;
wolfSSL 7:481bce714567 1236
wolfSSL 7:481bce714567 1237 /* check args */
wolfSSL 7:481bce714567 1238 if (in == NULL || outSz == NULL) {
wolfSSL 7:481bce714567 1239 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 1240 }
wolfSSL 7:481bce714567 1241
wolfSSL 7:481bce714567 1242 /* compute length of encoded OID */
wolfSSL 7:481bce714567 1243 d = (in[0] * 40) + in[1];
wolfSSL 7:481bce714567 1244 len = 0;
wolfSSL 7:481bce714567 1245 for (i = 1; i < (int)inSz; i++) {
wolfSSL 7:481bce714567 1246 x = 0;
wolfSSL 7:481bce714567 1247 t = d;
wolfSSL 7:481bce714567 1248 while (t) {
wolfSSL 7:481bce714567 1249 x++;
wolfSSL 7:481bce714567 1250 t >>= 1;
wolfSSL 7:481bce714567 1251 }
wolfSSL 7:481bce714567 1252 len += (x / 7) + ((x % 7) ? 1 : 0) + (d == 0 ? 1 : 0);
wolfSSL 7:481bce714567 1253
wolfSSL 7:481bce714567 1254 if (i < (int)inSz - 1) {
wolfSSL 7:481bce714567 1255 d = in[i + 1];
wolfSSL 7:481bce714567 1256 }
wolfSSL 7:481bce714567 1257 }
wolfSSL 7:481bce714567 1258
wolfSSL 7:481bce714567 1259 if (out) {
wolfSSL 7:481bce714567 1260 /* verify length */
wolfSSL 7:481bce714567 1261 if ((int)*outSz < len) {
wolfSSL 7:481bce714567 1262 return BUFFER_E; /* buffer provided is not large enough */
wolfSSL 7:481bce714567 1263 }
wolfSSL 7:481bce714567 1264
wolfSSL 7:481bce714567 1265 /* calc first byte */
wolfSSL 7:481bce714567 1266 d = (in[0] * 40) + in[1];
wolfSSL 7:481bce714567 1267
wolfSSL 7:481bce714567 1268 /* encode bytes */
wolfSSL 7:481bce714567 1269 x = 0;
wolfSSL 7:481bce714567 1270 for (i = 1; i < (int)inSz; i++) {
wolfSSL 7:481bce714567 1271 if (d) {
wolfSSL 7:481bce714567 1272 int y = x, z;
wolfSSL 7:481bce714567 1273 byte mask = 0;
wolfSSL 7:481bce714567 1274 while (d) {
wolfSSL 7:481bce714567 1275 out[x++] = (byte)((d & 0x7F) | mask);
wolfSSL 7:481bce714567 1276 d >>= 7;
wolfSSL 7:481bce714567 1277 mask |= 0x80; /* upper bit is set on all but the last byte */
wolfSSL 7:481bce714567 1278 }
wolfSSL 7:481bce714567 1279 /* now swap bytes y...x-1 */
wolfSSL 7:481bce714567 1280 z = x - 1;
wolfSSL 7:481bce714567 1281 while (y < z) {
wolfSSL 7:481bce714567 1282 mask = out[y];
wolfSSL 7:481bce714567 1283 out[y] = out[z];
wolfSSL 7:481bce714567 1284 out[z] = mask;
wolfSSL 7:481bce714567 1285 ++y;
wolfSSL 7:481bce714567 1286 --z;
wolfSSL 7:481bce714567 1287 }
wolfSSL 7:481bce714567 1288 }
wolfSSL 7:481bce714567 1289 else {
wolfSSL 7:481bce714567 1290 out[x++] = 0x00; /* zero value */
wolfSSL 7:481bce714567 1291 }
wolfSSL 7:481bce714567 1292
wolfSSL 7:481bce714567 1293 /* next word */
wolfSSL 7:481bce714567 1294 if (i < (int)inSz - 1) {
wolfSSL 7:481bce714567 1295 d = in[i + 1];
wolfSSL 7:481bce714567 1296 }
wolfSSL 7:481bce714567 1297 }
wolfSSL 7:481bce714567 1298 }
wolfSSL 7:481bce714567 1299
wolfSSL 7:481bce714567 1300 /* return length */
wolfSSL 7:481bce714567 1301 *outSz = len;
wolfSSL 7:481bce714567 1302
wolfSSL 7:481bce714567 1303 return 0;
wolfSSL 7:481bce714567 1304 }
wolfSSL 7:481bce714567 1305 #endif /* HAVE_OID_ENCODING */
wolfSSL 7:481bce714567 1306
wolfSSL 7:481bce714567 1307 #ifdef HAVE_OID_DECODING
wolfSSL 7:481bce714567 1308 int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
wolfSSL 7:481bce714567 1309 {
wolfSSL 7:481bce714567 1310 int x = 0, y = 0;
wolfSSL 7:481bce714567 1311 word32 t = 0;
wolfSSL 7:481bce714567 1312
wolfSSL 7:481bce714567 1313 /* check args */
wolfSSL 7:481bce714567 1314 if (in == NULL || outSz == NULL) {
wolfSSL 7:481bce714567 1315 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 1316 }
wolfSSL 7:481bce714567 1317
wolfSSL 7:481bce714567 1318 /* decode bytes */
wolfSSL 7:481bce714567 1319 while (inSz--) {
wolfSSL 7:481bce714567 1320 t = (t << 7) | (in[x] & 0x7F);
wolfSSL 7:481bce714567 1321 if (!(in[x] & 0x80)) {
wolfSSL 7:481bce714567 1322 if (y >= (int)*outSz) {
wolfSSL 7:481bce714567 1323 return BUFFER_E;
wolfSSL 7:481bce714567 1324 }
wolfSSL 7:481bce714567 1325 if (y == 0) {
wolfSSL 7:481bce714567 1326 out[0] = (t / 40);
wolfSSL 7:481bce714567 1327 out[1] = (t % 40);
wolfSSL 7:481bce714567 1328 y = 2;
wolfSSL 7:481bce714567 1329 }
wolfSSL 7:481bce714567 1330 else {
wolfSSL 7:481bce714567 1331 out[y++] = t;
wolfSSL 7:481bce714567 1332 }
wolfSSL 7:481bce714567 1333 t = 0; /* reset tmp */
wolfSSL 7:481bce714567 1334 }
wolfSSL 7:481bce714567 1335 x++;
wolfSSL 7:481bce714567 1336 }
wolfSSL 7:481bce714567 1337
wolfSSL 7:481bce714567 1338 /* return length */
wolfSSL 7:481bce714567 1339 *outSz = y;
wolfSSL 7:481bce714567 1340
wolfSSL 7:481bce714567 1341 return 0;
wolfSSL 7:481bce714567 1342 }
wolfSSL 7:481bce714567 1343 #endif /* HAVE_OID_DECODING */
wolfSSL 7:481bce714567 1344
wolfSSL 7:481bce714567 1345 int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 7:481bce714567 1346 word32 oidType, word32 maxIdx)
wolfSSL 7:481bce714567 1347 {
wolfSSL 7:481bce714567 1348 int ret = 0, length;
wolfSSL 7:481bce714567 1349 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 1350 #ifndef NO_VERIFY_OID
wolfSSL 7:481bce714567 1351 word32 actualOidSz = 0;
wolfSSL 7:481bce714567 1352 const byte* actualOid;
wolfSSL 7:481bce714567 1353 #endif /* NO_VERIFY_OID */
wolfSSL 7:481bce714567 1354 byte b;
wolfSSL 7:481bce714567 1355
wolfSSL 7:481bce714567 1356 (void)oidType;
wolfSSL 7:481bce714567 1357 WOLFSSL_ENTER("GetObjectId()");
wolfSSL 7:481bce714567 1358 *oid = 0;
wolfSSL 7:481bce714567 1359
wolfSSL 7:481bce714567 1360 b = input[idx++];
wolfSSL 7:481bce714567 1361 if (b != ASN_OBJECT_ID)
wolfSSL 7:481bce714567 1362 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 1363
wolfSSL 7:481bce714567 1364 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 1365 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1366
wolfSSL 7:481bce714567 1367 #ifndef NO_VERIFY_OID
wolfSSL 7:481bce714567 1368 actualOid = &input[idx];
wolfSSL 7:481bce714567 1369 if (length > 0)
wolfSSL 7:481bce714567 1370 actualOidSz = (word32)length;
wolfSSL 7:481bce714567 1371 #endif /* NO_VERIFY_OID */
wolfSSL 7:481bce714567 1372
wolfSSL 7:481bce714567 1373 while (length--) {
wolfSSL 7:481bce714567 1374 /* odd HC08 compiler behavior here when input[idx++] */
wolfSSL 7:481bce714567 1375 *oid += (word32)input[idx];
wolfSSL 7:481bce714567 1376 idx++;
wolfSSL 7:481bce714567 1377 }
wolfSSL 7:481bce714567 1378 /* just sum it up for now */
wolfSSL 7:481bce714567 1379
wolfSSL 7:481bce714567 1380 *inOutIdx = idx;
wolfSSL 7:481bce714567 1381
wolfSSL 7:481bce714567 1382 #ifndef NO_VERIFY_OID
wolfSSL 7:481bce714567 1383 {
wolfSSL 7:481bce714567 1384 const byte* checkOid = NULL;
wolfSSL 7:481bce714567 1385 word32 checkOidSz;
wolfSSL 7:481bce714567 1386 #ifdef ASN_DUMP_OID
wolfSSL 7:481bce714567 1387 int i;
wolfSSL 7:481bce714567 1388 #endif
wolfSSL 7:481bce714567 1389
wolfSSL 7:481bce714567 1390 if (oidType != oidIgnoreType) {
wolfSSL 7:481bce714567 1391 checkOid = OidFromId(*oid, oidType, &checkOidSz);
wolfSSL 7:481bce714567 1392
wolfSSL 7:481bce714567 1393 #ifdef ASN_DUMP_OID
wolfSSL 7:481bce714567 1394 /* support for dumping OID information */
wolfSSL 7:481bce714567 1395 printf("OID (Type %d, Sz %d, Sum %d): ", oidType, actualOidSz, *oid);
wolfSSL 7:481bce714567 1396 for (i=0; i<actualOidSz; i++) {
wolfSSL 7:481bce714567 1397 printf("%d, ", actualOid[i]);
wolfSSL 7:481bce714567 1398 }
wolfSSL 7:481bce714567 1399 printf("\n");
wolfSSL 7:481bce714567 1400 #ifdef HAVE_OID_DECODING
wolfSSL 7:481bce714567 1401 {
wolfSSL 7:481bce714567 1402 word16 decOid[16];
wolfSSL 7:481bce714567 1403 word32 decOidSz = sizeof(decOid);
wolfSSL 7:481bce714567 1404 ret = DecodeObjectId(actualOid, actualOidSz, decOid, &decOidSz);
wolfSSL 7:481bce714567 1405 if (ret == 0) {
wolfSSL 7:481bce714567 1406 printf(" Decoded (Sz %d): ", decOidSz);
wolfSSL 7:481bce714567 1407 for (i=0; i<decOidSz; i++) {
wolfSSL 7:481bce714567 1408 printf("%d.", decOid[i]);
wolfSSL 7:481bce714567 1409 }
wolfSSL 7:481bce714567 1410 printf("\n");
wolfSSL 7:481bce714567 1411 }
wolfSSL 7:481bce714567 1412 else {
wolfSSL 7:481bce714567 1413 printf("DecodeObjectId failed: %d\n", ret);
wolfSSL 7:481bce714567 1414 }
wolfSSL 7:481bce714567 1415 }
wolfSSL 7:481bce714567 1416 #endif /* HAVE_OID_DECODING */
wolfSSL 7:481bce714567 1417 #endif /* ASN_DUMP_OID */
wolfSSL 7:481bce714567 1418
wolfSSL 7:481bce714567 1419 if (checkOid != NULL &&
wolfSSL 7:481bce714567 1420 (checkOidSz != actualOidSz ||
wolfSSL 7:481bce714567 1421 XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) {
wolfSSL 7:481bce714567 1422 WOLFSSL_MSG("OID Check Failed");
wolfSSL 7:481bce714567 1423 return ASN_UNKNOWN_OID_E;
wolfSSL 7:481bce714567 1424 }
wolfSSL 7:481bce714567 1425 }
wolfSSL 7:481bce714567 1426 }
wolfSSL 7:481bce714567 1427 #endif /* NO_VERIFY_OID */
wolfSSL 7:481bce714567 1428
wolfSSL 7:481bce714567 1429 return ret;
wolfSSL 7:481bce714567 1430 }
wolfSSL 7:481bce714567 1431
wolfSSL 7:481bce714567 1432
wolfSSL 7:481bce714567 1433 #ifndef NO_RSA
wolfSSL 7:481bce714567 1434 #ifndef HAVE_USER_RSA
wolfSSL 7:481bce714567 1435 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 7:481bce714567 1436 static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
wolfSSL 7:481bce714567 1437 {
wolfSSL 7:481bce714567 1438 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 1439 int length;
wolfSSL 7:481bce714567 1440
wolfSSL 7:481bce714567 1441 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 1442 return BUFFER_E;
wolfSSL 7:481bce714567 1443
wolfSSL 7:481bce714567 1444 if (input[idx++] != ASN_OBJECT_ID)
wolfSSL 7:481bce714567 1445 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 1446
wolfSSL 7:481bce714567 1447 if (GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 1448 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1449
wolfSSL 7:481bce714567 1450 idx += length;
wolfSSL 7:481bce714567 1451 *inOutIdx = idx;
wolfSSL 7:481bce714567 1452
wolfSSL 7:481bce714567 1453 return 0;
wolfSSL 7:481bce714567 1454 }
wolfSSL 7:481bce714567 1455 #endif /* OPENSSL_EXTRA || RSA_DECODE_EXTRA */
wolfSSL 7:481bce714567 1456 #endif /* !HAVE_USER_RSA */
wolfSSL 7:481bce714567 1457 #endif /* !NO_RSA */
wolfSSL 7:481bce714567 1458
wolfSSL 7:481bce714567 1459 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL 7:481bce714567 1460 word32 oidType, word32 maxIdx)
wolfSSL 7:481bce714567 1461 {
wolfSSL 7:481bce714567 1462 int length;
wolfSSL 7:481bce714567 1463 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 1464 byte b;
wolfSSL 7:481bce714567 1465 *oid = 0;
wolfSSL 7:481bce714567 1466
wolfSSL 7:481bce714567 1467 WOLFSSL_ENTER("GetAlgoId");
wolfSSL 7:481bce714567 1468
wolfSSL 7:481bce714567 1469 if (GetSequence(input, &idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 1470 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1471
wolfSSL 7:481bce714567 1472 if (GetObjectId(input, &idx, oid, oidType, maxIdx) < 0)
wolfSSL 7:481bce714567 1473 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 1474
wolfSSL 7:481bce714567 1475 /* could have NULL tag and 0 terminator, but may not */
wolfSSL 7:481bce714567 1476 b = input[idx];
wolfSSL 7:481bce714567 1477
wolfSSL 7:481bce714567 1478 if (b == ASN_TAG_NULL) {
wolfSSL 7:481bce714567 1479 if ((idx + 1) > maxIdx)
wolfSSL 7:481bce714567 1480 return BUFFER_E;
wolfSSL 7:481bce714567 1481
wolfSSL 7:481bce714567 1482 idx++;
wolfSSL 7:481bce714567 1483 b = input[idx++];
wolfSSL 7:481bce714567 1484 if (b != 0)
wolfSSL 7:481bce714567 1485 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 1486 }
wolfSSL 7:481bce714567 1487
wolfSSL 7:481bce714567 1488 *inOutIdx = idx;
wolfSSL 7:481bce714567 1489
wolfSSL 7:481bce714567 1490 return 0;
wolfSSL 7:481bce714567 1491 }
wolfSSL 7:481bce714567 1492
wolfSSL 7:481bce714567 1493 #ifndef NO_RSA
wolfSSL 7:481bce714567 1494
wolfSSL 7:481bce714567 1495 #ifndef HAVE_USER_RSA
wolfSSL 7:481bce714567 1496 int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 7:481bce714567 1497 word32 inSz)
wolfSSL 7:481bce714567 1498 {
wolfSSL 7:481bce714567 1499 int version, length;
wolfSSL 7:481bce714567 1500
wolfSSL 7:481bce714567 1501 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 1502 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1503
wolfSSL 7:481bce714567 1504 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 7:481bce714567 1505 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1506
wolfSSL 7:481bce714567 1507 key->type = RSA_PRIVATE;
wolfSSL 7:481bce714567 1508
wolfSSL 7:481bce714567 1509 if (GetIntRsa(key, &key->n, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1510 GetIntRsa(key, &key->e, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1511 GetIntRsa(key, &key->d, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1512 GetIntRsa(key, &key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1513 GetIntRsa(key, &key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1514 GetIntRsa(key, &key->dP, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1515 GetIntRsa(key, &key->dQ, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 1516 GetIntRsa(key, &key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL 7:481bce714567 1517
wolfSSL 7:481bce714567 1518 return 0;
wolfSSL 7:481bce714567 1519 }
wolfSSL 7:481bce714567 1520 #endif /* HAVE_USER_RSA */
wolfSSL 7:481bce714567 1521 #endif /* NO_RSA */
wolfSSL 7:481bce714567 1522
wolfSSL 7:481bce714567 1523 /* Remove PKCS8 header, move beginning of traditional to beginning of input */
wolfSSL 7:481bce714567 1524 int ToTraditional(byte* input, word32 sz)
wolfSSL 7:481bce714567 1525 {
wolfSSL 7:481bce714567 1526 word32 inOutIdx = 0, oid;
wolfSSL 7:481bce714567 1527 int version, length;
wolfSSL 7:481bce714567 1528
wolfSSL 7:481bce714567 1529 if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL 7:481bce714567 1530 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1531
wolfSSL 7:481bce714567 1532 if (GetMyVersion(input, &inOutIdx, &version, sz) < 0)
wolfSSL 7:481bce714567 1533 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1534
wolfSSL 7:481bce714567 1535 if (GetAlgoId(input, &inOutIdx, &oid, oidKeyType, sz) < 0)
wolfSSL 7:481bce714567 1536 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1537
wolfSSL 7:481bce714567 1538 if (input[inOutIdx] == ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 1539 /* pkcs8 ecc uses slightly different format */
wolfSSL 7:481bce714567 1540 inOutIdx++; /* past id */
wolfSSL 7:481bce714567 1541 if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL 7:481bce714567 1542 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1543 inOutIdx += length; /* over sub id, key input will verify */
wolfSSL 7:481bce714567 1544 }
wolfSSL 7:481bce714567 1545
wolfSSL 7:481bce714567 1546 if (input[inOutIdx++] != ASN_OCTET_STRING)
wolfSSL 7:481bce714567 1547 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1548
wolfSSL 7:481bce714567 1549 if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL 7:481bce714567 1550 return ASN_PARSE_E;
wolfSSL 7:481bce714567 1551
wolfSSL 7:481bce714567 1552 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 7:481bce714567 1553
wolfSSL 7:481bce714567 1554 return length;
wolfSSL 7:481bce714567 1555 }
wolfSSL 7:481bce714567 1556
wolfSSL 7:481bce714567 1557
wolfSSL 7:481bce714567 1558 /* check that the private key is a pair for the public key in certificate
wolfSSL 7:481bce714567 1559 * return 1 (true) on match
wolfSSL 7:481bce714567 1560 * return 0 or negative value on failure/error
wolfSSL 7:481bce714567 1561 *
wolfSSL 7:481bce714567 1562 * key : buffer holding DER fromat key
wolfSSL 7:481bce714567 1563 * keySz : size of key buffer
wolfSSL 7:481bce714567 1564 * der : a initialized and parsed DecodedCert holding a certificate */
wolfSSL 7:481bce714567 1565 int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
wolfSSL 7:481bce714567 1566 {
wolfSSL 7:481bce714567 1567 if (key == NULL || der == NULL) {
wolfSSL 7:481bce714567 1568 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 1569 }
wolfSSL 7:481bce714567 1570
wolfSSL 7:481bce714567 1571 #if !defined(NO_RSA)
wolfSSL 7:481bce714567 1572 {
wolfSSL 7:481bce714567 1573 RsaKey a, b;
wolfSSL 7:481bce714567 1574 word32 keyIdx = 0;
wolfSSL 7:481bce714567 1575 int ret = 0;
wolfSSL 7:481bce714567 1576
wolfSSL 7:481bce714567 1577 /* test if RSA key */
wolfSSL 7:481bce714567 1578 if (der->keyOID == RSAk) {
wolfSSL 7:481bce714567 1579 if (wc_InitRsaKey(&a, NULL) == 0 &&
wolfSSL 7:481bce714567 1580 wc_RsaPrivateKeyDecode(key, &keyIdx, &a, keySz) == 0) {
wolfSSL 7:481bce714567 1581 WOLFSSL_MSG("Checking RSA key pair");
wolfSSL 7:481bce714567 1582 keyIdx = 0; /* reset to 0 for parsing public key */
wolfSSL 7:481bce714567 1583
wolfSSL 7:481bce714567 1584 if (wc_InitRsaKey(&b, NULL) == 0) {
wolfSSL 7:481bce714567 1585 if ((ret = wc_RsaPublicKeyDecode(der->publicKey, &keyIdx,
wolfSSL 7:481bce714567 1586 &b, der->pubKeySize)) == 0) {
wolfSSL 7:481bce714567 1587 /* limit for user RSA crypto because of RsaKey
wolfSSL 7:481bce714567 1588 * dereference. */
wolfSSL 7:481bce714567 1589 #if defined(HAVE_USER_RSA)
wolfSSL 7:481bce714567 1590 WOLFSSL_MSG("Cannot verify RSA pair with user RSA");
wolfSSL 7:481bce714567 1591 wc_FreeRsaKey(&b);
wolfSSL 7:481bce714567 1592 wc_FreeRsaKey(&a);
wolfSSL 7:481bce714567 1593 return 1; /* return first RSA cert as match */
wolfSSL 7:481bce714567 1594 #else
wolfSSL 7:481bce714567 1595 /* both keys extracted successfully now check n and e
wolfSSL 7:481bce714567 1596 * values are the same. This is dereferencing RsaKey */
wolfSSL 7:481bce714567 1597 if (mp_cmp(&(a.n), &(b.n)) != MP_EQ ||
wolfSSL 7:481bce714567 1598 mp_cmp(&(a.e), &(b.e)) != MP_EQ) {
wolfSSL 7:481bce714567 1599 ret = MP_CMP_E;
wolfSSL 7:481bce714567 1600 }
wolfSSL 7:481bce714567 1601 else {
wolfSSL 7:481bce714567 1602 /* match found, free keys and return success */
wolfSSL 7:481bce714567 1603 wc_FreeRsaKey(&b);
wolfSSL 7:481bce714567 1604 wc_FreeRsaKey(&a);
wolfSSL 7:481bce714567 1605 return 1;
wolfSSL 7:481bce714567 1606 }
wolfSSL 7:481bce714567 1607 #endif
wolfSSL 7:481bce714567 1608 }
wolfSSL 7:481bce714567 1609 wc_FreeRsaKey(&b);
wolfSSL 7:481bce714567 1610 }
wolfSSL 7:481bce714567 1611 }
wolfSSL 7:481bce714567 1612 wc_FreeRsaKey(&a);
wolfSSL 7:481bce714567 1613 }
wolfSSL 7:481bce714567 1614
wolfSSL 7:481bce714567 1615 /* if ret is not 0 then there was a failed comparision attempt */
wolfSSL 7:481bce714567 1616 if (ret != 0) {
wolfSSL 7:481bce714567 1617 return ret;
wolfSSL 7:481bce714567 1618 }
wolfSSL 7:481bce714567 1619 }
wolfSSL 7:481bce714567 1620 #endif /* NO_RSA */
wolfSSL 7:481bce714567 1621
wolfSSL 7:481bce714567 1622 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 1623 {
wolfSSL 7:481bce714567 1624 int ret = 0;
wolfSSL 7:481bce714567 1625 word32 keyIdx = 0;
wolfSSL 7:481bce714567 1626 ecc_key key_pair;
wolfSSL 7:481bce714567 1627
wolfSSL 7:481bce714567 1628 if (der->keyOID == ECDSAk) {
wolfSSL 7:481bce714567 1629 if ((ret = wc_ecc_init(&key_pair)) == 0 &&
wolfSSL 7:481bce714567 1630 wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, keySz) == 0) {
wolfSSL 7:481bce714567 1631 WOLFSSL_MSG("Checking ECC key pair");
wolfSSL 7:481bce714567 1632 keyIdx = 0;
wolfSSL 7:481bce714567 1633 if ((ret = wc_ecc_import_x963(der->publicKey, der->pubKeySize,
wolfSSL 7:481bce714567 1634 &key_pair)) == 0) {
wolfSSL 7:481bce714567 1635 /* public and private extracted successfuly no check if is
wolfSSL 7:481bce714567 1636 * a pair and also do sanity checks on key. wc_ecc_check_key
wolfSSL 7:481bce714567 1637 * checks that private * base generator equals pubkey */
wolfSSL 7:481bce714567 1638 if ((ret = wc_ecc_check_key(&key_pair)) == 0) {
wolfSSL 7:481bce714567 1639 /* found a match */
wolfSSL 7:481bce714567 1640 wc_ecc_free(&key_pair);
wolfSSL 7:481bce714567 1641 return 1;
wolfSSL 7:481bce714567 1642 }
wolfSSL 7:481bce714567 1643
wolfSSL 7:481bce714567 1644 }
wolfSSL 7:481bce714567 1645 }
wolfSSL 7:481bce714567 1646 wc_ecc_free(&key_pair);
wolfSSL 7:481bce714567 1647 }
wolfSSL 7:481bce714567 1648
wolfSSL 7:481bce714567 1649 /* error on attempt to match */
wolfSSL 7:481bce714567 1650 if (ret != 0) {
wolfSSL 7:481bce714567 1651 return ret;
wolfSSL 7:481bce714567 1652 }
wolfSSL 7:481bce714567 1653 }
wolfSSL 7:481bce714567 1654 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 1655
wolfSSL 7:481bce714567 1656 /* no match found */
wolfSSL 7:481bce714567 1657 return 0;
wolfSSL 7:481bce714567 1658 }
wolfSSL 7:481bce714567 1659
wolfSSL 7:481bce714567 1660 #ifndef NO_PWDBASED
wolfSSL 7:481bce714567 1661
wolfSSL 7:481bce714567 1662 /* Check To see if PKCS version algo is supported, set id if it is return 0
wolfSSL 7:481bce714567 1663 < 0 on error */
wolfSSL 7:481bce714567 1664 static int CheckAlgo(int first, int second, int* id, int* version)
wolfSSL 7:481bce714567 1665 {
wolfSSL 7:481bce714567 1666 *id = ALGO_ID_E;
wolfSSL 7:481bce714567 1667 *version = PKCS5; /* default */
wolfSSL 7:481bce714567 1668
wolfSSL 7:481bce714567 1669 if (first == 1) {
wolfSSL 7:481bce714567 1670 switch (second) {
wolfSSL 7:481bce714567 1671 case 1:
wolfSSL 7:481bce714567 1672 *id = PBE_SHA1_RC4_128;
wolfSSL 7:481bce714567 1673 *version = PKCS12;
wolfSSL 7:481bce714567 1674 return 0;
wolfSSL 7:481bce714567 1675 case 3:
wolfSSL 7:481bce714567 1676 *id = PBE_SHA1_DES3;
wolfSSL 7:481bce714567 1677 *version = PKCS12;
wolfSSL 7:481bce714567 1678 return 0;
wolfSSL 7:481bce714567 1679 default:
wolfSSL 7:481bce714567 1680 return ALGO_ID_E;
wolfSSL 7:481bce714567 1681 }
wolfSSL 7:481bce714567 1682 }
wolfSSL 7:481bce714567 1683
wolfSSL 7:481bce714567 1684 if (first != PKCS5)
wolfSSL 7:481bce714567 1685 return ASN_INPUT_E; /* VERSION ERROR */
wolfSSL 7:481bce714567 1686
wolfSSL 7:481bce714567 1687 if (second == PBES2) {
wolfSSL 7:481bce714567 1688 *version = PKCS5v2;
wolfSSL 7:481bce714567 1689 return 0;
wolfSSL 7:481bce714567 1690 }
wolfSSL 7:481bce714567 1691
wolfSSL 7:481bce714567 1692 switch (second) {
wolfSSL 7:481bce714567 1693 case 3: /* see RFC 2898 for ids */
wolfSSL 7:481bce714567 1694 *id = PBE_MD5_DES;
wolfSSL 7:481bce714567 1695 return 0;
wolfSSL 7:481bce714567 1696 case 10:
wolfSSL 7:481bce714567 1697 *id = PBE_SHA1_DES;
wolfSSL 7:481bce714567 1698 return 0;
wolfSSL 7:481bce714567 1699 default:
wolfSSL 7:481bce714567 1700 return ALGO_ID_E;
wolfSSL 7:481bce714567 1701
wolfSSL 7:481bce714567 1702 }
wolfSSL 7:481bce714567 1703 }
wolfSSL 7:481bce714567 1704
wolfSSL 7:481bce714567 1705
wolfSSL 7:481bce714567 1706 /* Check To see if PKCS v2 algo is supported, set id if it is return 0
wolfSSL 7:481bce714567 1707 < 0 on error */
wolfSSL 7:481bce714567 1708 static int CheckAlgoV2(int oid, int* id)
wolfSSL 7:481bce714567 1709 {
wolfSSL 7:481bce714567 1710 switch (oid) {
wolfSSL 7:481bce714567 1711 case 69:
wolfSSL 7:481bce714567 1712 *id = PBE_SHA1_DES;
wolfSSL 7:481bce714567 1713 return 0;
wolfSSL 7:481bce714567 1714 case 652:
wolfSSL 7:481bce714567 1715 *id = PBE_SHA1_DES3;
wolfSSL 7:481bce714567 1716 return 0;
wolfSSL 7:481bce714567 1717 default:
wolfSSL 7:481bce714567 1718 return ALGO_ID_E;
wolfSSL 7:481bce714567 1719
wolfSSL 7:481bce714567 1720 }
wolfSSL 7:481bce714567 1721 }
wolfSSL 7:481bce714567 1722
wolfSSL 7:481bce714567 1723
wolfSSL 7:481bce714567 1724 /* Decrypt input in place from parameters based on id */
wolfSSL 7:481bce714567 1725 static int DecryptKey(const char* password, int passwordSz, byte* salt,
wolfSSL 7:481bce714567 1726 int saltSz, int iterations, int id, byte* input,
wolfSSL 7:481bce714567 1727 int length, int version, byte* cbcIv)
wolfSSL 7:481bce714567 1728 {
wolfSSL 7:481bce714567 1729 int typeH;
wolfSSL 7:481bce714567 1730 int derivedLen;
wolfSSL 7:481bce714567 1731 int decryptionType;
wolfSSL 7:481bce714567 1732 int ret = 0;
wolfSSL 7:481bce714567 1733 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1734 byte* key;
wolfSSL 7:481bce714567 1735 #else
wolfSSL 7:481bce714567 1736 byte key[MAX_KEY_SIZE];
wolfSSL 7:481bce714567 1737 #endif
wolfSSL 7:481bce714567 1738
wolfSSL 7:481bce714567 1739 (void)input;
wolfSSL 7:481bce714567 1740 (void)length;
wolfSSL 7:481bce714567 1741
wolfSSL 7:481bce714567 1742 switch (id) {
wolfSSL 7:481bce714567 1743 case PBE_MD5_DES:
wolfSSL 7:481bce714567 1744 typeH = MD5;
wolfSSL 7:481bce714567 1745 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 7:481bce714567 1746 decryptionType = DES_TYPE;
wolfSSL 7:481bce714567 1747 break;
wolfSSL 7:481bce714567 1748
wolfSSL 7:481bce714567 1749 case PBE_SHA1_DES:
wolfSSL 7:481bce714567 1750 typeH = SHA;
wolfSSL 7:481bce714567 1751 derivedLen = 16; /* may need iv for v1.5 */
wolfSSL 7:481bce714567 1752 decryptionType = DES_TYPE;
wolfSSL 7:481bce714567 1753 break;
wolfSSL 7:481bce714567 1754
wolfSSL 7:481bce714567 1755 case PBE_SHA1_DES3:
wolfSSL 7:481bce714567 1756 typeH = SHA;
wolfSSL 7:481bce714567 1757 derivedLen = 32; /* may need iv for v1.5 */
wolfSSL 7:481bce714567 1758 decryptionType = DES3_TYPE;
wolfSSL 7:481bce714567 1759 break;
wolfSSL 7:481bce714567 1760
wolfSSL 7:481bce714567 1761 case PBE_SHA1_RC4_128:
wolfSSL 7:481bce714567 1762 typeH = SHA;
wolfSSL 7:481bce714567 1763 derivedLen = 16;
wolfSSL 7:481bce714567 1764 decryptionType = RC4_TYPE;
wolfSSL 7:481bce714567 1765 break;
wolfSSL 7:481bce714567 1766
wolfSSL 7:481bce714567 1767 default:
wolfSSL 7:481bce714567 1768 return ALGO_ID_E;
wolfSSL 7:481bce714567 1769 }
wolfSSL 7:481bce714567 1770
wolfSSL 7:481bce714567 1771 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1772 key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1773 if (key == NULL)
wolfSSL 7:481bce714567 1774 return MEMORY_E;
wolfSSL 7:481bce714567 1775 #endif
wolfSSL 7:481bce714567 1776
wolfSSL 7:481bce714567 1777 if (version == PKCS5v2)
wolfSSL 7:481bce714567 1778 ret = wc_PBKDF2(key, (byte*)password, passwordSz,
wolfSSL 7:481bce714567 1779 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 7:481bce714567 1780 #ifndef NO_SHA
wolfSSL 7:481bce714567 1781 else if (version == PKCS5)
wolfSSL 7:481bce714567 1782 ret = wc_PBKDF1(key, (byte*)password, passwordSz,
wolfSSL 7:481bce714567 1783 salt, saltSz, iterations, derivedLen, typeH);
wolfSSL 7:481bce714567 1784 #endif
wolfSSL 7:481bce714567 1785 else if (version == PKCS12) {
wolfSSL 7:481bce714567 1786 int i, idx = 0;
wolfSSL 7:481bce714567 1787 byte unicodePasswd[MAX_UNICODE_SZ];
wolfSSL 7:481bce714567 1788
wolfSSL 7:481bce714567 1789 if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
wolfSSL 7:481bce714567 1790 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1791 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1792 #endif
wolfSSL 7:481bce714567 1793 return UNICODE_SIZE_E;
wolfSSL 7:481bce714567 1794 }
wolfSSL 7:481bce714567 1795
wolfSSL 7:481bce714567 1796 for (i = 0; i < passwordSz; i++) {
wolfSSL 7:481bce714567 1797 unicodePasswd[idx++] = 0x00;
wolfSSL 7:481bce714567 1798 unicodePasswd[idx++] = (byte)password[i];
wolfSSL 7:481bce714567 1799 }
wolfSSL 7:481bce714567 1800 /* add trailing NULL */
wolfSSL 7:481bce714567 1801 unicodePasswd[idx++] = 0x00;
wolfSSL 7:481bce714567 1802 unicodePasswd[idx++] = 0x00;
wolfSSL 7:481bce714567 1803
wolfSSL 7:481bce714567 1804 ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
wolfSSL 7:481bce714567 1805 iterations, derivedLen, typeH, 1);
wolfSSL 7:481bce714567 1806 if (decryptionType != RC4_TYPE)
wolfSSL 7:481bce714567 1807 ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
wolfSSL 7:481bce714567 1808 iterations, 8, typeH, 2);
wolfSSL 7:481bce714567 1809 }
wolfSSL 7:481bce714567 1810 else {
wolfSSL 7:481bce714567 1811 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1812 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1813 #endif
wolfSSL 7:481bce714567 1814 return ALGO_ID_E;
wolfSSL 7:481bce714567 1815 }
wolfSSL 7:481bce714567 1816
wolfSSL 7:481bce714567 1817 if (ret != 0) {
wolfSSL 7:481bce714567 1818 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1819 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1820 #endif
wolfSSL 7:481bce714567 1821 return ret;
wolfSSL 7:481bce714567 1822 }
wolfSSL 7:481bce714567 1823
wolfSSL 7:481bce714567 1824 switch (decryptionType) {
wolfSSL 7:481bce714567 1825 #ifndef NO_DES3
wolfSSL 7:481bce714567 1826 case DES_TYPE:
wolfSSL 7:481bce714567 1827 {
wolfSSL 7:481bce714567 1828 Des dec;
wolfSSL 7:481bce714567 1829 byte* desIv = key + 8;
wolfSSL 7:481bce714567 1830
wolfSSL 7:481bce714567 1831 if (version == PKCS5v2 || version == PKCS12)
wolfSSL 7:481bce714567 1832 desIv = cbcIv;
wolfSSL 7:481bce714567 1833
wolfSSL 7:481bce714567 1834 ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 7:481bce714567 1835 if (ret != 0) {
wolfSSL 7:481bce714567 1836 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1837 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1838 #endif
wolfSSL 7:481bce714567 1839 return ret;
wolfSSL 7:481bce714567 1840 }
wolfSSL 7:481bce714567 1841
wolfSSL 7:481bce714567 1842 wc_Des_CbcDecrypt(&dec, input, input, length);
wolfSSL 7:481bce714567 1843 break;
wolfSSL 7:481bce714567 1844 }
wolfSSL 7:481bce714567 1845
wolfSSL 7:481bce714567 1846 case DES3_TYPE:
wolfSSL 7:481bce714567 1847 {
wolfSSL 7:481bce714567 1848 Des3 dec;
wolfSSL 7:481bce714567 1849 byte* desIv = key + 24;
wolfSSL 7:481bce714567 1850
wolfSSL 7:481bce714567 1851 if (version == PKCS5v2 || version == PKCS12)
wolfSSL 7:481bce714567 1852 desIv = cbcIv;
wolfSSL 7:481bce714567 1853 ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL 7:481bce714567 1854 if (ret != 0) {
wolfSSL 7:481bce714567 1855 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1856 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1857 #endif
wolfSSL 7:481bce714567 1858 return ret;
wolfSSL 7:481bce714567 1859 }
wolfSSL 7:481bce714567 1860 ret = wc_Des3_CbcDecrypt(&dec, input, input, length);
wolfSSL 7:481bce714567 1861 if (ret != 0) {
wolfSSL 7:481bce714567 1862 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1863 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1864 #endif
wolfSSL 7:481bce714567 1865 return ret;
wolfSSL 7:481bce714567 1866 }
wolfSSL 7:481bce714567 1867 break;
wolfSSL 7:481bce714567 1868 }
wolfSSL 7:481bce714567 1869 #endif
wolfSSL 7:481bce714567 1870 #ifndef NO_RC4
wolfSSL 7:481bce714567 1871 case RC4_TYPE:
wolfSSL 7:481bce714567 1872 {
wolfSSL 7:481bce714567 1873 Arc4 dec;
wolfSSL 7:481bce714567 1874
wolfSSL 7:481bce714567 1875 wc_Arc4SetKey(&dec, key, derivedLen);
wolfSSL 7:481bce714567 1876 wc_Arc4Process(&dec, input, input, length);
wolfSSL 7:481bce714567 1877 break;
wolfSSL 7:481bce714567 1878 }
wolfSSL 7:481bce714567 1879 #endif
wolfSSL 7:481bce714567 1880
wolfSSL 7:481bce714567 1881 default:
wolfSSL 7:481bce714567 1882 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1883 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1884 #endif
wolfSSL 7:481bce714567 1885 return ALGO_ID_E;
wolfSSL 7:481bce714567 1886 }
wolfSSL 7:481bce714567 1887
wolfSSL 7:481bce714567 1888 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1889 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1890 #endif
wolfSSL 7:481bce714567 1891
wolfSSL 7:481bce714567 1892 return 0;
wolfSSL 7:481bce714567 1893 }
wolfSSL 7:481bce714567 1894
wolfSSL 7:481bce714567 1895
wolfSSL 7:481bce714567 1896 /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
wolfSSL 7:481bce714567 1897 of input */
wolfSSL 7:481bce714567 1898 int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL 7:481bce714567 1899 {
wolfSSL 7:481bce714567 1900 word32 inOutIdx = 0, oid;
wolfSSL 7:481bce714567 1901 int ret = 0, first, second, length = 0, version, saltSz, id;
wolfSSL 7:481bce714567 1902 int iterations = 0;
wolfSSL 7:481bce714567 1903 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1904 byte* salt = NULL;
wolfSSL 7:481bce714567 1905 byte* cbcIv = NULL;
wolfSSL 7:481bce714567 1906 #else
wolfSSL 7:481bce714567 1907 byte salt[MAX_SALT_SIZE];
wolfSSL 7:481bce714567 1908 byte cbcIv[MAX_IV_SIZE];
wolfSSL 7:481bce714567 1909 #endif
wolfSSL 7:481bce714567 1910
wolfSSL 7:481bce714567 1911 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 1912 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1913 }
wolfSSL 7:481bce714567 1914
wolfSSL 7:481bce714567 1915 if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) {
wolfSSL 7:481bce714567 1916 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1917 }
wolfSSL 7:481bce714567 1918
wolfSSL 7:481bce714567 1919 first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */
wolfSSL 7:481bce714567 1920 second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL 7:481bce714567 1921
wolfSSL 7:481bce714567 1922 if (CheckAlgo(first, second, &id, &version) < 0) {
wolfSSL 7:481bce714567 1923 ERROR_OUT(ASN_INPUT_E, exit_tte); /* Algo ID error */
wolfSSL 7:481bce714567 1924 }
wolfSSL 7:481bce714567 1925
wolfSSL 7:481bce714567 1926 if (version == PKCS5v2) {
wolfSSL 7:481bce714567 1927 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 1928 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1929 }
wolfSSL 7:481bce714567 1930
wolfSSL 7:481bce714567 1931 if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) {
wolfSSL 7:481bce714567 1932 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1933 }
wolfSSL 7:481bce714567 1934
wolfSSL 7:481bce714567 1935 if (oid != PBKDF2_OID) {
wolfSSL 7:481bce714567 1936 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1937 }
wolfSSL 7:481bce714567 1938 }
wolfSSL 7:481bce714567 1939
wolfSSL 7:481bce714567 1940 if (GetSequence(input, &inOutIdx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 1941 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1942 }
wolfSSL 7:481bce714567 1943
wolfSSL 7:481bce714567 1944 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 1945 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1946 }
wolfSSL 7:481bce714567 1947
wolfSSL 7:481bce714567 1948 if (GetLength(input, &inOutIdx, &saltSz, sz) < 0) {
wolfSSL 7:481bce714567 1949 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1950 }
wolfSSL 7:481bce714567 1951
wolfSSL 7:481bce714567 1952 if (saltSz > MAX_SALT_SIZE) {
wolfSSL 7:481bce714567 1953 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1954 }
wolfSSL 7:481bce714567 1955
wolfSSL 7:481bce714567 1956 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1957 salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1958 if (salt == NULL) {
wolfSSL 7:481bce714567 1959 ERROR_OUT(MEMORY_E, exit_tte);
wolfSSL 7:481bce714567 1960 }
wolfSSL 7:481bce714567 1961 #endif
wolfSSL 7:481bce714567 1962
wolfSSL 7:481bce714567 1963 XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL 7:481bce714567 1964 inOutIdx += saltSz;
wolfSSL 7:481bce714567 1965
wolfSSL 7:481bce714567 1966 if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) {
wolfSSL 7:481bce714567 1967 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1968 }
wolfSSL 7:481bce714567 1969
wolfSSL 7:481bce714567 1970 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 1971 cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 1972 if (cbcIv == NULL) {
wolfSSL 7:481bce714567 1973 ERROR_OUT(MEMORY_E, exit_tte);
wolfSSL 7:481bce714567 1974 }
wolfSSL 7:481bce714567 1975 #endif
wolfSSL 7:481bce714567 1976
wolfSSL 7:481bce714567 1977 if (version == PKCS5v2) {
wolfSSL 7:481bce714567 1978 /* get encryption algo */
wolfSSL 7:481bce714567 1979 /* JOHN: New type. Need a little more research. */
wolfSSL 7:481bce714567 1980 if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) {
wolfSSL 7:481bce714567 1981 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1982 }
wolfSSL 7:481bce714567 1983
wolfSSL 7:481bce714567 1984 if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL 7:481bce714567 1985 ERROR_OUT(ASN_PARSE_E, exit_tte); /* PKCS v2 algo id error */
wolfSSL 7:481bce714567 1986 }
wolfSSL 7:481bce714567 1987
wolfSSL 7:481bce714567 1988 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 1989 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1990 }
wolfSSL 7:481bce714567 1991
wolfSSL 7:481bce714567 1992 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 1993 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1994 }
wolfSSL 7:481bce714567 1995
wolfSSL 7:481bce714567 1996 if (length > MAX_IV_SIZE) {
wolfSSL 7:481bce714567 1997 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 1998 }
wolfSSL 7:481bce714567 1999
wolfSSL 7:481bce714567 2000 XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL 7:481bce714567 2001 inOutIdx += length;
wolfSSL 7:481bce714567 2002 }
wolfSSL 7:481bce714567 2003
wolfSSL 7:481bce714567 2004 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 2005 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 2006 }
wolfSSL 7:481bce714567 2007
wolfSSL 7:481bce714567 2008 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 2009 ERROR_OUT(ASN_PARSE_E, exit_tte);
wolfSSL 7:481bce714567 2010 }
wolfSSL 7:481bce714567 2011
wolfSSL 7:481bce714567 2012 ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL 7:481bce714567 2013 input + inOutIdx, length, version, cbcIv);
wolfSSL 7:481bce714567 2014
wolfSSL 7:481bce714567 2015 exit_tte:
wolfSSL 7:481bce714567 2016 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2017 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2018 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2019 #endif
wolfSSL 7:481bce714567 2020
wolfSSL 7:481bce714567 2021 if (ret == 0) {
wolfSSL 7:481bce714567 2022 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 7:481bce714567 2023 ret = ToTraditional(input, length);
wolfSSL 7:481bce714567 2024 }
wolfSSL 7:481bce714567 2025
wolfSSL 7:481bce714567 2026 return ret;
wolfSSL 7:481bce714567 2027 }
wolfSSL 7:481bce714567 2028
wolfSSL 7:481bce714567 2029 /* decrypt PKCS */
wolfSSL 7:481bce714567 2030 int DecryptContent(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL 7:481bce714567 2031 {
wolfSSL 7:481bce714567 2032 word32 inOutIdx = 0, oid;
wolfSSL 7:481bce714567 2033 int ret = 0;
wolfSSL 7:481bce714567 2034 int first, second, length = 0, version, saltSz, id;
wolfSSL 7:481bce714567 2035 int iterations = 0;
wolfSSL 7:481bce714567 2036 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2037 byte* salt = NULL;
wolfSSL 7:481bce714567 2038 byte* cbcIv = NULL;
wolfSSL 7:481bce714567 2039 #else
wolfSSL 7:481bce714567 2040 byte salt[MAX_SALT_SIZE];
wolfSSL 7:481bce714567 2041 byte cbcIv[MAX_IV_SIZE];
wolfSSL 7:481bce714567 2042 #endif
wolfSSL 7:481bce714567 2043
wolfSSL 7:481bce714567 2044 if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) {
wolfSSL 7:481bce714567 2045 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2046 }
wolfSSL 7:481bce714567 2047
wolfSSL 7:481bce714567 2048 first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */
wolfSSL 7:481bce714567 2049 second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL 7:481bce714567 2050
wolfSSL 7:481bce714567 2051 if (CheckAlgo(first, second, &id, &version) < 0) {
wolfSSL 7:481bce714567 2052 ERROR_OUT(ASN_INPUT_E, exit_dc); /* Algo ID error */
wolfSSL 7:481bce714567 2053 }
wolfSSL 7:481bce714567 2054
wolfSSL 7:481bce714567 2055 if (version == PKCS5v2) {
wolfSSL 7:481bce714567 2056 if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 2057 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2058 }
wolfSSL 7:481bce714567 2059
wolfSSL 7:481bce714567 2060 if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) {
wolfSSL 7:481bce714567 2061 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2062 }
wolfSSL 7:481bce714567 2063
wolfSSL 7:481bce714567 2064 if (oid != PBKDF2_OID) {
wolfSSL 7:481bce714567 2065 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2066 }
wolfSSL 7:481bce714567 2067 }
wolfSSL 7:481bce714567 2068
wolfSSL 7:481bce714567 2069 if (GetSequence(input, &inOutIdx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 2070 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2071 }
wolfSSL 7:481bce714567 2072
wolfSSL 7:481bce714567 2073 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 2074 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2075 }
wolfSSL 7:481bce714567 2076
wolfSSL 7:481bce714567 2077 if (GetLength(input, &inOutIdx, &saltSz, sz) < 0) {
wolfSSL 7:481bce714567 2078 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2079 }
wolfSSL 7:481bce714567 2080
wolfSSL 7:481bce714567 2081 if (saltSz > MAX_SALT_SIZE) {
wolfSSL 7:481bce714567 2082 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2083 }
wolfSSL 7:481bce714567 2084
wolfSSL 7:481bce714567 2085 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2086 salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2087 if (salt == NULL) {
wolfSSL 7:481bce714567 2088 ERROR_OUT(MEMORY_E, exit_dc);
wolfSSL 7:481bce714567 2089 }
wolfSSL 7:481bce714567 2090 #endif
wolfSSL 7:481bce714567 2091
wolfSSL 7:481bce714567 2092 XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL 7:481bce714567 2093 inOutIdx += saltSz;
wolfSSL 7:481bce714567 2094
wolfSSL 7:481bce714567 2095 if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) {
wolfSSL 7:481bce714567 2096 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2097 }
wolfSSL 7:481bce714567 2098
wolfSSL 7:481bce714567 2099 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2100 cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2101 if (cbcIv == NULL) {
wolfSSL 7:481bce714567 2102 ERROR_OUT(MEMORY_E, exit_dc);
wolfSSL 7:481bce714567 2103 }
wolfSSL 7:481bce714567 2104 #endif
wolfSSL 7:481bce714567 2105
wolfSSL 7:481bce714567 2106 if (version == PKCS5v2) {
wolfSSL 7:481bce714567 2107 /* get encryption algo */
wolfSSL 7:481bce714567 2108 /* JOHN: New type. Need a little more research. */
wolfSSL 7:481bce714567 2109 if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) {
wolfSSL 7:481bce714567 2110 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2111 }
wolfSSL 7:481bce714567 2112
wolfSSL 7:481bce714567 2113 if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL 7:481bce714567 2114 ERROR_OUT(ASN_PARSE_E, exit_dc); /* PKCS v2 algo id error */
wolfSSL 7:481bce714567 2115 }
wolfSSL 7:481bce714567 2116
wolfSSL 7:481bce714567 2117 if ((inOutIdx + 1) > sz) {
wolfSSL 7:481bce714567 2118 ERROR_OUT(BUFFER_E, exit_dc);
wolfSSL 7:481bce714567 2119 }
wolfSSL 7:481bce714567 2120
wolfSSL 7:481bce714567 2121 if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 2122 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2123 }
wolfSSL 7:481bce714567 2124
wolfSSL 7:481bce714567 2125 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 2126 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2127 }
wolfSSL 7:481bce714567 2128
wolfSSL 7:481bce714567 2129 XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL 7:481bce714567 2130 inOutIdx += length;
wolfSSL 7:481bce714567 2131 }
wolfSSL 7:481bce714567 2132
wolfSSL 7:481bce714567 2133 if (input[inOutIdx++] != ASN_LONG_LENGTH) {
wolfSSL 7:481bce714567 2134 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2135 }
wolfSSL 7:481bce714567 2136
wolfSSL 7:481bce714567 2137 if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL 7:481bce714567 2138 ERROR_OUT(ASN_PARSE_E, exit_dc);
wolfSSL 7:481bce714567 2139 }
wolfSSL 7:481bce714567 2140
wolfSSL 7:481bce714567 2141 ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL 7:481bce714567 2142 input + inOutIdx, length, version, cbcIv);
wolfSSL 7:481bce714567 2143
wolfSSL 7:481bce714567 2144 exit_dc:
wolfSSL 7:481bce714567 2145
wolfSSL 7:481bce714567 2146 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2147 XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2148 XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2149 #endif
wolfSSL 7:481bce714567 2150
wolfSSL 7:481bce714567 2151 if (ret == 0) {
wolfSSL 7:481bce714567 2152 XMEMMOVE(input, input + inOutIdx, length);
wolfSSL 7:481bce714567 2153 ret = length;
wolfSSL 7:481bce714567 2154 }
wolfSSL 7:481bce714567 2155
wolfSSL 7:481bce714567 2156 return ret;
wolfSSL 7:481bce714567 2157 }
wolfSSL 7:481bce714567 2158 #endif /* NO_PWDBASED */
wolfSSL 7:481bce714567 2159
wolfSSL 7:481bce714567 2160 #ifndef NO_RSA
wolfSSL 7:481bce714567 2161
wolfSSL 7:481bce714567 2162 #ifndef HAVE_USER_RSA
wolfSSL 7:481bce714567 2163 int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL 7:481bce714567 2164 word32 inSz)
wolfSSL 7:481bce714567 2165 {
wolfSSL 7:481bce714567 2166 int length;
wolfSSL 7:481bce714567 2167 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 7:481bce714567 2168 byte b;
wolfSSL 7:481bce714567 2169 #endif
wolfSSL 7:481bce714567 2170
wolfSSL 7:481bce714567 2171 if (input == NULL || inOutIdx == NULL || key == NULL)
wolfSSL 7:481bce714567 2172 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 2173
wolfSSL 7:481bce714567 2174 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2175 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2176
wolfSSL 7:481bce714567 2177 key->type = RSA_PUBLIC;
wolfSSL 7:481bce714567 2178
wolfSSL 7:481bce714567 2179 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
wolfSSL 7:481bce714567 2180 if ((*inOutIdx + 1) > inSz)
wolfSSL 7:481bce714567 2181 return BUFFER_E;
wolfSSL 7:481bce714567 2182
wolfSSL 7:481bce714567 2183 b = input[*inOutIdx];
wolfSSL 7:481bce714567 2184 if (b != ASN_INTEGER) {
wolfSSL 7:481bce714567 2185 /* not from decoded cert, will have algo id, skip past */
wolfSSL 7:481bce714567 2186 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2187 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2188
wolfSSL 7:481bce714567 2189 if (SkipObjectId(input, inOutIdx, inSz) < 0)
wolfSSL 7:481bce714567 2190 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2191
wolfSSL 7:481bce714567 2192 /* could have NULL tag and 0 terminator, but may not */
wolfSSL 7:481bce714567 2193 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 2194
wolfSSL 7:481bce714567 2195 if (b == ASN_TAG_NULL) {
wolfSSL 7:481bce714567 2196 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 2197 if (b != 0)
wolfSSL 7:481bce714567 2198 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 2199 }
wolfSSL 7:481bce714567 2200 else {
wolfSSL 7:481bce714567 2201 /* go back, didn't have it */
wolfSSL 7:481bce714567 2202 (*inOutIdx)--;
wolfSSL 7:481bce714567 2203 }
wolfSSL 7:481bce714567 2204
wolfSSL 7:481bce714567 2205 /* should have bit tag length and seq next */
wolfSSL 7:481bce714567 2206 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 2207 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 2208 return ASN_BITSTR_E;
wolfSSL 7:481bce714567 2209
wolfSSL 7:481bce714567 2210 if (GetLength(input, inOutIdx, &length, inSz) <= 0)
wolfSSL 7:481bce714567 2211 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2212
wolfSSL 7:481bce714567 2213 /* could have 0 */
wolfSSL 7:481bce714567 2214 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 2215 if (b != 0)
wolfSSL 7:481bce714567 2216 (*inOutIdx)--;
wolfSSL 7:481bce714567 2217
wolfSSL 7:481bce714567 2218 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2219 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2220 }
wolfSSL 7:481bce714567 2221 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 2222
wolfSSL 7:481bce714567 2223 if (GetInt(&key->n, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2224 GetInt(&key->e, input, inOutIdx, inSz) < 0) {
wolfSSL 7:481bce714567 2225 return ASN_RSA_KEY_E;
wolfSSL 7:481bce714567 2226 }
wolfSSL 7:481bce714567 2227
wolfSSL 7:481bce714567 2228 return 0;
wolfSSL 7:481bce714567 2229 }
wolfSSL 7:481bce714567 2230
wolfSSL 7:481bce714567 2231 /* import RSA public key elements (n, e) into RsaKey structure (key) */
wolfSSL 7:481bce714567 2232 int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
wolfSSL 7:481bce714567 2233 word32 eSz, RsaKey* key)
wolfSSL 7:481bce714567 2234 {
wolfSSL 7:481bce714567 2235 if (n == NULL || e == NULL || key == NULL)
wolfSSL 7:481bce714567 2236 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 2237
wolfSSL 7:481bce714567 2238 key->type = RSA_PUBLIC;
wolfSSL 7:481bce714567 2239
wolfSSL 7:481bce714567 2240 if (mp_init(&key->n) != MP_OKAY)
wolfSSL 7:481bce714567 2241 return MP_INIT_E;
wolfSSL 7:481bce714567 2242
wolfSSL 7:481bce714567 2243 if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) {
wolfSSL 7:481bce714567 2244 mp_clear(&key->n);
wolfSSL 7:481bce714567 2245 return ASN_GETINT_E;
wolfSSL 7:481bce714567 2246 }
wolfSSL 7:481bce714567 2247
wolfSSL 7:481bce714567 2248 if (mp_init(&key->e) != MP_OKAY) {
wolfSSL 7:481bce714567 2249 mp_clear(&key->n);
wolfSSL 7:481bce714567 2250 return MP_INIT_E;
wolfSSL 7:481bce714567 2251 }
wolfSSL 7:481bce714567 2252
wolfSSL 7:481bce714567 2253 if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) {
wolfSSL 7:481bce714567 2254 mp_clear(&key->n);
wolfSSL 7:481bce714567 2255 mp_clear(&key->e);
wolfSSL 7:481bce714567 2256 return ASN_GETINT_E;
wolfSSL 7:481bce714567 2257 }
wolfSSL 7:481bce714567 2258
wolfSSL 7:481bce714567 2259 return 0;
wolfSSL 7:481bce714567 2260 }
wolfSSL 7:481bce714567 2261 #endif /* HAVE_USER_RSA */
wolfSSL 7:481bce714567 2262 #endif
wolfSSL 7:481bce714567 2263
wolfSSL 7:481bce714567 2264 #ifndef NO_DH
wolfSSL 7:481bce714567 2265
wolfSSL 7:481bce714567 2266 int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
wolfSSL 7:481bce714567 2267 {
wolfSSL 7:481bce714567 2268 int length;
wolfSSL 7:481bce714567 2269
wolfSSL 7:481bce714567 2270 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2271 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2272
wolfSSL 7:481bce714567 2273 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2274 GetInt(&key->g, input, inOutIdx, inSz) < 0) {
wolfSSL 7:481bce714567 2275 return ASN_DH_KEY_E;
wolfSSL 7:481bce714567 2276 }
wolfSSL 7:481bce714567 2277
wolfSSL 7:481bce714567 2278 return 0;
wolfSSL 7:481bce714567 2279 }
wolfSSL 7:481bce714567 2280
wolfSSL 7:481bce714567 2281
wolfSSL 7:481bce714567 2282 int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
wolfSSL 7:481bce714567 2283 byte* g, word32* gInOutSz)
wolfSSL 7:481bce714567 2284 {
wolfSSL 7:481bce714567 2285 word32 idx = 0;
wolfSSL 7:481bce714567 2286 byte b;
wolfSSL 7:481bce714567 2287 int length;
wolfSSL 7:481bce714567 2288
wolfSSL 7:481bce714567 2289 if (GetSequence(input, &idx, &length, inSz) <= 0)
wolfSSL 7:481bce714567 2290 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2291
wolfSSL 7:481bce714567 2292 b = input[idx++];
wolfSSL 7:481bce714567 2293 if (b != ASN_INTEGER)
wolfSSL 7:481bce714567 2294 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2295
wolfSSL 7:481bce714567 2296 if (GetLength(input, &idx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2297 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2298
wolfSSL 7:481bce714567 2299 if (length > 0) {
wolfSSL 7:481bce714567 2300 /* remove leading zero */
wolfSSL 7:481bce714567 2301 if ((b = input[idx++]) == 0x00)
wolfSSL 7:481bce714567 2302 length--;
wolfSSL 7:481bce714567 2303 else
wolfSSL 7:481bce714567 2304 idx--;
wolfSSL 7:481bce714567 2305 }
wolfSSL 7:481bce714567 2306
wolfSSL 7:481bce714567 2307 if (length <= (int)*pInOutSz) {
wolfSSL 7:481bce714567 2308 XMEMCPY(p, &input[idx], length);
wolfSSL 7:481bce714567 2309 *pInOutSz = length;
wolfSSL 7:481bce714567 2310 }
wolfSSL 7:481bce714567 2311 else {
wolfSSL 7:481bce714567 2312 return BUFFER_E;
wolfSSL 7:481bce714567 2313 }
wolfSSL 7:481bce714567 2314 idx += length;
wolfSSL 7:481bce714567 2315
wolfSSL 7:481bce714567 2316 if ((idx + 1) > inSz)
wolfSSL 7:481bce714567 2317 return BUFFER_E;
wolfSSL 7:481bce714567 2318
wolfSSL 7:481bce714567 2319 b = input[idx++];
wolfSSL 7:481bce714567 2320 if (b != ASN_INTEGER)
wolfSSL 7:481bce714567 2321 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2322
wolfSSL 7:481bce714567 2323 if (GetLength(input, &idx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2324 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2325
wolfSSL 7:481bce714567 2326 if (length <= (int)*gInOutSz) {
wolfSSL 7:481bce714567 2327 XMEMCPY(g, &input[idx], length);
wolfSSL 7:481bce714567 2328 *gInOutSz = length;
wolfSSL 7:481bce714567 2329 }
wolfSSL 7:481bce714567 2330 else {
wolfSSL 7:481bce714567 2331 return BUFFER_E;
wolfSSL 7:481bce714567 2332 }
wolfSSL 7:481bce714567 2333
wolfSSL 7:481bce714567 2334 return 0;
wolfSSL 7:481bce714567 2335 }
wolfSSL 7:481bce714567 2336
wolfSSL 7:481bce714567 2337 #endif /* NO_DH */
wolfSSL 7:481bce714567 2338
wolfSSL 7:481bce714567 2339
wolfSSL 7:481bce714567 2340 #ifndef NO_DSA
wolfSSL 7:481bce714567 2341
wolfSSL 7:481bce714567 2342 int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 7:481bce714567 2343 word32 inSz)
wolfSSL 7:481bce714567 2344 {
wolfSSL 7:481bce714567 2345 int length;
wolfSSL 7:481bce714567 2346
wolfSSL 7:481bce714567 2347 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2348 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2349
wolfSSL 7:481bce714567 2350 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2351 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2352 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2353 GetInt(&key->y, input, inOutIdx, inSz) < 0 )
wolfSSL 7:481bce714567 2354 return ASN_DH_KEY_E;
wolfSSL 7:481bce714567 2355
wolfSSL 7:481bce714567 2356 key->type = DSA_PUBLIC;
wolfSSL 7:481bce714567 2357 return 0;
wolfSSL 7:481bce714567 2358 }
wolfSSL 7:481bce714567 2359
wolfSSL 7:481bce714567 2360
wolfSSL 7:481bce714567 2361 int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL 7:481bce714567 2362 word32 inSz)
wolfSSL 7:481bce714567 2363 {
wolfSSL 7:481bce714567 2364 int length, version;
wolfSSL 7:481bce714567 2365
wolfSSL 7:481bce714567 2366 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 2367 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2368
wolfSSL 7:481bce714567 2369 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 7:481bce714567 2370 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2371
wolfSSL 7:481bce714567 2372 if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2373 GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2374 GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2375 GetInt(&key->y, input, inOutIdx, inSz) < 0 ||
wolfSSL 7:481bce714567 2376 GetInt(&key->x, input, inOutIdx, inSz) < 0 )
wolfSSL 7:481bce714567 2377 return ASN_DH_KEY_E;
wolfSSL 7:481bce714567 2378
wolfSSL 7:481bce714567 2379 key->type = DSA_PRIVATE;
wolfSSL 7:481bce714567 2380 return 0;
wolfSSL 7:481bce714567 2381 }
wolfSSL 7:481bce714567 2382
wolfSSL 7:481bce714567 2383 static mp_int* GetDsaInt(DsaKey* key, int idx)
wolfSSL 7:481bce714567 2384 {
wolfSSL 7:481bce714567 2385 if (idx == 0)
wolfSSL 7:481bce714567 2386 return &key->p;
wolfSSL 7:481bce714567 2387 if (idx == 1)
wolfSSL 7:481bce714567 2388 return &key->q;
wolfSSL 7:481bce714567 2389 if (idx == 2)
wolfSSL 7:481bce714567 2390 return &key->g;
wolfSSL 7:481bce714567 2391 if (idx == 3)
wolfSSL 7:481bce714567 2392 return &key->y;
wolfSSL 7:481bce714567 2393 if (idx == 4)
wolfSSL 7:481bce714567 2394 return &key->x;
wolfSSL 7:481bce714567 2395
wolfSSL 7:481bce714567 2396 return NULL;
wolfSSL 7:481bce714567 2397 }
wolfSSL 7:481bce714567 2398
wolfSSL 7:481bce714567 2399 /* Release Tmp DSA resources */
wolfSSL 7:481bce714567 2400 static INLINE void FreeTmpDsas(byte** tmps, void* heap)
wolfSSL 7:481bce714567 2401 {
wolfSSL 7:481bce714567 2402 int i;
wolfSSL 7:481bce714567 2403
wolfSSL 7:481bce714567 2404 for (i = 0; i < DSA_INTS; i++)
wolfSSL 7:481bce714567 2405 XFREE(tmps[i], heap, DYNAMIC_TYPE_DSA);
wolfSSL 7:481bce714567 2406
wolfSSL 7:481bce714567 2407 (void)heap;
wolfSSL 7:481bce714567 2408 }
wolfSSL 7:481bce714567 2409
wolfSSL 7:481bce714567 2410 /* Convert DsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 7:481bce714567 2411 written */
wolfSSL 7:481bce714567 2412 int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
wolfSSL 7:481bce714567 2413 {
wolfSSL 7:481bce714567 2414 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 7:481bce714567 2415 word32 sizes[DSA_INTS];
wolfSSL 7:481bce714567 2416 int i, j, outLen, ret = 0, lbit;
wolfSSL 7:481bce714567 2417
wolfSSL 7:481bce714567 2418 byte seq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 2419 byte ver[MAX_VERSION_SZ];
wolfSSL 7:481bce714567 2420 byte* tmps[DSA_INTS];
wolfSSL 7:481bce714567 2421
wolfSSL 7:481bce714567 2422 if (!key || !output)
wolfSSL 7:481bce714567 2423 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 2424
wolfSSL 7:481bce714567 2425 if (key->type != DSA_PRIVATE)
wolfSSL 7:481bce714567 2426 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 2427
wolfSSL 7:481bce714567 2428 for (i = 0; i < DSA_INTS; i++)
wolfSSL 7:481bce714567 2429 tmps[i] = NULL;
wolfSSL 7:481bce714567 2430
wolfSSL 7:481bce714567 2431 /* write all big ints from key to DER tmps */
wolfSSL 7:481bce714567 2432 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 7:481bce714567 2433 mp_int* keyInt = GetDsaInt(key, i);
wolfSSL 7:481bce714567 2434
wolfSSL 7:481bce714567 2435 /* leading zero */
wolfSSL 7:481bce714567 2436 lbit = mp_leading_bit(keyInt);
wolfSSL 7:481bce714567 2437 rawLen = mp_unsigned_bin_size(keyInt) + lbit;
wolfSSL 7:481bce714567 2438
wolfSSL 7:481bce714567 2439 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL 7:481bce714567 2440 DYNAMIC_TYPE_DSA);
wolfSSL 7:481bce714567 2441 if (tmps[i] == NULL) {
wolfSSL 7:481bce714567 2442 ret = MEMORY_E;
wolfSSL 7:481bce714567 2443 break;
wolfSSL 7:481bce714567 2444 }
wolfSSL 7:481bce714567 2445
wolfSSL 7:481bce714567 2446 tmps[i][0] = ASN_INTEGER;
wolfSSL 7:481bce714567 2447 sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */
wolfSSL 7:481bce714567 2448
wolfSSL 7:481bce714567 2449 if (sizes[i] <= MAX_SEQ_SZ) {
wolfSSL 7:481bce714567 2450 int err;
wolfSSL 7:481bce714567 2451
wolfSSL 7:481bce714567 2452 /* leading zero */
wolfSSL 7:481bce714567 2453 if (lbit)
wolfSSL 7:481bce714567 2454 tmps[i][sizes[i]-1] = 0x00;
wolfSSL 7:481bce714567 2455
wolfSSL 7:481bce714567 2456 err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
wolfSSL 7:481bce714567 2457 if (err == MP_OKAY) {
wolfSSL 7:481bce714567 2458 sizes[i] += (rawLen-lbit); /* lbit included in rawLen */
wolfSSL 7:481bce714567 2459 intTotalLen += sizes[i];
wolfSSL 7:481bce714567 2460 }
wolfSSL 7:481bce714567 2461 else {
wolfSSL 7:481bce714567 2462 ret = err;
wolfSSL 7:481bce714567 2463 break;
wolfSSL 7:481bce714567 2464 }
wolfSSL 7:481bce714567 2465 }
wolfSSL 7:481bce714567 2466 else {
wolfSSL 7:481bce714567 2467 ret = ASN_INPUT_E;
wolfSSL 7:481bce714567 2468 break;
wolfSSL 7:481bce714567 2469 }
wolfSSL 7:481bce714567 2470 }
wolfSSL 7:481bce714567 2471
wolfSSL 7:481bce714567 2472 if (ret != 0) {
wolfSSL 7:481bce714567 2473 FreeTmpDsas(tmps, key->heap);
wolfSSL 7:481bce714567 2474 return ret;
wolfSSL 7:481bce714567 2475 }
wolfSSL 7:481bce714567 2476
wolfSSL 7:481bce714567 2477 /* make headers */
wolfSSL 7:481bce714567 2478 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 7:481bce714567 2479 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 7:481bce714567 2480
wolfSSL 7:481bce714567 2481 outLen = seqSz + verSz + intTotalLen;
wolfSSL 7:481bce714567 2482 if (outLen > (int)inLen)
wolfSSL 7:481bce714567 2483 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 2484
wolfSSL 7:481bce714567 2485 /* write to output */
wolfSSL 7:481bce714567 2486 XMEMCPY(output, seq, seqSz);
wolfSSL 7:481bce714567 2487 j = seqSz;
wolfSSL 7:481bce714567 2488 XMEMCPY(output + j, ver, verSz);
wolfSSL 7:481bce714567 2489 j += verSz;
wolfSSL 7:481bce714567 2490
wolfSSL 7:481bce714567 2491 for (i = 0; i < DSA_INTS; i++) {
wolfSSL 7:481bce714567 2492 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 7:481bce714567 2493 j += sizes[i];
wolfSSL 7:481bce714567 2494 }
wolfSSL 7:481bce714567 2495 FreeTmpDsas(tmps, key->heap);
wolfSSL 7:481bce714567 2496
wolfSSL 7:481bce714567 2497 return outLen;
wolfSSL 7:481bce714567 2498 }
wolfSSL 7:481bce714567 2499
wolfSSL 7:481bce714567 2500 #endif /* NO_DSA */
wolfSSL 7:481bce714567 2501
wolfSSL 7:481bce714567 2502
wolfSSL 7:481bce714567 2503 void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
wolfSSL 7:481bce714567 2504 {
wolfSSL 7:481bce714567 2505 cert->publicKey = 0;
wolfSSL 7:481bce714567 2506 cert->pubKeySize = 0;
wolfSSL 7:481bce714567 2507 cert->pubKeyStored = 0;
wolfSSL 7:481bce714567 2508 cert->keyOID = 0;
wolfSSL 7:481bce714567 2509 cert->version = 0;
wolfSSL 7:481bce714567 2510 cert->signature = 0;
wolfSSL 7:481bce714567 2511 cert->subjectCN = 0;
wolfSSL 7:481bce714567 2512 cert->subjectCNLen = 0;
wolfSSL 7:481bce714567 2513 cert->subjectCNEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2514 cert->subjectCNStored = 0;
wolfSSL 7:481bce714567 2515 cert->weOwnAltNames = 0;
wolfSSL 7:481bce714567 2516 cert->altNames = NULL;
wolfSSL 7:481bce714567 2517 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 2518 cert->altEmailNames = NULL;
wolfSSL 7:481bce714567 2519 cert->permittedNames = NULL;
wolfSSL 7:481bce714567 2520 cert->excludedNames = NULL;
wolfSSL 7:481bce714567 2521 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 2522 cert->issuer[0] = '\0';
wolfSSL 7:481bce714567 2523 cert->subject[0] = '\0';
wolfSSL 7:481bce714567 2524 cert->source = source; /* don't own */
wolfSSL 7:481bce714567 2525 cert->srcIdx = 0;
wolfSSL 7:481bce714567 2526 cert->maxIdx = inSz; /* can't go over this index */
wolfSSL 7:481bce714567 2527 cert->heap = heap;
wolfSSL 7:481bce714567 2528 XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE);
wolfSSL 7:481bce714567 2529 cert->serialSz = 0;
wolfSSL 7:481bce714567 2530 cert->extensions = 0;
wolfSSL 7:481bce714567 2531 cert->extensionsSz = 0;
wolfSSL 7:481bce714567 2532 cert->extensionsIdx = 0;
wolfSSL 7:481bce714567 2533 cert->extAuthInfo = NULL;
wolfSSL 7:481bce714567 2534 cert->extAuthInfoSz = 0;
wolfSSL 7:481bce714567 2535 cert->extCrlInfo = NULL;
wolfSSL 7:481bce714567 2536 cert->extCrlInfoSz = 0;
wolfSSL 7:481bce714567 2537 XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE);
wolfSSL 7:481bce714567 2538 cert->extSubjKeyIdSet = 0;
wolfSSL 7:481bce714567 2539 XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE);
wolfSSL 7:481bce714567 2540 cert->extAuthKeyIdSet = 0;
wolfSSL 7:481bce714567 2541 cert->extKeyUsageSet = 0;
wolfSSL 7:481bce714567 2542 cert->extKeyUsage = 0;
wolfSSL 7:481bce714567 2543 cert->extExtKeyUsageSet = 0;
wolfSSL 7:481bce714567 2544 cert->extExtKeyUsage = 0;
wolfSSL 7:481bce714567 2545 cert->isCA = 0;
wolfSSL 7:481bce714567 2546 cert->pathLengthSet = 0;
wolfSSL 7:481bce714567 2547 cert->pathLength = 0;
wolfSSL 7:481bce714567 2548 #ifdef HAVE_PKCS7
wolfSSL 7:481bce714567 2549 cert->issuerRaw = NULL;
wolfSSL 7:481bce714567 2550 cert->issuerRawLen = 0;
wolfSSL 7:481bce714567 2551 #endif
wolfSSL 7:481bce714567 2552 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 2553 cert->subjectSN = 0;
wolfSSL 7:481bce714567 2554 cert->subjectSNLen = 0;
wolfSSL 7:481bce714567 2555 cert->subjectSNEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2556 cert->subjectC = 0;
wolfSSL 7:481bce714567 2557 cert->subjectCLen = 0;
wolfSSL 7:481bce714567 2558 cert->subjectCEnc = CTC_PRINTABLE;
wolfSSL 7:481bce714567 2559 cert->subjectL = 0;
wolfSSL 7:481bce714567 2560 cert->subjectLLen = 0;
wolfSSL 7:481bce714567 2561 cert->subjectLEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2562 cert->subjectST = 0;
wolfSSL 7:481bce714567 2563 cert->subjectSTLen = 0;
wolfSSL 7:481bce714567 2564 cert->subjectSTEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2565 cert->subjectO = 0;
wolfSSL 7:481bce714567 2566 cert->subjectOLen = 0;
wolfSSL 7:481bce714567 2567 cert->subjectOEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2568 cert->subjectOU = 0;
wolfSSL 7:481bce714567 2569 cert->subjectOULen = 0;
wolfSSL 7:481bce714567 2570 cert->subjectOUEnc = CTC_UTF8;
wolfSSL 7:481bce714567 2571 cert->subjectEmail = 0;
wolfSSL 7:481bce714567 2572 cert->subjectEmailLen = 0;
wolfSSL 7:481bce714567 2573 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 2574 cert->beforeDate = NULL;
wolfSSL 7:481bce714567 2575 cert->beforeDateLen = 0;
wolfSSL 7:481bce714567 2576 cert->afterDate = NULL;
wolfSSL 7:481bce714567 2577 cert->afterDateLen = 0;
wolfSSL 7:481bce714567 2578 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 2579 XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
wolfSSL 7:481bce714567 2580 XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
wolfSSL 7:481bce714567 2581 cert->extCRLdistSet = 0;
wolfSSL 7:481bce714567 2582 cert->extCRLdistCrit = 0;
wolfSSL 7:481bce714567 2583 cert->extAuthInfoSet = 0;
wolfSSL 7:481bce714567 2584 cert->extAuthInfoCrit = 0;
wolfSSL 7:481bce714567 2585 cert->extBasicConstSet = 0;
wolfSSL 7:481bce714567 2586 cert->extBasicConstCrit = 0;
wolfSSL 7:481bce714567 2587 cert->extSubjAltNameSet = 0;
wolfSSL 7:481bce714567 2588 cert->extSubjAltNameCrit = 0;
wolfSSL 7:481bce714567 2589 cert->extAuthKeyIdCrit = 0;
wolfSSL 7:481bce714567 2590 cert->extSubjKeyIdCrit = 0;
wolfSSL 7:481bce714567 2591 cert->extKeyUsageCrit = 0;
wolfSSL 7:481bce714567 2592 cert->extExtKeyUsageCrit = 0;
wolfSSL 7:481bce714567 2593 cert->extExtKeyUsageSrc = NULL;
wolfSSL 7:481bce714567 2594 cert->extExtKeyUsageSz = 0;
wolfSSL 7:481bce714567 2595 cert->extExtKeyUsageCount = 0;
wolfSSL 7:481bce714567 2596 cert->extAuthKeyIdSrc = NULL;
wolfSSL 7:481bce714567 2597 cert->extAuthKeyIdSz = 0;
wolfSSL 7:481bce714567 2598 cert->extSubjKeyIdSrc = NULL;
wolfSSL 7:481bce714567 2599 cert->extSubjKeyIdSz = 0;
wolfSSL 7:481bce714567 2600 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 2601 #if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS)
wolfSSL 7:481bce714567 2602 cert->extNameConstraintSet = 0;
wolfSSL 7:481bce714567 2603 #endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 2604 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 2605 cert->pkCurveOID = 0;
wolfSSL 7:481bce714567 2606 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 2607 #ifdef WOLFSSL_SEP
wolfSSL 7:481bce714567 2608 cert->deviceTypeSz = 0;
wolfSSL 7:481bce714567 2609 cert->deviceType = NULL;
wolfSSL 7:481bce714567 2610 cert->hwTypeSz = 0;
wolfSSL 7:481bce714567 2611 cert->hwType = NULL;
wolfSSL 7:481bce714567 2612 cert->hwSerialNumSz = 0;
wolfSSL 7:481bce714567 2613 cert->hwSerialNum = NULL;
wolfSSL 7:481bce714567 2614 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 2615 cert->extCertPolicySet = 0;
wolfSSL 7:481bce714567 2616 cert->extCertPolicyCrit = 0;
wolfSSL 7:481bce714567 2617 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 2618 #endif /* WOLFSSL_SEP */
wolfSSL 7:481bce714567 2619 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 2620 XMEMSET(cert->extCertPolicies, 0, MAX_CERTPOL_NB*MAX_CERTPOL_SZ);
wolfSSL 7:481bce714567 2621 cert->extCertPoliciesNb = 0;
wolfSSL 7:481bce714567 2622 #endif
wolfSSL 7:481bce714567 2623 }
wolfSSL 7:481bce714567 2624
wolfSSL 7:481bce714567 2625
wolfSSL 7:481bce714567 2626 void FreeAltNames(DNS_entry* altNames, void* heap)
wolfSSL 7:481bce714567 2627 {
wolfSSL 7:481bce714567 2628 (void)heap;
wolfSSL 7:481bce714567 2629
wolfSSL 7:481bce714567 2630 while (altNames) {
wolfSSL 7:481bce714567 2631 DNS_entry* tmp = altNames->next;
wolfSSL 7:481bce714567 2632
wolfSSL 7:481bce714567 2633 XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 2634 XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 2635 altNames = tmp;
wolfSSL 7:481bce714567 2636 }
wolfSSL 7:481bce714567 2637 }
wolfSSL 7:481bce714567 2638
wolfSSL 7:481bce714567 2639 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 2640
wolfSSL 7:481bce714567 2641 void FreeNameSubtrees(Base_entry* names, void* heap)
wolfSSL 7:481bce714567 2642 {
wolfSSL 7:481bce714567 2643 (void)heap;
wolfSSL 7:481bce714567 2644
wolfSSL 7:481bce714567 2645 while (names) {
wolfSSL 7:481bce714567 2646 Base_entry* tmp = names->next;
wolfSSL 7:481bce714567 2647
wolfSSL 7:481bce714567 2648 XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 2649 XFREE(names, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 2650 names = tmp;
wolfSSL 7:481bce714567 2651 }
wolfSSL 7:481bce714567 2652 }
wolfSSL 7:481bce714567 2653
wolfSSL 7:481bce714567 2654 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 2655
wolfSSL 7:481bce714567 2656 void FreeDecodedCert(DecodedCert* cert)
wolfSSL 7:481bce714567 2657 {
wolfSSL 7:481bce714567 2658 if (cert->subjectCNStored == 1)
wolfSSL 7:481bce714567 2659 XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 7:481bce714567 2660 if (cert->pubKeyStored == 1)
wolfSSL 7:481bce714567 2661 XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 7:481bce714567 2662 if (cert->weOwnAltNames && cert->altNames)
wolfSSL 7:481bce714567 2663 FreeAltNames(cert->altNames, cert->heap);
wolfSSL 7:481bce714567 2664 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 2665 if (cert->altEmailNames)
wolfSSL 7:481bce714567 2666 FreeAltNames(cert->altEmailNames, cert->heap);
wolfSSL 7:481bce714567 2667 if (cert->permittedNames)
wolfSSL 7:481bce714567 2668 FreeNameSubtrees(cert->permittedNames, cert->heap);
wolfSSL 7:481bce714567 2669 if (cert->excludedNames)
wolfSSL 7:481bce714567 2670 FreeNameSubtrees(cert->excludedNames, cert->heap);
wolfSSL 7:481bce714567 2671 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 2672 #ifdef WOLFSSL_SEP
wolfSSL 7:481bce714567 2673 XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 2674 XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 2675 XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 2676 #endif /* WOLFSSL_SEP */
wolfSSL 7:481bce714567 2677 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 2678 if (cert->issuerName.fullName != NULL)
wolfSSL 7:481bce714567 2679 XFREE(cert->issuerName.fullName, cert->heap, DYNAMIC_TYPE_X509);
wolfSSL 7:481bce714567 2680 if (cert->subjectName.fullName != NULL)
wolfSSL 7:481bce714567 2681 XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
wolfSSL 7:481bce714567 2682 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 2683 }
wolfSSL 7:481bce714567 2684
wolfSSL 7:481bce714567 2685 static int GetCertHeader(DecodedCert* cert)
wolfSSL 7:481bce714567 2686 {
wolfSSL 7:481bce714567 2687 int ret = 0, len;
wolfSSL 7:481bce714567 2688
wolfSSL 7:481bce714567 2689 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2690 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2691
wolfSSL 7:481bce714567 2692 cert->certBegin = cert->srcIdx;
wolfSSL 7:481bce714567 2693
wolfSSL 7:481bce714567 2694 if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2695 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2696 cert->sigIndex = len + cert->srcIdx;
wolfSSL 7:481bce714567 2697
wolfSSL 7:481bce714567 2698 if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version,
wolfSSL 7:481bce714567 2699 cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2700 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2701
wolfSSL 7:481bce714567 2702 if (GetSerialNumber(cert->source, &cert->srcIdx, cert->serial,
wolfSSL 7:481bce714567 2703 &cert->serialSz, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2704 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2705
wolfSSL 7:481bce714567 2706 return ret;
wolfSSL 7:481bce714567 2707 }
wolfSSL 7:481bce714567 2708
wolfSSL 7:481bce714567 2709 #if !defined(NO_RSA)
wolfSSL 7:481bce714567 2710 /* Store Rsa Key, may save later, Dsa could use in future */
wolfSSL 7:481bce714567 2711 static int StoreRsaKey(DecodedCert* cert)
wolfSSL 7:481bce714567 2712 {
wolfSSL 7:481bce714567 2713 int length;
wolfSSL 7:481bce714567 2714 word32 recvd = cert->srcIdx;
wolfSSL 7:481bce714567 2715
wolfSSL 7:481bce714567 2716 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2717 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2718
wolfSSL 7:481bce714567 2719 recvd = cert->srcIdx - recvd;
wolfSSL 7:481bce714567 2720 length += recvd;
wolfSSL 7:481bce714567 2721
wolfSSL 7:481bce714567 2722 while (recvd--)
wolfSSL 7:481bce714567 2723 cert->srcIdx--;
wolfSSL 7:481bce714567 2724
wolfSSL 7:481bce714567 2725 cert->pubKeySize = length;
wolfSSL 7:481bce714567 2726 cert->publicKey = cert->source + cert->srcIdx;
wolfSSL 7:481bce714567 2727 cert->srcIdx += length;
wolfSSL 7:481bce714567 2728
wolfSSL 7:481bce714567 2729 return 0;
wolfSSL 7:481bce714567 2730 }
wolfSSL 7:481bce714567 2731 #endif /* !NO_RSA */
wolfSSL 7:481bce714567 2732
wolfSSL 7:481bce714567 2733 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 2734
wolfSSL 7:481bce714567 2735 /* return 0 on success if the ECC curve oid sum is supported */
wolfSSL 7:481bce714567 2736 static int CheckCurve(word32 oid)
wolfSSL 7:481bce714567 2737 {
wolfSSL 7:481bce714567 2738 int ret = 0;
wolfSSL 7:481bce714567 2739 word32 oidSz = 0;
wolfSSL 7:481bce714567 2740
wolfSSL 7:481bce714567 2741 ret = wc_ecc_get_oid(oid, NULL, &oidSz);
wolfSSL 7:481bce714567 2742 if (ret < 0 || oidSz <= 0) {
wolfSSL 7:481bce714567 2743 WOLFSSL_MSG("CheckCurve not found");
wolfSSL 7:481bce714567 2744 ret = ALGO_ID_E;
wolfSSL 7:481bce714567 2745 }
wolfSSL 7:481bce714567 2746
wolfSSL 7:481bce714567 2747 return ret;
wolfSSL 7:481bce714567 2748 }
wolfSSL 7:481bce714567 2749
wolfSSL 7:481bce714567 2750 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 2751
wolfSSL 7:481bce714567 2752 static int GetKey(DecodedCert* cert)
wolfSSL 7:481bce714567 2753 {
wolfSSL 7:481bce714567 2754 int length;
wolfSSL 7:481bce714567 2755 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 2756 int tmpIdx = cert->srcIdx;
wolfSSL 7:481bce714567 2757 #endif
wolfSSL 7:481bce714567 2758
wolfSSL 7:481bce714567 2759 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2760 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2761
wolfSSL 7:481bce714567 2762 if (GetAlgoId(cert->source, &cert->srcIdx,
wolfSSL 7:481bce714567 2763 &cert->keyOID, oidKeyType, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2764 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2765
wolfSSL 7:481bce714567 2766 switch (cert->keyOID) {
wolfSSL 7:481bce714567 2767 #ifndef NO_RSA
wolfSSL 7:481bce714567 2768 case RSAk:
wolfSSL 7:481bce714567 2769 {
wolfSSL 7:481bce714567 2770 byte b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2771 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 2772 return ASN_BITSTR_E;
wolfSSL 7:481bce714567 2773
wolfSSL 7:481bce714567 2774 if (GetLength(cert->source, &cert->srcIdx, &length,
wolfSSL 7:481bce714567 2775 cert->maxIdx) <= 0) {
wolfSSL 7:481bce714567 2776 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2777 }
wolfSSL 7:481bce714567 2778
wolfSSL 7:481bce714567 2779 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2780 if (b != 0x00)
wolfSSL 7:481bce714567 2781 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 2782
wolfSSL 7:481bce714567 2783 return StoreRsaKey(cert);
wolfSSL 7:481bce714567 2784 }
wolfSSL 7:481bce714567 2785
wolfSSL 7:481bce714567 2786 #endif /* NO_RSA */
wolfSSL 7:481bce714567 2787 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 2788 case NTRUk:
wolfSSL 7:481bce714567 2789 {
wolfSSL 7:481bce714567 2790 const byte* key = &cert->source[tmpIdx];
wolfSSL 7:481bce714567 2791 byte* next = (byte*)key;
wolfSSL 7:481bce714567 2792 word16 keyLen;
wolfSSL 7:481bce714567 2793 word32 rc;
wolfSSL 7:481bce714567 2794 word32 remaining = cert->maxIdx - cert->srcIdx;
wolfSSL 7:481bce714567 2795 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2796 byte* keyBlob = NULL;
wolfSSL 7:481bce714567 2797 #else
wolfSSL 7:481bce714567 2798 byte keyBlob[MAX_NTRU_KEY_SZ];
wolfSSL 7:481bce714567 2799 #endif
wolfSSL 7:481bce714567 2800 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 7:481bce714567 2801 &keyLen, NULL, &next, &remaining);
wolfSSL 7:481bce714567 2802 if (rc != NTRU_OK)
wolfSSL 7:481bce714567 2803 return ASN_NTRU_KEY_E;
wolfSSL 7:481bce714567 2804 if (keyLen > MAX_NTRU_KEY_SZ)
wolfSSL 7:481bce714567 2805 return ASN_NTRU_KEY_E;
wolfSSL 7:481bce714567 2806
wolfSSL 7:481bce714567 2807 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2808 keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL,
wolfSSL 7:481bce714567 2809 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2810 if (keyBlob == NULL)
wolfSSL 7:481bce714567 2811 return MEMORY_E;
wolfSSL 7:481bce714567 2812 #endif
wolfSSL 7:481bce714567 2813
wolfSSL 7:481bce714567 2814 rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL 7:481bce714567 2815 &keyLen, keyBlob, &next, &remaining);
wolfSSL 7:481bce714567 2816 if (rc != NTRU_OK) {
wolfSSL 7:481bce714567 2817 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2818 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2819 #endif
wolfSSL 7:481bce714567 2820 return ASN_NTRU_KEY_E;
wolfSSL 7:481bce714567 2821 }
wolfSSL 7:481bce714567 2822
wolfSSL 7:481bce714567 2823 if ( (next - key) < 0) {
wolfSSL 7:481bce714567 2824 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2825 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2826 #endif
wolfSSL 7:481bce714567 2827 return ASN_NTRU_KEY_E;
wolfSSL 7:481bce714567 2828 }
wolfSSL 7:481bce714567 2829
wolfSSL 7:481bce714567 2830 cert->srcIdx = tmpIdx + (int)(next - key);
wolfSSL 7:481bce714567 2831
wolfSSL 7:481bce714567 2832 cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap,
wolfSSL 7:481bce714567 2833 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 7:481bce714567 2834 if (cert->publicKey == NULL) {
wolfSSL 7:481bce714567 2835 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2836 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2837 #endif
wolfSSL 7:481bce714567 2838 return MEMORY_E;
wolfSSL 7:481bce714567 2839 }
wolfSSL 7:481bce714567 2840 XMEMCPY(cert->publicKey, keyBlob, keyLen);
wolfSSL 7:481bce714567 2841 cert->pubKeyStored = 1;
wolfSSL 7:481bce714567 2842 cert->pubKeySize = keyLen;
wolfSSL 7:481bce714567 2843
wolfSSL 7:481bce714567 2844 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 2845 XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 2846 #endif
wolfSSL 7:481bce714567 2847
wolfSSL 7:481bce714567 2848 return 0;
wolfSSL 7:481bce714567 2849 }
wolfSSL 7:481bce714567 2850 #endif /* HAVE_NTRU */
wolfSSL 7:481bce714567 2851 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 2852 case ECDSAk:
wolfSSL 7:481bce714567 2853 {
wolfSSL 7:481bce714567 2854 byte b;
wolfSSL 7:481bce714567 2855
wolfSSL 7:481bce714567 2856 if (GetObjectId(cert->source, &cert->srcIdx,
wolfSSL 7:481bce714567 2857 &cert->pkCurveOID, oidCurveType, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2858 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2859
wolfSSL 7:481bce714567 2860 if (CheckCurve(cert->pkCurveOID) < 0)
wolfSSL 7:481bce714567 2861 return ECC_CURVE_OID_E;
wolfSSL 7:481bce714567 2862
wolfSSL 7:481bce714567 2863 /* key header */
wolfSSL 7:481bce714567 2864 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2865 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 2866 return ASN_BITSTR_E;
wolfSSL 7:481bce714567 2867
wolfSSL 7:481bce714567 2868 if (GetLength(cert->source, &cert->srcIdx, &length,
wolfSSL 7:481bce714567 2869 cert->maxIdx) <= 0) {
wolfSSL 7:481bce714567 2870 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2871 }
wolfSSL 7:481bce714567 2872
wolfSSL 7:481bce714567 2873 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2874 if (b != 0x00)
wolfSSL 7:481bce714567 2875 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 2876
wolfSSL 7:481bce714567 2877 /* actual key, use length - 1 since ate preceding 0 */
wolfSSL 7:481bce714567 2878 length -= 1;
wolfSSL 7:481bce714567 2879
wolfSSL 7:481bce714567 2880 cert->publicKey = (byte*) XMALLOC(length, cert->heap,
wolfSSL 7:481bce714567 2881 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 7:481bce714567 2882 if (cert->publicKey == NULL)
wolfSSL 7:481bce714567 2883 return MEMORY_E;
wolfSSL 7:481bce714567 2884 XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
wolfSSL 7:481bce714567 2885 cert->pubKeyStored = 1;
wolfSSL 7:481bce714567 2886 cert->pubKeySize = length;
wolfSSL 7:481bce714567 2887
wolfSSL 7:481bce714567 2888 cert->srcIdx += length;
wolfSSL 7:481bce714567 2889
wolfSSL 7:481bce714567 2890 return 0;
wolfSSL 7:481bce714567 2891 }
wolfSSL 7:481bce714567 2892 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 2893 default:
wolfSSL 7:481bce714567 2894 return ASN_UNKNOWN_OID_E;
wolfSSL 7:481bce714567 2895 }
wolfSSL 7:481bce714567 2896 }
wolfSSL 7:481bce714567 2897
wolfSSL 7:481bce714567 2898 /* process NAME, either issuer or subject */
wolfSSL 7:481bce714567 2899 static int GetName(DecodedCert* cert, int nameType)
wolfSSL 7:481bce714567 2900 {
wolfSSL 7:481bce714567 2901 int length; /* length of all distinguished names */
wolfSSL 7:481bce714567 2902 int dummy;
wolfSSL 7:481bce714567 2903 int ret;
wolfSSL 7:481bce714567 2904 char* full;
wolfSSL 7:481bce714567 2905 byte* hash;
wolfSSL 7:481bce714567 2906 word32 idx;
wolfSSL 7:481bce714567 2907 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 2908 DecodedName* dName =
wolfSSL 7:481bce714567 2909 (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
wolfSSL 7:481bce714567 2910 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 2911
wolfSSL 7:481bce714567 2912 WOLFSSL_MSG("Getting Cert Name");
wolfSSL 7:481bce714567 2913
wolfSSL 7:481bce714567 2914 if (nameType == ISSUER) {
wolfSSL 7:481bce714567 2915 full = cert->issuer;
wolfSSL 7:481bce714567 2916 hash = cert->issuerHash;
wolfSSL 7:481bce714567 2917 }
wolfSSL 7:481bce714567 2918 else {
wolfSSL 7:481bce714567 2919 full = cert->subject;
wolfSSL 7:481bce714567 2920 hash = cert->subjectHash;
wolfSSL 7:481bce714567 2921 }
wolfSSL 7:481bce714567 2922
wolfSSL 7:481bce714567 2923 if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 2924 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 7:481bce714567 2925
wolfSSL 7:481bce714567 2926 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2927 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2928
wolfSSL 7:481bce714567 2929 cert->srcIdx += length;
wolfSSL 7:481bce714567 2930 WOLFSSL_MSG("Got optional prefix");
wolfSSL 7:481bce714567 2931 }
wolfSSL 7:481bce714567 2932
wolfSSL 7:481bce714567 2933 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 7:481bce714567 2934 * calculated over the entire DER encoding of the Name field, including
wolfSSL 7:481bce714567 2935 * the tag and length. */
wolfSSL 7:481bce714567 2936 idx = cert->srcIdx;
wolfSSL 7:481bce714567 2937 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2938 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2939
wolfSSL 7:481bce714567 2940 #ifdef NO_SHA
wolfSSL 7:481bce714567 2941 ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 7:481bce714567 2942 #else
wolfSSL 7:481bce714567 2943 ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL 7:481bce714567 2944 #endif
wolfSSL 7:481bce714567 2945 if (ret != 0)
wolfSSL 7:481bce714567 2946 return ret;
wolfSSL 7:481bce714567 2947
wolfSSL 7:481bce714567 2948 length += cert->srcIdx;
wolfSSL 7:481bce714567 2949 idx = 0;
wolfSSL 7:481bce714567 2950
wolfSSL 7:481bce714567 2951 #ifdef HAVE_PKCS7
wolfSSL 7:481bce714567 2952 /* store pointer to raw issuer */
wolfSSL 7:481bce714567 2953 if (nameType == ISSUER) {
wolfSSL 7:481bce714567 2954 cert->issuerRaw = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 2955 cert->issuerRawLen = length - cert->srcIdx;
wolfSSL 7:481bce714567 2956 }
wolfSSL 7:481bce714567 2957 #endif
wolfSSL 7:481bce714567 2958 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 2959 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 2960 cert->subjectRaw = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 2961 cert->subjectRawLen = length - cert->srcIdx;
wolfSSL 7:481bce714567 2962 }
wolfSSL 7:481bce714567 2963 #endif
wolfSSL 7:481bce714567 2964
wolfSSL 7:481bce714567 2965 while (cert->srcIdx < (word32)length) {
wolfSSL 7:481bce714567 2966 byte b;
wolfSSL 7:481bce714567 2967 byte joint[2];
wolfSSL 7:481bce714567 2968 byte tooBig = FALSE;
wolfSSL 7:481bce714567 2969 int oidSz;
wolfSSL 7:481bce714567 2970
wolfSSL 7:481bce714567 2971 if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) {
wolfSSL 7:481bce714567 2972 WOLFSSL_MSG("Cert name lacks set header, trying sequence");
wolfSSL 7:481bce714567 2973 }
wolfSSL 7:481bce714567 2974
wolfSSL 7:481bce714567 2975 if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) <= 0)
wolfSSL 7:481bce714567 2976 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2977
wolfSSL 7:481bce714567 2978 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2979 if (b != ASN_OBJECT_ID)
wolfSSL 7:481bce714567 2980 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 2981
wolfSSL 7:481bce714567 2982 if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 2983 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2984
wolfSSL 7:481bce714567 2985 /* make sure there is room for joint */
wolfSSL 7:481bce714567 2986 if ((cert->srcIdx + sizeof(joint)) > cert->maxIdx)
wolfSSL 7:481bce714567 2987 return ASN_PARSE_E;
wolfSSL 7:481bce714567 2988
wolfSSL 7:481bce714567 2989 XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint));
wolfSSL 7:481bce714567 2990
wolfSSL 7:481bce714567 2991 /* v1 name types */
wolfSSL 7:481bce714567 2992 if (joint[0] == 0x55 && joint[1] == 0x04) {
wolfSSL 7:481bce714567 2993 byte id;
wolfSSL 7:481bce714567 2994 byte copy = FALSE;
wolfSSL 7:481bce714567 2995 int strLen;
wolfSSL 7:481bce714567 2996
wolfSSL 7:481bce714567 2997 cert->srcIdx += 2;
wolfSSL 7:481bce714567 2998 id = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 2999 b = cert->source[cert->srcIdx++]; /* encoding */
wolfSSL 7:481bce714567 3000
wolfSSL 7:481bce714567 3001 if (GetLength(cert->source, &cert->srcIdx, &strLen,
wolfSSL 7:481bce714567 3002 cert->maxIdx) < 0)
wolfSSL 7:481bce714567 3003 return ASN_PARSE_E;
wolfSSL 7:481bce714567 3004
wolfSSL 7:481bce714567 3005 if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 7:481bce714567 3006 /* include biggest pre fix header too 4 = "/serialNumber=" */
wolfSSL 7:481bce714567 3007 WOLFSSL_MSG("ASN Name too big, skipping");
wolfSSL 7:481bce714567 3008 tooBig = TRUE;
wolfSSL 7:481bce714567 3009 }
wolfSSL 7:481bce714567 3010
wolfSSL 7:481bce714567 3011 if (id == ASN_COMMON_NAME) {
wolfSSL 7:481bce714567 3012 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3013 cert->subjectCN = (char *)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3014 cert->subjectCNLen = strLen;
wolfSSL 7:481bce714567 3015 cert->subjectCNEnc = b;
wolfSSL 7:481bce714567 3016 }
wolfSSL 7:481bce714567 3017
wolfSSL 7:481bce714567 3018 if (!tooBig) {
wolfSSL 7:481bce714567 3019 XMEMCPY(&full[idx], "/CN=", 4);
wolfSSL 7:481bce714567 3020 idx += 4;
wolfSSL 7:481bce714567 3021 copy = TRUE;
wolfSSL 7:481bce714567 3022 }
wolfSSL 7:481bce714567 3023 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3024 dName->cnIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3025 dName->cnLen = strLen;
wolfSSL 7:481bce714567 3026 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3027 }
wolfSSL 7:481bce714567 3028 else if (id == ASN_SUR_NAME) {
wolfSSL 7:481bce714567 3029 if (!tooBig) {
wolfSSL 7:481bce714567 3030 XMEMCPY(&full[idx], "/SN=", 4);
wolfSSL 7:481bce714567 3031 idx += 4;
wolfSSL 7:481bce714567 3032 copy = TRUE;
wolfSSL 7:481bce714567 3033 }
wolfSSL 7:481bce714567 3034 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3035 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3036 cert->subjectSN = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3037 cert->subjectSNLen = strLen;
wolfSSL 7:481bce714567 3038 cert->subjectSNEnc = b;
wolfSSL 7:481bce714567 3039 }
wolfSSL 7:481bce714567 3040 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3041 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3042 dName->snIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3043 dName->snLen = strLen;
wolfSSL 7:481bce714567 3044 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3045 }
wolfSSL 7:481bce714567 3046 else if (id == ASN_COUNTRY_NAME) {
wolfSSL 7:481bce714567 3047 if (!tooBig) {
wolfSSL 7:481bce714567 3048 XMEMCPY(&full[idx], "/C=", 3);
wolfSSL 7:481bce714567 3049 idx += 3;
wolfSSL 7:481bce714567 3050 copy = TRUE;
wolfSSL 7:481bce714567 3051 }
wolfSSL 7:481bce714567 3052 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3053 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3054 cert->subjectC = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3055 cert->subjectCLen = strLen;
wolfSSL 7:481bce714567 3056 cert->subjectCEnc = b;
wolfSSL 7:481bce714567 3057 }
wolfSSL 7:481bce714567 3058 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3059 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3060 dName->cIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3061 dName->cLen = strLen;
wolfSSL 7:481bce714567 3062 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3063 }
wolfSSL 7:481bce714567 3064 else if (id == ASN_LOCALITY_NAME) {
wolfSSL 7:481bce714567 3065 if (!tooBig) {
wolfSSL 7:481bce714567 3066 XMEMCPY(&full[idx], "/L=", 3);
wolfSSL 7:481bce714567 3067 idx += 3;
wolfSSL 7:481bce714567 3068 copy = TRUE;
wolfSSL 7:481bce714567 3069 }
wolfSSL 7:481bce714567 3070 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3071 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3072 cert->subjectL = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3073 cert->subjectLLen = strLen;
wolfSSL 7:481bce714567 3074 cert->subjectLEnc = b;
wolfSSL 7:481bce714567 3075 }
wolfSSL 7:481bce714567 3076 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3077 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3078 dName->lIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3079 dName->lLen = strLen;
wolfSSL 7:481bce714567 3080 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3081 }
wolfSSL 7:481bce714567 3082 else if (id == ASN_STATE_NAME) {
wolfSSL 7:481bce714567 3083 if (!tooBig) {
wolfSSL 7:481bce714567 3084 XMEMCPY(&full[idx], "/ST=", 4);
wolfSSL 7:481bce714567 3085 idx += 4;
wolfSSL 7:481bce714567 3086 copy = TRUE;
wolfSSL 7:481bce714567 3087 }
wolfSSL 7:481bce714567 3088 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3089 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3090 cert->subjectST = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3091 cert->subjectSTLen = strLen;
wolfSSL 7:481bce714567 3092 cert->subjectSTEnc = b;
wolfSSL 7:481bce714567 3093 }
wolfSSL 7:481bce714567 3094 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3095 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3096 dName->stIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3097 dName->stLen = strLen;
wolfSSL 7:481bce714567 3098 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3099 }
wolfSSL 7:481bce714567 3100 else if (id == ASN_ORG_NAME) {
wolfSSL 7:481bce714567 3101 if (!tooBig) {
wolfSSL 7:481bce714567 3102 XMEMCPY(&full[idx], "/O=", 3);
wolfSSL 7:481bce714567 3103 idx += 3;
wolfSSL 7:481bce714567 3104 copy = TRUE;
wolfSSL 7:481bce714567 3105 }
wolfSSL 7:481bce714567 3106 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3107 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3108 cert->subjectO = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3109 cert->subjectOLen = strLen;
wolfSSL 7:481bce714567 3110 cert->subjectOEnc = b;
wolfSSL 7:481bce714567 3111 }
wolfSSL 7:481bce714567 3112 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3113 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3114 dName->oIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3115 dName->oLen = strLen;
wolfSSL 7:481bce714567 3116 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3117 }
wolfSSL 7:481bce714567 3118 else if (id == ASN_ORGUNIT_NAME) {
wolfSSL 7:481bce714567 3119 if (!tooBig) {
wolfSSL 7:481bce714567 3120 XMEMCPY(&full[idx], "/OU=", 4);
wolfSSL 7:481bce714567 3121 idx += 4;
wolfSSL 7:481bce714567 3122 copy = TRUE;
wolfSSL 7:481bce714567 3123 }
wolfSSL 7:481bce714567 3124 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3125 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3126 cert->subjectOU = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3127 cert->subjectOULen = strLen;
wolfSSL 7:481bce714567 3128 cert->subjectOUEnc = b;
wolfSSL 7:481bce714567 3129 }
wolfSSL 7:481bce714567 3130 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3131 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3132 dName->ouIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3133 dName->ouLen = strLen;
wolfSSL 7:481bce714567 3134 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3135 }
wolfSSL 7:481bce714567 3136 else if (id == ASN_SERIAL_NUMBER) {
wolfSSL 7:481bce714567 3137 if (!tooBig) {
wolfSSL 7:481bce714567 3138 XMEMCPY(&full[idx], "/serialNumber=", 14);
wolfSSL 7:481bce714567 3139 idx += 14;
wolfSSL 7:481bce714567 3140 copy = TRUE;
wolfSSL 7:481bce714567 3141 }
wolfSSL 7:481bce714567 3142 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3143 dName->snIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3144 dName->snLen = strLen;
wolfSSL 7:481bce714567 3145 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3146 }
wolfSSL 7:481bce714567 3147
wolfSSL 7:481bce714567 3148 if (copy && !tooBig) {
wolfSSL 7:481bce714567 3149 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
wolfSSL 7:481bce714567 3150 idx += strLen;
wolfSSL 7:481bce714567 3151 }
wolfSSL 7:481bce714567 3152
wolfSSL 7:481bce714567 3153 cert->srcIdx += strLen;
wolfSSL 7:481bce714567 3154 }
wolfSSL 7:481bce714567 3155 else {
wolfSSL 7:481bce714567 3156 /* skip */
wolfSSL 7:481bce714567 3157 byte email = FALSE;
wolfSSL 7:481bce714567 3158 byte uid = FALSE;
wolfSSL 7:481bce714567 3159 int adv;
wolfSSL 7:481bce714567 3160
wolfSSL 7:481bce714567 3161 if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
wolfSSL 7:481bce714567 3162 email = TRUE;
wolfSSL 7:481bce714567 3163
wolfSSL 7:481bce714567 3164 if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
wolfSSL 7:481bce714567 3165 uid = TRUE;
wolfSSL 7:481bce714567 3166
wolfSSL 7:481bce714567 3167 cert->srcIdx += oidSz + 1;
wolfSSL 7:481bce714567 3168
wolfSSL 7:481bce714567 3169 if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 3170 return ASN_PARSE_E;
wolfSSL 7:481bce714567 3171
wolfSSL 7:481bce714567 3172 if (adv > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 7:481bce714567 3173 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 7:481bce714567 3174 tooBig = TRUE;
wolfSSL 7:481bce714567 3175 }
wolfSSL 7:481bce714567 3176
wolfSSL 7:481bce714567 3177 if (email) {
wolfSSL 7:481bce714567 3178 if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 7:481bce714567 3179 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 7:481bce714567 3180 tooBig = TRUE;
wolfSSL 7:481bce714567 3181 }
wolfSSL 7:481bce714567 3182 if (!tooBig) {
wolfSSL 7:481bce714567 3183 XMEMCPY(&full[idx], "/emailAddress=", 14);
wolfSSL 7:481bce714567 3184 idx += 14;
wolfSSL 7:481bce714567 3185 }
wolfSSL 7:481bce714567 3186
wolfSSL 7:481bce714567 3187 #ifdef WOLFSSL_CERT_GEN
wolfSSL 7:481bce714567 3188 if (nameType == SUBJECT) {
wolfSSL 7:481bce714567 3189 cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3190 cert->subjectEmailLen = adv;
wolfSSL 7:481bce714567 3191 }
wolfSSL 7:481bce714567 3192 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3193 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3194 dName->emailIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3195 dName->emailLen = adv;
wolfSSL 7:481bce714567 3196 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3197 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 3198 {
wolfSSL 7:481bce714567 3199 DNS_entry* emailName = NULL;
wolfSSL 7:481bce714567 3200
wolfSSL 7:481bce714567 3201 emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
wolfSSL 7:481bce714567 3202 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 3203 if (emailName == NULL) {
wolfSSL 7:481bce714567 3204 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 3205 return MEMORY_E;
wolfSSL 7:481bce714567 3206 }
wolfSSL 7:481bce714567 3207 emailName->name = (char*)XMALLOC(adv + 1,
wolfSSL 7:481bce714567 3208 cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 3209 if (emailName->name == NULL) {
wolfSSL 7:481bce714567 3210 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 3211 XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 3212 return MEMORY_E;
wolfSSL 7:481bce714567 3213 }
wolfSSL 7:481bce714567 3214 XMEMCPY(emailName->name,
wolfSSL 7:481bce714567 3215 &cert->source[cert->srcIdx], adv);
wolfSSL 7:481bce714567 3216 emailName->name[adv] = 0;
wolfSSL 7:481bce714567 3217
wolfSSL 7:481bce714567 3218 emailName->next = cert->altEmailNames;
wolfSSL 7:481bce714567 3219 cert->altEmailNames = emailName;
wolfSSL 7:481bce714567 3220 }
wolfSSL 7:481bce714567 3221 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 3222 if (!tooBig) {
wolfSSL 7:481bce714567 3223 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 7:481bce714567 3224 idx += adv;
wolfSSL 7:481bce714567 3225 }
wolfSSL 7:481bce714567 3226 }
wolfSSL 7:481bce714567 3227
wolfSSL 7:481bce714567 3228 if (uid) {
wolfSSL 7:481bce714567 3229 if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL 7:481bce714567 3230 WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL 7:481bce714567 3231 tooBig = TRUE;
wolfSSL 7:481bce714567 3232 }
wolfSSL 7:481bce714567 3233 if (!tooBig) {
wolfSSL 7:481bce714567 3234 XMEMCPY(&full[idx], "/UID=", 5);
wolfSSL 7:481bce714567 3235 idx += 5;
wolfSSL 7:481bce714567 3236
wolfSSL 7:481bce714567 3237 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL 7:481bce714567 3238 idx += adv;
wolfSSL 7:481bce714567 3239 }
wolfSSL 7:481bce714567 3240 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3241 dName->uidIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3242 dName->uidLen = adv;
wolfSSL 7:481bce714567 3243 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3244 }
wolfSSL 7:481bce714567 3245
wolfSSL 7:481bce714567 3246 cert->srcIdx += adv;
wolfSSL 7:481bce714567 3247 }
wolfSSL 7:481bce714567 3248 }
wolfSSL 7:481bce714567 3249 full[idx++] = 0;
wolfSSL 7:481bce714567 3250
wolfSSL 7:481bce714567 3251 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 3252 {
wolfSSL 7:481bce714567 3253 int totalLen = 0;
wolfSSL 7:481bce714567 3254
wolfSSL 7:481bce714567 3255 if (dName->cnLen != 0)
wolfSSL 7:481bce714567 3256 totalLen += dName->cnLen + 4;
wolfSSL 7:481bce714567 3257 if (dName->snLen != 0)
wolfSSL 7:481bce714567 3258 totalLen += dName->snLen + 4;
wolfSSL 7:481bce714567 3259 if (dName->cLen != 0)
wolfSSL 7:481bce714567 3260 totalLen += dName->cLen + 3;
wolfSSL 7:481bce714567 3261 if (dName->lLen != 0)
wolfSSL 7:481bce714567 3262 totalLen += dName->lLen + 3;
wolfSSL 7:481bce714567 3263 if (dName->stLen != 0)
wolfSSL 7:481bce714567 3264 totalLen += dName->stLen + 4;
wolfSSL 7:481bce714567 3265 if (dName->oLen != 0)
wolfSSL 7:481bce714567 3266 totalLen += dName->oLen + 3;
wolfSSL 7:481bce714567 3267 if (dName->ouLen != 0)
wolfSSL 7:481bce714567 3268 totalLen += dName->ouLen + 4;
wolfSSL 7:481bce714567 3269 if (dName->emailLen != 0)
wolfSSL 7:481bce714567 3270 totalLen += dName->emailLen + 14;
wolfSSL 7:481bce714567 3271 if (dName->uidLen != 0)
wolfSSL 7:481bce714567 3272 totalLen += dName->uidLen + 5;
wolfSSL 7:481bce714567 3273 if (dName->serialLen != 0)
wolfSSL 7:481bce714567 3274 totalLen += dName->serialLen + 14;
wolfSSL 7:481bce714567 3275
wolfSSL 7:481bce714567 3276 dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap,
wolfSSL 7:481bce714567 3277 DYNAMIC_TYPE_X509);
wolfSSL 7:481bce714567 3278 if (dName->fullName != NULL) {
wolfSSL 7:481bce714567 3279 idx = 0;
wolfSSL 7:481bce714567 3280
wolfSSL 7:481bce714567 3281 if (dName->cnLen != 0) {
wolfSSL 7:481bce714567 3282 dName->entryCount++;
wolfSSL 7:481bce714567 3283 XMEMCPY(&dName->fullName[idx], "/CN=", 4);
wolfSSL 7:481bce714567 3284 idx += 4;
wolfSSL 7:481bce714567 3285 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3286 &cert->source[dName->cnIdx], dName->cnLen);
wolfSSL 7:481bce714567 3287 dName->cnIdx = idx;
wolfSSL 7:481bce714567 3288 idx += dName->cnLen;
wolfSSL 7:481bce714567 3289 }
wolfSSL 7:481bce714567 3290 if (dName->snLen != 0) {
wolfSSL 7:481bce714567 3291 dName->entryCount++;
wolfSSL 7:481bce714567 3292 XMEMCPY(&dName->fullName[idx], "/SN=", 4);
wolfSSL 7:481bce714567 3293 idx += 4;
wolfSSL 7:481bce714567 3294 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3295 &cert->source[dName->snIdx], dName->snLen);
wolfSSL 7:481bce714567 3296 dName->snIdx = idx;
wolfSSL 7:481bce714567 3297 idx += dName->snLen;
wolfSSL 7:481bce714567 3298 }
wolfSSL 7:481bce714567 3299 if (dName->cLen != 0) {
wolfSSL 7:481bce714567 3300 dName->entryCount++;
wolfSSL 7:481bce714567 3301 XMEMCPY(&dName->fullName[idx], "/C=", 3);
wolfSSL 7:481bce714567 3302 idx += 3;
wolfSSL 7:481bce714567 3303 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3304 &cert->source[dName->cIdx], dName->cLen);
wolfSSL 7:481bce714567 3305 dName->cIdx = idx;
wolfSSL 7:481bce714567 3306 idx += dName->cLen;
wolfSSL 7:481bce714567 3307 }
wolfSSL 7:481bce714567 3308 if (dName->lLen != 0) {
wolfSSL 7:481bce714567 3309 dName->entryCount++;
wolfSSL 7:481bce714567 3310 XMEMCPY(&dName->fullName[idx], "/L=", 3);
wolfSSL 7:481bce714567 3311 idx += 3;
wolfSSL 7:481bce714567 3312 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3313 &cert->source[dName->lIdx], dName->lLen);
wolfSSL 7:481bce714567 3314 dName->lIdx = idx;
wolfSSL 7:481bce714567 3315 idx += dName->lLen;
wolfSSL 7:481bce714567 3316 }
wolfSSL 7:481bce714567 3317 if (dName->stLen != 0) {
wolfSSL 7:481bce714567 3318 dName->entryCount++;
wolfSSL 7:481bce714567 3319 XMEMCPY(&dName->fullName[idx], "/ST=", 4);
wolfSSL 7:481bce714567 3320 idx += 4;
wolfSSL 7:481bce714567 3321 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3322 &cert->source[dName->stIdx], dName->stLen);
wolfSSL 7:481bce714567 3323 dName->stIdx = idx;
wolfSSL 7:481bce714567 3324 idx += dName->stLen;
wolfSSL 7:481bce714567 3325 }
wolfSSL 7:481bce714567 3326 if (dName->oLen != 0) {
wolfSSL 7:481bce714567 3327 dName->entryCount++;
wolfSSL 7:481bce714567 3328 XMEMCPY(&dName->fullName[idx], "/O=", 3);
wolfSSL 7:481bce714567 3329 idx += 3;
wolfSSL 7:481bce714567 3330 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3331 &cert->source[dName->oIdx], dName->oLen);
wolfSSL 7:481bce714567 3332 dName->oIdx = idx;
wolfSSL 7:481bce714567 3333 idx += dName->oLen;
wolfSSL 7:481bce714567 3334 }
wolfSSL 7:481bce714567 3335 if (dName->ouLen != 0) {
wolfSSL 7:481bce714567 3336 dName->entryCount++;
wolfSSL 7:481bce714567 3337 XMEMCPY(&dName->fullName[idx], "/OU=", 4);
wolfSSL 7:481bce714567 3338 idx += 4;
wolfSSL 7:481bce714567 3339 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3340 &cert->source[dName->ouIdx], dName->ouLen);
wolfSSL 7:481bce714567 3341 dName->ouIdx = idx;
wolfSSL 7:481bce714567 3342 idx += dName->ouLen;
wolfSSL 7:481bce714567 3343 }
wolfSSL 7:481bce714567 3344 if (dName->emailLen != 0) {
wolfSSL 7:481bce714567 3345 dName->entryCount++;
wolfSSL 7:481bce714567 3346 XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
wolfSSL 7:481bce714567 3347 idx += 14;
wolfSSL 7:481bce714567 3348 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3349 &cert->source[dName->emailIdx], dName->emailLen);
wolfSSL 7:481bce714567 3350 dName->emailIdx = idx;
wolfSSL 7:481bce714567 3351 idx += dName->emailLen;
wolfSSL 7:481bce714567 3352 }
wolfSSL 7:481bce714567 3353 if (dName->uidLen != 0) {
wolfSSL 7:481bce714567 3354 dName->entryCount++;
wolfSSL 7:481bce714567 3355 XMEMCPY(&dName->fullName[idx], "/UID=", 5);
wolfSSL 7:481bce714567 3356 idx += 5;
wolfSSL 7:481bce714567 3357 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3358 &cert->source[dName->uidIdx], dName->uidLen);
wolfSSL 7:481bce714567 3359 dName->uidIdx = idx;
wolfSSL 7:481bce714567 3360 idx += dName->uidLen;
wolfSSL 7:481bce714567 3361 }
wolfSSL 7:481bce714567 3362 if (dName->serialLen != 0) {
wolfSSL 7:481bce714567 3363 dName->entryCount++;
wolfSSL 7:481bce714567 3364 XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
wolfSSL 7:481bce714567 3365 idx += 14;
wolfSSL 7:481bce714567 3366 XMEMCPY(&dName->fullName[idx],
wolfSSL 7:481bce714567 3367 &cert->source[dName->serialIdx], dName->serialLen);
wolfSSL 7:481bce714567 3368 dName->serialIdx = idx;
wolfSSL 7:481bce714567 3369 idx += dName->serialLen;
wolfSSL 7:481bce714567 3370 }
wolfSSL 7:481bce714567 3371 dName->fullName[idx] = '\0';
wolfSSL 7:481bce714567 3372 dName->fullNameLen = totalLen;
wolfSSL 7:481bce714567 3373 }
wolfSSL 7:481bce714567 3374 }
wolfSSL 7:481bce714567 3375 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 3376
wolfSSL 7:481bce714567 3377 return 0;
wolfSSL 7:481bce714567 3378 }
wolfSSL 7:481bce714567 3379
wolfSSL 7:481bce714567 3380
wolfSSL 7:481bce714567 3381 #ifndef NO_ASN_TIME
wolfSSL 7:481bce714567 3382 #if !defined(NO_TIME_H) && defined(USE_WOLF_VALIDDATE)
wolfSSL 7:481bce714567 3383
wolfSSL 7:481bce714567 3384 /* to the second */
wolfSSL 7:481bce714567 3385 static int DateGreaterThan(const struct tm* a, const struct tm* b)
wolfSSL 7:481bce714567 3386 {
wolfSSL 7:481bce714567 3387 if (a->tm_year > b->tm_year)
wolfSSL 7:481bce714567 3388 return 1;
wolfSSL 7:481bce714567 3389
wolfSSL 7:481bce714567 3390 if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon)
wolfSSL 7:481bce714567 3391 return 1;
wolfSSL 7:481bce714567 3392
wolfSSL 7:481bce714567 3393 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 7:481bce714567 3394 a->tm_mday > b->tm_mday)
wolfSSL 7:481bce714567 3395 return 1;
wolfSSL 7:481bce714567 3396
wolfSSL 7:481bce714567 3397 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 7:481bce714567 3398 a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour)
wolfSSL 7:481bce714567 3399 return 1;
wolfSSL 7:481bce714567 3400
wolfSSL 7:481bce714567 3401 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 7:481bce714567 3402 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 7:481bce714567 3403 a->tm_min > b->tm_min)
wolfSSL 7:481bce714567 3404 return 1;
wolfSSL 7:481bce714567 3405
wolfSSL 7:481bce714567 3406 if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL 7:481bce714567 3407 a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL 7:481bce714567 3408 a->tm_min == b->tm_min && a->tm_sec > b->tm_sec)
wolfSSL 7:481bce714567 3409 return 1;
wolfSSL 7:481bce714567 3410
wolfSSL 7:481bce714567 3411 return 0; /* false */
wolfSSL 7:481bce714567 3412 }
wolfSSL 7:481bce714567 3413
wolfSSL 7:481bce714567 3414
wolfSSL 7:481bce714567 3415 static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
wolfSSL 7:481bce714567 3416 {
wolfSSL 7:481bce714567 3417 return DateGreaterThan(b,a);
wolfSSL 7:481bce714567 3418 }
wolfSSL 7:481bce714567 3419
wolfSSL 7:481bce714567 3420
wolfSSL 7:481bce714567 3421 #if defined(WOLFSSL_MYSQL_COMPATIBLE)
wolfSSL 7:481bce714567 3422 int GetTimeString(byte* date, int format, char* buf, int len)
wolfSSL 7:481bce714567 3423 {
wolfSSL 7:481bce714567 3424 struct tm t;
wolfSSL 7:481bce714567 3425 int idx = 0;
wolfSSL 7:481bce714567 3426
wolfSSL 7:481bce714567 3427 if (!ExtractDate(date, format, &t, &idx)) {
wolfSSL 7:481bce714567 3428 return 0;
wolfSSL 7:481bce714567 3429 }
wolfSSL 7:481bce714567 3430
wolfSSL 7:481bce714567 3431 if (date[idx] != 'Z') {
wolfSSL 7:481bce714567 3432 WOLFSSL_MSG("UTCtime, not Zulu") ;
wolfSSL 7:481bce714567 3433 return 0;
wolfSSL 7:481bce714567 3434 }
wolfSSL 7:481bce714567 3435
wolfSSL 7:481bce714567 3436 /* place month in buffer */
wolfSSL 7:481bce714567 3437 buf[0] = '\0';
wolfSSL 7:481bce714567 3438 switch(t.tm_mon) {
wolfSSL 7:481bce714567 3439 case 0: XSTRNCAT(buf, "Jan ", 4); break;
wolfSSL 7:481bce714567 3440 case 1: XSTRNCAT(buf, "Feb ", 4); break;
wolfSSL 7:481bce714567 3441 case 2: XSTRNCAT(buf, "Mar ", 4); break;
wolfSSL 7:481bce714567 3442 case 3: XSTRNCAT(buf, "Apr ", 4); break;
wolfSSL 7:481bce714567 3443 case 4: XSTRNCAT(buf, "May ", 4); break;
wolfSSL 7:481bce714567 3444 case 5: XSTRNCAT(buf, "Jun ", 4); break;
wolfSSL 7:481bce714567 3445 case 6: XSTRNCAT(buf, "Jul ", 4); break;
wolfSSL 7:481bce714567 3446 case 7: XSTRNCAT(buf, "Aug ", 4); break;
wolfSSL 7:481bce714567 3447 case 8: XSTRNCAT(buf, "Sep ", 4); break;
wolfSSL 7:481bce714567 3448 case 9: XSTRNCAT(buf, "Oct ", 4); break;
wolfSSL 7:481bce714567 3449 case 10: XSTRNCAT(buf, "Nov ", 4); break;
wolfSSL 7:481bce714567 3450 case 11: XSTRNCAT(buf, "Dec ", 4); break;
wolfSSL 7:481bce714567 3451 default:
wolfSSL 7:481bce714567 3452 return 0;
wolfSSL 7:481bce714567 3453
wolfSSL 7:481bce714567 3454 }
wolfSSL 7:481bce714567 3455 idx = 4; /* use idx now for char buffer */
wolfSSL 7:481bce714567 3456 buf[idx] = ' ';
wolfSSL 7:481bce714567 3457
wolfSSL 7:481bce714567 3458 XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT",
wolfSSL 7:481bce714567 3459 t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900);
wolfSSL 7:481bce714567 3460
wolfSSL 7:481bce714567 3461 return 1;
wolfSSL 7:481bce714567 3462 }
wolfSSL 7:481bce714567 3463 #endif /* WOLFSSL_MYSQL_COMPATIBLE */
wolfSSL 7:481bce714567 3464
wolfSSL 7:481bce714567 3465 int ExtractDate(const unsigned char* date, unsigned char format,
wolfSSL 7:481bce714567 3466 struct tm* certTime, int* idx)
wolfSSL 7:481bce714567 3467 {
wolfSSL 7:481bce714567 3468 XMEMSET(certTime, 0, sizeof(struct tm));
wolfSSL 7:481bce714567 3469
wolfSSL 7:481bce714567 3470 if (format == ASN_UTC_TIME) {
wolfSSL 7:481bce714567 3471 if (btoi(date[0]) >= 5)
wolfSSL 7:481bce714567 3472 certTime->tm_year = 1900;
wolfSSL 7:481bce714567 3473 else
wolfSSL 7:481bce714567 3474 certTime->tm_year = 2000;
wolfSSL 7:481bce714567 3475 }
wolfSSL 7:481bce714567 3476 else { /* format == GENERALIZED_TIME */
wolfSSL 7:481bce714567 3477 certTime->tm_year += btoi(date[*idx]) * 1000; *idx = *idx + 1;
wolfSSL 7:481bce714567 3478 certTime->tm_year += btoi(date[*idx]) * 100; *idx = *idx + 1;
wolfSSL 7:481bce714567 3479 }
wolfSSL 7:481bce714567 3480
wolfSSL 7:481bce714567 3481 /* adjust tm_year, tm_mon */
wolfSSL 7:481bce714567 3482 GetTime((int*)&certTime->tm_year, date, idx); certTime->tm_year -= 1900;
wolfSSL 7:481bce714567 3483 GetTime((int*)&certTime->tm_mon, date, idx); certTime->tm_mon -= 1;
wolfSSL 7:481bce714567 3484 GetTime((int*)&certTime->tm_mday, date, idx);
wolfSSL 7:481bce714567 3485 GetTime((int*)&certTime->tm_hour, date, idx);
wolfSSL 7:481bce714567 3486 GetTime((int*)&certTime->tm_min, date, idx);
wolfSSL 7:481bce714567 3487 GetTime((int*)&certTime->tm_sec, date, idx);
wolfSSL 7:481bce714567 3488
wolfSSL 7:481bce714567 3489 return 1;
wolfSSL 7:481bce714567 3490 }
wolfSSL 7:481bce714567 3491
wolfSSL 7:481bce714567 3492
wolfSSL 7:481bce714567 3493 /* like atoi but only use first byte */
wolfSSL 7:481bce714567 3494 /* Make sure before and after dates are valid */
wolfSSL 7:481bce714567 3495 int ValidateDate(const byte* date, byte format, int dateType)
wolfSSL 7:481bce714567 3496 {
wolfSSL 7:481bce714567 3497 time_t ltime;
wolfSSL 7:481bce714567 3498 struct tm certTime;
wolfSSL 7:481bce714567 3499 struct tm* localTime;
wolfSSL 7:481bce714567 3500 struct tm* tmpTime = NULL;
wolfSSL 7:481bce714567 3501 int i = 0;
wolfSSL 7:481bce714567 3502 int timeDiff = 0 ;
wolfSSL 7:481bce714567 3503 int diffHH = 0 ; int diffMM = 0 ;
wolfSSL 7:481bce714567 3504 int diffSign = 0 ;
wolfSSL 7:481bce714567 3505
wolfSSL 7:481bce714567 3506 #if defined(NEED_TMP_TIME)
wolfSSL 7:481bce714567 3507 struct tm tmpTimeStorage;
wolfSSL 7:481bce714567 3508 tmpTime = &tmpTimeStorage;
wolfSSL 7:481bce714567 3509 #else
wolfSSL 7:481bce714567 3510 (void)tmpTime;
wolfSSL 7:481bce714567 3511 #endif
wolfSSL 7:481bce714567 3512
wolfSSL 7:481bce714567 3513 ltime = XTIME(0);
wolfSSL 7:481bce714567 3514
wolfSSL 7:481bce714567 3515 #ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW
wolfSSL 7:481bce714567 3516 if (dateType == BEFORE) {
wolfSSL 7:481bce714567 3517 WOLFSSL_MSG("Skewing local time for before date check");
wolfSSL 7:481bce714567 3518 ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW;
wolfSSL 7:481bce714567 3519 }
wolfSSL 7:481bce714567 3520 #endif
wolfSSL 7:481bce714567 3521
wolfSSL 7:481bce714567 3522 #ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW
wolfSSL 7:481bce714567 3523 if (dateType == AFTER) {
wolfSSL 7:481bce714567 3524 WOLFSSL_MSG("Skewing local time for after date check");
wolfSSL 7:481bce714567 3525 ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW;
wolfSSL 7:481bce714567 3526 }
wolfSSL 7:481bce714567 3527 #endif
wolfSSL 7:481bce714567 3528
wolfSSL 7:481bce714567 3529 if (!ExtractDate(date, format, &certTime, &i)) {
wolfSSL 7:481bce714567 3530 WOLFSSL_MSG("Error extracting the date");
wolfSSL 7:481bce714567 3531 return 0;
wolfSSL 7:481bce714567 3532 }
wolfSSL 7:481bce714567 3533
wolfSSL 7:481bce714567 3534 if ((date[i] == '+') || (date[i] == '-')) {
wolfSSL 7:481bce714567 3535 WOLFSSL_MSG("Using time differential, not Zulu") ;
wolfSSL 7:481bce714567 3536 diffSign = date[i++] == '+' ? 1 : -1 ;
wolfSSL 7:481bce714567 3537 GetTime(&diffHH, date, &i);
wolfSSL 7:481bce714567 3538 GetTime(&diffMM, date, &i);
wolfSSL 7:481bce714567 3539 timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ;
wolfSSL 7:481bce714567 3540 } else if (date[i] != 'Z') {
wolfSSL 7:481bce714567 3541 WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ;
wolfSSL 7:481bce714567 3542 return 0;
wolfSSL 7:481bce714567 3543 }
wolfSSL 7:481bce714567 3544
wolfSSL 7:481bce714567 3545 ltime -= (time_t)timeDiff ;
wolfSSL 7:481bce714567 3546 localTime = XGMTIME(&ltime, tmpTime);
wolfSSL 7:481bce714567 3547
wolfSSL 7:481bce714567 3548 if (localTime == NULL) {
wolfSSL 7:481bce714567 3549 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 7:481bce714567 3550 return 0;
wolfSSL 7:481bce714567 3551 }
wolfSSL 7:481bce714567 3552
wolfSSL 7:481bce714567 3553 if (dateType == BEFORE) {
wolfSSL 7:481bce714567 3554 if (DateLessThan(localTime, &certTime)) {
wolfSSL 7:481bce714567 3555 WOLFSSL_MSG("Date BEFORE check failed");
wolfSSL 7:481bce714567 3556 return 0;
wolfSSL 7:481bce714567 3557 }
wolfSSL 7:481bce714567 3558 }
wolfSSL 7:481bce714567 3559 else { /* dateType == AFTER */
wolfSSL 7:481bce714567 3560 if (DateGreaterThan(localTime, &certTime)) {
wolfSSL 7:481bce714567 3561 WOLFSSL_MSG("Date AFTER check failed");
wolfSSL 7:481bce714567 3562 return 0;
wolfSSL 7:481bce714567 3563 }
wolfSSL 7:481bce714567 3564 }
wolfSSL 7:481bce714567 3565
wolfSSL 7:481bce714567 3566 return 1;
wolfSSL 7:481bce714567 3567 }
wolfSSL 7:481bce714567 3568 #endif /* !NO_TIME_H && USE_WOLF_VALIDDATE */
wolfSSL 7:481bce714567 3569
wolfSSL 7:481bce714567 3570 int wc_GetTime(void* timePtr, word32 timeSize)
wolfSSL 7:481bce714567 3571 {
wolfSSL 7:481bce714567 3572 time_t* ltime = (time_t*)timePtr;
wolfSSL 7:481bce714567 3573
wolfSSL 7:481bce714567 3574 if (timePtr == NULL) {
wolfSSL 7:481bce714567 3575 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 3576 }
wolfSSL 7:481bce714567 3577
wolfSSL 7:481bce714567 3578 if ((word32)sizeof(time_t) > timeSize) {
wolfSSL 7:481bce714567 3579 return BUFFER_E;
wolfSSL 7:481bce714567 3580 }
wolfSSL 7:481bce714567 3581
wolfSSL 7:481bce714567 3582 *ltime = XTIME(0);
wolfSSL 7:481bce714567 3583
wolfSSL 7:481bce714567 3584 return 0;
wolfSSL 7:481bce714567 3585 }
wolfSSL 7:481bce714567 3586
wolfSSL 7:481bce714567 3587 #endif /* !NO_ASN_TIME */
wolfSSL 7:481bce714567 3588
wolfSSL 7:481bce714567 3589 static int GetDate(DecodedCert* cert, int dateType)
wolfSSL 7:481bce714567 3590 {
wolfSSL 7:481bce714567 3591 int length;
wolfSSL 7:481bce714567 3592 byte date[MAX_DATE_SIZE];
wolfSSL 7:481bce714567 3593 byte b;
wolfSSL 7:481bce714567 3594 word32 startIdx = 0;
wolfSSL 7:481bce714567 3595
wolfSSL 7:481bce714567 3596 XMEMSET(date, 0, MAX_DATE_SIZE);
wolfSSL 7:481bce714567 3597
wolfSSL 7:481bce714567 3598 if (dateType == BEFORE)
wolfSSL 7:481bce714567 3599 cert->beforeDate = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3600 else
wolfSSL 7:481bce714567 3601 cert->afterDate = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3602 startIdx = cert->srcIdx;
wolfSSL 7:481bce714567 3603
wolfSSL 7:481bce714567 3604 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 3605 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
wolfSSL 7:481bce714567 3606 return ASN_TIME_E;
wolfSSL 7:481bce714567 3607
wolfSSL 7:481bce714567 3608 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 3609 return ASN_PARSE_E;
wolfSSL 7:481bce714567 3610
wolfSSL 7:481bce714567 3611 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 7:481bce714567 3612 return ASN_DATE_SZ_E;
wolfSSL 7:481bce714567 3613
wolfSSL 7:481bce714567 3614 XMEMCPY(date, &cert->source[cert->srcIdx], length);
wolfSSL 7:481bce714567 3615 cert->srcIdx += length;
wolfSSL 7:481bce714567 3616
wolfSSL 7:481bce714567 3617 if (dateType == BEFORE)
wolfSSL 7:481bce714567 3618 cert->beforeDateLen = cert->srcIdx - startIdx;
wolfSSL 7:481bce714567 3619 else
wolfSSL 7:481bce714567 3620 cert->afterDateLen = cert->srcIdx - startIdx;
wolfSSL 7:481bce714567 3621
wolfSSL 7:481bce714567 3622 #ifndef NO_ASN_TIME
wolfSSL 7:481bce714567 3623 if (!XVALIDATE_DATE(date, b, dateType)) {
wolfSSL 7:481bce714567 3624 if (dateType == BEFORE)
wolfSSL 7:481bce714567 3625 return ASN_BEFORE_DATE_E;
wolfSSL 7:481bce714567 3626 else
wolfSSL 7:481bce714567 3627 return ASN_AFTER_DATE_E;
wolfSSL 7:481bce714567 3628 }
wolfSSL 7:481bce714567 3629 #endif
wolfSSL 7:481bce714567 3630
wolfSSL 7:481bce714567 3631 return 0;
wolfSSL 7:481bce714567 3632 }
wolfSSL 7:481bce714567 3633
wolfSSL 7:481bce714567 3634 static int GetValidity(DecodedCert* cert, int verify)
wolfSSL 7:481bce714567 3635 {
wolfSSL 7:481bce714567 3636 int length;
wolfSSL 7:481bce714567 3637 int badDate = 0;
wolfSSL 7:481bce714567 3638
wolfSSL 7:481bce714567 3639 if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 3640 return ASN_PARSE_E;
wolfSSL 7:481bce714567 3641
wolfSSL 7:481bce714567 3642 if (GetDate(cert, BEFORE) < 0 && verify)
wolfSSL 7:481bce714567 3643 badDate = ASN_BEFORE_DATE_E; /* continue parsing */
wolfSSL 7:481bce714567 3644
wolfSSL 7:481bce714567 3645 if (GetDate(cert, AFTER) < 0 && verify)
wolfSSL 7:481bce714567 3646 return ASN_AFTER_DATE_E;
wolfSSL 7:481bce714567 3647
wolfSSL 7:481bce714567 3648 if (badDate != 0)
wolfSSL 7:481bce714567 3649 return badDate;
wolfSSL 7:481bce714567 3650
wolfSSL 7:481bce714567 3651 return 0;
wolfSSL 7:481bce714567 3652 }
wolfSSL 7:481bce714567 3653
wolfSSL 7:481bce714567 3654
wolfSSL 7:481bce714567 3655 int DecodeToKey(DecodedCert* cert, int verify)
wolfSSL 7:481bce714567 3656 {
wolfSSL 7:481bce714567 3657 int badDate = 0;
wolfSSL 7:481bce714567 3658 int ret;
wolfSSL 7:481bce714567 3659
wolfSSL 7:481bce714567 3660 if ( (ret = GetCertHeader(cert)) < 0)
wolfSSL 7:481bce714567 3661 return ret;
wolfSSL 7:481bce714567 3662
wolfSSL 7:481bce714567 3663 WOLFSSL_MSG("Got Cert Header");
wolfSSL 7:481bce714567 3664
wolfSSL 7:481bce714567 3665 if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
wolfSSL 7:481bce714567 3666 oidSigType, cert->maxIdx)) < 0)
wolfSSL 7:481bce714567 3667 return ret;
wolfSSL 7:481bce714567 3668
wolfSSL 7:481bce714567 3669 WOLFSSL_MSG("Got Algo ID");
wolfSSL 7:481bce714567 3670
wolfSSL 7:481bce714567 3671 if ( (ret = GetName(cert, ISSUER)) < 0)
wolfSSL 7:481bce714567 3672 return ret;
wolfSSL 7:481bce714567 3673
wolfSSL 7:481bce714567 3674 if ( (ret = GetValidity(cert, verify)) < 0)
wolfSSL 7:481bce714567 3675 badDate = ret;
wolfSSL 7:481bce714567 3676
wolfSSL 7:481bce714567 3677 if ( (ret = GetName(cert, SUBJECT)) < 0)
wolfSSL 7:481bce714567 3678 return ret;
wolfSSL 7:481bce714567 3679
wolfSSL 7:481bce714567 3680 WOLFSSL_MSG("Got Subject Name");
wolfSSL 7:481bce714567 3681
wolfSSL 7:481bce714567 3682 if ( (ret = GetKey(cert)) < 0)
wolfSSL 7:481bce714567 3683 return ret;
wolfSSL 7:481bce714567 3684
wolfSSL 7:481bce714567 3685 WOLFSSL_MSG("Got Key");
wolfSSL 7:481bce714567 3686
wolfSSL 7:481bce714567 3687 if (badDate != 0)
wolfSSL 7:481bce714567 3688 return badDate;
wolfSSL 7:481bce714567 3689
wolfSSL 7:481bce714567 3690 return ret;
wolfSSL 7:481bce714567 3691 }
wolfSSL 7:481bce714567 3692
wolfSSL 7:481bce714567 3693 static int GetSignature(DecodedCert* cert)
wolfSSL 7:481bce714567 3694 {
wolfSSL 7:481bce714567 3695 int length;
wolfSSL 7:481bce714567 3696 byte b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 3697
wolfSSL 7:481bce714567 3698 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 3699 return ASN_BITSTR_E;
wolfSSL 7:481bce714567 3700
wolfSSL 7:481bce714567 3701 if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL 7:481bce714567 3702 return ASN_PARSE_E;
wolfSSL 7:481bce714567 3703
wolfSSL 7:481bce714567 3704 cert->sigLength = length;
wolfSSL 7:481bce714567 3705
wolfSSL 7:481bce714567 3706 if (length > 0) {
wolfSSL 7:481bce714567 3707 b = cert->source[cert->srcIdx++];
wolfSSL 7:481bce714567 3708 if (b != 0x00)
wolfSSL 7:481bce714567 3709 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 3710 cert->sigLength--;
wolfSSL 7:481bce714567 3711 }
wolfSSL 7:481bce714567 3712
wolfSSL 7:481bce714567 3713 cert->signature = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 3714 cert->srcIdx += cert->sigLength;
wolfSSL 7:481bce714567 3715
wolfSSL 7:481bce714567 3716 return 0;
wolfSSL 7:481bce714567 3717 }
wolfSSL 7:481bce714567 3718
wolfSSL 7:481bce714567 3719 static word32 SetDigest(const byte* digest, word32 digSz, byte* output)
wolfSSL 7:481bce714567 3720 {
wolfSSL 7:481bce714567 3721 output[0] = ASN_OCTET_STRING;
wolfSSL 7:481bce714567 3722 output[1] = (byte)digSz;
wolfSSL 7:481bce714567 3723 XMEMCPY(&output[2], digest, digSz);
wolfSSL 7:481bce714567 3724
wolfSSL 7:481bce714567 3725 return digSz + 2;
wolfSSL 7:481bce714567 3726 }
wolfSSL 7:481bce714567 3727
wolfSSL 7:481bce714567 3728
wolfSSL 7:481bce714567 3729 static word32 BytePrecision(word32 value)
wolfSSL 7:481bce714567 3730 {
wolfSSL 7:481bce714567 3731 word32 i;
wolfSSL 7:481bce714567 3732 for (i = sizeof(value); i; --i)
wolfSSL 7:481bce714567 3733 if (value >> ((i - 1) * WOLFSSL_BIT_SIZE))
wolfSSL 7:481bce714567 3734 break;
wolfSSL 7:481bce714567 3735
wolfSSL 7:481bce714567 3736 return i;
wolfSSL 7:481bce714567 3737 }
wolfSSL 7:481bce714567 3738
wolfSSL 7:481bce714567 3739
wolfSSL 7:481bce714567 3740 WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
wolfSSL 7:481bce714567 3741 {
wolfSSL 7:481bce714567 3742 word32 i = 0, j;
wolfSSL 7:481bce714567 3743
wolfSSL 7:481bce714567 3744 if (length < ASN_LONG_LENGTH)
wolfSSL 7:481bce714567 3745 output[i++] = (byte)length;
wolfSSL 7:481bce714567 3746 else {
wolfSSL 7:481bce714567 3747 output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
wolfSSL 7:481bce714567 3748
wolfSSL 7:481bce714567 3749 for (j = BytePrecision(length); j; --j) {
wolfSSL 7:481bce714567 3750 output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
wolfSSL 7:481bce714567 3751 i++;
wolfSSL 7:481bce714567 3752 }
wolfSSL 7:481bce714567 3753 }
wolfSSL 7:481bce714567 3754
wolfSSL 7:481bce714567 3755 return i;
wolfSSL 7:481bce714567 3756 }
wolfSSL 7:481bce714567 3757
wolfSSL 7:481bce714567 3758
wolfSSL 7:481bce714567 3759 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
wolfSSL 7:481bce714567 3760 {
wolfSSL 7:481bce714567 3761 output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
wolfSSL 7:481bce714567 3762 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 3763 }
wolfSSL 7:481bce714567 3764
wolfSSL 7:481bce714567 3765 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
wolfSSL 7:481bce714567 3766 {
wolfSSL 7:481bce714567 3767 output[0] = ASN_OCTET_STRING;
wolfSSL 7:481bce714567 3768 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 3769 }
wolfSSL 7:481bce714567 3770
wolfSSL 7:481bce714567 3771 /* Write a set header to output */
wolfSSL 7:481bce714567 3772 WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output)
wolfSSL 7:481bce714567 3773 {
wolfSSL 7:481bce714567 3774 output[0] = ASN_SET | ASN_CONSTRUCTED;
wolfSSL 7:481bce714567 3775 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 3776 }
wolfSSL 7:481bce714567 3777
wolfSSL 7:481bce714567 3778 WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
wolfSSL 7:481bce714567 3779 {
wolfSSL 7:481bce714567 3780
wolfSSL 7:481bce714567 3781 output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
wolfSSL 7:481bce714567 3782 | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 7:481bce714567 3783 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 3784 }
wolfSSL 7:481bce714567 3785
wolfSSL 7:481bce714567 3786 WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
wolfSSL 7:481bce714567 3787 {
wolfSSL 7:481bce714567 3788 output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number;
wolfSSL 7:481bce714567 3789 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 3790 }
wolfSSL 7:481bce714567 3791
wolfSSL 7:481bce714567 3792
wolfSSL 7:481bce714567 3793 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
wolfSSL 7:481bce714567 3794
wolfSSL 7:481bce714567 3795 static int SetCurve(ecc_key* key, byte* output)
wolfSSL 7:481bce714567 3796 {
wolfSSL 7:481bce714567 3797 int ret;
wolfSSL 7:481bce714567 3798 int idx = 0;
wolfSSL 7:481bce714567 3799 word32 oidSz = 0;
wolfSSL 7:481bce714567 3800
wolfSSL 7:481bce714567 3801 /* validate key */
wolfSSL 7:481bce714567 3802 if (key == NULL || key->dp == NULL) {
wolfSSL 7:481bce714567 3803 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 3804 }
wolfSSL 7:481bce714567 3805
wolfSSL 7:481bce714567 3806 #ifdef HAVE_OID_ENCODING
wolfSSL 7:481bce714567 3807 ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, NULL, &oidSz);
wolfSSL 7:481bce714567 3808 if (ret != 0) {
wolfSSL 7:481bce714567 3809 return ret;
wolfSSL 7:481bce714567 3810 }
wolfSSL 7:481bce714567 3811 #else
wolfSSL 7:481bce714567 3812 oidSz = key->dp->oidSz;
wolfSSL 7:481bce714567 3813 #endif
wolfSSL 7:481bce714567 3814
wolfSSL 7:481bce714567 3815 output[0] = ASN_OBJECT_ID;
wolfSSL 7:481bce714567 3816 idx++;
wolfSSL 7:481bce714567 3817
wolfSSL 7:481bce714567 3818 ret = SetLength(oidSz, output+idx);
wolfSSL 7:481bce714567 3819 idx += ret;
wolfSSL 7:481bce714567 3820
wolfSSL 7:481bce714567 3821 #ifdef HAVE_OID_ENCODING
wolfSSL 7:481bce714567 3822 ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
wolfSSL 7:481bce714567 3823 if (ret != 0) {
wolfSSL 7:481bce714567 3824 return ret;
wolfSSL 7:481bce714567 3825 }
wolfSSL 7:481bce714567 3826 #else
wolfSSL 7:481bce714567 3827 XMEMCPY(output+idx, key->dp->oid, oidSz);
wolfSSL 7:481bce714567 3828 #endif
wolfSSL 7:481bce714567 3829 idx += oidSz;
wolfSSL 7:481bce714567 3830
wolfSSL 7:481bce714567 3831 return idx;
wolfSSL 7:481bce714567 3832 }
wolfSSL 7:481bce714567 3833
wolfSSL 7:481bce714567 3834 #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 3835
wolfSSL 7:481bce714567 3836
wolfSSL 7:481bce714567 3837 static INLINE int IsSigAlgoECDSA(int algoOID)
wolfSSL 7:481bce714567 3838 {
wolfSSL 7:481bce714567 3839 /* ECDSA sigAlgo must not have ASN1 NULL parameters */
wolfSSL 7:481bce714567 3840 if (algoOID == CTC_SHAwECDSA || algoOID == CTC_SHA256wECDSA ||
wolfSSL 7:481bce714567 3841 algoOID == CTC_SHA384wECDSA || algoOID == CTC_SHA512wECDSA) {
wolfSSL 7:481bce714567 3842 return 1;
wolfSSL 7:481bce714567 3843 }
wolfSSL 7:481bce714567 3844
wolfSSL 7:481bce714567 3845 return 0;
wolfSSL 7:481bce714567 3846 }
wolfSSL 7:481bce714567 3847
wolfSSL 7:481bce714567 3848 WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
wolfSSL 7:481bce714567 3849 {
wolfSSL 7:481bce714567 3850 word32 tagSz, idSz, seqSz, algoSz = 0;
wolfSSL 7:481bce714567 3851 const byte* algoName = 0;
wolfSSL 7:481bce714567 3852 byte ID_Length[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 3853 byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
wolfSSL 7:481bce714567 3854
wolfSSL 7:481bce714567 3855 tagSz = (type == oidHashType ||
wolfSSL 7:481bce714567 3856 (type == oidSigType && !IsSigAlgoECDSA(algoOID)) ||
wolfSSL 7:481bce714567 3857 (type == oidKeyType && algoOID == RSAk)) ? 2 : 0;
wolfSSL 7:481bce714567 3858
wolfSSL 7:481bce714567 3859 algoName = OidFromId(algoOID, type, &algoSz);
wolfSSL 7:481bce714567 3860
wolfSSL 7:481bce714567 3861 if (algoName == NULL) {
wolfSSL 7:481bce714567 3862 WOLFSSL_MSG("Unknown Algorithm");
wolfSSL 7:481bce714567 3863 return 0;
wolfSSL 7:481bce714567 3864 }
wolfSSL 7:481bce714567 3865
wolfSSL 7:481bce714567 3866 idSz = SetLength(algoSz, ID_Length);
wolfSSL 7:481bce714567 3867 seqSz = SetSequence(idSz + algoSz + 1 + tagSz + curveSz, seqArray);
wolfSSL 7:481bce714567 3868 /* +1 for object id, curveID of curveSz follows for ecc */
wolfSSL 7:481bce714567 3869 seqArray[seqSz++] = ASN_OBJECT_ID;
wolfSSL 7:481bce714567 3870
wolfSSL 7:481bce714567 3871 XMEMCPY(output, seqArray, seqSz);
wolfSSL 7:481bce714567 3872 XMEMCPY(output + seqSz, ID_Length, idSz);
wolfSSL 7:481bce714567 3873 XMEMCPY(output + seqSz + idSz, algoName, algoSz);
wolfSSL 7:481bce714567 3874 if (tagSz == 2) {
wolfSSL 7:481bce714567 3875 output[seqSz + idSz + algoSz] = ASN_TAG_NULL;
wolfSSL 7:481bce714567 3876 output[seqSz + idSz + algoSz + 1] = 0;
wolfSSL 7:481bce714567 3877 }
wolfSSL 7:481bce714567 3878
wolfSSL 7:481bce714567 3879 return seqSz + idSz + algoSz + tagSz;
wolfSSL 7:481bce714567 3880
wolfSSL 7:481bce714567 3881 }
wolfSSL 7:481bce714567 3882
wolfSSL 7:481bce714567 3883
wolfSSL 7:481bce714567 3884 word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
wolfSSL 7:481bce714567 3885 int hashOID)
wolfSSL 7:481bce714567 3886 {
wolfSSL 7:481bce714567 3887 byte digArray[MAX_ENCODED_DIG_SZ];
wolfSSL 7:481bce714567 3888 byte algoArray[MAX_ALGO_SZ];
wolfSSL 7:481bce714567 3889 byte seqArray[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 3890 word32 encDigSz, algoSz, seqSz;
wolfSSL 7:481bce714567 3891
wolfSSL 7:481bce714567 3892 encDigSz = SetDigest(digest, digSz, digArray);
wolfSSL 7:481bce714567 3893 algoSz = SetAlgoID(hashOID, algoArray, oidHashType, 0);
wolfSSL 7:481bce714567 3894 seqSz = SetSequence(encDigSz + algoSz, seqArray);
wolfSSL 7:481bce714567 3895
wolfSSL 7:481bce714567 3896 XMEMCPY(out, seqArray, seqSz);
wolfSSL 7:481bce714567 3897 XMEMCPY(out + seqSz, algoArray, algoSz);
wolfSSL 7:481bce714567 3898 XMEMCPY(out + seqSz + algoSz, digArray, encDigSz);
wolfSSL 7:481bce714567 3899
wolfSSL 7:481bce714567 3900 return encDigSz + algoSz + seqSz;
wolfSSL 7:481bce714567 3901 }
wolfSSL 7:481bce714567 3902
wolfSSL 7:481bce714567 3903
wolfSSL 7:481bce714567 3904 int wc_GetCTC_HashOID(int type)
wolfSSL 7:481bce714567 3905 {
wolfSSL 7:481bce714567 3906 switch (type) {
wolfSSL 7:481bce714567 3907 #ifdef WOLFSSL_MD2
wolfSSL 7:481bce714567 3908 case MD2:
wolfSSL 7:481bce714567 3909 return MD2h;
wolfSSL 7:481bce714567 3910 #endif
wolfSSL 7:481bce714567 3911 #ifndef NO_MD5
wolfSSL 7:481bce714567 3912 case MD5:
wolfSSL 7:481bce714567 3913 return MD5h;
wolfSSL 7:481bce714567 3914 #endif
wolfSSL 7:481bce714567 3915 #ifndef NO_SHA
wolfSSL 7:481bce714567 3916 case SHA:
wolfSSL 7:481bce714567 3917 return SHAh;
wolfSSL 7:481bce714567 3918 #endif
wolfSSL 7:481bce714567 3919 #ifdef WOLFSSL_SHA224
wolfSSL 7:481bce714567 3920 case SHA224:
wolfSSL 7:481bce714567 3921 return SHA224h;
wolfSSL 7:481bce714567 3922 #endif
wolfSSL 7:481bce714567 3923 #ifndef NO_SHA256
wolfSSL 7:481bce714567 3924 case SHA256:
wolfSSL 7:481bce714567 3925 return SHA256h;
wolfSSL 7:481bce714567 3926 #endif
wolfSSL 7:481bce714567 3927 #ifdef WOLFSSL_SHA384
wolfSSL 7:481bce714567 3928 case SHA384:
wolfSSL 7:481bce714567 3929 return SHA384h;
wolfSSL 7:481bce714567 3930 #endif
wolfSSL 7:481bce714567 3931 #ifdef WOLFSSL_SHA512
wolfSSL 7:481bce714567 3932 case SHA512:
wolfSSL 7:481bce714567 3933 return SHA512h;
wolfSSL 7:481bce714567 3934 #endif
wolfSSL 7:481bce714567 3935 default:
wolfSSL 7:481bce714567 3936 return 0;
wolfSSL 7:481bce714567 3937 };
wolfSSL 7:481bce714567 3938 }
wolfSSL 7:481bce714567 3939
wolfSSL 7:481bce714567 3940 /* return true (1) or false (0) for Confirmation */
wolfSSL 7:481bce714567 3941 static int ConfirmSignature(const byte* buf, word32 bufSz,
wolfSSL 7:481bce714567 3942 const byte* key, word32 keySz, word32 keyOID,
wolfSSL 7:481bce714567 3943 const byte* sig, word32 sigSz, word32 sigOID,
wolfSSL 7:481bce714567 3944 void* heap)
wolfSSL 7:481bce714567 3945 {
wolfSSL 7:481bce714567 3946 int typeH = 0, digestSz = 0, ret = 0;
wolfSSL 7:481bce714567 3947 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 3948 byte* digest;
wolfSSL 7:481bce714567 3949 #else
wolfSSL 7:481bce714567 3950 byte digest[WC_MAX_DIGEST_SIZE];
wolfSSL 7:481bce714567 3951 #endif
wolfSSL 7:481bce714567 3952
wolfSSL 7:481bce714567 3953 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 3954 digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 3955 if (digest == NULL)
wolfSSL 7:481bce714567 3956 return 0; /* not confirmed */
wolfSSL 7:481bce714567 3957 #endif
wolfSSL 7:481bce714567 3958
wolfSSL 7:481bce714567 3959 (void)key;
wolfSSL 7:481bce714567 3960 (void)keySz;
wolfSSL 7:481bce714567 3961 (void)sig;
wolfSSL 7:481bce714567 3962 (void)sigSz;
wolfSSL 7:481bce714567 3963 (void)heap;
wolfSSL 7:481bce714567 3964
wolfSSL 7:481bce714567 3965 switch (sigOID) {
wolfSSL 7:481bce714567 3966 #ifndef NO_MD5
wolfSSL 7:481bce714567 3967 case CTC_MD5wRSA:
wolfSSL 7:481bce714567 3968 if (wc_Md5Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 3969 typeH = MD5h;
wolfSSL 7:481bce714567 3970 digestSz = MD5_DIGEST_SIZE;
wolfSSL 7:481bce714567 3971 }
wolfSSL 7:481bce714567 3972 break;
wolfSSL 7:481bce714567 3973 #endif
wolfSSL 7:481bce714567 3974 #if defined(WOLFSSL_MD2)
wolfSSL 7:481bce714567 3975 case CTC_MD2wRSA:
wolfSSL 7:481bce714567 3976 if (wc_Md2Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 3977 typeH = MD2h;
wolfSSL 7:481bce714567 3978 digestSz = MD2_DIGEST_SIZE;
wolfSSL 7:481bce714567 3979 }
wolfSSL 7:481bce714567 3980 break;
wolfSSL 7:481bce714567 3981 #endif
wolfSSL 7:481bce714567 3982 #ifndef NO_SHA
wolfSSL 7:481bce714567 3983 case CTC_SHAwRSA:
wolfSSL 7:481bce714567 3984 case CTC_SHAwDSA:
wolfSSL 7:481bce714567 3985 case CTC_SHAwECDSA:
wolfSSL 7:481bce714567 3986 if (wc_ShaHash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 3987 typeH = SHAh;
wolfSSL 7:481bce714567 3988 digestSz = SHA_DIGEST_SIZE;
wolfSSL 7:481bce714567 3989 }
wolfSSL 7:481bce714567 3990 break;
wolfSSL 7:481bce714567 3991 #endif
wolfSSL 7:481bce714567 3992 #ifdef WOLFSSL_SHA224
wolfSSL 7:481bce714567 3993 case CTC_SHA224wRSA:
wolfSSL 7:481bce714567 3994 case CTC_SHA224wECDSA:
wolfSSL 7:481bce714567 3995 if (wc_Sha224Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 3996 typeH = SHA224h;
wolfSSL 7:481bce714567 3997 digestSz = SHA224_DIGEST_SIZE;
wolfSSL 7:481bce714567 3998 }
wolfSSL 7:481bce714567 3999 break;
wolfSSL 7:481bce714567 4000 #endif
wolfSSL 7:481bce714567 4001 #ifndef NO_SHA256
wolfSSL 7:481bce714567 4002 case CTC_SHA256wRSA:
wolfSSL 7:481bce714567 4003 case CTC_SHA256wECDSA:
wolfSSL 7:481bce714567 4004 if (wc_Sha256Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 4005 typeH = SHA256h;
wolfSSL 7:481bce714567 4006 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 7:481bce714567 4007 }
wolfSSL 7:481bce714567 4008 break;
wolfSSL 7:481bce714567 4009 #endif
wolfSSL 7:481bce714567 4010 #ifdef WOLFSSL_SHA512
wolfSSL 7:481bce714567 4011 case CTC_SHA512wRSA:
wolfSSL 7:481bce714567 4012 case CTC_SHA512wECDSA:
wolfSSL 7:481bce714567 4013 if (wc_Sha512Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 4014 typeH = SHA512h;
wolfSSL 7:481bce714567 4015 digestSz = SHA512_DIGEST_SIZE;
wolfSSL 7:481bce714567 4016 }
wolfSSL 7:481bce714567 4017 break;
wolfSSL 7:481bce714567 4018 #endif
wolfSSL 7:481bce714567 4019 #ifdef WOLFSSL_SHA384
wolfSSL 7:481bce714567 4020 case CTC_SHA384wRSA:
wolfSSL 7:481bce714567 4021 case CTC_SHA384wECDSA:
wolfSSL 7:481bce714567 4022 if (wc_Sha384Hash(buf, bufSz, digest) == 0) {
wolfSSL 7:481bce714567 4023 typeH = SHA384h;
wolfSSL 7:481bce714567 4024 digestSz = SHA384_DIGEST_SIZE;
wolfSSL 7:481bce714567 4025 }
wolfSSL 7:481bce714567 4026 break;
wolfSSL 7:481bce714567 4027 #endif
wolfSSL 7:481bce714567 4028 default:
wolfSSL 7:481bce714567 4029 WOLFSSL_MSG("Verify Signature has unsupported type");
wolfSSL 7:481bce714567 4030 }
wolfSSL 7:481bce714567 4031
wolfSSL 7:481bce714567 4032 if (typeH == 0) {
wolfSSL 7:481bce714567 4033 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4034 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4035 #endif
wolfSSL 7:481bce714567 4036 return 0; /* not confirmed */
wolfSSL 7:481bce714567 4037 }
wolfSSL 7:481bce714567 4038
wolfSSL 7:481bce714567 4039 switch (keyOID) {
wolfSSL 7:481bce714567 4040 #ifndef NO_RSA
wolfSSL 7:481bce714567 4041 case RSAk:
wolfSSL 7:481bce714567 4042 {
wolfSSL 7:481bce714567 4043 word32 idx = 0;
wolfSSL 7:481bce714567 4044 int encodedSigSz, verifySz;
wolfSSL 7:481bce714567 4045 byte* out;
wolfSSL 7:481bce714567 4046 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4047 RsaKey* pubKey;
wolfSSL 7:481bce714567 4048 byte* plain;
wolfSSL 7:481bce714567 4049 byte* encodedSig;
wolfSSL 7:481bce714567 4050 #else
wolfSSL 7:481bce714567 4051 RsaKey pubKey[1];
wolfSSL 7:481bce714567 4052 byte plain[MAX_ENCODED_SIG_SZ];
wolfSSL 7:481bce714567 4053 byte encodedSig[MAX_ENCODED_SIG_SZ];
wolfSSL 7:481bce714567 4054 #endif
wolfSSL 7:481bce714567 4055
wolfSSL 7:481bce714567 4056 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4057 pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
wolfSSL 7:481bce714567 4058 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4059 plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL 7:481bce714567 4060 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4061 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL 7:481bce714567 4062 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4063
wolfSSL 7:481bce714567 4064 if (pubKey == NULL || plain == NULL || encodedSig == NULL) {
wolfSSL 7:481bce714567 4065 WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature");
wolfSSL 7:481bce714567 4066
wolfSSL 7:481bce714567 4067 if (pubKey)
wolfSSL 7:481bce714567 4068 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4069 if (plain)
wolfSSL 7:481bce714567 4070 XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4071 if (encodedSig)
wolfSSL 7:481bce714567 4072 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4073
wolfSSL 7:481bce714567 4074 break; /* not confirmed */
wolfSSL 7:481bce714567 4075 }
wolfSSL 7:481bce714567 4076 #endif
wolfSSL 7:481bce714567 4077 if (wc_InitRsaKey(pubKey, heap) != 0) {
wolfSSL 7:481bce714567 4078 WOLFSSL_MSG("InitRsaKey failed");
wolfSSL 7:481bce714567 4079 }
wolfSSL 7:481bce714567 4080 else if (sigSz > MAX_ENCODED_SIG_SZ) {
wolfSSL 7:481bce714567 4081 WOLFSSL_MSG("Verify Signature is too big");
wolfSSL 7:481bce714567 4082 }
wolfSSL 7:481bce714567 4083 else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) {
wolfSSL 7:481bce714567 4084 WOLFSSL_MSG("ASN Key decode error RSA");
wolfSSL 7:481bce714567 4085 }
wolfSSL 7:481bce714567 4086 else {
wolfSSL 7:481bce714567 4087 XMEMCPY(plain, sig, sigSz);
wolfSSL 7:481bce714567 4088
wolfSSL 7:481bce714567 4089 ret = 0;
wolfSSL 7:481bce714567 4090 do {
wolfSSL 7:481bce714567 4091 #if defined(WOLFSSL_ASYNC_CRYPT)
wolfSSL 7:481bce714567 4092 ret = wc_RsaAsyncWait(ret, pubKey);
wolfSSL 7:481bce714567 4093 #endif
wolfSSL 7:481bce714567 4094 if (ret >= 0) {
wolfSSL 7:481bce714567 4095 ret = wc_RsaSSL_VerifyInline(plain, sigSz, &out,
wolfSSL 7:481bce714567 4096 pubKey);
wolfSSL 7:481bce714567 4097 }
wolfSSL 7:481bce714567 4098 } while (ret == WC_PENDING_E);
wolfSSL 7:481bce714567 4099
wolfSSL 7:481bce714567 4100 if (ret < 0) {
wolfSSL 7:481bce714567 4101 WOLFSSL_MSG("Rsa SSL verify error");
wolfSSL 7:481bce714567 4102 }
wolfSSL 7:481bce714567 4103 else {
wolfSSL 7:481bce714567 4104 verifySz = ret;
wolfSSL 7:481bce714567 4105 /* make sure we're right justified */
wolfSSL 7:481bce714567 4106 encodedSigSz =
wolfSSL 7:481bce714567 4107 wc_EncodeSignature(encodedSig, digest, digestSz, typeH);
wolfSSL 7:481bce714567 4108 if (encodedSigSz != verifySz ||
wolfSSL 7:481bce714567 4109 XMEMCMP(out, encodedSig, encodedSigSz) != 0) {
wolfSSL 7:481bce714567 4110 WOLFSSL_MSG("Rsa SSL verify match encode error");
wolfSSL 7:481bce714567 4111 }
wolfSSL 7:481bce714567 4112 else
wolfSSL 7:481bce714567 4113 ret = 1; /* match */
wolfSSL 7:481bce714567 4114
wolfSSL 7:481bce714567 4115 #ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL 7:481bce714567 4116 {
wolfSSL 7:481bce714567 4117 int x;
wolfSSL 7:481bce714567 4118
wolfSSL 7:481bce714567 4119 printf("wolfssl encodedSig:\n");
wolfSSL 7:481bce714567 4120
wolfSSL 7:481bce714567 4121 for (x = 0; x < encodedSigSz; x++) {
wolfSSL 7:481bce714567 4122 printf("%02x ", encodedSig[x]);
wolfSSL 7:481bce714567 4123 if ( (x % 16) == 15)
wolfSSL 7:481bce714567 4124 printf("\n");
wolfSSL 7:481bce714567 4125 }
wolfSSL 7:481bce714567 4126
wolfSSL 7:481bce714567 4127 printf("\n");
wolfSSL 7:481bce714567 4128 printf("actual digest:\n");
wolfSSL 7:481bce714567 4129
wolfSSL 7:481bce714567 4130 for (x = 0; x < verifySz; x++) {
wolfSSL 7:481bce714567 4131 printf("%02x ", out[x]);
wolfSSL 7:481bce714567 4132 if ( (x % 16) == 15)
wolfSSL 7:481bce714567 4133 printf("\n");
wolfSSL 7:481bce714567 4134 }
wolfSSL 7:481bce714567 4135
wolfSSL 7:481bce714567 4136 printf("\n");
wolfSSL 7:481bce714567 4137 }
wolfSSL 7:481bce714567 4138 #endif /* WOLFSSL_DEBUG_ENCODING */
wolfSSL 7:481bce714567 4139
wolfSSL 7:481bce714567 4140 }
wolfSSL 7:481bce714567 4141
wolfSSL 7:481bce714567 4142 }
wolfSSL 7:481bce714567 4143
wolfSSL 7:481bce714567 4144 wc_FreeRsaKey(pubKey);
wolfSSL 7:481bce714567 4145
wolfSSL 7:481bce714567 4146 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4147 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4148 XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4149 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4150 #endif
wolfSSL 7:481bce714567 4151 break;
wolfSSL 7:481bce714567 4152 }
wolfSSL 7:481bce714567 4153
wolfSSL 7:481bce714567 4154 #endif /* NO_RSA */
wolfSSL 7:481bce714567 4155 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 4156 case ECDSAk:
wolfSSL 7:481bce714567 4157 {
wolfSSL 7:481bce714567 4158 int verify = 0;
wolfSSL 7:481bce714567 4159 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4160 ecc_key* pubKey;
wolfSSL 7:481bce714567 4161 #else
wolfSSL 7:481bce714567 4162 ecc_key pubKey[1];
wolfSSL 7:481bce714567 4163 #endif
wolfSSL 7:481bce714567 4164
wolfSSL 7:481bce714567 4165 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4166 pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL,
wolfSSL 7:481bce714567 4167 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4168 if (pubKey == NULL) {
wolfSSL 7:481bce714567 4169 WOLFSSL_MSG("Failed to allocate pubKey");
wolfSSL 7:481bce714567 4170 break; /* not confirmed */
wolfSSL 7:481bce714567 4171 }
wolfSSL 7:481bce714567 4172 #endif
wolfSSL 7:481bce714567 4173
wolfSSL 7:481bce714567 4174 if (wc_ecc_init(pubKey) < 0) {
wolfSSL 7:481bce714567 4175 WOLFSSL_MSG("Failed to initialize key");
wolfSSL 7:481bce714567 4176 break; /* not confirmed */
wolfSSL 7:481bce714567 4177 }
wolfSSL 7:481bce714567 4178 if (wc_ecc_import_x963(key, keySz, pubKey) < 0) {
wolfSSL 7:481bce714567 4179 WOLFSSL_MSG("ASN Key import error ECC");
wolfSSL 7:481bce714567 4180 }
wolfSSL 7:481bce714567 4181 else {
wolfSSL 7:481bce714567 4182 if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify,
wolfSSL 7:481bce714567 4183 pubKey) != 0) {
wolfSSL 7:481bce714567 4184 WOLFSSL_MSG("ECC verify hash error");
wolfSSL 7:481bce714567 4185 }
wolfSSL 7:481bce714567 4186 else if (1 != verify) {
wolfSSL 7:481bce714567 4187 WOLFSSL_MSG("ECC Verify didn't match");
wolfSSL 7:481bce714567 4188 } else
wolfSSL 7:481bce714567 4189 ret = 1; /* match */
wolfSSL 7:481bce714567 4190
wolfSSL 7:481bce714567 4191 }
wolfSSL 7:481bce714567 4192 wc_ecc_free(pubKey);
wolfSSL 7:481bce714567 4193
wolfSSL 7:481bce714567 4194 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4195 XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4196 #endif
wolfSSL 7:481bce714567 4197 break;
wolfSSL 7:481bce714567 4198 }
wolfSSL 7:481bce714567 4199 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 4200 default:
wolfSSL 7:481bce714567 4201 WOLFSSL_MSG("Verify Key type unknown");
wolfSSL 7:481bce714567 4202 }
wolfSSL 7:481bce714567 4203
wolfSSL 7:481bce714567 4204 (void)digestSz;
wolfSSL 7:481bce714567 4205 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 4206 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 4207 #endif
wolfSSL 7:481bce714567 4208
wolfSSL 7:481bce714567 4209 return ret;
wolfSSL 7:481bce714567 4210 }
wolfSSL 7:481bce714567 4211
wolfSSL 7:481bce714567 4212
wolfSSL 7:481bce714567 4213 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 4214
wolfSSL 7:481bce714567 4215 static int MatchBaseName(int type, const char* name, int nameSz,
wolfSSL 7:481bce714567 4216 const char* base, int baseSz)
wolfSSL 7:481bce714567 4217 {
wolfSSL 7:481bce714567 4218 if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 ||
wolfSSL 7:481bce714567 4219 name[0] == '.' || nameSz < baseSz ||
wolfSSL 7:481bce714567 4220 (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE))
wolfSSL 7:481bce714567 4221 return 0;
wolfSSL 7:481bce714567 4222
wolfSSL 7:481bce714567 4223 /* If an email type, handle special cases where the base is only
wolfSSL 7:481bce714567 4224 * a domain, or is an email address itself. */
wolfSSL 7:481bce714567 4225 if (type == ASN_RFC822_TYPE) {
wolfSSL 7:481bce714567 4226 const char* p = NULL;
wolfSSL 7:481bce714567 4227 int count = 0;
wolfSSL 7:481bce714567 4228
wolfSSL 7:481bce714567 4229 if (base[0] != '.') {
wolfSSL 7:481bce714567 4230 p = base;
wolfSSL 7:481bce714567 4231 count = 0;
wolfSSL 7:481bce714567 4232
wolfSSL 7:481bce714567 4233 /* find the '@' in the base */
wolfSSL 7:481bce714567 4234 while (*p != '@' && count < baseSz) {
wolfSSL 7:481bce714567 4235 count++;
wolfSSL 7:481bce714567 4236 p++;
wolfSSL 7:481bce714567 4237 }
wolfSSL 7:481bce714567 4238
wolfSSL 7:481bce714567 4239 /* No '@' in base, reset p to NULL */
wolfSSL 7:481bce714567 4240 if (count >= baseSz)
wolfSSL 7:481bce714567 4241 p = NULL;
wolfSSL 7:481bce714567 4242 }
wolfSSL 7:481bce714567 4243
wolfSSL 7:481bce714567 4244 if (p == NULL) {
wolfSSL 7:481bce714567 4245 /* Base isn't an email address, it is a domain name,
wolfSSL 7:481bce714567 4246 * wind the name forward one character past its '@'. */
wolfSSL 7:481bce714567 4247 p = name;
wolfSSL 7:481bce714567 4248 count = 0;
wolfSSL 7:481bce714567 4249 while (*p != '@' && count < baseSz) {
wolfSSL 7:481bce714567 4250 count++;
wolfSSL 7:481bce714567 4251 p++;
wolfSSL 7:481bce714567 4252 }
wolfSSL 7:481bce714567 4253
wolfSSL 7:481bce714567 4254 if (count < baseSz && *p == '@') {
wolfSSL 7:481bce714567 4255 name = p + 1;
wolfSSL 7:481bce714567 4256 nameSz -= count + 1;
wolfSSL 7:481bce714567 4257 }
wolfSSL 7:481bce714567 4258 }
wolfSSL 7:481bce714567 4259 }
wolfSSL 7:481bce714567 4260
wolfSSL 7:481bce714567 4261 if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') {
wolfSSL 7:481bce714567 4262 int szAdjust = nameSz - baseSz;
wolfSSL 7:481bce714567 4263 name += szAdjust;
wolfSSL 7:481bce714567 4264 nameSz -= szAdjust;
wolfSSL 7:481bce714567 4265 }
wolfSSL 7:481bce714567 4266
wolfSSL 7:481bce714567 4267 while (nameSz > 0) {
wolfSSL 7:481bce714567 4268 if (XTOLOWER((unsigned char)*name++) !=
wolfSSL 7:481bce714567 4269 XTOLOWER((unsigned char)*base++))
wolfSSL 7:481bce714567 4270 return 0;
wolfSSL 7:481bce714567 4271 nameSz--;
wolfSSL 7:481bce714567 4272 }
wolfSSL 7:481bce714567 4273
wolfSSL 7:481bce714567 4274 return 1;
wolfSSL 7:481bce714567 4275 }
wolfSSL 7:481bce714567 4276
wolfSSL 7:481bce714567 4277
wolfSSL 7:481bce714567 4278 static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
wolfSSL 7:481bce714567 4279 {
wolfSSL 7:481bce714567 4280 if (signer == NULL || cert == NULL)
wolfSSL 7:481bce714567 4281 return 0;
wolfSSL 7:481bce714567 4282
wolfSSL 7:481bce714567 4283 /* Check against the excluded list */
wolfSSL 7:481bce714567 4284 if (signer->excludedNames) {
wolfSSL 7:481bce714567 4285 Base_entry* base = signer->excludedNames;
wolfSSL 7:481bce714567 4286
wolfSSL 7:481bce714567 4287 while (base != NULL) {
wolfSSL 7:481bce714567 4288 if (base->type == ASN_DNS_TYPE) {
wolfSSL 7:481bce714567 4289 DNS_entry* name = cert->altNames;
wolfSSL 7:481bce714567 4290 while (name != NULL) {
wolfSSL 7:481bce714567 4291 if (MatchBaseName(ASN_DNS_TYPE,
wolfSSL 7:481bce714567 4292 name->name, (int)XSTRLEN(name->name),
wolfSSL 7:481bce714567 4293 base->name, base->nameSz))
wolfSSL 7:481bce714567 4294 return 0;
wolfSSL 7:481bce714567 4295 name = name->next;
wolfSSL 7:481bce714567 4296 }
wolfSSL 7:481bce714567 4297 }
wolfSSL 7:481bce714567 4298 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 7:481bce714567 4299 DNS_entry* name = cert->altEmailNames;
wolfSSL 7:481bce714567 4300 while (name != NULL) {
wolfSSL 7:481bce714567 4301 if (MatchBaseName(ASN_RFC822_TYPE,
wolfSSL 7:481bce714567 4302 name->name, (int)XSTRLEN(name->name),
wolfSSL 7:481bce714567 4303 base->name, base->nameSz))
wolfSSL 7:481bce714567 4304 return 0;
wolfSSL 7:481bce714567 4305
wolfSSL 7:481bce714567 4306 name = name->next;
wolfSSL 7:481bce714567 4307 }
wolfSSL 7:481bce714567 4308 }
wolfSSL 7:481bce714567 4309 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 7:481bce714567 4310 if (cert->subjectRawLen == base->nameSz &&
wolfSSL 7:481bce714567 4311 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 7:481bce714567 4312
wolfSSL 7:481bce714567 4313 return 0;
wolfSSL 7:481bce714567 4314 }
wolfSSL 7:481bce714567 4315 }
wolfSSL 7:481bce714567 4316 base = base->next;
wolfSSL 7:481bce714567 4317 }
wolfSSL 7:481bce714567 4318 }
wolfSSL 7:481bce714567 4319
wolfSSL 7:481bce714567 4320 /* Check against the permitted list */
wolfSSL 7:481bce714567 4321 if (signer->permittedNames != NULL) {
wolfSSL 7:481bce714567 4322 int needDns = 0;
wolfSSL 7:481bce714567 4323 int matchDns = 0;
wolfSSL 7:481bce714567 4324 int needEmail = 0;
wolfSSL 7:481bce714567 4325 int matchEmail = 0;
wolfSSL 7:481bce714567 4326 int needDir = 0;
wolfSSL 7:481bce714567 4327 int matchDir = 0;
wolfSSL 7:481bce714567 4328 Base_entry* base = signer->permittedNames;
wolfSSL 7:481bce714567 4329
wolfSSL 7:481bce714567 4330 while (base != NULL) {
wolfSSL 7:481bce714567 4331 if (base->type == ASN_DNS_TYPE) {
wolfSSL 7:481bce714567 4332 DNS_entry* name = cert->altNames;
wolfSSL 7:481bce714567 4333
wolfSSL 7:481bce714567 4334 if (name != NULL)
wolfSSL 7:481bce714567 4335 needDns = 1;
wolfSSL 7:481bce714567 4336
wolfSSL 7:481bce714567 4337 while (name != NULL) {
wolfSSL 7:481bce714567 4338 matchDns = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 7:481bce714567 4339 name->name, (int)XSTRLEN(name->name),
wolfSSL 7:481bce714567 4340 base->name, base->nameSz);
wolfSSL 7:481bce714567 4341 name = name->next;
wolfSSL 7:481bce714567 4342 }
wolfSSL 7:481bce714567 4343 }
wolfSSL 7:481bce714567 4344 else if (base->type == ASN_RFC822_TYPE) {
wolfSSL 7:481bce714567 4345 DNS_entry* name = cert->altEmailNames;
wolfSSL 7:481bce714567 4346
wolfSSL 7:481bce714567 4347 if (name != NULL)
wolfSSL 7:481bce714567 4348 needEmail = 1;
wolfSSL 7:481bce714567 4349
wolfSSL 7:481bce714567 4350 while (name != NULL) {
wolfSSL 7:481bce714567 4351 matchEmail = MatchBaseName(ASN_DNS_TYPE,
wolfSSL 7:481bce714567 4352 name->name, (int)XSTRLEN(name->name),
wolfSSL 7:481bce714567 4353 base->name, base->nameSz);
wolfSSL 7:481bce714567 4354 name = name->next;
wolfSSL 7:481bce714567 4355 }
wolfSSL 7:481bce714567 4356 }
wolfSSL 7:481bce714567 4357 else if (base->type == ASN_DIR_TYPE) {
wolfSSL 7:481bce714567 4358 needDir = 1;
wolfSSL 7:481bce714567 4359 if (cert->subjectRaw != NULL &&
wolfSSL 7:481bce714567 4360 cert->subjectRawLen == base->nameSz &&
wolfSSL 7:481bce714567 4361 XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL 7:481bce714567 4362
wolfSSL 7:481bce714567 4363 matchDir = 1;
wolfSSL 7:481bce714567 4364 }
wolfSSL 7:481bce714567 4365 }
wolfSSL 7:481bce714567 4366 base = base->next;
wolfSSL 7:481bce714567 4367 }
wolfSSL 7:481bce714567 4368
wolfSSL 7:481bce714567 4369 if ((needDns && !matchDns) || (needEmail && !matchEmail) ||
wolfSSL 7:481bce714567 4370 (needDir && !matchDir)) {
wolfSSL 7:481bce714567 4371
wolfSSL 7:481bce714567 4372 return 0;
wolfSSL 7:481bce714567 4373 }
wolfSSL 7:481bce714567 4374 }
wolfSSL 7:481bce714567 4375
wolfSSL 7:481bce714567 4376 return 1;
wolfSSL 7:481bce714567 4377 }
wolfSSL 7:481bce714567 4378
wolfSSL 7:481bce714567 4379 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 4380
wolfSSL 7:481bce714567 4381 static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4382 {
wolfSSL 7:481bce714567 4383 word32 idx = 0;
wolfSSL 7:481bce714567 4384 int length = 0;
wolfSSL 7:481bce714567 4385
wolfSSL 7:481bce714567 4386 WOLFSSL_ENTER("DecodeAltNames");
wolfSSL 7:481bce714567 4387
wolfSSL 7:481bce714567 4388 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 4389 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 7:481bce714567 4390 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4391 }
wolfSSL 7:481bce714567 4392
wolfSSL 7:481bce714567 4393 cert->weOwnAltNames = 1;
wolfSSL 7:481bce714567 4394
wolfSSL 7:481bce714567 4395 while (length > 0) {
wolfSSL 7:481bce714567 4396 byte b = input[idx++];
wolfSSL 7:481bce714567 4397
wolfSSL 7:481bce714567 4398 length--;
wolfSSL 7:481bce714567 4399
wolfSSL 7:481bce714567 4400 /* Save DNS Type names in the altNames list. */
wolfSSL 7:481bce714567 4401 /* Save Other Type names in the cert's OidMap */
wolfSSL 7:481bce714567 4402 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
wolfSSL 7:481bce714567 4403 DNS_entry* dnsEntry;
wolfSSL 7:481bce714567 4404 int strLen;
wolfSSL 7:481bce714567 4405 word32 lenStartIdx = idx;
wolfSSL 7:481bce714567 4406
wolfSSL 7:481bce714567 4407 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4408 WOLFSSL_MSG("\tfail: str length");
wolfSSL 7:481bce714567 4409 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4410 }
wolfSSL 7:481bce714567 4411 length -= (idx - lenStartIdx);
wolfSSL 7:481bce714567 4412
wolfSSL 7:481bce714567 4413 dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 7:481bce714567 4414 DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4415 if (dnsEntry == NULL) {
wolfSSL 7:481bce714567 4416 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4417 return MEMORY_E;
wolfSSL 7:481bce714567 4418 }
wolfSSL 7:481bce714567 4419
wolfSSL 7:481bce714567 4420 dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 7:481bce714567 4421 DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4422 if (dnsEntry->name == NULL) {
wolfSSL 7:481bce714567 4423 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4424 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4425 return MEMORY_E;
wolfSSL 7:481bce714567 4426 }
wolfSSL 7:481bce714567 4427
wolfSSL 7:481bce714567 4428 XMEMCPY(dnsEntry->name, &input[idx], strLen);
wolfSSL 7:481bce714567 4429 dnsEntry->name[strLen] = '\0';
wolfSSL 7:481bce714567 4430
wolfSSL 7:481bce714567 4431 dnsEntry->next = cert->altNames;
wolfSSL 7:481bce714567 4432 cert->altNames = dnsEntry;
wolfSSL 7:481bce714567 4433
wolfSSL 7:481bce714567 4434 length -= strLen;
wolfSSL 7:481bce714567 4435 idx += strLen;
wolfSSL 7:481bce714567 4436 }
wolfSSL 7:481bce714567 4437 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 4438 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
wolfSSL 7:481bce714567 4439 DNS_entry* emailEntry;
wolfSSL 7:481bce714567 4440 int strLen;
wolfSSL 7:481bce714567 4441 word32 lenStartIdx = idx;
wolfSSL 7:481bce714567 4442
wolfSSL 7:481bce714567 4443 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4444 WOLFSSL_MSG("\tfail: str length");
wolfSSL 7:481bce714567 4445 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4446 }
wolfSSL 7:481bce714567 4447 length -= (idx - lenStartIdx);
wolfSSL 7:481bce714567 4448
wolfSSL 7:481bce714567 4449 emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL 7:481bce714567 4450 DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4451 if (emailEntry == NULL) {
wolfSSL 7:481bce714567 4452 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4453 return MEMORY_E;
wolfSSL 7:481bce714567 4454 }
wolfSSL 7:481bce714567 4455
wolfSSL 7:481bce714567 4456 emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 7:481bce714567 4457 DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4458 if (emailEntry->name == NULL) {
wolfSSL 7:481bce714567 4459 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4460 XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4461 return MEMORY_E;
wolfSSL 7:481bce714567 4462 }
wolfSSL 7:481bce714567 4463
wolfSSL 7:481bce714567 4464 XMEMCPY(emailEntry->name, &input[idx], strLen);
wolfSSL 7:481bce714567 4465 emailEntry->name[strLen] = '\0';
wolfSSL 7:481bce714567 4466
wolfSSL 7:481bce714567 4467 emailEntry->next = cert->altEmailNames;
wolfSSL 7:481bce714567 4468 cert->altEmailNames = emailEntry;
wolfSSL 7:481bce714567 4469
wolfSSL 7:481bce714567 4470 length -= strLen;
wolfSSL 7:481bce714567 4471 idx += strLen;
wolfSSL 7:481bce714567 4472 }
wolfSSL 7:481bce714567 4473 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 4474 #ifdef WOLFSSL_SEP
wolfSSL 7:481bce714567 4475 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
wolfSSL 7:481bce714567 4476 {
wolfSSL 7:481bce714567 4477 int strLen;
wolfSSL 7:481bce714567 4478 word32 lenStartIdx = idx;
wolfSSL 7:481bce714567 4479 word32 oid = 0;
wolfSSL 7:481bce714567 4480
wolfSSL 7:481bce714567 4481 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4482 WOLFSSL_MSG("\tfail: other name length");
wolfSSL 7:481bce714567 4483 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4484 }
wolfSSL 7:481bce714567 4485 /* Consume the rest of this sequence. */
wolfSSL 7:481bce714567 4486 length -= (strLen + idx - lenStartIdx);
wolfSSL 7:481bce714567 4487
wolfSSL 7:481bce714567 4488 if (GetObjectId(input, &idx, &oid, oidCertAltNameType, sz) < 0) {
wolfSSL 7:481bce714567 4489 WOLFSSL_MSG("\tbad OID");
wolfSSL 7:481bce714567 4490 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4491 }
wolfSSL 7:481bce714567 4492
wolfSSL 7:481bce714567 4493 if (oid != HW_NAME_OID) {
wolfSSL 7:481bce714567 4494 WOLFSSL_MSG("\tincorrect OID");
wolfSSL 7:481bce714567 4495 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4496 }
wolfSSL 7:481bce714567 4497
wolfSSL 7:481bce714567 4498 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
wolfSSL 7:481bce714567 4499 WOLFSSL_MSG("\twrong type");
wolfSSL 7:481bce714567 4500 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4501 }
wolfSSL 7:481bce714567 4502
wolfSSL 7:481bce714567 4503 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4504 WOLFSSL_MSG("\tfail: str len");
wolfSSL 7:481bce714567 4505 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4506 }
wolfSSL 7:481bce714567 4507
wolfSSL 7:481bce714567 4508 if (GetSequence(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4509 WOLFSSL_MSG("\tBad Sequence");
wolfSSL 7:481bce714567 4510 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4511 }
wolfSSL 7:481bce714567 4512
wolfSSL 7:481bce714567 4513 if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 4514 WOLFSSL_MSG("\texpected OID");
wolfSSL 7:481bce714567 4515 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4516 }
wolfSSL 7:481bce714567 4517
wolfSSL 7:481bce714567 4518 if (GetLength(input, &idx, &strLen, sz) <= 0) {
wolfSSL 7:481bce714567 4519 WOLFSSL_MSG("\tfailed: str len");
wolfSSL 7:481bce714567 4520 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4521 }
wolfSSL 7:481bce714567 4522
wolfSSL 7:481bce714567 4523 cert->hwType = (byte*)XMALLOC(strLen, cert->heap,
wolfSSL 7:481bce714567 4524 DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 4525 if (cert->hwType == NULL) {
wolfSSL 7:481bce714567 4526 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4527 return MEMORY_E;
wolfSSL 7:481bce714567 4528 }
wolfSSL 7:481bce714567 4529
wolfSSL 7:481bce714567 4530 XMEMCPY(cert->hwType, &input[idx], strLen);
wolfSSL 7:481bce714567 4531 cert->hwTypeSz = strLen;
wolfSSL 7:481bce714567 4532 idx += strLen;
wolfSSL 7:481bce714567 4533
wolfSSL 7:481bce714567 4534 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 4535 WOLFSSL_MSG("\texpected Octet String");
wolfSSL 7:481bce714567 4536 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4537 }
wolfSSL 7:481bce714567 4538
wolfSSL 7:481bce714567 4539 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4540 WOLFSSL_MSG("\tfailed: str len");
wolfSSL 7:481bce714567 4541 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4542 }
wolfSSL 7:481bce714567 4543
wolfSSL 7:481bce714567 4544 cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap,
wolfSSL 7:481bce714567 4545 DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 4546 if (cert->hwSerialNum == NULL) {
wolfSSL 7:481bce714567 4547 WOLFSSL_MSG("\tOut of Memory");
wolfSSL 7:481bce714567 4548 return MEMORY_E;
wolfSSL 7:481bce714567 4549 }
wolfSSL 7:481bce714567 4550
wolfSSL 7:481bce714567 4551 XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
wolfSSL 7:481bce714567 4552 cert->hwSerialNum[strLen] = '\0';
wolfSSL 7:481bce714567 4553 cert->hwSerialNumSz = strLen;
wolfSSL 7:481bce714567 4554 idx += strLen;
wolfSSL 7:481bce714567 4555 }
wolfSSL 7:481bce714567 4556 #endif /* WOLFSSL_SEP */
wolfSSL 7:481bce714567 4557 else {
wolfSSL 7:481bce714567 4558 int strLen;
wolfSSL 7:481bce714567 4559 word32 lenStartIdx = idx;
wolfSSL 7:481bce714567 4560
wolfSSL 7:481bce714567 4561 WOLFSSL_MSG("\tUnsupported name type, skipping");
wolfSSL 7:481bce714567 4562
wolfSSL 7:481bce714567 4563 if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL 7:481bce714567 4564 WOLFSSL_MSG("\tfail: unsupported name length");
wolfSSL 7:481bce714567 4565 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4566 }
wolfSSL 7:481bce714567 4567 length -= (strLen + idx - lenStartIdx);
wolfSSL 7:481bce714567 4568 idx += strLen;
wolfSSL 7:481bce714567 4569 }
wolfSSL 7:481bce714567 4570 }
wolfSSL 7:481bce714567 4571 return 0;
wolfSSL 7:481bce714567 4572 }
wolfSSL 7:481bce714567 4573
wolfSSL 7:481bce714567 4574 static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4575 {
wolfSSL 7:481bce714567 4576 word32 idx = 0;
wolfSSL 7:481bce714567 4577 int length = 0;
wolfSSL 7:481bce714567 4578
wolfSSL 7:481bce714567 4579 WOLFSSL_ENTER("DecodeBasicCaConstraint");
wolfSSL 7:481bce714567 4580
wolfSSL 7:481bce714567 4581 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 4582 WOLFSSL_MSG("\tfail: bad SEQUENCE");
wolfSSL 7:481bce714567 4583 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4584 }
wolfSSL 7:481bce714567 4585
wolfSSL 7:481bce714567 4586 if (length == 0)
wolfSSL 7:481bce714567 4587 return 0;
wolfSSL 7:481bce714567 4588
wolfSSL 7:481bce714567 4589 /* If the basic ca constraint is false, this extension may be named, but
wolfSSL 7:481bce714567 4590 * left empty. So, if the length is 0, just return. */
wolfSSL 7:481bce714567 4591
wolfSSL 7:481bce714567 4592 if (input[idx++] != ASN_BOOLEAN) {
wolfSSL 7:481bce714567 4593 WOLFSSL_MSG("\tfail: constraint not BOOLEAN");
wolfSSL 7:481bce714567 4594 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4595 }
wolfSSL 7:481bce714567 4596
wolfSSL 7:481bce714567 4597 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 4598 WOLFSSL_MSG("\tfail: length");
wolfSSL 7:481bce714567 4599 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4600 }
wolfSSL 7:481bce714567 4601
wolfSSL 7:481bce714567 4602 if (input[idx++])
wolfSSL 7:481bce714567 4603 cert->isCA = 1;
wolfSSL 7:481bce714567 4604
wolfSSL 7:481bce714567 4605 /* If there isn't any more data, return. */
wolfSSL 7:481bce714567 4606 if (idx >= (word32)sz)
wolfSSL 7:481bce714567 4607 return 0;
wolfSSL 7:481bce714567 4608
wolfSSL 7:481bce714567 4609 /* Anything left should be the optional pathlength */
wolfSSL 7:481bce714567 4610 if (input[idx++] != ASN_INTEGER) {
wolfSSL 7:481bce714567 4611 WOLFSSL_MSG("\tfail: pathlen not INTEGER");
wolfSSL 7:481bce714567 4612 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4613 }
wolfSSL 7:481bce714567 4614
wolfSSL 7:481bce714567 4615 if (input[idx++] != 1) {
wolfSSL 7:481bce714567 4616 WOLFSSL_MSG("\tfail: pathlen too long");
wolfSSL 7:481bce714567 4617 return ASN_PATHLEN_SIZE_E;
wolfSSL 7:481bce714567 4618 }
wolfSSL 7:481bce714567 4619
wolfSSL 7:481bce714567 4620 cert->pathLength = input[idx];
wolfSSL 7:481bce714567 4621 cert->pathLengthSet = 1;
wolfSSL 7:481bce714567 4622
wolfSSL 7:481bce714567 4623 return 0;
wolfSSL 7:481bce714567 4624 }
wolfSSL 7:481bce714567 4625
wolfSSL 7:481bce714567 4626
wolfSSL 7:481bce714567 4627 #define CRLDP_FULL_NAME 0
wolfSSL 7:481bce714567 4628 /* From RFC3280 SS4.2.1.14, Distribution Point Name*/
wolfSSL 7:481bce714567 4629 #define GENERALNAME_URI 6
wolfSSL 7:481bce714567 4630 /* From RFC3280 SS4.2.1.7, GeneralName */
wolfSSL 7:481bce714567 4631
wolfSSL 7:481bce714567 4632 static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4633 {
wolfSSL 7:481bce714567 4634 word32 idx = 0;
wolfSSL 7:481bce714567 4635 int length = 0;
wolfSSL 7:481bce714567 4636
wolfSSL 7:481bce714567 4637 WOLFSSL_ENTER("DecodeCrlDist");
wolfSSL 7:481bce714567 4638
wolfSSL 7:481bce714567 4639 /* Unwrap the list of Distribution Points*/
wolfSSL 7:481bce714567 4640 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4641 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4642
wolfSSL 7:481bce714567 4643 /* Unwrap a single Distribution Point */
wolfSSL 7:481bce714567 4644 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4645 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4646
wolfSSL 7:481bce714567 4647 /* The Distribution Point has three explicit optional members
wolfSSL 7:481bce714567 4648 * First check for a DistributionPointName
wolfSSL 7:481bce714567 4649 */
wolfSSL 7:481bce714567 4650 if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
wolfSSL 7:481bce714567 4651 {
wolfSSL 7:481bce714567 4652 idx++;
wolfSSL 7:481bce714567 4653 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4654 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4655
wolfSSL 7:481bce714567 4656 if (input[idx] ==
wolfSSL 7:481bce714567 4657 (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME))
wolfSSL 7:481bce714567 4658 {
wolfSSL 7:481bce714567 4659 idx++;
wolfSSL 7:481bce714567 4660 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4661 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4662
wolfSSL 7:481bce714567 4663 if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
wolfSSL 7:481bce714567 4664 {
wolfSSL 7:481bce714567 4665 idx++;
wolfSSL 7:481bce714567 4666 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4667 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4668
wolfSSL 7:481bce714567 4669 cert->extCrlInfoSz = length;
wolfSSL 7:481bce714567 4670 cert->extCrlInfo = input + idx;
wolfSSL 7:481bce714567 4671 idx += length;
wolfSSL 7:481bce714567 4672 }
wolfSSL 7:481bce714567 4673 else
wolfSSL 7:481bce714567 4674 /* This isn't a URI, skip it. */
wolfSSL 7:481bce714567 4675 idx += length;
wolfSSL 7:481bce714567 4676 }
wolfSSL 7:481bce714567 4677 else {
wolfSSL 7:481bce714567 4678 /* This isn't a FULLNAME, skip it. */
wolfSSL 7:481bce714567 4679 idx += length;
wolfSSL 7:481bce714567 4680 }
wolfSSL 7:481bce714567 4681 }
wolfSSL 7:481bce714567 4682
wolfSSL 7:481bce714567 4683 /* Check for reasonFlags */
wolfSSL 7:481bce714567 4684 if (idx < (word32)sz &&
wolfSSL 7:481bce714567 4685 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 7:481bce714567 4686 {
wolfSSL 7:481bce714567 4687 idx++;
wolfSSL 7:481bce714567 4688 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4689 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4690 idx += length;
wolfSSL 7:481bce714567 4691 }
wolfSSL 7:481bce714567 4692
wolfSSL 7:481bce714567 4693 /* Check for cRLIssuer */
wolfSSL 7:481bce714567 4694 if (idx < (word32)sz &&
wolfSSL 7:481bce714567 4695 input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2))
wolfSSL 7:481bce714567 4696 {
wolfSSL 7:481bce714567 4697 idx++;
wolfSSL 7:481bce714567 4698 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4699 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4700 idx += length;
wolfSSL 7:481bce714567 4701 }
wolfSSL 7:481bce714567 4702
wolfSSL 7:481bce714567 4703 if (idx < (word32)sz)
wolfSSL 7:481bce714567 4704 {
wolfSSL 7:481bce714567 4705 WOLFSSL_MSG("\tThere are more CRL Distribution Point records, "
wolfSSL 7:481bce714567 4706 "but we only use the first one.");
wolfSSL 7:481bce714567 4707 }
wolfSSL 7:481bce714567 4708
wolfSSL 7:481bce714567 4709 return 0;
wolfSSL 7:481bce714567 4710 }
wolfSSL 7:481bce714567 4711
wolfSSL 7:481bce714567 4712
wolfSSL 7:481bce714567 4713 static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4714 /*
wolfSSL 7:481bce714567 4715 * Read the first of the Authority Information Access records. If there are
wolfSSL 7:481bce714567 4716 * any issues, return without saving the record.
wolfSSL 7:481bce714567 4717 */
wolfSSL 7:481bce714567 4718 {
wolfSSL 7:481bce714567 4719 word32 idx = 0;
wolfSSL 7:481bce714567 4720 int length = 0;
wolfSSL 7:481bce714567 4721 byte b;
wolfSSL 7:481bce714567 4722 word32 oid;
wolfSSL 7:481bce714567 4723
wolfSSL 7:481bce714567 4724 WOLFSSL_ENTER("DecodeAuthInfo");
wolfSSL 7:481bce714567 4725
wolfSSL 7:481bce714567 4726 /* Unwrap the list of AIAs */
wolfSSL 7:481bce714567 4727 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4728 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4729
wolfSSL 7:481bce714567 4730 while (idx < (word32)sz) {
wolfSSL 7:481bce714567 4731 /* Unwrap a single AIA */
wolfSSL 7:481bce714567 4732 if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4733 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4734
wolfSSL 7:481bce714567 4735 oid = 0;
wolfSSL 7:481bce714567 4736 if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0)
wolfSSL 7:481bce714567 4737 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4738
wolfSSL 7:481bce714567 4739
wolfSSL 7:481bce714567 4740 /* Only supporting URIs right now. */
wolfSSL 7:481bce714567 4741 b = input[idx++];
wolfSSL 7:481bce714567 4742 if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 4743 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4744
wolfSSL 7:481bce714567 4745 if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
wolfSSL 7:481bce714567 4746 oid == AIA_OCSP_OID)
wolfSSL 7:481bce714567 4747 {
wolfSSL 7:481bce714567 4748 cert->extAuthInfoSz = length;
wolfSSL 7:481bce714567 4749 cert->extAuthInfo = input + idx;
wolfSSL 7:481bce714567 4750 break;
wolfSSL 7:481bce714567 4751 }
wolfSSL 7:481bce714567 4752 idx += length;
wolfSSL 7:481bce714567 4753 }
wolfSSL 7:481bce714567 4754
wolfSSL 7:481bce714567 4755 return 0;
wolfSSL 7:481bce714567 4756 }
wolfSSL 7:481bce714567 4757
wolfSSL 7:481bce714567 4758
wolfSSL 7:481bce714567 4759 static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4760 {
wolfSSL 7:481bce714567 4761 word32 idx = 0;
wolfSSL 7:481bce714567 4762 int length = 0, ret = 0;
wolfSSL 7:481bce714567 4763
wolfSSL 7:481bce714567 4764 WOLFSSL_ENTER("DecodeAuthKeyId");
wolfSSL 7:481bce714567 4765
wolfSSL 7:481bce714567 4766 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 4767 WOLFSSL_MSG("\tfail: should be a SEQUENCE\n");
wolfSSL 7:481bce714567 4768 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4769 }
wolfSSL 7:481bce714567 4770
wolfSSL 7:481bce714567 4771 if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
wolfSSL 7:481bce714567 4772 WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
wolfSSL 7:481bce714567 4773 return 0;
wolfSSL 7:481bce714567 4774 }
wolfSSL 7:481bce714567 4775
wolfSSL 7:481bce714567 4776 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 4777 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 7:481bce714567 4778 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4779 }
wolfSSL 7:481bce714567 4780
wolfSSL 7:481bce714567 4781 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 4782 cert->extAuthKeyIdSrc = &input[idx];
wolfSSL 7:481bce714567 4783 cert->extAuthKeyIdSz = length;
wolfSSL 7:481bce714567 4784 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 4785
wolfSSL 7:481bce714567 4786 if (length == KEYID_SIZE) {
wolfSSL 7:481bce714567 4787 XMEMCPY(cert->extAuthKeyId, input + idx, length);
wolfSSL 7:481bce714567 4788 }
wolfSSL 7:481bce714567 4789 else {
wolfSSL 7:481bce714567 4790 #ifdef NO_SHA
wolfSSL 7:481bce714567 4791 ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId);
wolfSSL 7:481bce714567 4792 #else
wolfSSL 7:481bce714567 4793 ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId);
wolfSSL 7:481bce714567 4794 #endif
wolfSSL 7:481bce714567 4795 }
wolfSSL 7:481bce714567 4796
wolfSSL 7:481bce714567 4797 return ret;
wolfSSL 7:481bce714567 4798 }
wolfSSL 7:481bce714567 4799
wolfSSL 7:481bce714567 4800
wolfSSL 7:481bce714567 4801 static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4802 {
wolfSSL 7:481bce714567 4803 word32 idx = 0;
wolfSSL 7:481bce714567 4804 int length = 0, ret = 0;
wolfSSL 7:481bce714567 4805
wolfSSL 7:481bce714567 4806 WOLFSSL_ENTER("DecodeSubjKeyId");
wolfSSL 7:481bce714567 4807
wolfSSL 7:481bce714567 4808 if (sz <= 0)
wolfSSL 7:481bce714567 4809 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4810
wolfSSL 7:481bce714567 4811 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 4812 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 7:481bce714567 4813 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4814 }
wolfSSL 7:481bce714567 4815
wolfSSL 7:481bce714567 4816 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 4817 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 7:481bce714567 4818 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4819 }
wolfSSL 7:481bce714567 4820
wolfSSL 7:481bce714567 4821 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 4822 cert->extSubjKeyIdSrc = &input[idx];
wolfSSL 7:481bce714567 4823 cert->extSubjKeyIdSz = length;
wolfSSL 7:481bce714567 4824 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 4825
wolfSSL 7:481bce714567 4826 if (length == SIGNER_DIGEST_SIZE) {
wolfSSL 7:481bce714567 4827 XMEMCPY(cert->extSubjKeyId, input + idx, length);
wolfSSL 7:481bce714567 4828 }
wolfSSL 7:481bce714567 4829 else {
wolfSSL 7:481bce714567 4830 #ifdef NO_SHA
wolfSSL 7:481bce714567 4831 ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId);
wolfSSL 7:481bce714567 4832 #else
wolfSSL 7:481bce714567 4833 ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId);
wolfSSL 7:481bce714567 4834 #endif
wolfSSL 7:481bce714567 4835 }
wolfSSL 7:481bce714567 4836
wolfSSL 7:481bce714567 4837 return ret;
wolfSSL 7:481bce714567 4838 }
wolfSSL 7:481bce714567 4839
wolfSSL 7:481bce714567 4840
wolfSSL 7:481bce714567 4841 static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4842 {
wolfSSL 7:481bce714567 4843 word32 idx = 0;
wolfSSL 7:481bce714567 4844 int length;
wolfSSL 7:481bce714567 4845 WOLFSSL_ENTER("DecodeKeyUsage");
wolfSSL 7:481bce714567 4846
wolfSSL 7:481bce714567 4847 if (sz <= 0)
wolfSSL 7:481bce714567 4848 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4849
wolfSSL 7:481bce714567 4850 if (input[idx++] != ASN_BIT_STRING) {
wolfSSL 7:481bce714567 4851 WOLFSSL_MSG("\tfail: key usage expected bit string");
wolfSSL 7:481bce714567 4852 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4853 }
wolfSSL 7:481bce714567 4854
wolfSSL 7:481bce714567 4855 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 4856 WOLFSSL_MSG("\tfail: key usage bad length");
wolfSSL 7:481bce714567 4857 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4858 }
wolfSSL 7:481bce714567 4859
wolfSSL 7:481bce714567 4860 /* pass the unusedBits value */
wolfSSL 7:481bce714567 4861 idx++; length--;
wolfSSL 7:481bce714567 4862
wolfSSL 7:481bce714567 4863 cert->extKeyUsage = (word16)(input[idx]);
wolfSSL 7:481bce714567 4864 if (length == 2)
wolfSSL 7:481bce714567 4865 cert->extKeyUsage |= (word16)(input[idx+1] << 8);
wolfSSL 7:481bce714567 4866
wolfSSL 7:481bce714567 4867 return 0;
wolfSSL 7:481bce714567 4868 }
wolfSSL 7:481bce714567 4869
wolfSSL 7:481bce714567 4870
wolfSSL 7:481bce714567 4871 static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4872 {
wolfSSL 7:481bce714567 4873 word32 idx = 0, oid;
wolfSSL 7:481bce714567 4874 int length;
wolfSSL 7:481bce714567 4875
wolfSSL 7:481bce714567 4876 WOLFSSL_ENTER("DecodeExtKeyUsage");
wolfSSL 7:481bce714567 4877
wolfSSL 7:481bce714567 4878 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 4879 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 7:481bce714567 4880 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4881 }
wolfSSL 7:481bce714567 4882
wolfSSL 7:481bce714567 4883 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 4884 cert->extExtKeyUsageSrc = input + idx;
wolfSSL 7:481bce714567 4885 cert->extExtKeyUsageSz = length;
wolfSSL 7:481bce714567 4886 #endif
wolfSSL 7:481bce714567 4887
wolfSSL 7:481bce714567 4888 while (idx < (word32)sz) {
wolfSSL 7:481bce714567 4889 if (GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz) < 0)
wolfSSL 7:481bce714567 4890 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4891
wolfSSL 7:481bce714567 4892 switch (oid) {
wolfSSL 7:481bce714567 4893 case EKU_ANY_OID:
wolfSSL 7:481bce714567 4894 cert->extExtKeyUsage |= EXTKEYUSE_ANY;
wolfSSL 7:481bce714567 4895 break;
wolfSSL 7:481bce714567 4896 case EKU_SERVER_AUTH_OID:
wolfSSL 7:481bce714567 4897 cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH;
wolfSSL 7:481bce714567 4898 break;
wolfSSL 7:481bce714567 4899 case EKU_CLIENT_AUTH_OID:
wolfSSL 7:481bce714567 4900 cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
wolfSSL 7:481bce714567 4901 break;
wolfSSL 7:481bce714567 4902 case EKU_OCSP_SIGN_OID:
wolfSSL 7:481bce714567 4903 cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
wolfSSL 7:481bce714567 4904 break;
wolfSSL 7:481bce714567 4905 }
wolfSSL 7:481bce714567 4906
wolfSSL 7:481bce714567 4907 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 4908 cert->extExtKeyUsageCount++;
wolfSSL 7:481bce714567 4909 #endif
wolfSSL 7:481bce714567 4910 }
wolfSSL 7:481bce714567 4911
wolfSSL 7:481bce714567 4912 return 0;
wolfSSL 7:481bce714567 4913 }
wolfSSL 7:481bce714567 4914
wolfSSL 7:481bce714567 4915
wolfSSL 7:481bce714567 4916 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 4917 static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
wolfSSL 7:481bce714567 4918 {
wolfSSL 7:481bce714567 4919 word32 idx = 0;
wolfSSL 7:481bce714567 4920
wolfSSL 7:481bce714567 4921 (void)heap;
wolfSSL 7:481bce714567 4922
wolfSSL 7:481bce714567 4923 while (idx < (word32)sz) {
wolfSSL 7:481bce714567 4924 int seqLength, strLength;
wolfSSL 7:481bce714567 4925 word32 nameIdx;
wolfSSL 7:481bce714567 4926 byte b;
wolfSSL 7:481bce714567 4927
wolfSSL 7:481bce714567 4928 if (GetSequence(input, &idx, &seqLength, sz) < 0) {
wolfSSL 7:481bce714567 4929 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 7:481bce714567 4930 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4931 }
wolfSSL 7:481bce714567 4932
wolfSSL 7:481bce714567 4933 nameIdx = idx;
wolfSSL 7:481bce714567 4934 b = input[nameIdx++];
wolfSSL 7:481bce714567 4935 if (GetLength(input, &nameIdx, &strLength, sz) <= 0) {
wolfSSL 7:481bce714567 4936 WOLFSSL_MSG("\tinvalid length");
wolfSSL 7:481bce714567 4937 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4938 }
wolfSSL 7:481bce714567 4939
wolfSSL 7:481bce714567 4940 if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
wolfSSL 7:481bce714567 4941 b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) ||
wolfSSL 7:481bce714567 4942 b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
wolfSSL 7:481bce714567 4943
wolfSSL 7:481bce714567 4944 Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
wolfSSL 7:481bce714567 4945 heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4946
wolfSSL 7:481bce714567 4947 if (entry == NULL) {
wolfSSL 7:481bce714567 4948 WOLFSSL_MSG("allocate error");
wolfSSL 7:481bce714567 4949 return MEMORY_E;
wolfSSL 7:481bce714567 4950 }
wolfSSL 7:481bce714567 4951
wolfSSL 7:481bce714567 4952 entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4953 if (entry->name == NULL) {
wolfSSL 7:481bce714567 4954 WOLFSSL_MSG("allocate error");
wolfSSL 7:481bce714567 4955 XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL 7:481bce714567 4956 return MEMORY_E;
wolfSSL 7:481bce714567 4957 }
wolfSSL 7:481bce714567 4958
wolfSSL 7:481bce714567 4959 XMEMCPY(entry->name, &input[nameIdx], strLength);
wolfSSL 7:481bce714567 4960 entry->nameSz = strLength;
wolfSSL 7:481bce714567 4961 entry->type = b & 0x0F;
wolfSSL 7:481bce714567 4962
wolfSSL 7:481bce714567 4963 entry->next = *head;
wolfSSL 7:481bce714567 4964 *head = entry;
wolfSSL 7:481bce714567 4965 }
wolfSSL 7:481bce714567 4966
wolfSSL 7:481bce714567 4967 idx += seqLength;
wolfSSL 7:481bce714567 4968 }
wolfSSL 7:481bce714567 4969
wolfSSL 7:481bce714567 4970 return 0;
wolfSSL 7:481bce714567 4971 }
wolfSSL 7:481bce714567 4972
wolfSSL 7:481bce714567 4973
wolfSSL 7:481bce714567 4974 static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 4975 {
wolfSSL 7:481bce714567 4976 word32 idx = 0;
wolfSSL 7:481bce714567 4977 int length = 0;
wolfSSL 7:481bce714567 4978
wolfSSL 7:481bce714567 4979 WOLFSSL_ENTER("DecodeNameConstraints");
wolfSSL 7:481bce714567 4980
wolfSSL 7:481bce714567 4981 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 4982 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 7:481bce714567 4983 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4984 }
wolfSSL 7:481bce714567 4985
wolfSSL 7:481bce714567 4986 while (idx < (word32)sz) {
wolfSSL 7:481bce714567 4987 byte b = input[idx++];
wolfSSL 7:481bce714567 4988 Base_entry** subtree = NULL;
wolfSSL 7:481bce714567 4989
wolfSSL 7:481bce714567 4990 if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL 7:481bce714567 4991 WOLFSSL_MSG("\tinvalid length");
wolfSSL 7:481bce714567 4992 return ASN_PARSE_E;
wolfSSL 7:481bce714567 4993 }
wolfSSL 7:481bce714567 4994
wolfSSL 7:481bce714567 4995 if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0))
wolfSSL 7:481bce714567 4996 subtree = &cert->permittedNames;
wolfSSL 7:481bce714567 4997 else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1))
wolfSSL 7:481bce714567 4998 subtree = &cert->excludedNames;
wolfSSL 7:481bce714567 4999 else {
wolfSSL 7:481bce714567 5000 WOLFSSL_MSG("\tinvalid subtree");
wolfSSL 7:481bce714567 5001 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5002 }
wolfSSL 7:481bce714567 5003
wolfSSL 7:481bce714567 5004 DecodeSubtree(input + idx, length, subtree, cert->heap);
wolfSSL 7:481bce714567 5005
wolfSSL 7:481bce714567 5006 idx += length;
wolfSSL 7:481bce714567 5007 }
wolfSSL 7:481bce714567 5008
wolfSSL 7:481bce714567 5009 return 0;
wolfSSL 7:481bce714567 5010 }
wolfSSL 7:481bce714567 5011 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 5012
wolfSSL 7:481bce714567 5013 #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)
wolfSSL 7:481bce714567 5014
wolfSSL 7:481bce714567 5015 static int Word32ToString(char* d, word32 number)
wolfSSL 7:481bce714567 5016 {
wolfSSL 7:481bce714567 5017 int i = 0;
wolfSSL 7:481bce714567 5018
wolfSSL 7:481bce714567 5019 if (d != NULL) {
wolfSSL 7:481bce714567 5020 word32 order = 1000000000;
wolfSSL 7:481bce714567 5021 word32 digit;
wolfSSL 7:481bce714567 5022
wolfSSL 7:481bce714567 5023 if (number == 0) {
wolfSSL 7:481bce714567 5024 d[i++] = '0';
wolfSSL 7:481bce714567 5025 }
wolfSSL 7:481bce714567 5026 else {
wolfSSL 7:481bce714567 5027 while (order) {
wolfSSL 7:481bce714567 5028 digit = number / order;
wolfSSL 7:481bce714567 5029 if (i > 0 || digit != 0) {
wolfSSL 7:481bce714567 5030 d[i++] = (char)digit + '0';
wolfSSL 7:481bce714567 5031 }
wolfSSL 7:481bce714567 5032 if (digit != 0)
wolfSSL 7:481bce714567 5033 number %= digit * order;
wolfSSL 7:481bce714567 5034 if (order > 1)
wolfSSL 7:481bce714567 5035 order /= 10;
wolfSSL 7:481bce714567 5036 else
wolfSSL 7:481bce714567 5037 order = 0;
wolfSSL 7:481bce714567 5038 }
wolfSSL 7:481bce714567 5039 }
wolfSSL 7:481bce714567 5040 d[i] = 0;
wolfSSL 7:481bce714567 5041 }
wolfSSL 7:481bce714567 5042
wolfSSL 7:481bce714567 5043 return i;
wolfSSL 7:481bce714567 5044 }
wolfSSL 7:481bce714567 5045
wolfSSL 7:481bce714567 5046
wolfSSL 7:481bce714567 5047 /* Decode ITU-T X.690 OID format to a string representation
wolfSSL 7:481bce714567 5048 * return string length */
wolfSSL 7:481bce714567 5049 static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
wolfSSL 7:481bce714567 5050 {
wolfSSL 7:481bce714567 5051 word32 val, idx = 0, nb_bytes;
wolfSSL 7:481bce714567 5052 size_t w_bytes = 0;
wolfSSL 7:481bce714567 5053
wolfSSL 7:481bce714567 5054 if (out == NULL || in == NULL || outSz < 4 || inSz < 2)
wolfSSL 7:481bce714567 5055 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5056
wolfSSL 7:481bce714567 5057 /* first two byte must be interpreted as : 40 * int1 + int2 */
wolfSSL 7:481bce714567 5058 val = (word16)in[idx++];
wolfSSL 7:481bce714567 5059
wolfSSL 7:481bce714567 5060 w_bytes = Word32ToString(out, val / 40);
wolfSSL 7:481bce714567 5061 out[w_bytes++] = '.';
wolfSSL 7:481bce714567 5062 w_bytes += Word32ToString(out+w_bytes, val % 40);
wolfSSL 7:481bce714567 5063
wolfSSL 7:481bce714567 5064 while (idx < inSz) {
wolfSSL 7:481bce714567 5065 /* init value */
wolfSSL 7:481bce714567 5066 val = 0;
wolfSSL 7:481bce714567 5067 nb_bytes = 0;
wolfSSL 7:481bce714567 5068
wolfSSL 7:481bce714567 5069 /* check that output size is ok */
wolfSSL 7:481bce714567 5070 if (w_bytes > (outSz - 3))
wolfSSL 7:481bce714567 5071 return BUFFER_E;
wolfSSL 7:481bce714567 5072
wolfSSL 7:481bce714567 5073 /* first bit is used to set if value is coded on 1 or multiple bytes */
wolfSSL 7:481bce714567 5074 while ((in[idx+nb_bytes] & 0x80))
wolfSSL 7:481bce714567 5075 nb_bytes++;
wolfSSL 7:481bce714567 5076
wolfSSL 7:481bce714567 5077 if (!nb_bytes)
wolfSSL 7:481bce714567 5078 val = (word32)(in[idx++] & 0x7f);
wolfSSL 7:481bce714567 5079 else {
wolfSSL 7:481bce714567 5080 word32 base = 1, tmp = nb_bytes;
wolfSSL 7:481bce714567 5081
wolfSSL 7:481bce714567 5082 while (tmp != 0) {
wolfSSL 7:481bce714567 5083 val += (word32)(in[idx+tmp] & 0x7f) * base;
wolfSSL 7:481bce714567 5084 base *= 128;
wolfSSL 7:481bce714567 5085 tmp--;
wolfSSL 7:481bce714567 5086 }
wolfSSL 7:481bce714567 5087 val += (word32)(in[idx++] & 0x7f) * base;
wolfSSL 7:481bce714567 5088
wolfSSL 7:481bce714567 5089 idx += nb_bytes;
wolfSSL 7:481bce714567 5090 }
wolfSSL 7:481bce714567 5091
wolfSSL 7:481bce714567 5092 out[w_bytes++] = '.';
wolfSSL 7:481bce714567 5093 w_bytes += Word32ToString(out+w_bytes, val);
wolfSSL 7:481bce714567 5094 }
wolfSSL 7:481bce714567 5095
wolfSSL 7:481bce714567 5096 return 0;
wolfSSL 7:481bce714567 5097 }
wolfSSL 7:481bce714567 5098 #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
wolfSSL 7:481bce714567 5099
wolfSSL 7:481bce714567 5100 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 7:481bce714567 5101 /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
wolfSSL 7:481bce714567 5102 static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
wolfSSL 7:481bce714567 5103 {
wolfSSL 7:481bce714567 5104 word32 idx = 0;
wolfSSL 7:481bce714567 5105 int total_length = 0, policy_length = 0, length = 0;
wolfSSL 7:481bce714567 5106
wolfSSL 7:481bce714567 5107 WOLFSSL_ENTER("DecodeCertPolicy");
wolfSSL 7:481bce714567 5108
wolfSSL 7:481bce714567 5109 if (GetSequence(input, &idx, &total_length, sz) < 0) {
wolfSSL 7:481bce714567 5110 WOLFSSL_MSG("\tGet CertPolicy total seq failed");
wolfSSL 7:481bce714567 5111 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5112 }
wolfSSL 7:481bce714567 5113
wolfSSL 7:481bce714567 5114 /* Validate total length (2 is the CERT_POLICY_OID+SEQ) */
wolfSSL 7:481bce714567 5115 if ((total_length + 2) != sz) {
wolfSSL 7:481bce714567 5116 WOLFSSL_MSG("\tCertPolicy length mismatch");
wolfSSL 7:481bce714567 5117 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5118 }
wolfSSL 7:481bce714567 5119
wolfSSL 7:481bce714567 5120 /* Unwrap certificatePolicies */
wolfSSL 7:481bce714567 5121 do {
wolfSSL 7:481bce714567 5122 if (GetSequence(input, &idx, &policy_length, sz) < 0) {
wolfSSL 7:481bce714567 5123 WOLFSSL_MSG("\tGet CertPolicy seq failed");
wolfSSL 7:481bce714567 5124 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5125 }
wolfSSL 7:481bce714567 5126
wolfSSL 7:481bce714567 5127 if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 5128 WOLFSSL_MSG("\tCertPolicy isn't OID");
wolfSSL 7:481bce714567 5129 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5130 }
wolfSSL 7:481bce714567 5131 policy_length--;
wolfSSL 7:481bce714567 5132
wolfSSL 7:481bce714567 5133 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 5134 WOLFSSL_MSG("\tGet CertPolicy length failed");
wolfSSL 7:481bce714567 5135 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5136 }
wolfSSL 7:481bce714567 5137 policy_length--;
wolfSSL 7:481bce714567 5138
wolfSSL 7:481bce714567 5139 if (length > 0) {
wolfSSL 7:481bce714567 5140 /* Verify length won't overrun buffer */
wolfSSL 7:481bce714567 5141 if (length > (sz - (int)idx)) {
wolfSSL 7:481bce714567 5142 WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
wolfSSL 7:481bce714567 5143 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5144 }
wolfSSL 7:481bce714567 5145
wolfSSL 7:481bce714567 5146 #if defined(WOLFSSL_SEP)
wolfSSL 7:481bce714567 5147 cert->deviceType = (byte*)XMALLOC(length, cert->heap,
wolfSSL 7:481bce714567 5148 DYNAMIC_TYPE_X509_EXT);
wolfSSL 7:481bce714567 5149 if (cert->deviceType == NULL) {
wolfSSL 7:481bce714567 5150 WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
wolfSSL 7:481bce714567 5151 return MEMORY_E;
wolfSSL 7:481bce714567 5152 }
wolfSSL 7:481bce714567 5153 cert->deviceTypeSz = length;
wolfSSL 7:481bce714567 5154 XMEMCPY(cert->deviceType, input + idx, length);
wolfSSL 7:481bce714567 5155 break;
wolfSSL 7:481bce714567 5156 #elif defined(WOLFSSL_CERT_EXT)
wolfSSL 7:481bce714567 5157 /* decode cert policy */
wolfSSL 7:481bce714567 5158 if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
wolfSSL 7:481bce714567 5159 input + idx, length) != 0) {
wolfSSL 7:481bce714567 5160 WOLFSSL_MSG("\tCouldn't decode CertPolicy");
wolfSSL 7:481bce714567 5161 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5162 }
wolfSSL 7:481bce714567 5163 cert->extCertPoliciesNb++;
wolfSSL 7:481bce714567 5164 #else
wolfSSL 7:481bce714567 5165 WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
wolfSSL 7:481bce714567 5166 return 0;
wolfSSL 7:481bce714567 5167 #endif
wolfSSL 7:481bce714567 5168 }
wolfSSL 7:481bce714567 5169 idx += policy_length;
wolfSSL 7:481bce714567 5170 } while((int)idx < total_length
wolfSSL 7:481bce714567 5171 #if defined(WOLFSSL_CERT_EXT)
wolfSSL 7:481bce714567 5172 && cert->extCertPoliciesNb < MAX_CERTPOL_NB
wolfSSL 7:481bce714567 5173 #endif
wolfSSL 7:481bce714567 5174 );
wolfSSL 7:481bce714567 5175
wolfSSL 7:481bce714567 5176 WOLFSSL_LEAVE("DecodeCertPolicy", 0);
wolfSSL 7:481bce714567 5177 return 0;
wolfSSL 7:481bce714567 5178 }
wolfSSL 7:481bce714567 5179 #endif /* WOLFSSL_SEP */
wolfSSL 7:481bce714567 5180
wolfSSL 7:481bce714567 5181 static int DecodeCertExtensions(DecodedCert* cert)
wolfSSL 7:481bce714567 5182 /*
wolfSSL 7:481bce714567 5183 * Processing the Certificate Extensions. This does not modify the current
wolfSSL 7:481bce714567 5184 * index. It is works starting with the recorded extensions pointer.
wolfSSL 7:481bce714567 5185 */
wolfSSL 7:481bce714567 5186 {
wolfSSL 7:481bce714567 5187 int ret;
wolfSSL 7:481bce714567 5188 word32 idx = 0;
wolfSSL 7:481bce714567 5189 int sz = cert->extensionsSz;
wolfSSL 7:481bce714567 5190 byte* input = cert->extensions;
wolfSSL 7:481bce714567 5191 int length;
wolfSSL 7:481bce714567 5192 word32 oid;
wolfSSL 7:481bce714567 5193 byte critical = 0;
wolfSSL 7:481bce714567 5194 byte criticalFail = 0;
wolfSSL 7:481bce714567 5195
wolfSSL 7:481bce714567 5196 WOLFSSL_ENTER("DecodeCertExtensions");
wolfSSL 7:481bce714567 5197
wolfSSL 7:481bce714567 5198 if (input == NULL || sz == 0)
wolfSSL 7:481bce714567 5199 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5200
wolfSSL 7:481bce714567 5201 if (input[idx++] != ASN_EXTENSIONS) {
wolfSSL 7:481bce714567 5202 WOLFSSL_MSG("\tfail: should be an EXTENSIONS");
wolfSSL 7:481bce714567 5203 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5204 }
wolfSSL 7:481bce714567 5205
wolfSSL 7:481bce714567 5206 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 5207 WOLFSSL_MSG("\tfail: invalid length");
wolfSSL 7:481bce714567 5208 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5209 }
wolfSSL 7:481bce714567 5210
wolfSSL 7:481bce714567 5211 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 5212 WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)");
wolfSSL 7:481bce714567 5213 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5214 }
wolfSSL 7:481bce714567 5215
wolfSSL 7:481bce714567 5216 while (idx < (word32)sz) {
wolfSSL 7:481bce714567 5217 if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 5218 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 7:481bce714567 5219 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5220 }
wolfSSL 7:481bce714567 5221
wolfSSL 7:481bce714567 5222 oid = 0;
wolfSSL 7:481bce714567 5223 if ((ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz)) < 0) {
wolfSSL 7:481bce714567 5224 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 7:481bce714567 5225 return ret;
wolfSSL 7:481bce714567 5226 }
wolfSSL 7:481bce714567 5227
wolfSSL 7:481bce714567 5228 /* check for critical flag */
wolfSSL 7:481bce714567 5229 critical = 0;
wolfSSL 7:481bce714567 5230 if (input[idx] == ASN_BOOLEAN) {
wolfSSL 7:481bce714567 5231 int boolLength = 0;
wolfSSL 7:481bce714567 5232 idx++;
wolfSSL 7:481bce714567 5233 if (GetLength(input, &idx, &boolLength, sz) < 0) {
wolfSSL 7:481bce714567 5234 WOLFSSL_MSG("\tfail: critical boolean length");
wolfSSL 7:481bce714567 5235 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5236 }
wolfSSL 7:481bce714567 5237 if (input[idx++])
wolfSSL 7:481bce714567 5238 critical = 1;
wolfSSL 7:481bce714567 5239 }
wolfSSL 7:481bce714567 5240
wolfSSL 7:481bce714567 5241 /* process the extension based on the OID */
wolfSSL 7:481bce714567 5242 if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 5243 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 7:481bce714567 5244 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5245 }
wolfSSL 7:481bce714567 5246
wolfSSL 7:481bce714567 5247 if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 5248 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 7:481bce714567 5249 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5250 }
wolfSSL 7:481bce714567 5251
wolfSSL 7:481bce714567 5252 switch (oid) {
wolfSSL 7:481bce714567 5253 case BASIC_CA_OID:
wolfSSL 7:481bce714567 5254 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5255 cert->extBasicConstSet = 1;
wolfSSL 7:481bce714567 5256 cert->extBasicConstCrit = critical;
wolfSSL 7:481bce714567 5257 #endif
wolfSSL 7:481bce714567 5258 if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5259 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5260 break;
wolfSSL 7:481bce714567 5261
wolfSSL 7:481bce714567 5262 case CRL_DIST_OID:
wolfSSL 7:481bce714567 5263 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5264 cert->extCRLdistSet = 1;
wolfSSL 7:481bce714567 5265 cert->extCRLdistCrit = critical;
wolfSSL 7:481bce714567 5266 #endif
wolfSSL 7:481bce714567 5267 if (DecodeCrlDist(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5268 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5269 break;
wolfSSL 7:481bce714567 5270
wolfSSL 7:481bce714567 5271 case AUTH_INFO_OID:
wolfSSL 7:481bce714567 5272 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5273 cert->extAuthInfoSet = 1;
wolfSSL 7:481bce714567 5274 cert->extAuthInfoCrit = critical;
wolfSSL 7:481bce714567 5275 #endif
wolfSSL 7:481bce714567 5276 if (DecodeAuthInfo(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5277 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5278 break;
wolfSSL 7:481bce714567 5279
wolfSSL 7:481bce714567 5280 case ALT_NAMES_OID:
wolfSSL 7:481bce714567 5281 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5282 cert->extSubjAltNameSet = 1;
wolfSSL 7:481bce714567 5283 cert->extSubjAltNameCrit = critical;
wolfSSL 7:481bce714567 5284 #endif
wolfSSL 7:481bce714567 5285 if (DecodeAltNames(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5286 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5287 break;
wolfSSL 7:481bce714567 5288
wolfSSL 7:481bce714567 5289 case AUTH_KEY_OID:
wolfSSL 7:481bce714567 5290 cert->extAuthKeyIdSet = 1;
wolfSSL 7:481bce714567 5291 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5292 cert->extAuthKeyIdCrit = critical;
wolfSSL 7:481bce714567 5293 #endif
wolfSSL 7:481bce714567 5294 if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5295 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5296 break;
wolfSSL 7:481bce714567 5297
wolfSSL 7:481bce714567 5298 case SUBJ_KEY_OID:
wolfSSL 7:481bce714567 5299 cert->extSubjKeyIdSet = 1;
wolfSSL 7:481bce714567 5300 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5301 cert->extSubjKeyIdCrit = critical;
wolfSSL 7:481bce714567 5302 #endif
wolfSSL 7:481bce714567 5303 if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5304 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5305 break;
wolfSSL 7:481bce714567 5306
wolfSSL 7:481bce714567 5307 case CERT_POLICY_OID:
wolfSSL 7:481bce714567 5308 #ifdef WOLFSSL_SEP
wolfSSL 7:481bce714567 5309 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5310 cert->extCertPolicySet = 1;
wolfSSL 7:481bce714567 5311 cert->extCertPolicyCrit = critical;
wolfSSL 7:481bce714567 5312 #endif
wolfSSL 7:481bce714567 5313 #endif
wolfSSL 7:481bce714567 5314 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
wolfSSL 7:481bce714567 5315 if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
wolfSSL 7:481bce714567 5316 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5317 }
wolfSSL 7:481bce714567 5318 #else
wolfSSL 7:481bce714567 5319 WOLFSSL_MSG("Certificate Policy extension not supported yet.");
wolfSSL 7:481bce714567 5320 #endif
wolfSSL 7:481bce714567 5321 break;
wolfSSL 7:481bce714567 5322
wolfSSL 7:481bce714567 5323 case KEY_USAGE_OID:
wolfSSL 7:481bce714567 5324 cert->extKeyUsageSet = 1;
wolfSSL 7:481bce714567 5325 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5326 cert->extKeyUsageCrit = critical;
wolfSSL 7:481bce714567 5327 #endif
wolfSSL 7:481bce714567 5328 if (DecodeKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5329 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5330 break;
wolfSSL 7:481bce714567 5331
wolfSSL 7:481bce714567 5332 case EXT_KEY_USAGE_OID:
wolfSSL 7:481bce714567 5333 cert->extExtKeyUsageSet = 1;
wolfSSL 7:481bce714567 5334 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5335 cert->extExtKeyUsageCrit = critical;
wolfSSL 7:481bce714567 5336 #endif
wolfSSL 7:481bce714567 5337 if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5338 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5339 break;
wolfSSL 7:481bce714567 5340
wolfSSL 7:481bce714567 5341 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 5342 case NAME_CONS_OID:
wolfSSL 7:481bce714567 5343 cert->extNameConstraintSet = 1;
wolfSSL 7:481bce714567 5344 #ifdef OPENSSL_EXTRA
wolfSSL 7:481bce714567 5345 cert->extNameConstraintCrit = critical;
wolfSSL 7:481bce714567 5346 #endif
wolfSSL 7:481bce714567 5347 if (DecodeNameConstraints(&input[idx], length, cert) < 0)
wolfSSL 7:481bce714567 5348 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5349 break;
wolfSSL 7:481bce714567 5350 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 5351
wolfSSL 7:481bce714567 5352 case INHIBIT_ANY_OID:
wolfSSL 7:481bce714567 5353 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
wolfSSL 7:481bce714567 5354 break;
wolfSSL 7:481bce714567 5355
wolfSSL 7:481bce714567 5356 default:
wolfSSL 7:481bce714567 5357 /* While it is a failure to not support critical extensions,
wolfSSL 7:481bce714567 5358 * still parse the certificate ignoring the unsupported
wolfSSL 7:481bce714567 5359 * extension to allow caller to accept it with the verify
wolfSSL 7:481bce714567 5360 * callback. */
wolfSSL 7:481bce714567 5361 if (critical)
wolfSSL 7:481bce714567 5362 criticalFail = 1;
wolfSSL 7:481bce714567 5363 break;
wolfSSL 7:481bce714567 5364 }
wolfSSL 7:481bce714567 5365 idx += length;
wolfSSL 7:481bce714567 5366 }
wolfSSL 7:481bce714567 5367
wolfSSL 7:481bce714567 5368 return criticalFail ? ASN_CRIT_EXT_E : 0;
wolfSSL 7:481bce714567 5369 }
wolfSSL 7:481bce714567 5370
wolfSSL 7:481bce714567 5371 int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 7:481bce714567 5372 {
wolfSSL 7:481bce714567 5373 int ret;
wolfSSL 7:481bce714567 5374 char* ptr;
wolfSSL 7:481bce714567 5375
wolfSSL 7:481bce714567 5376 ret = ParseCertRelative(cert, type, verify, cm);
wolfSSL 7:481bce714567 5377 if (ret < 0)
wolfSSL 7:481bce714567 5378 return ret;
wolfSSL 7:481bce714567 5379
wolfSSL 7:481bce714567 5380 if (cert->subjectCNLen > 0) {
wolfSSL 7:481bce714567 5381 ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap,
wolfSSL 7:481bce714567 5382 DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 7:481bce714567 5383 if (ptr == NULL)
wolfSSL 7:481bce714567 5384 return MEMORY_E;
wolfSSL 7:481bce714567 5385 XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen);
wolfSSL 7:481bce714567 5386 ptr[cert->subjectCNLen] = '\0';
wolfSSL 7:481bce714567 5387 cert->subjectCN = ptr;
wolfSSL 7:481bce714567 5388 cert->subjectCNStored = 1;
wolfSSL 7:481bce714567 5389 }
wolfSSL 7:481bce714567 5390
wolfSSL 7:481bce714567 5391 if (cert->keyOID == RSAk &&
wolfSSL 7:481bce714567 5392 cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL 7:481bce714567 5393 ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap,
wolfSSL 7:481bce714567 5394 DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 7:481bce714567 5395 if (ptr == NULL)
wolfSSL 7:481bce714567 5396 return MEMORY_E;
wolfSSL 7:481bce714567 5397 XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
wolfSSL 7:481bce714567 5398 cert->publicKey = (byte *)ptr;
wolfSSL 7:481bce714567 5399 cert->pubKeyStored = 1;
wolfSSL 7:481bce714567 5400 }
wolfSSL 7:481bce714567 5401
wolfSSL 7:481bce714567 5402 return ret;
wolfSSL 7:481bce714567 5403 }
wolfSSL 7:481bce714567 5404
wolfSSL 7:481bce714567 5405 /* from SSL proper, for locking can't do find here anymore */
wolfSSL 7:481bce714567 5406 #ifdef __cplusplus
wolfSSL 7:481bce714567 5407 extern "C" {
wolfSSL 7:481bce714567 5408 #endif
wolfSSL 7:481bce714567 5409 WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
wolfSSL 7:481bce714567 5410 #ifndef NO_SKID
wolfSSL 7:481bce714567 5411 WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
wolfSSL 7:481bce714567 5412 #endif
wolfSSL 7:481bce714567 5413 #ifdef __cplusplus
wolfSSL 7:481bce714567 5414 }
wolfSSL 7:481bce714567 5415 #endif
wolfSSL 7:481bce714567 5416
wolfSSL 7:481bce714567 5417
wolfSSL 7:481bce714567 5418 #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
wolfSSL 7:481bce714567 5419
wolfSSL 7:481bce714567 5420 /* dummy functions, not using wolfSSL so don't need actual ones */
wolfSSL 7:481bce714567 5421 Signer* GetCA(void* signers, byte* hash)
wolfSSL 7:481bce714567 5422 {
wolfSSL 7:481bce714567 5423 (void)hash;
wolfSSL 7:481bce714567 5424
wolfSSL 7:481bce714567 5425 return (Signer*)signers;
wolfSSL 7:481bce714567 5426 }
wolfSSL 7:481bce714567 5427
wolfSSL 7:481bce714567 5428 #ifndef NO_SKID
wolfSSL 7:481bce714567 5429 Signer* GetCAByName(void* signers, byte* hash)
wolfSSL 7:481bce714567 5430 {
wolfSSL 7:481bce714567 5431 (void)hash;
wolfSSL 7:481bce714567 5432
wolfSSL 7:481bce714567 5433 return (Signer*)signers;
wolfSSL 7:481bce714567 5434 }
wolfSSL 7:481bce714567 5435 #endif /* NO_SKID */
wolfSSL 7:481bce714567 5436
wolfSSL 7:481bce714567 5437 #endif /* WOLFCRYPT_ONLY || NO_CERTS */
wolfSSL 7:481bce714567 5438
wolfSSL 7:481bce714567 5439 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL 7:481bce714567 5440 {
wolfSSL 7:481bce714567 5441 word32 confirmOID;
wolfSSL 7:481bce714567 5442 int ret;
wolfSSL 7:481bce714567 5443 int badDate = 0;
wolfSSL 7:481bce714567 5444 int criticalExt = 0;
wolfSSL 7:481bce714567 5445
wolfSSL 7:481bce714567 5446 if ((ret = DecodeToKey(cert, verify)) < 0) {
wolfSSL 7:481bce714567 5447 if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)
wolfSSL 7:481bce714567 5448 badDate = ret;
wolfSSL 7:481bce714567 5449 else
wolfSSL 7:481bce714567 5450 return ret;
wolfSSL 7:481bce714567 5451 }
wolfSSL 7:481bce714567 5452
wolfSSL 7:481bce714567 5453 WOLFSSL_MSG("Parsed Past Key");
wolfSSL 7:481bce714567 5454
wolfSSL 7:481bce714567 5455 if (cert->srcIdx < cert->sigIndex) {
wolfSSL 7:481bce714567 5456 #ifndef ALLOW_V1_EXTENSIONS
wolfSSL 7:481bce714567 5457 if (cert->version < 2) {
wolfSSL 7:481bce714567 5458 WOLFSSL_MSG(" v1 and v2 certs not allowed extensions");
wolfSSL 7:481bce714567 5459 return ASN_VERSION_E;
wolfSSL 7:481bce714567 5460 }
wolfSSL 7:481bce714567 5461 #endif
wolfSSL 7:481bce714567 5462 /* save extensions */
wolfSSL 7:481bce714567 5463 cert->extensions = &cert->source[cert->srcIdx];
wolfSSL 7:481bce714567 5464 cert->extensionsSz = cert->sigIndex - cert->srcIdx;
wolfSSL 7:481bce714567 5465 cert->extensionsIdx = cert->srcIdx; /* for potential later use */
wolfSSL 7:481bce714567 5466
wolfSSL 7:481bce714567 5467 if ((ret = DecodeCertExtensions(cert)) < 0) {
wolfSSL 7:481bce714567 5468 if (ret == ASN_CRIT_EXT_E)
wolfSSL 7:481bce714567 5469 criticalExt = ret;
wolfSSL 7:481bce714567 5470 else
wolfSSL 7:481bce714567 5471 return ret;
wolfSSL 7:481bce714567 5472 }
wolfSSL 7:481bce714567 5473
wolfSSL 7:481bce714567 5474 /* advance past extensions */
wolfSSL 7:481bce714567 5475 cert->srcIdx = cert->sigIndex;
wolfSSL 7:481bce714567 5476 }
wolfSSL 7:481bce714567 5477
wolfSSL 7:481bce714567 5478 if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
wolfSSL 7:481bce714567 5479 oidSigType, cert->maxIdx)) < 0)
wolfSSL 7:481bce714567 5480 return ret;
wolfSSL 7:481bce714567 5481
wolfSSL 7:481bce714567 5482 if ((ret = GetSignature(cert)) < 0)
wolfSSL 7:481bce714567 5483 return ret;
wolfSSL 7:481bce714567 5484
wolfSSL 7:481bce714567 5485 if (confirmOID != cert->signatureOID)
wolfSSL 7:481bce714567 5486 return ASN_SIG_OID_E;
wolfSSL 7:481bce714567 5487
wolfSSL 7:481bce714567 5488 #ifndef NO_SKID
wolfSSL 7:481bce714567 5489 if (cert->extSubjKeyIdSet == 0
wolfSSL 7:481bce714567 5490 && cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL 7:481bce714567 5491 #ifdef NO_SHA
wolfSSL 7:481bce714567 5492 ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize,
wolfSSL 7:481bce714567 5493 cert->extSubjKeyId);
wolfSSL 7:481bce714567 5494 #else
wolfSSL 7:481bce714567 5495 ret = wc_ShaHash(cert->publicKey, cert->pubKeySize,
wolfSSL 7:481bce714567 5496 cert->extSubjKeyId);
wolfSSL 7:481bce714567 5497 #endif
wolfSSL 7:481bce714567 5498 if (ret != 0)
wolfSSL 7:481bce714567 5499 return ret;
wolfSSL 7:481bce714567 5500 }
wolfSSL 7:481bce714567 5501 #endif
wolfSSL 7:481bce714567 5502
wolfSSL 7:481bce714567 5503 if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
wolfSSL 7:481bce714567 5504 Signer* ca = NULL;
wolfSSL 7:481bce714567 5505 #ifndef NO_SKID
wolfSSL 7:481bce714567 5506 if (cert->extAuthKeyIdSet)
wolfSSL 7:481bce714567 5507 ca = GetCA(cm, cert->extAuthKeyId);
wolfSSL 7:481bce714567 5508 if (ca == NULL)
wolfSSL 7:481bce714567 5509 ca = GetCAByName(cm, cert->issuerHash);
wolfSSL 7:481bce714567 5510 #else /* NO_SKID */
wolfSSL 7:481bce714567 5511 ca = GetCA(cm, cert->issuerHash);
wolfSSL 7:481bce714567 5512 #endif /* NO SKID */
wolfSSL 7:481bce714567 5513 WOLFSSL_MSG("About to verify certificate signature");
wolfSSL 7:481bce714567 5514
wolfSSL 7:481bce714567 5515 if (ca) {
wolfSSL 7:481bce714567 5516 if (cert->isCA) {
wolfSSL 7:481bce714567 5517 if (ca->pathLengthSet) {
wolfSSL 7:481bce714567 5518 if (ca->pathLength == 0) {
wolfSSL 7:481bce714567 5519 WOLFSSL_MSG("CA with path length 0 signing a CA");
wolfSSL 7:481bce714567 5520 return ASN_PATHLEN_INV_E;
wolfSSL 7:481bce714567 5521 }
wolfSSL 7:481bce714567 5522 if (cert->pathLengthSet &&
wolfSSL 7:481bce714567 5523 cert->pathLength >= ca->pathLength) {
wolfSSL 7:481bce714567 5524
wolfSSL 7:481bce714567 5525 WOLFSSL_MSG("CA signing CA with longer path length");
wolfSSL 7:481bce714567 5526 return ASN_PATHLEN_INV_E;
wolfSSL 7:481bce714567 5527 }
wolfSSL 7:481bce714567 5528 }
wolfSSL 7:481bce714567 5529 }
wolfSSL 7:481bce714567 5530
wolfSSL 7:481bce714567 5531 #ifdef HAVE_OCSP
wolfSSL 7:481bce714567 5532 /* Need the ca's public key hash for OCSP */
wolfSSL 7:481bce714567 5533 #ifdef NO_SHA
wolfSSL 7:481bce714567 5534 ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize,
wolfSSL 7:481bce714567 5535 cert->issuerKeyHash);
wolfSSL 7:481bce714567 5536 #else /* NO_SHA */
wolfSSL 7:481bce714567 5537 ret = wc_ShaHash(ca->publicKey, ca->pubKeySize,
wolfSSL 7:481bce714567 5538 cert->issuerKeyHash);
wolfSSL 7:481bce714567 5539 #endif /* NO_SHA */
wolfSSL 7:481bce714567 5540 if (ret != 0)
wolfSSL 7:481bce714567 5541 return ret;
wolfSSL 7:481bce714567 5542 #endif /* HAVE_OCSP */
wolfSSL 7:481bce714567 5543
wolfSSL 7:481bce714567 5544 if (verify == VERIFY) {
wolfSSL 7:481bce714567 5545 /* try to confirm/verify signature */
wolfSSL 7:481bce714567 5546 if (!ConfirmSignature(cert->source + cert->certBegin,
wolfSSL 7:481bce714567 5547 cert->sigIndex - cert->certBegin,
wolfSSL 7:481bce714567 5548 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 7:481bce714567 5549 cert->signature, cert->sigLength, cert->signatureOID,
wolfSSL 7:481bce714567 5550 cert->heap)) {
wolfSSL 7:481bce714567 5551 WOLFSSL_MSG("Confirm signature failed");
wolfSSL 7:481bce714567 5552 return ASN_SIG_CONFIRM_E;
wolfSSL 7:481bce714567 5553 }
wolfSSL 7:481bce714567 5554 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 5555 /* check that this cert's name is permitted by the signer's
wolfSSL 7:481bce714567 5556 * name constraints */
wolfSSL 7:481bce714567 5557 if (!ConfirmNameConstraints(ca, cert)) {
wolfSSL 7:481bce714567 5558 WOLFSSL_MSG("Confirm name constraint failed");
wolfSSL 7:481bce714567 5559 return ASN_NAME_INVALID_E;
wolfSSL 7:481bce714567 5560 }
wolfSSL 7:481bce714567 5561 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 5562 }
wolfSSL 7:481bce714567 5563 }
wolfSSL 7:481bce714567 5564 else {
wolfSSL 7:481bce714567 5565 /* no signer */
wolfSSL 7:481bce714567 5566 WOLFSSL_MSG("No CA signer to verify with");
wolfSSL 7:481bce714567 5567 return ASN_NO_SIGNER_E;
wolfSSL 7:481bce714567 5568 }
wolfSSL 7:481bce714567 5569 }
wolfSSL 7:481bce714567 5570
wolfSSL 7:481bce714567 5571 if (badDate != 0)
wolfSSL 7:481bce714567 5572 return badDate;
wolfSSL 7:481bce714567 5573
wolfSSL 7:481bce714567 5574 if (criticalExt != 0)
wolfSSL 7:481bce714567 5575 return criticalExt;
wolfSSL 7:481bce714567 5576
wolfSSL 7:481bce714567 5577 return 0;
wolfSSL 7:481bce714567 5578 }
wolfSSL 7:481bce714567 5579
wolfSSL 7:481bce714567 5580 /* Create and init an new signer */
wolfSSL 7:481bce714567 5581 Signer* MakeSigner(void* heap)
wolfSSL 7:481bce714567 5582 {
wolfSSL 7:481bce714567 5583 Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap,
wolfSSL 7:481bce714567 5584 DYNAMIC_TYPE_SIGNER);
wolfSSL 7:481bce714567 5585 if (signer) {
wolfSSL 7:481bce714567 5586 signer->pubKeySize = 0;
wolfSSL 7:481bce714567 5587 signer->keyOID = 0;
wolfSSL 7:481bce714567 5588 signer->publicKey = NULL;
wolfSSL 7:481bce714567 5589 signer->nameLen = 0;
wolfSSL 7:481bce714567 5590 signer->name = NULL;
wolfSSL 7:481bce714567 5591 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 5592 signer->permittedNames = NULL;
wolfSSL 7:481bce714567 5593 signer->excludedNames = NULL;
wolfSSL 7:481bce714567 5594 #endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL 7:481bce714567 5595 signer->pathLengthSet = 0;
wolfSSL 7:481bce714567 5596 signer->pathLength = 0;
wolfSSL 7:481bce714567 5597 signer->next = NULL;
wolfSSL 7:481bce714567 5598 }
wolfSSL 7:481bce714567 5599 (void)heap;
wolfSSL 7:481bce714567 5600
wolfSSL 7:481bce714567 5601 return signer;
wolfSSL 7:481bce714567 5602 }
wolfSSL 7:481bce714567 5603
wolfSSL 7:481bce714567 5604
wolfSSL 7:481bce714567 5605 /* Free an individual signer */
wolfSSL 7:481bce714567 5606 void FreeSigner(Signer* signer, void* heap)
wolfSSL 7:481bce714567 5607 {
wolfSSL 7:481bce714567 5608 XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 7:481bce714567 5609 XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL 7:481bce714567 5610 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 5611 if (signer->permittedNames)
wolfSSL 7:481bce714567 5612 FreeNameSubtrees(signer->permittedNames, heap);
wolfSSL 7:481bce714567 5613 if (signer->excludedNames)
wolfSSL 7:481bce714567 5614 FreeNameSubtrees(signer->excludedNames, heap);
wolfSSL 7:481bce714567 5615 #endif
wolfSSL 7:481bce714567 5616 XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
wolfSSL 7:481bce714567 5617
wolfSSL 7:481bce714567 5618 (void)heap;
wolfSSL 7:481bce714567 5619 }
wolfSSL 7:481bce714567 5620
wolfSSL 7:481bce714567 5621
wolfSSL 7:481bce714567 5622 /* Free the whole singer table with number of rows */
wolfSSL 7:481bce714567 5623 void FreeSignerTable(Signer** table, int rows, void* heap)
wolfSSL 7:481bce714567 5624 {
wolfSSL 7:481bce714567 5625 int i;
wolfSSL 7:481bce714567 5626
wolfSSL 7:481bce714567 5627 for (i = 0; i < rows; i++) {
wolfSSL 7:481bce714567 5628 Signer* signer = table[i];
wolfSSL 7:481bce714567 5629 while (signer) {
wolfSSL 7:481bce714567 5630 Signer* next = signer->next;
wolfSSL 7:481bce714567 5631 FreeSigner(signer, heap);
wolfSSL 7:481bce714567 5632 signer = next;
wolfSSL 7:481bce714567 5633 }
wolfSSL 7:481bce714567 5634 table[i] = NULL;
wolfSSL 7:481bce714567 5635 }
wolfSSL 7:481bce714567 5636 }
wolfSSL 7:481bce714567 5637
wolfSSL 7:481bce714567 5638 #ifdef WOLFSSL_TRUST_PEER_CERT
wolfSSL 7:481bce714567 5639 /* Free an individual trusted peer cert */
wolfSSL 7:481bce714567 5640 void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
wolfSSL 7:481bce714567 5641 {
wolfSSL 7:481bce714567 5642 if (tp == NULL) {
wolfSSL 7:481bce714567 5643 return;
wolfSSL 7:481bce714567 5644 }
wolfSSL 7:481bce714567 5645
wolfSSL 7:481bce714567 5646 if (tp->name) {
wolfSSL 7:481bce714567 5647 XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL 7:481bce714567 5648 }
wolfSSL 7:481bce714567 5649
wolfSSL 7:481bce714567 5650 if (tp->sig) {
wolfSSL 7:481bce714567 5651 XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
wolfSSL 7:481bce714567 5652 }
wolfSSL 7:481bce714567 5653 #ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL 7:481bce714567 5654 if (tp->permittedNames)
wolfSSL 7:481bce714567 5655 FreeNameSubtrees(tp->permittedNames, heap);
wolfSSL 7:481bce714567 5656 if (tp->excludedNames)
wolfSSL 7:481bce714567 5657 FreeNameSubtrees(tp->excludedNames, heap);
wolfSSL 7:481bce714567 5658 #endif
wolfSSL 7:481bce714567 5659 XFREE(tp, heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 5660
wolfSSL 7:481bce714567 5661 (void)heap;
wolfSSL 7:481bce714567 5662 }
wolfSSL 7:481bce714567 5663
wolfSSL 7:481bce714567 5664 /* Free the whole Trusted Peer linked list */
wolfSSL 7:481bce714567 5665 void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
wolfSSL 7:481bce714567 5666 {
wolfSSL 7:481bce714567 5667 int i;
wolfSSL 7:481bce714567 5668
wolfSSL 7:481bce714567 5669 for (i = 0; i < rows; i++) {
wolfSSL 7:481bce714567 5670 TrustedPeerCert* tp = table[i];
wolfSSL 7:481bce714567 5671 while (tp) {
wolfSSL 7:481bce714567 5672 TrustedPeerCert* next = tp->next;
wolfSSL 7:481bce714567 5673 FreeTrustedPeer(tp, heap);
wolfSSL 7:481bce714567 5674 tp = next;
wolfSSL 7:481bce714567 5675 }
wolfSSL 7:481bce714567 5676 table[i] = NULL;
wolfSSL 7:481bce714567 5677 }
wolfSSL 7:481bce714567 5678 }
wolfSSL 7:481bce714567 5679 #endif /* WOLFSSL_TRUST_PEER_CERT */
wolfSSL 7:481bce714567 5680
wolfSSL 7:481bce714567 5681 WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
wolfSSL 7:481bce714567 5682 {
wolfSSL 7:481bce714567 5683 int i = 0;
wolfSSL 7:481bce714567 5684
wolfSSL 7:481bce714567 5685 if (output == NULL)
wolfSSL 7:481bce714567 5686 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5687
wolfSSL 7:481bce714567 5688 if (header) {
wolfSSL 7:481bce714567 5689 output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED;
wolfSSL 7:481bce714567 5690 output[i++] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 5691 }
wolfSSL 7:481bce714567 5692 output[i++] = ASN_INTEGER;
wolfSSL 7:481bce714567 5693 output[i++] = 0x01;
wolfSSL 7:481bce714567 5694 output[i++] = (byte)version;
wolfSSL 7:481bce714567 5695
wolfSSL 7:481bce714567 5696 return i;
wolfSSL 7:481bce714567 5697 }
wolfSSL 7:481bce714567 5698
wolfSSL 7:481bce714567 5699
wolfSSL 7:481bce714567 5700 WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
wolfSSL 7:481bce714567 5701 {
wolfSSL 7:481bce714567 5702 int result = 0;
wolfSSL 7:481bce714567 5703
wolfSSL 7:481bce714567 5704 WOLFSSL_ENTER("SetSerialNumber");
wolfSSL 7:481bce714567 5705
wolfSSL 7:481bce714567 5706 if (sn == NULL || output == NULL)
wolfSSL 7:481bce714567 5707 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5708
wolfSSL 7:481bce714567 5709 if (snSz <= EXTERNAL_SERIAL_SIZE) {
wolfSSL 7:481bce714567 5710 output[0] = ASN_INTEGER;
wolfSSL 7:481bce714567 5711 /* The serial number is always positive. When encoding the
wolfSSL 7:481bce714567 5712 * INTEGER, if the MSB is 1, add a padding zero to keep the
wolfSSL 7:481bce714567 5713 * number positive. */
wolfSSL 7:481bce714567 5714 if (sn[0] & 0x80) {
wolfSSL 7:481bce714567 5715 output[1] = (byte)snSz + 1;
wolfSSL 7:481bce714567 5716 output[2] = 0;
wolfSSL 7:481bce714567 5717 XMEMCPY(&output[3], sn, snSz);
wolfSSL 7:481bce714567 5718 result = snSz + 3;
wolfSSL 7:481bce714567 5719 }
wolfSSL 7:481bce714567 5720 else {
wolfSSL 7:481bce714567 5721 output[1] = (byte)snSz;
wolfSSL 7:481bce714567 5722 XMEMCPY(&output[2], sn, snSz);
wolfSSL 7:481bce714567 5723 result = snSz + 2;
wolfSSL 7:481bce714567 5724 }
wolfSSL 7:481bce714567 5725 }
wolfSSL 7:481bce714567 5726 return result;
wolfSSL 7:481bce714567 5727 }
wolfSSL 7:481bce714567 5728
wolfSSL 7:481bce714567 5729 WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
wolfSSL 7:481bce714567 5730 byte* serial, int* serialSz, word32 maxIdx)
wolfSSL 7:481bce714567 5731 {
wolfSSL 7:481bce714567 5732 int result = 0;
wolfSSL 7:481bce714567 5733 byte b;
wolfSSL 7:481bce714567 5734
wolfSSL 7:481bce714567 5735 WOLFSSL_ENTER("GetSerialNumber");
wolfSSL 7:481bce714567 5736
wolfSSL 7:481bce714567 5737 if (serial == NULL || input == NULL || serialSz == NULL) {
wolfSSL 7:481bce714567 5738 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5739 }
wolfSSL 7:481bce714567 5740
wolfSSL 7:481bce714567 5741 /* First byte is ASN type */
wolfSSL 7:481bce714567 5742 if ((*inOutIdx+1) > maxIdx) {
wolfSSL 7:481bce714567 5743 WOLFSSL_MSG("Bad idx first");
wolfSSL 7:481bce714567 5744 return BUFFER_E;
wolfSSL 7:481bce714567 5745 }
wolfSSL 7:481bce714567 5746 b = input[*inOutIdx];
wolfSSL 7:481bce714567 5747 *inOutIdx += 1;
wolfSSL 7:481bce714567 5748
wolfSSL 7:481bce714567 5749 if (b != ASN_INTEGER) {
wolfSSL 7:481bce714567 5750 WOLFSSL_MSG("Expecting Integer");
wolfSSL 7:481bce714567 5751 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5752 }
wolfSSL 7:481bce714567 5753
wolfSSL 7:481bce714567 5754 if (GetLength(input, inOutIdx, serialSz, maxIdx) < 0) {
wolfSSL 7:481bce714567 5755 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5756 }
wolfSSL 7:481bce714567 5757
wolfSSL 7:481bce714567 5758 /* serial size check */
wolfSSL 7:481bce714567 5759 if (*serialSz < 0 || *serialSz > EXTERNAL_SERIAL_SIZE) {
wolfSSL 7:481bce714567 5760 WOLFSSL_MSG("Serial size bad");
wolfSSL 7:481bce714567 5761 return ASN_PARSE_E;
wolfSSL 7:481bce714567 5762 }
wolfSSL 7:481bce714567 5763
wolfSSL 7:481bce714567 5764 /* serial size check against max index */
wolfSSL 7:481bce714567 5765 if ((*inOutIdx + *serialSz) > maxIdx) {
wolfSSL 7:481bce714567 5766 WOLFSSL_MSG("Bad idx serial");
wolfSSL 7:481bce714567 5767 return BUFFER_E;
wolfSSL 7:481bce714567 5768 }
wolfSSL 7:481bce714567 5769
wolfSSL 7:481bce714567 5770 /* only check padding and return serial if length is greater than 1 */
wolfSSL 7:481bce714567 5771 if (*serialSz > 0) {
wolfSSL 7:481bce714567 5772 /* skip padding */
wolfSSL 7:481bce714567 5773 if (input[*inOutIdx] == 0x00) {
wolfSSL 7:481bce714567 5774 *serialSz -= 1;
wolfSSL 7:481bce714567 5775 *inOutIdx += 1;
wolfSSL 7:481bce714567 5776 }
wolfSSL 7:481bce714567 5777
wolfSSL 7:481bce714567 5778 /* return serial */
wolfSSL 7:481bce714567 5779 XMEMCPY(serial, &input[*inOutIdx], *serialSz);
wolfSSL 7:481bce714567 5780 *inOutIdx += *serialSz;
wolfSSL 7:481bce714567 5781 }
wolfSSL 7:481bce714567 5782
wolfSSL 7:481bce714567 5783 return result;
wolfSSL 7:481bce714567 5784 }
wolfSSL 7:481bce714567 5785
wolfSSL 7:481bce714567 5786
wolfSSL 7:481bce714567 5787
wolfSSL 7:481bce714567 5788 const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
wolfSSL 7:481bce714567 5789 const char* END_CERT = "-----END CERTIFICATE-----";
wolfSSL 7:481bce714567 5790 const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----";
wolfSSL 7:481bce714567 5791 const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----";
wolfSSL 7:481bce714567 5792 const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----";
wolfSSL 7:481bce714567 5793 const char* END_DH_PARAM = "-----END DH PARAMETERS-----";
wolfSSL 7:481bce714567 5794 const char* BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----";
wolfSSL 7:481bce714567 5795 const char* END_DSA_PARAM = "-----END DSA PARAMETERS-----";
wolfSSL 7:481bce714567 5796 const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----";
wolfSSL 7:481bce714567 5797 const char* END_X509_CRL = "-----END X509 CRL-----";
wolfSSL 7:481bce714567 5798 const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----";
wolfSSL 7:481bce714567 5799 const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----";
wolfSSL 7:481bce714567 5800 const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----";
wolfSSL 7:481bce714567 5801 const char* END_PRIV_KEY = "-----END PRIVATE KEY-----";
wolfSSL 7:481bce714567 5802 const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
wolfSSL 7:481bce714567 5803 const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----";
wolfSSL 7:481bce714567 5804 const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----";
wolfSSL 7:481bce714567 5805 const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----";
wolfSSL 7:481bce714567 5806 const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----";
wolfSSL 7:481bce714567 5807 const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----";
wolfSSL 7:481bce714567 5808 const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
wolfSSL 7:481bce714567 5809 const char* END_PUB_KEY = "-----END PUBLIC KEY-----";
wolfSSL 7:481bce714567 5810
wolfSSL 7:481bce714567 5811 #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)
wolfSSL 7:481bce714567 5812
wolfSSL 7:481bce714567 5813 /* Used for compatibility API */
wolfSSL 7:481bce714567 5814 int wc_DerToPem(const byte* der, word32 derSz,
wolfSSL 7:481bce714567 5815 byte* output, word32 outSz, int type)
wolfSSL 7:481bce714567 5816 {
wolfSSL 7:481bce714567 5817 return wc_DerToPemEx(der, derSz, output, outSz, NULL, type);
wolfSSL 7:481bce714567 5818 }
wolfSSL 7:481bce714567 5819
wolfSSL 7:481bce714567 5820 /* convert der buffer to pem into output, can't do inplace, der and output
wolfSSL 7:481bce714567 5821 need to be different */
wolfSSL 7:481bce714567 5822 int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
wolfSSL 7:481bce714567 5823 byte *cipher_info, int type)
wolfSSL 7:481bce714567 5824 {
wolfSSL 7:481bce714567 5825 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5826 char* header = NULL;
wolfSSL 7:481bce714567 5827 char* footer = NULL;
wolfSSL 7:481bce714567 5828 #else
wolfSSL 7:481bce714567 5829 char header[40 + HEADER_ENCRYPTED_KEY_SIZE];
wolfSSL 7:481bce714567 5830 char footer[40];
wolfSSL 7:481bce714567 5831 #endif
wolfSSL 7:481bce714567 5832
wolfSSL 7:481bce714567 5833 int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE;
wolfSSL 7:481bce714567 5834 int footerLen = 40;
wolfSSL 7:481bce714567 5835 int i;
wolfSSL 7:481bce714567 5836 int err;
wolfSSL 7:481bce714567 5837 int outLen; /* return length or error */
wolfSSL 7:481bce714567 5838
wolfSSL 7:481bce714567 5839 if (der == output) /* no in place conversion */
wolfSSL 7:481bce714567 5840 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5841
wolfSSL 7:481bce714567 5842 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5843 header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5844 if (header == NULL)
wolfSSL 7:481bce714567 5845 return MEMORY_E;
wolfSSL 7:481bce714567 5846
wolfSSL 7:481bce714567 5847 footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5848 if (footer == NULL) {
wolfSSL 7:481bce714567 5849 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5850 return MEMORY_E;
wolfSSL 7:481bce714567 5851 }
wolfSSL 7:481bce714567 5852 #endif
wolfSSL 7:481bce714567 5853 if (type == CERT_TYPE) {
wolfSSL 7:481bce714567 5854 XSTRNCPY(header, BEGIN_CERT, headerLen);
wolfSSL 7:481bce714567 5855 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5856
wolfSSL 7:481bce714567 5857 XSTRNCPY(footer, END_CERT, footerLen);
wolfSSL 7:481bce714567 5858 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5859 }
wolfSSL 7:481bce714567 5860 else if (type == PRIVATEKEY_TYPE) {
wolfSSL 7:481bce714567 5861 XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen);
wolfSSL 7:481bce714567 5862 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5863
wolfSSL 7:481bce714567 5864 XSTRNCPY(footer, END_RSA_PRIV, footerLen);
wolfSSL 7:481bce714567 5865 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5866 }
wolfSSL 7:481bce714567 5867 #ifndef NO_DSA
wolfSSL 7:481bce714567 5868 else if (type == DSA_PRIVATEKEY_TYPE) {
wolfSSL 7:481bce714567 5869 XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen);
wolfSSL 7:481bce714567 5870 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5871
wolfSSL 7:481bce714567 5872 XSTRNCPY(footer, END_DSA_PRIV, footerLen);
wolfSSL 7:481bce714567 5873 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5874 }
wolfSSL 7:481bce714567 5875 #endif
wolfSSL 7:481bce714567 5876 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 5877 else if (type == ECC_PRIVATEKEY_TYPE) {
wolfSSL 7:481bce714567 5878 XSTRNCPY(header, BEGIN_EC_PRIV, headerLen);
wolfSSL 7:481bce714567 5879 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5880
wolfSSL 7:481bce714567 5881 XSTRNCPY(footer, END_EC_PRIV, footerLen);
wolfSSL 7:481bce714567 5882 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5883 }
wolfSSL 7:481bce714567 5884 #endif
wolfSSL 7:481bce714567 5885 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 5886 else if (type == CERTREQ_TYPE)
wolfSSL 7:481bce714567 5887 {
wolfSSL 7:481bce714567 5888 XSTRNCPY(header, BEGIN_CERT_REQ, headerLen);
wolfSSL 7:481bce714567 5889 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5890
wolfSSL 7:481bce714567 5891 XSTRNCPY(footer, END_CERT_REQ, footerLen);
wolfSSL 7:481bce714567 5892 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5893 }
wolfSSL 7:481bce714567 5894 #endif
wolfSSL 7:481bce714567 5895 #ifdef HAVE_CRL
wolfSSL 7:481bce714567 5896 else if (type == CRL_TYPE)
wolfSSL 7:481bce714567 5897 {
wolfSSL 7:481bce714567 5898 XSTRNCPY(header, BEGIN_X509_CRL, headerLen);
wolfSSL 7:481bce714567 5899 XSTRNCAT(header, "\n", 1);
wolfSSL 7:481bce714567 5900
wolfSSL 7:481bce714567 5901 XSTRNCPY(footer, END_X509_CRL, footerLen);
wolfSSL 7:481bce714567 5902 XSTRNCAT(footer, "\n", 1);
wolfSSL 7:481bce714567 5903 }
wolfSSL 7:481bce714567 5904 #endif
wolfSSL 7:481bce714567 5905 else {
wolfSSL 7:481bce714567 5906 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5907 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5908 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5909 #endif
wolfSSL 7:481bce714567 5910 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5911 }
wolfSSL 7:481bce714567 5912
wolfSSL 7:481bce714567 5913 /* extra header information for encrypted key */
wolfSSL 7:481bce714567 5914 if (cipher_info != NULL) {
wolfSSL 7:481bce714567 5915 XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23);
wolfSSL 7:481bce714567 5916 XSTRNCAT(header, "DEK-Info: ", 10);
wolfSSL 7:481bce714567 5917 XSTRNCAT(header, (char*)cipher_info, XSTRLEN((char*)cipher_info));
wolfSSL 7:481bce714567 5918 XSTRNCAT(header, "\n\n", 2);
wolfSSL 7:481bce714567 5919 }
wolfSSL 7:481bce714567 5920
wolfSSL 7:481bce714567 5921 headerLen = (int)XSTRLEN(header);
wolfSSL 7:481bce714567 5922 footerLen = (int)XSTRLEN(footer);
wolfSSL 7:481bce714567 5923
wolfSSL 7:481bce714567 5924 /* if null output and 0 size passed in then return size needed */
wolfSSL 7:481bce714567 5925 if (!output && outSz == 0) {
wolfSSL 7:481bce714567 5926 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5927 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5928 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5929 #endif
wolfSSL 7:481bce714567 5930 outLen = 0;
wolfSSL 7:481bce714567 5931 if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen))
wolfSSL 7:481bce714567 5932 != LENGTH_ONLY_E) {
wolfSSL 7:481bce714567 5933 return err;
wolfSSL 7:481bce714567 5934 }
wolfSSL 7:481bce714567 5935 return headerLen + footerLen + outLen;
wolfSSL 7:481bce714567 5936 }
wolfSSL 7:481bce714567 5937
wolfSSL 7:481bce714567 5938 if (!der || !output) {
wolfSSL 7:481bce714567 5939 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5940 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5941 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5942 #endif
wolfSSL 7:481bce714567 5943 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5944 }
wolfSSL 7:481bce714567 5945
wolfSSL 7:481bce714567 5946 /* don't even try if outSz too short */
wolfSSL 7:481bce714567 5947 if (outSz < headerLen + footerLen + derSz) {
wolfSSL 7:481bce714567 5948 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5949 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5950 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5951 #endif
wolfSSL 7:481bce714567 5952 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5953 }
wolfSSL 7:481bce714567 5954
wolfSSL 7:481bce714567 5955 /* header */
wolfSSL 7:481bce714567 5956 XMEMCPY(output, header, headerLen);
wolfSSL 7:481bce714567 5957 i = headerLen;
wolfSSL 7:481bce714567 5958
wolfSSL 7:481bce714567 5959 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5960 XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5961 #endif
wolfSSL 7:481bce714567 5962
wolfSSL 7:481bce714567 5963 /* body */
wolfSSL 7:481bce714567 5964 outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */
wolfSSL 7:481bce714567 5965 if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) {
wolfSSL 7:481bce714567 5966 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5967 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5968 #endif
wolfSSL 7:481bce714567 5969 return err;
wolfSSL 7:481bce714567 5970 }
wolfSSL 7:481bce714567 5971 i += outLen;
wolfSSL 7:481bce714567 5972
wolfSSL 7:481bce714567 5973 /* footer */
wolfSSL 7:481bce714567 5974 if ( (i + footerLen) > (int)outSz) {
wolfSSL 7:481bce714567 5975 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5976 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5977 #endif
wolfSSL 7:481bce714567 5978 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 5979 }
wolfSSL 7:481bce714567 5980 XMEMCPY(output + i, footer, footerLen);
wolfSSL 7:481bce714567 5981
wolfSSL 7:481bce714567 5982 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5983 XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 5984 #endif
wolfSSL 7:481bce714567 5985
wolfSSL 7:481bce714567 5986 return outLen + headerLen + footerLen;
wolfSSL 7:481bce714567 5987 }
wolfSSL 7:481bce714567 5988
wolfSSL 7:481bce714567 5989 #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 5990
wolfSSL 7:481bce714567 5991 #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
wolfSSL 7:481bce714567 5992 /* USER RSA ifdef portions used instead of refactor in consideration for
wolfSSL 7:481bce714567 5993 possible fips build */
wolfSSL 7:481bce714567 5994 /* Write a public RSA key to output */
wolfSSL 7:481bce714567 5995 static int SetRsaPublicKey(byte* output, RsaKey* key,
wolfSSL 7:481bce714567 5996 int outLen, int with_header)
wolfSSL 7:481bce714567 5997 {
wolfSSL 7:481bce714567 5998 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 5999 byte* n = NULL;
wolfSSL 7:481bce714567 6000 byte* e = NULL;
wolfSSL 7:481bce714567 6001 #else
wolfSSL 7:481bce714567 6002 byte n[MAX_RSA_INT_SZ];
wolfSSL 7:481bce714567 6003 byte e[MAX_RSA_E_SZ];
wolfSSL 7:481bce714567 6004 #endif
wolfSSL 7:481bce714567 6005 byte seq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 6006 byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */
wolfSSL 7:481bce714567 6007 int nSz;
wolfSSL 7:481bce714567 6008 int eSz;
wolfSSL 7:481bce714567 6009 int seqSz;
wolfSSL 7:481bce714567 6010 int lenSz;
wolfSSL 7:481bce714567 6011 int idx;
wolfSSL 7:481bce714567 6012 int rawLen;
wolfSSL 7:481bce714567 6013 int leadingBit;
wolfSSL 7:481bce714567 6014 int err;
wolfSSL 7:481bce714567 6015
wolfSSL 7:481bce714567 6016 if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ)
wolfSSL 7:481bce714567 6017 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6018
wolfSSL 7:481bce714567 6019 /* n */
wolfSSL 7:481bce714567 6020 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6021 n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6022 if (n == NULL)
wolfSSL 7:481bce714567 6023 return MEMORY_E;
wolfSSL 7:481bce714567 6024 #endif
wolfSSL 7:481bce714567 6025
wolfSSL 7:481bce714567 6026 #ifdef HAVE_USER_RSA
wolfSSL 7:481bce714567 6027 leadingBit = wc_Rsa_leading_bit(key->n);
wolfSSL 7:481bce714567 6028 rawLen = wc_Rsa_unsigned_bin_size(key->n) + leadingBit;
wolfSSL 7:481bce714567 6029 #else
wolfSSL 7:481bce714567 6030 leadingBit = mp_leading_bit(&key->n);
wolfSSL 7:481bce714567 6031 rawLen = mp_unsigned_bin_size(&key->n) + leadingBit;
wolfSSL 7:481bce714567 6032 #endif
wolfSSL 7:481bce714567 6033 n[0] = ASN_INTEGER;
wolfSSL 7:481bce714567 6034 nSz = SetLength(rawLen, n + 1) + 1; /* int tag */
wolfSSL 7:481bce714567 6035
wolfSSL 7:481bce714567 6036 if ( (nSz + rawLen) <= MAX_RSA_INT_SZ) {
wolfSSL 7:481bce714567 6037 if (leadingBit)
wolfSSL 7:481bce714567 6038 n[nSz] = 0;
wolfSSL 7:481bce714567 6039 #ifdef HAVE_USER_RSA
wolfSSL 7:481bce714567 6040 err = wc_Rsa_to_unsigned_bin(key->n, n + nSz, rawLen);
wolfSSL 7:481bce714567 6041 #else
wolfSSL 7:481bce714567 6042 err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit);
wolfSSL 7:481bce714567 6043 #endif
wolfSSL 7:481bce714567 6044 if (err == MP_OKAY)
wolfSSL 7:481bce714567 6045 nSz += rawLen;
wolfSSL 7:481bce714567 6046 else {
wolfSSL 7:481bce714567 6047 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6048 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6049 #endif
wolfSSL 7:481bce714567 6050 return MP_TO_E;
wolfSSL 7:481bce714567 6051 }
wolfSSL 7:481bce714567 6052 }
wolfSSL 7:481bce714567 6053 else {
wolfSSL 7:481bce714567 6054 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6055 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6056 #endif
wolfSSL 7:481bce714567 6057 return BUFFER_E;
wolfSSL 7:481bce714567 6058 }
wolfSSL 7:481bce714567 6059
wolfSSL 7:481bce714567 6060 /* e */
wolfSSL 7:481bce714567 6061 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6062 e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6063 if (e == NULL) {
wolfSSL 7:481bce714567 6064 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6065 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6066 #endif
wolfSSL 7:481bce714567 6067 return MEMORY_E;
wolfSSL 7:481bce714567 6068 }
wolfSSL 7:481bce714567 6069 #endif
wolfSSL 7:481bce714567 6070
wolfSSL 7:481bce714567 6071 #ifdef HAVE_USER_RSA
wolfSSL 7:481bce714567 6072 leadingBit = wc_Rsa_leading_bit(key->e);
wolfSSL 7:481bce714567 6073 rawLen = wc_Rsa_unsigned_bin_size(key->e) + leadingBit;
wolfSSL 7:481bce714567 6074 #else
wolfSSL 7:481bce714567 6075 leadingBit = mp_leading_bit(&key->e);
wolfSSL 7:481bce714567 6076 rawLen = mp_unsigned_bin_size(&key->e) + leadingBit;
wolfSSL 7:481bce714567 6077 #endif
wolfSSL 7:481bce714567 6078 e[0] = ASN_INTEGER;
wolfSSL 7:481bce714567 6079 eSz = SetLength(rawLen, e + 1) + 1; /* int tag */
wolfSSL 7:481bce714567 6080
wolfSSL 7:481bce714567 6081 if ( (eSz + rawLen) < MAX_RSA_E_SZ) {
wolfSSL 7:481bce714567 6082 if (leadingBit)
wolfSSL 7:481bce714567 6083 e[eSz] = 0;
wolfSSL 7:481bce714567 6084 #ifdef HAVE_USER_RSA
wolfSSL 7:481bce714567 6085 err = wc_Rsa_to_unsigned_bin(key->e, e + eSz, rawLen);
wolfSSL 7:481bce714567 6086 #else
wolfSSL 7:481bce714567 6087 err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit);
wolfSSL 7:481bce714567 6088 #endif
wolfSSL 7:481bce714567 6089 if (err == MP_OKAY)
wolfSSL 7:481bce714567 6090 eSz += rawLen;
wolfSSL 7:481bce714567 6091 else {
wolfSSL 7:481bce714567 6092 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6093 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6094 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6095 #endif
wolfSSL 7:481bce714567 6096 return MP_TO_E;
wolfSSL 7:481bce714567 6097 }
wolfSSL 7:481bce714567 6098 }
wolfSSL 7:481bce714567 6099 else {
wolfSSL 7:481bce714567 6100 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6101 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6102 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6103 #endif
wolfSSL 7:481bce714567 6104 return BUFFER_E;
wolfSSL 7:481bce714567 6105 }
wolfSSL 7:481bce714567 6106
wolfSSL 7:481bce714567 6107 seqSz = SetSequence(nSz + eSz, seq);
wolfSSL 7:481bce714567 6108
wolfSSL 7:481bce714567 6109 /* check output size */
wolfSSL 7:481bce714567 6110 if ( (seqSz + nSz + eSz) > outLen) {
wolfSSL 7:481bce714567 6111 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6112 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6113 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6114 #endif
wolfSSL 7:481bce714567 6115 return BUFFER_E;
wolfSSL 7:481bce714567 6116 }
wolfSSL 7:481bce714567 6117
wolfSSL 7:481bce714567 6118 /* headers */
wolfSSL 7:481bce714567 6119 if (with_header) {
wolfSSL 7:481bce714567 6120 int algoSz;
wolfSSL 7:481bce714567 6121 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6122 byte* algo = NULL;
wolfSSL 7:481bce714567 6123
wolfSSL 7:481bce714567 6124 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6125 if (algo == NULL) {
wolfSSL 7:481bce714567 6126 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6127 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6128 return MEMORY_E;
wolfSSL 7:481bce714567 6129 }
wolfSSL 7:481bce714567 6130 #else
wolfSSL 7:481bce714567 6131 byte algo[MAX_ALGO_SZ];
wolfSSL 7:481bce714567 6132 #endif
wolfSSL 7:481bce714567 6133 algoSz = SetAlgoID(RSAk, algo, oidKeyType, 0);
wolfSSL 7:481bce714567 6134 lenSz = SetLength(seqSz + nSz + eSz + 1, len);
wolfSSL 7:481bce714567 6135 len[lenSz++] = 0; /* trailing 0 */
wolfSSL 7:481bce714567 6136
wolfSSL 7:481bce714567 6137 /* write, 1 is for ASN_BIT_STRING */
wolfSSL 7:481bce714567 6138 idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output);
wolfSSL 7:481bce714567 6139
wolfSSL 7:481bce714567 6140 /* check output size */
wolfSSL 7:481bce714567 6141 if ( (idx + algoSz + 1 + lenSz + seqSz + nSz + eSz) > outLen) {
wolfSSL 7:481bce714567 6142 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6143 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6144 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6145 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6146 #endif
wolfSSL 7:481bce714567 6147
wolfSSL 7:481bce714567 6148 return BUFFER_E;
wolfSSL 7:481bce714567 6149 }
wolfSSL 7:481bce714567 6150
wolfSSL 7:481bce714567 6151 /* algo */
wolfSSL 7:481bce714567 6152 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 7:481bce714567 6153 idx += algoSz;
wolfSSL 7:481bce714567 6154 /* bit string */
wolfSSL 7:481bce714567 6155 output[idx++] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 6156 /* length */
wolfSSL 7:481bce714567 6157 XMEMCPY(output + idx, len, lenSz);
wolfSSL 7:481bce714567 6158 idx += lenSz;
wolfSSL 7:481bce714567 6159 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6160 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6161 #endif
wolfSSL 7:481bce714567 6162 }
wolfSSL 7:481bce714567 6163 else
wolfSSL 7:481bce714567 6164 idx = 0;
wolfSSL 7:481bce714567 6165
wolfSSL 7:481bce714567 6166 /* seq */
wolfSSL 7:481bce714567 6167 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 7:481bce714567 6168 idx += seqSz;
wolfSSL 7:481bce714567 6169 /* n */
wolfSSL 7:481bce714567 6170 XMEMCPY(output + idx, n, nSz);
wolfSSL 7:481bce714567 6171 idx += nSz;
wolfSSL 7:481bce714567 6172 /* e */
wolfSSL 7:481bce714567 6173 XMEMCPY(output + idx, e, eSz);
wolfSSL 7:481bce714567 6174 idx += eSz;
wolfSSL 7:481bce714567 6175
wolfSSL 7:481bce714567 6176 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6177 XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6178 XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6179 #endif
wolfSSL 7:481bce714567 6180
wolfSSL 7:481bce714567 6181 return idx;
wolfSSL 7:481bce714567 6182 }
wolfSSL 7:481bce714567 6183 #endif /* !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) ||
wolfSSL 7:481bce714567 6184 defined(WOLFSSL_KEY_GEN)) */
wolfSSL 7:481bce714567 6185
wolfSSL 7:481bce714567 6186
wolfSSL 7:481bce714567 6187 #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
wolfSSL 7:481bce714567 6188
wolfSSL 7:481bce714567 6189
wolfSSL 7:481bce714567 6190 static mp_int* GetRsaInt(RsaKey* key, int idx)
wolfSSL 7:481bce714567 6191 {
wolfSSL 7:481bce714567 6192 if (idx == 0)
wolfSSL 7:481bce714567 6193 return &key->n;
wolfSSL 7:481bce714567 6194 if (idx == 1)
wolfSSL 7:481bce714567 6195 return &key->e;
wolfSSL 7:481bce714567 6196 if (idx == 2)
wolfSSL 7:481bce714567 6197 return &key->d;
wolfSSL 7:481bce714567 6198 if (idx == 3)
wolfSSL 7:481bce714567 6199 return &key->p;
wolfSSL 7:481bce714567 6200 if (idx == 4)
wolfSSL 7:481bce714567 6201 return &key->q;
wolfSSL 7:481bce714567 6202 if (idx == 5)
wolfSSL 7:481bce714567 6203 return &key->dP;
wolfSSL 7:481bce714567 6204 if (idx == 6)
wolfSSL 7:481bce714567 6205 return &key->dQ;
wolfSSL 7:481bce714567 6206 if (idx == 7)
wolfSSL 7:481bce714567 6207 return &key->u;
wolfSSL 7:481bce714567 6208
wolfSSL 7:481bce714567 6209 return NULL;
wolfSSL 7:481bce714567 6210 }
wolfSSL 7:481bce714567 6211
wolfSSL 7:481bce714567 6212
wolfSSL 7:481bce714567 6213 /* Release Tmp RSA resources */
wolfSSL 7:481bce714567 6214 static INLINE void FreeTmpRsas(byte** tmps, void* heap)
wolfSSL 7:481bce714567 6215 {
wolfSSL 7:481bce714567 6216 int i;
wolfSSL 7:481bce714567 6217
wolfSSL 7:481bce714567 6218 (void)heap;
wolfSSL 7:481bce714567 6219
wolfSSL 7:481bce714567 6220 for (i = 0; i < RSA_INTS; i++)
wolfSSL 7:481bce714567 6221 XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 6222 }
wolfSSL 7:481bce714567 6223
wolfSSL 7:481bce714567 6224
wolfSSL 7:481bce714567 6225 /* Convert RsaKey key to DER format, write to output (inLen), return bytes
wolfSSL 7:481bce714567 6226 written */
wolfSSL 7:481bce714567 6227 int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 7:481bce714567 6228 {
wolfSSL 7:481bce714567 6229 word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL 7:481bce714567 6230 word32 sizes[RSA_INTS];
wolfSSL 7:481bce714567 6231 int i, j, outLen, ret = 0, lbit;
wolfSSL 7:481bce714567 6232
wolfSSL 7:481bce714567 6233 byte seq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 6234 byte ver[MAX_VERSION_SZ];
wolfSSL 7:481bce714567 6235 byte* tmps[RSA_INTS];
wolfSSL 7:481bce714567 6236
wolfSSL 7:481bce714567 6237 if (!key || !output)
wolfSSL 7:481bce714567 6238 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6239
wolfSSL 7:481bce714567 6240 if (key->type != RSA_PRIVATE)
wolfSSL 7:481bce714567 6241 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6242
wolfSSL 7:481bce714567 6243 for (i = 0; i < RSA_INTS; i++)
wolfSSL 7:481bce714567 6244 tmps[i] = NULL;
wolfSSL 7:481bce714567 6245
wolfSSL 7:481bce714567 6246 /* write all big ints from key to DER tmps */
wolfSSL 7:481bce714567 6247 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 7:481bce714567 6248 mp_int* keyInt = GetRsaInt(key, i);
wolfSSL 7:481bce714567 6249
wolfSSL 7:481bce714567 6250 /* leading zero */
wolfSSL 7:481bce714567 6251 lbit = mp_leading_bit(keyInt);
wolfSSL 7:481bce714567 6252 rawLen = mp_unsigned_bin_size(keyInt) + lbit;
wolfSSL 7:481bce714567 6253
wolfSSL 7:481bce714567 6254 tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL 7:481bce714567 6255 DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 6256 if (tmps[i] == NULL) {
wolfSSL 7:481bce714567 6257 ret = MEMORY_E;
wolfSSL 7:481bce714567 6258 break;
wolfSSL 7:481bce714567 6259 }
wolfSSL 7:481bce714567 6260
wolfSSL 7:481bce714567 6261 tmps[i][0] = ASN_INTEGER;
wolfSSL 7:481bce714567 6262 sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */
wolfSSL 7:481bce714567 6263
wolfSSL 7:481bce714567 6264 if (sizes[i] <= MAX_SEQ_SZ) {
wolfSSL 7:481bce714567 6265 int err;
wolfSSL 7:481bce714567 6266
wolfSSL 7:481bce714567 6267 /* leading zero */
wolfSSL 7:481bce714567 6268 if (lbit)
wolfSSL 7:481bce714567 6269 tmps[i][sizes[i]-1] = 0x00;
wolfSSL 7:481bce714567 6270
wolfSSL 7:481bce714567 6271 err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
wolfSSL 7:481bce714567 6272 if (err == MP_OKAY) {
wolfSSL 7:481bce714567 6273 sizes[i] += (rawLen-lbit); /* lbit included in rawLen */
wolfSSL 7:481bce714567 6274 intTotalLen += sizes[i];
wolfSSL 7:481bce714567 6275 }
wolfSSL 7:481bce714567 6276 else {
wolfSSL 7:481bce714567 6277 ret = err;
wolfSSL 7:481bce714567 6278 break;
wolfSSL 7:481bce714567 6279 }
wolfSSL 7:481bce714567 6280 }
wolfSSL 7:481bce714567 6281 else {
wolfSSL 7:481bce714567 6282 ret = ASN_INPUT_E;
wolfSSL 7:481bce714567 6283 break;
wolfSSL 7:481bce714567 6284 }
wolfSSL 7:481bce714567 6285 }
wolfSSL 7:481bce714567 6286
wolfSSL 7:481bce714567 6287 if (ret != 0) {
wolfSSL 7:481bce714567 6288 FreeTmpRsas(tmps, key->heap);
wolfSSL 7:481bce714567 6289 return ret;
wolfSSL 7:481bce714567 6290 }
wolfSSL 7:481bce714567 6291
wolfSSL 7:481bce714567 6292 /* make headers */
wolfSSL 7:481bce714567 6293 verSz = SetMyVersion(0, ver, FALSE);
wolfSSL 7:481bce714567 6294 seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL 7:481bce714567 6295
wolfSSL 7:481bce714567 6296 outLen = seqSz + verSz + intTotalLen;
wolfSSL 7:481bce714567 6297 if (outLen > (int)inLen)
wolfSSL 7:481bce714567 6298 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6299
wolfSSL 7:481bce714567 6300 /* write to output */
wolfSSL 7:481bce714567 6301 XMEMCPY(output, seq, seqSz);
wolfSSL 7:481bce714567 6302 j = seqSz;
wolfSSL 7:481bce714567 6303 XMEMCPY(output + j, ver, verSz);
wolfSSL 7:481bce714567 6304 j += verSz;
wolfSSL 7:481bce714567 6305
wolfSSL 7:481bce714567 6306 for (i = 0; i < RSA_INTS; i++) {
wolfSSL 7:481bce714567 6307 XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL 7:481bce714567 6308 j += sizes[i];
wolfSSL 7:481bce714567 6309 }
wolfSSL 7:481bce714567 6310 FreeTmpRsas(tmps, key->heap);
wolfSSL 7:481bce714567 6311
wolfSSL 7:481bce714567 6312 return outLen;
wolfSSL 7:481bce714567 6313 }
wolfSSL 7:481bce714567 6314
wolfSSL 7:481bce714567 6315
wolfSSL 7:481bce714567 6316 /* Convert Rsa Public key to DER format, write to output (inLen), return bytes
wolfSSL 7:481bce714567 6317 written */
wolfSSL 7:481bce714567 6318 int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL 7:481bce714567 6319 {
wolfSSL 7:481bce714567 6320 return SetRsaPublicKey(output, key, inLen, 1);
wolfSSL 7:481bce714567 6321 }
wolfSSL 7:481bce714567 6322
wolfSSL 7:481bce714567 6323 #endif /* WOLFSSL_KEY_GEN && !NO_RSA */
wolfSSL 7:481bce714567 6324
wolfSSL 7:481bce714567 6325
wolfSSL 7:481bce714567 6326 #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL 7:481bce714567 6327
wolfSSL 7:481bce714567 6328 /* Initialize and Set Certificate defaults:
wolfSSL 7:481bce714567 6329 version = 3 (0x2)
wolfSSL 7:481bce714567 6330 serial = 0
wolfSSL 7:481bce714567 6331 sigType = SHA_WITH_RSA
wolfSSL 7:481bce714567 6332 issuer = blank
wolfSSL 7:481bce714567 6333 daysValid = 500
wolfSSL 7:481bce714567 6334 selfSigned = 1 (true) use subject as issuer
wolfSSL 7:481bce714567 6335 subject = blank
wolfSSL 7:481bce714567 6336 */
wolfSSL 7:481bce714567 6337 void wc_InitCert(Cert* cert)
wolfSSL 7:481bce714567 6338 {
wolfSSL 7:481bce714567 6339 cert->version = 2; /* version 3 is hex 2 */
wolfSSL 7:481bce714567 6340 cert->sigType = CTC_SHAwRSA;
wolfSSL 7:481bce714567 6341 cert->daysValid = 500;
wolfSSL 7:481bce714567 6342 cert->selfSigned = 1;
wolfSSL 7:481bce714567 6343 cert->isCA = 0;
wolfSSL 7:481bce714567 6344 cert->bodySz = 0;
wolfSSL 7:481bce714567 6345 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 6346 cert->altNamesSz = 0;
wolfSSL 7:481bce714567 6347 cert->beforeDateSz = 0;
wolfSSL 7:481bce714567 6348 cert->afterDateSz = 0;
wolfSSL 7:481bce714567 6349 #endif
wolfSSL 7:481bce714567 6350 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 6351 cert->skidSz = 0;
wolfSSL 7:481bce714567 6352 cert->akidSz = 0;
wolfSSL 7:481bce714567 6353 cert->keyUsage = 0;
wolfSSL 7:481bce714567 6354 cert->certPoliciesNb = 0;
wolfSSL 7:481bce714567 6355 XMEMSET(cert->akid, 0, CTC_MAX_AKID_SIZE);
wolfSSL 7:481bce714567 6356 XMEMSET(cert->skid, 0, CTC_MAX_SKID_SIZE);
wolfSSL 7:481bce714567 6357 XMEMSET(cert->certPolicies, 0, CTC_MAX_CERTPOL_NB*CTC_MAX_CERTPOL_SZ);
wolfSSL 7:481bce714567 6358 #endif
wolfSSL 7:481bce714567 6359 cert->keyType = RSA_KEY;
wolfSSL 7:481bce714567 6360 XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE);
wolfSSL 7:481bce714567 6361
wolfSSL 7:481bce714567 6362 cert->issuer.country[0] = '\0';
wolfSSL 7:481bce714567 6363 cert->issuer.countryEnc = CTC_PRINTABLE;
wolfSSL 7:481bce714567 6364 cert->issuer.state[0] = '\0';
wolfSSL 7:481bce714567 6365 cert->issuer.stateEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6366 cert->issuer.locality[0] = '\0';
wolfSSL 7:481bce714567 6367 cert->issuer.localityEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6368 cert->issuer.sur[0] = '\0';
wolfSSL 7:481bce714567 6369 cert->issuer.surEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6370 cert->issuer.org[0] = '\0';
wolfSSL 7:481bce714567 6371 cert->issuer.orgEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6372 cert->issuer.unit[0] = '\0';
wolfSSL 7:481bce714567 6373 cert->issuer.unitEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6374 cert->issuer.commonName[0] = '\0';
wolfSSL 7:481bce714567 6375 cert->issuer.commonNameEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6376 cert->issuer.email[0] = '\0';
wolfSSL 7:481bce714567 6377
wolfSSL 7:481bce714567 6378 cert->subject.country[0] = '\0';
wolfSSL 7:481bce714567 6379 cert->subject.countryEnc = CTC_PRINTABLE;
wolfSSL 7:481bce714567 6380 cert->subject.state[0] = '\0';
wolfSSL 7:481bce714567 6381 cert->subject.stateEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6382 cert->subject.locality[0] = '\0';
wolfSSL 7:481bce714567 6383 cert->subject.localityEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6384 cert->subject.sur[0] = '\0';
wolfSSL 7:481bce714567 6385 cert->subject.surEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6386 cert->subject.org[0] = '\0';
wolfSSL 7:481bce714567 6387 cert->subject.orgEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6388 cert->subject.unit[0] = '\0';
wolfSSL 7:481bce714567 6389 cert->subject.unitEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6390 cert->subject.commonName[0] = '\0';
wolfSSL 7:481bce714567 6391 cert->subject.commonNameEnc = CTC_UTF8;
wolfSSL 7:481bce714567 6392 cert->subject.email[0] = '\0';
wolfSSL 7:481bce714567 6393
wolfSSL 7:481bce714567 6394 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 6395 cert->challengePw[0] ='\0';
wolfSSL 7:481bce714567 6396 #endif
wolfSSL 7:481bce714567 6397 #ifdef WOLFSSL_HEAP_TEST
wolfSSL 7:481bce714567 6398 cert->heap = (void*)WOLFSSL_HEAP_TEST;
wolfSSL 7:481bce714567 6399 #else
wolfSSL 7:481bce714567 6400 cert->heap = NULL;
wolfSSL 7:481bce714567 6401 #endif
wolfSSL 7:481bce714567 6402 }
wolfSSL 7:481bce714567 6403
wolfSSL 7:481bce714567 6404
wolfSSL 7:481bce714567 6405 /* DER encoded x509 Certificate */
wolfSSL 7:481bce714567 6406 typedef struct DerCert {
wolfSSL 7:481bce714567 6407 byte size[MAX_LENGTH_SZ]; /* length encoded */
wolfSSL 7:481bce714567 6408 byte version[MAX_VERSION_SZ]; /* version encoded */
wolfSSL 7:481bce714567 6409 byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */
wolfSSL 7:481bce714567 6410 byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */
wolfSSL 7:481bce714567 6411 byte issuer[ASN_NAME_MAX]; /* issuer encoded */
wolfSSL 7:481bce714567 6412 byte subject[ASN_NAME_MAX]; /* subject encoded */
wolfSSL 7:481bce714567 6413 byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */
wolfSSL 7:481bce714567 6414 byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
wolfSSL 7:481bce714567 6415 byte ca[MAX_CA_SZ]; /* basic constraint CA true size */
wolfSSL 7:481bce714567 6416 byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
wolfSSL 7:481bce714567 6417 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 6418 byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */
wolfSSL 7:481bce714567 6419 byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */
wolfSSL 7:481bce714567 6420 byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */
wolfSSL 7:481bce714567 6421 byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */
wolfSSL 7:481bce714567 6422 #endif
wolfSSL 7:481bce714567 6423 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 6424 byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */
wolfSSL 7:481bce714567 6425 #endif
wolfSSL 7:481bce714567 6426 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 6427 byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */
wolfSSL 7:481bce714567 6428 #endif
wolfSSL 7:481bce714567 6429 int sizeSz; /* encoded size length */
wolfSSL 7:481bce714567 6430 int versionSz; /* encoded version length */
wolfSSL 7:481bce714567 6431 int serialSz; /* encoded serial length */
wolfSSL 7:481bce714567 6432 int sigAlgoSz; /* encoded sig alog length */
wolfSSL 7:481bce714567 6433 int issuerSz; /* encoded issuer length */
wolfSSL 7:481bce714567 6434 int subjectSz; /* encoded subject length */
wolfSSL 7:481bce714567 6435 int validitySz; /* encoded validity length */
wolfSSL 7:481bce714567 6436 int publicKeySz; /* encoded public key length */
wolfSSL 7:481bce714567 6437 int caSz; /* encoded CA extension length */
wolfSSL 7:481bce714567 6438 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 6439 int skidSz; /* encoded SKID extension length */
wolfSSL 7:481bce714567 6440 int akidSz; /* encoded SKID extension length */
wolfSSL 7:481bce714567 6441 int keyUsageSz; /* encoded KeyUsage extension length */
wolfSSL 7:481bce714567 6442 int certPoliciesSz; /* encoded CertPolicies extension length*/
wolfSSL 7:481bce714567 6443 #endif
wolfSSL 7:481bce714567 6444 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 6445 int altNamesSz; /* encoded AltNames extension length */
wolfSSL 7:481bce714567 6446 #endif
wolfSSL 7:481bce714567 6447 int extensionsSz; /* encoded extensions total length */
wolfSSL 7:481bce714567 6448 int total; /* total encoded lengths */
wolfSSL 7:481bce714567 6449 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 6450 int attribSz;
wolfSSL 7:481bce714567 6451 #endif
wolfSSL 7:481bce714567 6452 } DerCert;
wolfSSL 7:481bce714567 6453
wolfSSL 7:481bce714567 6454
wolfSSL 7:481bce714567 6455 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 6456
wolfSSL 7:481bce714567 6457 /* Write a set header to output */
wolfSSL 7:481bce714567 6458 static word32 SetUTF8String(word32 len, byte* output)
wolfSSL 7:481bce714567 6459 {
wolfSSL 7:481bce714567 6460 output[0] = ASN_UTF8STRING;
wolfSSL 7:481bce714567 6461 return SetLength(len, output + 1) + 1;
wolfSSL 7:481bce714567 6462 }
wolfSSL 7:481bce714567 6463
wolfSSL 7:481bce714567 6464 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 7:481bce714567 6465
wolfSSL 7:481bce714567 6466
wolfSSL 7:481bce714567 6467 /* Write a serial number to output */
wolfSSL 7:481bce714567 6468 static int SetSerial(const byte* serial, byte* output)
wolfSSL 7:481bce714567 6469 {
wolfSSL 7:481bce714567 6470 int length = 0;
wolfSSL 7:481bce714567 6471
wolfSSL 7:481bce714567 6472 output[length++] = ASN_INTEGER;
wolfSSL 7:481bce714567 6473 length += SetLength(CTC_SERIAL_SIZE, &output[length]);
wolfSSL 7:481bce714567 6474 XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE);
wolfSSL 7:481bce714567 6475
wolfSSL 7:481bce714567 6476 return length + CTC_SERIAL_SIZE;
wolfSSL 7:481bce714567 6477 }
wolfSSL 7:481bce714567 6478
wolfSSL 7:481bce714567 6479 #endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */
wolfSSL 7:481bce714567 6480 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
wolfSSL 7:481bce714567 6481
wolfSSL 7:481bce714567 6482 /* Write a public ECC key to output */
wolfSSL 7:481bce714567 6483 static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)
wolfSSL 7:481bce714567 6484 {
wolfSSL 7:481bce714567 6485 byte len[MAX_LENGTH_SZ + TRAILING_ZERO];
wolfSSL 7:481bce714567 6486 int algoSz;
wolfSSL 7:481bce714567 6487 int curveSz;
wolfSSL 7:481bce714567 6488 int lenSz;
wolfSSL 7:481bce714567 6489 int idx;
wolfSSL 7:481bce714567 6490 word32 pubSz = ECC_BUFSIZE;
wolfSSL 7:481bce714567 6491 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6492 byte* algo = NULL;
wolfSSL 7:481bce714567 6493 byte* curve = NULL;
wolfSSL 7:481bce714567 6494 byte* pub = NULL;
wolfSSL 7:481bce714567 6495 #else
wolfSSL 7:481bce714567 6496 byte algo[MAX_ALGO_SZ];
wolfSSL 7:481bce714567 6497 byte curve[MAX_ALGO_SZ];
wolfSSL 7:481bce714567 6498 byte pub[ECC_BUFSIZE];
wolfSSL 7:481bce714567 6499 #endif
wolfSSL 7:481bce714567 6500
wolfSSL 7:481bce714567 6501 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6502 pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6503 if (pub == NULL)
wolfSSL 7:481bce714567 6504 return MEMORY_E;
wolfSSL 7:481bce714567 6505 #endif
wolfSSL 7:481bce714567 6506
wolfSSL 7:481bce714567 6507 int ret = wc_ecc_export_x963(key, pub, &pubSz);
wolfSSL 7:481bce714567 6508 if (ret != 0) {
wolfSSL 7:481bce714567 6509 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6510 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6511 #endif
wolfSSL 7:481bce714567 6512 return ret;
wolfSSL 7:481bce714567 6513 }
wolfSSL 7:481bce714567 6514
wolfSSL 7:481bce714567 6515 /* headers */
wolfSSL 7:481bce714567 6516 if (with_header) {
wolfSSL 7:481bce714567 6517 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6518 curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6519 if (curve == NULL) {
wolfSSL 7:481bce714567 6520 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6521 return MEMORY_E;
wolfSSL 7:481bce714567 6522 }
wolfSSL 7:481bce714567 6523 #endif
wolfSSL 7:481bce714567 6524 curveSz = SetCurve(key, curve);
wolfSSL 7:481bce714567 6525 if (curveSz <= 0) {
wolfSSL 7:481bce714567 6526 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6527 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6528 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6529 #endif
wolfSSL 7:481bce714567 6530 return curveSz;
wolfSSL 7:481bce714567 6531 }
wolfSSL 7:481bce714567 6532
wolfSSL 7:481bce714567 6533 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6534 algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6535 if (algo == NULL) {
wolfSSL 7:481bce714567 6536 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6537 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6538 return MEMORY_E;
wolfSSL 7:481bce714567 6539 }
wolfSSL 7:481bce714567 6540 #endif
wolfSSL 7:481bce714567 6541 algoSz = SetAlgoID(ECDSAk, algo, oidKeyType, curveSz);
wolfSSL 7:481bce714567 6542
wolfSSL 7:481bce714567 6543 lenSz = SetLength(pubSz + TRAILING_ZERO, len);
wolfSSL 7:481bce714567 6544 len[lenSz++] = 0; /* trailing 0 */
wolfSSL 7:481bce714567 6545
wolfSSL 7:481bce714567 6546 /* write, 1 is for ASN_BIT_STRING */
wolfSSL 7:481bce714567 6547 idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output);
wolfSSL 7:481bce714567 6548 /* algo */
wolfSSL 7:481bce714567 6549 XMEMCPY(output + idx, algo, algoSz);
wolfSSL 7:481bce714567 6550 idx += algoSz;
wolfSSL 7:481bce714567 6551 /* curve */
wolfSSL 7:481bce714567 6552 XMEMCPY(output + idx, curve, curveSz);
wolfSSL 7:481bce714567 6553 idx += curveSz;
wolfSSL 7:481bce714567 6554 /* bit string */
wolfSSL 7:481bce714567 6555 output[idx++] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 6556 /* length */
wolfSSL 7:481bce714567 6557 XMEMCPY(output + idx, len, lenSz);
wolfSSL 7:481bce714567 6558 idx += lenSz;
wolfSSL 7:481bce714567 6559 }
wolfSSL 7:481bce714567 6560 else
wolfSSL 7:481bce714567 6561 idx = 0;
wolfSSL 7:481bce714567 6562
wolfSSL 7:481bce714567 6563 /* pub */
wolfSSL 7:481bce714567 6564 XMEMCPY(output + idx, pub, pubSz);
wolfSSL 7:481bce714567 6565 idx += pubSz;
wolfSSL 7:481bce714567 6566
wolfSSL 7:481bce714567 6567 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 6568 if (with_header) {
wolfSSL 7:481bce714567 6569 XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6570 XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6571 }
wolfSSL 7:481bce714567 6572 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 6573 #endif
wolfSSL 7:481bce714567 6574
wolfSSL 7:481bce714567 6575 return idx;
wolfSSL 7:481bce714567 6576 }
wolfSSL 7:481bce714567 6577
wolfSSL 7:481bce714567 6578
wolfSSL 7:481bce714567 6579 /* returns the size of buffer used, the public ECC key in DER format is stored
wolfSSL 7:481bce714567 6580 in output buffer
wolfSSL 7:481bce714567 6581 with_AlgCurve is a flag for when to include a header that has the Algorithm
wolfSSL 7:481bce714567 6582 and Curve infromation */
wolfSSL 7:481bce714567 6583 int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
wolfSSL 7:481bce714567 6584 int with_AlgCurve)
wolfSSL 7:481bce714567 6585 {
wolfSSL 7:481bce714567 6586 word32 infoSz = 0;
wolfSSL 7:481bce714567 6587 word32 keySz = 0;
wolfSSL 7:481bce714567 6588 int ret;
wolfSSL 7:481bce714567 6589
wolfSSL 7:481bce714567 6590 if (output == NULL || key == NULL) {
wolfSSL 7:481bce714567 6591 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6592 }
wolfSSL 7:481bce714567 6593
wolfSSL 7:481bce714567 6594 if (with_AlgCurve) {
wolfSSL 7:481bce714567 6595 /* buffer space for algorithm/curve */
wolfSSL 7:481bce714567 6596 infoSz += MAX_SEQ_SZ;
wolfSSL 7:481bce714567 6597 infoSz += 2 * MAX_ALGO_SZ;
wolfSSL 7:481bce714567 6598
wolfSSL 7:481bce714567 6599 /* buffer space for public key sequence */
wolfSSL 7:481bce714567 6600 infoSz += MAX_SEQ_SZ;
wolfSSL 7:481bce714567 6601 infoSz += TRAILING_ZERO;
wolfSSL 7:481bce714567 6602 }
wolfSSL 7:481bce714567 6603
wolfSSL 7:481bce714567 6604 if ((ret = wc_ecc_export_x963(key, NULL, &keySz)) != LENGTH_ONLY_E) {
wolfSSL 7:481bce714567 6605 WOLFSSL_MSG("Error in getting ECC public key size");
wolfSSL 7:481bce714567 6606 return ret;
wolfSSL 7:481bce714567 6607 }
wolfSSL 7:481bce714567 6608
wolfSSL 7:481bce714567 6609 if (inLen < keySz + infoSz) {
wolfSSL 7:481bce714567 6610 return BUFFER_E;
wolfSSL 7:481bce714567 6611 }
wolfSSL 7:481bce714567 6612
wolfSSL 7:481bce714567 6613 return SetEccPublicKey(output, key, with_AlgCurve);
wolfSSL 7:481bce714567 6614 }
wolfSSL 7:481bce714567 6615 #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
wolfSSL 7:481bce714567 6616 #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL 7:481bce714567 6617
wolfSSL 7:481bce714567 6618 static INLINE byte itob(int number)
wolfSSL 7:481bce714567 6619 {
wolfSSL 7:481bce714567 6620 return (byte)number + 0x30;
wolfSSL 7:481bce714567 6621 }
wolfSSL 7:481bce714567 6622
wolfSSL 7:481bce714567 6623
wolfSSL 7:481bce714567 6624 /* write time to output, format */
wolfSSL 7:481bce714567 6625 static void SetTime(struct tm* date, byte* output)
wolfSSL 7:481bce714567 6626 {
wolfSSL 7:481bce714567 6627 int i = 0;
wolfSSL 7:481bce714567 6628
wolfSSL 7:481bce714567 6629 output[i++] = itob((date->tm_year % 10000) / 1000);
wolfSSL 7:481bce714567 6630 output[i++] = itob((date->tm_year % 1000) / 100);
wolfSSL 7:481bce714567 6631 output[i++] = itob((date->tm_year % 100) / 10);
wolfSSL 7:481bce714567 6632 output[i++] = itob( date->tm_year % 10);
wolfSSL 7:481bce714567 6633
wolfSSL 7:481bce714567 6634 output[i++] = itob(date->tm_mon / 10);
wolfSSL 7:481bce714567 6635 output[i++] = itob(date->tm_mon % 10);
wolfSSL 7:481bce714567 6636
wolfSSL 7:481bce714567 6637 output[i++] = itob(date->tm_mday / 10);
wolfSSL 7:481bce714567 6638 output[i++] = itob(date->tm_mday % 10);
wolfSSL 7:481bce714567 6639
wolfSSL 7:481bce714567 6640 output[i++] = itob(date->tm_hour / 10);
wolfSSL 7:481bce714567 6641 output[i++] = itob(date->tm_hour % 10);
wolfSSL 7:481bce714567 6642
wolfSSL 7:481bce714567 6643 output[i++] = itob(date->tm_min / 10);
wolfSSL 7:481bce714567 6644 output[i++] = itob(date->tm_min % 10);
wolfSSL 7:481bce714567 6645
wolfSSL 7:481bce714567 6646 output[i++] = itob(date->tm_sec / 10);
wolfSSL 7:481bce714567 6647 output[i++] = itob(date->tm_sec % 10);
wolfSSL 7:481bce714567 6648
wolfSSL 7:481bce714567 6649 output[i] = 'Z'; /* Zulu profile */
wolfSSL 7:481bce714567 6650 }
wolfSSL 7:481bce714567 6651
wolfSSL 7:481bce714567 6652
wolfSSL 7:481bce714567 6653 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 6654
wolfSSL 7:481bce714567 6655 /* Copy Dates from cert, return bytes written */
wolfSSL 7:481bce714567 6656 static int CopyValidity(byte* output, Cert* cert)
wolfSSL 7:481bce714567 6657 {
wolfSSL 7:481bce714567 6658 int seqSz;
wolfSSL 7:481bce714567 6659
wolfSSL 7:481bce714567 6660 WOLFSSL_ENTER("CopyValidity");
wolfSSL 7:481bce714567 6661
wolfSSL 7:481bce714567 6662 /* headers and output */
wolfSSL 7:481bce714567 6663 seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
wolfSSL 7:481bce714567 6664 XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
wolfSSL 7:481bce714567 6665 XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
wolfSSL 7:481bce714567 6666 cert->afterDateSz);
wolfSSL 7:481bce714567 6667 return seqSz + cert->beforeDateSz + cert->afterDateSz;
wolfSSL 7:481bce714567 6668 }
wolfSSL 7:481bce714567 6669
wolfSSL 7:481bce714567 6670 #endif
wolfSSL 7:481bce714567 6671
wolfSSL 7:481bce714567 6672
wolfSSL 7:481bce714567 6673 /* for systems where mktime() doesn't normalize fully */
wolfSSL 7:481bce714567 6674 static void RebuildTime(time_t* in, struct tm* out)
wolfSSL 7:481bce714567 6675 {
wolfSSL 7:481bce714567 6676 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 7:481bce714567 6677 out = localtime_r(in, out);
wolfSSL 7:481bce714567 6678 #else
wolfSSL 7:481bce714567 6679 (void)in;
wolfSSL 7:481bce714567 6680 (void)out;
wolfSSL 7:481bce714567 6681 #endif
wolfSSL 7:481bce714567 6682 }
wolfSSL 7:481bce714567 6683
wolfSSL 7:481bce714567 6684
wolfSSL 7:481bce714567 6685 /* Set Date validity from now until now + daysValid
wolfSSL 7:481bce714567 6686 * return size in bytes written to output, 0 on error */
wolfSSL 7:481bce714567 6687 static int SetValidity(byte* output, int daysValid)
wolfSSL 7:481bce714567 6688 {
wolfSSL 7:481bce714567 6689 byte before[MAX_DATE_SIZE];
wolfSSL 7:481bce714567 6690 byte after[MAX_DATE_SIZE];
wolfSSL 7:481bce714567 6691
wolfSSL 7:481bce714567 6692 int beforeSz;
wolfSSL 7:481bce714567 6693 int afterSz;
wolfSSL 7:481bce714567 6694 int seqSz;
wolfSSL 7:481bce714567 6695
wolfSSL 7:481bce714567 6696 time_t ticks;
wolfSSL 7:481bce714567 6697 time_t normalTime;
wolfSSL 7:481bce714567 6698 struct tm* now;
wolfSSL 7:481bce714567 6699 struct tm* tmpTime = NULL;
wolfSSL 7:481bce714567 6700 struct tm local;
wolfSSL 7:481bce714567 6701
wolfSSL 7:481bce714567 6702 #if defined(NEED_TMP_TIME)
wolfSSL 7:481bce714567 6703 /* for use with gmtime_r */
wolfSSL 7:481bce714567 6704 struct tm tmpTimeStorage;
wolfSSL 7:481bce714567 6705 tmpTime = &tmpTimeStorage;
wolfSSL 7:481bce714567 6706 #else
wolfSSL 7:481bce714567 6707 (void)tmpTime;
wolfSSL 7:481bce714567 6708 #endif
wolfSSL 7:481bce714567 6709
wolfSSL 7:481bce714567 6710 ticks = XTIME(0);
wolfSSL 7:481bce714567 6711 now = XGMTIME(&ticks, tmpTime);
wolfSSL 7:481bce714567 6712
wolfSSL 7:481bce714567 6713 if (now == NULL) {
wolfSSL 7:481bce714567 6714 WOLFSSL_MSG("XGMTIME failed");
wolfSSL 7:481bce714567 6715 return 0; /* error */
wolfSSL 7:481bce714567 6716 }
wolfSSL 7:481bce714567 6717
wolfSSL 7:481bce714567 6718 /* before now */
wolfSSL 7:481bce714567 6719 local = *now;
wolfSSL 7:481bce714567 6720 before[0] = ASN_GENERALIZED_TIME;
wolfSSL 7:481bce714567 6721 beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */
wolfSSL 7:481bce714567 6722
wolfSSL 7:481bce714567 6723 /* subtract 1 day for more compliance */
wolfSSL 7:481bce714567 6724 local.tm_mday -= 1;
wolfSSL 7:481bce714567 6725 normalTime = mktime(&local);
wolfSSL 7:481bce714567 6726 RebuildTime(&normalTime, &local);
wolfSSL 7:481bce714567 6727
wolfSSL 7:481bce714567 6728 /* adjust */
wolfSSL 7:481bce714567 6729 local.tm_year += 1900;
wolfSSL 7:481bce714567 6730 local.tm_mon += 1;
wolfSSL 7:481bce714567 6731
wolfSSL 7:481bce714567 6732 SetTime(&local, before + beforeSz);
wolfSSL 7:481bce714567 6733 beforeSz += ASN_GEN_TIME_SZ;
wolfSSL 7:481bce714567 6734
wolfSSL 7:481bce714567 6735 /* after now + daysValid */
wolfSSL 7:481bce714567 6736 local = *now;
wolfSSL 7:481bce714567 6737 after[0] = ASN_GENERALIZED_TIME;
wolfSSL 7:481bce714567 6738 afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */
wolfSSL 7:481bce714567 6739
wolfSSL 7:481bce714567 6740 /* add daysValid */
wolfSSL 7:481bce714567 6741 local.tm_mday += daysValid;
wolfSSL 7:481bce714567 6742 normalTime = mktime(&local);
wolfSSL 7:481bce714567 6743 RebuildTime(&normalTime, &local);
wolfSSL 7:481bce714567 6744
wolfSSL 7:481bce714567 6745 /* adjust */
wolfSSL 7:481bce714567 6746 local.tm_year += 1900;
wolfSSL 7:481bce714567 6747 local.tm_mon += 1;
wolfSSL 7:481bce714567 6748
wolfSSL 7:481bce714567 6749 SetTime(&local, after + afterSz);
wolfSSL 7:481bce714567 6750 afterSz += ASN_GEN_TIME_SZ;
wolfSSL 7:481bce714567 6751
wolfSSL 7:481bce714567 6752 /* headers and output */
wolfSSL 7:481bce714567 6753 seqSz = SetSequence(beforeSz + afterSz, output);
wolfSSL 7:481bce714567 6754 XMEMCPY(output + seqSz, before, beforeSz);
wolfSSL 7:481bce714567 6755 XMEMCPY(output + seqSz + beforeSz, after, afterSz);
wolfSSL 7:481bce714567 6756
wolfSSL 7:481bce714567 6757 return seqSz + beforeSz + afterSz;
wolfSSL 7:481bce714567 6758 }
wolfSSL 7:481bce714567 6759
wolfSSL 7:481bce714567 6760
wolfSSL 7:481bce714567 6761 /* ASN Encoded Name field */
wolfSSL 7:481bce714567 6762 typedef struct EncodedName {
wolfSSL 7:481bce714567 6763 int nameLen; /* actual string value length */
wolfSSL 7:481bce714567 6764 int totalLen; /* total encoded length */
wolfSSL 7:481bce714567 6765 int type; /* type of name */
wolfSSL 7:481bce714567 6766 int used; /* are we actually using this one */
wolfSSL 7:481bce714567 6767 byte encoded[CTC_NAME_SIZE * 2]; /* encoding */
wolfSSL 7:481bce714567 6768 } EncodedName;
wolfSSL 7:481bce714567 6769
wolfSSL 7:481bce714567 6770
wolfSSL 7:481bce714567 6771 /* Get Which Name from index */
wolfSSL 7:481bce714567 6772 static const char* GetOneName(CertName* name, int idx)
wolfSSL 7:481bce714567 6773 {
wolfSSL 7:481bce714567 6774 switch (idx) {
wolfSSL 7:481bce714567 6775 case 0:
wolfSSL 7:481bce714567 6776 return name->country;
wolfSSL 7:481bce714567 6777
wolfSSL 7:481bce714567 6778 case 1:
wolfSSL 7:481bce714567 6779 return name->state;
wolfSSL 7:481bce714567 6780
wolfSSL 7:481bce714567 6781 case 2:
wolfSSL 7:481bce714567 6782 return name->locality;
wolfSSL 7:481bce714567 6783
wolfSSL 7:481bce714567 6784 case 3:
wolfSSL 7:481bce714567 6785 return name->sur;
wolfSSL 7:481bce714567 6786
wolfSSL 7:481bce714567 6787 case 4:
wolfSSL 7:481bce714567 6788 return name->org;
wolfSSL 7:481bce714567 6789
wolfSSL 7:481bce714567 6790 case 5:
wolfSSL 7:481bce714567 6791 return name->unit;
wolfSSL 7:481bce714567 6792
wolfSSL 7:481bce714567 6793 case 6:
wolfSSL 7:481bce714567 6794 return name->commonName;
wolfSSL 7:481bce714567 6795
wolfSSL 7:481bce714567 6796 case 7:
wolfSSL 7:481bce714567 6797 return name->email;
wolfSSL 7:481bce714567 6798
wolfSSL 7:481bce714567 6799 default:
wolfSSL 7:481bce714567 6800 return 0;
wolfSSL 7:481bce714567 6801 }
wolfSSL 7:481bce714567 6802 }
wolfSSL 7:481bce714567 6803
wolfSSL 7:481bce714567 6804
wolfSSL 7:481bce714567 6805 /* Get Which Name Encoding from index */
wolfSSL 7:481bce714567 6806 static char GetNameType(CertName* name, int idx)
wolfSSL 7:481bce714567 6807 {
wolfSSL 7:481bce714567 6808 switch (idx) {
wolfSSL 7:481bce714567 6809 case 0:
wolfSSL 7:481bce714567 6810 return name->countryEnc;
wolfSSL 7:481bce714567 6811
wolfSSL 7:481bce714567 6812 case 1:
wolfSSL 7:481bce714567 6813 return name->stateEnc;
wolfSSL 7:481bce714567 6814
wolfSSL 7:481bce714567 6815 case 2:
wolfSSL 7:481bce714567 6816 return name->localityEnc;
wolfSSL 7:481bce714567 6817
wolfSSL 7:481bce714567 6818 case 3:
wolfSSL 7:481bce714567 6819 return name->surEnc;
wolfSSL 7:481bce714567 6820
wolfSSL 7:481bce714567 6821 case 4:
wolfSSL 7:481bce714567 6822 return name->orgEnc;
wolfSSL 7:481bce714567 6823
wolfSSL 7:481bce714567 6824 case 5:
wolfSSL 7:481bce714567 6825 return name->unitEnc;
wolfSSL 7:481bce714567 6826
wolfSSL 7:481bce714567 6827 case 6:
wolfSSL 7:481bce714567 6828 return name->commonNameEnc;
wolfSSL 7:481bce714567 6829
wolfSSL 7:481bce714567 6830 default:
wolfSSL 7:481bce714567 6831 return 0;
wolfSSL 7:481bce714567 6832 }
wolfSSL 7:481bce714567 6833 }
wolfSSL 7:481bce714567 6834
wolfSSL 7:481bce714567 6835
wolfSSL 7:481bce714567 6836 /* Get ASN Name from index */
wolfSSL 7:481bce714567 6837 static byte GetNameId(int idx)
wolfSSL 7:481bce714567 6838 {
wolfSSL 7:481bce714567 6839 switch (idx) {
wolfSSL 7:481bce714567 6840 case 0:
wolfSSL 7:481bce714567 6841 return ASN_COUNTRY_NAME;
wolfSSL 7:481bce714567 6842
wolfSSL 7:481bce714567 6843 case 1:
wolfSSL 7:481bce714567 6844 return ASN_STATE_NAME;
wolfSSL 7:481bce714567 6845
wolfSSL 7:481bce714567 6846 case 2:
wolfSSL 7:481bce714567 6847 return ASN_LOCALITY_NAME;
wolfSSL 7:481bce714567 6848
wolfSSL 7:481bce714567 6849 case 3:
wolfSSL 7:481bce714567 6850 return ASN_SUR_NAME;
wolfSSL 7:481bce714567 6851
wolfSSL 7:481bce714567 6852 case 4:
wolfSSL 7:481bce714567 6853 return ASN_ORG_NAME;
wolfSSL 7:481bce714567 6854
wolfSSL 7:481bce714567 6855 case 5:
wolfSSL 7:481bce714567 6856 return ASN_ORGUNIT_NAME;
wolfSSL 7:481bce714567 6857
wolfSSL 7:481bce714567 6858 case 6:
wolfSSL 7:481bce714567 6859 return ASN_COMMON_NAME;
wolfSSL 7:481bce714567 6860
wolfSSL 7:481bce714567 6861 case 7:
wolfSSL 7:481bce714567 6862 /* email uses different id type */
wolfSSL 7:481bce714567 6863 return 0;
wolfSSL 7:481bce714567 6864
wolfSSL 7:481bce714567 6865 default:
wolfSSL 7:481bce714567 6866 return 0;
wolfSSL 7:481bce714567 6867 }
wolfSSL 7:481bce714567 6868 }
wolfSSL 7:481bce714567 6869
wolfSSL 7:481bce714567 6870 /*
wolfSSL 7:481bce714567 6871 Extensions ::= SEQUENCE OF Extension
wolfSSL 7:481bce714567 6872
wolfSSL 7:481bce714567 6873 Extension ::= SEQUENCE {
wolfSSL 7:481bce714567 6874 extnId OBJECT IDENTIFIER,
wolfSSL 7:481bce714567 6875 critical BOOLEAN DEFAULT FALSE,
wolfSSL 7:481bce714567 6876 extnValue OCTET STRING }
wolfSSL 7:481bce714567 6877 */
wolfSSL 7:481bce714567 6878
wolfSSL 7:481bce714567 6879 /* encode all extensions, return total bytes written */
wolfSSL 7:481bce714567 6880 static int SetExtensions(byte* out, word32 outSz, int *IdxInOut,
wolfSSL 7:481bce714567 6881 const byte* ext, int extSz)
wolfSSL 7:481bce714567 6882 {
wolfSSL 7:481bce714567 6883 if (out == NULL || IdxInOut == NULL || ext == NULL)
wolfSSL 7:481bce714567 6884 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6885
wolfSSL 7:481bce714567 6886 if (outSz < (word32)(*IdxInOut+extSz))
wolfSSL 7:481bce714567 6887 return BUFFER_E;
wolfSSL 7:481bce714567 6888
wolfSSL 7:481bce714567 6889 XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */
wolfSSL 7:481bce714567 6890 *IdxInOut += extSz;
wolfSSL 7:481bce714567 6891
wolfSSL 7:481bce714567 6892 return *IdxInOut;
wolfSSL 7:481bce714567 6893 }
wolfSSL 7:481bce714567 6894
wolfSSL 7:481bce714567 6895 /* encode extensions header, return total bytes written */
wolfSSL 7:481bce714567 6896 static int SetExtensionsHeader(byte* out, word32 outSz, int extSz)
wolfSSL 7:481bce714567 6897 {
wolfSSL 7:481bce714567 6898 byte sequence[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 6899 byte len[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 6900 int seqSz, lenSz, idx = 0;
wolfSSL 7:481bce714567 6901
wolfSSL 7:481bce714567 6902 if (out == NULL)
wolfSSL 7:481bce714567 6903 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6904
wolfSSL 7:481bce714567 6905 if (outSz < 3)
wolfSSL 7:481bce714567 6906 return BUFFER_E;
wolfSSL 7:481bce714567 6907
wolfSSL 7:481bce714567 6908 seqSz = SetSequence(extSz, sequence);
wolfSSL 7:481bce714567 6909
wolfSSL 7:481bce714567 6910 /* encode extensions length provided */
wolfSSL 7:481bce714567 6911 lenSz = SetLength(extSz+seqSz, len);
wolfSSL 7:481bce714567 6912
wolfSSL 7:481bce714567 6913 if (outSz < (word32)(lenSz+seqSz+1))
wolfSSL 7:481bce714567 6914 return BUFFER_E;
wolfSSL 7:481bce714567 6915
wolfSSL 7:481bce714567 6916 out[idx++] = ASN_EXTENSIONS; /* extensions id */
wolfSSL 7:481bce714567 6917 XMEMCPY(&out[idx], len, lenSz); /* length */
wolfSSL 7:481bce714567 6918 idx += lenSz;
wolfSSL 7:481bce714567 6919
wolfSSL 7:481bce714567 6920 XMEMCPY(&out[idx], sequence, seqSz); /* sequence */
wolfSSL 7:481bce714567 6921 idx += seqSz;
wolfSSL 7:481bce714567 6922
wolfSSL 7:481bce714567 6923 return idx;
wolfSSL 7:481bce714567 6924 }
wolfSSL 7:481bce714567 6925
wolfSSL 7:481bce714567 6926
wolfSSL 7:481bce714567 6927 /* encode CA basic constraint true, return total bytes written */
wolfSSL 7:481bce714567 6928 static int SetCa(byte* out, word32 outSz)
wolfSSL 7:481bce714567 6929 {
wolfSSL 7:481bce714567 6930 static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
wolfSSL 7:481bce714567 6931 0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
wolfSSL 7:481bce714567 6932
wolfSSL 7:481bce714567 6933 if (out == NULL)
wolfSSL 7:481bce714567 6934 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6935
wolfSSL 7:481bce714567 6936 if (outSz < sizeof(ca))
wolfSSL 7:481bce714567 6937 return BUFFER_E;
wolfSSL 7:481bce714567 6938
wolfSSL 7:481bce714567 6939 XMEMCPY(out, ca, sizeof(ca));
wolfSSL 7:481bce714567 6940
wolfSSL 7:481bce714567 6941 return (int)sizeof(ca);
wolfSSL 7:481bce714567 6942 }
wolfSSL 7:481bce714567 6943
wolfSSL 7:481bce714567 6944
wolfSSL 7:481bce714567 6945 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 6946 /* encode OID and associated value, return total bytes written */
wolfSSL 7:481bce714567 6947 static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz,
wolfSSL 7:481bce714567 6948 byte *in, word32 inSz)
wolfSSL 7:481bce714567 6949 {
wolfSSL 7:481bce714567 6950 int idx = 0;
wolfSSL 7:481bce714567 6951
wolfSSL 7:481bce714567 6952 if (out == NULL || oid == NULL || in == NULL)
wolfSSL 7:481bce714567 6953 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6954
wolfSSL 7:481bce714567 6955 if (outSz < 3)
wolfSSL 7:481bce714567 6956 return BUFFER_E;
wolfSSL 7:481bce714567 6957
wolfSSL 7:481bce714567 6958 /* sequence, + 1 => byte to put value size */
wolfSSL 7:481bce714567 6959 idx = SetSequence(inSz + oidSz + 1, out);
wolfSSL 7:481bce714567 6960
wolfSSL 7:481bce714567 6961 if ((idx + inSz + oidSz + 1) > outSz)
wolfSSL 7:481bce714567 6962 return BUFFER_E;
wolfSSL 7:481bce714567 6963
wolfSSL 7:481bce714567 6964 XMEMCPY(out+idx, oid, oidSz);
wolfSSL 7:481bce714567 6965 idx += oidSz;
wolfSSL 7:481bce714567 6966 out[idx++] = (byte)inSz;
wolfSSL 7:481bce714567 6967 XMEMCPY(out+idx, in, inSz);
wolfSSL 7:481bce714567 6968
wolfSSL 7:481bce714567 6969 return (idx+inSz);
wolfSSL 7:481bce714567 6970 }
wolfSSL 7:481bce714567 6971
wolfSSL 7:481bce714567 6972 /* encode Subject Key Identifier, return total bytes written
wolfSSL 7:481bce714567 6973 * RFC5280 : non-critical */
wolfSSL 7:481bce714567 6974 static int SetSKID(byte* output, word32 outSz, byte *input, word32 length)
wolfSSL 7:481bce714567 6975 {
wolfSSL 7:481bce714567 6976 byte skid_len[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 6977 byte skid_enc_len[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 6978 int idx = 0, skid_lenSz, skid_enc_lenSz;
wolfSSL 7:481bce714567 6979 static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 };
wolfSSL 7:481bce714567 6980
wolfSSL 7:481bce714567 6981 if (output == NULL || input == NULL)
wolfSSL 7:481bce714567 6982 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 6983
wolfSSL 7:481bce714567 6984 /* length of value */
wolfSSL 7:481bce714567 6985 skid_lenSz = SetLength(length, skid_len);
wolfSSL 7:481bce714567 6986
wolfSSL 7:481bce714567 6987 /* length of encoded value */
wolfSSL 7:481bce714567 6988 skid_enc_lenSz = SetLength(length + skid_lenSz + 1, skid_enc_len);
wolfSSL 7:481bce714567 6989
wolfSSL 7:481bce714567 6990 if (outSz < 3)
wolfSSL 7:481bce714567 6991 return BUFFER_E;
wolfSSL 7:481bce714567 6992
wolfSSL 7:481bce714567 6993 /* sequence, + 1 => byte to put type size */
wolfSSL 7:481bce714567 6994 idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz+1,
wolfSSL 7:481bce714567 6995 output);
wolfSSL 7:481bce714567 6996
wolfSSL 7:481bce714567 6997 if ((length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz + 1) > outSz)
wolfSSL 7:481bce714567 6998 return BUFFER_E;
wolfSSL 7:481bce714567 6999
wolfSSL 7:481bce714567 7000 /* put oid */
wolfSSL 7:481bce714567 7001 XMEMCPY(output+idx, skid_oid, sizeof(skid_oid));
wolfSSL 7:481bce714567 7002 idx += sizeof(skid_oid);
wolfSSL 7:481bce714567 7003
wolfSSL 7:481bce714567 7004 /* put encoded len */
wolfSSL 7:481bce714567 7005 XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz);
wolfSSL 7:481bce714567 7006 idx += skid_enc_lenSz;
wolfSSL 7:481bce714567 7007
wolfSSL 7:481bce714567 7008 /* put type */
wolfSSL 7:481bce714567 7009 output[idx++] = ASN_OCTET_STRING;
wolfSSL 7:481bce714567 7010
wolfSSL 7:481bce714567 7011 /* put value len */
wolfSSL 7:481bce714567 7012 XMEMCPY(output+idx, skid_len, skid_lenSz);
wolfSSL 7:481bce714567 7013 idx += skid_lenSz;
wolfSSL 7:481bce714567 7014
wolfSSL 7:481bce714567 7015 /* put value */
wolfSSL 7:481bce714567 7016 XMEMCPY(output+idx, input, length);
wolfSSL 7:481bce714567 7017 idx += length;
wolfSSL 7:481bce714567 7018
wolfSSL 7:481bce714567 7019 return idx;
wolfSSL 7:481bce714567 7020 }
wolfSSL 7:481bce714567 7021
wolfSSL 7:481bce714567 7022 /* encode Authority Key Identifier, return total bytes written
wolfSSL 7:481bce714567 7023 * RFC5280 : non-critical */
wolfSSL 7:481bce714567 7024 static int SetAKID(byte* output, word32 outSz,
wolfSSL 7:481bce714567 7025 byte *input, word32 length, void* heap)
wolfSSL 7:481bce714567 7026 {
wolfSSL 7:481bce714567 7027 byte *enc_val;
wolfSSL 7:481bce714567 7028 int ret, enc_valSz;
wolfSSL 7:481bce714567 7029 static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04};
wolfSSL 7:481bce714567 7030 static const byte akid_cs[] = { 0x80 };
wolfSSL 7:481bce714567 7031
wolfSSL 7:481bce714567 7032 if (output == NULL || input == NULL)
wolfSSL 7:481bce714567 7033 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7034
wolfSSL 7:481bce714567 7035 enc_val = (byte *)XMALLOC(length+3+sizeof(akid_cs), heap,
wolfSSL 7:481bce714567 7036 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7037 if (enc_val == NULL)
wolfSSL 7:481bce714567 7038 return MEMORY_E;
wolfSSL 7:481bce714567 7039
wolfSSL 7:481bce714567 7040 /* sequence for ContentSpec & value */
wolfSSL 7:481bce714567 7041 enc_valSz = SetOidValue(enc_val, length+3+sizeof(akid_cs),
wolfSSL 7:481bce714567 7042 akid_cs, sizeof(akid_cs), input, length);
wolfSSL 7:481bce714567 7043 if (enc_valSz == 0) {
wolfSSL 7:481bce714567 7044 XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7045 return 0;
wolfSSL 7:481bce714567 7046 }
wolfSSL 7:481bce714567 7047
wolfSSL 7:481bce714567 7048 ret = SetOidValue(output, outSz, akid_oid,
wolfSSL 7:481bce714567 7049 sizeof(akid_oid), enc_val, enc_valSz);
wolfSSL 7:481bce714567 7050
wolfSSL 7:481bce714567 7051 XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7052 return ret;
wolfSSL 7:481bce714567 7053 }
wolfSSL 7:481bce714567 7054
wolfSSL 7:481bce714567 7055 /* encode Key Usage, return total bytes written
wolfSSL 7:481bce714567 7056 * RFC5280 : critical */
wolfSSL 7:481bce714567 7057 static int SetKeyUsage(byte* output, word32 outSz, word16 input)
wolfSSL 7:481bce714567 7058 {
wolfSSL 7:481bce714567 7059 byte ku[5];
wolfSSL 7:481bce714567 7060 int unusedBits = 0;
wolfSSL 7:481bce714567 7061 static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f,
wolfSSL 7:481bce714567 7062 0x01, 0x01, 0xff, 0x04};
wolfSSL 7:481bce714567 7063
wolfSSL 7:481bce714567 7064 if (output == NULL)
wolfSSL 7:481bce714567 7065 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7066
wolfSSL 7:481bce714567 7067 /* Key Usage is a BitString */
wolfSSL 7:481bce714567 7068 ku[0] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 7069
wolfSSL 7:481bce714567 7070 /* put the Bit String size */
wolfSSL 7:481bce714567 7071 if (input > 255) {
wolfSSL 7:481bce714567 7072 ku[1] = (byte)3;
wolfSSL 7:481bce714567 7073
wolfSSL 7:481bce714567 7074 /* compute unused bits */
wolfSSL 7:481bce714567 7075 while (((((input >> 8) & 0xff) >> unusedBits) & 0x01) == 0)
wolfSSL 7:481bce714567 7076 unusedBits++;
wolfSSL 7:481bce714567 7077 }
wolfSSL 7:481bce714567 7078 else {
wolfSSL 7:481bce714567 7079 ku[1] = (byte)2;
wolfSSL 7:481bce714567 7080
wolfSSL 7:481bce714567 7081 /* compute unused bits */
wolfSSL 7:481bce714567 7082 while (((input >> unusedBits) & 0x01) == 0)
wolfSSL 7:481bce714567 7083 unusedBits++;
wolfSSL 7:481bce714567 7084 }
wolfSSL 7:481bce714567 7085
wolfSSL 7:481bce714567 7086 /* put unused bits value */
wolfSSL 7:481bce714567 7087 ku[2] = (byte)unusedBits;
wolfSSL 7:481bce714567 7088
wolfSSL 7:481bce714567 7089 /* compute byte value */
wolfSSL 7:481bce714567 7090 ku[3] = (byte)(input & 0xff);
wolfSSL 7:481bce714567 7091 if (input > 255)
wolfSSL 7:481bce714567 7092 ku[4] = (byte)((input >> 8) & 0xff);
wolfSSL 7:481bce714567 7093
wolfSSL 7:481bce714567 7094 return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid),
wolfSSL 7:481bce714567 7095 ku, (int)ku[1]+2);
wolfSSL 7:481bce714567 7096 }
wolfSSL 7:481bce714567 7097
wolfSSL 7:481bce714567 7098 /* Encode OID string representation to ITU-T X.690 format */
wolfSSL 7:481bce714567 7099 static int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
wolfSSL 7:481bce714567 7100 {
wolfSSL 7:481bce714567 7101 word32 val, idx = 0, nb_val;
wolfSSL 7:481bce714567 7102 char *token, *str, *ptr;
wolfSSL 7:481bce714567 7103 word32 len;
wolfSSL 7:481bce714567 7104
wolfSSL 7:481bce714567 7105 if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL)
wolfSSL 7:481bce714567 7106 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7107
wolfSSL 7:481bce714567 7108 len = (word32)XSTRLEN(in);
wolfSSL 7:481bce714567 7109
wolfSSL 7:481bce714567 7110 str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7111 if (str == NULL)
wolfSSL 7:481bce714567 7112 return MEMORY_E;
wolfSSL 7:481bce714567 7113
wolfSSL 7:481bce714567 7114 XSTRNCPY(str, in, len);
wolfSSL 7:481bce714567 7115 str[len] = 0x00;
wolfSSL 7:481bce714567 7116
wolfSSL 7:481bce714567 7117 nb_val = 0;
wolfSSL 7:481bce714567 7118
wolfSSL 7:481bce714567 7119 /* parse value, and set corresponding Policy OID value */
wolfSSL 7:481bce714567 7120 token = XSTRTOK(str, ".", &ptr);
wolfSSL 7:481bce714567 7121 while (token != NULL)
wolfSSL 7:481bce714567 7122 {
wolfSSL 7:481bce714567 7123 val = (word32)atoi(token);
wolfSSL 7:481bce714567 7124
wolfSSL 7:481bce714567 7125 if (nb_val == 0) {
wolfSSL 7:481bce714567 7126 if (val > 2) {
wolfSSL 7:481bce714567 7127 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7128 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 7129 }
wolfSSL 7:481bce714567 7130
wolfSSL 7:481bce714567 7131 out[idx] = (byte)(40 * val);
wolfSSL 7:481bce714567 7132 }
wolfSSL 7:481bce714567 7133 else if (nb_val == 1) {
wolfSSL 7:481bce714567 7134 if (val > 127) {
wolfSSL 7:481bce714567 7135 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7136 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 7137 }
wolfSSL 7:481bce714567 7138
wolfSSL 7:481bce714567 7139 if (idx > *outSz) {
wolfSSL 7:481bce714567 7140 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7141 return BUFFER_E;
wolfSSL 7:481bce714567 7142 }
wolfSSL 7:481bce714567 7143
wolfSSL 7:481bce714567 7144 out[idx++] += (byte)val;
wolfSSL 7:481bce714567 7145 }
wolfSSL 7:481bce714567 7146 else {
wolfSSL 7:481bce714567 7147 word32 tb = 0, x;
wolfSSL 7:481bce714567 7148 int i = 0;
wolfSSL 7:481bce714567 7149 byte oid[MAX_OID_SZ];
wolfSSL 7:481bce714567 7150
wolfSSL 7:481bce714567 7151 while (val >= 128) {
wolfSSL 7:481bce714567 7152 x = val % 128;
wolfSSL 7:481bce714567 7153 val /= 128;
wolfSSL 7:481bce714567 7154 oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x);
wolfSSL 7:481bce714567 7155 }
wolfSSL 7:481bce714567 7156
wolfSSL 7:481bce714567 7157 if ((idx+(word32)i) > *outSz) {
wolfSSL 7:481bce714567 7158 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7159 return BUFFER_E;
wolfSSL 7:481bce714567 7160 }
wolfSSL 7:481bce714567 7161
wolfSSL 7:481bce714567 7162 oid[i] = (byte) (((tb++) ? 0x80 : 0) | val);
wolfSSL 7:481bce714567 7163
wolfSSL 7:481bce714567 7164 /* push value in the right order */
wolfSSL 7:481bce714567 7165 while (i >= 0)
wolfSSL 7:481bce714567 7166 out[idx++] = oid[i--];
wolfSSL 7:481bce714567 7167 }
wolfSSL 7:481bce714567 7168
wolfSSL 7:481bce714567 7169 token = XSTRTOK(NULL, ".", &ptr);
wolfSSL 7:481bce714567 7170 nb_val++;
wolfSSL 7:481bce714567 7171 }
wolfSSL 7:481bce714567 7172
wolfSSL 7:481bce714567 7173 *outSz = idx;
wolfSSL 7:481bce714567 7174
wolfSSL 7:481bce714567 7175 XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7176 return 0;
wolfSSL 7:481bce714567 7177 }
wolfSSL 7:481bce714567 7178
wolfSSL 7:481bce714567 7179 /* encode Certificate Policies, return total bytes written
wolfSSL 7:481bce714567 7180 * each input value must be ITU-T X.690 formatted : a.b.c...
wolfSSL 7:481bce714567 7181 * input must be an array of values with a NULL terminated for the latest
wolfSSL 7:481bce714567 7182 * RFC5280 : non-critical */
wolfSSL 7:481bce714567 7183 static int SetCertificatePolicies(byte *output,
wolfSSL 7:481bce714567 7184 word32 outputSz,
wolfSSL 7:481bce714567 7185 char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ],
wolfSSL 7:481bce714567 7186 word16 nb_certpol,
wolfSSL 7:481bce714567 7187 void* heap)
wolfSSL 7:481bce714567 7188 {
wolfSSL 7:481bce714567 7189 byte oid[MAX_OID_SZ],
wolfSSL 7:481bce714567 7190 der_oid[MAX_CERTPOL_NB][MAX_OID_SZ],
wolfSSL 7:481bce714567 7191 out[MAX_CERTPOL_SZ];
wolfSSL 7:481bce714567 7192 word32 oidSz;
wolfSSL 7:481bce714567 7193 word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB];
wolfSSL 7:481bce714567 7194 int ret;
wolfSSL 7:481bce714567 7195
wolfSSL 7:481bce714567 7196 static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 };
wolfSSL 7:481bce714567 7197 static const byte oid_oid[] = { 0x06 };
wolfSSL 7:481bce714567 7198
wolfSSL 7:481bce714567 7199 if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB)
wolfSSL 7:481bce714567 7200 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7201
wolfSSL 7:481bce714567 7202 for (i = 0; i < nb_certpol; i++) {
wolfSSL 7:481bce714567 7203 oidSz = sizeof(oid);
wolfSSL 7:481bce714567 7204 XMEMSET(oid, 0, oidSz);
wolfSSL 7:481bce714567 7205
wolfSSL 7:481bce714567 7206 ret = EncodePolicyOID(oid, &oidSz, input[i], heap);
wolfSSL 7:481bce714567 7207 if (ret != 0)
wolfSSL 7:481bce714567 7208 return ret;
wolfSSL 7:481bce714567 7209
wolfSSL 7:481bce714567 7210 /* compute sequence value for the oid */
wolfSSL 7:481bce714567 7211 ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid,
wolfSSL 7:481bce714567 7212 sizeof(oid_oid), oid, oidSz);
wolfSSL 7:481bce714567 7213 if (ret <= 0)
wolfSSL 7:481bce714567 7214 return ret;
wolfSSL 7:481bce714567 7215 else
wolfSSL 7:481bce714567 7216 der_oidSz[i] = (word32)ret;
wolfSSL 7:481bce714567 7217 }
wolfSSL 7:481bce714567 7218
wolfSSL 7:481bce714567 7219 /* concatenate oid, keep two byte for sequence/size of the created value */
wolfSSL 7:481bce714567 7220 for (i = 0, outSz = 2; i < nb_certpol; i++) {
wolfSSL 7:481bce714567 7221 XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]);
wolfSSL 7:481bce714567 7222 outSz += der_oidSz[i];
wolfSSL 7:481bce714567 7223 }
wolfSSL 7:481bce714567 7224
wolfSSL 7:481bce714567 7225 /* add sequence */
wolfSSL 7:481bce714567 7226 ret = SetSequence(outSz-2, out);
wolfSSL 7:481bce714567 7227 if (ret <= 0)
wolfSSL 7:481bce714567 7228 return ret;
wolfSSL 7:481bce714567 7229
wolfSSL 7:481bce714567 7230 /* add Policy OID to compute final value */
wolfSSL 7:481bce714567 7231 return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid),
wolfSSL 7:481bce714567 7232 out, outSz);
wolfSSL 7:481bce714567 7233 }
wolfSSL 7:481bce714567 7234 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 7235
wolfSSL 7:481bce714567 7236 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 7237 /* encode Alternative Names, return total bytes written */
wolfSSL 7:481bce714567 7238 static int SetAltNames(byte *out, word32 outSz, byte *input, word32 length)
wolfSSL 7:481bce714567 7239 {
wolfSSL 7:481bce714567 7240 if (out == NULL || input == NULL)
wolfSSL 7:481bce714567 7241 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7242
wolfSSL 7:481bce714567 7243 if (outSz < length)
wolfSSL 7:481bce714567 7244 return BUFFER_E;
wolfSSL 7:481bce714567 7245
wolfSSL 7:481bce714567 7246 /* Alternative Names come from certificate or computed by
wolfSSL 7:481bce714567 7247 * external function, so already encoded. Just copy value */
wolfSSL 7:481bce714567 7248 XMEMCPY(out, input, length);
wolfSSL 7:481bce714567 7249 return length;
wolfSSL 7:481bce714567 7250 }
wolfSSL 7:481bce714567 7251 #endif /* WOLFSL_ALT_NAMES */
wolfSSL 7:481bce714567 7252
wolfSSL 7:481bce714567 7253
wolfSSL 7:481bce714567 7254 /* encode CertName into output, return total bytes written */
wolfSSL 7:481bce714567 7255 int SetName(byte* output, word32 outputSz, CertName* name)
wolfSSL 7:481bce714567 7256 {
wolfSSL 7:481bce714567 7257 int totalBytes = 0, i, idx;
wolfSSL 7:481bce714567 7258 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7259 EncodedName* names = NULL;
wolfSSL 7:481bce714567 7260 #else
wolfSSL 7:481bce714567 7261 EncodedName names[NAME_ENTRIES];
wolfSSL 7:481bce714567 7262 #endif
wolfSSL 7:481bce714567 7263
wolfSSL 7:481bce714567 7264 if (output == NULL || name == NULL)
wolfSSL 7:481bce714567 7265 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7266
wolfSSL 7:481bce714567 7267 if (outputSz < 3)
wolfSSL 7:481bce714567 7268 return BUFFER_E;
wolfSSL 7:481bce714567 7269
wolfSSL 7:481bce714567 7270 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7271 names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL,
wolfSSL 7:481bce714567 7272 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7273 if (names == NULL)
wolfSSL 7:481bce714567 7274 return MEMORY_E;
wolfSSL 7:481bce714567 7275 #endif
wolfSSL 7:481bce714567 7276
wolfSSL 7:481bce714567 7277 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 7:481bce714567 7278 const char* nameStr = GetOneName(name, i);
wolfSSL 7:481bce714567 7279 if (nameStr) {
wolfSSL 7:481bce714567 7280 /* bottom up */
wolfSSL 7:481bce714567 7281 byte firstLen[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 7282 byte secondLen[MAX_LENGTH_SZ];
wolfSSL 7:481bce714567 7283 byte sequence[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 7284 byte set[MAX_SET_SZ];
wolfSSL 7:481bce714567 7285
wolfSSL 7:481bce714567 7286 int email = i == (NAME_ENTRIES - 1) ? 1 : 0;
wolfSSL 7:481bce714567 7287 int strLen = (int)XSTRLEN(nameStr);
wolfSSL 7:481bce714567 7288 int thisLen = strLen;
wolfSSL 7:481bce714567 7289 int firstSz, secondSz, seqSz, setSz;
wolfSSL 7:481bce714567 7290
wolfSSL 7:481bce714567 7291 if (strLen == 0) { /* no user data for this item */
wolfSSL 7:481bce714567 7292 names[i].used = 0;
wolfSSL 7:481bce714567 7293 continue;
wolfSSL 7:481bce714567 7294 }
wolfSSL 7:481bce714567 7295
wolfSSL 7:481bce714567 7296 /* Restrict country code size */
wolfSSL 7:481bce714567 7297 if (i == 0 && strLen != CTC_COUNTRY_SIZE) {
wolfSSL 7:481bce714567 7298 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7299 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7300 #endif
wolfSSL 7:481bce714567 7301 return ASN_COUNTRY_SIZE_E;
wolfSSL 7:481bce714567 7302 }
wolfSSL 7:481bce714567 7303
wolfSSL 7:481bce714567 7304 secondSz = SetLength(strLen, secondLen);
wolfSSL 7:481bce714567 7305 thisLen += secondSz;
wolfSSL 7:481bce714567 7306 if (email) {
wolfSSL 7:481bce714567 7307 thisLen += EMAIL_JOINT_LEN;
wolfSSL 7:481bce714567 7308 thisLen ++; /* id type */
wolfSSL 7:481bce714567 7309 firstSz = SetLength(EMAIL_JOINT_LEN, firstLen);
wolfSSL 7:481bce714567 7310 }
wolfSSL 7:481bce714567 7311 else {
wolfSSL 7:481bce714567 7312 thisLen++; /* str type */
wolfSSL 7:481bce714567 7313 thisLen++; /* id type */
wolfSSL 7:481bce714567 7314 thisLen += JOINT_LEN;
wolfSSL 7:481bce714567 7315 firstSz = SetLength(JOINT_LEN + 1, firstLen);
wolfSSL 7:481bce714567 7316 }
wolfSSL 7:481bce714567 7317 thisLen += firstSz;
wolfSSL 7:481bce714567 7318 thisLen++; /* object id */
wolfSSL 7:481bce714567 7319
wolfSSL 7:481bce714567 7320 seqSz = SetSequence(thisLen, sequence);
wolfSSL 7:481bce714567 7321 thisLen += seqSz;
wolfSSL 7:481bce714567 7322 setSz = SetSet(thisLen, set);
wolfSSL 7:481bce714567 7323 thisLen += setSz;
wolfSSL 7:481bce714567 7324
wolfSSL 7:481bce714567 7325 if (thisLen > (int)sizeof(names[i].encoded)) {
wolfSSL 7:481bce714567 7326 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7327 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7328 #endif
wolfSSL 7:481bce714567 7329 return BUFFER_E;
wolfSSL 7:481bce714567 7330 }
wolfSSL 7:481bce714567 7331
wolfSSL 7:481bce714567 7332 /* store it */
wolfSSL 7:481bce714567 7333 idx = 0;
wolfSSL 7:481bce714567 7334 /* set */
wolfSSL 7:481bce714567 7335 XMEMCPY(names[i].encoded, set, setSz);
wolfSSL 7:481bce714567 7336 idx += setSz;
wolfSSL 7:481bce714567 7337 /* seq */
wolfSSL 7:481bce714567 7338 XMEMCPY(names[i].encoded + idx, sequence, seqSz);
wolfSSL 7:481bce714567 7339 idx += seqSz;
wolfSSL 7:481bce714567 7340 /* asn object id */
wolfSSL 7:481bce714567 7341 names[i].encoded[idx++] = ASN_OBJECT_ID;
wolfSSL 7:481bce714567 7342 /* first length */
wolfSSL 7:481bce714567 7343 XMEMCPY(names[i].encoded + idx, firstLen, firstSz);
wolfSSL 7:481bce714567 7344 idx += firstSz;
wolfSSL 7:481bce714567 7345 if (email) {
wolfSSL 7:481bce714567 7346 const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL 7:481bce714567 7347 0x01, 0x09, 0x01, 0x16 };
wolfSSL 7:481bce714567 7348 /* email joint id */
wolfSSL 7:481bce714567 7349 XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
wolfSSL 7:481bce714567 7350 idx += (int)sizeof(EMAIL_OID);
wolfSSL 7:481bce714567 7351 }
wolfSSL 7:481bce714567 7352 else {
wolfSSL 7:481bce714567 7353 /* joint id */
wolfSSL 7:481bce714567 7354 byte bType = GetNameId(i);
wolfSSL 7:481bce714567 7355 names[i].encoded[idx++] = 0x55;
wolfSSL 7:481bce714567 7356 names[i].encoded[idx++] = 0x04;
wolfSSL 7:481bce714567 7357 /* id type */
wolfSSL 7:481bce714567 7358 names[i].encoded[idx++] = bType;
wolfSSL 7:481bce714567 7359 /* str type */
wolfSSL 7:481bce714567 7360 names[i].encoded[idx++] = GetNameType(name, i);
wolfSSL 7:481bce714567 7361 }
wolfSSL 7:481bce714567 7362 /* second length */
wolfSSL 7:481bce714567 7363 XMEMCPY(names[i].encoded + idx, secondLen, secondSz);
wolfSSL 7:481bce714567 7364 idx += secondSz;
wolfSSL 7:481bce714567 7365 /* str value */
wolfSSL 7:481bce714567 7366 XMEMCPY(names[i].encoded + idx, nameStr, strLen);
wolfSSL 7:481bce714567 7367 idx += strLen;
wolfSSL 7:481bce714567 7368
wolfSSL 7:481bce714567 7369 totalBytes += idx;
wolfSSL 7:481bce714567 7370 names[i].totalLen = idx;
wolfSSL 7:481bce714567 7371 names[i].used = 1;
wolfSSL 7:481bce714567 7372 }
wolfSSL 7:481bce714567 7373 else
wolfSSL 7:481bce714567 7374 names[i].used = 0;
wolfSSL 7:481bce714567 7375 }
wolfSSL 7:481bce714567 7376
wolfSSL 7:481bce714567 7377 /* header */
wolfSSL 7:481bce714567 7378 idx = SetSequence(totalBytes, output);
wolfSSL 7:481bce714567 7379 totalBytes += idx;
wolfSSL 7:481bce714567 7380 if (totalBytes > ASN_NAME_MAX) {
wolfSSL 7:481bce714567 7381 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7382 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7383 #endif
wolfSSL 7:481bce714567 7384 return BUFFER_E;
wolfSSL 7:481bce714567 7385 }
wolfSSL 7:481bce714567 7386
wolfSSL 7:481bce714567 7387 for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL 7:481bce714567 7388 if (names[i].used) {
wolfSSL 7:481bce714567 7389 if (outputSz < (word32)(idx+names[i].totalLen)) {
wolfSSL 7:481bce714567 7390 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7391 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7392 #endif
wolfSSL 7:481bce714567 7393 return BUFFER_E;
wolfSSL 7:481bce714567 7394 }
wolfSSL 7:481bce714567 7395
wolfSSL 7:481bce714567 7396 XMEMCPY(output + idx, names[i].encoded, names[i].totalLen);
wolfSSL 7:481bce714567 7397 idx += names[i].totalLen;
wolfSSL 7:481bce714567 7398 }
wolfSSL 7:481bce714567 7399 }
wolfSSL 7:481bce714567 7400
wolfSSL 7:481bce714567 7401 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7402 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7403 #endif
wolfSSL 7:481bce714567 7404
wolfSSL 7:481bce714567 7405 return totalBytes;
wolfSSL 7:481bce714567 7406 }
wolfSSL 7:481bce714567 7407
wolfSSL 7:481bce714567 7408 /* encode info from cert into DER encoded format */
wolfSSL 7:481bce714567 7409 static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
wolfSSL 7:481bce714567 7410 WC_RNG* rng, const byte* ntruKey, word16 ntruSz)
wolfSSL 7:481bce714567 7411 {
wolfSSL 7:481bce714567 7412 int ret;
wolfSSL 7:481bce714567 7413
wolfSSL 7:481bce714567 7414 (void)eccKey;
wolfSSL 7:481bce714567 7415 (void)ntruKey;
wolfSSL 7:481bce714567 7416 (void)ntruSz;
wolfSSL 7:481bce714567 7417
wolfSSL 7:481bce714567 7418 if (cert == NULL || der == NULL || rng == NULL)
wolfSSL 7:481bce714567 7419 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 7420
wolfSSL 7:481bce714567 7421 /* init */
wolfSSL 7:481bce714567 7422 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 7:481bce714567 7423
wolfSSL 7:481bce714567 7424 /* version */
wolfSSL 7:481bce714567 7425 der->versionSz = SetMyVersion(cert->version, der->version, TRUE);
wolfSSL 7:481bce714567 7426
wolfSSL 7:481bce714567 7427 /* serial number */
wolfSSL 7:481bce714567 7428 ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE);
wolfSSL 7:481bce714567 7429 if (ret != 0)
wolfSSL 7:481bce714567 7430 return ret;
wolfSSL 7:481bce714567 7431
wolfSSL 7:481bce714567 7432 cert->serial[0] = 0x01; /* ensure positive */
wolfSSL 7:481bce714567 7433 der->serialSz = SetSerial(cert->serial, der->serial);
wolfSSL 7:481bce714567 7434
wolfSSL 7:481bce714567 7435 /* signature algo */
wolfSSL 7:481bce714567 7436 der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, oidSigType, 0);
wolfSSL 7:481bce714567 7437 if (der->sigAlgoSz <= 0)
wolfSSL 7:481bce714567 7438 return ALGO_ID_E;
wolfSSL 7:481bce714567 7439
wolfSSL 7:481bce714567 7440 /* public key */
wolfSSL 7:481bce714567 7441 if (cert->keyType == RSA_KEY) {
wolfSSL 7:481bce714567 7442 if (rsaKey == NULL)
wolfSSL 7:481bce714567 7443 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7444 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 7:481bce714567 7445 sizeof(der->publicKey), 1);
wolfSSL 7:481bce714567 7446 if (der->publicKeySz <= 0)
wolfSSL 7:481bce714567 7447 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7448 }
wolfSSL 7:481bce714567 7449
wolfSSL 7:481bce714567 7450 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 7451 if (cert->keyType == ECC_KEY) {
wolfSSL 7:481bce714567 7452 if (eccKey == NULL)
wolfSSL 7:481bce714567 7453 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7454 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 7:481bce714567 7455 if (der->publicKeySz <= 0)
wolfSSL 7:481bce714567 7456 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7457 }
wolfSSL 7:481bce714567 7458 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 7459
wolfSSL 7:481bce714567 7460 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 7461 if (cert->keyType == NTRU_KEY) {
wolfSSL 7:481bce714567 7462 word32 rc;
wolfSSL 7:481bce714567 7463 word16 encodedSz;
wolfSSL 7:481bce714567 7464
wolfSSL 7:481bce714567 7465 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 7:481bce714567 7466 ntruKey, &encodedSz, NULL);
wolfSSL 7:481bce714567 7467 if (rc != NTRU_OK)
wolfSSL 7:481bce714567 7468 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7469 if (encodedSz > MAX_PUBLIC_KEY_SZ)
wolfSSL 7:481bce714567 7470 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7471
wolfSSL 7:481bce714567 7472 rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL 7:481bce714567 7473 ntruKey, &encodedSz, der->publicKey);
wolfSSL 7:481bce714567 7474 if (rc != NTRU_OK)
wolfSSL 7:481bce714567 7475 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 7476
wolfSSL 7:481bce714567 7477 der->publicKeySz = encodedSz;
wolfSSL 7:481bce714567 7478 }
wolfSSL 7:481bce714567 7479 #endif /* HAVE_NTRU */
wolfSSL 7:481bce714567 7480
wolfSSL 7:481bce714567 7481 der->validitySz = 0;
wolfSSL 7:481bce714567 7482 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 7483 /* date validity copy ? */
wolfSSL 7:481bce714567 7484 if (cert->beforeDateSz && cert->afterDateSz) {
wolfSSL 7:481bce714567 7485 der->validitySz = CopyValidity(der->validity, cert);
wolfSSL 7:481bce714567 7486 if (der->validitySz <= 0)
wolfSSL 7:481bce714567 7487 return DATE_E;
wolfSSL 7:481bce714567 7488 }
wolfSSL 7:481bce714567 7489 #endif
wolfSSL 7:481bce714567 7490
wolfSSL 7:481bce714567 7491 /* date validity */
wolfSSL 7:481bce714567 7492 if (der->validitySz == 0) {
wolfSSL 7:481bce714567 7493 der->validitySz = SetValidity(der->validity, cert->daysValid);
wolfSSL 7:481bce714567 7494 if (der->validitySz <= 0)
wolfSSL 7:481bce714567 7495 return DATE_E;
wolfSSL 7:481bce714567 7496 }
wolfSSL 7:481bce714567 7497
wolfSSL 7:481bce714567 7498 /* subject name */
wolfSSL 7:481bce714567 7499 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 7:481bce714567 7500 if (der->subjectSz <= 0)
wolfSSL 7:481bce714567 7501 return SUBJECT_E;
wolfSSL 7:481bce714567 7502
wolfSSL 7:481bce714567 7503 /* issuer name */
wolfSSL 7:481bce714567 7504 der->issuerSz = SetName(der->issuer, sizeof(der->issuer), cert->selfSigned ?
wolfSSL 7:481bce714567 7505 &cert->subject : &cert->issuer);
wolfSSL 7:481bce714567 7506 if (der->issuerSz <= 0)
wolfSSL 7:481bce714567 7507 return ISSUER_E;
wolfSSL 7:481bce714567 7508
wolfSSL 7:481bce714567 7509 /* set the extensions */
wolfSSL 7:481bce714567 7510 der->extensionsSz = 0;
wolfSSL 7:481bce714567 7511
wolfSSL 7:481bce714567 7512 /* CA */
wolfSSL 7:481bce714567 7513 if (cert->isCA) {
wolfSSL 7:481bce714567 7514 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 7:481bce714567 7515 if (der->caSz <= 0)
wolfSSL 7:481bce714567 7516 return CA_TRUE_E;
wolfSSL 7:481bce714567 7517
wolfSSL 7:481bce714567 7518 der->extensionsSz += der->caSz;
wolfSSL 7:481bce714567 7519 }
wolfSSL 7:481bce714567 7520 else
wolfSSL 7:481bce714567 7521 der->caSz = 0;
wolfSSL 7:481bce714567 7522
wolfSSL 7:481bce714567 7523 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 7524 /* Alternative Name */
wolfSSL 7:481bce714567 7525 if (cert->altNamesSz) {
wolfSSL 7:481bce714567 7526 der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
wolfSSL 7:481bce714567 7527 cert->altNames, cert->altNamesSz);
wolfSSL 7:481bce714567 7528 if (der->altNamesSz <= 0)
wolfSSL 7:481bce714567 7529 return ALT_NAME_E;
wolfSSL 7:481bce714567 7530
wolfSSL 7:481bce714567 7531 der->extensionsSz += der->altNamesSz;
wolfSSL 7:481bce714567 7532 }
wolfSSL 7:481bce714567 7533 else
wolfSSL 7:481bce714567 7534 der->altNamesSz = 0;
wolfSSL 7:481bce714567 7535 #endif
wolfSSL 7:481bce714567 7536
wolfSSL 7:481bce714567 7537 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 7538 /* SKID */
wolfSSL 7:481bce714567 7539 if (cert->skidSz) {
wolfSSL 7:481bce714567 7540 /* check the provided SKID size */
wolfSSL 7:481bce714567 7541 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 7:481bce714567 7542 return SKID_E;
wolfSSL 7:481bce714567 7543
wolfSSL 7:481bce714567 7544 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 7:481bce714567 7545 cert->skid, cert->skidSz);
wolfSSL 7:481bce714567 7546 if (der->skidSz <= 0)
wolfSSL 7:481bce714567 7547 return SKID_E;
wolfSSL 7:481bce714567 7548
wolfSSL 7:481bce714567 7549 der->extensionsSz += der->skidSz;
wolfSSL 7:481bce714567 7550 }
wolfSSL 7:481bce714567 7551 else
wolfSSL 7:481bce714567 7552 der->skidSz = 0;
wolfSSL 7:481bce714567 7553
wolfSSL 7:481bce714567 7554 /* AKID */
wolfSSL 7:481bce714567 7555 if (cert->akidSz) {
wolfSSL 7:481bce714567 7556 /* check the provided AKID size */
wolfSSL 7:481bce714567 7557 if (cert->akidSz > (int)sizeof(der->akid))
wolfSSL 7:481bce714567 7558 return AKID_E;
wolfSSL 7:481bce714567 7559
wolfSSL 7:481bce714567 7560 der->akidSz = SetAKID(der->akid, sizeof(der->akid),
wolfSSL 7:481bce714567 7561 cert->akid, cert->akidSz, cert->heap);
wolfSSL 7:481bce714567 7562 if (der->akidSz <= 0)
wolfSSL 7:481bce714567 7563 return AKID_E;
wolfSSL 7:481bce714567 7564
wolfSSL 7:481bce714567 7565 der->extensionsSz += der->akidSz;
wolfSSL 7:481bce714567 7566 }
wolfSSL 7:481bce714567 7567 else
wolfSSL 7:481bce714567 7568 der->akidSz = 0;
wolfSSL 7:481bce714567 7569
wolfSSL 7:481bce714567 7570 /* Key Usage */
wolfSSL 7:481bce714567 7571 if (cert->keyUsage != 0){
wolfSSL 7:481bce714567 7572 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 7:481bce714567 7573 cert->keyUsage);
wolfSSL 7:481bce714567 7574 if (der->keyUsageSz <= 0)
wolfSSL 7:481bce714567 7575 return KEYUSAGE_E;
wolfSSL 7:481bce714567 7576
wolfSSL 7:481bce714567 7577 der->extensionsSz += der->keyUsageSz;
wolfSSL 7:481bce714567 7578 }
wolfSSL 7:481bce714567 7579 else
wolfSSL 7:481bce714567 7580 der->keyUsageSz = 0;
wolfSSL 7:481bce714567 7581
wolfSSL 7:481bce714567 7582 /* Certificate Policies */
wolfSSL 7:481bce714567 7583 if (cert->certPoliciesNb != 0) {
wolfSSL 7:481bce714567 7584 der->certPoliciesSz = SetCertificatePolicies(der->certPolicies,
wolfSSL 7:481bce714567 7585 sizeof(der->certPolicies),
wolfSSL 7:481bce714567 7586 cert->certPolicies,
wolfSSL 7:481bce714567 7587 cert->certPoliciesNb,
wolfSSL 7:481bce714567 7588 cert->heap);
wolfSSL 7:481bce714567 7589 if (der->certPoliciesSz <= 0)
wolfSSL 7:481bce714567 7590 return CERTPOLICIES_E;
wolfSSL 7:481bce714567 7591
wolfSSL 7:481bce714567 7592 der->extensionsSz += der->certPoliciesSz;
wolfSSL 7:481bce714567 7593 }
wolfSSL 7:481bce714567 7594 else
wolfSSL 7:481bce714567 7595 der->certPoliciesSz = 0;
wolfSSL 7:481bce714567 7596 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 7597
wolfSSL 7:481bce714567 7598 /* put extensions */
wolfSSL 7:481bce714567 7599 if (der->extensionsSz > 0) {
wolfSSL 7:481bce714567 7600
wolfSSL 7:481bce714567 7601 /* put the start of extensions sequence (ID, Size) */
wolfSSL 7:481bce714567 7602 der->extensionsSz = SetExtensionsHeader(der->extensions,
wolfSSL 7:481bce714567 7603 sizeof(der->extensions),
wolfSSL 7:481bce714567 7604 der->extensionsSz);
wolfSSL 7:481bce714567 7605 if (der->extensionsSz <= 0)
wolfSSL 7:481bce714567 7606 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7607
wolfSSL 7:481bce714567 7608 /* put CA */
wolfSSL 7:481bce714567 7609 if (der->caSz) {
wolfSSL 7:481bce714567 7610 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7611 &der->extensionsSz,
wolfSSL 7:481bce714567 7612 der->ca, der->caSz);
wolfSSL 7:481bce714567 7613 if (ret == 0)
wolfSSL 7:481bce714567 7614 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7615 }
wolfSSL 7:481bce714567 7616
wolfSSL 7:481bce714567 7617 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 7618 /* put Alternative Names */
wolfSSL 7:481bce714567 7619 if (der->altNamesSz) {
wolfSSL 7:481bce714567 7620 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7621 &der->extensionsSz,
wolfSSL 7:481bce714567 7622 der->altNames, der->altNamesSz);
wolfSSL 7:481bce714567 7623 if (ret <= 0)
wolfSSL 7:481bce714567 7624 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7625 }
wolfSSL 7:481bce714567 7626 #endif
wolfSSL 7:481bce714567 7627
wolfSSL 7:481bce714567 7628 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 7629 /* put SKID */
wolfSSL 7:481bce714567 7630 if (der->skidSz) {
wolfSSL 7:481bce714567 7631 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7632 &der->extensionsSz,
wolfSSL 7:481bce714567 7633 der->skid, der->skidSz);
wolfSSL 7:481bce714567 7634 if (ret <= 0)
wolfSSL 7:481bce714567 7635 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7636 }
wolfSSL 7:481bce714567 7637
wolfSSL 7:481bce714567 7638 /* put AKID */
wolfSSL 7:481bce714567 7639 if (der->akidSz) {
wolfSSL 7:481bce714567 7640 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7641 &der->extensionsSz,
wolfSSL 7:481bce714567 7642 der->akid, der->akidSz);
wolfSSL 7:481bce714567 7643 if (ret <= 0)
wolfSSL 7:481bce714567 7644 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7645 }
wolfSSL 7:481bce714567 7646
wolfSSL 7:481bce714567 7647 /* put KeyUsage */
wolfSSL 7:481bce714567 7648 if (der->keyUsageSz) {
wolfSSL 7:481bce714567 7649 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7650 &der->extensionsSz,
wolfSSL 7:481bce714567 7651 der->keyUsage, der->keyUsageSz);
wolfSSL 7:481bce714567 7652 if (ret <= 0)
wolfSSL 7:481bce714567 7653 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7654 }
wolfSSL 7:481bce714567 7655
wolfSSL 7:481bce714567 7656 /* put Certificate Policies */
wolfSSL 7:481bce714567 7657 if (der->certPoliciesSz) {
wolfSSL 7:481bce714567 7658 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 7659 &der->extensionsSz,
wolfSSL 7:481bce714567 7660 der->certPolicies, der->certPoliciesSz);
wolfSSL 7:481bce714567 7661 if (ret <= 0)
wolfSSL 7:481bce714567 7662 return EXTENSIONS_E;
wolfSSL 7:481bce714567 7663 }
wolfSSL 7:481bce714567 7664 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 7665 }
wolfSSL 7:481bce714567 7666
wolfSSL 7:481bce714567 7667 der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
wolfSSL 7:481bce714567 7668 der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz +
wolfSSL 7:481bce714567 7669 der->extensionsSz;
wolfSSL 7:481bce714567 7670
wolfSSL 7:481bce714567 7671 return 0;
wolfSSL 7:481bce714567 7672 }
wolfSSL 7:481bce714567 7673
wolfSSL 7:481bce714567 7674
wolfSSL 7:481bce714567 7675 /* write DER encoded cert to buffer, size already checked */
wolfSSL 7:481bce714567 7676 static int WriteCertBody(DerCert* der, byte* buffer)
wolfSSL 7:481bce714567 7677 {
wolfSSL 7:481bce714567 7678 int idx;
wolfSSL 7:481bce714567 7679
wolfSSL 7:481bce714567 7680 /* signed part header */
wolfSSL 7:481bce714567 7681 idx = SetSequence(der->total, buffer);
wolfSSL 7:481bce714567 7682 /* version */
wolfSSL 7:481bce714567 7683 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 7:481bce714567 7684 idx += der->versionSz;
wolfSSL 7:481bce714567 7685 /* serial */
wolfSSL 7:481bce714567 7686 XMEMCPY(buffer + idx, der->serial, der->serialSz);
wolfSSL 7:481bce714567 7687 idx += der->serialSz;
wolfSSL 7:481bce714567 7688 /* sig algo */
wolfSSL 7:481bce714567 7689 XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz);
wolfSSL 7:481bce714567 7690 idx += der->sigAlgoSz;
wolfSSL 7:481bce714567 7691 /* issuer */
wolfSSL 7:481bce714567 7692 XMEMCPY(buffer + idx, der->issuer, der->issuerSz);
wolfSSL 7:481bce714567 7693 idx += der->issuerSz;
wolfSSL 7:481bce714567 7694 /* validity */
wolfSSL 7:481bce714567 7695 XMEMCPY(buffer + idx, der->validity, der->validitySz);
wolfSSL 7:481bce714567 7696 idx += der->validitySz;
wolfSSL 7:481bce714567 7697 /* subject */
wolfSSL 7:481bce714567 7698 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 7:481bce714567 7699 idx += der->subjectSz;
wolfSSL 7:481bce714567 7700 /* public key */
wolfSSL 7:481bce714567 7701 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 7:481bce714567 7702 idx += der->publicKeySz;
wolfSSL 7:481bce714567 7703 if (der->extensionsSz) {
wolfSSL 7:481bce714567 7704 /* extensions */
wolfSSL 7:481bce714567 7705 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 7:481bce714567 7706 (int)sizeof(der->extensions)));
wolfSSL 7:481bce714567 7707 idx += der->extensionsSz;
wolfSSL 7:481bce714567 7708 }
wolfSSL 7:481bce714567 7709
wolfSSL 7:481bce714567 7710 return idx;
wolfSSL 7:481bce714567 7711 }
wolfSSL 7:481bce714567 7712
wolfSSL 7:481bce714567 7713
wolfSSL 7:481bce714567 7714 /* Make RSA signature from buffer (sz), write to sig (sigSz) */
wolfSSL 7:481bce714567 7715 static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz,
wolfSSL 7:481bce714567 7716 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 7:481bce714567 7717 int sigAlgoType)
wolfSSL 7:481bce714567 7718 {
wolfSSL 7:481bce714567 7719 int encSigSz, digestSz, typeH = 0, ret = 0;
wolfSSL 7:481bce714567 7720 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7721 byte* digest;
wolfSSL 7:481bce714567 7722 #else
wolfSSL 7:481bce714567 7723 byte digest[WC_MAX_DIGEST_SIZE]; /* max size */
wolfSSL 7:481bce714567 7724 #endif
wolfSSL 7:481bce714567 7725 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7726 byte* encSig;
wolfSSL 7:481bce714567 7727 #else
wolfSSL 7:481bce714567 7728 byte encSig[MAX_DER_DIGEST_SZ];
wolfSSL 7:481bce714567 7729 #endif
wolfSSL 7:481bce714567 7730
wolfSSL 7:481bce714567 7731 (void)digest;
wolfSSL 7:481bce714567 7732 (void)digestSz;
wolfSSL 7:481bce714567 7733 (void)encSig;
wolfSSL 7:481bce714567 7734 (void)encSigSz;
wolfSSL 7:481bce714567 7735 (void)typeH;
wolfSSL 7:481bce714567 7736
wolfSSL 7:481bce714567 7737 (void)buffer;
wolfSSL 7:481bce714567 7738 (void)sz;
wolfSSL 7:481bce714567 7739 (void)sig;
wolfSSL 7:481bce714567 7740 (void)sigSz;
wolfSSL 7:481bce714567 7741 (void)rsaKey;
wolfSSL 7:481bce714567 7742 (void)eccKey;
wolfSSL 7:481bce714567 7743 (void)rng;
wolfSSL 7:481bce714567 7744
wolfSSL 7:481bce714567 7745 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7746 digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7747 if (digest == NULL)
wolfSSL 7:481bce714567 7748 return 0; /* not confirmed */
wolfSSL 7:481bce714567 7749 #endif
wolfSSL 7:481bce714567 7750
wolfSSL 7:481bce714567 7751 switch (sigAlgoType) {
wolfSSL 7:481bce714567 7752 #ifndef NO_MD5
wolfSSL 7:481bce714567 7753 case CTC_MD5wRSA:
wolfSSL 7:481bce714567 7754 if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7755 typeH = MD5h;
wolfSSL 7:481bce714567 7756 digestSz = MD5_DIGEST_SIZE;
wolfSSL 7:481bce714567 7757 }
wolfSSL 7:481bce714567 7758 break;
wolfSSL 7:481bce714567 7759 #endif
wolfSSL 7:481bce714567 7760 #ifndef NO_SHA
wolfSSL 7:481bce714567 7761 case CTC_SHAwRSA:
wolfSSL 7:481bce714567 7762 case CTC_SHAwECDSA:
wolfSSL 7:481bce714567 7763 if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7764 typeH = SHAh;
wolfSSL 7:481bce714567 7765 digestSz = SHA_DIGEST_SIZE;
wolfSSL 7:481bce714567 7766 }
wolfSSL 7:481bce714567 7767 break;
wolfSSL 7:481bce714567 7768 #endif
wolfSSL 7:481bce714567 7769 #ifdef WOLFSSL_SHA224
wolfSSL 7:481bce714567 7770 case CTC_SHA224wRSA:
wolfSSL 7:481bce714567 7771 case CTC_SHA224wECDSA:
wolfSSL 7:481bce714567 7772 if ((ret = wc_Sha224Hash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7773 typeH = SHA224h;
wolfSSL 7:481bce714567 7774 digestSz = SHA224_DIGEST_SIZE;
wolfSSL 7:481bce714567 7775 }
wolfSSL 7:481bce714567 7776 break;
wolfSSL 7:481bce714567 7777 #endif
wolfSSL 7:481bce714567 7778 #ifndef NO_SHA256
wolfSSL 7:481bce714567 7779 case CTC_SHA256wRSA:
wolfSSL 7:481bce714567 7780 case CTC_SHA256wECDSA:
wolfSSL 7:481bce714567 7781 if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7782 typeH = SHA256h;
wolfSSL 7:481bce714567 7783 digestSz = SHA256_DIGEST_SIZE;
wolfSSL 7:481bce714567 7784 }
wolfSSL 7:481bce714567 7785 break;
wolfSSL 7:481bce714567 7786 #endif
wolfSSL 7:481bce714567 7787 #ifdef WOLFSSL_SHA384
wolfSSL 7:481bce714567 7788 case CTC_SHA384wRSA:
wolfSSL 7:481bce714567 7789 case CTC_SHA384wECDSA:
wolfSSL 7:481bce714567 7790 if ((ret = wc_Sha384Hash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7791 typeH = SHA384h;
wolfSSL 7:481bce714567 7792 digestSz = SHA384_DIGEST_SIZE;
wolfSSL 7:481bce714567 7793 }
wolfSSL 7:481bce714567 7794 break;
wolfSSL 7:481bce714567 7795 #endif
wolfSSL 7:481bce714567 7796 #ifdef WOLFSSL_SHA512
wolfSSL 7:481bce714567 7797 case CTC_SHA512wRSA:
wolfSSL 7:481bce714567 7798 case CTC_SHA512wECDSA:
wolfSSL 7:481bce714567 7799 if ((ret = wc_Sha512Hash(buffer, sz, digest)) == 0) {
wolfSSL 7:481bce714567 7800 typeH = SHA512h;
wolfSSL 7:481bce714567 7801 digestSz = SHA512_DIGEST_SIZE;
wolfSSL 7:481bce714567 7802 }
wolfSSL 7:481bce714567 7803 break;
wolfSSL 7:481bce714567 7804 #endif
wolfSSL 7:481bce714567 7805 default:
wolfSSL 7:481bce714567 7806 WOLFSSL_MSG("MakeSignautre called with unsupported type");
wolfSSL 7:481bce714567 7807 ret = ALGO_ID_E;
wolfSSL 7:481bce714567 7808 }
wolfSSL 7:481bce714567 7809
wolfSSL 7:481bce714567 7810 if (ret != 0) {
wolfSSL 7:481bce714567 7811 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7812 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7813 #endif
wolfSSL 7:481bce714567 7814 return ret;
wolfSSL 7:481bce714567 7815 }
wolfSSL 7:481bce714567 7816
wolfSSL 7:481bce714567 7817 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7818 encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ,
wolfSSL 7:481bce714567 7819 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7820 if (encSig == NULL) {
wolfSSL 7:481bce714567 7821 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7822 return MEMORY_E;
wolfSSL 7:481bce714567 7823 }
wolfSSL 7:481bce714567 7824 #endif
wolfSSL 7:481bce714567 7825
wolfSSL 7:481bce714567 7826 ret = ALGO_ID_E;
wolfSSL 7:481bce714567 7827
wolfSSL 7:481bce714567 7828 #ifndef NO_RSA
wolfSSL 7:481bce714567 7829 if (rsaKey) {
wolfSSL 7:481bce714567 7830 /* signature */
wolfSSL 7:481bce714567 7831 encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH);
wolfSSL 7:481bce714567 7832 ret = 0;
wolfSSL 7:481bce714567 7833 do {
wolfSSL 7:481bce714567 7834 #if defined(WOLFSSL_ASYNC_CRYPT)
wolfSSL 7:481bce714567 7835 ret = wc_RsaAsyncWait(ret, rsaKey);
wolfSSL 7:481bce714567 7836 #endif
wolfSSL 7:481bce714567 7837 if (ret >= 0) {
wolfSSL 7:481bce714567 7838 ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng);
wolfSSL 7:481bce714567 7839 }
wolfSSL 7:481bce714567 7840 } while (ret == WC_PENDING_E);
wolfSSL 7:481bce714567 7841 }
wolfSSL 7:481bce714567 7842 #endif
wolfSSL 7:481bce714567 7843
wolfSSL 7:481bce714567 7844 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 7845 if (!rsaKey && eccKey) {
wolfSSL 7:481bce714567 7846 word32 outSz = sigSz;
wolfSSL 7:481bce714567 7847 ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey);
wolfSSL 7:481bce714567 7848
wolfSSL 7:481bce714567 7849 if (ret == 0)
wolfSSL 7:481bce714567 7850 ret = outSz;
wolfSSL 7:481bce714567 7851 }
wolfSSL 7:481bce714567 7852 #endif
wolfSSL 7:481bce714567 7853
wolfSSL 7:481bce714567 7854 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7855 XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7856 XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7857 #endif
wolfSSL 7:481bce714567 7858
wolfSSL 7:481bce714567 7859 return ret;
wolfSSL 7:481bce714567 7860 }
wolfSSL 7:481bce714567 7861
wolfSSL 7:481bce714567 7862
wolfSSL 7:481bce714567 7863 /* add signature to end of buffer, size of buffer assumed checked, return
wolfSSL 7:481bce714567 7864 new length */
wolfSSL 7:481bce714567 7865 static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
wolfSSL 7:481bce714567 7866 int sigAlgoType)
wolfSSL 7:481bce714567 7867 {
wolfSSL 7:481bce714567 7868 byte seq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 7869 int idx = bodySz, seqSz;
wolfSSL 7:481bce714567 7870
wolfSSL 7:481bce714567 7871 /* algo */
wolfSSL 7:481bce714567 7872 idx += SetAlgoID(sigAlgoType, buffer + idx, oidSigType, 0);
wolfSSL 7:481bce714567 7873 /* bit string */
wolfSSL 7:481bce714567 7874 buffer[idx++] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 7875 /* length */
wolfSSL 7:481bce714567 7876 idx += SetLength(sigSz + 1, buffer + idx);
wolfSSL 7:481bce714567 7877 buffer[idx++] = 0; /* trailing 0 */
wolfSSL 7:481bce714567 7878 /* signature */
wolfSSL 7:481bce714567 7879 XMEMCPY(buffer + idx, sig, sigSz);
wolfSSL 7:481bce714567 7880 idx += sigSz;
wolfSSL 7:481bce714567 7881
wolfSSL 7:481bce714567 7882 /* make room for overall header */
wolfSSL 7:481bce714567 7883 seqSz = SetSequence(idx, seq);
wolfSSL 7:481bce714567 7884 XMEMMOVE(buffer + seqSz, buffer, idx);
wolfSSL 7:481bce714567 7885 XMEMCPY(buffer, seq, seqSz);
wolfSSL 7:481bce714567 7886
wolfSSL 7:481bce714567 7887 return idx + seqSz;
wolfSSL 7:481bce714567 7888 }
wolfSSL 7:481bce714567 7889
wolfSSL 7:481bce714567 7890
wolfSSL 7:481bce714567 7891 /* Make an x509 Certificate v3 any key type from cert input, write to buffer */
wolfSSL 7:481bce714567 7892 static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 7:481bce714567 7893 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
wolfSSL 7:481bce714567 7894 const byte* ntruKey, word16 ntruSz)
wolfSSL 7:481bce714567 7895 {
wolfSSL 7:481bce714567 7896 int ret;
wolfSSL 7:481bce714567 7897 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7898 DerCert* der;
wolfSSL 7:481bce714567 7899 #else
wolfSSL 7:481bce714567 7900 DerCert der[1];
wolfSSL 7:481bce714567 7901 #endif
wolfSSL 7:481bce714567 7902
wolfSSL 7:481bce714567 7903 cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY);
wolfSSL 7:481bce714567 7904
wolfSSL 7:481bce714567 7905 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7906 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7907 if (der == NULL)
wolfSSL 7:481bce714567 7908 return MEMORY_E;
wolfSSL 7:481bce714567 7909 #endif
wolfSSL 7:481bce714567 7910
wolfSSL 7:481bce714567 7911 ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz);
wolfSSL 7:481bce714567 7912 if (ret == 0) {
wolfSSL 7:481bce714567 7913 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 7:481bce714567 7914 ret = BUFFER_E;
wolfSSL 7:481bce714567 7915 else
wolfSSL 7:481bce714567 7916 ret = cert->bodySz = WriteCertBody(der, derBuffer);
wolfSSL 7:481bce714567 7917 }
wolfSSL 7:481bce714567 7918
wolfSSL 7:481bce714567 7919 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 7920 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 7921 #endif
wolfSSL 7:481bce714567 7922
wolfSSL 7:481bce714567 7923 return ret;
wolfSSL 7:481bce714567 7924 }
wolfSSL 7:481bce714567 7925
wolfSSL 7:481bce714567 7926
wolfSSL 7:481bce714567 7927 /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
wolfSSL 7:481bce714567 7928 int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey,
wolfSSL 7:481bce714567 7929 ecc_key* eccKey, WC_RNG* rng)
wolfSSL 7:481bce714567 7930 {
wolfSSL 7:481bce714567 7931 return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0);
wolfSSL 7:481bce714567 7932 }
wolfSSL 7:481bce714567 7933
wolfSSL 7:481bce714567 7934
wolfSSL 7:481bce714567 7935 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 7936
wolfSSL 7:481bce714567 7937 int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 7:481bce714567 7938 const byte* ntruKey, word16 keySz, WC_RNG* rng)
wolfSSL 7:481bce714567 7939 {
wolfSSL 7:481bce714567 7940 return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz);
wolfSSL 7:481bce714567 7941 }
wolfSSL 7:481bce714567 7942
wolfSSL 7:481bce714567 7943 #endif /* HAVE_NTRU */
wolfSSL 7:481bce714567 7944
wolfSSL 7:481bce714567 7945
wolfSSL 7:481bce714567 7946 #ifdef WOLFSSL_CERT_REQ
wolfSSL 7:481bce714567 7947
wolfSSL 7:481bce714567 7948 static int SetReqAttrib(byte* output, char* pw, int extSz)
wolfSSL 7:481bce714567 7949 {
wolfSSL 7:481bce714567 7950 static const byte cpOid[] =
wolfSSL 7:481bce714567 7951 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 7:481bce714567 7952 0x09, 0x07 };
wolfSSL 7:481bce714567 7953 static const byte erOid[] =
wolfSSL 7:481bce714567 7954 { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL 7:481bce714567 7955 0x09, 0x0e };
wolfSSL 7:481bce714567 7956
wolfSSL 7:481bce714567 7957 int sz = 0; /* overall size */
wolfSSL 7:481bce714567 7958 int cpSz = 0; /* Challenge Password section size */
wolfSSL 7:481bce714567 7959 int cpSeqSz = 0;
wolfSSL 7:481bce714567 7960 int cpSetSz = 0;
wolfSSL 7:481bce714567 7961 int cpStrSz = 0;
wolfSSL 7:481bce714567 7962 int pwSz = 0;
wolfSSL 7:481bce714567 7963 int erSz = 0; /* Extension Request section size */
wolfSSL 7:481bce714567 7964 int erSeqSz = 0;
wolfSSL 7:481bce714567 7965 int erSetSz = 0;
wolfSSL 7:481bce714567 7966 byte cpSeq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 7967 byte cpSet[MAX_SET_SZ];
wolfSSL 7:481bce714567 7968 byte cpStr[MAX_PRSTR_SZ];
wolfSSL 7:481bce714567 7969 byte erSeq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 7970 byte erSet[MAX_SET_SZ];
wolfSSL 7:481bce714567 7971
wolfSSL 7:481bce714567 7972 output[0] = 0xa0;
wolfSSL 7:481bce714567 7973 sz++;
wolfSSL 7:481bce714567 7974
wolfSSL 7:481bce714567 7975 if (pw && pw[0]) {
wolfSSL 7:481bce714567 7976 pwSz = (int)XSTRLEN(pw);
wolfSSL 7:481bce714567 7977 cpStrSz = SetUTF8String(pwSz, cpStr);
wolfSSL 7:481bce714567 7978 cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
wolfSSL 7:481bce714567 7979 cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
wolfSSL 7:481bce714567 7980 cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
wolfSSL 7:481bce714567 7981 }
wolfSSL 7:481bce714567 7982
wolfSSL 7:481bce714567 7983 if (extSz) {
wolfSSL 7:481bce714567 7984 erSetSz = SetSet(extSz, erSet);
wolfSSL 7:481bce714567 7985 erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq);
wolfSSL 7:481bce714567 7986 erSz = extSz + erSetSz + erSeqSz + sizeof(erOid);
wolfSSL 7:481bce714567 7987 }
wolfSSL 7:481bce714567 7988
wolfSSL 7:481bce714567 7989 /* Put the pieces together. */
wolfSSL 7:481bce714567 7990 sz += SetLength(cpSz + erSz, &output[sz]);
wolfSSL 7:481bce714567 7991
wolfSSL 7:481bce714567 7992 if (cpSz) {
wolfSSL 7:481bce714567 7993 XMEMCPY(&output[sz], cpSeq, cpSeqSz);
wolfSSL 7:481bce714567 7994 sz += cpSeqSz;
wolfSSL 7:481bce714567 7995 XMEMCPY(&output[sz], cpOid, sizeof(cpOid));
wolfSSL 7:481bce714567 7996 sz += sizeof(cpOid);
wolfSSL 7:481bce714567 7997 XMEMCPY(&output[sz], cpSet, cpSetSz);
wolfSSL 7:481bce714567 7998 sz += cpSetSz;
wolfSSL 7:481bce714567 7999 XMEMCPY(&output[sz], cpStr, cpStrSz);
wolfSSL 7:481bce714567 8000 sz += cpStrSz;
wolfSSL 7:481bce714567 8001 XMEMCPY(&output[sz], pw, pwSz);
wolfSSL 7:481bce714567 8002 sz += pwSz;
wolfSSL 7:481bce714567 8003 }
wolfSSL 7:481bce714567 8004
wolfSSL 7:481bce714567 8005 if (erSz) {
wolfSSL 7:481bce714567 8006 XMEMCPY(&output[sz], erSeq, erSeqSz);
wolfSSL 7:481bce714567 8007 sz += erSeqSz;
wolfSSL 7:481bce714567 8008 XMEMCPY(&output[sz], erOid, sizeof(erOid));
wolfSSL 7:481bce714567 8009 sz += sizeof(erOid);
wolfSSL 7:481bce714567 8010 XMEMCPY(&output[sz], erSet, erSetSz);
wolfSSL 7:481bce714567 8011 sz += erSetSz;
wolfSSL 7:481bce714567 8012 /* The actual extension data will be tacked onto the output later. */
wolfSSL 7:481bce714567 8013 }
wolfSSL 7:481bce714567 8014
wolfSSL 7:481bce714567 8015 return sz;
wolfSSL 7:481bce714567 8016 }
wolfSSL 7:481bce714567 8017
wolfSSL 7:481bce714567 8018
wolfSSL 7:481bce714567 8019 /* encode info from cert into DER encoded format */
wolfSSL 7:481bce714567 8020 static int EncodeCertReq(Cert* cert, DerCert* der,
wolfSSL 7:481bce714567 8021 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 7:481bce714567 8022 {
wolfSSL 7:481bce714567 8023 (void)eccKey;
wolfSSL 7:481bce714567 8024
wolfSSL 7:481bce714567 8025 if (cert == NULL || der == NULL)
wolfSSL 7:481bce714567 8026 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8027
wolfSSL 7:481bce714567 8028 /* init */
wolfSSL 7:481bce714567 8029 XMEMSET(der, 0, sizeof(DerCert));
wolfSSL 7:481bce714567 8030
wolfSSL 7:481bce714567 8031 /* version */
wolfSSL 7:481bce714567 8032 der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
wolfSSL 7:481bce714567 8033
wolfSSL 7:481bce714567 8034 /* subject name */
wolfSSL 7:481bce714567 8035 der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
wolfSSL 7:481bce714567 8036 if (der->subjectSz <= 0)
wolfSSL 7:481bce714567 8037 return SUBJECT_E;
wolfSSL 7:481bce714567 8038
wolfSSL 7:481bce714567 8039 /* public key */
wolfSSL 7:481bce714567 8040 if (cert->keyType == RSA_KEY) {
wolfSSL 7:481bce714567 8041 if (rsaKey == NULL)
wolfSSL 7:481bce714567 8042 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8043 der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
wolfSSL 7:481bce714567 8044 sizeof(der->publicKey), 1);
wolfSSL 7:481bce714567 8045 if (der->publicKeySz <= 0)
wolfSSL 7:481bce714567 8046 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8047 }
wolfSSL 7:481bce714567 8048
wolfSSL 7:481bce714567 8049 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 8050 if (cert->keyType == ECC_KEY) {
wolfSSL 7:481bce714567 8051 if (eccKey == NULL)
wolfSSL 7:481bce714567 8052 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8053 der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
wolfSSL 7:481bce714567 8054 if (der->publicKeySz <= 0)
wolfSSL 7:481bce714567 8055 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8056 }
wolfSSL 7:481bce714567 8057 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 8058
wolfSSL 7:481bce714567 8059 /* set the extensions */
wolfSSL 7:481bce714567 8060 der->extensionsSz = 0;
wolfSSL 7:481bce714567 8061
wolfSSL 7:481bce714567 8062 /* CA */
wolfSSL 7:481bce714567 8063 if (cert->isCA) {
wolfSSL 7:481bce714567 8064 der->caSz = SetCa(der->ca, sizeof(der->ca));
wolfSSL 7:481bce714567 8065 if (der->caSz <= 0)
wolfSSL 7:481bce714567 8066 return CA_TRUE_E;
wolfSSL 7:481bce714567 8067
wolfSSL 7:481bce714567 8068 der->extensionsSz += der->caSz;
wolfSSL 7:481bce714567 8069 }
wolfSSL 7:481bce714567 8070 else
wolfSSL 7:481bce714567 8071 der->caSz = 0;
wolfSSL 7:481bce714567 8072
wolfSSL 7:481bce714567 8073 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 8074 /* SKID */
wolfSSL 7:481bce714567 8075 if (cert->skidSz) {
wolfSSL 7:481bce714567 8076 /* check the provided SKID size */
wolfSSL 7:481bce714567 8077 if (cert->skidSz > (int)sizeof(der->skid))
wolfSSL 7:481bce714567 8078 return SKID_E;
wolfSSL 7:481bce714567 8079
wolfSSL 7:481bce714567 8080 der->skidSz = SetSKID(der->skid, sizeof(der->skid),
wolfSSL 7:481bce714567 8081 cert->skid, cert->skidSz);
wolfSSL 7:481bce714567 8082 if (der->skidSz <= 0)
wolfSSL 7:481bce714567 8083 return SKID_E;
wolfSSL 7:481bce714567 8084
wolfSSL 7:481bce714567 8085 der->extensionsSz += der->skidSz;
wolfSSL 7:481bce714567 8086 }
wolfSSL 7:481bce714567 8087 else
wolfSSL 7:481bce714567 8088 der->skidSz = 0;
wolfSSL 7:481bce714567 8089
wolfSSL 7:481bce714567 8090 /* Key Usage */
wolfSSL 7:481bce714567 8091 if (cert->keyUsage != 0){
wolfSSL 7:481bce714567 8092 der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
wolfSSL 7:481bce714567 8093 cert->keyUsage);
wolfSSL 7:481bce714567 8094 if (der->keyUsageSz <= 0)
wolfSSL 7:481bce714567 8095 return KEYUSAGE_E;
wolfSSL 7:481bce714567 8096
wolfSSL 7:481bce714567 8097 der->extensionsSz += der->keyUsageSz;
wolfSSL 7:481bce714567 8098 }
wolfSSL 7:481bce714567 8099 else
wolfSSL 7:481bce714567 8100 der->keyUsageSz = 0;
wolfSSL 7:481bce714567 8101 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 8102
wolfSSL 7:481bce714567 8103 /* put extensions */
wolfSSL 7:481bce714567 8104 if (der->extensionsSz > 0) {
wolfSSL 7:481bce714567 8105 int ret;
wolfSSL 7:481bce714567 8106
wolfSSL 7:481bce714567 8107 /* put the start of sequence (ID, Size) */
wolfSSL 7:481bce714567 8108 der->extensionsSz = SetSequence(der->extensionsSz, der->extensions);
wolfSSL 7:481bce714567 8109 if (der->extensionsSz <= 0)
wolfSSL 7:481bce714567 8110 return EXTENSIONS_E;
wolfSSL 7:481bce714567 8111
wolfSSL 7:481bce714567 8112 /* put CA */
wolfSSL 7:481bce714567 8113 if (der->caSz) {
wolfSSL 7:481bce714567 8114 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 8115 &der->extensionsSz,
wolfSSL 7:481bce714567 8116 der->ca, der->caSz);
wolfSSL 7:481bce714567 8117 if (ret <= 0)
wolfSSL 7:481bce714567 8118 return EXTENSIONS_E;
wolfSSL 7:481bce714567 8119 }
wolfSSL 7:481bce714567 8120
wolfSSL 7:481bce714567 8121 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 8122 /* put SKID */
wolfSSL 7:481bce714567 8123 if (der->skidSz) {
wolfSSL 7:481bce714567 8124 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 8125 &der->extensionsSz,
wolfSSL 7:481bce714567 8126 der->skid, der->skidSz);
wolfSSL 7:481bce714567 8127 if (ret <= 0)
wolfSSL 7:481bce714567 8128 return EXTENSIONS_E;
wolfSSL 7:481bce714567 8129 }
wolfSSL 7:481bce714567 8130
wolfSSL 7:481bce714567 8131 /* put AKID */
wolfSSL 7:481bce714567 8132 if (der->akidSz) {
wolfSSL 7:481bce714567 8133 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 8134 &der->extensionsSz,
wolfSSL 7:481bce714567 8135 der->akid, der->akidSz);
wolfSSL 7:481bce714567 8136 if (ret <= 0)
wolfSSL 7:481bce714567 8137 return EXTENSIONS_E;
wolfSSL 7:481bce714567 8138 }
wolfSSL 7:481bce714567 8139
wolfSSL 7:481bce714567 8140 /* put KeyUsage */
wolfSSL 7:481bce714567 8141 if (der->keyUsageSz) {
wolfSSL 7:481bce714567 8142 ret = SetExtensions(der->extensions, sizeof(der->extensions),
wolfSSL 7:481bce714567 8143 &der->extensionsSz,
wolfSSL 7:481bce714567 8144 der->keyUsage, der->keyUsageSz);
wolfSSL 7:481bce714567 8145 if (ret <= 0)
wolfSSL 7:481bce714567 8146 return EXTENSIONS_E;
wolfSSL 7:481bce714567 8147 }
wolfSSL 7:481bce714567 8148
wolfSSL 7:481bce714567 8149 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 8150 }
wolfSSL 7:481bce714567 8151
wolfSSL 7:481bce714567 8152 der->attribSz = SetReqAttrib(der->attrib,
wolfSSL 7:481bce714567 8153 cert->challengePw, der->extensionsSz);
wolfSSL 7:481bce714567 8154 if (der->attribSz <= 0)
wolfSSL 7:481bce714567 8155 return REQ_ATTRIBUTE_E;
wolfSSL 7:481bce714567 8156
wolfSSL 7:481bce714567 8157 der->total = der->versionSz + der->subjectSz + der->publicKeySz +
wolfSSL 7:481bce714567 8158 der->extensionsSz + der->attribSz;
wolfSSL 7:481bce714567 8159
wolfSSL 7:481bce714567 8160 return 0;
wolfSSL 7:481bce714567 8161 }
wolfSSL 7:481bce714567 8162
wolfSSL 7:481bce714567 8163
wolfSSL 7:481bce714567 8164 /* write DER encoded cert req to buffer, size already checked */
wolfSSL 7:481bce714567 8165 static int WriteCertReqBody(DerCert* der, byte* buffer)
wolfSSL 7:481bce714567 8166 {
wolfSSL 7:481bce714567 8167 int idx;
wolfSSL 7:481bce714567 8168
wolfSSL 7:481bce714567 8169 /* signed part header */
wolfSSL 7:481bce714567 8170 idx = SetSequence(der->total, buffer);
wolfSSL 7:481bce714567 8171 /* version */
wolfSSL 7:481bce714567 8172 XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL 7:481bce714567 8173 idx += der->versionSz;
wolfSSL 7:481bce714567 8174 /* subject */
wolfSSL 7:481bce714567 8175 XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL 7:481bce714567 8176 idx += der->subjectSz;
wolfSSL 7:481bce714567 8177 /* public key */
wolfSSL 7:481bce714567 8178 XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL 7:481bce714567 8179 idx += der->publicKeySz;
wolfSSL 7:481bce714567 8180 /* attributes */
wolfSSL 7:481bce714567 8181 XMEMCPY(buffer + idx, der->attrib, der->attribSz);
wolfSSL 7:481bce714567 8182 idx += der->attribSz;
wolfSSL 7:481bce714567 8183 /* extensions */
wolfSSL 7:481bce714567 8184 if (der->extensionsSz) {
wolfSSL 7:481bce714567 8185 XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL 7:481bce714567 8186 sizeof(der->extensions)));
wolfSSL 7:481bce714567 8187 idx += der->extensionsSz;
wolfSSL 7:481bce714567 8188 }
wolfSSL 7:481bce714567 8189
wolfSSL 7:481bce714567 8190 return idx;
wolfSSL 7:481bce714567 8191 }
wolfSSL 7:481bce714567 8192
wolfSSL 7:481bce714567 8193
wolfSSL 7:481bce714567 8194 int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL 7:481bce714567 8195 RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL 7:481bce714567 8196 {
wolfSSL 7:481bce714567 8197 int ret;
wolfSSL 7:481bce714567 8198 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8199 DerCert* der;
wolfSSL 7:481bce714567 8200 #else
wolfSSL 7:481bce714567 8201 DerCert der[1];
wolfSSL 7:481bce714567 8202 #endif
wolfSSL 7:481bce714567 8203
wolfSSL 7:481bce714567 8204 cert->keyType = eccKey ? ECC_KEY : RSA_KEY;
wolfSSL 7:481bce714567 8205
wolfSSL 7:481bce714567 8206 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8207 der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8208 if (der == NULL)
wolfSSL 7:481bce714567 8209 return MEMORY_E;
wolfSSL 7:481bce714567 8210 #endif
wolfSSL 7:481bce714567 8211
wolfSSL 7:481bce714567 8212 ret = EncodeCertReq(cert, der, rsaKey, eccKey);
wolfSSL 7:481bce714567 8213
wolfSSL 7:481bce714567 8214 if (ret == 0) {
wolfSSL 7:481bce714567 8215 if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL 7:481bce714567 8216 ret = BUFFER_E;
wolfSSL 7:481bce714567 8217 else
wolfSSL 7:481bce714567 8218 ret = cert->bodySz = WriteCertReqBody(der, derBuffer);
wolfSSL 7:481bce714567 8219 }
wolfSSL 7:481bce714567 8220
wolfSSL 7:481bce714567 8221 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8222 XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8223 #endif
wolfSSL 7:481bce714567 8224
wolfSSL 7:481bce714567 8225 return ret;
wolfSSL 7:481bce714567 8226 }
wolfSSL 7:481bce714567 8227
wolfSSL 7:481bce714567 8228 #endif /* WOLFSSL_CERT_REQ */
wolfSSL 7:481bce714567 8229
wolfSSL 7:481bce714567 8230
wolfSSL 7:481bce714567 8231 int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
wolfSSL 7:481bce714567 8232 RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng)
wolfSSL 7:481bce714567 8233 {
wolfSSL 7:481bce714567 8234 int sigSz;
wolfSSL 7:481bce714567 8235 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8236 byte* sig;
wolfSSL 7:481bce714567 8237 #else
wolfSSL 7:481bce714567 8238 byte sig[MAX_ENCODED_SIG_SZ];
wolfSSL 7:481bce714567 8239 #endif
wolfSSL 7:481bce714567 8240
wolfSSL 7:481bce714567 8241 if (requestSz < 0)
wolfSSL 7:481bce714567 8242 return requestSz;
wolfSSL 7:481bce714567 8243
wolfSSL 7:481bce714567 8244 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8245 sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8246 if (sig == NULL)
wolfSSL 7:481bce714567 8247 return MEMORY_E;
wolfSSL 7:481bce714567 8248 #endif
wolfSSL 7:481bce714567 8249
wolfSSL 7:481bce714567 8250 sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey,
wolfSSL 7:481bce714567 8251 eccKey, rng, sType);
wolfSSL 7:481bce714567 8252
wolfSSL 7:481bce714567 8253 if (sigSz >= 0) {
wolfSSL 7:481bce714567 8254 if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
wolfSSL 7:481bce714567 8255 sigSz = BUFFER_E;
wolfSSL 7:481bce714567 8256 else
wolfSSL 7:481bce714567 8257 sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType);
wolfSSL 7:481bce714567 8258 }
wolfSSL 7:481bce714567 8259
wolfSSL 7:481bce714567 8260 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8261 XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8262 #endif
wolfSSL 7:481bce714567 8263
wolfSSL 7:481bce714567 8264 return sigSz;
wolfSSL 7:481bce714567 8265 }
wolfSSL 7:481bce714567 8266
wolfSSL 7:481bce714567 8267
wolfSSL 7:481bce714567 8268 int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz,
wolfSSL 7:481bce714567 8269 RsaKey* key, WC_RNG* rng)
wolfSSL 7:481bce714567 8270 {
wolfSSL 7:481bce714567 8271 int ret;
wolfSSL 7:481bce714567 8272
wolfSSL 7:481bce714567 8273 ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng);
wolfSSL 7:481bce714567 8274 if (ret < 0)
wolfSSL 7:481bce714567 8275 return ret;
wolfSSL 7:481bce714567 8276
wolfSSL 7:481bce714567 8277 return wc_SignCert(cert->bodySz, cert->sigType,
wolfSSL 7:481bce714567 8278 buffer, buffSz, key, NULL, rng);
wolfSSL 7:481bce714567 8279 }
wolfSSL 7:481bce714567 8280
wolfSSL 7:481bce714567 8281
wolfSSL 7:481bce714567 8282 #ifdef WOLFSSL_CERT_EXT
wolfSSL 7:481bce714567 8283
wolfSSL 7:481bce714567 8284 /* Set KID from RSA or ECC public key */
wolfSSL 7:481bce714567 8285 static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
wolfSSL 7:481bce714567 8286 byte *ntruKey, word16 ntruKeySz, int kid_type)
wolfSSL 7:481bce714567 8287 {
wolfSSL 7:481bce714567 8288 byte *buffer;
wolfSSL 7:481bce714567 8289 int bufferSz, ret;
wolfSSL 7:481bce714567 8290
wolfSSL 7:481bce714567 8291 #ifndef HAVE_NTRU
wolfSSL 7:481bce714567 8292 (void)ntruKeySz;
wolfSSL 7:481bce714567 8293 #endif
wolfSSL 7:481bce714567 8294
wolfSSL 7:481bce714567 8295 if (cert == NULL || (rsakey == NULL && eckey == NULL && ntruKey == NULL) ||
wolfSSL 7:481bce714567 8296 (rsakey != NULL && eckey != NULL) ||
wolfSSL 7:481bce714567 8297 (rsakey != NULL && ntruKey != NULL) ||
wolfSSL 7:481bce714567 8298 (ntruKey != NULL && eckey != NULL) ||
wolfSSL 7:481bce714567 8299 (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
wolfSSL 7:481bce714567 8300 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8301
wolfSSL 7:481bce714567 8302 buffer = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap,
wolfSSL 7:481bce714567 8303 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8304 if (buffer == NULL)
wolfSSL 7:481bce714567 8305 return MEMORY_E;
wolfSSL 7:481bce714567 8306
wolfSSL 7:481bce714567 8307 /* RSA public key */
wolfSSL 7:481bce714567 8308 if (rsakey != NULL)
wolfSSL 7:481bce714567 8309 bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0);
wolfSSL 7:481bce714567 8310 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 8311 /* ECC public key */
wolfSSL 7:481bce714567 8312 else if (eckey != NULL)
wolfSSL 7:481bce714567 8313 bufferSz = SetEccPublicKey(buffer, eckey, 0);
wolfSSL 7:481bce714567 8314 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 8315 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 8316 /* NTRU public key */
wolfSSL 7:481bce714567 8317 else if (ntruKey != NULL) {
wolfSSL 7:481bce714567 8318 bufferSz = MAX_PUBLIC_KEY_SZ;
wolfSSL 7:481bce714567 8319 ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
wolfSSL 7:481bce714567 8320 ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer);
wolfSSL 7:481bce714567 8321 if (ret != NTRU_OK)
wolfSSL 7:481bce714567 8322 bufferSz = -1;
wolfSSL 7:481bce714567 8323 }
wolfSSL 7:481bce714567 8324 #endif
wolfSSL 7:481bce714567 8325 else
wolfSSL 7:481bce714567 8326 bufferSz = -1;
wolfSSL 7:481bce714567 8327
wolfSSL 7:481bce714567 8328 if (bufferSz <= 0) {
wolfSSL 7:481bce714567 8329 XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8330 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8331 }
wolfSSL 7:481bce714567 8332
wolfSSL 7:481bce714567 8333 /* Compute SKID by hashing public key */
wolfSSL 7:481bce714567 8334 #ifdef NO_SHA
wolfSSL 7:481bce714567 8335 if (kid_type == SKID_TYPE) {
wolfSSL 7:481bce714567 8336 ret = wc_Sha256Hash(buffer, bufferSz, cert->skid);
wolfSSL 7:481bce714567 8337 cert->skidSz = SHA256_DIGEST_SIZE;
wolfSSL 7:481bce714567 8338 }
wolfSSL 7:481bce714567 8339 else if (kid_type == AKID_TYPE) {
wolfSSL 7:481bce714567 8340 ret = wc_Sha256Hash(buffer, bufferSz, cert->akid);
wolfSSL 7:481bce714567 8341 cert->akidSz = SHA256_DIGEST_SIZE;
wolfSSL 7:481bce714567 8342 }
wolfSSL 7:481bce714567 8343 else
wolfSSL 7:481bce714567 8344 ret = BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8345 #else /* NO_SHA */
wolfSSL 7:481bce714567 8346 if (kid_type == SKID_TYPE) {
wolfSSL 7:481bce714567 8347 ret = wc_ShaHash(buffer, bufferSz, cert->skid);
wolfSSL 7:481bce714567 8348 cert->skidSz = SHA_DIGEST_SIZE;
wolfSSL 7:481bce714567 8349 }
wolfSSL 7:481bce714567 8350 else if (kid_type == AKID_TYPE) {
wolfSSL 7:481bce714567 8351 ret = wc_ShaHash(buffer, bufferSz, cert->akid);
wolfSSL 7:481bce714567 8352 cert->akidSz = SHA_DIGEST_SIZE;
wolfSSL 7:481bce714567 8353 }
wolfSSL 7:481bce714567 8354 else
wolfSSL 7:481bce714567 8355 ret = BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8356 #endif /* NO_SHA */
wolfSSL 7:481bce714567 8357
wolfSSL 7:481bce714567 8358 XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8359 return ret;
wolfSSL 7:481bce714567 8360 }
wolfSSL 7:481bce714567 8361
wolfSSL 7:481bce714567 8362 /* Set SKID from RSA or ECC public key */
wolfSSL 7:481bce714567 8363 int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 7:481bce714567 8364 {
wolfSSL 7:481bce714567 8365 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, SKID_TYPE);
wolfSSL 7:481bce714567 8366 }
wolfSSL 7:481bce714567 8367
wolfSSL 7:481bce714567 8368 #ifdef HAVE_NTRU
wolfSSL 7:481bce714567 8369 /* Set SKID from NTRU public key */
wolfSSL 7:481bce714567 8370 int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert,
wolfSSL 7:481bce714567 8371 byte *ntruKey, word16 ntruKeySz)
wolfSSL 7:481bce714567 8372 {
wolfSSL 7:481bce714567 8373 return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, SKID_TYPE);
wolfSSL 7:481bce714567 8374 }
wolfSSL 7:481bce714567 8375 #endif
wolfSSL 7:481bce714567 8376
wolfSSL 7:481bce714567 8377 /* Set SKID from RSA or ECC public key */
wolfSSL 7:481bce714567 8378 int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
wolfSSL 7:481bce714567 8379 {
wolfSSL 7:481bce714567 8380 return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, AKID_TYPE);
wolfSSL 7:481bce714567 8381 }
wolfSSL 7:481bce714567 8382
wolfSSL 7:481bce714567 8383
wolfSSL 7:481bce714567 8384 #ifndef NO_FILESYSTEM
wolfSSL 7:481bce714567 8385
wolfSSL 7:481bce714567 8386 /* Set SKID from public key file in PEM */
wolfSSL 7:481bce714567 8387 int wc_SetSubjectKeyId(Cert *cert, const char* file)
wolfSSL 7:481bce714567 8388 {
wolfSSL 7:481bce714567 8389 int ret, derSz;
wolfSSL 7:481bce714567 8390 byte* der;
wolfSSL 7:481bce714567 8391 word32 idx;
wolfSSL 7:481bce714567 8392 RsaKey *rsakey = NULL;
wolfSSL 7:481bce714567 8393 ecc_key *eckey = NULL;
wolfSSL 7:481bce714567 8394
wolfSSL 7:481bce714567 8395 if (cert == NULL || file == NULL)
wolfSSL 7:481bce714567 8396 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8397
wolfSSL 7:481bce714567 8398 der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8399 if (der == NULL) {
wolfSSL 7:481bce714567 8400 WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem");
wolfSSL 7:481bce714567 8401 return MEMORY_E;
wolfSSL 7:481bce714567 8402 }
wolfSSL 7:481bce714567 8403
wolfSSL 7:481bce714567 8404 derSz = wolfSSL_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ);
wolfSSL 7:481bce714567 8405 if (derSz <= 0)
wolfSSL 7:481bce714567 8406 {
wolfSSL 7:481bce714567 8407 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8408 return derSz;
wolfSSL 7:481bce714567 8409 }
wolfSSL 7:481bce714567 8410
wolfSSL 7:481bce714567 8411 /* Load PubKey in internal structure */
wolfSSL 7:481bce714567 8412 rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 8413 if (rsakey == NULL) {
wolfSSL 7:481bce714567 8414 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8415 return MEMORY_E;
wolfSSL 7:481bce714567 8416 }
wolfSSL 7:481bce714567 8417
wolfSSL 7:481bce714567 8418 if (wc_InitRsaKey(rsakey, cert->heap) != 0) {
wolfSSL 7:481bce714567 8419 WOLFSSL_MSG("wc_InitRsaKey failure");
wolfSSL 7:481bce714567 8420 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 8421 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8422 return MEMORY_E;
wolfSSL 7:481bce714567 8423 }
wolfSSL 7:481bce714567 8424
wolfSSL 7:481bce714567 8425 idx = 0;
wolfSSL 7:481bce714567 8426 ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
wolfSSL 7:481bce714567 8427 if (ret != 0) {
wolfSSL 7:481bce714567 8428 WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
wolfSSL 7:481bce714567 8429 wc_FreeRsaKey(rsakey);
wolfSSL 7:481bce714567 8430 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 8431 rsakey = NULL;
wolfSSL 7:481bce714567 8432 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 8433 /* Check to load ecc public key */
wolfSSL 7:481bce714567 8434 eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap,
wolfSSL 7:481bce714567 8435 DYNAMIC_TYPE_ECC);
wolfSSL 7:481bce714567 8436 if (eckey == NULL) {
wolfSSL 7:481bce714567 8437 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8438 return MEMORY_E;
wolfSSL 7:481bce714567 8439 }
wolfSSL 7:481bce714567 8440
wolfSSL 7:481bce714567 8441 if (wc_ecc_init(eckey) != 0) {
wolfSSL 7:481bce714567 8442 WOLFSSL_MSG("wc_ecc_init failure");
wolfSSL 7:481bce714567 8443 wc_ecc_free(eckey);
wolfSSL 7:481bce714567 8444 XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
wolfSSL 7:481bce714567 8445 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8446 return MEMORY_E;
wolfSSL 7:481bce714567 8447 }
wolfSSL 7:481bce714567 8448
wolfSSL 7:481bce714567 8449 idx = 0;
wolfSSL 7:481bce714567 8450 ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz);
wolfSSL 7:481bce714567 8451 if (ret != 0) {
wolfSSL 7:481bce714567 8452 WOLFSSL_MSG("wc_EccPublicKeyDecode failed");
wolfSSL 7:481bce714567 8453 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8454 wc_ecc_free(eckey);
wolfSSL 7:481bce714567 8455 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8456 }
wolfSSL 7:481bce714567 8457 #else
wolfSSL 7:481bce714567 8458 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8459 return PUBLIC_KEY_E;
wolfSSL 7:481bce714567 8460 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 8461 }
wolfSSL 7:481bce714567 8462
wolfSSL 7:481bce714567 8463 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8464
wolfSSL 7:481bce714567 8465 ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
wolfSSL 7:481bce714567 8466
wolfSSL 7:481bce714567 8467 wc_FreeRsaKey(rsakey);
wolfSSL 7:481bce714567 8468 XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
wolfSSL 7:481bce714567 8469 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 8470 wc_ecc_free(eckey);
wolfSSL 7:481bce714567 8471 XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
wolfSSL 7:481bce714567 8472 #endif
wolfSSL 7:481bce714567 8473 return ret;
wolfSSL 7:481bce714567 8474 }
wolfSSL 7:481bce714567 8475
wolfSSL 7:481bce714567 8476 #endif /* NO_FILESYSTEM */
wolfSSL 7:481bce714567 8477
wolfSSL 7:481bce714567 8478 /* Set AKID from certificate contains in buffer (DER encoded) */
wolfSSL 7:481bce714567 8479 int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
wolfSSL 7:481bce714567 8480 {
wolfSSL 7:481bce714567 8481 int ret;
wolfSSL 7:481bce714567 8482
wolfSSL 7:481bce714567 8483 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8484 DecodedCert* decoded;
wolfSSL 7:481bce714567 8485 #else
wolfSSL 7:481bce714567 8486 DecodedCert decoded[1];
wolfSSL 7:481bce714567 8487 #endif
wolfSSL 7:481bce714567 8488
wolfSSL 7:481bce714567 8489 if (cert == NULL || der == NULL || derSz <= 0)
wolfSSL 7:481bce714567 8490 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8491
wolfSSL 7:481bce714567 8492 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8493 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert),
wolfSSL 7:481bce714567 8494 NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8495 if (decoded == NULL)
wolfSSL 7:481bce714567 8496 return MEMORY_E;
wolfSSL 7:481bce714567 8497 #endif
wolfSSL 7:481bce714567 8498
wolfSSL 7:481bce714567 8499 /* decode certificate and get SKID that will be AKID of current cert */
wolfSSL 7:481bce714567 8500 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 7:481bce714567 8501 ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);
wolfSSL 7:481bce714567 8502 if (ret != 0) {
wolfSSL 7:481bce714567 8503 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8504 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8505 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8506 #endif
wolfSSL 7:481bce714567 8507 return ret;
wolfSSL 7:481bce714567 8508 }
wolfSSL 7:481bce714567 8509
wolfSSL 7:481bce714567 8510 /* Subject Key Id not found !! */
wolfSSL 7:481bce714567 8511 if (decoded->extSubjKeyIdSet == 0) {
wolfSSL 7:481bce714567 8512 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8513 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8514 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8515 #endif
wolfSSL 7:481bce714567 8516 return ASN_NO_SKID;
wolfSSL 7:481bce714567 8517 }
wolfSSL 7:481bce714567 8518
wolfSSL 7:481bce714567 8519 /* SKID invalid size */
wolfSSL 7:481bce714567 8520 if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) {
wolfSSL 7:481bce714567 8521 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8522 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8523 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8524 #endif
wolfSSL 7:481bce714567 8525 return MEMORY_E;
wolfSSL 7:481bce714567 8526 }
wolfSSL 7:481bce714567 8527
wolfSSL 7:481bce714567 8528 /* Put the SKID of CA to AKID of certificate */
wolfSSL 7:481bce714567 8529 XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE);
wolfSSL 7:481bce714567 8530 cert->akidSz = KEYID_SIZE;
wolfSSL 7:481bce714567 8531
wolfSSL 7:481bce714567 8532 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8533 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8534 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8535 #endif
wolfSSL 7:481bce714567 8536
wolfSSL 7:481bce714567 8537 return 0;
wolfSSL 7:481bce714567 8538 }
wolfSSL 7:481bce714567 8539
wolfSSL 7:481bce714567 8540
wolfSSL 7:481bce714567 8541 #ifndef NO_FILESYSTEM
wolfSSL 7:481bce714567 8542
wolfSSL 7:481bce714567 8543 /* Set AKID from certificate file in PEM */
wolfSSL 7:481bce714567 8544 int wc_SetAuthKeyId(Cert *cert, const char* file)
wolfSSL 7:481bce714567 8545 {
wolfSSL 7:481bce714567 8546 int ret;
wolfSSL 7:481bce714567 8547 int derSz;
wolfSSL 7:481bce714567 8548 byte* der;
wolfSSL 7:481bce714567 8549
wolfSSL 7:481bce714567 8550 if (cert == NULL || file == NULL)
wolfSSL 7:481bce714567 8551 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8552
wolfSSL 7:481bce714567 8553 der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8554 if (der == NULL) {
wolfSSL 7:481bce714567 8555 WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem");
wolfSSL 7:481bce714567 8556 return MEMORY_E;
wolfSSL 7:481bce714567 8557 }
wolfSSL 7:481bce714567 8558
wolfSSL 7:481bce714567 8559 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 7:481bce714567 8560 if (derSz <= 0)
wolfSSL 7:481bce714567 8561 {
wolfSSL 7:481bce714567 8562 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8563 return derSz;
wolfSSL 7:481bce714567 8564 }
wolfSSL 7:481bce714567 8565
wolfSSL 7:481bce714567 8566 ret = wc_SetAuthKeyIdFromCert(cert, der, derSz);
wolfSSL 7:481bce714567 8567 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8568
wolfSSL 7:481bce714567 8569 return ret;
wolfSSL 7:481bce714567 8570 }
wolfSSL 7:481bce714567 8571
wolfSSL 7:481bce714567 8572 #endif /* NO_FILESYSTEM */
wolfSSL 7:481bce714567 8573
wolfSSL 7:481bce714567 8574 /* Set KeyUsage from human readable string */
wolfSSL 7:481bce714567 8575 int wc_SetKeyUsage(Cert *cert, const char *value)
wolfSSL 7:481bce714567 8576 {
wolfSSL 7:481bce714567 8577 char *token, *str, *ptr;
wolfSSL 7:481bce714567 8578 word32 len;
wolfSSL 7:481bce714567 8579
wolfSSL 7:481bce714567 8580 if (cert == NULL || value == NULL)
wolfSSL 7:481bce714567 8581 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 8582
wolfSSL 7:481bce714567 8583 cert->keyUsage = 0;
wolfSSL 7:481bce714567 8584
wolfSSL 7:481bce714567 8585 str = (char *)XMALLOC(XSTRLEN(value)+1, cert->heap,
wolfSSL 7:481bce714567 8586 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8587 if (str == NULL)
wolfSSL 7:481bce714567 8588 return MEMORY_E;
wolfSSL 7:481bce714567 8589
wolfSSL 7:481bce714567 8590 XMEMSET(str, 0, XSTRLEN(value)+1);
wolfSSL 7:481bce714567 8591 XSTRNCPY(str, value, XSTRLEN(value));
wolfSSL 7:481bce714567 8592
wolfSSL 7:481bce714567 8593 /* parse value, and set corresponding Key Usage value */
wolfSSL 7:481bce714567 8594 token = XSTRTOK(str, ",", &ptr);
wolfSSL 7:481bce714567 8595 while (token != NULL)
wolfSSL 7:481bce714567 8596 {
wolfSSL 7:481bce714567 8597 len = (word32)XSTRLEN(token);
wolfSSL 7:481bce714567 8598
wolfSSL 7:481bce714567 8599 if (!XSTRNCASECMP(token, "digitalSignature", len))
wolfSSL 7:481bce714567 8600 cert->keyUsage |= KEYUSE_DIGITAL_SIG;
wolfSSL 7:481bce714567 8601 else if (!XSTRNCASECMP(token, "nonRepudiation", len) ||
wolfSSL 7:481bce714567 8602 !XSTRNCASECMP(token, "contentCommitment", len))
wolfSSL 7:481bce714567 8603 cert->keyUsage |= KEYUSE_CONTENT_COMMIT;
wolfSSL 7:481bce714567 8604 else if (!XSTRNCASECMP(token, "keyEncipherment", len))
wolfSSL 7:481bce714567 8605 cert->keyUsage |= KEYUSE_KEY_ENCIPHER;
wolfSSL 7:481bce714567 8606 else if (!XSTRNCASECMP(token, "dataEncipherment", len))
wolfSSL 7:481bce714567 8607 cert->keyUsage |= KEYUSE_DATA_ENCIPHER;
wolfSSL 7:481bce714567 8608 else if (!XSTRNCASECMP(token, "keyAgreement", len))
wolfSSL 7:481bce714567 8609 cert->keyUsage |= KEYUSE_KEY_AGREE;
wolfSSL 7:481bce714567 8610 else if (!XSTRNCASECMP(token, "keyCertSign", len))
wolfSSL 7:481bce714567 8611 cert->keyUsage |= KEYUSE_KEY_CERT_SIGN;
wolfSSL 7:481bce714567 8612 else if (!XSTRNCASECMP(token, "cRLSign", len))
wolfSSL 7:481bce714567 8613 cert->keyUsage |= KEYUSE_CRL_SIGN;
wolfSSL 7:481bce714567 8614 else if (!XSTRNCASECMP(token, "encipherOnly", len))
wolfSSL 7:481bce714567 8615 cert->keyUsage |= KEYUSE_ENCIPHER_ONLY;
wolfSSL 7:481bce714567 8616 else if (!XSTRNCASECMP(token, "decipherOnly", len))
wolfSSL 7:481bce714567 8617 cert->keyUsage |= KEYUSE_DECIPHER_ONLY;
wolfSSL 7:481bce714567 8618 else
wolfSSL 7:481bce714567 8619 return KEYUSAGE_E;
wolfSSL 7:481bce714567 8620
wolfSSL 7:481bce714567 8621 token = XSTRTOK(NULL, ",", &ptr);
wolfSSL 7:481bce714567 8622 }
wolfSSL 7:481bce714567 8623
wolfSSL 7:481bce714567 8624 XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8625 return 0;
wolfSSL 7:481bce714567 8626 }
wolfSSL 7:481bce714567 8627 #endif /* WOLFSSL_CERT_EXT */
wolfSSL 7:481bce714567 8628
wolfSSL 7:481bce714567 8629
wolfSSL 7:481bce714567 8630 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 8631
wolfSSL 7:481bce714567 8632 /* Set Alt Names from der cert, return 0 on success */
wolfSSL 7:481bce714567 8633 static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8634 {
wolfSSL 7:481bce714567 8635 int ret;
wolfSSL 7:481bce714567 8636 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8637 DecodedCert* decoded;
wolfSSL 7:481bce714567 8638 #else
wolfSSL 7:481bce714567 8639 DecodedCert decoded[1];
wolfSSL 7:481bce714567 8640 #endif
wolfSSL 7:481bce714567 8641
wolfSSL 7:481bce714567 8642 if (derSz < 0)
wolfSSL 7:481bce714567 8643 return derSz;
wolfSSL 7:481bce714567 8644
wolfSSL 7:481bce714567 8645 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8646 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 7:481bce714567 8647 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8648 if (decoded == NULL)
wolfSSL 7:481bce714567 8649 return MEMORY_E;
wolfSSL 7:481bce714567 8650 #endif
wolfSSL 7:481bce714567 8651
wolfSSL 7:481bce714567 8652 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 7:481bce714567 8653 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 7:481bce714567 8654
wolfSSL 7:481bce714567 8655 if (ret < 0) {
wolfSSL 7:481bce714567 8656 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 7:481bce714567 8657 }
wolfSSL 7:481bce714567 8658 else if (decoded->extensions) {
wolfSSL 7:481bce714567 8659 byte b;
wolfSSL 7:481bce714567 8660 int length;
wolfSSL 7:481bce714567 8661 word32 maxExtensionsIdx;
wolfSSL 7:481bce714567 8662
wolfSSL 7:481bce714567 8663 decoded->srcIdx = decoded->extensionsIdx;
wolfSSL 7:481bce714567 8664 b = decoded->source[decoded->srcIdx++];
wolfSSL 7:481bce714567 8665
wolfSSL 7:481bce714567 8666 if (b != ASN_EXTENSIONS) {
wolfSSL 7:481bce714567 8667 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 8668 }
wolfSSL 7:481bce714567 8669 else if (GetLength(decoded->source, &decoded->srcIdx, &length,
wolfSSL 7:481bce714567 8670 decoded->maxIdx) < 0) {
wolfSSL 7:481bce714567 8671 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 8672 }
wolfSSL 7:481bce714567 8673 else if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 7:481bce714567 8674 decoded->maxIdx) < 0) {
wolfSSL 7:481bce714567 8675 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 8676 }
wolfSSL 7:481bce714567 8677 else {
wolfSSL 7:481bce714567 8678 maxExtensionsIdx = decoded->srcIdx + length;
wolfSSL 7:481bce714567 8679
wolfSSL 7:481bce714567 8680 while (decoded->srcIdx < maxExtensionsIdx) {
wolfSSL 7:481bce714567 8681 word32 oid;
wolfSSL 7:481bce714567 8682 word32 startIdx = decoded->srcIdx;
wolfSSL 7:481bce714567 8683 word32 tmpIdx;
wolfSSL 7:481bce714567 8684
wolfSSL 7:481bce714567 8685 if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL 7:481bce714567 8686 decoded->maxIdx) < 0) {
wolfSSL 7:481bce714567 8687 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 8688 break;
wolfSSL 7:481bce714567 8689 }
wolfSSL 7:481bce714567 8690
wolfSSL 7:481bce714567 8691 tmpIdx = decoded->srcIdx;
wolfSSL 7:481bce714567 8692 decoded->srcIdx = startIdx;
wolfSSL 7:481bce714567 8693
wolfSSL 7:481bce714567 8694 if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
wolfSSL 7:481bce714567 8695 oidCertExtType, decoded->maxIdx) < 0) {
wolfSSL 7:481bce714567 8696 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 8697 break;
wolfSSL 7:481bce714567 8698 }
wolfSSL 7:481bce714567 8699
wolfSSL 7:481bce714567 8700 if (oid == ALT_NAMES_OID) {
wolfSSL 7:481bce714567 8701 cert->altNamesSz = length + (tmpIdx - startIdx);
wolfSSL 7:481bce714567 8702
wolfSSL 7:481bce714567 8703 if (cert->altNamesSz < (int)sizeof(cert->altNames))
wolfSSL 7:481bce714567 8704 XMEMCPY(cert->altNames, &decoded->source[startIdx],
wolfSSL 7:481bce714567 8705 cert->altNamesSz);
wolfSSL 7:481bce714567 8706 else {
wolfSSL 7:481bce714567 8707 cert->altNamesSz = 0;
wolfSSL 7:481bce714567 8708 WOLFSSL_MSG("AltNames extensions too big");
wolfSSL 7:481bce714567 8709 ret = ALT_NAME_E;
wolfSSL 7:481bce714567 8710 break;
wolfSSL 7:481bce714567 8711 }
wolfSSL 7:481bce714567 8712 }
wolfSSL 7:481bce714567 8713 decoded->srcIdx = tmpIdx + length;
wolfSSL 7:481bce714567 8714 }
wolfSSL 7:481bce714567 8715 }
wolfSSL 7:481bce714567 8716 }
wolfSSL 7:481bce714567 8717
wolfSSL 7:481bce714567 8718 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8719 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8720 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8721 #endif
wolfSSL 7:481bce714567 8722
wolfSSL 7:481bce714567 8723 return ret < 0 ? ret : 0;
wolfSSL 7:481bce714567 8724 }
wolfSSL 7:481bce714567 8725
wolfSSL 7:481bce714567 8726
wolfSSL 7:481bce714567 8727 /* Set Dates from der cert, return 0 on success */
wolfSSL 7:481bce714567 8728 static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8729 {
wolfSSL 7:481bce714567 8730 int ret;
wolfSSL 7:481bce714567 8731 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8732 DecodedCert* decoded;
wolfSSL 7:481bce714567 8733 #else
wolfSSL 7:481bce714567 8734 DecodedCert decoded[1];
wolfSSL 7:481bce714567 8735 #endif
wolfSSL 7:481bce714567 8736
wolfSSL 7:481bce714567 8737 WOLFSSL_ENTER("SetDatesFromCert");
wolfSSL 7:481bce714567 8738 if (derSz < 0)
wolfSSL 7:481bce714567 8739 return derSz;
wolfSSL 7:481bce714567 8740
wolfSSL 7:481bce714567 8741 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8742 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 7:481bce714567 8743 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8744 if (decoded == NULL)
wolfSSL 7:481bce714567 8745 return MEMORY_E;
wolfSSL 7:481bce714567 8746 #endif
wolfSSL 7:481bce714567 8747
wolfSSL 7:481bce714567 8748 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 7:481bce714567 8749 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 7:481bce714567 8750
wolfSSL 7:481bce714567 8751 if (ret < 0) {
wolfSSL 7:481bce714567 8752 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 7:481bce714567 8753 }
wolfSSL 7:481bce714567 8754 else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) {
wolfSSL 7:481bce714567 8755 WOLFSSL_MSG("Couldn't extract dates");
wolfSSL 7:481bce714567 8756 ret = -1;
wolfSSL 7:481bce714567 8757 }
wolfSSL 7:481bce714567 8758 else if (decoded->beforeDateLen > MAX_DATE_SIZE ||
wolfSSL 7:481bce714567 8759 decoded->afterDateLen > MAX_DATE_SIZE) {
wolfSSL 7:481bce714567 8760 WOLFSSL_MSG("Bad date size");
wolfSSL 7:481bce714567 8761 ret = -1;
wolfSSL 7:481bce714567 8762 }
wolfSSL 7:481bce714567 8763 else {
wolfSSL 7:481bce714567 8764 XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen);
wolfSSL 7:481bce714567 8765 XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen);
wolfSSL 7:481bce714567 8766
wolfSSL 7:481bce714567 8767 cert->beforeDateSz = decoded->beforeDateLen;
wolfSSL 7:481bce714567 8768 cert->afterDateSz = decoded->afterDateLen;
wolfSSL 7:481bce714567 8769 }
wolfSSL 7:481bce714567 8770
wolfSSL 7:481bce714567 8771 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8772
wolfSSL 7:481bce714567 8773 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8774 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8775 #endif
wolfSSL 7:481bce714567 8776
wolfSSL 7:481bce714567 8777 return ret < 0 ? ret : 0;
wolfSSL 7:481bce714567 8778 }
wolfSSL 7:481bce714567 8779
wolfSSL 7:481bce714567 8780
wolfSSL 7:481bce714567 8781 #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
wolfSSL 7:481bce714567 8782
wolfSSL 7:481bce714567 8783
wolfSSL 7:481bce714567 8784 /* Set cn name from der buffer, return 0 on success */
wolfSSL 7:481bce714567 8785 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
wolfSSL 7:481bce714567 8786 {
wolfSSL 7:481bce714567 8787 int ret, sz;
wolfSSL 7:481bce714567 8788 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8789 DecodedCert* decoded;
wolfSSL 7:481bce714567 8790 #else
wolfSSL 7:481bce714567 8791 DecodedCert decoded[1];
wolfSSL 7:481bce714567 8792 #endif
wolfSSL 7:481bce714567 8793
wolfSSL 7:481bce714567 8794 if (derSz < 0)
wolfSSL 7:481bce714567 8795 return derSz;
wolfSSL 7:481bce714567 8796
wolfSSL 7:481bce714567 8797 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8798 decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL 7:481bce714567 8799 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8800 if (decoded == NULL)
wolfSSL 7:481bce714567 8801 return MEMORY_E;
wolfSSL 7:481bce714567 8802 #endif
wolfSSL 7:481bce714567 8803
wolfSSL 7:481bce714567 8804 InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL 7:481bce714567 8805 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL 7:481bce714567 8806
wolfSSL 7:481bce714567 8807 if (ret < 0) {
wolfSSL 7:481bce714567 8808 WOLFSSL_MSG("ParseCertRelative error");
wolfSSL 7:481bce714567 8809 }
wolfSSL 7:481bce714567 8810 else {
wolfSSL 7:481bce714567 8811 if (decoded->subjectCN) {
wolfSSL 7:481bce714567 8812 sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
wolfSSL 7:481bce714567 8813 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8814 strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8815 cn->commonName[sz] = 0;
wolfSSL 7:481bce714567 8816 cn->commonNameEnc = decoded->subjectCNEnc;
wolfSSL 7:481bce714567 8817 }
wolfSSL 7:481bce714567 8818 if (decoded->subjectC) {
wolfSSL 7:481bce714567 8819 sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
wolfSSL 7:481bce714567 8820 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8821 strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8822 cn->country[sz] = 0;
wolfSSL 7:481bce714567 8823 cn->countryEnc = decoded->subjectCEnc;
wolfSSL 7:481bce714567 8824 }
wolfSSL 7:481bce714567 8825 if (decoded->subjectST) {
wolfSSL 7:481bce714567 8826 sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
wolfSSL 7:481bce714567 8827 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8828 strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8829 cn->state[sz] = 0;
wolfSSL 7:481bce714567 8830 cn->stateEnc = decoded->subjectSTEnc;
wolfSSL 7:481bce714567 8831 }
wolfSSL 7:481bce714567 8832 if (decoded->subjectL) {
wolfSSL 7:481bce714567 8833 sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
wolfSSL 7:481bce714567 8834 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8835 strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8836 cn->locality[sz] = 0;
wolfSSL 7:481bce714567 8837 cn->localityEnc = decoded->subjectLEnc;
wolfSSL 7:481bce714567 8838 }
wolfSSL 7:481bce714567 8839 if (decoded->subjectO) {
wolfSSL 7:481bce714567 8840 sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
wolfSSL 7:481bce714567 8841 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8842 strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8843 cn->org[sz] = 0;
wolfSSL 7:481bce714567 8844 cn->orgEnc = decoded->subjectOEnc;
wolfSSL 7:481bce714567 8845 }
wolfSSL 7:481bce714567 8846 if (decoded->subjectOU) {
wolfSSL 7:481bce714567 8847 sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
wolfSSL 7:481bce714567 8848 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8849 strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8850 cn->unit[sz] = 0;
wolfSSL 7:481bce714567 8851 cn->unitEnc = decoded->subjectOUEnc;
wolfSSL 7:481bce714567 8852 }
wolfSSL 7:481bce714567 8853 if (decoded->subjectSN) {
wolfSSL 7:481bce714567 8854 sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
wolfSSL 7:481bce714567 8855 : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8856 strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8857 cn->sur[sz] = 0;
wolfSSL 7:481bce714567 8858 cn->surEnc = decoded->subjectSNEnc;
wolfSSL 7:481bce714567 8859 }
wolfSSL 7:481bce714567 8860 if (decoded->subjectEmail) {
wolfSSL 7:481bce714567 8861 sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
wolfSSL 7:481bce714567 8862 ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
wolfSSL 7:481bce714567 8863 strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE);
wolfSSL 7:481bce714567 8864 cn->email[sz] = 0;
wolfSSL 7:481bce714567 8865 }
wolfSSL 7:481bce714567 8866 }
wolfSSL 7:481bce714567 8867
wolfSSL 7:481bce714567 8868 FreeDecodedCert(decoded);
wolfSSL 7:481bce714567 8869
wolfSSL 7:481bce714567 8870 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 8871 XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 8872 #endif
wolfSSL 7:481bce714567 8873
wolfSSL 7:481bce714567 8874 return ret < 0 ? ret : 0;
wolfSSL 7:481bce714567 8875 }
wolfSSL 7:481bce714567 8876
wolfSSL 7:481bce714567 8877
wolfSSL 7:481bce714567 8878 #ifndef NO_FILESYSTEM
wolfSSL 7:481bce714567 8879
wolfSSL 7:481bce714567 8880 /* Set cert issuer from issuerFile in PEM */
wolfSSL 7:481bce714567 8881 int wc_SetIssuer(Cert* cert, const char* issuerFile)
wolfSSL 7:481bce714567 8882 {
wolfSSL 7:481bce714567 8883 int ret;
wolfSSL 7:481bce714567 8884 int derSz;
wolfSSL 7:481bce714567 8885 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8886
wolfSSL 7:481bce714567 8887 if (der == NULL) {
wolfSSL 7:481bce714567 8888 WOLFSSL_MSG("wc_SetIssuer OOF Problem");
wolfSSL 7:481bce714567 8889 return MEMORY_E;
wolfSSL 7:481bce714567 8890 }
wolfSSL 7:481bce714567 8891 derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF);
wolfSSL 7:481bce714567 8892 cert->selfSigned = 0;
wolfSSL 7:481bce714567 8893 ret = SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 7:481bce714567 8894 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8895
wolfSSL 7:481bce714567 8896 return ret;
wolfSSL 7:481bce714567 8897 }
wolfSSL 7:481bce714567 8898
wolfSSL 7:481bce714567 8899
wolfSSL 7:481bce714567 8900 /* Set cert subject from subjectFile in PEM */
wolfSSL 7:481bce714567 8901 int wc_SetSubject(Cert* cert, const char* subjectFile)
wolfSSL 7:481bce714567 8902 {
wolfSSL 7:481bce714567 8903 int ret;
wolfSSL 7:481bce714567 8904 int derSz;
wolfSSL 7:481bce714567 8905 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8906
wolfSSL 7:481bce714567 8907 if (der == NULL) {
wolfSSL 7:481bce714567 8908 WOLFSSL_MSG("wc_SetSubject OOF Problem");
wolfSSL 7:481bce714567 8909 return MEMORY_E;
wolfSSL 7:481bce714567 8910 }
wolfSSL 7:481bce714567 8911 derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF);
wolfSSL 7:481bce714567 8912 ret = SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 7:481bce714567 8913 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8914
wolfSSL 7:481bce714567 8915 return ret;
wolfSSL 7:481bce714567 8916 }
wolfSSL 7:481bce714567 8917
wolfSSL 7:481bce714567 8918
wolfSSL 7:481bce714567 8919 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 8920
wolfSSL 7:481bce714567 8921 /* Set atl names from file in PEM */
wolfSSL 7:481bce714567 8922 int wc_SetAltNames(Cert* cert, const char* file)
wolfSSL 7:481bce714567 8923 {
wolfSSL 7:481bce714567 8924 int ret;
wolfSSL 7:481bce714567 8925 int derSz;
wolfSSL 7:481bce714567 8926 byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8927
wolfSSL 7:481bce714567 8928 if (der == NULL) {
wolfSSL 7:481bce714567 8929 WOLFSSL_MSG("wc_SetAltNames OOF Problem");
wolfSSL 7:481bce714567 8930 return MEMORY_E;
wolfSSL 7:481bce714567 8931 }
wolfSSL 7:481bce714567 8932 derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL 7:481bce714567 8933 ret = SetAltNamesFromCert(cert, der, derSz);
wolfSSL 7:481bce714567 8934 XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
wolfSSL 7:481bce714567 8935
wolfSSL 7:481bce714567 8936 return ret;
wolfSSL 7:481bce714567 8937 }
wolfSSL 7:481bce714567 8938
wolfSSL 7:481bce714567 8939 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 7:481bce714567 8940
wolfSSL 7:481bce714567 8941 #endif /* NO_FILESYSTEM */
wolfSSL 7:481bce714567 8942
wolfSSL 7:481bce714567 8943 /* Set cert issuer from DER buffer */
wolfSSL 7:481bce714567 8944 int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8945 {
wolfSSL 7:481bce714567 8946 cert->selfSigned = 0;
wolfSSL 7:481bce714567 8947 return SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL 7:481bce714567 8948 }
wolfSSL 7:481bce714567 8949
wolfSSL 7:481bce714567 8950
wolfSSL 7:481bce714567 8951 /* Set cert subject from DER buffer */
wolfSSL 7:481bce714567 8952 int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8953 {
wolfSSL 7:481bce714567 8954 return SetNameFromCert(&cert->subject, der, derSz);
wolfSSL 7:481bce714567 8955 }
wolfSSL 7:481bce714567 8956
wolfSSL 7:481bce714567 8957
wolfSSL 7:481bce714567 8958 #ifdef WOLFSSL_ALT_NAMES
wolfSSL 7:481bce714567 8959
wolfSSL 7:481bce714567 8960 /* Set cert alt names from DER buffer */
wolfSSL 7:481bce714567 8961 int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8962 {
wolfSSL 7:481bce714567 8963 return SetAltNamesFromCert(cert, der, derSz);
wolfSSL 7:481bce714567 8964 }
wolfSSL 7:481bce714567 8965
wolfSSL 7:481bce714567 8966 /* Set cert dates from DER buffer */
wolfSSL 7:481bce714567 8967 int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL 7:481bce714567 8968 {
wolfSSL 7:481bce714567 8969 return SetDatesFromCert(cert, der, derSz);
wolfSSL 7:481bce714567 8970 }
wolfSSL 7:481bce714567 8971
wolfSSL 7:481bce714567 8972 #endif /* WOLFSSL_ALT_NAMES */
wolfSSL 7:481bce714567 8973
wolfSSL 7:481bce714567 8974 #endif /* WOLFSSL_CERT_GEN */
wolfSSL 7:481bce714567 8975
wolfSSL 7:481bce714567 8976
wolfSSL 7:481bce714567 8977 #ifdef HAVE_ECC
wolfSSL 7:481bce714567 8978
wolfSSL 7:481bce714567 8979 /* Der Encode r & s ints into out, outLen is (in/out) size */
wolfSSL 7:481bce714567 8980 int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
wolfSSL 7:481bce714567 8981 {
wolfSSL 7:481bce714567 8982 word32 idx = 0;
wolfSSL 7:481bce714567 8983 word32 rSz; /* encoding size */
wolfSSL 7:481bce714567 8984 word32 sSz;
wolfSSL 7:481bce714567 8985 word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */
wolfSSL 7:481bce714567 8986
wolfSSL 7:481bce714567 8987 /* If the leading bit on the INTEGER is a 1, add a leading zero */
wolfSSL 7:481bce714567 8988 int rLeadingZero = mp_leading_bit(r);
wolfSSL 7:481bce714567 8989 int sLeadingZero = mp_leading_bit(s);
wolfSSL 7:481bce714567 8990 int rLen = mp_unsigned_bin_size(r); /* big int size */
wolfSSL 7:481bce714567 8991 int sLen = mp_unsigned_bin_size(s);
wolfSSL 7:481bce714567 8992 int err;
wolfSSL 7:481bce714567 8993
wolfSSL 7:481bce714567 8994 if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
wolfSSL 7:481bce714567 8995 headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
wolfSSL 7:481bce714567 8996 return BUFFER_E;
wolfSSL 7:481bce714567 8997
wolfSSL 7:481bce714567 8998 idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out);
wolfSSL 7:481bce714567 8999
wolfSSL 7:481bce714567 9000 /* store r */
wolfSSL 7:481bce714567 9001 out[idx++] = ASN_INTEGER;
wolfSSL 7:481bce714567 9002 rSz = SetLength(rLen + rLeadingZero, &out[idx]);
wolfSSL 7:481bce714567 9003 idx += rSz;
wolfSSL 7:481bce714567 9004 if (rLeadingZero)
wolfSSL 7:481bce714567 9005 out[idx++] = 0;
wolfSSL 7:481bce714567 9006 err = mp_to_unsigned_bin(r, &out[idx]);
wolfSSL 7:481bce714567 9007 if (err != MP_OKAY) return err;
wolfSSL 7:481bce714567 9008 idx += rLen;
wolfSSL 7:481bce714567 9009
wolfSSL 7:481bce714567 9010 /* store s */
wolfSSL 7:481bce714567 9011 out[idx++] = ASN_INTEGER;
wolfSSL 7:481bce714567 9012 sSz = SetLength(sLen + sLeadingZero, &out[idx]);
wolfSSL 7:481bce714567 9013 idx += sSz;
wolfSSL 7:481bce714567 9014 if (sLeadingZero)
wolfSSL 7:481bce714567 9015 out[idx++] = 0;
wolfSSL 7:481bce714567 9016 err = mp_to_unsigned_bin(s, &out[idx]);
wolfSSL 7:481bce714567 9017 if (err != MP_OKAY) return err;
wolfSSL 7:481bce714567 9018 idx += sLen;
wolfSSL 7:481bce714567 9019
wolfSSL 7:481bce714567 9020 *outLen = idx;
wolfSSL 7:481bce714567 9021
wolfSSL 7:481bce714567 9022 return 0;
wolfSSL 7:481bce714567 9023 }
wolfSSL 7:481bce714567 9024
wolfSSL 7:481bce714567 9025
wolfSSL 7:481bce714567 9026 /* Der Decode ECC-DSA Signature, r & s stored as big ints */
wolfSSL 7:481bce714567 9027 int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
wolfSSL 7:481bce714567 9028 {
wolfSSL 7:481bce714567 9029 word32 idx = 0;
wolfSSL 7:481bce714567 9030 int len = 0;
wolfSSL 7:481bce714567 9031
wolfSSL 7:481bce714567 9032 if (GetSequence(sig, &idx, &len, sigLen) < 0)
wolfSSL 7:481bce714567 9033 return ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9034
wolfSSL 7:481bce714567 9035 if ((word32)len > (sigLen - idx))
wolfSSL 7:481bce714567 9036 return ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9037
wolfSSL 7:481bce714567 9038 if (GetInt(r, sig, &idx, sigLen) < 0)
wolfSSL 7:481bce714567 9039 return ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9040
wolfSSL 7:481bce714567 9041 if (GetInt(s, sig, &idx, sigLen) < 0)
wolfSSL 7:481bce714567 9042 return ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9043
wolfSSL 7:481bce714567 9044 return 0;
wolfSSL 7:481bce714567 9045 }
wolfSSL 7:481bce714567 9046
wolfSSL 7:481bce714567 9047
wolfSSL 7:481bce714567 9048 int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
wolfSSL 7:481bce714567 9049 word32 inSz)
wolfSSL 7:481bce714567 9050 {
wolfSSL 7:481bce714567 9051 word32 oidSum = 0;
wolfSSL 7:481bce714567 9052 int version, length;
wolfSSL 7:481bce714567 9053 int privSz, pubSz;
wolfSSL 7:481bce714567 9054 byte b;
wolfSSL 7:481bce714567 9055 int ret = 0;
wolfSSL 7:481bce714567 9056 int curve_id = ECC_CURVE_DEF;
wolfSSL 7:481bce714567 9057 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 9058 byte* priv;
wolfSSL 7:481bce714567 9059 byte* pub;
wolfSSL 7:481bce714567 9060 #else
wolfSSL 7:481bce714567 9061 byte priv[ECC_MAXSIZE+1];
wolfSSL 7:481bce714567 9062 byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */
wolfSSL 7:481bce714567 9063 #endif
wolfSSL 7:481bce714567 9064
wolfSSL 7:481bce714567 9065 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 7:481bce714567 9066 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 9067
wolfSSL 7:481bce714567 9068 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 9069 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9070
wolfSSL 7:481bce714567 9071 if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
wolfSSL 7:481bce714567 9072 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9073
wolfSSL 7:481bce714567 9074 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9075 *inOutIdx += 1;
wolfSSL 7:481bce714567 9076
wolfSSL 7:481bce714567 9077 /* priv type */
wolfSSL 7:481bce714567 9078 if (b != 4 && b != 6 && b != 7)
wolfSSL 7:481bce714567 9079 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9080
wolfSSL 7:481bce714567 9081 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 9082 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9083
wolfSSL 7:481bce714567 9084 if (length > ECC_MAXSIZE)
wolfSSL 7:481bce714567 9085 return BUFFER_E;
wolfSSL 7:481bce714567 9086
wolfSSL 7:481bce714567 9087 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 9088 priv = (byte*)XMALLOC(ECC_MAXSIZE+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9089 if (priv == NULL)
wolfSSL 7:481bce714567 9090 return MEMORY_E;
wolfSSL 7:481bce714567 9091
wolfSSL 7:481bce714567 9092 pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9093 if (pub == NULL) {
wolfSSL 7:481bce714567 9094 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9095 return MEMORY_E;
wolfSSL 7:481bce714567 9096 }
wolfSSL 7:481bce714567 9097 #endif
wolfSSL 7:481bce714567 9098
wolfSSL 7:481bce714567 9099 /* priv key */
wolfSSL 7:481bce714567 9100 privSz = length;
wolfSSL 7:481bce714567 9101 XMEMCPY(priv, &input[*inOutIdx], privSz);
wolfSSL 7:481bce714567 9102 *inOutIdx += length;
wolfSSL 7:481bce714567 9103
wolfSSL 7:481bce714567 9104 if ((*inOutIdx + 1) > inSz)
wolfSSL 7:481bce714567 9105 return BUFFER_E;
wolfSSL 7:481bce714567 9106
wolfSSL 7:481bce714567 9107 /* prefix 0, may have */
wolfSSL 7:481bce714567 9108 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9109 if (b == ECC_PREFIX_0) {
wolfSSL 7:481bce714567 9110 *inOutIdx += 1;
wolfSSL 7:481bce714567 9111
wolfSSL 7:481bce714567 9112 if (GetLength(input, inOutIdx, &length, inSz) <= 0)
wolfSSL 7:481bce714567 9113 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 9114 else {
wolfSSL 7:481bce714567 9115 /* object id */
wolfSSL 7:481bce714567 9116 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9117 *inOutIdx += 1;
wolfSSL 7:481bce714567 9118
wolfSSL 7:481bce714567 9119 if (b != ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 9120 ret = ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 9121 }
wolfSSL 7:481bce714567 9122 else if (GetLength(input, inOutIdx, &length, inSz) <= 0) {
wolfSSL 7:481bce714567 9123 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 9124 }
wolfSSL 7:481bce714567 9125 else {
wolfSSL 7:481bce714567 9126 while(length--) {
wolfSSL 7:481bce714567 9127 oidSum += input[*inOutIdx];
wolfSSL 7:481bce714567 9128 *inOutIdx += 1;
wolfSSL 7:481bce714567 9129 }
wolfSSL 7:481bce714567 9130 if ((ret = CheckCurve(oidSum)) < 0) {
wolfSSL 7:481bce714567 9131 ret = ECC_CURVE_OID_E;
wolfSSL 7:481bce714567 9132 }
wolfSSL 7:481bce714567 9133 else {
wolfSSL 7:481bce714567 9134 curve_id = ret;
wolfSSL 7:481bce714567 9135 ret = 0;
wolfSSL 7:481bce714567 9136 }
wolfSSL 7:481bce714567 9137 }
wolfSSL 7:481bce714567 9138 }
wolfSSL 7:481bce714567 9139 }
wolfSSL 7:481bce714567 9140
wolfSSL 7:481bce714567 9141 if (ret == 0) {
wolfSSL 7:481bce714567 9142 /* prefix 1 */
wolfSSL 7:481bce714567 9143 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9144 *inOutIdx += 1;
wolfSSL 7:481bce714567 9145
wolfSSL 7:481bce714567 9146 if (b != ECC_PREFIX_1) {
wolfSSL 7:481bce714567 9147 ret = ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9148 }
wolfSSL 7:481bce714567 9149 else if (GetLength(input, inOutIdx, &length, inSz) <= 0) {
wolfSSL 7:481bce714567 9150 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 9151 }
wolfSSL 7:481bce714567 9152 else {
wolfSSL 7:481bce714567 9153 /* key header */
wolfSSL 7:481bce714567 9154 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9155 *inOutIdx += 1;
wolfSSL 7:481bce714567 9156
wolfSSL 7:481bce714567 9157 if (b != ASN_BIT_STRING) {
wolfSSL 7:481bce714567 9158 ret = ASN_BITSTR_E;
wolfSSL 7:481bce714567 9159 }
wolfSSL 7:481bce714567 9160 else if (GetLength(input, inOutIdx, &length, inSz) <= 0) {
wolfSSL 7:481bce714567 9161 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 9162 }
wolfSSL 7:481bce714567 9163 else {
wolfSSL 7:481bce714567 9164 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9165 *inOutIdx += 1;
wolfSSL 7:481bce714567 9166
wolfSSL 7:481bce714567 9167 if (b != 0x00) {
wolfSSL 7:481bce714567 9168 ret = ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 9169 }
wolfSSL 7:481bce714567 9170 else {
wolfSSL 7:481bce714567 9171 /* pub key */
wolfSSL 7:481bce714567 9172 pubSz = length - 1; /* null prefix */
wolfSSL 7:481bce714567 9173 if (pubSz < 2*(ECC_MAXSIZE+1)) {
wolfSSL 7:481bce714567 9174 XMEMCPY(pub, &input[*inOutIdx], pubSz);
wolfSSL 7:481bce714567 9175 *inOutIdx += length;
wolfSSL 7:481bce714567 9176 ret = wc_ecc_import_private_key_ex(priv, privSz, pub,
wolfSSL 7:481bce714567 9177 pubSz, key, curve_id);
wolfSSL 7:481bce714567 9178 } else
wolfSSL 7:481bce714567 9179 ret = BUFFER_E;
wolfSSL 7:481bce714567 9180 }
wolfSSL 7:481bce714567 9181 }
wolfSSL 7:481bce714567 9182 }
wolfSSL 7:481bce714567 9183 }
wolfSSL 7:481bce714567 9184
wolfSSL 7:481bce714567 9185 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 7:481bce714567 9186 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9187 XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9188 #endif
wolfSSL 7:481bce714567 9189
wolfSSL 7:481bce714567 9190 return ret;
wolfSSL 7:481bce714567 9191 }
wolfSSL 7:481bce714567 9192
wolfSSL 7:481bce714567 9193 int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
wolfSSL 7:481bce714567 9194 ecc_key* key, word32 inSz)
wolfSSL 7:481bce714567 9195 {
wolfSSL 7:481bce714567 9196 int length;
wolfSSL 7:481bce714567 9197 int ret = 0;
wolfSSL 7:481bce714567 9198
wolfSSL 7:481bce714567 9199 if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
wolfSSL 7:481bce714567 9200 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 9201
wolfSSL 7:481bce714567 9202 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 9203 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9204
wolfSSL 7:481bce714567 9205 #if defined(OPENSSL_EXTRA) || defined(ECC_DECODE_EXTRA)
wolfSSL 7:481bce714567 9206 {
wolfSSL 7:481bce714567 9207 byte b = input[*inOutIdx];
wolfSSL 7:481bce714567 9208 if (b != ASN_INTEGER) {
wolfSSL 7:481bce714567 9209 /* not from decoded cert, will have algo id, skip past */
wolfSSL 7:481bce714567 9210 if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 9211 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9212
wolfSSL 7:481bce714567 9213 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 9214 if (b != ASN_OBJECT_ID)
wolfSSL 7:481bce714567 9215 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 9216
wolfSSL 7:481bce714567 9217 if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL 7:481bce714567 9218 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9219
wolfSSL 7:481bce714567 9220 *inOutIdx += length; /* skip past */
wolfSSL 7:481bce714567 9221
wolfSSL 7:481bce714567 9222 /* ecc params information */
wolfSSL 7:481bce714567 9223 b = input[(*inOutIdx)++];
wolfSSL 7:481bce714567 9224 if (b != ASN_OBJECT_ID)
wolfSSL 7:481bce714567 9225 return ASN_OBJECT_ID_E;
wolfSSL 7:481bce714567 9226
wolfSSL 7:481bce714567 9227 if (GetLength(input, inOutIdx, &length, inSz) <= 0)
wolfSSL 7:481bce714567 9228 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9229
wolfSSL 7:481bce714567 9230 *inOutIdx += length; /* skip past */
wolfSSL 7:481bce714567 9231
wolfSSL 7:481bce714567 9232 /* key header */
wolfSSL 7:481bce714567 9233 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9234 *inOutIdx += 1;
wolfSSL 7:481bce714567 9235
wolfSSL 7:481bce714567 9236 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 9237 ret = ASN_BITSTR_E;
wolfSSL 7:481bce714567 9238 else if (GetLength(input, inOutIdx, &length, inSz) <= 0)
wolfSSL 7:481bce714567 9239 ret = ASN_PARSE_E;
wolfSSL 7:481bce714567 9240 else {
wolfSSL 7:481bce714567 9241 b = input[*inOutIdx];
wolfSSL 7:481bce714567 9242 *inOutIdx += 1;
wolfSSL 7:481bce714567 9243
wolfSSL 7:481bce714567 9244 if (b != 0x00)
wolfSSL 7:481bce714567 9245 ret = ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 9246 }
wolfSSL 7:481bce714567 9247 }
wolfSSL 7:481bce714567 9248 } /* openssl var block */
wolfSSL 7:481bce714567 9249 #endif /* OPENSSL_EXTRA */
wolfSSL 7:481bce714567 9250
wolfSSL 7:481bce714567 9251 if (wc_ecc_import_x963(input+*inOutIdx, inSz - *inOutIdx, key) != 0)
wolfSSL 7:481bce714567 9252 return ASN_ECC_KEY_E;
wolfSSL 7:481bce714567 9253
wolfSSL 7:481bce714567 9254 return ret;
wolfSSL 7:481bce714567 9255 }
wolfSSL 7:481bce714567 9256
wolfSSL 7:481bce714567 9257
wolfSSL 7:481bce714567 9258 #ifdef WOLFSSL_KEY_GEN
wolfSSL 7:481bce714567 9259
wolfSSL 7:481bce714567 9260 /* Write a Private ecc key to DER format, length on success else < 0 */
wolfSSL 7:481bce714567 9261 int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
wolfSSL 7:481bce714567 9262 {
wolfSSL 7:481bce714567 9263 byte curve[MAX_ALGO_SZ+2];
wolfSSL 7:481bce714567 9264 byte ver[MAX_VERSION_SZ];
wolfSSL 7:481bce714567 9265 byte seq[MAX_SEQ_SZ];
wolfSSL 7:481bce714567 9266 byte *prv, *pub;
wolfSSL 7:481bce714567 9267 int ret, totalSz, curveSz, verSz;
wolfSSL 7:481bce714567 9268 int privHdrSz = ASN_ECC_HEADER_SZ;
wolfSSL 7:481bce714567 9269 int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ;
wolfSSL 7:481bce714567 9270
wolfSSL 7:481bce714567 9271 word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0;
wolfSSL 7:481bce714567 9272 word32 seqSz, privSz, pubSz = ECC_BUFSIZE;
wolfSSL 7:481bce714567 9273
wolfSSL 7:481bce714567 9274 if (key == NULL || output == NULL || inLen == 0)
wolfSSL 7:481bce714567 9275 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 9276
wolfSSL 7:481bce714567 9277 /* curve */
wolfSSL 7:481bce714567 9278 curve[curveidx++] = ECC_PREFIX_0;
wolfSSL 7:481bce714567 9279 curveidx++ /* to put the size after computation */;
wolfSSL 7:481bce714567 9280 curveSz = SetCurve(key, curve+curveidx);
wolfSSL 7:481bce714567 9281 if (curveSz < 0)
wolfSSL 7:481bce714567 9282 return curveSz;
wolfSSL 7:481bce714567 9283 /* set computed size */
wolfSSL 7:481bce714567 9284 curve[1] = (byte)curveSz;
wolfSSL 7:481bce714567 9285 curveidx += curveSz;
wolfSSL 7:481bce714567 9286
wolfSSL 7:481bce714567 9287 /* private */
wolfSSL 7:481bce714567 9288 privSz = key->dp->size;
wolfSSL 7:481bce714567 9289 prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ,
wolfSSL 7:481bce714567 9290 key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9291 if (prv == NULL) {
wolfSSL 7:481bce714567 9292 return MEMORY_E;
wolfSSL 7:481bce714567 9293 }
wolfSSL 7:481bce714567 9294 prv[prvidx++] = ASN_OCTET_STRING;
wolfSSL 7:481bce714567 9295 prv[prvidx++] = (byte)key->dp->size;
wolfSSL 7:481bce714567 9296 ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz);
wolfSSL 7:481bce714567 9297 if (ret < 0) {
wolfSSL 7:481bce714567 9298 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9299 return ret;
wolfSSL 7:481bce714567 9300 }
wolfSSL 7:481bce714567 9301 prvidx += privSz;
wolfSSL 7:481bce714567 9302
wolfSSL 7:481bce714567 9303 /* public */
wolfSSL 7:481bce714567 9304 ret = wc_ecc_export_x963(key, NULL, &pubSz);
wolfSSL 7:481bce714567 9305 if (ret != LENGTH_ONLY_E) {
wolfSSL 7:481bce714567 9306 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9307 return ret;
wolfSSL 7:481bce714567 9308 }
wolfSSL 7:481bce714567 9309
wolfSSL 7:481bce714567 9310 pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ,
wolfSSL 7:481bce714567 9311 key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9312 if (pub == NULL) {
wolfSSL 7:481bce714567 9313 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9314 return MEMORY_E;
wolfSSL 7:481bce714567 9315 }
wolfSSL 7:481bce714567 9316
wolfSSL 7:481bce714567 9317 pub[pubidx++] = ECC_PREFIX_1;
wolfSSL 7:481bce714567 9318 if (pubSz > 128) /* leading zero + extra size byte */
wolfSSL 7:481bce714567 9319 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx);
wolfSSL 7:481bce714567 9320 else /* leading zero */
wolfSSL 7:481bce714567 9321 pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx);
wolfSSL 7:481bce714567 9322 pub[pubidx++] = ASN_BIT_STRING;
wolfSSL 7:481bce714567 9323 pubidx += SetLength(pubSz + 1, pub+pubidx);
wolfSSL 7:481bce714567 9324 pub[pubidx++] = (byte)0; /* leading zero */
wolfSSL 7:481bce714567 9325 ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz);
wolfSSL 7:481bce714567 9326 if (ret != 0) {
wolfSSL 7:481bce714567 9327 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9328 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9329 return ret;
wolfSSL 7:481bce714567 9330 }
wolfSSL 7:481bce714567 9331 pubidx += pubSz;
wolfSSL 7:481bce714567 9332
wolfSSL 7:481bce714567 9333 /* make headers */
wolfSSL 7:481bce714567 9334 verSz = SetMyVersion(1, ver, FALSE);
wolfSSL 7:481bce714567 9335 seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq);
wolfSSL 7:481bce714567 9336
wolfSSL 7:481bce714567 9337 totalSz = prvidx + pubidx + curveidx + verSz + seqSz;
wolfSSL 7:481bce714567 9338 if (totalSz > (int)inLen) {
wolfSSL 7:481bce714567 9339 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9340 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9341 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 9342 }
wolfSSL 7:481bce714567 9343
wolfSSL 7:481bce714567 9344 /* write out */
wolfSSL 7:481bce714567 9345 /* seq */
wolfSSL 7:481bce714567 9346 XMEMCPY(output + idx, seq, seqSz);
wolfSSL 7:481bce714567 9347 idx = seqSz;
wolfSSL 7:481bce714567 9348
wolfSSL 7:481bce714567 9349 /* ver */
wolfSSL 7:481bce714567 9350 XMEMCPY(output + idx, ver, verSz);
wolfSSL 7:481bce714567 9351 idx += verSz;
wolfSSL 7:481bce714567 9352
wolfSSL 7:481bce714567 9353 /* private */
wolfSSL 7:481bce714567 9354 XMEMCPY(output + idx, prv, prvidx);
wolfSSL 7:481bce714567 9355 idx += prvidx;
wolfSSL 7:481bce714567 9356 XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9357
wolfSSL 7:481bce714567 9358 /* curve */
wolfSSL 7:481bce714567 9359 XMEMCPY(output + idx, curve, curveidx);
wolfSSL 7:481bce714567 9360 idx += curveidx;
wolfSSL 7:481bce714567 9361
wolfSSL 7:481bce714567 9362 /* public */
wolfSSL 7:481bce714567 9363 XMEMCPY(output + idx, pub, pubidx);
wolfSSL 7:481bce714567 9364 /* idx += pubidx; not used after write, if more data remove comment */
wolfSSL 7:481bce714567 9365 XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 7:481bce714567 9366
wolfSSL 7:481bce714567 9367 return totalSz;
wolfSSL 7:481bce714567 9368 }
wolfSSL 7:481bce714567 9369
wolfSSL 7:481bce714567 9370 #endif /* WOLFSSL_KEY_GEN */
wolfSSL 7:481bce714567 9371
wolfSSL 7:481bce714567 9372 #endif /* HAVE_ECC */
wolfSSL 7:481bce714567 9373
wolfSSL 7:481bce714567 9374
wolfSSL 7:481bce714567 9375 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
wolfSSL 7:481bce714567 9376
wolfSSL 7:481bce714567 9377 /* Get raw Date only, no processing, 0 on success */
wolfSSL 7:481bce714567 9378 static int GetBasicDate(const byte* source, word32* idx, byte* date,
wolfSSL 7:481bce714567 9379 byte* format, int maxIdx)
wolfSSL 7:481bce714567 9380 {
wolfSSL 7:481bce714567 9381 int length;
wolfSSL 7:481bce714567 9382
wolfSSL 7:481bce714567 9383 WOLFSSL_ENTER("GetBasicDate");
wolfSSL 7:481bce714567 9384
wolfSSL 7:481bce714567 9385 *format = source[*idx];
wolfSSL 7:481bce714567 9386 *idx += 1;
wolfSSL 7:481bce714567 9387 if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
wolfSSL 7:481bce714567 9388 return ASN_TIME_E;
wolfSSL 7:481bce714567 9389
wolfSSL 7:481bce714567 9390 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 9391 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9392
wolfSSL 7:481bce714567 9393 if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
wolfSSL 7:481bce714567 9394 return ASN_DATE_SZ_E;
wolfSSL 7:481bce714567 9395
wolfSSL 7:481bce714567 9396 XMEMCPY(date, &source[*idx], length);
wolfSSL 7:481bce714567 9397 *idx += length;
wolfSSL 7:481bce714567 9398
wolfSSL 7:481bce714567 9399 return 0;
wolfSSL 7:481bce714567 9400 }
wolfSSL 7:481bce714567 9401
wolfSSL 7:481bce714567 9402 #endif
wolfSSL 7:481bce714567 9403
wolfSSL 7:481bce714567 9404
wolfSSL 7:481bce714567 9405 #ifdef HAVE_OCSP
wolfSSL 7:481bce714567 9406
wolfSSL 7:481bce714567 9407 static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
wolfSSL 7:481bce714567 9408 {
wolfSSL 7:481bce714567 9409 word32 idx = *inOutIdx;
wolfSSL 7:481bce714567 9410 word32 len;
wolfSSL 7:481bce714567 9411
wolfSSL 7:481bce714567 9412 WOLFSSL_ENTER("GetEnumerated");
wolfSSL 7:481bce714567 9413
wolfSSL 7:481bce714567 9414 *value = 0;
wolfSSL 7:481bce714567 9415
wolfSSL 7:481bce714567 9416 if (input[idx++] != ASN_ENUMERATED)
wolfSSL 7:481bce714567 9417 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9418
wolfSSL 7:481bce714567 9419 len = input[idx++];
wolfSSL 7:481bce714567 9420 if (len > 4)
wolfSSL 7:481bce714567 9421 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9422
wolfSSL 7:481bce714567 9423 while (len--) {
wolfSSL 7:481bce714567 9424 *value = *value << 8 | input[idx++];
wolfSSL 7:481bce714567 9425 }
wolfSSL 7:481bce714567 9426
wolfSSL 7:481bce714567 9427 *inOutIdx = idx;
wolfSSL 7:481bce714567 9428
wolfSSL 7:481bce714567 9429 return *value;
wolfSSL 7:481bce714567 9430 }
wolfSSL 7:481bce714567 9431
wolfSSL 7:481bce714567 9432
wolfSSL 7:481bce714567 9433 static int DecodeSingleResponse(byte* source,
wolfSSL 7:481bce714567 9434 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 7:481bce714567 9435 {
wolfSSL 7:481bce714567 9436 word32 idx = *ioIndex, prevIndex, oid;
wolfSSL 7:481bce714567 9437 int length, wrapperSz;
wolfSSL 7:481bce714567 9438 CertStatus* cs = resp->status;
wolfSSL 7:481bce714567 9439
wolfSSL 7:481bce714567 9440 WOLFSSL_ENTER("DecodeSingleResponse");
wolfSSL 7:481bce714567 9441
wolfSSL 7:481bce714567 9442 /* Outer wrapper of the SEQUENCE OF Single Responses. */
wolfSSL 7:481bce714567 9443 if (GetSequence(source, &idx, &wrapperSz, size) < 0)
wolfSSL 7:481bce714567 9444 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9445
wolfSSL 7:481bce714567 9446 prevIndex = idx;
wolfSSL 7:481bce714567 9447
wolfSSL 7:481bce714567 9448 /* When making a request, we only request one status on one certificate
wolfSSL 7:481bce714567 9449 * at a time. There should only be one SingleResponse */
wolfSSL 7:481bce714567 9450
wolfSSL 7:481bce714567 9451 /* Wrapper around the Single Response */
wolfSSL 7:481bce714567 9452 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9453 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9454
wolfSSL 7:481bce714567 9455 /* Wrapper around the CertID */
wolfSSL 7:481bce714567 9456 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9457 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9458 /* Skip the hash algorithm */
wolfSSL 7:481bce714567 9459 if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0)
wolfSSL 7:481bce714567 9460 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9461 /* Save reference to the hash of CN */
wolfSSL 7:481bce714567 9462 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 7:481bce714567 9463 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9464 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9465 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9466 resp->issuerHash = source + idx;
wolfSSL 7:481bce714567 9467 idx += length;
wolfSSL 7:481bce714567 9468 /* Save reference to the hash of the issuer public key */
wolfSSL 7:481bce714567 9469 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 7:481bce714567 9470 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9471 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9472 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9473 resp->issuerKeyHash = source + idx;
wolfSSL 7:481bce714567 9474 idx += length;
wolfSSL 7:481bce714567 9475
wolfSSL 7:481bce714567 9476 /* Get serial number */
wolfSSL 7:481bce714567 9477 if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0)
wolfSSL 7:481bce714567 9478 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9479
wolfSSL 7:481bce714567 9480 /* CertStatus */
wolfSSL 7:481bce714567 9481 switch (source[idx++])
wolfSSL 7:481bce714567 9482 {
wolfSSL 7:481bce714567 9483 case (ASN_CONTEXT_SPECIFIC | CERT_GOOD):
wolfSSL 7:481bce714567 9484 cs->status = CERT_GOOD;
wolfSSL 7:481bce714567 9485 idx++;
wolfSSL 7:481bce714567 9486 break;
wolfSSL 7:481bce714567 9487 case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED):
wolfSSL 7:481bce714567 9488 cs->status = CERT_REVOKED;
wolfSSL 7:481bce714567 9489 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9490 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9491 idx += length;
wolfSSL 7:481bce714567 9492 break;
wolfSSL 7:481bce714567 9493 case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN):
wolfSSL 7:481bce714567 9494 cs->status = CERT_UNKNOWN;
wolfSSL 7:481bce714567 9495 idx++;
wolfSSL 7:481bce714567 9496 break;
wolfSSL 7:481bce714567 9497 default:
wolfSSL 7:481bce714567 9498 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9499 }
wolfSSL 7:481bce714567 9500
wolfSSL 7:481bce714567 9501 if (GetBasicDate(source, &idx, cs->thisDate,
wolfSSL 7:481bce714567 9502 &cs->thisDateFormat, size) < 0)
wolfSSL 7:481bce714567 9503 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9504 if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
wolfSSL 7:481bce714567 9505 return ASN_BEFORE_DATE_E;
wolfSSL 7:481bce714567 9506
wolfSSL 7:481bce714567 9507 /* The following items are optional. Only check for them if there is more
wolfSSL 7:481bce714567 9508 * unprocessed data in the singleResponse wrapper. */
wolfSSL 7:481bce714567 9509
wolfSSL 7:481bce714567 9510 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 7:481bce714567 9511 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)))
wolfSSL 7:481bce714567 9512 {
wolfSSL 7:481bce714567 9513 idx++;
wolfSSL 7:481bce714567 9514 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9515 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9516 if (GetBasicDate(source, &idx, cs->nextDate,
wolfSSL 7:481bce714567 9517 &cs->nextDateFormat, size) < 0)
wolfSSL 7:481bce714567 9518 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9519 if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
wolfSSL 7:481bce714567 9520 return ASN_AFTER_DATE_E;
wolfSSL 7:481bce714567 9521 }
wolfSSL 7:481bce714567 9522 if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL 7:481bce714567 9523 (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
wolfSSL 7:481bce714567 9524 {
wolfSSL 7:481bce714567 9525 idx++;
wolfSSL 7:481bce714567 9526 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9527 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9528 idx += length;
wolfSSL 7:481bce714567 9529 }
wolfSSL 7:481bce714567 9530
wolfSSL 7:481bce714567 9531 *ioIndex = idx;
wolfSSL 7:481bce714567 9532
wolfSSL 7:481bce714567 9533 return 0;
wolfSSL 7:481bce714567 9534 }
wolfSSL 7:481bce714567 9535
wolfSSL 7:481bce714567 9536 static int DecodeOcspRespExtensions(byte* source,
wolfSSL 7:481bce714567 9537 word32* ioIndex, OcspResponse* resp, word32 sz)
wolfSSL 7:481bce714567 9538 {
wolfSSL 7:481bce714567 9539 word32 idx = *ioIndex;
wolfSSL 7:481bce714567 9540 int length;
wolfSSL 7:481bce714567 9541 int ext_bound; /* boundary index for the sequence of extensions */
wolfSSL 7:481bce714567 9542 word32 oid;
wolfSSL 7:481bce714567 9543
wolfSSL 7:481bce714567 9544 WOLFSSL_ENTER("DecodeOcspRespExtensions");
wolfSSL 7:481bce714567 9545
wolfSSL 7:481bce714567 9546 if ((idx + 1) > sz)
wolfSSL 7:481bce714567 9547 return BUFFER_E;
wolfSSL 7:481bce714567 9548
wolfSSL 7:481bce714567 9549 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
wolfSSL 7:481bce714567 9550 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9551
wolfSSL 7:481bce714567 9552 if (GetLength(source, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 9553 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9554
wolfSSL 7:481bce714567 9555 if (GetSequence(source, &idx, &length, sz) < 0)
wolfSSL 7:481bce714567 9556 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9557
wolfSSL 7:481bce714567 9558 ext_bound = idx + length;
wolfSSL 7:481bce714567 9559
wolfSSL 7:481bce714567 9560 while (idx < (word32)ext_bound) {
wolfSSL 7:481bce714567 9561 if (GetSequence(source, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 9562 WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL 7:481bce714567 9563 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9564 }
wolfSSL 7:481bce714567 9565
wolfSSL 7:481bce714567 9566 oid = 0;
wolfSSL 7:481bce714567 9567 if (GetObjectId(source, &idx, &oid, oidOcspType, sz) < 0) {
wolfSSL 7:481bce714567 9568 WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL 7:481bce714567 9569 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9570 }
wolfSSL 7:481bce714567 9571
wolfSSL 7:481bce714567 9572 /* check for critical flag */
wolfSSL 7:481bce714567 9573 if (source[idx] == ASN_BOOLEAN) {
wolfSSL 7:481bce714567 9574 WOLFSSL_MSG("\tfound optional critical flag, moving past");
wolfSSL 7:481bce714567 9575 idx += (ASN_BOOL_SIZE + 1);
wolfSSL 7:481bce714567 9576 }
wolfSSL 7:481bce714567 9577
wolfSSL 7:481bce714567 9578 /* process the extension based on the OID */
wolfSSL 7:481bce714567 9579 if (source[idx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 9580 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 7:481bce714567 9581 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9582 }
wolfSSL 7:481bce714567 9583
wolfSSL 7:481bce714567 9584 if (GetLength(source, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 9585 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 7:481bce714567 9586 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9587 }
wolfSSL 7:481bce714567 9588
wolfSSL 7:481bce714567 9589 if (oid == OCSP_NONCE_OID) {
wolfSSL 7:481bce714567 9590 /* get data inside extra OCTET_STRING */
wolfSSL 7:481bce714567 9591 if (source[idx++] != ASN_OCTET_STRING) {
wolfSSL 7:481bce714567 9592 WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL 7:481bce714567 9593 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9594 }
wolfSSL 7:481bce714567 9595
wolfSSL 7:481bce714567 9596 if (GetLength(source, &idx, &length, sz) < 0) {
wolfSSL 7:481bce714567 9597 WOLFSSL_MSG("\tfail: extension data length");
wolfSSL 7:481bce714567 9598 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9599 }
wolfSSL 7:481bce714567 9600
wolfSSL 7:481bce714567 9601 resp->nonce = source + idx;
wolfSSL 7:481bce714567 9602 resp->nonceSz = length;
wolfSSL 7:481bce714567 9603 }
wolfSSL 7:481bce714567 9604
wolfSSL 7:481bce714567 9605 idx += length;
wolfSSL 7:481bce714567 9606 }
wolfSSL 7:481bce714567 9607
wolfSSL 7:481bce714567 9608 *ioIndex = idx;
wolfSSL 7:481bce714567 9609 return 0;
wolfSSL 7:481bce714567 9610 }
wolfSSL 7:481bce714567 9611
wolfSSL 7:481bce714567 9612
wolfSSL 7:481bce714567 9613 static int DecodeResponseData(byte* source,
wolfSSL 7:481bce714567 9614 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 7:481bce714567 9615 {
wolfSSL 7:481bce714567 9616 word32 idx = *ioIndex, prev_idx;
wolfSSL 7:481bce714567 9617 int length;
wolfSSL 7:481bce714567 9618 int version;
wolfSSL 7:481bce714567 9619 word32 responderId = 0;
wolfSSL 7:481bce714567 9620
wolfSSL 7:481bce714567 9621 WOLFSSL_ENTER("DecodeResponseData");
wolfSSL 7:481bce714567 9622
wolfSSL 7:481bce714567 9623 resp->response = source + idx;
wolfSSL 7:481bce714567 9624 prev_idx = idx;
wolfSSL 7:481bce714567 9625 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9626 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9627 resp->responseSz = length + idx - prev_idx;
wolfSSL 7:481bce714567 9628
wolfSSL 7:481bce714567 9629 /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
wolfSSL 7:481bce714567 9630 * item isn't an EXPLICIT[0], then set version to zero and move
wolfSSL 7:481bce714567 9631 * onto the next item.
wolfSSL 7:481bce714567 9632 */
wolfSSL 7:481bce714567 9633 if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
wolfSSL 7:481bce714567 9634 {
wolfSSL 7:481bce714567 9635 idx += 2; /* Eat the value and length */
wolfSSL 7:481bce714567 9636 if (GetMyVersion(source, &idx, &version, size) < 0)
wolfSSL 7:481bce714567 9637 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9638 } else
wolfSSL 7:481bce714567 9639 version = 0;
wolfSSL 7:481bce714567 9640
wolfSSL 7:481bce714567 9641 responderId = source[idx++];
wolfSSL 7:481bce714567 9642 if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
wolfSSL 7:481bce714567 9643 (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
wolfSSL 7:481bce714567 9644 {
wolfSSL 7:481bce714567 9645 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9646 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9647 idx += length;
wolfSSL 7:481bce714567 9648 }
wolfSSL 7:481bce714567 9649 else
wolfSSL 7:481bce714567 9650 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9651
wolfSSL 7:481bce714567 9652 /* save pointer to the producedAt time */
wolfSSL 7:481bce714567 9653 if (GetBasicDate(source, &idx, resp->producedDate,
wolfSSL 7:481bce714567 9654 &resp->producedDateFormat, size) < 0)
wolfSSL 7:481bce714567 9655 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9656
wolfSSL 7:481bce714567 9657 if (DecodeSingleResponse(source, &idx, resp, size) < 0)
wolfSSL 7:481bce714567 9658 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9659
wolfSSL 7:481bce714567 9660 /*
wolfSSL 7:481bce714567 9661 * Check the length of the ResponseData against the current index to
wolfSSL 7:481bce714567 9662 * see if there are extensions, they are optional.
wolfSSL 7:481bce714567 9663 */
wolfSSL 7:481bce714567 9664 if (idx - prev_idx < resp->responseSz)
wolfSSL 7:481bce714567 9665 if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
wolfSSL 7:481bce714567 9666 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9667
wolfSSL 7:481bce714567 9668 *ioIndex = idx;
wolfSSL 7:481bce714567 9669 return 0;
wolfSSL 7:481bce714567 9670 }
wolfSSL 7:481bce714567 9671
wolfSSL 7:481bce714567 9672
wolfSSL 7:481bce714567 9673 #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
wolfSSL 7:481bce714567 9674
wolfSSL 7:481bce714567 9675 static int DecodeCerts(byte* source,
wolfSSL 7:481bce714567 9676 word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL 7:481bce714567 9677 {
wolfSSL 7:481bce714567 9678 word32 idx = *ioIndex;
wolfSSL 7:481bce714567 9679
wolfSSL 7:481bce714567 9680 WOLFSSL_ENTER("DecodeCerts");
wolfSSL 7:481bce714567 9681
wolfSSL 7:481bce714567 9682 if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 7:481bce714567 9683 {
wolfSSL 7:481bce714567 9684 int length;
wolfSSL 7:481bce714567 9685
wolfSSL 7:481bce714567 9686 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9687 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9688
wolfSSL 7:481bce714567 9689 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9690 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9691
wolfSSL 7:481bce714567 9692 resp->cert = source + idx;
wolfSSL 7:481bce714567 9693 resp->certSz = length;
wolfSSL 7:481bce714567 9694
wolfSSL 7:481bce714567 9695 idx += length;
wolfSSL 7:481bce714567 9696 }
wolfSSL 7:481bce714567 9697 *ioIndex = idx;
wolfSSL 7:481bce714567 9698 return 0;
wolfSSL 7:481bce714567 9699 }
wolfSSL 7:481bce714567 9700
wolfSSL 7:481bce714567 9701 #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
wolfSSL 7:481bce714567 9702
wolfSSL 7:481bce714567 9703
wolfSSL 7:481bce714567 9704 static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
wolfSSL 7:481bce714567 9705 OcspResponse* resp, word32 size, void* cm, void* heap)
wolfSSL 7:481bce714567 9706 {
wolfSSL 7:481bce714567 9707 int length;
wolfSSL 7:481bce714567 9708 word32 idx = *ioIndex;
wolfSSL 7:481bce714567 9709 word32 end_index;
wolfSSL 7:481bce714567 9710
wolfSSL 7:481bce714567 9711 WOLFSSL_ENTER("DecodeBasicOcspResponse");
wolfSSL 7:481bce714567 9712 (void)heap;
wolfSSL 7:481bce714567 9713
wolfSSL 7:481bce714567 9714 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9715 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9716
wolfSSL 7:481bce714567 9717 if (idx + length > size)
wolfSSL 7:481bce714567 9718 return ASN_INPUT_E;
wolfSSL 7:481bce714567 9719 end_index = idx + length;
wolfSSL 7:481bce714567 9720
wolfSSL 7:481bce714567 9721 if (DecodeResponseData(source, &idx, resp, size) < 0)
wolfSSL 7:481bce714567 9722 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9723
wolfSSL 7:481bce714567 9724 /* Get the signature algorithm */
wolfSSL 7:481bce714567 9725 if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0)
wolfSSL 7:481bce714567 9726 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9727
wolfSSL 7:481bce714567 9728 /* Obtain pointer to the start of the signature, and save the size */
wolfSSL 7:481bce714567 9729 if (source[idx++] == ASN_BIT_STRING)
wolfSSL 7:481bce714567 9730 {
wolfSSL 7:481bce714567 9731 int sigLength = 0;
wolfSSL 7:481bce714567 9732 byte b;
wolfSSL 7:481bce714567 9733
wolfSSL 7:481bce714567 9734 if (GetLength(source, &idx, &sigLength, size) <= 0)
wolfSSL 7:481bce714567 9735 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9736
wolfSSL 7:481bce714567 9737 b = source[idx++];
wolfSSL 7:481bce714567 9738 if (b != 0x00) {
wolfSSL 7:481bce714567 9739 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 9740 }
wolfSSL 7:481bce714567 9741
wolfSSL 7:481bce714567 9742 sigLength--;
wolfSSL 7:481bce714567 9743 resp->sigSz = sigLength;
wolfSSL 7:481bce714567 9744 resp->sig = source + idx;
wolfSSL 7:481bce714567 9745 idx += sigLength;
wolfSSL 7:481bce714567 9746 }
wolfSSL 7:481bce714567 9747
wolfSSL 7:481bce714567 9748 /*
wolfSSL 7:481bce714567 9749 * Check the length of the BasicOcspResponse against the current index to
wolfSSL 7:481bce714567 9750 * see if there are certificates, they are optional.
wolfSSL 7:481bce714567 9751 */
wolfSSL 7:481bce714567 9752 #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
wolfSSL 7:481bce714567 9753 if (idx < end_index)
wolfSSL 7:481bce714567 9754 {
wolfSSL 7:481bce714567 9755 DecodedCert cert;
wolfSSL 7:481bce714567 9756 int ret;
wolfSSL 7:481bce714567 9757
wolfSSL 7:481bce714567 9758 if (DecodeCerts(source, &idx, resp, size) < 0)
wolfSSL 7:481bce714567 9759 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9760
wolfSSL 7:481bce714567 9761 InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
wolfSSL 7:481bce714567 9762 ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
wolfSSL 7:481bce714567 9763 if (ret < 0) {
wolfSSL 7:481bce714567 9764 WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
wolfSSL 7:481bce714567 9765 FreeDecodedCert(&cert);
wolfSSL 7:481bce714567 9766 return ret;
wolfSSL 7:481bce714567 9767 }
wolfSSL 7:481bce714567 9768
wolfSSL 7:481bce714567 9769 ret = ConfirmSignature(resp->response, resp->responseSz,
wolfSSL 7:481bce714567 9770 cert.publicKey, cert.pubKeySize, cert.keyOID,
wolfSSL 7:481bce714567 9771 resp->sig, resp->sigSz, resp->sigOID, NULL);
wolfSSL 7:481bce714567 9772 FreeDecodedCert(&cert);
wolfSSL 7:481bce714567 9773
wolfSSL 7:481bce714567 9774 if (ret == 0)
wolfSSL 7:481bce714567 9775 {
wolfSSL 7:481bce714567 9776 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 7:481bce714567 9777 return ASN_OCSP_CONFIRM_E;
wolfSSL 7:481bce714567 9778 }
wolfSSL 7:481bce714567 9779 }
wolfSSL 7:481bce714567 9780 else
wolfSSL 7:481bce714567 9781 #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
wolfSSL 7:481bce714567 9782 {
wolfSSL 7:481bce714567 9783 Signer* ca = NULL;
wolfSSL 7:481bce714567 9784
wolfSSL 7:481bce714567 9785 #ifndef NO_SKID
wolfSSL 7:481bce714567 9786 ca = GetCA(cm, resp->issuerKeyHash);
wolfSSL 7:481bce714567 9787 #else
wolfSSL 7:481bce714567 9788 ca = GetCA(cm, resp->issuerHash);
wolfSSL 7:481bce714567 9789 #endif
wolfSSL 7:481bce714567 9790
wolfSSL 7:481bce714567 9791 if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
wolfSSL 7:481bce714567 9792 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 7:481bce714567 9793 resp->sig, resp->sigSz, resp->sigOID, NULL)) {
wolfSSL 7:481bce714567 9794 WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL 7:481bce714567 9795 return ASN_OCSP_CONFIRM_E;
wolfSSL 7:481bce714567 9796 }
wolfSSL 7:481bce714567 9797 }
wolfSSL 7:481bce714567 9798
wolfSSL 7:481bce714567 9799 *ioIndex = idx;
wolfSSL 7:481bce714567 9800 return 0;
wolfSSL 7:481bce714567 9801 }
wolfSSL 7:481bce714567 9802
wolfSSL 7:481bce714567 9803
wolfSSL 7:481bce714567 9804 void InitOcspResponse(OcspResponse* resp, CertStatus* status,
wolfSSL 7:481bce714567 9805 byte* source, word32 inSz)
wolfSSL 7:481bce714567 9806 {
wolfSSL 7:481bce714567 9807 WOLFSSL_ENTER("InitOcspResponse");
wolfSSL 7:481bce714567 9808
wolfSSL 7:481bce714567 9809 XMEMSET(status, 0, sizeof(CertStatus));
wolfSSL 7:481bce714567 9810 XMEMSET(resp, 0, sizeof(OcspResponse));
wolfSSL 7:481bce714567 9811
wolfSSL 7:481bce714567 9812 resp->responseStatus = -1;
wolfSSL 7:481bce714567 9813 resp->status = status;
wolfSSL 7:481bce714567 9814 resp->source = source;
wolfSSL 7:481bce714567 9815 resp->maxIdx = inSz;
wolfSSL 7:481bce714567 9816 }
wolfSSL 7:481bce714567 9817
wolfSSL 7:481bce714567 9818
wolfSSL 7:481bce714567 9819 int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap)
wolfSSL 7:481bce714567 9820 {
wolfSSL 7:481bce714567 9821 int length = 0;
wolfSSL 7:481bce714567 9822 word32 idx = 0;
wolfSSL 7:481bce714567 9823 byte* source = resp->source;
wolfSSL 7:481bce714567 9824 word32 size = resp->maxIdx;
wolfSSL 7:481bce714567 9825 word32 oid;
wolfSSL 7:481bce714567 9826
wolfSSL 7:481bce714567 9827 WOLFSSL_ENTER("OcspResponseDecode");
wolfSSL 7:481bce714567 9828
wolfSSL 7:481bce714567 9829 /* peel the outer SEQUENCE wrapper */
wolfSSL 7:481bce714567 9830 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9831 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9832
wolfSSL 7:481bce714567 9833 /* First get the responseStatus, an ENUMERATED */
wolfSSL 7:481bce714567 9834 if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
wolfSSL 7:481bce714567 9835 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9836
wolfSSL 7:481bce714567 9837 if (resp->responseStatus != OCSP_SUCCESSFUL)
wolfSSL 7:481bce714567 9838 return 0;
wolfSSL 7:481bce714567 9839
wolfSSL 7:481bce714567 9840 /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
wolfSSL 7:481bce714567 9841 if (idx >= size)
wolfSSL 7:481bce714567 9842 return ASN_INPUT_E;
wolfSSL 7:481bce714567 9843 if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
wolfSSL 7:481bce714567 9844 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9845 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9846 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9847
wolfSSL 7:481bce714567 9848 /* Get the responseBytes SEQUENCE */
wolfSSL 7:481bce714567 9849 if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9850 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9851
wolfSSL 7:481bce714567 9852 /* Check ObjectID for the resposeBytes */
wolfSSL 7:481bce714567 9853 if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0)
wolfSSL 7:481bce714567 9854 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9855 if (oid != OCSP_BASIC_OID)
wolfSSL 7:481bce714567 9856 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9857 if (source[idx++] != ASN_OCTET_STRING)
wolfSSL 7:481bce714567 9858 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9859
wolfSSL 7:481bce714567 9860 if (GetLength(source, &idx, &length, size) < 0)
wolfSSL 7:481bce714567 9861 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9862
wolfSSL 7:481bce714567 9863 if (DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap) < 0)
wolfSSL 7:481bce714567 9864 return ASN_PARSE_E;
wolfSSL 7:481bce714567 9865
wolfSSL 7:481bce714567 9866 return 0;
wolfSSL 7:481bce714567 9867 }
wolfSSL 7:481bce714567 9868
wolfSSL 7:481bce714567 9869
wolfSSL 7:481bce714567 9870 word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
wolfSSL 7:481bce714567 9871 {
wolfSSL 7:481bce714567 9872 static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
wolfSSL 7:481bce714567 9873 0x30, 0x01, 0x02 };
wolfSSL 7:481bce714567 9874 byte seqArray[6][MAX_SEQ_SZ];
wolfSSL 7:481bce714567 9875 word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId);
wolfSSL 7:481bce714567 9876
wolfSSL 7:481bce714567 9877 WOLFSSL_ENTER("SetOcspReqExtensions");
wolfSSL 7:481bce714567 9878
wolfSSL 7:481bce714567 9879 if (!req || !output || !req->nonceSz)
wolfSSL 7:481bce714567 9880 return 0;
wolfSSL 7:481bce714567 9881
wolfSSL 7:481bce714567 9882 totalSz += req->nonceSz;
wolfSSL 7:481bce714567 9883 totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]);
wolfSSL 7:481bce714567 9884 totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]);
wolfSSL 7:481bce714567 9885 seqArray[2][0] = ASN_OBJECT_ID;
wolfSSL 7:481bce714567 9886 totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]);
wolfSSL 7:481bce714567 9887 totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
wolfSSL 7:481bce714567 9888 totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
wolfSSL 7:481bce714567 9889 totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]);
wolfSSL 7:481bce714567 9890
wolfSSL 7:481bce714567 9891 if (totalSz > size)
wolfSSL 7:481bce714567 9892 return 0;
wolfSSL 7:481bce714567 9893
wolfSSL 7:481bce714567 9894 totalSz = 0;
wolfSSL 7:481bce714567 9895
wolfSSL 7:481bce714567 9896 XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
wolfSSL 7:481bce714567 9897 totalSz += seqSz[5];
wolfSSL 7:481bce714567 9898
wolfSSL 7:481bce714567 9899 XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
wolfSSL 7:481bce714567 9900 totalSz += seqSz[4];
wolfSSL 7:481bce714567 9901
wolfSSL 7:481bce714567 9902 XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
wolfSSL 7:481bce714567 9903 totalSz += seqSz[3];
wolfSSL 7:481bce714567 9904
wolfSSL 7:481bce714567 9905 XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
wolfSSL 7:481bce714567 9906 totalSz += seqSz[2];
wolfSSL 7:481bce714567 9907
wolfSSL 7:481bce714567 9908 XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
wolfSSL 7:481bce714567 9909 totalSz += (word32)sizeof(NonceObjId);
wolfSSL 7:481bce714567 9910
wolfSSL 7:481bce714567 9911 XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
wolfSSL 7:481bce714567 9912 totalSz += seqSz[1];
wolfSSL 7:481bce714567 9913
wolfSSL 7:481bce714567 9914 XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
wolfSSL 7:481bce714567 9915 totalSz += seqSz[0];
wolfSSL 7:481bce714567 9916
wolfSSL 7:481bce714567 9917 XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
wolfSSL 7:481bce714567 9918 totalSz += req->nonceSz;
wolfSSL 7:481bce714567 9919
wolfSSL 7:481bce714567 9920 return totalSz;
wolfSSL 7:481bce714567 9921 }
wolfSSL 7:481bce714567 9922
wolfSSL 7:481bce714567 9923
wolfSSL 7:481bce714567 9924 int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
wolfSSL 7:481bce714567 9925 {
wolfSSL 7:481bce714567 9926 byte seqArray[5][MAX_SEQ_SZ];
wolfSSL 7:481bce714567 9927 /* The ASN.1 of the OCSP Request is an onion of sequences */
wolfSSL 7:481bce714567 9928 byte algoArray[MAX_ALGO_SZ];
wolfSSL 7:481bce714567 9929 byte issuerArray[MAX_ENCODED_DIG_SZ];
wolfSSL 7:481bce714567 9930 byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
wolfSSL 7:481bce714567 9931 byte snArray[MAX_SN_SZ];
wolfSSL 7:481bce714567 9932 byte extArray[MAX_OCSP_EXT_SZ];
wolfSSL 7:481bce714567 9933 word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
wolfSSL 7:481bce714567 9934 int i;
wolfSSL 7:481bce714567 9935
wolfSSL 7:481bce714567 9936 WOLFSSL_ENTER("EncodeOcspRequest");
wolfSSL 7:481bce714567 9937
wolfSSL 7:481bce714567 9938 #ifdef NO_SHA
wolfSSL 7:481bce714567 9939 algoSz = SetAlgoID(SHA256h, algoArray, oidHashType, 0);
wolfSSL 7:481bce714567 9940 #else
wolfSSL 7:481bce714567 9941 algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0);
wolfSSL 7:481bce714567 9942 #endif
wolfSSL 7:481bce714567 9943
wolfSSL 7:481bce714567 9944 issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray);
wolfSSL 7:481bce714567 9945 issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray);
wolfSSL 7:481bce714567 9946 snSz = SetSerialNumber(req->serial, req->serialSz, snArray);
wolfSSL 7:481bce714567 9947 extSz = 0;
wolfSSL 7:481bce714567 9948
wolfSSL 7:481bce714567 9949 if (req->nonceSz)
wolfSSL 7:481bce714567 9950 extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ);
wolfSSL 7:481bce714567 9951
wolfSSL 7:481bce714567 9952 totalSz = algoSz + issuerSz + issuerKeySz + snSz;
wolfSSL 7:481bce714567 9953 for (i = 4; i >= 0; i--) {
wolfSSL 7:481bce714567 9954 seqSz[i] = SetSequence(totalSz, seqArray[i]);
wolfSSL 7:481bce714567 9955 totalSz += seqSz[i];
wolfSSL 7:481bce714567 9956 if (i == 2) totalSz += extSz;
wolfSSL 7:481bce714567 9957 }
wolfSSL 7:481bce714567 9958
wolfSSL 7:481bce714567 9959 if (totalSz > size)
wolfSSL 7:481bce714567 9960 return BUFFER_E;
wolfSSL 7:481bce714567 9961
wolfSSL 7:481bce714567 9962 totalSz = 0;
wolfSSL 7:481bce714567 9963 for (i = 0; i < 5; i++) {
wolfSSL 7:481bce714567 9964 XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
wolfSSL 7:481bce714567 9965 totalSz += seqSz[i];
wolfSSL 7:481bce714567 9966 }
wolfSSL 7:481bce714567 9967
wolfSSL 7:481bce714567 9968 XMEMCPY(output + totalSz, algoArray, algoSz);
wolfSSL 7:481bce714567 9969 totalSz += algoSz;
wolfSSL 7:481bce714567 9970
wolfSSL 7:481bce714567 9971 XMEMCPY(output + totalSz, issuerArray, issuerSz);
wolfSSL 7:481bce714567 9972 totalSz += issuerSz;
wolfSSL 7:481bce714567 9973
wolfSSL 7:481bce714567 9974 XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
wolfSSL 7:481bce714567 9975 totalSz += issuerKeySz;
wolfSSL 7:481bce714567 9976
wolfSSL 7:481bce714567 9977 XMEMCPY(output + totalSz, snArray, snSz);
wolfSSL 7:481bce714567 9978 totalSz += snSz;
wolfSSL 7:481bce714567 9979
wolfSSL 7:481bce714567 9980 if (extSz != 0) {
wolfSSL 7:481bce714567 9981 XMEMCPY(output + totalSz, extArray, extSz);
wolfSSL 7:481bce714567 9982 totalSz += extSz;
wolfSSL 7:481bce714567 9983 }
wolfSSL 7:481bce714567 9984
wolfSSL 7:481bce714567 9985 return totalSz;
wolfSSL 7:481bce714567 9986 }
wolfSSL 7:481bce714567 9987
wolfSSL 7:481bce714567 9988
wolfSSL 7:481bce714567 9989 int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
wolfSSL 7:481bce714567 9990 void* heap)
wolfSSL 7:481bce714567 9991 {
wolfSSL 7:481bce714567 9992 WOLFSSL_ENTER("InitOcspRequest");
wolfSSL 7:481bce714567 9993
wolfSSL 7:481bce714567 9994 if (req == NULL)
wolfSSL 7:481bce714567 9995 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 9996
wolfSSL 7:481bce714567 9997 ForceZero(req, sizeof(OcspRequest));
wolfSSL 7:481bce714567 9998 req->heap = heap;
wolfSSL 7:481bce714567 9999
wolfSSL 7:481bce714567 10000 if (cert) {
wolfSSL 7:481bce714567 10001 XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE);
wolfSSL 7:481bce714567 10002 XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
wolfSSL 7:481bce714567 10003
wolfSSL 7:481bce714567 10004 req->serial = (byte*)XMALLOC(cert->serialSz, req->heap,
wolfSSL 7:481bce714567 10005 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 7:481bce714567 10006 if (req->serial == NULL)
wolfSSL 7:481bce714567 10007 return MEMORY_E;
wolfSSL 7:481bce714567 10008
wolfSSL 7:481bce714567 10009 XMEMCPY(req->serial, cert->serial, cert->serialSz);
wolfSSL 7:481bce714567 10010 req->serialSz = cert->serialSz;
wolfSSL 7:481bce714567 10011
wolfSSL 7:481bce714567 10012 if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
wolfSSL 7:481bce714567 10013 req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap,
wolfSSL 7:481bce714567 10014 DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 7:481bce714567 10015 if (req->url == NULL) {
wolfSSL 7:481bce714567 10016 XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
wolfSSL 7:481bce714567 10017 return MEMORY_E;
wolfSSL 7:481bce714567 10018 }
wolfSSL 7:481bce714567 10019
wolfSSL 7:481bce714567 10020 XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
wolfSSL 7:481bce714567 10021 req->urlSz = cert->extAuthInfoSz;
wolfSSL 7:481bce714567 10022 }
wolfSSL 7:481bce714567 10023
wolfSSL 7:481bce714567 10024 }
wolfSSL 7:481bce714567 10025
wolfSSL 7:481bce714567 10026 if (useNonce) {
wolfSSL 7:481bce714567 10027 WC_RNG rng;
wolfSSL 7:481bce714567 10028
wolfSSL 7:481bce714567 10029 #ifdef WOLFSSL_STATIC_MEMORY
wolfSSL 7:481bce714567 10030 if (wc_InitRng_ex(&rng, req->heap) != 0) {
wolfSSL 7:481bce714567 10031 #else
wolfSSL 7:481bce714567 10032 if (wc_InitRng(&rng) != 0) {
wolfSSL 7:481bce714567 10033 #endif
wolfSSL 7:481bce714567 10034 WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
wolfSSL 7:481bce714567 10035 } else {
wolfSSL 7:481bce714567 10036 if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
wolfSSL 7:481bce714567 10037 WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
wolfSSL 7:481bce714567 10038 else
wolfSSL 7:481bce714567 10039 req->nonceSz = MAX_OCSP_NONCE_SZ;
wolfSSL 7:481bce714567 10040
wolfSSL 7:481bce714567 10041 wc_FreeRng(&rng);
wolfSSL 7:481bce714567 10042 }
wolfSSL 7:481bce714567 10043 }
wolfSSL 7:481bce714567 10044
wolfSSL 7:481bce714567 10045 return 0;
wolfSSL 7:481bce714567 10046 }
wolfSSL 7:481bce714567 10047
wolfSSL 7:481bce714567 10048 void FreeOcspRequest(OcspRequest* req)
wolfSSL 7:481bce714567 10049 {
wolfSSL 7:481bce714567 10050 WOLFSSL_ENTER("FreeOcspRequest");
wolfSSL 7:481bce714567 10051
wolfSSL 7:481bce714567 10052 if (req) {
wolfSSL 7:481bce714567 10053 if (req->serial)
wolfSSL 7:481bce714567 10054 XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 7:481bce714567 10055
wolfSSL 7:481bce714567 10056 if (req->url)
wolfSSL 7:481bce714567 10057 XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
wolfSSL 7:481bce714567 10058 }
wolfSSL 7:481bce714567 10059 }
wolfSSL 7:481bce714567 10060
wolfSSL 7:481bce714567 10061
wolfSSL 7:481bce714567 10062 int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
wolfSSL 7:481bce714567 10063 {
wolfSSL 7:481bce714567 10064 int cmp;
wolfSSL 7:481bce714567 10065
wolfSSL 7:481bce714567 10066 WOLFSSL_ENTER("CompareOcspReqResp");
wolfSSL 7:481bce714567 10067
wolfSSL 7:481bce714567 10068 if (req == NULL)
wolfSSL 7:481bce714567 10069 {
wolfSSL 7:481bce714567 10070 WOLFSSL_MSG("\tReq missing");
wolfSSL 7:481bce714567 10071 return -1;
wolfSSL 7:481bce714567 10072 }
wolfSSL 7:481bce714567 10073
wolfSSL 7:481bce714567 10074 if (resp == NULL)
wolfSSL 7:481bce714567 10075 {
wolfSSL 7:481bce714567 10076 WOLFSSL_MSG("\tResp missing");
wolfSSL 7:481bce714567 10077 return 1;
wolfSSL 7:481bce714567 10078 }
wolfSSL 7:481bce714567 10079
wolfSSL 7:481bce714567 10080 /* Nonces are not critical. The responder may not necessarily add
wolfSSL 7:481bce714567 10081 * the nonce to the response. */
wolfSSL 7:481bce714567 10082 if (resp->nonceSz != 0) {
wolfSSL 7:481bce714567 10083 cmp = req->nonceSz - resp->nonceSz;
wolfSSL 7:481bce714567 10084 if (cmp != 0)
wolfSSL 7:481bce714567 10085 {
wolfSSL 7:481bce714567 10086 WOLFSSL_MSG("\tnonceSz mismatch");
wolfSSL 7:481bce714567 10087 return cmp;
wolfSSL 7:481bce714567 10088 }
wolfSSL 7:481bce714567 10089
wolfSSL 7:481bce714567 10090 cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
wolfSSL 7:481bce714567 10091 if (cmp != 0)
wolfSSL 7:481bce714567 10092 {
wolfSSL 7:481bce714567 10093 WOLFSSL_MSG("\tnonce mismatch");
wolfSSL 7:481bce714567 10094 return cmp;
wolfSSL 7:481bce714567 10095 }
wolfSSL 7:481bce714567 10096 }
wolfSSL 7:481bce714567 10097
wolfSSL 7:481bce714567 10098 cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
wolfSSL 7:481bce714567 10099 if (cmp != 0)
wolfSSL 7:481bce714567 10100 {
wolfSSL 7:481bce714567 10101 WOLFSSL_MSG("\tissuerHash mismatch");
wolfSSL 7:481bce714567 10102 return cmp;
wolfSSL 7:481bce714567 10103 }
wolfSSL 7:481bce714567 10104
wolfSSL 7:481bce714567 10105 cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
wolfSSL 7:481bce714567 10106 if (cmp != 0)
wolfSSL 7:481bce714567 10107 {
wolfSSL 7:481bce714567 10108 WOLFSSL_MSG("\tissuerKeyHash mismatch");
wolfSSL 7:481bce714567 10109 return cmp;
wolfSSL 7:481bce714567 10110 }
wolfSSL 7:481bce714567 10111
wolfSSL 7:481bce714567 10112 cmp = req->serialSz - resp->status->serialSz;
wolfSSL 7:481bce714567 10113 if (cmp != 0)
wolfSSL 7:481bce714567 10114 {
wolfSSL 7:481bce714567 10115 WOLFSSL_MSG("\tserialSz mismatch");
wolfSSL 7:481bce714567 10116 return cmp;
wolfSSL 7:481bce714567 10117 }
wolfSSL 7:481bce714567 10118
wolfSSL 7:481bce714567 10119 cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
wolfSSL 7:481bce714567 10120 if (cmp != 0)
wolfSSL 7:481bce714567 10121 {
wolfSSL 7:481bce714567 10122 WOLFSSL_MSG("\tserial mismatch");
wolfSSL 7:481bce714567 10123 return cmp;
wolfSSL 7:481bce714567 10124 }
wolfSSL 7:481bce714567 10125
wolfSSL 7:481bce714567 10126 return 0;
wolfSSL 7:481bce714567 10127 }
wolfSSL 7:481bce714567 10128
wolfSSL 7:481bce714567 10129 #endif
wolfSSL 7:481bce714567 10130
wolfSSL 7:481bce714567 10131
wolfSSL 7:481bce714567 10132 /* store SHA hash of NAME */
wolfSSL 7:481bce714567 10133 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
wolfSSL 7:481bce714567 10134 int maxIdx)
wolfSSL 7:481bce714567 10135 {
wolfSSL 7:481bce714567 10136 int length; /* length of all distinguished names */
wolfSSL 7:481bce714567 10137 int ret;
wolfSSL 7:481bce714567 10138 word32 dummy;
wolfSSL 7:481bce714567 10139
wolfSSL 7:481bce714567 10140 WOLFSSL_ENTER("GetNameHash");
wolfSSL 7:481bce714567 10141
wolfSSL 7:481bce714567 10142 if (source[*idx] == ASN_OBJECT_ID) {
wolfSSL 7:481bce714567 10143 WOLFSSL_MSG("Trying optional prefix...");
wolfSSL 7:481bce714567 10144
wolfSSL 7:481bce714567 10145 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 10146 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10147
wolfSSL 7:481bce714567 10148 *idx += length;
wolfSSL 7:481bce714567 10149 WOLFSSL_MSG("Got optional prefix");
wolfSSL 7:481bce714567 10150 }
wolfSSL 7:481bce714567 10151
wolfSSL 7:481bce714567 10152 /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL 7:481bce714567 10153 * calculated over the entire DER encoding of the Name field, including
wolfSSL 7:481bce714567 10154 * the tag and length. */
wolfSSL 7:481bce714567 10155 dummy = *idx;
wolfSSL 7:481bce714567 10156 if (GetSequence(source, idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 10157 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10158
wolfSSL 7:481bce714567 10159 #ifdef NO_SHA
wolfSSL 7:481bce714567 10160 ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash);
wolfSSL 7:481bce714567 10161 #else
wolfSSL 7:481bce714567 10162 ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash);
wolfSSL 7:481bce714567 10163 #endif
wolfSSL 7:481bce714567 10164
wolfSSL 7:481bce714567 10165 *idx += length;
wolfSSL 7:481bce714567 10166
wolfSSL 7:481bce714567 10167 return ret;
wolfSSL 7:481bce714567 10168 }
wolfSSL 7:481bce714567 10169
wolfSSL 7:481bce714567 10170
wolfSSL 7:481bce714567 10171 #ifdef HAVE_CRL
wolfSSL 7:481bce714567 10172
wolfSSL 7:481bce714567 10173 /* initialize decoded CRL */
wolfSSL 7:481bce714567 10174 void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
wolfSSL 7:481bce714567 10175 {
wolfSSL 7:481bce714567 10176 WOLFSSL_MSG("InitDecodedCRL");
wolfSSL 7:481bce714567 10177
wolfSSL 7:481bce714567 10178 dcrl->certBegin = 0;
wolfSSL 7:481bce714567 10179 dcrl->sigIndex = 0;
wolfSSL 7:481bce714567 10180 dcrl->sigLength = 0;
wolfSSL 7:481bce714567 10181 dcrl->signatureOID = 0;
wolfSSL 7:481bce714567 10182 dcrl->certs = NULL;
wolfSSL 7:481bce714567 10183 dcrl->totalCerts = 0;
wolfSSL 7:481bce714567 10184 dcrl->heap = heap;
wolfSSL 7:481bce714567 10185 #ifdef WOLFSSL_HEAP_TEST
wolfSSL 7:481bce714567 10186 dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
wolfSSL 7:481bce714567 10187 #endif
wolfSSL 7:481bce714567 10188 }
wolfSSL 7:481bce714567 10189
wolfSSL 7:481bce714567 10190
wolfSSL 7:481bce714567 10191 /* free decoded CRL resources */
wolfSSL 7:481bce714567 10192 void FreeDecodedCRL(DecodedCRL* dcrl)
wolfSSL 7:481bce714567 10193 {
wolfSSL 7:481bce714567 10194 RevokedCert* tmp = dcrl->certs;
wolfSSL 7:481bce714567 10195
wolfSSL 7:481bce714567 10196 WOLFSSL_MSG("FreeDecodedCRL");
wolfSSL 7:481bce714567 10197
wolfSSL 7:481bce714567 10198 while(tmp) {
wolfSSL 7:481bce714567 10199 RevokedCert* next = tmp->next;
wolfSSL 7:481bce714567 10200 XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED);
wolfSSL 7:481bce714567 10201 tmp = next;
wolfSSL 7:481bce714567 10202 }
wolfSSL 7:481bce714567 10203 }
wolfSSL 7:481bce714567 10204
wolfSSL 7:481bce714567 10205
wolfSSL 7:481bce714567 10206 /* Get Revoked Cert list, 0 on success */
wolfSSL 7:481bce714567 10207 static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
wolfSSL 7:481bce714567 10208 int maxIdx)
wolfSSL 7:481bce714567 10209 {
wolfSSL 7:481bce714567 10210 int len;
wolfSSL 7:481bce714567 10211 word32 end;
wolfSSL 7:481bce714567 10212 byte b;
wolfSSL 7:481bce714567 10213 RevokedCert* rc;
wolfSSL 7:481bce714567 10214
wolfSSL 7:481bce714567 10215 WOLFSSL_ENTER("GetRevoked");
wolfSSL 7:481bce714567 10216
wolfSSL 7:481bce714567 10217 if (GetSequence(buff, idx, &len, maxIdx) < 0)
wolfSSL 7:481bce714567 10218 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10219
wolfSSL 7:481bce714567 10220 end = *idx + len;
wolfSSL 7:481bce714567 10221
wolfSSL 7:481bce714567 10222 rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap,
wolfSSL 7:481bce714567 10223 DYNAMIC_TYPE_CRL);
wolfSSL 7:481bce714567 10224 if (rc == NULL) {
wolfSSL 7:481bce714567 10225 WOLFSSL_MSG("Alloc Revoked Cert failed");
wolfSSL 7:481bce714567 10226 return MEMORY_E;
wolfSSL 7:481bce714567 10227 }
wolfSSL 7:481bce714567 10228
wolfSSL 7:481bce714567 10229 if (GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,
wolfSSL 7:481bce714567 10230 maxIdx) < 0) {
wolfSSL 7:481bce714567 10231 XFREE(rc, dcrl->heap, DYNAMIC_TYPE_CRL);
wolfSSL 7:481bce714567 10232 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10233 }
wolfSSL 7:481bce714567 10234
wolfSSL 7:481bce714567 10235 /* add to list */
wolfSSL 7:481bce714567 10236 rc->next = dcrl->certs;
wolfSSL 7:481bce714567 10237 dcrl->certs = rc;
wolfSSL 7:481bce714567 10238 dcrl->totalCerts++;
wolfSSL 7:481bce714567 10239
wolfSSL 7:481bce714567 10240
wolfSSL 7:481bce714567 10241 /* get date */
wolfSSL 7:481bce714567 10242 b = buff[*idx];
wolfSSL 7:481bce714567 10243 *idx += 1;
wolfSSL 7:481bce714567 10244
wolfSSL 7:481bce714567 10245 if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
wolfSSL 7:481bce714567 10246 WOLFSSL_MSG("Expecting Date");
wolfSSL 7:481bce714567 10247 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10248 }
wolfSSL 7:481bce714567 10249
wolfSSL 7:481bce714567 10250 if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL 7:481bce714567 10251 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10252
wolfSSL 7:481bce714567 10253 /* skip for now */
wolfSSL 7:481bce714567 10254 *idx += len;
wolfSSL 7:481bce714567 10255
wolfSSL 7:481bce714567 10256 if (*idx != end) /* skip extensions */
wolfSSL 7:481bce714567 10257 *idx = end;
wolfSSL 7:481bce714567 10258
wolfSSL 7:481bce714567 10259 return 0;
wolfSSL 7:481bce714567 10260 }
wolfSSL 7:481bce714567 10261
wolfSSL 7:481bce714567 10262
wolfSSL 7:481bce714567 10263 /* Get CRL Signature, 0 on success */
wolfSSL 7:481bce714567 10264 static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
wolfSSL 7:481bce714567 10265 int maxIdx)
wolfSSL 7:481bce714567 10266 {
wolfSSL 7:481bce714567 10267 int length;
wolfSSL 7:481bce714567 10268 byte b;
wolfSSL 7:481bce714567 10269
wolfSSL 7:481bce714567 10270 WOLFSSL_ENTER("GetCRL_Signature");
wolfSSL 7:481bce714567 10271
wolfSSL 7:481bce714567 10272 b = source[*idx];
wolfSSL 7:481bce714567 10273 *idx += 1;
wolfSSL 7:481bce714567 10274 if (b != ASN_BIT_STRING)
wolfSSL 7:481bce714567 10275 return ASN_BITSTR_E;
wolfSSL 7:481bce714567 10276
wolfSSL 7:481bce714567 10277 if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL 7:481bce714567 10278 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10279
wolfSSL 7:481bce714567 10280 dcrl->sigLength = length;
wolfSSL 7:481bce714567 10281
wolfSSL 7:481bce714567 10282 if (length > 0) {
wolfSSL 7:481bce714567 10283 b = source[*idx];
wolfSSL 7:481bce714567 10284 *idx += 1;
wolfSSL 7:481bce714567 10285 if (b != 0x00)
wolfSSL 7:481bce714567 10286 return ASN_EXPECT_0_E;
wolfSSL 7:481bce714567 10287
wolfSSL 7:481bce714567 10288 dcrl->sigLength--;
wolfSSL 7:481bce714567 10289 }
wolfSSL 7:481bce714567 10290
wolfSSL 7:481bce714567 10291 dcrl->signature = (byte*)&source[*idx];
wolfSSL 7:481bce714567 10292 *idx += dcrl->sigLength;
wolfSSL 7:481bce714567 10293
wolfSSL 7:481bce714567 10294 return 0;
wolfSSL 7:481bce714567 10295 }
wolfSSL 7:481bce714567 10296
wolfSSL 7:481bce714567 10297
wolfSSL 7:481bce714567 10298 /* prase crl buffer into decoded state, 0 on success */
wolfSSL 7:481bce714567 10299 int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
wolfSSL 7:481bce714567 10300 {
wolfSSL 7:481bce714567 10301 int version, len, doNextDate = 1;
wolfSSL 7:481bce714567 10302 word32 oid, idx = 0, dateIdx;
wolfSSL 7:481bce714567 10303 Signer* ca = NULL;
wolfSSL 7:481bce714567 10304
wolfSSL 7:481bce714567 10305 WOLFSSL_MSG("ParseCRL");
wolfSSL 7:481bce714567 10306
wolfSSL 7:481bce714567 10307 /* raw crl hash */
wolfSSL 7:481bce714567 10308 /* hash here if needed for optimized comparisons
wolfSSL 7:481bce714567 10309 * Sha sha;
wolfSSL 7:481bce714567 10310 * wc_InitSha(&sha);
wolfSSL 7:481bce714567 10311 * wc_ShaUpdate(&sha, buff, sz);
wolfSSL 7:481bce714567 10312 * wc_ShaFinal(&sha, dcrl->crlHash); */
wolfSSL 7:481bce714567 10313
wolfSSL 7:481bce714567 10314 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 7:481bce714567 10315 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10316
wolfSSL 7:481bce714567 10317 dcrl->certBegin = idx;
wolfSSL 7:481bce714567 10318
wolfSSL 7:481bce714567 10319 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 7:481bce714567 10320 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10321 dcrl->sigIndex = len + idx;
wolfSSL 7:481bce714567 10322
wolfSSL 7:481bce714567 10323 /* may have version */
wolfSSL 7:481bce714567 10324 if (buff[idx] == ASN_INTEGER) {
wolfSSL 7:481bce714567 10325 if (GetMyVersion(buff, &idx, &version, sz) < 0)
wolfSSL 7:481bce714567 10326 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10327 }
wolfSSL 7:481bce714567 10328
wolfSSL 7:481bce714567 10329 if (GetAlgoId(buff, &idx, &oid, oidIgnoreType, sz) < 0)
wolfSSL 7:481bce714567 10330 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10331
wolfSSL 7:481bce714567 10332 if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
wolfSSL 7:481bce714567 10333 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10334
wolfSSL 7:481bce714567 10335 if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
wolfSSL 7:481bce714567 10336 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10337
wolfSSL 7:481bce714567 10338 dateIdx = idx;
wolfSSL 7:481bce714567 10339
wolfSSL 7:481bce714567 10340 if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
wolfSSL 7:481bce714567 10341 {
wolfSSL 7:481bce714567 10342 #ifndef WOLFSSL_NO_CRL_NEXT_DATE
wolfSSL 7:481bce714567 10343 (void)dateIdx;
wolfSSL 7:481bce714567 10344 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10345 #else
wolfSSL 7:481bce714567 10346 dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */
wolfSSL 7:481bce714567 10347 doNextDate = 0;
wolfSSL 7:481bce714567 10348 idx = dateIdx;
wolfSSL 7:481bce714567 10349 #endif
wolfSSL 7:481bce714567 10350 }
wolfSSL 7:481bce714567 10351
wolfSSL 7:481bce714567 10352 if (doNextDate && !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat,
wolfSSL 7:481bce714567 10353 AFTER)) {
wolfSSL 7:481bce714567 10354 WOLFSSL_MSG("CRL after date is no longer valid");
wolfSSL 7:481bce714567 10355 return ASN_AFTER_DATE_E;
wolfSSL 7:481bce714567 10356 }
wolfSSL 7:481bce714567 10357
wolfSSL 7:481bce714567 10358 if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
wolfSSL 7:481bce714567 10359 if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL 7:481bce714567 10360 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10361
wolfSSL 7:481bce714567 10362 len += idx;
wolfSSL 7:481bce714567 10363
wolfSSL 7:481bce714567 10364 while (idx < (word32)len) {
wolfSSL 7:481bce714567 10365 if (GetRevoked(buff, &idx, dcrl, sz) < 0)
wolfSSL 7:481bce714567 10366 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10367 }
wolfSSL 7:481bce714567 10368 }
wolfSSL 7:481bce714567 10369
wolfSSL 7:481bce714567 10370 if (idx != dcrl->sigIndex)
wolfSSL 7:481bce714567 10371 idx = dcrl->sigIndex; /* skip extensions */
wolfSSL 7:481bce714567 10372
wolfSSL 7:481bce714567 10373 if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0)
wolfSSL 7:481bce714567 10374 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10375
wolfSSL 7:481bce714567 10376 if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
wolfSSL 7:481bce714567 10377 return ASN_PARSE_E;
wolfSSL 7:481bce714567 10378
wolfSSL 7:481bce714567 10379 /* openssl doesn't add skid by default for CRLs cause firefox chokes
wolfSSL 7:481bce714567 10380 we're not assuming it's available yet */
wolfSSL 7:481bce714567 10381 #if !defined(NO_SKID) && defined(CRL_SKID_READY)
wolfSSL 7:481bce714567 10382 if (dcrl->extAuthKeyIdSet)
wolfSSL 7:481bce714567 10383 ca = GetCA(cm, dcrl->extAuthKeyId);
wolfSSL 7:481bce714567 10384 if (ca == NULL)
wolfSSL 7:481bce714567 10385 ca = GetCAByName(cm, dcrl->issuerHash);
wolfSSL 7:481bce714567 10386 #else /* NO_SKID */
wolfSSL 7:481bce714567 10387 ca = GetCA(cm, dcrl->issuerHash);
wolfSSL 7:481bce714567 10388 #endif /* NO_SKID */
wolfSSL 7:481bce714567 10389 WOLFSSL_MSG("About to verify CRL signature");
wolfSSL 7:481bce714567 10390
wolfSSL 7:481bce714567 10391 if (ca) {
wolfSSL 7:481bce714567 10392 WOLFSSL_MSG("Found CRL issuer CA");
wolfSSL 7:481bce714567 10393 /* try to confirm/verify signature */
wolfSSL 7:481bce714567 10394 #ifndef IGNORE_KEY_EXTENSIONS
wolfSSL 7:481bce714567 10395 if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
wolfSSL 7:481bce714567 10396 WOLFSSL_MSG("CA cannot sign CRLs");
wolfSSL 7:481bce714567 10397 return ASN_CRL_NO_SIGNER_E;
wolfSSL 7:481bce714567 10398 }
wolfSSL 7:481bce714567 10399 #endif /* IGNORE_KEY_EXTENSIONS */
wolfSSL 7:481bce714567 10400 if (!ConfirmSignature(buff + dcrl->certBegin,
wolfSSL 7:481bce714567 10401 dcrl->sigIndex - dcrl->certBegin,
wolfSSL 7:481bce714567 10402 ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL 7:481bce714567 10403 dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
wolfSSL 7:481bce714567 10404 WOLFSSL_MSG("CRL Confirm signature failed");
wolfSSL 7:481bce714567 10405 return ASN_CRL_CONFIRM_E;
wolfSSL 7:481bce714567 10406 }
wolfSSL 7:481bce714567 10407 }
wolfSSL 7:481bce714567 10408 else {
wolfSSL 7:481bce714567 10409 WOLFSSL_MSG("Did NOT find CRL issuer CA");
wolfSSL 7:481bce714567 10410 return ASN_CRL_NO_SIGNER_E;
wolfSSL 7:481bce714567 10411 }
wolfSSL 7:481bce714567 10412
wolfSSL 7:481bce714567 10413 return 0;
wolfSSL 7:481bce714567 10414 }
wolfSSL 7:481bce714567 10415
wolfSSL 7:481bce714567 10416 #endif /* HAVE_CRL */
wolfSSL 7:481bce714567 10417
wolfSSL 7:481bce714567 10418 #undef ERROR_OUT
wolfSSL 7:481bce714567 10419
wolfSSL 7:481bce714567 10420 #endif /* !NO_ASN */
wolfSSL 7:481bce714567 10421
wolfSSL 7:481bce714567 10422 #ifdef WOLFSSL_SEP
wolfSSL 7:481bce714567 10423
wolfSSL 7:481bce714567 10424
wolfSSL 7:481bce714567 10425 #endif /* WOLFSSL_SEP */
wolfSSL 7:481bce714567 10426