wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/asn.c@17:a5f916481144, 2020-06-05 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 05 00:11:07 2020 +0000
- Revision:
- 17:a5f916481144
- Parent:
- 16:8e0d178b1d1e
wolfSSL 4.4.0
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 15:117db924cf7c | 1 | /* asn.c |
wolfSSL | 15:117db924cf7c | 2 | * |
wolfSSL | 16:8e0d178b1d1e | 3 | * Copyright (C) 2006-2020 wolfSSL Inc. |
wolfSSL | 15:117db924cf7c | 4 | * |
wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
wolfSSL | 15:117db924cf7c | 6 | * |
wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
wolfSSL | 15:117db924cf7c | 11 | * |
wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
wolfSSL | 15:117db924cf7c | 16 | * |
wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 15:117db924cf7c | 20 | */ |
wolfSSL | 15:117db924cf7c | 21 | |
wolfSSL | 15:117db924cf7c | 22 | |
wolfSSL | 15:117db924cf7c | 23 | #ifdef HAVE_CONFIG_H |
wolfSSL | 15:117db924cf7c | 24 | #include <config.h> |
wolfSSL | 15:117db924cf7c | 25 | #endif |
wolfSSL | 15:117db924cf7c | 26 | |
wolfSSL | 15:117db924cf7c | 27 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 15:117db924cf7c | 28 | |
wolfSSL | 15:117db924cf7c | 29 | /* |
wolfSSL | 15:117db924cf7c | 30 | ASN Options: |
wolfSSL | 15:117db924cf7c | 31 | * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC |
wolfSSL | 15:117db924cf7c | 32 | or wishing to save space. |
wolfSSL | 15:117db924cf7c | 33 | * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks. |
wolfSSL | 15:117db924cf7c | 34 | * ASN_DUMP_OID: Allows dump of OID information for debugging. |
wolfSSL | 15:117db924cf7c | 35 | * RSA_DECODE_EXTRA: Decodes extra information in RSA public key. |
wolfSSL | 15:117db924cf7c | 36 | * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. |
wolfSSL | 15:117db924cf7c | 37 | * WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to |
wolfSSL | 15:117db924cf7c | 38 | restore 3.13.0 behavior. |
wolfSSL | 15:117db924cf7c | 39 | * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer |
wolfSSL | 15:117db924cf7c | 40 | must still be trusted) |
wolfSSL | 15:117db924cf7c | 41 | * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert |
wolfSSL | 15:117db924cf7c | 42 | chain is not loaded. This only matches on subject and public key and |
wolfSSL | 15:117db924cf7c | 43 | does not perform a PKI validation, so it is not a secure solution. |
wolfSSL | 15:117db924cf7c | 44 | Only enabled for OCSP. |
wolfSSL | 15:117db924cf7c | 45 | * WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to |
wolfSSL | 15:117db924cf7c | 46 | disable checking of OCSP subject hash with issuer hash. |
wolfSSL | 16:8e0d178b1d1e | 47 | * WOLFSSL_SMALL_CERT_VERIFY: Verify the certificate signature without using |
wolfSSL | 16:8e0d178b1d1e | 48 | DecodedCert. Doubles up on some code but allows smaller dynamic memory |
wolfSSL | 16:8e0d178b1d1e | 49 | usage. |
wolfSSL | 16:8e0d178b1d1e | 50 | * WOLFSSL_NO_OCSP_DATE_CHECK: Disable date checks for OCSP responses. This |
wolfSSL | 16:8e0d178b1d1e | 51 | may be required when the system's real-time clock is not very accurate. |
wolfSSL | 16:8e0d178b1d1e | 52 | It is recommended to enforce the nonce check instead if possible. |
wolfSSL | 16:8e0d178b1d1e | 53 | * WOLFSSL_FORCE_OCSP_NONCE_CHECK: Require nonces to be available in OCSP |
wolfSSL | 16:8e0d178b1d1e | 54 | responses. The nonces are optional and may not be supported by all |
wolfSSL | 16:8e0d178b1d1e | 55 | responders. If it can be ensured that the used responder sends nonces this |
wolfSSL | 16:8e0d178b1d1e | 56 | option may improve security. |
wolfSSL | 15:117db924cf7c | 57 | */ |
wolfSSL | 15:117db924cf7c | 58 | |
wolfSSL | 15:117db924cf7c | 59 | #ifndef NO_ASN |
wolfSSL | 15:117db924cf7c | 60 | |
wolfSSL | 15:117db924cf7c | 61 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 15:117db924cf7c | 62 | #include <wolfssl/wolfcrypt/coding.h> |
wolfSSL | 15:117db924cf7c | 63 | #include <wolfssl/wolfcrypt/md2.h> |
wolfSSL | 15:117db924cf7c | 64 | #include <wolfssl/wolfcrypt/hmac.h> |
wolfSSL | 15:117db924cf7c | 65 | #include <wolfssl/wolfcrypt/error-crypt.h> |
wolfSSL | 15:117db924cf7c | 66 | #include <wolfssl/wolfcrypt/pwdbased.h> |
wolfSSL | 15:117db924cf7c | 67 | #include <wolfssl/wolfcrypt/des3.h> |
wolfSSL | 15:117db924cf7c | 68 | #include <wolfssl/wolfcrypt/aes.h> |
wolfSSL | 15:117db924cf7c | 69 | #include <wolfssl/wolfcrypt/wc_encrypt.h> |
wolfSSL | 15:117db924cf7c | 70 | #include <wolfssl/wolfcrypt/logging.h> |
wolfSSL | 15:117db924cf7c | 71 | |
wolfSSL | 15:117db924cf7c | 72 | #include <wolfssl/wolfcrypt/random.h> |
wolfSSL | 15:117db924cf7c | 73 | #include <wolfssl/wolfcrypt/hash.h> |
wolfSSL | 15:117db924cf7c | 74 | #ifdef NO_INLINE |
wolfSSL | 15:117db924cf7c | 75 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 15:117db924cf7c | 76 | #else |
wolfSSL | 15:117db924cf7c | 77 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 15:117db924cf7c | 78 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 15:117db924cf7c | 79 | #endif |
wolfSSL | 15:117db924cf7c | 80 | |
wolfSSL | 15:117db924cf7c | 81 | #ifndef NO_RC4 |
wolfSSL | 15:117db924cf7c | 82 | #include <wolfssl/wolfcrypt/arc4.h> |
wolfSSL | 15:117db924cf7c | 83 | #endif |
wolfSSL | 15:117db924cf7c | 84 | |
wolfSSL | 15:117db924cf7c | 85 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 86 | #include "libntruencrypt/ntru_crypto.h" |
wolfSSL | 15:117db924cf7c | 87 | #endif |
wolfSSL | 15:117db924cf7c | 88 | |
wolfSSL | 15:117db924cf7c | 89 | #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) |
wolfSSL | 15:117db924cf7c | 90 | #include <wolfssl/wolfcrypt/sha512.h> |
wolfSSL | 15:117db924cf7c | 91 | #endif |
wolfSSL | 15:117db924cf7c | 92 | |
wolfSSL | 15:117db924cf7c | 93 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 94 | #include <wolfssl/wolfcrypt/sha256.h> |
wolfSSL | 15:117db924cf7c | 95 | #endif |
wolfSSL | 15:117db924cf7c | 96 | |
wolfSSL | 15:117db924cf7c | 97 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 98 | #include <wolfssl/wolfcrypt/ecc.h> |
wolfSSL | 15:117db924cf7c | 99 | #endif |
wolfSSL | 15:117db924cf7c | 100 | |
wolfSSL | 15:117db924cf7c | 101 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 102 | #include <wolfssl/wolfcrypt/ed25519.h> |
wolfSSL | 15:117db924cf7c | 103 | #endif |
wolfSSL | 15:117db924cf7c | 104 | |
wolfSSL | 16:8e0d178b1d1e | 105 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 106 | #include <wolfssl/wolfcrypt/ed448.h> |
wolfSSL | 16:8e0d178b1d1e | 107 | #endif |
wolfSSL | 16:8e0d178b1d1e | 108 | |
wolfSSL | 15:117db924cf7c | 109 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 110 | #include <wolfssl/wolfcrypt/rsa.h> |
wolfSSL | 16:8e0d178b1d1e | 111 | #if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL) |
wolfSSL | 16:8e0d178b1d1e | 112 | extern int wc_InitRsaHw(RsaKey* key); |
wolfSSL | 16:8e0d178b1d1e | 113 | #endif |
wolfSSL | 16:8e0d178b1d1e | 114 | #endif |
wolfSSL | 16:8e0d178b1d1e | 115 | |
wolfSSL | 16:8e0d178b1d1e | 116 | #ifdef WOLF_CRYPTO_CB |
wolfSSL | 16:8e0d178b1d1e | 117 | #include <wolfssl/wolfcrypt/cryptocb.h> |
wolfSSL | 16:8e0d178b1d1e | 118 | #endif |
wolfSSL | 16:8e0d178b1d1e | 119 | |
wolfSSL | 16:8e0d178b1d1e | 120 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 121 | #include <wolfssl/openssl/objects.h> |
wolfSSL | 16:8e0d178b1d1e | 122 | #endif |
wolfSSL | 15:117db924cf7c | 123 | |
wolfSSL | 15:117db924cf7c | 124 | #ifdef _MSC_VER |
wolfSSL | 15:117db924cf7c | 125 | /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */ |
wolfSSL | 15:117db924cf7c | 126 | #pragma warning(disable: 4996) |
wolfSSL | 15:117db924cf7c | 127 | #endif |
wolfSSL | 15:117db924cf7c | 128 | |
wolfSSL | 15:117db924cf7c | 129 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } |
wolfSSL | 15:117db924cf7c | 130 | |
wolfSSL | 16:8e0d178b1d1e | 131 | #if defined(HAVE_SELFTEST) || ( !defined(NO_SKID) && \ |
wolfSSL | 16:8e0d178b1d1e | 132 | ( !defined(HAVE_FIPS) || \ |
wolfSSL | 16:8e0d178b1d1e | 133 | !defined(HAVE_FIPS_VERSION) )) |
wolfSSL | 16:8e0d178b1d1e | 134 | #ifndef WOLFSSL_AES_KEY_SIZE_ENUM |
wolfSSL | 16:8e0d178b1d1e | 135 | #define WOLFSSL_AES_KEY_SIZE_ENUM |
wolfSSL | 16:8e0d178b1d1e | 136 | enum Asn_Misc { |
wolfSSL | 16:8e0d178b1d1e | 137 | AES_IV_SIZE = 16, |
wolfSSL | 16:8e0d178b1d1e | 138 | AES_128_KEY_SIZE = 16, |
wolfSSL | 16:8e0d178b1d1e | 139 | AES_192_KEY_SIZE = 24, |
wolfSSL | 16:8e0d178b1d1e | 140 | AES_256_KEY_SIZE = 32 |
wolfSSL | 16:8e0d178b1d1e | 141 | }; |
wolfSSL | 16:8e0d178b1d1e | 142 | #endif |
wolfSSL | 16:8e0d178b1d1e | 143 | #endif |
wolfSSL | 16:8e0d178b1d1e | 144 | #ifdef WOLFSSL_RENESAS_TSIP_TLS |
wolfSSL | 16:8e0d178b1d1e | 145 | void tsip_inform_key_position(const word32 key_n_start, |
wolfSSL | 16:8e0d178b1d1e | 146 | const word32 key_n_len, const word32 key_e_start, |
wolfSSL | 16:8e0d178b1d1e | 147 | const word32 key_e_len); |
wolfSSL | 16:8e0d178b1d1e | 148 | int tsip_tls_CertVerify(const byte *cert, word32 certSz, |
wolfSSL | 16:8e0d178b1d1e | 149 | const byte *signature, word32 sigSz, |
wolfSSL | 16:8e0d178b1d1e | 150 | word32 key_n_start, word32 key_n_len, |
wolfSSL | 16:8e0d178b1d1e | 151 | word32 key_e_start, word32 key_e_len, |
wolfSSL | 16:8e0d178b1d1e | 152 | byte *tsip_encRsaKeyIdx); |
wolfSSL | 16:8e0d178b1d1e | 153 | #endif |
wolfSSL | 16:8e0d178b1d1e | 154 | int GetLength(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 155 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 156 | { |
wolfSSL | 16:8e0d178b1d1e | 157 | return GetLength_ex(input, inOutIdx, len, maxIdx, 1); |
wolfSSL | 16:8e0d178b1d1e | 158 | } |
wolfSSL | 16:8e0d178b1d1e | 159 | |
wolfSSL | 16:8e0d178b1d1e | 160 | |
wolfSSL | 16:8e0d178b1d1e | 161 | /* give option to check length value found against index. 1 to check 0 to not */ |
wolfSSL | 16:8e0d178b1d1e | 162 | int GetLength_ex(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 16:8e0d178b1d1e | 163 | word32 maxIdx, int check) |
wolfSSL | 16:8e0d178b1d1e | 164 | { |
wolfSSL | 15:117db924cf7c | 165 | int length = 0; |
wolfSSL | 15:117db924cf7c | 166 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 167 | byte b; |
wolfSSL | 15:117db924cf7c | 168 | |
wolfSSL | 15:117db924cf7c | 169 | *len = 0; /* default length */ |
wolfSSL | 15:117db924cf7c | 170 | |
wolfSSL | 15:117db924cf7c | 171 | if ((idx + 1) > maxIdx) { /* for first read */ |
wolfSSL | 15:117db924cf7c | 172 | WOLFSSL_MSG("GetLength bad index on input"); |
wolfSSL | 15:117db924cf7c | 173 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 174 | } |
wolfSSL | 15:117db924cf7c | 175 | |
wolfSSL | 15:117db924cf7c | 176 | b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 177 | if (b >= ASN_LONG_LENGTH) { |
wolfSSL | 15:117db924cf7c | 178 | word32 bytes = b & 0x7F; |
wolfSSL | 15:117db924cf7c | 179 | |
wolfSSL | 15:117db924cf7c | 180 | if ((idx + bytes) > maxIdx) { /* for reading bytes */ |
wolfSSL | 15:117db924cf7c | 181 | WOLFSSL_MSG("GetLength bad long length"); |
wolfSSL | 15:117db924cf7c | 182 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 183 | } |
wolfSSL | 15:117db924cf7c | 184 | |
wolfSSL | 16:8e0d178b1d1e | 185 | if (bytes > sizeof(length)) { |
wolfSSL | 16:8e0d178b1d1e | 186 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 187 | } |
wolfSSL | 15:117db924cf7c | 188 | while (bytes--) { |
wolfSSL | 15:117db924cf7c | 189 | b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 190 | length = (length << 8) | b; |
wolfSSL | 15:117db924cf7c | 191 | } |
wolfSSL | 16:8e0d178b1d1e | 192 | if (length < 0) { |
wolfSSL | 16:8e0d178b1d1e | 193 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 194 | } |
wolfSSL | 15:117db924cf7c | 195 | } |
wolfSSL | 15:117db924cf7c | 196 | else |
wolfSSL | 15:117db924cf7c | 197 | length = b; |
wolfSSL | 15:117db924cf7c | 198 | |
wolfSSL | 16:8e0d178b1d1e | 199 | if (check && (idx + length) > maxIdx) { /* for user of length */ |
wolfSSL | 15:117db924cf7c | 200 | WOLFSSL_MSG("GetLength value exceeds buffer length"); |
wolfSSL | 15:117db924cf7c | 201 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 202 | } |
wolfSSL | 15:117db924cf7c | 203 | |
wolfSSL | 15:117db924cf7c | 204 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 205 | if (length > 0) |
wolfSSL | 15:117db924cf7c | 206 | *len = length; |
wolfSSL | 15:117db924cf7c | 207 | |
wolfSSL | 15:117db924cf7c | 208 | return length; |
wolfSSL | 15:117db924cf7c | 209 | } |
wolfSSL | 15:117db924cf7c | 210 | |
wolfSSL | 15:117db924cf7c | 211 | |
wolfSSL | 16:8e0d178b1d1e | 212 | /* input : buffer to read from |
wolfSSL | 16:8e0d178b1d1e | 213 | * inOutIdx : index to start reading from, gets advanced by 1 if successful |
wolfSSL | 16:8e0d178b1d1e | 214 | * maxIdx : maximum index value |
wolfSSL | 16:8e0d178b1d1e | 215 | * tag : ASN tag value found |
wolfSSL | 16:8e0d178b1d1e | 216 | * |
wolfSSL | 16:8e0d178b1d1e | 217 | * returns 0 on success |
wolfSSL | 16:8e0d178b1d1e | 218 | */ |
wolfSSL | 16:8e0d178b1d1e | 219 | int GetASNTag(const byte* input, word32* inOutIdx, byte* tag, word32 maxIdx) |
wolfSSL | 16:8e0d178b1d1e | 220 | { |
wolfSSL | 16:8e0d178b1d1e | 221 | word32 idx; |
wolfSSL | 16:8e0d178b1d1e | 222 | |
wolfSSL | 16:8e0d178b1d1e | 223 | if (tag == NULL || inOutIdx == NULL || input == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 224 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 225 | } |
wolfSSL | 16:8e0d178b1d1e | 226 | |
wolfSSL | 16:8e0d178b1d1e | 227 | idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 228 | if (idx + ASN_TAG_SZ > maxIdx) { |
wolfSSL | 16:8e0d178b1d1e | 229 | WOLFSSL_MSG("Buffer too small for ASN tag"); |
wolfSSL | 16:8e0d178b1d1e | 230 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 231 | } |
wolfSSL | 16:8e0d178b1d1e | 232 | |
wolfSSL | 16:8e0d178b1d1e | 233 | *tag = input[idx]; |
wolfSSL | 16:8e0d178b1d1e | 234 | *inOutIdx = idx + ASN_TAG_SZ; |
wolfSSL | 16:8e0d178b1d1e | 235 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 236 | } |
wolfSSL | 16:8e0d178b1d1e | 237 | |
wolfSSL | 16:8e0d178b1d1e | 238 | |
wolfSSL | 16:8e0d178b1d1e | 239 | static int GetASNHeader_ex(const byte* input, byte tag, word32* inOutIdx, int* len, |
wolfSSL | 16:8e0d178b1d1e | 240 | word32 maxIdx, int check) |
wolfSSL | 16:8e0d178b1d1e | 241 | { |
wolfSSL | 16:8e0d178b1d1e | 242 | word32 idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 243 | byte tagFound; |
wolfSSL | 16:8e0d178b1d1e | 244 | int length; |
wolfSSL | 16:8e0d178b1d1e | 245 | |
wolfSSL | 16:8e0d178b1d1e | 246 | if (GetASNTag(input, &idx, &tagFound, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 247 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 248 | |
wolfSSL | 16:8e0d178b1d1e | 249 | if (tagFound != tag) |
wolfSSL | 16:8e0d178b1d1e | 250 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 251 | |
wolfSSL | 16:8e0d178b1d1e | 252 | if (GetLength_ex(input, &idx, &length, maxIdx, check) < 0) |
wolfSSL | 16:8e0d178b1d1e | 253 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 254 | |
wolfSSL | 16:8e0d178b1d1e | 255 | *len = length; |
wolfSSL | 16:8e0d178b1d1e | 256 | *inOutIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 257 | return length; |
wolfSSL | 16:8e0d178b1d1e | 258 | } |
wolfSSL | 16:8e0d178b1d1e | 259 | |
wolfSSL | 16:8e0d178b1d1e | 260 | |
wolfSSL | 15:117db924cf7c | 261 | /* Get the DER/BER encoding of an ASN.1 header. |
wolfSSL | 15:117db924cf7c | 262 | * |
wolfSSL | 15:117db924cf7c | 263 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 264 | * tag ASN.1 tag value expected in header. |
wolfSSL | 15:117db924cf7c | 265 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 266 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 15:117db924cf7c | 267 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 268 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 269 | * ASN_PARSE_E when the expected tag is not found or length is invalid. |
wolfSSL | 15:117db924cf7c | 270 | * Otherwise, the number of bytes in the ASN.1 data. |
wolfSSL | 15:117db924cf7c | 271 | */ |
wolfSSL | 15:117db924cf7c | 272 | static int GetASNHeader(const byte* input, byte tag, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 273 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 274 | { |
wolfSSL | 16:8e0d178b1d1e | 275 | return GetASNHeader_ex(input, tag, inOutIdx, len, maxIdx, 1); |
wolfSSL | 16:8e0d178b1d1e | 276 | } |
wolfSSL | 16:8e0d178b1d1e | 277 | |
wolfSSL | 16:8e0d178b1d1e | 278 | static int GetHeader(const byte* input, byte* tag, word32* inOutIdx, int* len, |
wolfSSL | 16:8e0d178b1d1e | 279 | word32 maxIdx, int check) |
wolfSSL | 16:8e0d178b1d1e | 280 | { |
wolfSSL | 15:117db924cf7c | 281 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 282 | int length; |
wolfSSL | 15:117db924cf7c | 283 | |
wolfSSL | 15:117db924cf7c | 284 | if ((idx + 1) > maxIdx) |
wolfSSL | 15:117db924cf7c | 285 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 286 | |
wolfSSL | 16:8e0d178b1d1e | 287 | *tag = input[idx++]; |
wolfSSL | 16:8e0d178b1d1e | 288 | |
wolfSSL | 16:8e0d178b1d1e | 289 | if (GetLength_ex(input, &idx, &length, maxIdx, check) < 0) |
wolfSSL | 15:117db924cf7c | 290 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 291 | |
wolfSSL | 15:117db924cf7c | 292 | *len = length; |
wolfSSL | 15:117db924cf7c | 293 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 294 | return length; |
wolfSSL | 15:117db924cf7c | 295 | } |
wolfSSL | 15:117db924cf7c | 296 | |
wolfSSL | 16:8e0d178b1d1e | 297 | int GetSequence(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 298 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 299 | { |
wolfSSL | 15:117db924cf7c | 300 | return GetASNHeader(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 15:117db924cf7c | 301 | maxIdx); |
wolfSSL | 15:117db924cf7c | 302 | } |
wolfSSL | 15:117db924cf7c | 303 | |
wolfSSL | 15:117db924cf7c | 304 | |
wolfSSL | 16:8e0d178b1d1e | 305 | int GetSequence_ex(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 16:8e0d178b1d1e | 306 | word32 maxIdx, int check) |
wolfSSL | 16:8e0d178b1d1e | 307 | { |
wolfSSL | 16:8e0d178b1d1e | 308 | return GetASNHeader_ex(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 16:8e0d178b1d1e | 309 | maxIdx, check); |
wolfSSL | 16:8e0d178b1d1e | 310 | } |
wolfSSL | 16:8e0d178b1d1e | 311 | |
wolfSSL | 16:8e0d178b1d1e | 312 | |
wolfSSL | 16:8e0d178b1d1e | 313 | int GetSet(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 314 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 315 | { |
wolfSSL | 15:117db924cf7c | 316 | return GetASNHeader(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 15:117db924cf7c | 317 | maxIdx); |
wolfSSL | 15:117db924cf7c | 318 | } |
wolfSSL | 15:117db924cf7c | 319 | |
wolfSSL | 16:8e0d178b1d1e | 320 | |
wolfSSL | 16:8e0d178b1d1e | 321 | int GetSet_ex(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 16:8e0d178b1d1e | 322 | word32 maxIdx, int check) |
wolfSSL | 16:8e0d178b1d1e | 323 | { |
wolfSSL | 16:8e0d178b1d1e | 324 | return GetASNHeader_ex(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 16:8e0d178b1d1e | 325 | maxIdx, check); |
wolfSSL | 16:8e0d178b1d1e | 326 | } |
wolfSSL | 16:8e0d178b1d1e | 327 | |
wolfSSL | 15:117db924cf7c | 328 | /* Get the DER/BER encoded ASN.1 NULL element. |
wolfSSL | 15:117db924cf7c | 329 | * Ensure that the all fields are as expected and move index past the element. |
wolfSSL | 15:117db924cf7c | 330 | * |
wolfSSL | 15:117db924cf7c | 331 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 332 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 333 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 334 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 335 | * ASN_TAG_NULL_E when the NULL tag is not found. |
wolfSSL | 15:117db924cf7c | 336 | * ASN_EXPECT_0_E when the length is not zero. |
wolfSSL | 15:117db924cf7c | 337 | * Otherwise, 0 to indicate success. |
wolfSSL | 15:117db924cf7c | 338 | */ |
wolfSSL | 15:117db924cf7c | 339 | static int GetASNNull(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 340 | { |
wolfSSL | 15:117db924cf7c | 341 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 342 | byte b; |
wolfSSL | 15:117db924cf7c | 343 | |
wolfSSL | 15:117db924cf7c | 344 | if ((idx + 2) > maxIdx) |
wolfSSL | 15:117db924cf7c | 345 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 346 | |
wolfSSL | 15:117db924cf7c | 347 | b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 348 | if (b != ASN_TAG_NULL) |
wolfSSL | 15:117db924cf7c | 349 | return ASN_TAG_NULL_E; |
wolfSSL | 15:117db924cf7c | 350 | |
wolfSSL | 15:117db924cf7c | 351 | if (input[idx++] != 0) |
wolfSSL | 15:117db924cf7c | 352 | return ASN_EXPECT_0_E; |
wolfSSL | 15:117db924cf7c | 353 | |
wolfSSL | 15:117db924cf7c | 354 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 355 | return 0; |
wolfSSL | 15:117db924cf7c | 356 | } |
wolfSSL | 15:117db924cf7c | 357 | |
wolfSSL | 15:117db924cf7c | 358 | /* Set the DER/BER encoding of the ASN.1 NULL element. |
wolfSSL | 15:117db924cf7c | 359 | * |
wolfSSL | 15:117db924cf7c | 360 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 361 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 362 | */ |
wolfSSL | 15:117db924cf7c | 363 | static int SetASNNull(byte* output) |
wolfSSL | 15:117db924cf7c | 364 | { |
wolfSSL | 15:117db924cf7c | 365 | output[0] = ASN_TAG_NULL; |
wolfSSL | 15:117db924cf7c | 366 | output[1] = 0; |
wolfSSL | 15:117db924cf7c | 367 | |
wolfSSL | 15:117db924cf7c | 368 | return 2; |
wolfSSL | 15:117db924cf7c | 369 | } |
wolfSSL | 15:117db924cf7c | 370 | |
wolfSSL | 15:117db924cf7c | 371 | /* Get the DER/BER encoding of an ASN.1 BOOLEAN. |
wolfSSL | 15:117db924cf7c | 372 | * |
wolfSSL | 15:117db924cf7c | 373 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 374 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 375 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 376 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 377 | * ASN_PARSE_E when the BOOLEAN tag is not found or length is not 1. |
wolfSSL | 15:117db924cf7c | 378 | * Otherwise, 0 to indicate the value was false and 1 to indicate true. |
wolfSSL | 15:117db924cf7c | 379 | */ |
wolfSSL | 15:117db924cf7c | 380 | static int GetBoolean(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 381 | { |
wolfSSL | 15:117db924cf7c | 382 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 383 | byte b; |
wolfSSL | 15:117db924cf7c | 384 | |
wolfSSL | 15:117db924cf7c | 385 | if ((idx + 3) > maxIdx) |
wolfSSL | 15:117db924cf7c | 386 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 387 | |
wolfSSL | 15:117db924cf7c | 388 | b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 389 | if (b != ASN_BOOLEAN) |
wolfSSL | 15:117db924cf7c | 390 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 391 | |
wolfSSL | 15:117db924cf7c | 392 | if (input[idx++] != 1) |
wolfSSL | 15:117db924cf7c | 393 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 394 | |
wolfSSL | 15:117db924cf7c | 395 | b = input[idx++] != 0; |
wolfSSL | 15:117db924cf7c | 396 | |
wolfSSL | 15:117db924cf7c | 397 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 398 | return b; |
wolfSSL | 15:117db924cf7c | 399 | } |
wolfSSL | 15:117db924cf7c | 400 | |
wolfSSL | 15:117db924cf7c | 401 | #ifdef ASN1_SET_BOOLEAN |
wolfSSL | 15:117db924cf7c | 402 | /* Set the DER/BER encoding of the ASN.1 NULL element. |
wolfSSL | 15:117db924cf7c | 403 | * Note: Function not required as yet. |
wolfSSL | 15:117db924cf7c | 404 | * |
wolfSSL | 15:117db924cf7c | 405 | * val Boolean value to encode. |
wolfSSL | 15:117db924cf7c | 406 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 407 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 408 | */ |
wolfSSL | 15:117db924cf7c | 409 | static int SetBoolean(int val, byte* output) |
wolfSSL | 15:117db924cf7c | 410 | { |
wolfSSL | 15:117db924cf7c | 411 | output[0] = ASN_BOOLEAN; |
wolfSSL | 15:117db924cf7c | 412 | output[1] = 1; |
wolfSSL | 15:117db924cf7c | 413 | output[2] = val ? -1 : 0; |
wolfSSL | 15:117db924cf7c | 414 | |
wolfSSL | 15:117db924cf7c | 415 | return 3; |
wolfSSL | 15:117db924cf7c | 416 | } |
wolfSSL | 15:117db924cf7c | 417 | #endif |
wolfSSL | 15:117db924cf7c | 418 | |
wolfSSL | 15:117db924cf7c | 419 | /* Get the DER/BER encoding of an ASN.1 OCTET_STRING header. |
wolfSSL | 15:117db924cf7c | 420 | * |
wolfSSL | 15:117db924cf7c | 421 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 422 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 423 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 15:117db924cf7c | 424 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 425 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 426 | * ASN_PARSE_E when the OCTET_STRING tag is not found or length is |
wolfSSL | 15:117db924cf7c | 427 | * invalid. |
wolfSSL | 15:117db924cf7c | 428 | * Otherwise, the number of bytes in the ASN.1 data. |
wolfSSL | 15:117db924cf7c | 429 | */ |
wolfSSL | 16:8e0d178b1d1e | 430 | int GetOctetString(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 431 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 432 | { |
wolfSSL | 15:117db924cf7c | 433 | return GetASNHeader(input, ASN_OCTET_STRING, inOutIdx, len, maxIdx); |
wolfSSL | 15:117db924cf7c | 434 | } |
wolfSSL | 15:117db924cf7c | 435 | |
wolfSSL | 15:117db924cf7c | 436 | /* Get the DER/BER encoding of an ASN.1 INTEGER header. |
wolfSSL | 15:117db924cf7c | 437 | * Removes the leading zero byte when found. |
wolfSSL | 15:117db924cf7c | 438 | * |
wolfSSL | 15:117db924cf7c | 439 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 440 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 441 | * len The number of bytes in the ASN.1 data (excluding any leading zero). |
wolfSSL | 15:117db924cf7c | 442 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 443 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 444 | * ASN_PARSE_E when the INTEGER tag is not found, length is invalid, |
wolfSSL | 15:117db924cf7c | 445 | * or invalid use of or missing leading zero. |
wolfSSL | 15:117db924cf7c | 446 | * Otherwise, 0 to indicate success. |
wolfSSL | 15:117db924cf7c | 447 | */ |
wolfSSL | 15:117db924cf7c | 448 | static int GetASNInt(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 449 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 450 | { |
wolfSSL | 15:117db924cf7c | 451 | int ret; |
wolfSSL | 15:117db924cf7c | 452 | |
wolfSSL | 15:117db924cf7c | 453 | ret = GetASNHeader(input, ASN_INTEGER, inOutIdx, len, maxIdx); |
wolfSSL | 15:117db924cf7c | 454 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 455 | return ret; |
wolfSSL | 15:117db924cf7c | 456 | |
wolfSSL | 15:117db924cf7c | 457 | if (*len > 0) { |
wolfSSL | 15:117db924cf7c | 458 | /* remove leading zero, unless there is only one 0x00 byte */ |
wolfSSL | 15:117db924cf7c | 459 | if ((input[*inOutIdx] == 0x00) && (*len > 1)) { |
wolfSSL | 15:117db924cf7c | 460 | (*inOutIdx)++; |
wolfSSL | 15:117db924cf7c | 461 | (*len)--; |
wolfSSL | 15:117db924cf7c | 462 | |
wolfSSL | 15:117db924cf7c | 463 | if (*len > 0 && (input[*inOutIdx] & 0x80) == 0) |
wolfSSL | 15:117db924cf7c | 464 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 465 | } |
wolfSSL | 15:117db924cf7c | 466 | } |
wolfSSL | 15:117db924cf7c | 467 | |
wolfSSL | 15:117db924cf7c | 468 | return 0; |
wolfSSL | 15:117db924cf7c | 469 | } |
wolfSSL | 15:117db924cf7c | 470 | |
wolfSSL | 15:117db924cf7c | 471 | /* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than |
wolfSSL | 15:117db924cf7c | 472 | * 7 bits. |
wolfSSL | 15:117db924cf7c | 473 | * |
wolfSSL | 15:117db924cf7c | 474 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 475 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 476 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 477 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 478 | * ASN_PARSE_E when the INTEGER tag is not found or length is invalid. |
wolfSSL | 15:117db924cf7c | 479 | * Otherwise, the 7-bit value. |
wolfSSL | 15:117db924cf7c | 480 | */ |
wolfSSL | 15:117db924cf7c | 481 | static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 482 | { |
wolfSSL | 15:117db924cf7c | 483 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 484 | byte b; |
wolfSSL | 15:117db924cf7c | 485 | |
wolfSSL | 15:117db924cf7c | 486 | if ((idx + 3) > maxIdx) |
wolfSSL | 15:117db924cf7c | 487 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 488 | |
wolfSSL | 16:8e0d178b1d1e | 489 | if (GetASNTag(input, &idx, &b, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 490 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 491 | if (b != ASN_INTEGER) |
wolfSSL | 15:117db924cf7c | 492 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 493 | if (input[idx++] != 1) |
wolfSSL | 15:117db924cf7c | 494 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 495 | b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 496 | |
wolfSSL | 15:117db924cf7c | 497 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 498 | return b; |
wolfSSL | 15:117db924cf7c | 499 | } |
wolfSSL | 15:117db924cf7c | 500 | |
wolfSSL | 15:117db924cf7c | 501 | |
wolfSSL | 15:117db924cf7c | 502 | #if !defined(NO_DSA) && !defined(NO_SHA) |
wolfSSL | 16:8e0d178b1d1e | 503 | static const char sigSha1wDsaName[] = "SHAwDSA"; |
wolfSSL | 15:117db924cf7c | 504 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 505 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 506 | #ifdef WOLFSSL_MD2 |
wolfSSL | 16:8e0d178b1d1e | 507 | static const char sigMd2wRsaName[] = "md2WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 508 | #endif |
wolfSSL | 15:117db924cf7c | 509 | #ifndef NO_MD5 |
wolfSSL | 16:8e0d178b1d1e | 510 | static const char sigMd5wRsaName[] = "md5WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 511 | #endif |
wolfSSL | 15:117db924cf7c | 512 | #ifndef NO_SHA |
wolfSSL | 16:8e0d178b1d1e | 513 | static const char sigSha1wRsaName[] = "sha1WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 514 | #endif |
wolfSSL | 15:117db924cf7c | 515 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 16:8e0d178b1d1e | 516 | static const char sigSha224wRsaName[] = "sha224WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 517 | #endif |
wolfSSL | 15:117db924cf7c | 518 | #ifndef NO_SHA256 |
wolfSSL | 16:8e0d178b1d1e | 519 | static const char sigSha256wRsaName[] = "sha256WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 520 | #endif |
wolfSSL | 15:117db924cf7c | 521 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 16:8e0d178b1d1e | 522 | static const char sigSha384wRsaName[] = "sha384WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 523 | #endif |
wolfSSL | 15:117db924cf7c | 524 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 16:8e0d178b1d1e | 525 | static const char sigSha512wRsaName[] = "sha512WithRSAEncryption"; |
wolfSSL | 15:117db924cf7c | 526 | #endif |
wolfSSL | 15:117db924cf7c | 527 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 528 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 529 | #ifndef NO_SHA |
wolfSSL | 16:8e0d178b1d1e | 530 | static const char sigSha1wEcdsaName[] = "SHAwECDSA"; |
wolfSSL | 15:117db924cf7c | 531 | #endif |
wolfSSL | 15:117db924cf7c | 532 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 16:8e0d178b1d1e | 533 | static const char sigSha224wEcdsaName[] = "SHA224wECDSA"; |
wolfSSL | 15:117db924cf7c | 534 | #endif |
wolfSSL | 15:117db924cf7c | 535 | #ifndef NO_SHA256 |
wolfSSL | 16:8e0d178b1d1e | 536 | static const char sigSha256wEcdsaName[] = "SHA256wECDSA"; |
wolfSSL | 15:117db924cf7c | 537 | #endif |
wolfSSL | 15:117db924cf7c | 538 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 16:8e0d178b1d1e | 539 | static const char sigSha384wEcdsaName[] = "SHA384wECDSA"; |
wolfSSL | 15:117db924cf7c | 540 | #endif |
wolfSSL | 15:117db924cf7c | 541 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 16:8e0d178b1d1e | 542 | static const char sigSha512wEcdsaName[] = "SHA512wECDSA"; |
wolfSSL | 15:117db924cf7c | 543 | #endif |
wolfSSL | 15:117db924cf7c | 544 | #endif /* HAVE_ECC */ |
wolfSSL | 16:8e0d178b1d1e | 545 | static const char sigUnknownName[] = "Unknown"; |
wolfSSL | 15:117db924cf7c | 546 | |
wolfSSL | 15:117db924cf7c | 547 | |
wolfSSL | 15:117db924cf7c | 548 | /* Get the human readable string for a signature type |
wolfSSL | 15:117db924cf7c | 549 | * |
wolfSSL | 15:117db924cf7c | 550 | * oid Oid value for signature |
wolfSSL | 15:117db924cf7c | 551 | */ |
wolfSSL | 16:8e0d178b1d1e | 552 | const char* GetSigName(int oid) { |
wolfSSL | 15:117db924cf7c | 553 | switch (oid) { |
wolfSSL | 15:117db924cf7c | 554 | #if !defined(NO_DSA) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 555 | case CTC_SHAwDSA: |
wolfSSL | 15:117db924cf7c | 556 | return sigSha1wDsaName; |
wolfSSL | 15:117db924cf7c | 557 | #endif /* NO_DSA && NO_SHA */ |
wolfSSL | 15:117db924cf7c | 558 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 559 | #ifdef WOLFSSL_MD2 |
wolfSSL | 15:117db924cf7c | 560 | case CTC_MD2wRSA: |
wolfSSL | 15:117db924cf7c | 561 | return sigMd2wRsaName; |
wolfSSL | 15:117db924cf7c | 562 | #endif |
wolfSSL | 15:117db924cf7c | 563 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 564 | case CTC_MD5wRSA: |
wolfSSL | 15:117db924cf7c | 565 | return sigMd5wRsaName; |
wolfSSL | 15:117db924cf7c | 566 | #endif |
wolfSSL | 15:117db924cf7c | 567 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 568 | case CTC_SHAwRSA: |
wolfSSL | 15:117db924cf7c | 569 | return sigSha1wRsaName; |
wolfSSL | 15:117db924cf7c | 570 | #endif |
wolfSSL | 15:117db924cf7c | 571 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 572 | case CTC_SHA224wRSA: |
wolfSSL | 15:117db924cf7c | 573 | return sigSha224wRsaName; |
wolfSSL | 15:117db924cf7c | 574 | #endif |
wolfSSL | 15:117db924cf7c | 575 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 576 | case CTC_SHA256wRSA: |
wolfSSL | 15:117db924cf7c | 577 | return sigSha256wRsaName; |
wolfSSL | 15:117db924cf7c | 578 | #endif |
wolfSSL | 15:117db924cf7c | 579 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 580 | case CTC_SHA384wRSA: |
wolfSSL | 15:117db924cf7c | 581 | return sigSha384wRsaName; |
wolfSSL | 15:117db924cf7c | 582 | #endif |
wolfSSL | 15:117db924cf7c | 583 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 584 | case CTC_SHA512wRSA: |
wolfSSL | 15:117db924cf7c | 585 | return sigSha512wRsaName; |
wolfSSL | 15:117db924cf7c | 586 | #endif |
wolfSSL | 15:117db924cf7c | 587 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 588 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 589 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 590 | case CTC_SHAwECDSA: |
wolfSSL | 15:117db924cf7c | 591 | return sigSha1wEcdsaName; |
wolfSSL | 15:117db924cf7c | 592 | #endif |
wolfSSL | 15:117db924cf7c | 593 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 594 | case CTC_SHA224wECDSA: |
wolfSSL | 15:117db924cf7c | 595 | return sigSha224wEcdsaName; |
wolfSSL | 15:117db924cf7c | 596 | #endif |
wolfSSL | 15:117db924cf7c | 597 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 598 | case CTC_SHA256wECDSA: |
wolfSSL | 15:117db924cf7c | 599 | return sigSha256wEcdsaName; |
wolfSSL | 15:117db924cf7c | 600 | #endif |
wolfSSL | 15:117db924cf7c | 601 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 602 | case CTC_SHA384wECDSA: |
wolfSSL | 15:117db924cf7c | 603 | return sigSha384wEcdsaName; |
wolfSSL | 15:117db924cf7c | 604 | #endif |
wolfSSL | 15:117db924cf7c | 605 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 606 | case CTC_SHA512wECDSA: |
wolfSSL | 15:117db924cf7c | 607 | return sigSha512wEcdsaName; |
wolfSSL | 15:117db924cf7c | 608 | #endif |
wolfSSL | 15:117db924cf7c | 609 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 610 | default: |
wolfSSL | 15:117db924cf7c | 611 | return sigUnknownName; |
wolfSSL | 15:117db924cf7c | 612 | } |
wolfSSL | 15:117db924cf7c | 613 | } |
wolfSSL | 15:117db924cf7c | 614 | |
wolfSSL | 15:117db924cf7c | 615 | |
wolfSSL | 16:8e0d178b1d1e | 616 | #if !defined(NO_DSA) || defined(HAVE_ECC) || !defined(NO_CERTS) || \ |
wolfSSL | 15:117db924cf7c | 617 | (!defined(NO_RSA) && \ |
wolfSSL | 15:117db924cf7c | 618 | (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 15:117db924cf7c | 619 | ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(HAVE_USER_RSA)))) |
wolfSSL | 15:117db924cf7c | 620 | /* Set the DER/BER encoding of the ASN.1 INTEGER header. |
wolfSSL | 15:117db924cf7c | 621 | * |
wolfSSL | 15:117db924cf7c | 622 | * len Length of data to encode. |
wolfSSL | 15:117db924cf7c | 623 | * firstByte First byte of data, most significant byte of integer, to encode. |
wolfSSL | 15:117db924cf7c | 624 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 625 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 626 | */ |
wolfSSL | 15:117db924cf7c | 627 | static int SetASNInt(int len, byte firstByte, byte* output) |
wolfSSL | 15:117db924cf7c | 628 | { |
wolfSSL | 15:117db924cf7c | 629 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 630 | |
wolfSSL | 16:8e0d178b1d1e | 631 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 632 | output[idx] = ASN_INTEGER; |
wolfSSL | 16:8e0d178b1d1e | 633 | idx++; |
wolfSSL | 15:117db924cf7c | 634 | if (firstByte & 0x80) |
wolfSSL | 15:117db924cf7c | 635 | len++; |
wolfSSL | 16:8e0d178b1d1e | 636 | idx += SetLength(len, output ? output + idx : NULL); |
wolfSSL | 16:8e0d178b1d1e | 637 | if (firstByte & 0x80) { |
wolfSSL | 16:8e0d178b1d1e | 638 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 639 | output[idx] = 0x00; |
wolfSSL | 16:8e0d178b1d1e | 640 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 641 | } |
wolfSSL | 15:117db924cf7c | 642 | |
wolfSSL | 15:117db924cf7c | 643 | return idx; |
wolfSSL | 15:117db924cf7c | 644 | } |
wolfSSL | 15:117db924cf7c | 645 | #endif |
wolfSSL | 15:117db924cf7c | 646 | |
wolfSSL | 16:8e0d178b1d1e | 647 | #if !defined(NO_DSA) || defined(HAVE_ECC) || (defined(WOLFSSL_CERT_GEN) && \ |
wolfSSL | 16:8e0d178b1d1e | 648 | !defined(NO_RSA)) || ((defined(WOLFSSL_KEY_GEN) || \ |
wolfSSL | 16:8e0d178b1d1e | 649 | defined(OPENSSL_EXTRA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)) |
wolfSSL | 15:117db924cf7c | 650 | /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int. |
wolfSSL | 15:117db924cf7c | 651 | * The number is assumed to be positive. |
wolfSSL | 15:117db924cf7c | 652 | * |
wolfSSL | 15:117db924cf7c | 653 | * n Multi-precision integer to encode. |
wolfSSL | 15:117db924cf7c | 654 | * maxSz Maximum size of the encoded integer. |
wolfSSL | 15:117db924cf7c | 655 | * A negative value indicates no check of length requested. |
wolfSSL | 15:117db924cf7c | 656 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 657 | * returns BUFFER_E when the data is too long for the buffer. |
wolfSSL | 15:117db924cf7c | 658 | * MP_TO_E when encoding the integer fails. |
wolfSSL | 15:117db924cf7c | 659 | * Otherwise, the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 660 | */ |
wolfSSL | 15:117db924cf7c | 661 | static int SetASNIntMP(mp_int* n, int maxSz, byte* output) |
wolfSSL | 15:117db924cf7c | 662 | { |
wolfSSL | 15:117db924cf7c | 663 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 664 | int leadingBit; |
wolfSSL | 15:117db924cf7c | 665 | int length; |
wolfSSL | 15:117db924cf7c | 666 | int err; |
wolfSSL | 15:117db924cf7c | 667 | |
wolfSSL | 15:117db924cf7c | 668 | leadingBit = mp_leading_bit(n); |
wolfSSL | 15:117db924cf7c | 669 | length = mp_unsigned_bin_size(n); |
wolfSSL | 15:117db924cf7c | 670 | idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output); |
wolfSSL | 15:117db924cf7c | 671 | if (maxSz >= 0 && (idx + length) > maxSz) |
wolfSSL | 15:117db924cf7c | 672 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 673 | |
wolfSSL | 16:8e0d178b1d1e | 674 | if (output) { |
wolfSSL | 16:8e0d178b1d1e | 675 | err = mp_to_unsigned_bin(n, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 676 | if (err != MP_OKAY) |
wolfSSL | 16:8e0d178b1d1e | 677 | return MP_TO_E; |
wolfSSL | 16:8e0d178b1d1e | 678 | } |
wolfSSL | 15:117db924cf7c | 679 | idx += length; |
wolfSSL | 15:117db924cf7c | 680 | |
wolfSSL | 15:117db924cf7c | 681 | return idx; |
wolfSSL | 15:117db924cf7c | 682 | } |
wolfSSL | 15:117db924cf7c | 683 | #endif |
wolfSSL | 15:117db924cf7c | 684 | |
wolfSSL | 16:8e0d178b1d1e | 685 | #if !defined(NO_RSA) && defined(HAVE_USER_RSA) && \ |
wolfSSL | 16:8e0d178b1d1e | 686 | (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA)) |
wolfSSL | 15:117db924cf7c | 687 | /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int from |
wolfSSL | 15:117db924cf7c | 688 | * an RSA key. |
wolfSSL | 15:117db924cf7c | 689 | * The number is assumed to be positive. |
wolfSSL | 15:117db924cf7c | 690 | * |
wolfSSL | 15:117db924cf7c | 691 | * n Multi-precision integer to encode. |
wolfSSL | 15:117db924cf7c | 692 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 693 | * returns BUFFER_E when the data is too long for the buffer. |
wolfSSL | 15:117db924cf7c | 694 | * MP_TO_E when encoding the integer fails. |
wolfSSL | 15:117db924cf7c | 695 | * Otherwise, the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 696 | */ |
wolfSSL | 16:8e0d178b1d1e | 697 | static int SetASNIntRSA(void* n, byte* output) |
wolfSSL | 15:117db924cf7c | 698 | { |
wolfSSL | 15:117db924cf7c | 699 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 700 | int leadingBit; |
wolfSSL | 15:117db924cf7c | 701 | int length; |
wolfSSL | 15:117db924cf7c | 702 | int err; |
wolfSSL | 15:117db924cf7c | 703 | |
wolfSSL | 15:117db924cf7c | 704 | leadingBit = wc_Rsa_leading_bit(n); |
wolfSSL | 15:117db924cf7c | 705 | length = wc_Rsa_unsigned_bin_size(n); |
wolfSSL | 15:117db924cf7c | 706 | idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output); |
wolfSSL | 15:117db924cf7c | 707 | if ((idx + length) > MAX_RSA_INT_SZ) |
wolfSSL | 15:117db924cf7c | 708 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 709 | |
wolfSSL | 16:8e0d178b1d1e | 710 | if (output) { |
wolfSSL | 16:8e0d178b1d1e | 711 | err = wc_Rsa_to_unsigned_bin(n, output + idx, length); |
wolfSSL | 16:8e0d178b1d1e | 712 | if (err != MP_OKAY) |
wolfSSL | 16:8e0d178b1d1e | 713 | return MP_TO_E; |
wolfSSL | 16:8e0d178b1d1e | 714 | } |
wolfSSL | 15:117db924cf7c | 715 | idx += length; |
wolfSSL | 15:117db924cf7c | 716 | |
wolfSSL | 15:117db924cf7c | 717 | return idx; |
wolfSSL | 15:117db924cf7c | 718 | } |
wolfSSL | 15:117db924cf7c | 719 | #endif /* !NO_RSA && HAVE_USER_RSA && WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 720 | |
wolfSSL | 15:117db924cf7c | 721 | /* Windows header clash for WinCE using GetVersion */ |
wolfSSL | 16:8e0d178b1d1e | 722 | int GetMyVersion(const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 723 | int* version, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 724 | { |
wolfSSL | 15:117db924cf7c | 725 | word32 idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 726 | byte tag; |
wolfSSL | 15:117db924cf7c | 727 | |
wolfSSL | 15:117db924cf7c | 728 | if ((idx + MIN_VERSION_SZ) > maxIdx) |
wolfSSL | 15:117db924cf7c | 729 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 730 | |
wolfSSL | 16:8e0d178b1d1e | 731 | if (GetASNTag(input, &idx, &tag, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 732 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 733 | |
wolfSSL | 16:8e0d178b1d1e | 734 | if (tag != ASN_INTEGER) |
wolfSSL | 15:117db924cf7c | 735 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 736 | |
wolfSSL | 15:117db924cf7c | 737 | if (input[idx++] != 0x01) |
wolfSSL | 15:117db924cf7c | 738 | return ASN_VERSION_E; |
wolfSSL | 15:117db924cf7c | 739 | |
wolfSSL | 15:117db924cf7c | 740 | *version = input[idx++]; |
wolfSSL | 15:117db924cf7c | 741 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 742 | |
wolfSSL | 15:117db924cf7c | 743 | return *version; |
wolfSSL | 15:117db924cf7c | 744 | } |
wolfSSL | 15:117db924cf7c | 745 | |
wolfSSL | 15:117db924cf7c | 746 | |
wolfSSL | 15:117db924cf7c | 747 | #ifndef NO_PWDBASED |
wolfSSL | 15:117db924cf7c | 748 | /* Get small count integer, 32 bits or less */ |
wolfSSL | 15:117db924cf7c | 749 | int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 750 | { |
wolfSSL | 15:117db924cf7c | 751 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 752 | word32 len; |
wolfSSL | 16:8e0d178b1d1e | 753 | byte tag; |
wolfSSL | 15:117db924cf7c | 754 | |
wolfSSL | 15:117db924cf7c | 755 | *number = 0; |
wolfSSL | 15:117db924cf7c | 756 | |
wolfSSL | 15:117db924cf7c | 757 | /* check for type and length bytes */ |
wolfSSL | 15:117db924cf7c | 758 | if ((idx + 2) > maxIdx) |
wolfSSL | 15:117db924cf7c | 759 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 760 | |
wolfSSL | 16:8e0d178b1d1e | 761 | if (GetASNTag(input, &idx, &tag, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 762 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 763 | |
wolfSSL | 16:8e0d178b1d1e | 764 | if (tag != ASN_INTEGER) |
wolfSSL | 15:117db924cf7c | 765 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 766 | |
wolfSSL | 15:117db924cf7c | 767 | len = input[idx++]; |
wolfSSL | 15:117db924cf7c | 768 | if (len > 4) |
wolfSSL | 15:117db924cf7c | 769 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 770 | |
wolfSSL | 15:117db924cf7c | 771 | if (len + idx > maxIdx) |
wolfSSL | 15:117db924cf7c | 772 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 773 | |
wolfSSL | 15:117db924cf7c | 774 | while (len--) { |
wolfSSL | 15:117db924cf7c | 775 | *number = *number << 8 | input[idx++]; |
wolfSSL | 15:117db924cf7c | 776 | } |
wolfSSL | 15:117db924cf7c | 777 | |
wolfSSL | 15:117db924cf7c | 778 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 779 | |
wolfSSL | 15:117db924cf7c | 780 | return *number; |
wolfSSL | 15:117db924cf7c | 781 | } |
wolfSSL | 15:117db924cf7c | 782 | |
wolfSSL | 15:117db924cf7c | 783 | |
wolfSSL | 15:117db924cf7c | 784 | /* Set small integer, 32 bits or less. DER encoding with no leading 0s |
wolfSSL | 15:117db924cf7c | 785 | * returns total amount written including ASN tag and length byte on success */ |
wolfSSL | 16:8e0d178b1d1e | 786 | int SetShortInt(byte* input, word32* inOutIdx, word32 number, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 787 | { |
wolfSSL | 15:117db924cf7c | 788 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 789 | word32 len = 0; |
wolfSSL | 15:117db924cf7c | 790 | int i; |
wolfSSL | 15:117db924cf7c | 791 | byte ar[MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 792 | |
wolfSSL | 15:117db924cf7c | 793 | /* check for room for type and length bytes */ |
wolfSSL | 15:117db924cf7c | 794 | if ((idx + 2) > maxIdx) |
wolfSSL | 15:117db924cf7c | 795 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 796 | |
wolfSSL | 15:117db924cf7c | 797 | input[idx++] = ASN_INTEGER; |
wolfSSL | 15:117db924cf7c | 798 | idx++; /* place holder for length byte */ |
wolfSSL | 15:117db924cf7c | 799 | if (MAX_LENGTH_SZ + idx > maxIdx) |
wolfSSL | 15:117db924cf7c | 800 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 801 | |
wolfSSL | 15:117db924cf7c | 802 | /* find first non zero byte */ |
wolfSSL | 15:117db924cf7c | 803 | XMEMSET(ar, 0, MAX_LENGTH_SZ); |
wolfSSL | 15:117db924cf7c | 804 | c32toa(number, ar); |
wolfSSL | 15:117db924cf7c | 805 | for (i = 0; i < MAX_LENGTH_SZ; i++) { |
wolfSSL | 15:117db924cf7c | 806 | if (ar[i] != 0) { |
wolfSSL | 15:117db924cf7c | 807 | break; |
wolfSSL | 15:117db924cf7c | 808 | } |
wolfSSL | 15:117db924cf7c | 809 | } |
wolfSSL | 15:117db924cf7c | 810 | |
wolfSSL | 15:117db924cf7c | 811 | /* handle case of 0 */ |
wolfSSL | 15:117db924cf7c | 812 | if (i == MAX_LENGTH_SZ) { |
wolfSSL | 15:117db924cf7c | 813 | input[idx++] = 0; len++; |
wolfSSL | 15:117db924cf7c | 814 | } |
wolfSSL | 15:117db924cf7c | 815 | |
wolfSSL | 15:117db924cf7c | 816 | for (; i < MAX_LENGTH_SZ && idx < maxIdx; i++) { |
wolfSSL | 15:117db924cf7c | 817 | input[idx++] = ar[i]; len++; |
wolfSSL | 15:117db924cf7c | 818 | } |
wolfSSL | 15:117db924cf7c | 819 | |
wolfSSL | 15:117db924cf7c | 820 | /* jump back to beginning of input buffer using unaltered inOutIdx value |
wolfSSL | 15:117db924cf7c | 821 | * and set number of bytes for integer, then update the index value */ |
wolfSSL | 15:117db924cf7c | 822 | input[*inOutIdx + 1] = (byte)len; |
wolfSSL | 15:117db924cf7c | 823 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 824 | |
wolfSSL | 15:117db924cf7c | 825 | return len + 2; /* size of integer bytes plus ASN TAG and length byte */ |
wolfSSL | 15:117db924cf7c | 826 | } |
wolfSSL | 15:117db924cf7c | 827 | #endif /* !NO_PWDBASED */ |
wolfSSL | 15:117db924cf7c | 828 | |
wolfSSL | 15:117db924cf7c | 829 | /* May not have one, not an error */ |
wolfSSL | 15:117db924cf7c | 830 | static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version, |
wolfSSL | 15:117db924cf7c | 831 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 832 | { |
wolfSSL | 15:117db924cf7c | 833 | word32 idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 834 | byte tag; |
wolfSSL | 15:117db924cf7c | 835 | |
wolfSSL | 15:117db924cf7c | 836 | WOLFSSL_ENTER("GetExplicitVersion"); |
wolfSSL | 15:117db924cf7c | 837 | |
wolfSSL | 16:8e0d178b1d1e | 838 | if (GetASNTag(input, &idx, &tag, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 839 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 840 | |
wolfSSL | 16:8e0d178b1d1e | 841 | if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 15:117db924cf7c | 842 | *inOutIdx = ++idx; /* skip header */ |
wolfSSL | 15:117db924cf7c | 843 | return GetMyVersion(input, inOutIdx, version, maxIdx); |
wolfSSL | 15:117db924cf7c | 844 | } |
wolfSSL | 15:117db924cf7c | 845 | |
wolfSSL | 15:117db924cf7c | 846 | /* go back as is */ |
wolfSSL | 15:117db924cf7c | 847 | *version = 0; |
wolfSSL | 15:117db924cf7c | 848 | |
wolfSSL | 15:117db924cf7c | 849 | return 0; |
wolfSSL | 15:117db924cf7c | 850 | } |
wolfSSL | 15:117db924cf7c | 851 | |
wolfSSL | 15:117db924cf7c | 852 | int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 853 | { |
wolfSSL | 15:117db924cf7c | 854 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 855 | int ret; |
wolfSSL | 15:117db924cf7c | 856 | int length; |
wolfSSL | 15:117db924cf7c | 857 | |
wolfSSL | 15:117db924cf7c | 858 | ret = GetASNInt(input, &idx, &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 859 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 860 | return ret; |
wolfSSL | 15:117db924cf7c | 861 | |
wolfSSL | 15:117db924cf7c | 862 | if (mp_init(mpi) != MP_OKAY) |
wolfSSL | 15:117db924cf7c | 863 | return MP_INIT_E; |
wolfSSL | 15:117db924cf7c | 864 | |
wolfSSL | 15:117db924cf7c | 865 | if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) { |
wolfSSL | 15:117db924cf7c | 866 | mp_clear(mpi); |
wolfSSL | 15:117db924cf7c | 867 | return ASN_GETINT_E; |
wolfSSL | 15:117db924cf7c | 868 | } |
wolfSSL | 15:117db924cf7c | 869 | |
wolfSSL | 15:117db924cf7c | 870 | #ifdef HAVE_WOLF_BIGINT |
wolfSSL | 15:117db924cf7c | 871 | if (wc_bigint_from_unsigned_bin(&mpi->raw, input + idx, length) != 0) { |
wolfSSL | 15:117db924cf7c | 872 | mp_clear(mpi); |
wolfSSL | 15:117db924cf7c | 873 | return ASN_GETINT_E; |
wolfSSL | 15:117db924cf7c | 874 | } |
wolfSSL | 15:117db924cf7c | 875 | #endif /* HAVE_WOLF_BIGINT */ |
wolfSSL | 15:117db924cf7c | 876 | |
wolfSSL | 15:117db924cf7c | 877 | *inOutIdx = idx + length; |
wolfSSL | 15:117db924cf7c | 878 | |
wolfSSL | 15:117db924cf7c | 879 | return 0; |
wolfSSL | 15:117db924cf7c | 880 | } |
wolfSSL | 15:117db924cf7c | 881 | |
wolfSSL | 16:8e0d178b1d1e | 882 | #if (!defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)) \ |
wolfSSL | 16:8e0d178b1d1e | 883 | || defined(WOLFSSL_RSA_PUBLIC_ONLY) || (!defined(NO_DSA) && defined(WOLFSSL_QT)) |
wolfSSL | 15:117db924cf7c | 884 | #if !defined(NO_RSA) && !defined(HAVE_USER_RSA) |
wolfSSL | 15:117db924cf7c | 885 | static int SkipInt(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 886 | { |
wolfSSL | 15:117db924cf7c | 887 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 888 | int ret; |
wolfSSL | 15:117db924cf7c | 889 | int length; |
wolfSSL | 15:117db924cf7c | 890 | |
wolfSSL | 15:117db924cf7c | 891 | ret = GetASNInt(input, &idx, &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 892 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 893 | return ret; |
wolfSSL | 15:117db924cf7c | 894 | |
wolfSSL | 15:117db924cf7c | 895 | *inOutIdx = idx + length; |
wolfSSL | 15:117db924cf7c | 896 | |
wolfSSL | 15:117db924cf7c | 897 | return 0; |
wolfSSL | 15:117db924cf7c | 898 | } |
wolfSSL | 15:117db924cf7c | 899 | #endif |
wolfSSL | 15:117db924cf7c | 900 | #endif |
wolfSSL | 15:117db924cf7c | 901 | |
wolfSSL | 15:117db924cf7c | 902 | static int CheckBitString(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 903 | word32 maxIdx, int zeroBits, byte* unusedBits) |
wolfSSL | 15:117db924cf7c | 904 | { |
wolfSSL | 15:117db924cf7c | 905 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 906 | int length; |
wolfSSL | 15:117db924cf7c | 907 | byte b; |
wolfSSL | 15:117db924cf7c | 908 | |
wolfSSL | 16:8e0d178b1d1e | 909 | if (GetASNTag(input, &idx, &b, maxIdx) != 0) { |
wolfSSL | 15:117db924cf7c | 910 | return ASN_BITSTR_E; |
wolfSSL | 16:8e0d178b1d1e | 911 | } |
wolfSSL | 16:8e0d178b1d1e | 912 | |
wolfSSL | 16:8e0d178b1d1e | 913 | if (b != ASN_BIT_STRING) { |
wolfSSL | 16:8e0d178b1d1e | 914 | return ASN_BITSTR_E; |
wolfSSL | 16:8e0d178b1d1e | 915 | } |
wolfSSL | 15:117db924cf7c | 916 | |
wolfSSL | 15:117db924cf7c | 917 | if (GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 918 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 919 | |
wolfSSL | 15:117db924cf7c | 920 | /* extra sanity check that length is greater than 0 */ |
wolfSSL | 15:117db924cf7c | 921 | if (length <= 0) { |
wolfSSL | 15:117db924cf7c | 922 | WOLFSSL_MSG("Error length was 0 in CheckBitString"); |
wolfSSL | 15:117db924cf7c | 923 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 924 | } |
wolfSSL | 15:117db924cf7c | 925 | |
wolfSSL | 15:117db924cf7c | 926 | if (idx + 1 > maxIdx) { |
wolfSSL | 15:117db924cf7c | 927 | WOLFSSL_MSG("Attempted buffer read larger than input buffer"); |
wolfSSL | 15:117db924cf7c | 928 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 929 | } |
wolfSSL | 15:117db924cf7c | 930 | |
wolfSSL | 15:117db924cf7c | 931 | b = input[idx]; |
wolfSSL | 15:117db924cf7c | 932 | if (zeroBits && b != 0x00) |
wolfSSL | 15:117db924cf7c | 933 | return ASN_EXPECT_0_E; |
wolfSSL | 15:117db924cf7c | 934 | if (b >= 0x08) |
wolfSSL | 15:117db924cf7c | 935 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 936 | if (b != 0) { |
wolfSSL | 15:117db924cf7c | 937 | if ((byte)(input[idx + length - 1] << (8 - b)) != 0) |
wolfSSL | 15:117db924cf7c | 938 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 939 | } |
wolfSSL | 15:117db924cf7c | 940 | idx++; |
wolfSSL | 15:117db924cf7c | 941 | length--; /* length has been checked for greater than 0 */ |
wolfSSL | 15:117db924cf7c | 942 | |
wolfSSL | 15:117db924cf7c | 943 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 944 | if (len != NULL) |
wolfSSL | 15:117db924cf7c | 945 | *len = length; |
wolfSSL | 15:117db924cf7c | 946 | if (unusedBits != NULL) |
wolfSSL | 15:117db924cf7c | 947 | *unusedBits = b; |
wolfSSL | 15:117db924cf7c | 948 | |
wolfSSL | 15:117db924cf7c | 949 | return 0; |
wolfSSL | 15:117db924cf7c | 950 | } |
wolfSSL | 15:117db924cf7c | 951 | |
wolfSSL | 16:8e0d178b1d1e | 952 | /* RSA (with CertGen or KeyGen) OR ECC OR ED25519 OR ED448 (with CertGen or |
wolfSSL | 16:8e0d178b1d1e | 953 | * KeyGen) */ |
wolfSSL | 15:117db924cf7c | 954 | #if (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && \ |
wolfSSL | 15:117db924cf7c | 955 | (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA))) || \ |
wolfSSL | 16:8e0d178b1d1e | 956 | (defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)) || \ |
wolfSSL | 16:8e0d178b1d1e | 957 | ((defined(HAVE_ED25519) || defined(HAVE_ED448)) && \ |
wolfSSL | 15:117db924cf7c | 958 | (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA))) |
wolfSSL | 15:117db924cf7c | 959 | |
wolfSSL | 15:117db924cf7c | 960 | /* Set the DER/BER encoding of the ASN.1 BIT_STRING header. |
wolfSSL | 15:117db924cf7c | 961 | * |
wolfSSL | 15:117db924cf7c | 962 | * len Length of data to encode. |
wolfSSL | 15:117db924cf7c | 963 | * unusedBits The number of unused bits in the last byte of data. |
wolfSSL | 15:117db924cf7c | 964 | * That is, the number of least significant zero bits before a one. |
wolfSSL | 15:117db924cf7c | 965 | * The last byte is the most-significant non-zero byte of a number. |
wolfSSL | 15:117db924cf7c | 966 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 967 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 968 | */ |
wolfSSL | 16:8e0d178b1d1e | 969 | word32 SetBitString(word32 len, byte unusedBits, byte* output) |
wolfSSL | 15:117db924cf7c | 970 | { |
wolfSSL | 15:117db924cf7c | 971 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 972 | |
wolfSSL | 16:8e0d178b1d1e | 973 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 974 | output[idx] = ASN_BIT_STRING; |
wolfSSL | 16:8e0d178b1d1e | 975 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 976 | |
wolfSSL | 16:8e0d178b1d1e | 977 | idx += SetLength(len + 1, output ? output + idx : NULL); |
wolfSSL | 16:8e0d178b1d1e | 978 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 979 | output[idx] = unusedBits; |
wolfSSL | 16:8e0d178b1d1e | 980 | idx++; |
wolfSSL | 15:117db924cf7c | 981 | |
wolfSSL | 15:117db924cf7c | 982 | return idx; |
wolfSSL | 15:117db924cf7c | 983 | } |
wolfSSL | 16:8e0d178b1d1e | 984 | #endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 985 | |
wolfSSL | 15:117db924cf7c | 986 | #ifdef ASN_BER_TO_DER |
wolfSSL | 16:8e0d178b1d1e | 987 | /* Pull informtation from the ASN.1 BER encoded item header */ |
wolfSSL | 16:8e0d178b1d1e | 988 | static int GetBerHeader(const byte* data, word32* idx, word32 maxIdx, |
wolfSSL | 16:8e0d178b1d1e | 989 | byte* pTag, word32* pLen, int* indef) |
wolfSSL | 16:8e0d178b1d1e | 990 | { |
wolfSSL | 16:8e0d178b1d1e | 991 | int len = 0; |
wolfSSL | 16:8e0d178b1d1e | 992 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 993 | word32 i = *idx; |
wolfSSL | 16:8e0d178b1d1e | 994 | |
wolfSSL | 16:8e0d178b1d1e | 995 | *indef = 0; |
wolfSSL | 16:8e0d178b1d1e | 996 | |
wolfSSL | 16:8e0d178b1d1e | 997 | /* Check there is enough data for a minimal header */ |
wolfSSL | 16:8e0d178b1d1e | 998 | if (i + 2 > maxIdx) { |
wolfSSL | 16:8e0d178b1d1e | 999 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1000 | } |
wolfSSL | 16:8e0d178b1d1e | 1001 | |
wolfSSL | 16:8e0d178b1d1e | 1002 | /* Retrieve tag */ |
wolfSSL | 16:8e0d178b1d1e | 1003 | tag = data[i++]; |
wolfSSL | 16:8e0d178b1d1e | 1004 | |
wolfSSL | 16:8e0d178b1d1e | 1005 | /* Indefinite length handled specially */ |
wolfSSL | 16:8e0d178b1d1e | 1006 | if (data[i] == 0x80) { |
wolfSSL | 16:8e0d178b1d1e | 1007 | /* Check valid tag for indefinite */ |
wolfSSL | 16:8e0d178b1d1e | 1008 | if (((tag & 0xc0) == 0) && ((tag & ASN_CONSTRUCTED) == 0x00)) { |
wolfSSL | 16:8e0d178b1d1e | 1009 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1010 | } |
wolfSSL | 16:8e0d178b1d1e | 1011 | i++; |
wolfSSL | 16:8e0d178b1d1e | 1012 | *indef = 1; |
wolfSSL | 16:8e0d178b1d1e | 1013 | } |
wolfSSL | 16:8e0d178b1d1e | 1014 | else if (GetLength(data, &i, &len, maxIdx) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 1015 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1016 | } |
wolfSSL | 16:8e0d178b1d1e | 1017 | |
wolfSSL | 16:8e0d178b1d1e | 1018 | /* Return tag, length and index after BER item header */ |
wolfSSL | 16:8e0d178b1d1e | 1019 | *pTag = tag; |
wolfSSL | 16:8e0d178b1d1e | 1020 | *pLen = len; |
wolfSSL | 16:8e0d178b1d1e | 1021 | *idx = i; |
wolfSSL | 16:8e0d178b1d1e | 1022 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 1023 | } |
wolfSSL | 16:8e0d178b1d1e | 1024 | |
wolfSSL | 16:8e0d178b1d1e | 1025 | #ifndef INDEF_ITEMS_MAX |
wolfSSL | 16:8e0d178b1d1e | 1026 | #define INDEF_ITEMS_MAX 20 |
wolfSSL | 16:8e0d178b1d1e | 1027 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1028 | |
wolfSSL | 16:8e0d178b1d1e | 1029 | /* Indef length item data */ |
wolfSSL | 16:8e0d178b1d1e | 1030 | typedef struct Indef { |
wolfSSL | 16:8e0d178b1d1e | 1031 | word32 start; |
wolfSSL | 16:8e0d178b1d1e | 1032 | int depth; |
wolfSSL | 16:8e0d178b1d1e | 1033 | int headerLen; |
wolfSSL | 16:8e0d178b1d1e | 1034 | word32 len; |
wolfSSL | 16:8e0d178b1d1e | 1035 | } Indef; |
wolfSSL | 16:8e0d178b1d1e | 1036 | |
wolfSSL | 16:8e0d178b1d1e | 1037 | /* Indef length items */ |
wolfSSL | 16:8e0d178b1d1e | 1038 | typedef struct IndefItems |
wolfSSL | 16:8e0d178b1d1e | 1039 | { |
wolfSSL | 16:8e0d178b1d1e | 1040 | Indef len[INDEF_ITEMS_MAX]; |
wolfSSL | 16:8e0d178b1d1e | 1041 | int cnt; |
wolfSSL | 16:8e0d178b1d1e | 1042 | int idx; |
wolfSSL | 16:8e0d178b1d1e | 1043 | int depth; |
wolfSSL | 16:8e0d178b1d1e | 1044 | } IndefItems; |
wolfSSL | 16:8e0d178b1d1e | 1045 | |
wolfSSL | 16:8e0d178b1d1e | 1046 | |
wolfSSL | 16:8e0d178b1d1e | 1047 | /* Get header length of current item */ |
wolfSSL | 16:8e0d178b1d1e | 1048 | static int IndefItems_HeaderLen(IndefItems* items) |
wolfSSL | 16:8e0d178b1d1e | 1049 | { |
wolfSSL | 16:8e0d178b1d1e | 1050 | return items->len[items->idx].headerLen; |
wolfSSL | 16:8e0d178b1d1e | 1051 | } |
wolfSSL | 16:8e0d178b1d1e | 1052 | |
wolfSSL | 16:8e0d178b1d1e | 1053 | /* Get data length of current item */ |
wolfSSL | 16:8e0d178b1d1e | 1054 | static word32 IndefItems_Len(IndefItems* items) |
wolfSSL | 16:8e0d178b1d1e | 1055 | { |
wolfSSL | 16:8e0d178b1d1e | 1056 | return items->len[items->idx].len; |
wolfSSL | 16:8e0d178b1d1e | 1057 | } |
wolfSSL | 16:8e0d178b1d1e | 1058 | |
wolfSSL | 16:8e0d178b1d1e | 1059 | /* Add a indefinite length item */ |
wolfSSL | 16:8e0d178b1d1e | 1060 | static int IndefItems_AddItem(IndefItems* items, word32 start) |
wolfSSL | 16:8e0d178b1d1e | 1061 | { |
wolfSSL | 16:8e0d178b1d1e | 1062 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 1063 | int i; |
wolfSSL | 16:8e0d178b1d1e | 1064 | |
wolfSSL | 16:8e0d178b1d1e | 1065 | if (items->cnt == INDEF_ITEMS_MAX) { |
wolfSSL | 16:8e0d178b1d1e | 1066 | ret = MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 1067 | } |
wolfSSL | 16:8e0d178b1d1e | 1068 | else { |
wolfSSL | 16:8e0d178b1d1e | 1069 | i = items->cnt++; |
wolfSSL | 16:8e0d178b1d1e | 1070 | items->len[i].start = start; |
wolfSSL | 16:8e0d178b1d1e | 1071 | items->len[i].depth = items->depth++; |
wolfSSL | 16:8e0d178b1d1e | 1072 | items->len[i].headerLen = 1; |
wolfSSL | 16:8e0d178b1d1e | 1073 | items->len[i].len = 0; |
wolfSSL | 16:8e0d178b1d1e | 1074 | items->idx = i; |
wolfSSL | 16:8e0d178b1d1e | 1075 | } |
wolfSSL | 16:8e0d178b1d1e | 1076 | |
wolfSSL | 16:8e0d178b1d1e | 1077 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 1078 | } |
wolfSSL | 16:8e0d178b1d1e | 1079 | |
wolfSSL | 16:8e0d178b1d1e | 1080 | /* Increase data length of current item */ |
wolfSSL | 16:8e0d178b1d1e | 1081 | static void IndefItems_AddData(IndefItems* items, word32 length) |
wolfSSL | 16:8e0d178b1d1e | 1082 | { |
wolfSSL | 16:8e0d178b1d1e | 1083 | items->len[items->idx].len += length; |
wolfSSL | 16:8e0d178b1d1e | 1084 | } |
wolfSSL | 16:8e0d178b1d1e | 1085 | |
wolfSSL | 16:8e0d178b1d1e | 1086 | /* Update header length of current item to reflect data length */ |
wolfSSL | 16:8e0d178b1d1e | 1087 | static void IndefItems_UpdateHeaderLen(IndefItems* items) |
wolfSSL | 16:8e0d178b1d1e | 1088 | { |
wolfSSL | 16:8e0d178b1d1e | 1089 | items->len[items->idx].headerLen += |
wolfSSL | 16:8e0d178b1d1e | 1090 | SetLength(items->len[items->idx].len, NULL); |
wolfSSL | 16:8e0d178b1d1e | 1091 | } |
wolfSSL | 16:8e0d178b1d1e | 1092 | |
wolfSSL | 16:8e0d178b1d1e | 1093 | /* Go to indefinite parent of current item */ |
wolfSSL | 16:8e0d178b1d1e | 1094 | static void IndefItems_Up(IndefItems* items) |
wolfSSL | 16:8e0d178b1d1e | 1095 | { |
wolfSSL | 16:8e0d178b1d1e | 1096 | int i; |
wolfSSL | 16:8e0d178b1d1e | 1097 | int depth = items->len[items->idx].depth - 1; |
wolfSSL | 16:8e0d178b1d1e | 1098 | |
wolfSSL | 16:8e0d178b1d1e | 1099 | for (i = items->cnt - 1; i >= 0; i--) { |
wolfSSL | 16:8e0d178b1d1e | 1100 | if (items->len[i].depth == depth) { |
wolfSSL | 16:8e0d178b1d1e | 1101 | break; |
wolfSSL | 16:8e0d178b1d1e | 1102 | } |
wolfSSL | 16:8e0d178b1d1e | 1103 | } |
wolfSSL | 16:8e0d178b1d1e | 1104 | items->idx = i; |
wolfSSL | 16:8e0d178b1d1e | 1105 | items->depth = depth + 1; |
wolfSSL | 16:8e0d178b1d1e | 1106 | } |
wolfSSL | 16:8e0d178b1d1e | 1107 | |
wolfSSL | 16:8e0d178b1d1e | 1108 | /* Calculate final length by adding length of indefinite child items */ |
wolfSSL | 16:8e0d178b1d1e | 1109 | static void IndefItems_CalcLength(IndefItems* items) |
wolfSSL | 16:8e0d178b1d1e | 1110 | { |
wolfSSL | 16:8e0d178b1d1e | 1111 | int i; |
wolfSSL | 16:8e0d178b1d1e | 1112 | int idx = items->idx; |
wolfSSL | 16:8e0d178b1d1e | 1113 | |
wolfSSL | 16:8e0d178b1d1e | 1114 | for (i = idx + 1; i < items->cnt; i++) { |
wolfSSL | 16:8e0d178b1d1e | 1115 | if (items->len[i].depth == items->depth) { |
wolfSSL | 16:8e0d178b1d1e | 1116 | items->len[idx].len += items->len[i].headerLen; |
wolfSSL | 16:8e0d178b1d1e | 1117 | items->len[idx].len += items->len[i].len; |
wolfSSL | 16:8e0d178b1d1e | 1118 | } |
wolfSSL | 16:8e0d178b1d1e | 1119 | } |
wolfSSL | 16:8e0d178b1d1e | 1120 | items->len[idx].headerLen += SetLength(items->len[idx].len, NULL); |
wolfSSL | 16:8e0d178b1d1e | 1121 | } |
wolfSSL | 16:8e0d178b1d1e | 1122 | |
wolfSSL | 16:8e0d178b1d1e | 1123 | /* Add more data to indefinite length item */ |
wolfSSL | 16:8e0d178b1d1e | 1124 | static void IndefItems_MoreData(IndefItems* items, word32 length) |
wolfSSL | 16:8e0d178b1d1e | 1125 | { |
wolfSSL | 16:8e0d178b1d1e | 1126 | if (items->cnt > 0 && items->idx >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 1127 | items->len[items->idx].len += length; |
wolfSSL | 16:8e0d178b1d1e | 1128 | } |
wolfSSL | 16:8e0d178b1d1e | 1129 | } |
wolfSSL | 16:8e0d178b1d1e | 1130 | |
wolfSSL | 15:117db924cf7c | 1131 | /* Convert a BER encoding with indefinite length items to DER. |
wolfSSL | 15:117db924cf7c | 1132 | * |
wolfSSL | 15:117db924cf7c | 1133 | * ber BER encoded data. |
wolfSSL | 15:117db924cf7c | 1134 | * berSz Length of BER encoded data. |
wolfSSL | 15:117db924cf7c | 1135 | * der Buffer to hold DER encoded version of data. |
wolfSSL | 15:117db924cf7c | 1136 | * NULL indicates only the length is required. |
wolfSSL | 15:117db924cf7c | 1137 | * derSz The size of the buffer to hold the DER encoded data. |
wolfSSL | 15:117db924cf7c | 1138 | * Will be set if der is NULL, otherwise the value is checked as der is |
wolfSSL | 15:117db924cf7c | 1139 | * filled. |
wolfSSL | 15:117db924cf7c | 1140 | * returns ASN_PARSE_E if the BER data is invalid and BAD_FUNC_ARG if ber or |
wolfSSL | 15:117db924cf7c | 1141 | * derSz are NULL. |
wolfSSL | 15:117db924cf7c | 1142 | */ |
wolfSSL | 15:117db924cf7c | 1143 | int wc_BerToDer(const byte* ber, word32 berSz, byte* der, word32* derSz) |
wolfSSL | 15:117db924cf7c | 1144 | { |
wolfSSL | 16:8e0d178b1d1e | 1145 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 1146 | word32 i, j; |
wolfSSL | 16:8e0d178b1d1e | 1147 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 1148 | IndefItems* indefItems = NULL; |
wolfSSL | 16:8e0d178b1d1e | 1149 | #else |
wolfSSL | 16:8e0d178b1d1e | 1150 | IndefItems indefItems[1]; |
wolfSSL | 16:8e0d178b1d1e | 1151 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1152 | byte tag, basic; |
wolfSSL | 16:8e0d178b1d1e | 1153 | word32 length; |
wolfSSL | 15:117db924cf7c | 1154 | int indef; |
wolfSSL | 15:117db924cf7c | 1155 | |
wolfSSL | 15:117db924cf7c | 1156 | if (ber == NULL || derSz == NULL) |
wolfSSL | 15:117db924cf7c | 1157 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 1158 | |
wolfSSL | 16:8e0d178b1d1e | 1159 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 1160 | indefItems = XMALLOC(sizeof(IndefItems), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 1161 | if (indefItems == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1162 | ret = MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 1163 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1164 | } |
wolfSSL | 16:8e0d178b1d1e | 1165 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1166 | |
wolfSSL | 16:8e0d178b1d1e | 1167 | XMEMSET(indefItems, 0, sizeof(*indefItems)); |
wolfSSL | 16:8e0d178b1d1e | 1168 | |
wolfSSL | 16:8e0d178b1d1e | 1169 | /* Calculate indefinite item lengths */ |
wolfSSL | 16:8e0d178b1d1e | 1170 | for (i = 0; i < berSz; ) { |
wolfSSL | 16:8e0d178b1d1e | 1171 | word32 start = i; |
wolfSSL | 16:8e0d178b1d1e | 1172 | |
wolfSSL | 16:8e0d178b1d1e | 1173 | /* Get next BER item */ |
wolfSSL | 16:8e0d178b1d1e | 1174 | ret = GetBerHeader(ber, &i, berSz, &tag, &length, &indef); |
wolfSSL | 16:8e0d178b1d1e | 1175 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1176 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1177 | } |
wolfSSL | 15:117db924cf7c | 1178 | |
wolfSSL | 15:117db924cf7c | 1179 | if (indef) { |
wolfSSL | 16:8e0d178b1d1e | 1180 | /* Indefinite item - add to list */ |
wolfSSL | 16:8e0d178b1d1e | 1181 | ret = IndefItems_AddItem(indefItems, i); |
wolfSSL | 16:8e0d178b1d1e | 1182 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1183 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1184 | } |
wolfSSL | 16:8e0d178b1d1e | 1185 | |
wolfSSL | 16:8e0d178b1d1e | 1186 | if ((tag & 0xC0) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 1187 | tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) && |
wolfSSL | 16:8e0d178b1d1e | 1188 | tag != (ASN_SET | ASN_CONSTRUCTED)) { |
wolfSSL | 16:8e0d178b1d1e | 1189 | /* Constructed basic type - get repeating tag */ |
wolfSSL | 16:8e0d178b1d1e | 1190 | basic = tag & (~ASN_CONSTRUCTED); |
wolfSSL | 16:8e0d178b1d1e | 1191 | |
wolfSSL | 16:8e0d178b1d1e | 1192 | /* Add up lengths of each item below */ |
wolfSSL | 16:8e0d178b1d1e | 1193 | for (; i < berSz; ) { |
wolfSSL | 16:8e0d178b1d1e | 1194 | /* Get next BER_item */ |
wolfSSL | 16:8e0d178b1d1e | 1195 | ret = GetBerHeader(ber, &i, berSz, &tag, &length, &indef); |
wolfSSL | 16:8e0d178b1d1e | 1196 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1197 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1198 | } |
wolfSSL | 16:8e0d178b1d1e | 1199 | |
wolfSSL | 16:8e0d178b1d1e | 1200 | /* End of content closes item */ |
wolfSSL | 16:8e0d178b1d1e | 1201 | if (tag == ASN_EOC) { |
wolfSSL | 16:8e0d178b1d1e | 1202 | /* Must be zero length */ |
wolfSSL | 16:8e0d178b1d1e | 1203 | if (length != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1204 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1205 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1206 | } |
wolfSSL | 16:8e0d178b1d1e | 1207 | break; |
wolfSSL | 16:8e0d178b1d1e | 1208 | } |
wolfSSL | 16:8e0d178b1d1e | 1209 | |
wolfSSL | 16:8e0d178b1d1e | 1210 | /* Must not be indefinite and tag must match parent */ |
wolfSSL | 16:8e0d178b1d1e | 1211 | if (indef || tag != basic) { |
wolfSSL | 16:8e0d178b1d1e | 1212 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1213 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1214 | } |
wolfSSL | 16:8e0d178b1d1e | 1215 | |
wolfSSL | 16:8e0d178b1d1e | 1216 | /* Add to length */ |
wolfSSL | 16:8e0d178b1d1e | 1217 | IndefItems_AddData(indefItems, length); |
wolfSSL | 16:8e0d178b1d1e | 1218 | /* Skip data */ |
wolfSSL | 16:8e0d178b1d1e | 1219 | i += length; |
wolfSSL | 16:8e0d178b1d1e | 1220 | } |
wolfSSL | 16:8e0d178b1d1e | 1221 | |
wolfSSL | 16:8e0d178b1d1e | 1222 | /* Ensure we got an EOC and not end of data */ |
wolfSSL | 16:8e0d178b1d1e | 1223 | if (tag != ASN_EOC) { |
wolfSSL | 16:8e0d178b1d1e | 1224 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1225 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1226 | } |
wolfSSL | 16:8e0d178b1d1e | 1227 | |
wolfSSL | 16:8e0d178b1d1e | 1228 | /* Set the header length to include the length field */ |
wolfSSL | 16:8e0d178b1d1e | 1229 | IndefItems_UpdateHeaderLen(indefItems); |
wolfSSL | 16:8e0d178b1d1e | 1230 | /* Go to indefinte parent item */ |
wolfSSL | 16:8e0d178b1d1e | 1231 | IndefItems_Up(indefItems); |
wolfSSL | 16:8e0d178b1d1e | 1232 | } |
wolfSSL | 16:8e0d178b1d1e | 1233 | } |
wolfSSL | 16:8e0d178b1d1e | 1234 | else if (tag == ASN_EOC) { |
wolfSSL | 16:8e0d178b1d1e | 1235 | /* End-of-content must be 0 length */ |
wolfSSL | 16:8e0d178b1d1e | 1236 | if (length != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1237 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1238 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1239 | } |
wolfSSL | 16:8e0d178b1d1e | 1240 | /* Check there is an item to close - missing EOC */ |
wolfSSL | 16:8e0d178b1d1e | 1241 | if (indefItems->depth == 0) { |
wolfSSL | 16:8e0d178b1d1e | 1242 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1243 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1244 | } |
wolfSSL | 16:8e0d178b1d1e | 1245 | |
wolfSSL | 16:8e0d178b1d1e | 1246 | /* Finish calculation of data length for indefinite item */ |
wolfSSL | 16:8e0d178b1d1e | 1247 | IndefItems_CalcLength(indefItems); |
wolfSSL | 16:8e0d178b1d1e | 1248 | /* Go to indefinte parent item */ |
wolfSSL | 16:8e0d178b1d1e | 1249 | IndefItems_Up(indefItems); |
wolfSSL | 15:117db924cf7c | 1250 | } |
wolfSSL | 15:117db924cf7c | 1251 | else { |
wolfSSL | 16:8e0d178b1d1e | 1252 | /* Known length item to add in - make sure enough data for it */ |
wolfSSL | 16:8e0d178b1d1e | 1253 | if (i + length > berSz) { |
wolfSSL | 16:8e0d178b1d1e | 1254 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1255 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1256 | } |
wolfSSL | 16:8e0d178b1d1e | 1257 | |
wolfSSL | 16:8e0d178b1d1e | 1258 | /* Include all data - can't have indefinite inside definite */ |
wolfSSL | 16:8e0d178b1d1e | 1259 | i += length; |
wolfSSL | 16:8e0d178b1d1e | 1260 | /* Add entire item to current indefinite item */ |
wolfSSL | 16:8e0d178b1d1e | 1261 | IndefItems_MoreData(indefItems, i - start); |
wolfSSL | 16:8e0d178b1d1e | 1262 | } |
wolfSSL | 16:8e0d178b1d1e | 1263 | } |
wolfSSL | 16:8e0d178b1d1e | 1264 | /* Check we had a EOC for each indefinite item */ |
wolfSSL | 16:8e0d178b1d1e | 1265 | if (indefItems->depth != 0) { |
wolfSSL | 16:8e0d178b1d1e | 1266 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 1267 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1268 | } |
wolfSSL | 16:8e0d178b1d1e | 1269 | |
wolfSSL | 16:8e0d178b1d1e | 1270 | /* Write out DER */ |
wolfSSL | 16:8e0d178b1d1e | 1271 | |
wolfSSL | 16:8e0d178b1d1e | 1272 | j = 0; |
wolfSSL | 16:8e0d178b1d1e | 1273 | /* Reset index */ |
wolfSSL | 16:8e0d178b1d1e | 1274 | indefItems->idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 1275 | for (i = 0; i < berSz; ) { |
wolfSSL | 16:8e0d178b1d1e | 1276 | word32 start = i; |
wolfSSL | 16:8e0d178b1d1e | 1277 | |
wolfSSL | 16:8e0d178b1d1e | 1278 | /* Get item - checked above */ |
wolfSSL | 16:8e0d178b1d1e | 1279 | (void)GetBerHeader(ber, &i, berSz, &tag, &length, &indef); |
wolfSSL | 16:8e0d178b1d1e | 1280 | if (indef) { |
wolfSSL | 15:117db924cf7c | 1281 | if (der != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1282 | /* Check enough space for header */ |
wolfSSL | 16:8e0d178b1d1e | 1283 | if (j + IndefItems_HeaderLen(indefItems) > *derSz) { |
wolfSSL | 16:8e0d178b1d1e | 1284 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 1285 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1286 | } |
wolfSSL | 16:8e0d178b1d1e | 1287 | |
wolfSSL | 16:8e0d178b1d1e | 1288 | if ((tag & 0xC0) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 1289 | tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) && |
wolfSSL | 16:8e0d178b1d1e | 1290 | tag != (ASN_SET | ASN_CONSTRUCTED)) { |
wolfSSL | 16:8e0d178b1d1e | 1291 | /* Remove constructed tag for basic types */ |
wolfSSL | 16:8e0d178b1d1e | 1292 | tag &= ~ASN_CONSTRUCTED; |
wolfSSL | 16:8e0d178b1d1e | 1293 | } |
wolfSSL | 16:8e0d178b1d1e | 1294 | /* Add tag and length */ |
wolfSSL | 16:8e0d178b1d1e | 1295 | der[j] = tag; |
wolfSSL | 16:8e0d178b1d1e | 1296 | (void)SetLength(IndefItems_Len(indefItems), der + j + 1); |
wolfSSL | 16:8e0d178b1d1e | 1297 | } |
wolfSSL | 16:8e0d178b1d1e | 1298 | /* Add header length of indefinite item */ |
wolfSSL | 16:8e0d178b1d1e | 1299 | j += IndefItems_HeaderLen(indefItems); |
wolfSSL | 16:8e0d178b1d1e | 1300 | |
wolfSSL | 16:8e0d178b1d1e | 1301 | if ((tag & 0xC0) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 1302 | tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) && |
wolfSSL | 16:8e0d178b1d1e | 1303 | tag != (ASN_SET | ASN_CONSTRUCTED)) { |
wolfSSL | 16:8e0d178b1d1e | 1304 | /* For basic type - get each child item and add data */ |
wolfSSL | 16:8e0d178b1d1e | 1305 | for (; i < berSz; ) { |
wolfSSL | 16:8e0d178b1d1e | 1306 | (void)GetBerHeader(ber, &i, berSz, &tag, &length, &indef); |
wolfSSL | 16:8e0d178b1d1e | 1307 | if (tag == ASN_EOC) { |
wolfSSL | 16:8e0d178b1d1e | 1308 | break; |
wolfSSL | 16:8e0d178b1d1e | 1309 | } |
wolfSSL | 16:8e0d178b1d1e | 1310 | if (der != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1311 | if (j + length > *derSz) { |
wolfSSL | 16:8e0d178b1d1e | 1312 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 1313 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1314 | } |
wolfSSL | 16:8e0d178b1d1e | 1315 | XMEMCPY(der + j, ber + i, length); |
wolfSSL | 16:8e0d178b1d1e | 1316 | } |
wolfSSL | 16:8e0d178b1d1e | 1317 | j += length; |
wolfSSL | 16:8e0d178b1d1e | 1318 | i += length; |
wolfSSL | 16:8e0d178b1d1e | 1319 | } |
wolfSSL | 16:8e0d178b1d1e | 1320 | } |
wolfSSL | 16:8e0d178b1d1e | 1321 | |
wolfSSL | 16:8e0d178b1d1e | 1322 | /* Move to next indef item in list */ |
wolfSSL | 16:8e0d178b1d1e | 1323 | indefItems->idx++; |
wolfSSL | 16:8e0d178b1d1e | 1324 | } |
wolfSSL | 16:8e0d178b1d1e | 1325 | else if (tag == ASN_EOC) { |
wolfSSL | 16:8e0d178b1d1e | 1326 | /* End-Of-Content is not written out in DER */ |
wolfSSL | 16:8e0d178b1d1e | 1327 | } |
wolfSSL | 16:8e0d178b1d1e | 1328 | else { |
wolfSSL | 16:8e0d178b1d1e | 1329 | /* Write out definite length item as is. */ |
wolfSSL | 16:8e0d178b1d1e | 1330 | i += length; |
wolfSSL | 16:8e0d178b1d1e | 1331 | if (der != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1332 | /* Ensure space for item */ |
wolfSSL | 16:8e0d178b1d1e | 1333 | if (j + i - start > *derSz) { |
wolfSSL | 16:8e0d178b1d1e | 1334 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 1335 | goto end; |
wolfSSL | 16:8e0d178b1d1e | 1336 | } |
wolfSSL | 16:8e0d178b1d1e | 1337 | /* Copy item as is */ |
wolfSSL | 16:8e0d178b1d1e | 1338 | XMEMCPY(der + j, ber + start, i - start); |
wolfSSL | 16:8e0d178b1d1e | 1339 | } |
wolfSSL | 16:8e0d178b1d1e | 1340 | j += i - start; |
wolfSSL | 16:8e0d178b1d1e | 1341 | } |
wolfSSL | 16:8e0d178b1d1e | 1342 | } |
wolfSSL | 16:8e0d178b1d1e | 1343 | |
wolfSSL | 16:8e0d178b1d1e | 1344 | /* Return the length of the DER encoded ASN.1 */ |
wolfSSL | 16:8e0d178b1d1e | 1345 | *derSz = j; |
wolfSSL | 15:117db924cf7c | 1346 | if (der == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1347 | ret = LENGTH_ONLY_E; |
wolfSSL | 16:8e0d178b1d1e | 1348 | } |
wolfSSL | 16:8e0d178b1d1e | 1349 | end: |
wolfSSL | 16:8e0d178b1d1e | 1350 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 1351 | if (indefItems != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 1352 | XFREE(indefItems, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 1353 | } |
wolfSSL | 16:8e0d178b1d1e | 1354 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1355 | return ret; |
wolfSSL | 15:117db924cf7c | 1356 | } |
wolfSSL | 15:117db924cf7c | 1357 | #endif |
wolfSSL | 15:117db924cf7c | 1358 | |
wolfSSL | 15:117db924cf7c | 1359 | #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) |
wolfSSL | 15:117db924cf7c | 1360 | |
wolfSSL | 15:117db924cf7c | 1361 | #if (!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || \ |
wolfSSL | 16:8e0d178b1d1e | 1362 | defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) |
wolfSSL | 15:117db924cf7c | 1363 | |
wolfSSL | 15:117db924cf7c | 1364 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 1365 | /* Set the DER/BER encoding of the ASN.1 BIT_STRING with a 16-bit value. |
wolfSSL | 15:117db924cf7c | 1366 | * |
wolfSSL | 15:117db924cf7c | 1367 | * val 16-bit value to encode. |
wolfSSL | 15:117db924cf7c | 1368 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 1369 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 1370 | */ |
wolfSSL | 15:117db924cf7c | 1371 | static word32 SetBitString16Bit(word16 val, byte* output) |
wolfSSL | 15:117db924cf7c | 1372 | { |
wolfSSL | 15:117db924cf7c | 1373 | word32 idx; |
wolfSSL | 15:117db924cf7c | 1374 | int len; |
wolfSSL | 15:117db924cf7c | 1375 | byte lastByte; |
wolfSSL | 15:117db924cf7c | 1376 | byte unusedBits = 0; |
wolfSSL | 15:117db924cf7c | 1377 | |
wolfSSL | 15:117db924cf7c | 1378 | if ((val >> 8) != 0) { |
wolfSSL | 15:117db924cf7c | 1379 | len = 2; |
wolfSSL | 15:117db924cf7c | 1380 | lastByte = (byte)(val >> 8); |
wolfSSL | 15:117db924cf7c | 1381 | } |
wolfSSL | 15:117db924cf7c | 1382 | else { |
wolfSSL | 15:117db924cf7c | 1383 | len = 1; |
wolfSSL | 15:117db924cf7c | 1384 | lastByte = (byte)val; |
wolfSSL | 15:117db924cf7c | 1385 | } |
wolfSSL | 15:117db924cf7c | 1386 | |
wolfSSL | 15:117db924cf7c | 1387 | while (((lastByte >> unusedBits) & 0x01) == 0x00) |
wolfSSL | 15:117db924cf7c | 1388 | unusedBits++; |
wolfSSL | 15:117db924cf7c | 1389 | |
wolfSSL | 15:117db924cf7c | 1390 | idx = SetBitString(len, unusedBits, output); |
wolfSSL | 15:117db924cf7c | 1391 | output[idx++] = (byte)val; |
wolfSSL | 15:117db924cf7c | 1392 | if (len > 1) |
wolfSSL | 15:117db924cf7c | 1393 | output[idx++] = (byte)(val >> 8); |
wolfSSL | 15:117db924cf7c | 1394 | |
wolfSSL | 15:117db924cf7c | 1395 | return idx; |
wolfSSL | 15:117db924cf7c | 1396 | } |
wolfSSL | 15:117db924cf7c | 1397 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 16:8e0d178b1d1e | 1398 | #endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 || defined(HAVE_ED448) */ |
wolfSSL | 15:117db924cf7c | 1399 | #endif /* WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN */ |
wolfSSL | 15:117db924cf7c | 1400 | |
wolfSSL | 15:117db924cf7c | 1401 | |
wolfSSL | 15:117db924cf7c | 1402 | |
wolfSSL | 15:117db924cf7c | 1403 | /* hashType */ |
wolfSSL | 15:117db924cf7c | 1404 | #ifdef WOLFSSL_MD2 |
wolfSSL | 15:117db924cf7c | 1405 | static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2}; |
wolfSSL | 15:117db924cf7c | 1406 | #endif |
wolfSSL | 15:117db924cf7c | 1407 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 1408 | static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5}; |
wolfSSL | 15:117db924cf7c | 1409 | #endif |
wolfSSL | 15:117db924cf7c | 1410 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1411 | static const byte hashSha1hOid[] = {43, 14, 3, 2, 26}; |
wolfSSL | 15:117db924cf7c | 1412 | #endif |
wolfSSL | 15:117db924cf7c | 1413 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1414 | static const byte hashSha224hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 4}; |
wolfSSL | 15:117db924cf7c | 1415 | #endif |
wolfSSL | 15:117db924cf7c | 1416 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1417 | static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1}; |
wolfSSL | 15:117db924cf7c | 1418 | #endif |
wolfSSL | 15:117db924cf7c | 1419 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1420 | static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2}; |
wolfSSL | 15:117db924cf7c | 1421 | #endif |
wolfSSL | 15:117db924cf7c | 1422 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1423 | static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3}; |
wolfSSL | 15:117db924cf7c | 1424 | #endif |
wolfSSL | 15:117db924cf7c | 1425 | |
wolfSSL | 15:117db924cf7c | 1426 | /* hmacType */ |
wolfSSL | 15:117db924cf7c | 1427 | #ifndef NO_HMAC |
wolfSSL | 15:117db924cf7c | 1428 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1429 | static const byte hmacSha224Oid[] = {42, 134, 72, 134, 247, 13, 2, 8}; |
wolfSSL | 15:117db924cf7c | 1430 | #endif |
wolfSSL | 15:117db924cf7c | 1431 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1432 | static const byte hmacSha256Oid[] = {42, 134, 72, 134, 247, 13, 2, 9}; |
wolfSSL | 15:117db924cf7c | 1433 | #endif |
wolfSSL | 15:117db924cf7c | 1434 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1435 | static const byte hmacSha384Oid[] = {42, 134, 72, 134, 247, 13, 2, 10}; |
wolfSSL | 15:117db924cf7c | 1436 | #endif |
wolfSSL | 15:117db924cf7c | 1437 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1438 | static const byte hmacSha512Oid[] = {42, 134, 72, 134, 247, 13, 2, 11}; |
wolfSSL | 15:117db924cf7c | 1439 | #endif |
wolfSSL | 15:117db924cf7c | 1440 | #endif |
wolfSSL | 15:117db924cf7c | 1441 | |
wolfSSL | 15:117db924cf7c | 1442 | /* sigType */ |
wolfSSL | 15:117db924cf7c | 1443 | #if !defined(NO_DSA) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 1444 | static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3}; |
wolfSSL | 15:117db924cf7c | 1445 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 1446 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 1447 | #ifdef WOLFSSL_MD2 |
wolfSSL | 15:117db924cf7c | 1448 | static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2}; |
wolfSSL | 15:117db924cf7c | 1449 | #endif |
wolfSSL | 15:117db924cf7c | 1450 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 1451 | static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4}; |
wolfSSL | 15:117db924cf7c | 1452 | #endif |
wolfSSL | 15:117db924cf7c | 1453 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1454 | static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5}; |
wolfSSL | 15:117db924cf7c | 1455 | #endif |
wolfSSL | 15:117db924cf7c | 1456 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1457 | static const byte sigSha224wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,14}; |
wolfSSL | 15:117db924cf7c | 1458 | #endif |
wolfSSL | 15:117db924cf7c | 1459 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1460 | static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11}; |
wolfSSL | 15:117db924cf7c | 1461 | #endif |
wolfSSL | 15:117db924cf7c | 1462 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1463 | static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12}; |
wolfSSL | 15:117db924cf7c | 1464 | #endif |
wolfSSL | 15:117db924cf7c | 1465 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1466 | static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13}; |
wolfSSL | 15:117db924cf7c | 1467 | #endif |
wolfSSL | 15:117db924cf7c | 1468 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 1469 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1470 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1471 | static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1}; |
wolfSSL | 15:117db924cf7c | 1472 | #endif |
wolfSSL | 15:117db924cf7c | 1473 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1474 | static const byte sigSha224wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 1}; |
wolfSSL | 15:117db924cf7c | 1475 | #endif |
wolfSSL | 15:117db924cf7c | 1476 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1477 | static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2}; |
wolfSSL | 15:117db924cf7c | 1478 | #endif |
wolfSSL | 15:117db924cf7c | 1479 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1480 | static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3}; |
wolfSSL | 15:117db924cf7c | 1481 | #endif |
wolfSSL | 15:117db924cf7c | 1482 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1483 | static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4}; |
wolfSSL | 15:117db924cf7c | 1484 | #endif |
wolfSSL | 15:117db924cf7c | 1485 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1486 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 1487 | static const byte sigEd25519Oid[] = {43, 101, 112}; |
wolfSSL | 15:117db924cf7c | 1488 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 1489 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 1490 | static const byte sigEd448Oid[] = {43, 101, 113}; |
wolfSSL | 16:8e0d178b1d1e | 1491 | #endif /* HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 1492 | |
wolfSSL | 15:117db924cf7c | 1493 | /* keyType */ |
wolfSSL | 15:117db924cf7c | 1494 | #ifndef NO_DSA |
wolfSSL | 15:117db924cf7c | 1495 | static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1}; |
wolfSSL | 15:117db924cf7c | 1496 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 1497 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 1498 | static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; |
wolfSSL | 15:117db924cf7c | 1499 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 1500 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 1501 | static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1}; |
wolfSSL | 15:117db924cf7c | 1502 | #endif /* HAVE_NTRU */ |
wolfSSL | 15:117db924cf7c | 1503 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1504 | static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; |
wolfSSL | 15:117db924cf7c | 1505 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1506 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 1507 | static const byte keyEd25519Oid[] = {43, 101, 112}; |
wolfSSL | 15:117db924cf7c | 1508 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 1509 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 1510 | static const byte keyEd448Oid[] = {43, 101, 113}; |
wolfSSL | 16:8e0d178b1d1e | 1511 | #endif /* HAVE_ED448 */ |
wolfSSL | 16:8e0d178b1d1e | 1512 | #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) |
wolfSSL | 16:8e0d178b1d1e | 1513 | static const byte keyDhOid[] = {42, 134, 72, 134, 247, 13, 1, 3, 1}; |
wolfSSL | 16:8e0d178b1d1e | 1514 | #endif /* ! NO_DH ... */ |
wolfSSL | 15:117db924cf7c | 1515 | |
wolfSSL | 15:117db924cf7c | 1516 | /* curveType */ |
wolfSSL | 15:117db924cf7c | 1517 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1518 | /* See "ecc_sets" table in ecc.c */ |
wolfSSL | 15:117db924cf7c | 1519 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1520 | |
wolfSSL | 15:117db924cf7c | 1521 | #ifdef HAVE_AES_CBC |
wolfSSL | 15:117db924cf7c | 1522 | /* blkType */ |
wolfSSL | 15:117db924cf7c | 1523 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 15:117db924cf7c | 1524 | static const byte blkAes128CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 2}; |
wolfSSL | 15:117db924cf7c | 1525 | #endif |
wolfSSL | 15:117db924cf7c | 1526 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 15:117db924cf7c | 1527 | static const byte blkAes192CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 22}; |
wolfSSL | 15:117db924cf7c | 1528 | #endif |
wolfSSL | 15:117db924cf7c | 1529 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 15:117db924cf7c | 1530 | static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42}; |
wolfSSL | 15:117db924cf7c | 1531 | #endif |
wolfSSL | 15:117db924cf7c | 1532 | #endif /* HAVE_AES_CBC */ |
wolfSSL | 16:8e0d178b1d1e | 1533 | #ifdef HAVE_AESGCM |
wolfSSL | 16:8e0d178b1d1e | 1534 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 16:8e0d178b1d1e | 1535 | static const byte blkAes128GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 6}; |
wolfSSL | 16:8e0d178b1d1e | 1536 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1537 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 16:8e0d178b1d1e | 1538 | static const byte blkAes192GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 26}; |
wolfSSL | 16:8e0d178b1d1e | 1539 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1540 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 16:8e0d178b1d1e | 1541 | static const byte blkAes256GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 46}; |
wolfSSL | 16:8e0d178b1d1e | 1542 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1543 | #endif /* HAVE_AESGCM */ |
wolfSSL | 16:8e0d178b1d1e | 1544 | #ifdef HAVE_AESCCM |
wolfSSL | 16:8e0d178b1d1e | 1545 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 16:8e0d178b1d1e | 1546 | static const byte blkAes128CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 7}; |
wolfSSL | 16:8e0d178b1d1e | 1547 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1548 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 16:8e0d178b1d1e | 1549 | static const byte blkAes192CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 27}; |
wolfSSL | 16:8e0d178b1d1e | 1550 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1551 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 16:8e0d178b1d1e | 1552 | static const byte blkAes256CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 47}; |
wolfSSL | 16:8e0d178b1d1e | 1553 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1554 | #endif /* HAVE_AESCCM */ |
wolfSSL | 15:117db924cf7c | 1555 | |
wolfSSL | 15:117db924cf7c | 1556 | #ifndef NO_DES3 |
wolfSSL | 15:117db924cf7c | 1557 | static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7}; |
wolfSSL | 15:117db924cf7c | 1558 | static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7}; |
wolfSSL | 15:117db924cf7c | 1559 | #endif |
wolfSSL | 15:117db924cf7c | 1560 | |
wolfSSL | 15:117db924cf7c | 1561 | /* keyWrapType */ |
wolfSSL | 15:117db924cf7c | 1562 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 15:117db924cf7c | 1563 | static const byte wrapAes128Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 5}; |
wolfSSL | 15:117db924cf7c | 1564 | #endif |
wolfSSL | 15:117db924cf7c | 1565 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 15:117db924cf7c | 1566 | static const byte wrapAes192Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 25}; |
wolfSSL | 15:117db924cf7c | 1567 | #endif |
wolfSSL | 15:117db924cf7c | 1568 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 15:117db924cf7c | 1569 | static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45}; |
wolfSSL | 15:117db924cf7c | 1570 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1571 | #ifdef HAVE_PKCS7 |
wolfSSL | 16:8e0d178b1d1e | 1572 | /* From RFC 3211 */ |
wolfSSL | 16:8e0d178b1d1e | 1573 | static const byte wrapPwriKekOid[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3,9}; |
wolfSSL | 16:8e0d178b1d1e | 1574 | #endif |
wolfSSL | 15:117db924cf7c | 1575 | |
wolfSSL | 15:117db924cf7c | 1576 | /* cmsKeyAgreeType */ |
wolfSSL | 15:117db924cf7c | 1577 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1578 | static const byte dhSinglePass_stdDH_sha1kdf_Oid[] = |
wolfSSL | 15:117db924cf7c | 1579 | {43, 129, 5, 16, 134, 72, 63, 0, 2}; |
wolfSSL | 15:117db924cf7c | 1580 | #endif |
wolfSSL | 15:117db924cf7c | 1581 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1582 | static const byte dhSinglePass_stdDH_sha224kdf_Oid[] = {43, 129, 4, 1, 11, 0}; |
wolfSSL | 15:117db924cf7c | 1583 | #endif |
wolfSSL | 15:117db924cf7c | 1584 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1585 | static const byte dhSinglePass_stdDH_sha256kdf_Oid[] = {43, 129, 4, 1, 11, 1}; |
wolfSSL | 15:117db924cf7c | 1586 | #endif |
wolfSSL | 15:117db924cf7c | 1587 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1588 | static const byte dhSinglePass_stdDH_sha384kdf_Oid[] = {43, 129, 4, 1, 11, 2}; |
wolfSSL | 15:117db924cf7c | 1589 | #endif |
wolfSSL | 15:117db924cf7c | 1590 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1591 | static const byte dhSinglePass_stdDH_sha512kdf_Oid[] = {43, 129, 4, 1, 11, 3}; |
wolfSSL | 15:117db924cf7c | 1592 | #endif |
wolfSSL | 15:117db924cf7c | 1593 | |
wolfSSL | 15:117db924cf7c | 1594 | /* ocspType */ |
wolfSSL | 15:117db924cf7c | 1595 | #ifdef HAVE_OCSP |
wolfSSL | 15:117db924cf7c | 1596 | static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1}; |
wolfSSL | 15:117db924cf7c | 1597 | static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2}; |
wolfSSL | 15:117db924cf7c | 1598 | #endif /* HAVE_OCSP */ |
wolfSSL | 15:117db924cf7c | 1599 | |
wolfSSL | 15:117db924cf7c | 1600 | /* certExtType */ |
wolfSSL | 15:117db924cf7c | 1601 | static const byte extBasicCaOid[] = {85, 29, 19}; |
wolfSSL | 15:117db924cf7c | 1602 | static const byte extAltNamesOid[] = {85, 29, 17}; |
wolfSSL | 15:117db924cf7c | 1603 | static const byte extCrlDistOid[] = {85, 29, 31}; |
wolfSSL | 15:117db924cf7c | 1604 | static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1}; |
wolfSSL | 15:117db924cf7c | 1605 | static const byte extAuthKeyOid[] = {85, 29, 35}; |
wolfSSL | 15:117db924cf7c | 1606 | static const byte extSubjKeyOid[] = {85, 29, 14}; |
wolfSSL | 15:117db924cf7c | 1607 | static const byte extCertPolicyOid[] = {85, 29, 32}; |
wolfSSL | 15:117db924cf7c | 1608 | static const byte extKeyUsageOid[] = {85, 29, 15}; |
wolfSSL | 15:117db924cf7c | 1609 | static const byte extInhibitAnyOid[] = {85, 29, 54}; |
wolfSSL | 15:117db924cf7c | 1610 | static const byte extExtKeyUsageOid[] = {85, 29, 37}; |
wolfSSL | 15:117db924cf7c | 1611 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 1612 | static const byte extNameConsOid[] = {85, 29, 30}; |
wolfSSL | 15:117db924cf7c | 1613 | #endif |
wolfSSL | 15:117db924cf7c | 1614 | |
wolfSSL | 15:117db924cf7c | 1615 | /* certAuthInfoType */ |
wolfSSL | 15:117db924cf7c | 1616 | #ifdef HAVE_OCSP |
wolfSSL | 15:117db924cf7c | 1617 | static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; |
wolfSSL | 15:117db924cf7c | 1618 | #endif |
wolfSSL | 15:117db924cf7c | 1619 | static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; |
wolfSSL | 15:117db924cf7c | 1620 | |
wolfSSL | 15:117db924cf7c | 1621 | /* certPolicyType */ |
wolfSSL | 15:117db924cf7c | 1622 | static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; |
wolfSSL | 15:117db924cf7c | 1623 | |
wolfSSL | 15:117db924cf7c | 1624 | /* certKeyUseType */ |
wolfSSL | 15:117db924cf7c | 1625 | static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4}; |
wolfSSL | 15:117db924cf7c | 1626 | |
wolfSSL | 15:117db924cf7c | 1627 | /* certKeyUseType */ |
wolfSSL | 15:117db924cf7c | 1628 | static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0}; |
wolfSSL | 15:117db924cf7c | 1629 | static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1}; |
wolfSSL | 15:117db924cf7c | 1630 | static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2}; |
wolfSSL | 15:117db924cf7c | 1631 | static const byte extExtKeyUsageCodeSigningOid[] = {43, 6, 1, 5, 5, 7, 3, 3}; |
wolfSSL | 15:117db924cf7c | 1632 | static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4}; |
wolfSSL | 15:117db924cf7c | 1633 | static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8}; |
wolfSSL | 15:117db924cf7c | 1634 | static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; |
wolfSSL | 15:117db924cf7c | 1635 | |
wolfSSL | 15:117db924cf7c | 1636 | /* kdfType */ |
wolfSSL | 15:117db924cf7c | 1637 | static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12}; |
wolfSSL | 15:117db924cf7c | 1638 | |
wolfSSL | 15:117db924cf7c | 1639 | /* PKCS5 */ |
wolfSSL | 15:117db924cf7c | 1640 | #if !defined(NO_DES3) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 1641 | static const byte pbeSha1Des[] = {42, 134, 72, 134, 247, 13, 1, 5, 10}; |
wolfSSL | 15:117db924cf7c | 1642 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1643 | static const byte pbes2[] = {42, 134, 72, 134, 247, 13, 1, 5, 13}; |
wolfSSL | 15:117db924cf7c | 1644 | |
wolfSSL | 15:117db924cf7c | 1645 | /* PKCS12 */ |
wolfSSL | 15:117db924cf7c | 1646 | #if !defined(NO_RC4) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 1647 | static const byte pbeSha1RC4128[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 1}; |
wolfSSL | 15:117db924cf7c | 1648 | #endif |
wolfSSL | 15:117db924cf7c | 1649 | #if !defined(NO_DES3) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 1650 | static const byte pbeSha1Des3[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 3}; |
wolfSSL | 15:117db924cf7c | 1651 | #endif |
wolfSSL | 15:117db924cf7c | 1652 | |
wolfSSL | 16:8e0d178b1d1e | 1653 | #ifdef HAVE_LIBZ |
wolfSSL | 16:8e0d178b1d1e | 1654 | /* zlib compression */ |
wolfSSL | 16:8e0d178b1d1e | 1655 | static const byte zlibCompress[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3, 8}; |
wolfSSL | 16:8e0d178b1d1e | 1656 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1657 | #ifdef WOLFSSL_APACHE_HTTPD |
wolfSSL | 16:8e0d178b1d1e | 1658 | /* tlsExtType */ |
wolfSSL | 16:8e0d178b1d1e | 1659 | static const byte tlsFeatureOid[] = {43, 6, 1, 5, 5, 7, 1, 24}; |
wolfSSL | 16:8e0d178b1d1e | 1660 | /* certNameType */ |
wolfSSL | 16:8e0d178b1d1e | 1661 | static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7}; |
wolfSSL | 16:8e0d178b1d1e | 1662 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1663 | |
wolfSSL | 15:117db924cf7c | 1664 | |
wolfSSL | 15:117db924cf7c | 1665 | /* returns a pointer to the OID string on success and NULL on fail */ |
wolfSSL | 15:117db924cf7c | 1666 | const byte* OidFromId(word32 id, word32 type, word32* oidSz) |
wolfSSL | 15:117db924cf7c | 1667 | { |
wolfSSL | 15:117db924cf7c | 1668 | const byte* oid = NULL; |
wolfSSL | 15:117db924cf7c | 1669 | |
wolfSSL | 15:117db924cf7c | 1670 | *oidSz = 0; |
wolfSSL | 15:117db924cf7c | 1671 | |
wolfSSL | 15:117db924cf7c | 1672 | switch (type) { |
wolfSSL | 15:117db924cf7c | 1673 | |
wolfSSL | 15:117db924cf7c | 1674 | case oidHashType: |
wolfSSL | 15:117db924cf7c | 1675 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1676 | #ifdef WOLFSSL_MD2 |
wolfSSL | 15:117db924cf7c | 1677 | case MD2h: |
wolfSSL | 15:117db924cf7c | 1678 | oid = hashMd2hOid; |
wolfSSL | 15:117db924cf7c | 1679 | *oidSz = sizeof(hashMd2hOid); |
wolfSSL | 15:117db924cf7c | 1680 | break; |
wolfSSL | 15:117db924cf7c | 1681 | #endif |
wolfSSL | 15:117db924cf7c | 1682 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 1683 | case MD5h: |
wolfSSL | 15:117db924cf7c | 1684 | oid = hashMd5hOid; |
wolfSSL | 15:117db924cf7c | 1685 | *oidSz = sizeof(hashMd5hOid); |
wolfSSL | 15:117db924cf7c | 1686 | break; |
wolfSSL | 15:117db924cf7c | 1687 | #endif |
wolfSSL | 15:117db924cf7c | 1688 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1689 | case SHAh: |
wolfSSL | 15:117db924cf7c | 1690 | oid = hashSha1hOid; |
wolfSSL | 15:117db924cf7c | 1691 | *oidSz = sizeof(hashSha1hOid); |
wolfSSL | 15:117db924cf7c | 1692 | break; |
wolfSSL | 15:117db924cf7c | 1693 | #endif |
wolfSSL | 15:117db924cf7c | 1694 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1695 | case SHA224h: |
wolfSSL | 15:117db924cf7c | 1696 | oid = hashSha224hOid; |
wolfSSL | 15:117db924cf7c | 1697 | *oidSz = sizeof(hashSha224hOid); |
wolfSSL | 15:117db924cf7c | 1698 | break; |
wolfSSL | 15:117db924cf7c | 1699 | #endif |
wolfSSL | 15:117db924cf7c | 1700 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1701 | case SHA256h: |
wolfSSL | 15:117db924cf7c | 1702 | oid = hashSha256hOid; |
wolfSSL | 15:117db924cf7c | 1703 | *oidSz = sizeof(hashSha256hOid); |
wolfSSL | 15:117db924cf7c | 1704 | break; |
wolfSSL | 15:117db924cf7c | 1705 | #endif |
wolfSSL | 15:117db924cf7c | 1706 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1707 | case SHA384h: |
wolfSSL | 15:117db924cf7c | 1708 | oid = hashSha384hOid; |
wolfSSL | 15:117db924cf7c | 1709 | *oidSz = sizeof(hashSha384hOid); |
wolfSSL | 15:117db924cf7c | 1710 | break; |
wolfSSL | 15:117db924cf7c | 1711 | #endif |
wolfSSL | 15:117db924cf7c | 1712 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1713 | case SHA512h: |
wolfSSL | 15:117db924cf7c | 1714 | oid = hashSha512hOid; |
wolfSSL | 15:117db924cf7c | 1715 | *oidSz = sizeof(hashSha512hOid); |
wolfSSL | 15:117db924cf7c | 1716 | break; |
wolfSSL | 15:117db924cf7c | 1717 | #endif |
wolfSSL | 15:117db924cf7c | 1718 | } |
wolfSSL | 15:117db924cf7c | 1719 | break; |
wolfSSL | 15:117db924cf7c | 1720 | |
wolfSSL | 15:117db924cf7c | 1721 | case oidSigType: |
wolfSSL | 15:117db924cf7c | 1722 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1723 | #if !defined(NO_DSA) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 1724 | case CTC_SHAwDSA: |
wolfSSL | 15:117db924cf7c | 1725 | oid = sigSha1wDsaOid; |
wolfSSL | 15:117db924cf7c | 1726 | *oidSz = sizeof(sigSha1wDsaOid); |
wolfSSL | 15:117db924cf7c | 1727 | break; |
wolfSSL | 15:117db924cf7c | 1728 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 1729 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 1730 | #ifdef WOLFSSL_MD2 |
wolfSSL | 15:117db924cf7c | 1731 | case CTC_MD2wRSA: |
wolfSSL | 15:117db924cf7c | 1732 | oid = sigMd2wRsaOid; |
wolfSSL | 15:117db924cf7c | 1733 | *oidSz = sizeof(sigMd2wRsaOid); |
wolfSSL | 15:117db924cf7c | 1734 | break; |
wolfSSL | 15:117db924cf7c | 1735 | #endif |
wolfSSL | 15:117db924cf7c | 1736 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 1737 | case CTC_MD5wRSA: |
wolfSSL | 15:117db924cf7c | 1738 | oid = sigMd5wRsaOid; |
wolfSSL | 15:117db924cf7c | 1739 | *oidSz = sizeof(sigMd5wRsaOid); |
wolfSSL | 15:117db924cf7c | 1740 | break; |
wolfSSL | 15:117db924cf7c | 1741 | #endif |
wolfSSL | 15:117db924cf7c | 1742 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1743 | case CTC_SHAwRSA: |
wolfSSL | 15:117db924cf7c | 1744 | oid = sigSha1wRsaOid; |
wolfSSL | 15:117db924cf7c | 1745 | *oidSz = sizeof(sigSha1wRsaOid); |
wolfSSL | 15:117db924cf7c | 1746 | break; |
wolfSSL | 15:117db924cf7c | 1747 | #endif |
wolfSSL | 15:117db924cf7c | 1748 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1749 | case CTC_SHA224wRSA: |
wolfSSL | 15:117db924cf7c | 1750 | oid = sigSha224wRsaOid; |
wolfSSL | 15:117db924cf7c | 1751 | *oidSz = sizeof(sigSha224wRsaOid); |
wolfSSL | 15:117db924cf7c | 1752 | break; |
wolfSSL | 15:117db924cf7c | 1753 | #endif |
wolfSSL | 15:117db924cf7c | 1754 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1755 | case CTC_SHA256wRSA: |
wolfSSL | 15:117db924cf7c | 1756 | oid = sigSha256wRsaOid; |
wolfSSL | 15:117db924cf7c | 1757 | *oidSz = sizeof(sigSha256wRsaOid); |
wolfSSL | 15:117db924cf7c | 1758 | break; |
wolfSSL | 15:117db924cf7c | 1759 | #endif |
wolfSSL | 15:117db924cf7c | 1760 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1761 | case CTC_SHA384wRSA: |
wolfSSL | 15:117db924cf7c | 1762 | oid = sigSha384wRsaOid; |
wolfSSL | 15:117db924cf7c | 1763 | *oidSz = sizeof(sigSha384wRsaOid); |
wolfSSL | 15:117db924cf7c | 1764 | break; |
wolfSSL | 15:117db924cf7c | 1765 | #endif |
wolfSSL | 15:117db924cf7c | 1766 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1767 | case CTC_SHA512wRSA: |
wolfSSL | 15:117db924cf7c | 1768 | oid = sigSha512wRsaOid; |
wolfSSL | 15:117db924cf7c | 1769 | *oidSz = sizeof(sigSha512wRsaOid); |
wolfSSL | 15:117db924cf7c | 1770 | break; |
wolfSSL | 15:117db924cf7c | 1771 | #endif /* WOLFSSL_SHA512 */ |
wolfSSL | 15:117db924cf7c | 1772 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 1773 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1774 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 1775 | case CTC_SHAwECDSA: |
wolfSSL | 15:117db924cf7c | 1776 | oid = sigSha1wEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1777 | *oidSz = sizeof(sigSha1wEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1778 | break; |
wolfSSL | 15:117db924cf7c | 1779 | #endif |
wolfSSL | 15:117db924cf7c | 1780 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 1781 | case CTC_SHA224wECDSA: |
wolfSSL | 15:117db924cf7c | 1782 | oid = sigSha224wEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1783 | *oidSz = sizeof(sigSha224wEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1784 | break; |
wolfSSL | 15:117db924cf7c | 1785 | #endif |
wolfSSL | 15:117db924cf7c | 1786 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1787 | case CTC_SHA256wECDSA: |
wolfSSL | 15:117db924cf7c | 1788 | oid = sigSha256wEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1789 | *oidSz = sizeof(sigSha256wEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1790 | break; |
wolfSSL | 15:117db924cf7c | 1791 | #endif |
wolfSSL | 15:117db924cf7c | 1792 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1793 | case CTC_SHA384wECDSA: |
wolfSSL | 15:117db924cf7c | 1794 | oid = sigSha384wEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1795 | *oidSz = sizeof(sigSha384wEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1796 | break; |
wolfSSL | 15:117db924cf7c | 1797 | #endif |
wolfSSL | 15:117db924cf7c | 1798 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 1799 | case CTC_SHA512wECDSA: |
wolfSSL | 15:117db924cf7c | 1800 | oid = sigSha512wEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1801 | *oidSz = sizeof(sigSha512wEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1802 | break; |
wolfSSL | 15:117db924cf7c | 1803 | #endif |
wolfSSL | 15:117db924cf7c | 1804 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1805 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 1806 | case CTC_ED25519: |
wolfSSL | 15:117db924cf7c | 1807 | oid = sigEd25519Oid; |
wolfSSL | 15:117db924cf7c | 1808 | *oidSz = sizeof(sigEd25519Oid); |
wolfSSL | 15:117db924cf7c | 1809 | break; |
wolfSSL | 15:117db924cf7c | 1810 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1811 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 1812 | case CTC_ED448: |
wolfSSL | 16:8e0d178b1d1e | 1813 | oid = sigEd448Oid; |
wolfSSL | 16:8e0d178b1d1e | 1814 | *oidSz = sizeof(sigEd448Oid); |
wolfSSL | 16:8e0d178b1d1e | 1815 | break; |
wolfSSL | 16:8e0d178b1d1e | 1816 | #endif |
wolfSSL | 15:117db924cf7c | 1817 | default: |
wolfSSL | 15:117db924cf7c | 1818 | break; |
wolfSSL | 15:117db924cf7c | 1819 | } |
wolfSSL | 15:117db924cf7c | 1820 | break; |
wolfSSL | 15:117db924cf7c | 1821 | |
wolfSSL | 15:117db924cf7c | 1822 | case oidKeyType: |
wolfSSL | 15:117db924cf7c | 1823 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1824 | #ifndef NO_DSA |
wolfSSL | 15:117db924cf7c | 1825 | case DSAk: |
wolfSSL | 15:117db924cf7c | 1826 | oid = keyDsaOid; |
wolfSSL | 15:117db924cf7c | 1827 | *oidSz = sizeof(keyDsaOid); |
wolfSSL | 15:117db924cf7c | 1828 | break; |
wolfSSL | 15:117db924cf7c | 1829 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 1830 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 1831 | case RSAk: |
wolfSSL | 15:117db924cf7c | 1832 | oid = keyRsaOid; |
wolfSSL | 15:117db924cf7c | 1833 | *oidSz = sizeof(keyRsaOid); |
wolfSSL | 15:117db924cf7c | 1834 | break; |
wolfSSL | 15:117db924cf7c | 1835 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 1836 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 1837 | case NTRUk: |
wolfSSL | 15:117db924cf7c | 1838 | oid = keyNtruOid; |
wolfSSL | 15:117db924cf7c | 1839 | *oidSz = sizeof(keyNtruOid); |
wolfSSL | 15:117db924cf7c | 1840 | break; |
wolfSSL | 15:117db924cf7c | 1841 | #endif /* HAVE_NTRU */ |
wolfSSL | 15:117db924cf7c | 1842 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1843 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 1844 | oid = keyEcdsaOid; |
wolfSSL | 15:117db924cf7c | 1845 | *oidSz = sizeof(keyEcdsaOid); |
wolfSSL | 15:117db924cf7c | 1846 | break; |
wolfSSL | 15:117db924cf7c | 1847 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1848 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 1849 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 1850 | oid = keyEd25519Oid; |
wolfSSL | 15:117db924cf7c | 1851 | *oidSz = sizeof(keyEd25519Oid); |
wolfSSL | 15:117db924cf7c | 1852 | break; |
wolfSSL | 15:117db924cf7c | 1853 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 1854 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 1855 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 1856 | oid = keyEd448Oid; |
wolfSSL | 16:8e0d178b1d1e | 1857 | *oidSz = sizeof(keyEd448Oid); |
wolfSSL | 16:8e0d178b1d1e | 1858 | break; |
wolfSSL | 16:8e0d178b1d1e | 1859 | #endif /* HAVE_ED448 */ |
wolfSSL | 16:8e0d178b1d1e | 1860 | #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) |
wolfSSL | 16:8e0d178b1d1e | 1861 | case DHk: |
wolfSSL | 16:8e0d178b1d1e | 1862 | oid = keyDhOid; |
wolfSSL | 16:8e0d178b1d1e | 1863 | *oidSz = sizeof(keyDhOid); |
wolfSSL | 16:8e0d178b1d1e | 1864 | break; |
wolfSSL | 16:8e0d178b1d1e | 1865 | #endif /* ! NO_DH && (WOLFSSL_QT || OPENSSL_ALL */ |
wolfSSL | 15:117db924cf7c | 1866 | default: |
wolfSSL | 15:117db924cf7c | 1867 | break; |
wolfSSL | 15:117db924cf7c | 1868 | } |
wolfSSL | 15:117db924cf7c | 1869 | break; |
wolfSSL | 15:117db924cf7c | 1870 | |
wolfSSL | 15:117db924cf7c | 1871 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 1872 | case oidCurveType: |
wolfSSL | 15:117db924cf7c | 1873 | if (wc_ecc_get_oid(id, &oid, oidSz) < 0) { |
wolfSSL | 15:117db924cf7c | 1874 | WOLFSSL_MSG("ECC OID not found"); |
wolfSSL | 15:117db924cf7c | 1875 | } |
wolfSSL | 15:117db924cf7c | 1876 | break; |
wolfSSL | 15:117db924cf7c | 1877 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 1878 | |
wolfSSL | 15:117db924cf7c | 1879 | case oidBlkType: |
wolfSSL | 15:117db924cf7c | 1880 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1881 | #ifdef HAVE_AES_CBC |
wolfSSL | 15:117db924cf7c | 1882 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 15:117db924cf7c | 1883 | case AES128CBCb: |
wolfSSL | 15:117db924cf7c | 1884 | oid = blkAes128CbcOid; |
wolfSSL | 15:117db924cf7c | 1885 | *oidSz = sizeof(blkAes128CbcOid); |
wolfSSL | 15:117db924cf7c | 1886 | break; |
wolfSSL | 15:117db924cf7c | 1887 | #endif |
wolfSSL | 15:117db924cf7c | 1888 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 15:117db924cf7c | 1889 | case AES192CBCb: |
wolfSSL | 15:117db924cf7c | 1890 | oid = blkAes192CbcOid; |
wolfSSL | 15:117db924cf7c | 1891 | *oidSz = sizeof(blkAes192CbcOid); |
wolfSSL | 15:117db924cf7c | 1892 | break; |
wolfSSL | 15:117db924cf7c | 1893 | #endif |
wolfSSL | 15:117db924cf7c | 1894 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 15:117db924cf7c | 1895 | case AES256CBCb: |
wolfSSL | 15:117db924cf7c | 1896 | oid = blkAes256CbcOid; |
wolfSSL | 15:117db924cf7c | 1897 | *oidSz = sizeof(blkAes256CbcOid); |
wolfSSL | 15:117db924cf7c | 1898 | break; |
wolfSSL | 15:117db924cf7c | 1899 | #endif |
wolfSSL | 15:117db924cf7c | 1900 | #endif /* HAVE_AES_CBC */ |
wolfSSL | 16:8e0d178b1d1e | 1901 | #ifdef HAVE_AESGCM |
wolfSSL | 16:8e0d178b1d1e | 1902 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 16:8e0d178b1d1e | 1903 | case AES128GCMb: |
wolfSSL | 16:8e0d178b1d1e | 1904 | oid = blkAes128GcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1905 | *oidSz = sizeof(blkAes128GcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1906 | break; |
wolfSSL | 16:8e0d178b1d1e | 1907 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1908 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 16:8e0d178b1d1e | 1909 | case AES192GCMb: |
wolfSSL | 16:8e0d178b1d1e | 1910 | oid = blkAes192GcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1911 | *oidSz = sizeof(blkAes192GcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1912 | break; |
wolfSSL | 16:8e0d178b1d1e | 1913 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1914 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 16:8e0d178b1d1e | 1915 | case AES256GCMb: |
wolfSSL | 16:8e0d178b1d1e | 1916 | oid = blkAes256GcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1917 | *oidSz = sizeof(blkAes256GcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1918 | break; |
wolfSSL | 16:8e0d178b1d1e | 1919 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1920 | #endif /* HAVE_AESGCM */ |
wolfSSL | 16:8e0d178b1d1e | 1921 | #ifdef HAVE_AESCCM |
wolfSSL | 16:8e0d178b1d1e | 1922 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 16:8e0d178b1d1e | 1923 | case AES128CCMb: |
wolfSSL | 16:8e0d178b1d1e | 1924 | oid = blkAes128CcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1925 | *oidSz = sizeof(blkAes128CcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1926 | break; |
wolfSSL | 16:8e0d178b1d1e | 1927 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1928 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 16:8e0d178b1d1e | 1929 | case AES192CCMb: |
wolfSSL | 16:8e0d178b1d1e | 1930 | oid = blkAes192CcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1931 | *oidSz = sizeof(blkAes192CcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1932 | break; |
wolfSSL | 16:8e0d178b1d1e | 1933 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1934 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 16:8e0d178b1d1e | 1935 | case AES256CCMb: |
wolfSSL | 16:8e0d178b1d1e | 1936 | oid = blkAes256CcmOid; |
wolfSSL | 16:8e0d178b1d1e | 1937 | *oidSz = sizeof(blkAes256CcmOid); |
wolfSSL | 16:8e0d178b1d1e | 1938 | break; |
wolfSSL | 16:8e0d178b1d1e | 1939 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1940 | #endif /* HAVE_AESCCM */ |
wolfSSL | 15:117db924cf7c | 1941 | #ifndef NO_DES3 |
wolfSSL | 15:117db924cf7c | 1942 | case DESb: |
wolfSSL | 15:117db924cf7c | 1943 | oid = blkDesCbcOid; |
wolfSSL | 15:117db924cf7c | 1944 | *oidSz = sizeof(blkDesCbcOid); |
wolfSSL | 15:117db924cf7c | 1945 | break; |
wolfSSL | 15:117db924cf7c | 1946 | case DES3b: |
wolfSSL | 15:117db924cf7c | 1947 | oid = blkDes3CbcOid; |
wolfSSL | 15:117db924cf7c | 1948 | *oidSz = sizeof(blkDes3CbcOid); |
wolfSSL | 15:117db924cf7c | 1949 | break; |
wolfSSL | 15:117db924cf7c | 1950 | #endif /* !NO_DES3 */ |
wolfSSL | 15:117db924cf7c | 1951 | } |
wolfSSL | 15:117db924cf7c | 1952 | break; |
wolfSSL | 15:117db924cf7c | 1953 | |
wolfSSL | 15:117db924cf7c | 1954 | #ifdef HAVE_OCSP |
wolfSSL | 15:117db924cf7c | 1955 | case oidOcspType: |
wolfSSL | 15:117db924cf7c | 1956 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1957 | case OCSP_BASIC_OID: |
wolfSSL | 15:117db924cf7c | 1958 | oid = ocspBasicOid; |
wolfSSL | 15:117db924cf7c | 1959 | *oidSz = sizeof(ocspBasicOid); |
wolfSSL | 15:117db924cf7c | 1960 | break; |
wolfSSL | 15:117db924cf7c | 1961 | case OCSP_NONCE_OID: |
wolfSSL | 15:117db924cf7c | 1962 | oid = ocspNonceOid; |
wolfSSL | 15:117db924cf7c | 1963 | *oidSz = sizeof(ocspNonceOid); |
wolfSSL | 15:117db924cf7c | 1964 | break; |
wolfSSL | 15:117db924cf7c | 1965 | } |
wolfSSL | 15:117db924cf7c | 1966 | break; |
wolfSSL | 15:117db924cf7c | 1967 | #endif /* HAVE_OCSP */ |
wolfSSL | 15:117db924cf7c | 1968 | |
wolfSSL | 15:117db924cf7c | 1969 | case oidCertExtType: |
wolfSSL | 15:117db924cf7c | 1970 | switch (id) { |
wolfSSL | 15:117db924cf7c | 1971 | case BASIC_CA_OID: |
wolfSSL | 15:117db924cf7c | 1972 | oid = extBasicCaOid; |
wolfSSL | 15:117db924cf7c | 1973 | *oidSz = sizeof(extBasicCaOid); |
wolfSSL | 15:117db924cf7c | 1974 | break; |
wolfSSL | 15:117db924cf7c | 1975 | case ALT_NAMES_OID: |
wolfSSL | 15:117db924cf7c | 1976 | oid = extAltNamesOid; |
wolfSSL | 15:117db924cf7c | 1977 | *oidSz = sizeof(extAltNamesOid); |
wolfSSL | 15:117db924cf7c | 1978 | break; |
wolfSSL | 15:117db924cf7c | 1979 | case CRL_DIST_OID: |
wolfSSL | 15:117db924cf7c | 1980 | oid = extCrlDistOid; |
wolfSSL | 15:117db924cf7c | 1981 | *oidSz = sizeof(extCrlDistOid); |
wolfSSL | 15:117db924cf7c | 1982 | break; |
wolfSSL | 15:117db924cf7c | 1983 | case AUTH_INFO_OID: |
wolfSSL | 15:117db924cf7c | 1984 | oid = extAuthInfoOid; |
wolfSSL | 15:117db924cf7c | 1985 | *oidSz = sizeof(extAuthInfoOid); |
wolfSSL | 15:117db924cf7c | 1986 | break; |
wolfSSL | 15:117db924cf7c | 1987 | case AUTH_KEY_OID: |
wolfSSL | 15:117db924cf7c | 1988 | oid = extAuthKeyOid; |
wolfSSL | 15:117db924cf7c | 1989 | *oidSz = sizeof(extAuthKeyOid); |
wolfSSL | 15:117db924cf7c | 1990 | break; |
wolfSSL | 15:117db924cf7c | 1991 | case SUBJ_KEY_OID: |
wolfSSL | 15:117db924cf7c | 1992 | oid = extSubjKeyOid; |
wolfSSL | 15:117db924cf7c | 1993 | *oidSz = sizeof(extSubjKeyOid); |
wolfSSL | 15:117db924cf7c | 1994 | break; |
wolfSSL | 15:117db924cf7c | 1995 | case CERT_POLICY_OID: |
wolfSSL | 15:117db924cf7c | 1996 | oid = extCertPolicyOid; |
wolfSSL | 15:117db924cf7c | 1997 | *oidSz = sizeof(extCertPolicyOid); |
wolfSSL | 15:117db924cf7c | 1998 | break; |
wolfSSL | 15:117db924cf7c | 1999 | case KEY_USAGE_OID: |
wolfSSL | 15:117db924cf7c | 2000 | oid = extKeyUsageOid; |
wolfSSL | 15:117db924cf7c | 2001 | *oidSz = sizeof(extKeyUsageOid); |
wolfSSL | 15:117db924cf7c | 2002 | break; |
wolfSSL | 15:117db924cf7c | 2003 | case INHIBIT_ANY_OID: |
wolfSSL | 15:117db924cf7c | 2004 | oid = extInhibitAnyOid; |
wolfSSL | 15:117db924cf7c | 2005 | *oidSz = sizeof(extInhibitAnyOid); |
wolfSSL | 15:117db924cf7c | 2006 | break; |
wolfSSL | 15:117db924cf7c | 2007 | case EXT_KEY_USAGE_OID: |
wolfSSL | 15:117db924cf7c | 2008 | oid = extExtKeyUsageOid; |
wolfSSL | 15:117db924cf7c | 2009 | *oidSz = sizeof(extExtKeyUsageOid); |
wolfSSL | 15:117db924cf7c | 2010 | break; |
wolfSSL | 15:117db924cf7c | 2011 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 2012 | case NAME_CONS_OID: |
wolfSSL | 15:117db924cf7c | 2013 | oid = extNameConsOid; |
wolfSSL | 15:117db924cf7c | 2014 | *oidSz = sizeof(extNameConsOid); |
wolfSSL | 15:117db924cf7c | 2015 | break; |
wolfSSL | 15:117db924cf7c | 2016 | #endif |
wolfSSL | 15:117db924cf7c | 2017 | } |
wolfSSL | 15:117db924cf7c | 2018 | break; |
wolfSSL | 15:117db924cf7c | 2019 | |
wolfSSL | 16:8e0d178b1d1e | 2020 | case oidCrlExtType: |
wolfSSL | 16:8e0d178b1d1e | 2021 | #ifdef HAVE_CRL |
wolfSSL | 16:8e0d178b1d1e | 2022 | switch (id) { |
wolfSSL | 16:8e0d178b1d1e | 2023 | case AUTH_KEY_OID: |
wolfSSL | 16:8e0d178b1d1e | 2024 | oid = extAuthKeyOid; |
wolfSSL | 16:8e0d178b1d1e | 2025 | *oidSz = sizeof(extAuthKeyOid); |
wolfSSL | 16:8e0d178b1d1e | 2026 | break; |
wolfSSL | 16:8e0d178b1d1e | 2027 | } |
wolfSSL | 16:8e0d178b1d1e | 2028 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2029 | break; |
wolfSSL | 16:8e0d178b1d1e | 2030 | |
wolfSSL | 15:117db924cf7c | 2031 | case oidCertAuthInfoType: |
wolfSSL | 15:117db924cf7c | 2032 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2033 | #ifdef HAVE_OCSP |
wolfSSL | 15:117db924cf7c | 2034 | case AIA_OCSP_OID: |
wolfSSL | 15:117db924cf7c | 2035 | oid = extAuthInfoOcspOid; |
wolfSSL | 15:117db924cf7c | 2036 | *oidSz = sizeof(extAuthInfoOcspOid); |
wolfSSL | 15:117db924cf7c | 2037 | break; |
wolfSSL | 15:117db924cf7c | 2038 | #endif |
wolfSSL | 15:117db924cf7c | 2039 | case AIA_CA_ISSUER_OID: |
wolfSSL | 15:117db924cf7c | 2040 | oid = extAuthInfoCaIssuerOid; |
wolfSSL | 15:117db924cf7c | 2041 | *oidSz = sizeof(extAuthInfoCaIssuerOid); |
wolfSSL | 15:117db924cf7c | 2042 | break; |
wolfSSL | 15:117db924cf7c | 2043 | } |
wolfSSL | 15:117db924cf7c | 2044 | break; |
wolfSSL | 15:117db924cf7c | 2045 | |
wolfSSL | 15:117db924cf7c | 2046 | case oidCertPolicyType: |
wolfSSL | 15:117db924cf7c | 2047 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2048 | case CP_ANY_OID: |
wolfSSL | 15:117db924cf7c | 2049 | oid = extCertPolicyAnyOid; |
wolfSSL | 15:117db924cf7c | 2050 | *oidSz = sizeof(extCertPolicyAnyOid); |
wolfSSL | 15:117db924cf7c | 2051 | break; |
wolfSSL | 15:117db924cf7c | 2052 | } |
wolfSSL | 15:117db924cf7c | 2053 | break; |
wolfSSL | 15:117db924cf7c | 2054 | |
wolfSSL | 15:117db924cf7c | 2055 | case oidCertAltNameType: |
wolfSSL | 15:117db924cf7c | 2056 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2057 | case HW_NAME_OID: |
wolfSSL | 15:117db924cf7c | 2058 | oid = extAltNamesHwNameOid; |
wolfSSL | 15:117db924cf7c | 2059 | *oidSz = sizeof(extAltNamesHwNameOid); |
wolfSSL | 15:117db924cf7c | 2060 | break; |
wolfSSL | 15:117db924cf7c | 2061 | } |
wolfSSL | 15:117db924cf7c | 2062 | break; |
wolfSSL | 15:117db924cf7c | 2063 | |
wolfSSL | 15:117db924cf7c | 2064 | case oidCertKeyUseType: |
wolfSSL | 15:117db924cf7c | 2065 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2066 | case EKU_ANY_OID: |
wolfSSL | 15:117db924cf7c | 2067 | oid = extExtKeyUsageAnyOid; |
wolfSSL | 15:117db924cf7c | 2068 | *oidSz = sizeof(extExtKeyUsageAnyOid); |
wolfSSL | 15:117db924cf7c | 2069 | break; |
wolfSSL | 15:117db924cf7c | 2070 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 15:117db924cf7c | 2071 | oid = extExtKeyUsageServerAuthOid; |
wolfSSL | 15:117db924cf7c | 2072 | *oidSz = sizeof(extExtKeyUsageServerAuthOid); |
wolfSSL | 15:117db924cf7c | 2073 | break; |
wolfSSL | 15:117db924cf7c | 2074 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 15:117db924cf7c | 2075 | oid = extExtKeyUsageClientAuthOid; |
wolfSSL | 15:117db924cf7c | 2076 | *oidSz = sizeof(extExtKeyUsageClientAuthOid); |
wolfSSL | 15:117db924cf7c | 2077 | break; |
wolfSSL | 15:117db924cf7c | 2078 | case EKU_CODESIGNING_OID: |
wolfSSL | 15:117db924cf7c | 2079 | oid = extExtKeyUsageCodeSigningOid; |
wolfSSL | 15:117db924cf7c | 2080 | *oidSz = sizeof(extExtKeyUsageCodeSigningOid); |
wolfSSL | 15:117db924cf7c | 2081 | break; |
wolfSSL | 15:117db924cf7c | 2082 | case EKU_EMAILPROTECT_OID: |
wolfSSL | 15:117db924cf7c | 2083 | oid = extExtKeyUsageEmailProtectOid; |
wolfSSL | 15:117db924cf7c | 2084 | *oidSz = sizeof(extExtKeyUsageEmailProtectOid); |
wolfSSL | 15:117db924cf7c | 2085 | break; |
wolfSSL | 15:117db924cf7c | 2086 | case EKU_TIMESTAMP_OID: |
wolfSSL | 15:117db924cf7c | 2087 | oid = extExtKeyUsageTimestampOid; |
wolfSSL | 15:117db924cf7c | 2088 | *oidSz = sizeof(extExtKeyUsageTimestampOid); |
wolfSSL | 15:117db924cf7c | 2089 | break; |
wolfSSL | 15:117db924cf7c | 2090 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 15:117db924cf7c | 2091 | oid = extExtKeyUsageOcspSignOid; |
wolfSSL | 15:117db924cf7c | 2092 | *oidSz = sizeof(extExtKeyUsageOcspSignOid); |
wolfSSL | 15:117db924cf7c | 2093 | break; |
wolfSSL | 15:117db924cf7c | 2094 | } |
wolfSSL | 15:117db924cf7c | 2095 | break; |
wolfSSL | 15:117db924cf7c | 2096 | |
wolfSSL | 15:117db924cf7c | 2097 | case oidKdfType: |
wolfSSL | 15:117db924cf7c | 2098 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2099 | case PBKDF2_OID: |
wolfSSL | 15:117db924cf7c | 2100 | oid = pbkdf2Oid; |
wolfSSL | 15:117db924cf7c | 2101 | *oidSz = sizeof(pbkdf2Oid); |
wolfSSL | 15:117db924cf7c | 2102 | break; |
wolfSSL | 15:117db924cf7c | 2103 | } |
wolfSSL | 15:117db924cf7c | 2104 | break; |
wolfSSL | 15:117db924cf7c | 2105 | |
wolfSSL | 15:117db924cf7c | 2106 | case oidPBEType: |
wolfSSL | 15:117db924cf7c | 2107 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2108 | #if !defined(NO_SHA) && !defined(NO_RC4) |
wolfSSL | 15:117db924cf7c | 2109 | case PBE_SHA1_RC4_128: |
wolfSSL | 15:117db924cf7c | 2110 | oid = pbeSha1RC4128; |
wolfSSL | 15:117db924cf7c | 2111 | *oidSz = sizeof(pbeSha1RC4128); |
wolfSSL | 15:117db924cf7c | 2112 | break; |
wolfSSL | 15:117db924cf7c | 2113 | #endif |
wolfSSL | 15:117db924cf7c | 2114 | #if !defined(NO_SHA) && !defined(NO_DES3) |
wolfSSL | 15:117db924cf7c | 2115 | case PBE_SHA1_DES: |
wolfSSL | 15:117db924cf7c | 2116 | oid = pbeSha1Des; |
wolfSSL | 15:117db924cf7c | 2117 | *oidSz = sizeof(pbeSha1Des); |
wolfSSL | 15:117db924cf7c | 2118 | break; |
wolfSSL | 15:117db924cf7c | 2119 | |
wolfSSL | 15:117db924cf7c | 2120 | #endif |
wolfSSL | 15:117db924cf7c | 2121 | #if !defined(NO_SHA) && !defined(NO_DES3) |
wolfSSL | 15:117db924cf7c | 2122 | case PBE_SHA1_DES3: |
wolfSSL | 15:117db924cf7c | 2123 | oid = pbeSha1Des3; |
wolfSSL | 15:117db924cf7c | 2124 | *oidSz = sizeof(pbeSha1Des3); |
wolfSSL | 15:117db924cf7c | 2125 | break; |
wolfSSL | 15:117db924cf7c | 2126 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2127 | case PBES2: |
wolfSSL | 16:8e0d178b1d1e | 2128 | oid = pbes2; |
wolfSSL | 16:8e0d178b1d1e | 2129 | *oidSz = sizeof(pbes2); |
wolfSSL | 16:8e0d178b1d1e | 2130 | break; |
wolfSSL | 15:117db924cf7c | 2131 | } |
wolfSSL | 15:117db924cf7c | 2132 | break; |
wolfSSL | 15:117db924cf7c | 2133 | |
wolfSSL | 15:117db924cf7c | 2134 | case oidKeyWrapType: |
wolfSSL | 15:117db924cf7c | 2135 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2136 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 15:117db924cf7c | 2137 | case AES128_WRAP: |
wolfSSL | 15:117db924cf7c | 2138 | oid = wrapAes128Oid; |
wolfSSL | 15:117db924cf7c | 2139 | *oidSz = sizeof(wrapAes128Oid); |
wolfSSL | 15:117db924cf7c | 2140 | break; |
wolfSSL | 15:117db924cf7c | 2141 | #endif |
wolfSSL | 15:117db924cf7c | 2142 | #ifdef WOLFSSL_AES_192 |
wolfSSL | 15:117db924cf7c | 2143 | case AES192_WRAP: |
wolfSSL | 15:117db924cf7c | 2144 | oid = wrapAes192Oid; |
wolfSSL | 15:117db924cf7c | 2145 | *oidSz = sizeof(wrapAes192Oid); |
wolfSSL | 15:117db924cf7c | 2146 | break; |
wolfSSL | 15:117db924cf7c | 2147 | #endif |
wolfSSL | 15:117db924cf7c | 2148 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 15:117db924cf7c | 2149 | case AES256_WRAP: |
wolfSSL | 15:117db924cf7c | 2150 | oid = wrapAes256Oid; |
wolfSSL | 15:117db924cf7c | 2151 | *oidSz = sizeof(wrapAes256Oid); |
wolfSSL | 15:117db924cf7c | 2152 | break; |
wolfSSL | 15:117db924cf7c | 2153 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2154 | #ifdef HAVE_PKCS7 |
wolfSSL | 16:8e0d178b1d1e | 2155 | case PWRI_KEK_WRAP: |
wolfSSL | 16:8e0d178b1d1e | 2156 | oid = wrapPwriKekOid; |
wolfSSL | 16:8e0d178b1d1e | 2157 | *oidSz = sizeof(wrapPwriKekOid); |
wolfSSL | 16:8e0d178b1d1e | 2158 | break; |
wolfSSL | 16:8e0d178b1d1e | 2159 | #endif |
wolfSSL | 15:117db924cf7c | 2160 | } |
wolfSSL | 15:117db924cf7c | 2161 | break; |
wolfSSL | 15:117db924cf7c | 2162 | |
wolfSSL | 15:117db924cf7c | 2163 | case oidCmsKeyAgreeType: |
wolfSSL | 15:117db924cf7c | 2164 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2165 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 2166 | case dhSinglePass_stdDH_sha1kdf_scheme: |
wolfSSL | 15:117db924cf7c | 2167 | oid = dhSinglePass_stdDH_sha1kdf_Oid; |
wolfSSL | 15:117db924cf7c | 2168 | *oidSz = sizeof(dhSinglePass_stdDH_sha1kdf_Oid); |
wolfSSL | 15:117db924cf7c | 2169 | break; |
wolfSSL | 15:117db924cf7c | 2170 | #endif |
wolfSSL | 15:117db924cf7c | 2171 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 2172 | case dhSinglePass_stdDH_sha224kdf_scheme: |
wolfSSL | 15:117db924cf7c | 2173 | oid = dhSinglePass_stdDH_sha224kdf_Oid; |
wolfSSL | 15:117db924cf7c | 2174 | *oidSz = sizeof(dhSinglePass_stdDH_sha224kdf_Oid); |
wolfSSL | 15:117db924cf7c | 2175 | break; |
wolfSSL | 15:117db924cf7c | 2176 | #endif |
wolfSSL | 15:117db924cf7c | 2177 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2178 | case dhSinglePass_stdDH_sha256kdf_scheme: |
wolfSSL | 15:117db924cf7c | 2179 | oid = dhSinglePass_stdDH_sha256kdf_Oid; |
wolfSSL | 15:117db924cf7c | 2180 | *oidSz = sizeof(dhSinglePass_stdDH_sha256kdf_Oid); |
wolfSSL | 15:117db924cf7c | 2181 | break; |
wolfSSL | 15:117db924cf7c | 2182 | #endif |
wolfSSL | 15:117db924cf7c | 2183 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 2184 | case dhSinglePass_stdDH_sha384kdf_scheme: |
wolfSSL | 15:117db924cf7c | 2185 | oid = dhSinglePass_stdDH_sha384kdf_Oid; |
wolfSSL | 15:117db924cf7c | 2186 | *oidSz = sizeof(dhSinglePass_stdDH_sha384kdf_Oid); |
wolfSSL | 15:117db924cf7c | 2187 | break; |
wolfSSL | 15:117db924cf7c | 2188 | #endif |
wolfSSL | 15:117db924cf7c | 2189 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 2190 | case dhSinglePass_stdDH_sha512kdf_scheme: |
wolfSSL | 15:117db924cf7c | 2191 | oid = dhSinglePass_stdDH_sha512kdf_Oid; |
wolfSSL | 15:117db924cf7c | 2192 | *oidSz = sizeof(dhSinglePass_stdDH_sha512kdf_Oid); |
wolfSSL | 15:117db924cf7c | 2193 | break; |
wolfSSL | 15:117db924cf7c | 2194 | #endif |
wolfSSL | 15:117db924cf7c | 2195 | } |
wolfSSL | 15:117db924cf7c | 2196 | break; |
wolfSSL | 15:117db924cf7c | 2197 | |
wolfSSL | 15:117db924cf7c | 2198 | #ifndef NO_HMAC |
wolfSSL | 15:117db924cf7c | 2199 | case oidHmacType: |
wolfSSL | 15:117db924cf7c | 2200 | switch (id) { |
wolfSSL | 15:117db924cf7c | 2201 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 2202 | case HMAC_SHA224_OID: |
wolfSSL | 15:117db924cf7c | 2203 | oid = hmacSha224Oid; |
wolfSSL | 15:117db924cf7c | 2204 | *oidSz = sizeof(hmacSha224Oid); |
wolfSSL | 15:117db924cf7c | 2205 | break; |
wolfSSL | 15:117db924cf7c | 2206 | #endif |
wolfSSL | 15:117db924cf7c | 2207 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2208 | case HMAC_SHA256_OID: |
wolfSSL | 15:117db924cf7c | 2209 | oid = hmacSha256Oid; |
wolfSSL | 15:117db924cf7c | 2210 | *oidSz = sizeof(hmacSha256Oid); |
wolfSSL | 15:117db924cf7c | 2211 | break; |
wolfSSL | 15:117db924cf7c | 2212 | #endif |
wolfSSL | 15:117db924cf7c | 2213 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 2214 | case HMAC_SHA384_OID: |
wolfSSL | 15:117db924cf7c | 2215 | oid = hmacSha384Oid; |
wolfSSL | 15:117db924cf7c | 2216 | *oidSz = sizeof(hmacSha384Oid); |
wolfSSL | 15:117db924cf7c | 2217 | break; |
wolfSSL | 15:117db924cf7c | 2218 | #endif |
wolfSSL | 15:117db924cf7c | 2219 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 2220 | case HMAC_SHA512_OID: |
wolfSSL | 15:117db924cf7c | 2221 | oid = hmacSha512Oid; |
wolfSSL | 15:117db924cf7c | 2222 | *oidSz = sizeof(hmacSha512Oid); |
wolfSSL | 15:117db924cf7c | 2223 | break; |
wolfSSL | 15:117db924cf7c | 2224 | #endif |
wolfSSL | 15:117db924cf7c | 2225 | } |
wolfSSL | 15:117db924cf7c | 2226 | break; |
wolfSSL | 15:117db924cf7c | 2227 | #endif /* !NO_HMAC */ |
wolfSSL | 15:117db924cf7c | 2228 | |
wolfSSL | 16:8e0d178b1d1e | 2229 | #ifdef HAVE_LIBZ |
wolfSSL | 16:8e0d178b1d1e | 2230 | case oidCompressType: |
wolfSSL | 16:8e0d178b1d1e | 2231 | switch (id) { |
wolfSSL | 16:8e0d178b1d1e | 2232 | case ZLIBc: |
wolfSSL | 16:8e0d178b1d1e | 2233 | oid = zlibCompress; |
wolfSSL | 16:8e0d178b1d1e | 2234 | *oidSz = sizeof(zlibCompress); |
wolfSSL | 16:8e0d178b1d1e | 2235 | break; |
wolfSSL | 16:8e0d178b1d1e | 2236 | } |
wolfSSL | 16:8e0d178b1d1e | 2237 | break; |
wolfSSL | 16:8e0d178b1d1e | 2238 | #endif /* HAVE_LIBZ */ |
wolfSSL | 16:8e0d178b1d1e | 2239 | #ifdef WOLFSSL_APACHE_HTTPD |
wolfSSL | 16:8e0d178b1d1e | 2240 | case oidCertNameType: |
wolfSSL | 16:8e0d178b1d1e | 2241 | switch (id) { |
wolfSSL | 16:8e0d178b1d1e | 2242 | case NID_id_on_dnsSRV: |
wolfSSL | 16:8e0d178b1d1e | 2243 | oid = dnsSRVOid; |
wolfSSL | 16:8e0d178b1d1e | 2244 | *oidSz = sizeof(dnsSRVOid); |
wolfSSL | 16:8e0d178b1d1e | 2245 | break; |
wolfSSL | 16:8e0d178b1d1e | 2246 | } |
wolfSSL | 16:8e0d178b1d1e | 2247 | break; |
wolfSSL | 16:8e0d178b1d1e | 2248 | case oidTlsExtType: |
wolfSSL | 16:8e0d178b1d1e | 2249 | switch (id) { |
wolfSSL | 16:8e0d178b1d1e | 2250 | case TLS_FEATURE_OID: |
wolfSSL | 16:8e0d178b1d1e | 2251 | oid = tlsFeatureOid; |
wolfSSL | 16:8e0d178b1d1e | 2252 | *oidSz = sizeof(tlsFeatureOid); |
wolfSSL | 16:8e0d178b1d1e | 2253 | break; |
wolfSSL | 16:8e0d178b1d1e | 2254 | } |
wolfSSL | 16:8e0d178b1d1e | 2255 | break; |
wolfSSL | 16:8e0d178b1d1e | 2256 | #endif /* WOLFSSL_APACHE_HTTPD */ |
wolfSSL | 15:117db924cf7c | 2257 | case oidIgnoreType: |
wolfSSL | 15:117db924cf7c | 2258 | default: |
wolfSSL | 15:117db924cf7c | 2259 | break; |
wolfSSL | 15:117db924cf7c | 2260 | } |
wolfSSL | 15:117db924cf7c | 2261 | |
wolfSSL | 15:117db924cf7c | 2262 | return oid; |
wolfSSL | 15:117db924cf7c | 2263 | } |
wolfSSL | 15:117db924cf7c | 2264 | |
wolfSSL | 15:117db924cf7c | 2265 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 15:117db924cf7c | 2266 | int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz) |
wolfSSL | 15:117db924cf7c | 2267 | { |
wolfSSL | 15:117db924cf7c | 2268 | int i, x, len; |
wolfSSL | 15:117db924cf7c | 2269 | word32 d, t; |
wolfSSL | 15:117db924cf7c | 2270 | |
wolfSSL | 15:117db924cf7c | 2271 | /* check args */ |
wolfSSL | 15:117db924cf7c | 2272 | if (in == NULL || outSz == NULL) { |
wolfSSL | 15:117db924cf7c | 2273 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2274 | } |
wolfSSL | 15:117db924cf7c | 2275 | |
wolfSSL | 15:117db924cf7c | 2276 | /* compute length of encoded OID */ |
wolfSSL | 15:117db924cf7c | 2277 | d = (in[0] * 40) + in[1]; |
wolfSSL | 15:117db924cf7c | 2278 | len = 0; |
wolfSSL | 15:117db924cf7c | 2279 | for (i = 1; i < (int)inSz; i++) { |
wolfSSL | 15:117db924cf7c | 2280 | x = 0; |
wolfSSL | 15:117db924cf7c | 2281 | t = d; |
wolfSSL | 15:117db924cf7c | 2282 | while (t) { |
wolfSSL | 15:117db924cf7c | 2283 | x++; |
wolfSSL | 15:117db924cf7c | 2284 | t >>= 1; |
wolfSSL | 15:117db924cf7c | 2285 | } |
wolfSSL | 15:117db924cf7c | 2286 | len += (x / 7) + ((x % 7) ? 1 : 0) + (d == 0 ? 1 : 0); |
wolfSSL | 15:117db924cf7c | 2287 | |
wolfSSL | 15:117db924cf7c | 2288 | if (i < (int)inSz - 1) { |
wolfSSL | 15:117db924cf7c | 2289 | d = in[i + 1]; |
wolfSSL | 15:117db924cf7c | 2290 | } |
wolfSSL | 15:117db924cf7c | 2291 | } |
wolfSSL | 15:117db924cf7c | 2292 | |
wolfSSL | 15:117db924cf7c | 2293 | if (out) { |
wolfSSL | 15:117db924cf7c | 2294 | /* verify length */ |
wolfSSL | 15:117db924cf7c | 2295 | if ((int)*outSz < len) { |
wolfSSL | 15:117db924cf7c | 2296 | return BUFFER_E; /* buffer provided is not large enough */ |
wolfSSL | 15:117db924cf7c | 2297 | } |
wolfSSL | 15:117db924cf7c | 2298 | |
wolfSSL | 15:117db924cf7c | 2299 | /* calc first byte */ |
wolfSSL | 15:117db924cf7c | 2300 | d = (in[0] * 40) + in[1]; |
wolfSSL | 15:117db924cf7c | 2301 | |
wolfSSL | 15:117db924cf7c | 2302 | /* encode bytes */ |
wolfSSL | 15:117db924cf7c | 2303 | x = 0; |
wolfSSL | 15:117db924cf7c | 2304 | for (i = 1; i < (int)inSz; i++) { |
wolfSSL | 15:117db924cf7c | 2305 | if (d) { |
wolfSSL | 15:117db924cf7c | 2306 | int y = x, z; |
wolfSSL | 15:117db924cf7c | 2307 | byte mask = 0; |
wolfSSL | 15:117db924cf7c | 2308 | while (d) { |
wolfSSL | 15:117db924cf7c | 2309 | out[x++] = (byte)((d & 0x7F) | mask); |
wolfSSL | 15:117db924cf7c | 2310 | d >>= 7; |
wolfSSL | 15:117db924cf7c | 2311 | mask |= 0x80; /* upper bit is set on all but the last byte */ |
wolfSSL | 15:117db924cf7c | 2312 | } |
wolfSSL | 15:117db924cf7c | 2313 | /* now swap bytes y...x-1 */ |
wolfSSL | 15:117db924cf7c | 2314 | z = x - 1; |
wolfSSL | 15:117db924cf7c | 2315 | while (y < z) { |
wolfSSL | 15:117db924cf7c | 2316 | mask = out[y]; |
wolfSSL | 15:117db924cf7c | 2317 | out[y] = out[z]; |
wolfSSL | 15:117db924cf7c | 2318 | out[z] = mask; |
wolfSSL | 15:117db924cf7c | 2319 | ++y; |
wolfSSL | 15:117db924cf7c | 2320 | --z; |
wolfSSL | 15:117db924cf7c | 2321 | } |
wolfSSL | 15:117db924cf7c | 2322 | } |
wolfSSL | 15:117db924cf7c | 2323 | else { |
wolfSSL | 15:117db924cf7c | 2324 | out[x++] = 0x00; /* zero value */ |
wolfSSL | 15:117db924cf7c | 2325 | } |
wolfSSL | 15:117db924cf7c | 2326 | |
wolfSSL | 15:117db924cf7c | 2327 | /* next word */ |
wolfSSL | 15:117db924cf7c | 2328 | if (i < (int)inSz - 1) { |
wolfSSL | 15:117db924cf7c | 2329 | d = in[i + 1]; |
wolfSSL | 15:117db924cf7c | 2330 | } |
wolfSSL | 15:117db924cf7c | 2331 | } |
wolfSSL | 15:117db924cf7c | 2332 | } |
wolfSSL | 15:117db924cf7c | 2333 | |
wolfSSL | 15:117db924cf7c | 2334 | /* return length */ |
wolfSSL | 15:117db924cf7c | 2335 | *outSz = len; |
wolfSSL | 15:117db924cf7c | 2336 | |
wolfSSL | 15:117db924cf7c | 2337 | return 0; |
wolfSSL | 15:117db924cf7c | 2338 | } |
wolfSSL | 15:117db924cf7c | 2339 | #endif /* HAVE_OID_ENCODING */ |
wolfSSL | 15:117db924cf7c | 2340 | |
wolfSSL | 15:117db924cf7c | 2341 | #ifdef HAVE_OID_DECODING |
wolfSSL | 15:117db924cf7c | 2342 | int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz) |
wolfSSL | 15:117db924cf7c | 2343 | { |
wolfSSL | 15:117db924cf7c | 2344 | int x = 0, y = 0; |
wolfSSL | 15:117db924cf7c | 2345 | word32 t = 0; |
wolfSSL | 15:117db924cf7c | 2346 | |
wolfSSL | 15:117db924cf7c | 2347 | /* check args */ |
wolfSSL | 15:117db924cf7c | 2348 | if (in == NULL || outSz == NULL) { |
wolfSSL | 15:117db924cf7c | 2349 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2350 | } |
wolfSSL | 15:117db924cf7c | 2351 | |
wolfSSL | 15:117db924cf7c | 2352 | /* decode bytes */ |
wolfSSL | 15:117db924cf7c | 2353 | while (inSz--) { |
wolfSSL | 15:117db924cf7c | 2354 | t = (t << 7) | (in[x] & 0x7F); |
wolfSSL | 15:117db924cf7c | 2355 | if (!(in[x] & 0x80)) { |
wolfSSL | 15:117db924cf7c | 2356 | if (y >= (int)*outSz) { |
wolfSSL | 15:117db924cf7c | 2357 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2358 | } |
wolfSSL | 15:117db924cf7c | 2359 | if (y == 0) { |
wolfSSL | 15:117db924cf7c | 2360 | out[0] = (t / 40); |
wolfSSL | 15:117db924cf7c | 2361 | out[1] = (t % 40); |
wolfSSL | 15:117db924cf7c | 2362 | y = 2; |
wolfSSL | 15:117db924cf7c | 2363 | } |
wolfSSL | 15:117db924cf7c | 2364 | else { |
wolfSSL | 15:117db924cf7c | 2365 | out[y++] = t; |
wolfSSL | 15:117db924cf7c | 2366 | } |
wolfSSL | 15:117db924cf7c | 2367 | t = 0; /* reset tmp */ |
wolfSSL | 15:117db924cf7c | 2368 | } |
wolfSSL | 15:117db924cf7c | 2369 | x++; |
wolfSSL | 15:117db924cf7c | 2370 | } |
wolfSSL | 15:117db924cf7c | 2371 | |
wolfSSL | 15:117db924cf7c | 2372 | /* return length */ |
wolfSSL | 15:117db924cf7c | 2373 | *outSz = y; |
wolfSSL | 15:117db924cf7c | 2374 | |
wolfSSL | 15:117db924cf7c | 2375 | return 0; |
wolfSSL | 15:117db924cf7c | 2376 | } |
wolfSSL | 15:117db924cf7c | 2377 | #endif /* HAVE_OID_DECODING */ |
wolfSSL | 15:117db924cf7c | 2378 | |
wolfSSL | 15:117db924cf7c | 2379 | /* Get the DER/BER encoding of an ASN.1 OBJECT_ID header. |
wolfSSL | 15:117db924cf7c | 2380 | * |
wolfSSL | 15:117db924cf7c | 2381 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 15:117db924cf7c | 2382 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 15:117db924cf7c | 2383 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 15:117db924cf7c | 2384 | * maxIdx Length of data in buffer. |
wolfSSL | 15:117db924cf7c | 2385 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 15:117db924cf7c | 2386 | * ASN_OBJECt_ID_E when the OBJECT_ID tag is not found. |
wolfSSL | 15:117db924cf7c | 2387 | * ASN_PARSE_E when length is invalid. |
wolfSSL | 15:117db924cf7c | 2388 | * Otherwise, 0 to indicate success. |
wolfSSL | 15:117db924cf7c | 2389 | */ |
wolfSSL | 16:8e0d178b1d1e | 2390 | int GetASNObjectId(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 15:117db924cf7c | 2391 | word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 2392 | { |
wolfSSL | 15:117db924cf7c | 2393 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2394 | int length; |
wolfSSL | 16:8e0d178b1d1e | 2395 | byte tag; |
wolfSSL | 15:117db924cf7c | 2396 | |
wolfSSL | 15:117db924cf7c | 2397 | if ((idx + 1) > maxIdx) |
wolfSSL | 15:117db924cf7c | 2398 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2399 | |
wolfSSL | 16:8e0d178b1d1e | 2400 | if (GetASNTag(input, &idx, &tag, maxIdx) != 0) |
wolfSSL | 16:8e0d178b1d1e | 2401 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 2402 | |
wolfSSL | 16:8e0d178b1d1e | 2403 | if (tag != ASN_OBJECT_ID) |
wolfSSL | 15:117db924cf7c | 2404 | return ASN_OBJECT_ID_E; |
wolfSSL | 15:117db924cf7c | 2405 | |
wolfSSL | 15:117db924cf7c | 2406 | if (GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 2407 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2408 | |
wolfSSL | 15:117db924cf7c | 2409 | *len = length; |
wolfSSL | 15:117db924cf7c | 2410 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 2411 | return 0; |
wolfSSL | 15:117db924cf7c | 2412 | } |
wolfSSL | 15:117db924cf7c | 2413 | |
wolfSSL | 15:117db924cf7c | 2414 | /* Set the DER/BER encoding of the ASN.1 OBJECT_ID header. |
wolfSSL | 15:117db924cf7c | 2415 | * |
wolfSSL | 15:117db924cf7c | 2416 | * len Length of the OBJECT_ID data. |
wolfSSL | 15:117db924cf7c | 2417 | * output Buffer to write into. |
wolfSSL | 15:117db924cf7c | 2418 | * returns the number of bytes added to the buffer. |
wolfSSL | 15:117db924cf7c | 2419 | */ |
wolfSSL | 16:8e0d178b1d1e | 2420 | int SetObjectId(int len, byte* output) |
wolfSSL | 15:117db924cf7c | 2421 | { |
wolfSSL | 15:117db924cf7c | 2422 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 2423 | |
wolfSSL | 15:117db924cf7c | 2424 | output[idx++] = ASN_OBJECT_ID; |
wolfSSL | 15:117db924cf7c | 2425 | idx += SetLength(len, output + idx); |
wolfSSL | 15:117db924cf7c | 2426 | |
wolfSSL | 15:117db924cf7c | 2427 | return idx; |
wolfSSL | 15:117db924cf7c | 2428 | } |
wolfSSL | 15:117db924cf7c | 2429 | |
wolfSSL | 15:117db924cf7c | 2430 | int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 15:117db924cf7c | 2431 | word32 oidType, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 2432 | { |
wolfSSL | 15:117db924cf7c | 2433 | int ret = 0, length; |
wolfSSL | 15:117db924cf7c | 2434 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2435 | #ifndef NO_VERIFY_OID |
wolfSSL | 15:117db924cf7c | 2436 | word32 actualOidSz = 0; |
wolfSSL | 15:117db924cf7c | 2437 | const byte* actualOid; |
wolfSSL | 15:117db924cf7c | 2438 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 15:117db924cf7c | 2439 | |
wolfSSL | 15:117db924cf7c | 2440 | (void)oidType; |
wolfSSL | 15:117db924cf7c | 2441 | WOLFSSL_ENTER("GetObjectId()"); |
wolfSSL | 15:117db924cf7c | 2442 | *oid = 0; |
wolfSSL | 15:117db924cf7c | 2443 | |
wolfSSL | 15:117db924cf7c | 2444 | ret = GetASNObjectId(input, &idx, &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 2445 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2446 | return ret; |
wolfSSL | 15:117db924cf7c | 2447 | |
wolfSSL | 15:117db924cf7c | 2448 | #ifndef NO_VERIFY_OID |
wolfSSL | 15:117db924cf7c | 2449 | actualOid = &input[idx]; |
wolfSSL | 15:117db924cf7c | 2450 | if (length > 0) |
wolfSSL | 15:117db924cf7c | 2451 | actualOidSz = (word32)length; |
wolfSSL | 15:117db924cf7c | 2452 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 15:117db924cf7c | 2453 | |
wolfSSL | 15:117db924cf7c | 2454 | while (length--) { |
wolfSSL | 15:117db924cf7c | 2455 | /* odd HC08 compiler behavior here when input[idx++] */ |
wolfSSL | 15:117db924cf7c | 2456 | *oid += (word32)input[idx]; |
wolfSSL | 15:117db924cf7c | 2457 | idx++; |
wolfSSL | 15:117db924cf7c | 2458 | } |
wolfSSL | 15:117db924cf7c | 2459 | /* just sum it up for now */ |
wolfSSL | 15:117db924cf7c | 2460 | |
wolfSSL | 15:117db924cf7c | 2461 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 2462 | |
wolfSSL | 15:117db924cf7c | 2463 | #ifndef NO_VERIFY_OID |
wolfSSL | 15:117db924cf7c | 2464 | { |
wolfSSL | 15:117db924cf7c | 2465 | const byte* checkOid = NULL; |
wolfSSL | 15:117db924cf7c | 2466 | word32 checkOidSz; |
wolfSSL | 15:117db924cf7c | 2467 | #ifdef ASN_DUMP_OID |
wolfSSL | 15:117db924cf7c | 2468 | word32 i; |
wolfSSL | 15:117db924cf7c | 2469 | #endif |
wolfSSL | 15:117db924cf7c | 2470 | |
wolfSSL | 15:117db924cf7c | 2471 | if (oidType != oidIgnoreType) { |
wolfSSL | 15:117db924cf7c | 2472 | checkOid = OidFromId(*oid, oidType, &checkOidSz); |
wolfSSL | 15:117db924cf7c | 2473 | |
wolfSSL | 15:117db924cf7c | 2474 | #ifdef ASN_DUMP_OID |
wolfSSL | 15:117db924cf7c | 2475 | /* support for dumping OID information */ |
wolfSSL | 15:117db924cf7c | 2476 | printf("OID (Type %d, Sz %d, Sum %d): ", oidType, actualOidSz, *oid); |
wolfSSL | 15:117db924cf7c | 2477 | for (i=0; i<actualOidSz; i++) { |
wolfSSL | 15:117db924cf7c | 2478 | printf("%d, ", actualOid[i]); |
wolfSSL | 15:117db924cf7c | 2479 | } |
wolfSSL | 15:117db924cf7c | 2480 | printf("\n"); |
wolfSSL | 15:117db924cf7c | 2481 | #ifdef HAVE_OID_DECODING |
wolfSSL | 15:117db924cf7c | 2482 | { |
wolfSSL | 15:117db924cf7c | 2483 | word16 decOid[16]; |
wolfSSL | 15:117db924cf7c | 2484 | word32 decOidSz = sizeof(decOid); |
wolfSSL | 15:117db924cf7c | 2485 | ret = DecodeObjectId(actualOid, actualOidSz, decOid, &decOidSz); |
wolfSSL | 15:117db924cf7c | 2486 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 2487 | printf(" Decoded (Sz %d): ", decOidSz); |
wolfSSL | 15:117db924cf7c | 2488 | for (i=0; i<decOidSz; i++) { |
wolfSSL | 15:117db924cf7c | 2489 | printf("%d.", decOid[i]); |
wolfSSL | 15:117db924cf7c | 2490 | } |
wolfSSL | 15:117db924cf7c | 2491 | printf("\n"); |
wolfSSL | 15:117db924cf7c | 2492 | } |
wolfSSL | 15:117db924cf7c | 2493 | else { |
wolfSSL | 15:117db924cf7c | 2494 | printf("DecodeObjectId failed: %d\n", ret); |
wolfSSL | 15:117db924cf7c | 2495 | } |
wolfSSL | 15:117db924cf7c | 2496 | } |
wolfSSL | 15:117db924cf7c | 2497 | #endif /* HAVE_OID_DECODING */ |
wolfSSL | 15:117db924cf7c | 2498 | #endif /* ASN_DUMP_OID */ |
wolfSSL | 15:117db924cf7c | 2499 | |
wolfSSL | 15:117db924cf7c | 2500 | if (checkOid != NULL && |
wolfSSL | 15:117db924cf7c | 2501 | (checkOidSz != actualOidSz || |
wolfSSL | 15:117db924cf7c | 2502 | XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) { |
wolfSSL | 15:117db924cf7c | 2503 | WOLFSSL_MSG("OID Check Failed"); |
wolfSSL | 15:117db924cf7c | 2504 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 15:117db924cf7c | 2505 | } |
wolfSSL | 15:117db924cf7c | 2506 | } |
wolfSSL | 15:117db924cf7c | 2507 | } |
wolfSSL | 15:117db924cf7c | 2508 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 15:117db924cf7c | 2509 | |
wolfSSL | 15:117db924cf7c | 2510 | return ret; |
wolfSSL | 15:117db924cf7c | 2511 | } |
wolfSSL | 15:117db924cf7c | 2512 | |
wolfSSL | 15:117db924cf7c | 2513 | static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 2514 | { |
wolfSSL | 15:117db924cf7c | 2515 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2516 | int length; |
wolfSSL | 15:117db924cf7c | 2517 | int ret; |
wolfSSL | 15:117db924cf7c | 2518 | |
wolfSSL | 15:117db924cf7c | 2519 | ret = GetASNObjectId(input, &idx, &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 2520 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2521 | return ret; |
wolfSSL | 15:117db924cf7c | 2522 | |
wolfSSL | 15:117db924cf7c | 2523 | idx += length; |
wolfSSL | 15:117db924cf7c | 2524 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 2525 | |
wolfSSL | 15:117db924cf7c | 2526 | return 0; |
wolfSSL | 15:117db924cf7c | 2527 | } |
wolfSSL | 15:117db924cf7c | 2528 | |
wolfSSL | 16:8e0d178b1d1e | 2529 | int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 15:117db924cf7c | 2530 | word32 oidType, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 2531 | { |
wolfSSL | 15:117db924cf7c | 2532 | int length; |
wolfSSL | 15:117db924cf7c | 2533 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2534 | int ret; |
wolfSSL | 15:117db924cf7c | 2535 | *oid = 0; |
wolfSSL | 15:117db924cf7c | 2536 | |
wolfSSL | 15:117db924cf7c | 2537 | WOLFSSL_ENTER("GetAlgoId"); |
wolfSSL | 15:117db924cf7c | 2538 | |
wolfSSL | 15:117db924cf7c | 2539 | if (GetSequence(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 2540 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2541 | |
wolfSSL | 15:117db924cf7c | 2542 | if (GetObjectId(input, &idx, oid, oidType, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 2543 | return ASN_OBJECT_ID_E; |
wolfSSL | 15:117db924cf7c | 2544 | |
wolfSSL | 15:117db924cf7c | 2545 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 16:8e0d178b1d1e | 2546 | if (idx < maxIdx) { |
wolfSSL | 16:8e0d178b1d1e | 2547 | word32 localIdx = idx; /*use localIdx to not advance when checking tag*/ |
wolfSSL | 16:8e0d178b1d1e | 2548 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 2549 | |
wolfSSL | 16:8e0d178b1d1e | 2550 | if (GetASNTag(input, &localIdx, &tag, maxIdx) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 2551 | if (tag == ASN_TAG_NULL) { |
wolfSSL | 16:8e0d178b1d1e | 2552 | ret = GetASNNull(input, &idx, maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 2553 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 2554 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 2555 | } |
wolfSSL | 16:8e0d178b1d1e | 2556 | } |
wolfSSL | 15:117db924cf7c | 2557 | } |
wolfSSL | 15:117db924cf7c | 2558 | |
wolfSSL | 15:117db924cf7c | 2559 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 2560 | |
wolfSSL | 15:117db924cf7c | 2561 | return 0; |
wolfSSL | 15:117db924cf7c | 2562 | } |
wolfSSL | 15:117db924cf7c | 2563 | |
wolfSSL | 15:117db924cf7c | 2564 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 2565 | |
wolfSSL | 15:117db924cf7c | 2566 | #ifndef HAVE_USER_RSA |
wolfSSL | 15:117db924cf7c | 2567 | int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 15:117db924cf7c | 2568 | word32 inSz) |
wolfSSL | 15:117db924cf7c | 2569 | { |
wolfSSL | 15:117db924cf7c | 2570 | int version, length; |
wolfSSL | 15:117db924cf7c | 2571 | |
wolfSSL | 15:117db924cf7c | 2572 | if (inOutIdx == NULL) { |
wolfSSL | 15:117db924cf7c | 2573 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2574 | } |
wolfSSL | 15:117db924cf7c | 2575 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 2576 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2577 | |
wolfSSL | 15:117db924cf7c | 2578 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 2579 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2580 | |
wolfSSL | 15:117db924cf7c | 2581 | key->type = RSA_PRIVATE; |
wolfSSL | 15:117db924cf7c | 2582 | |
wolfSSL | 15:117db924cf7c | 2583 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2584 | GetInt(&key->e, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 2585 | #ifndef WOLFSSL_RSA_PUBLIC_ONLY |
wolfSSL | 15:117db924cf7c | 2586 | GetInt(&key->d, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2587 | GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 2588 | GetInt(&key->q, input, inOutIdx, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 2589 | #else |
wolfSSL | 16:8e0d178b1d1e | 2590 | SkipInt(input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 2591 | SkipInt(input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 2592 | SkipInt(input, inOutIdx, inSz) < 0 ) |
wolfSSL | 16:8e0d178b1d1e | 2593 | |
wolfSSL | 16:8e0d178b1d1e | 2594 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2595 | return ASN_RSA_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 2596 | #if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)) \ |
wolfSSL | 16:8e0d178b1d1e | 2597 | && !defined(WOLFSSL_RSA_PUBLIC_ONLY) |
wolfSSL | 15:117db924cf7c | 2598 | if (GetInt(&key->dP, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2599 | GetInt(&key->dQ, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2600 | GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 15:117db924cf7c | 2601 | #else |
wolfSSL | 15:117db924cf7c | 2602 | if (SkipInt(input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2603 | SkipInt(input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 2604 | SkipInt(input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 15:117db924cf7c | 2605 | #endif |
wolfSSL | 15:117db924cf7c | 2606 | |
wolfSSL | 16:8e0d178b1d1e | 2607 | #if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL) |
wolfSSL | 15:117db924cf7c | 2608 | if (wc_InitRsaHw(key) != 0) { |
wolfSSL | 15:117db924cf7c | 2609 | return BAD_STATE_E; |
wolfSSL | 15:117db924cf7c | 2610 | } |
wolfSSL | 15:117db924cf7c | 2611 | #endif |
wolfSSL | 15:117db924cf7c | 2612 | |
wolfSSL | 15:117db924cf7c | 2613 | return 0; |
wolfSSL | 15:117db924cf7c | 2614 | } |
wolfSSL | 15:117db924cf7c | 2615 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 15:117db924cf7c | 2616 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 2617 | |
wolfSSL | 16:8e0d178b1d1e | 2618 | #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) |
wolfSSL | 16:8e0d178b1d1e | 2619 | |
wolfSSL | 15:117db924cf7c | 2620 | /* Remove PKCS8 header, place inOutIdx at beginning of traditional, |
wolfSSL | 15:117db924cf7c | 2621 | * return traditional length on success, negative on error */ |
wolfSSL | 16:8e0d178b1d1e | 2622 | int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, |
wolfSSL | 16:8e0d178b1d1e | 2623 | word32* algId) |
wolfSSL | 16:8e0d178b1d1e | 2624 | { |
wolfSSL | 16:8e0d178b1d1e | 2625 | word32 idx; |
wolfSSL | 15:117db924cf7c | 2626 | int version, length; |
wolfSSL | 15:117db924cf7c | 2627 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 2628 | byte tag; |
wolfSSL | 15:117db924cf7c | 2629 | |
wolfSSL | 15:117db924cf7c | 2630 | if (input == NULL || inOutIdx == NULL) |
wolfSSL | 15:117db924cf7c | 2631 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2632 | |
wolfSSL | 15:117db924cf7c | 2633 | idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2634 | |
wolfSSL | 15:117db924cf7c | 2635 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 2636 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2637 | |
wolfSSL | 15:117db924cf7c | 2638 | if (GetMyVersion(input, &idx, &version, sz) < 0) |
wolfSSL | 15:117db924cf7c | 2639 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2640 | |
wolfSSL | 16:8e0d178b1d1e | 2641 | if (GetAlgoId(input, &idx, algId, oidKeyType, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 2642 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 2643 | |
wolfSSL | 16:8e0d178b1d1e | 2644 | if (GetASNTag(input, &idx, &tag, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 2645 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 2646 | idx = idx - 1; /* reset idx after finding tag */ |
wolfSSL | 16:8e0d178b1d1e | 2647 | |
wolfSSL | 16:8e0d178b1d1e | 2648 | if (tag == ASN_OBJECT_ID) { |
wolfSSL | 15:117db924cf7c | 2649 | if (SkipObjectId(input, &idx, sz) < 0) |
wolfSSL | 15:117db924cf7c | 2650 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 2651 | } |
wolfSSL | 15:117db924cf7c | 2652 | |
wolfSSL | 15:117db924cf7c | 2653 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 16:8e0d178b1d1e | 2654 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 2655 | if (ret == BUFFER_E) |
wolfSSL | 16:8e0d178b1d1e | 2656 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 2657 | /* Some private keys don't expect an octet string */ |
wolfSSL | 16:8e0d178b1d1e | 2658 | WOLFSSL_MSG("Couldn't find Octet string"); |
wolfSSL | 16:8e0d178b1d1e | 2659 | } |
wolfSSL | 15:117db924cf7c | 2660 | |
wolfSSL | 15:117db924cf7c | 2661 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 2662 | |
wolfSSL | 15:117db924cf7c | 2663 | return length; |
wolfSSL | 15:117db924cf7c | 2664 | } |
wolfSSL | 15:117db924cf7c | 2665 | |
wolfSSL | 16:8e0d178b1d1e | 2666 | int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz) |
wolfSSL | 16:8e0d178b1d1e | 2667 | { |
wolfSSL | 16:8e0d178b1d1e | 2668 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 2669 | |
wolfSSL | 16:8e0d178b1d1e | 2670 | return ToTraditionalInline_ex(input, inOutIdx, sz, &oid); |
wolfSSL | 16:8e0d178b1d1e | 2671 | } |
wolfSSL | 16:8e0d178b1d1e | 2672 | |
wolfSSL | 15:117db924cf7c | 2673 | /* Remove PKCS8 header, move beginning of traditional to beginning of input */ |
wolfSSL | 16:8e0d178b1d1e | 2674 | int ToTraditional_ex(byte* input, word32 sz, word32* algId) |
wolfSSL | 15:117db924cf7c | 2675 | { |
wolfSSL | 15:117db924cf7c | 2676 | word32 inOutIdx = 0; |
wolfSSL | 15:117db924cf7c | 2677 | int length; |
wolfSSL | 15:117db924cf7c | 2678 | |
wolfSSL | 15:117db924cf7c | 2679 | if (input == NULL) |
wolfSSL | 15:117db924cf7c | 2680 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2681 | |
wolfSSL | 16:8e0d178b1d1e | 2682 | length = ToTraditionalInline_ex(input, &inOutIdx, sz, algId); |
wolfSSL | 15:117db924cf7c | 2683 | if (length < 0) |
wolfSSL | 15:117db924cf7c | 2684 | return length; |
wolfSSL | 15:117db924cf7c | 2685 | |
wolfSSL | 15:117db924cf7c | 2686 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 15:117db924cf7c | 2687 | |
wolfSSL | 15:117db924cf7c | 2688 | return length; |
wolfSSL | 15:117db924cf7c | 2689 | } |
wolfSSL | 15:117db924cf7c | 2690 | |
wolfSSL | 16:8e0d178b1d1e | 2691 | int ToTraditional(byte* input, word32 sz) |
wolfSSL | 16:8e0d178b1d1e | 2692 | { |
wolfSSL | 16:8e0d178b1d1e | 2693 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 2694 | |
wolfSSL | 16:8e0d178b1d1e | 2695 | return ToTraditional_ex(input, sz, &oid); |
wolfSSL | 16:8e0d178b1d1e | 2696 | } |
wolfSSL | 16:8e0d178b1d1e | 2697 | |
wolfSSL | 16:8e0d178b1d1e | 2698 | #endif /* HAVE_PKCS8 || HAVE_PKCS12 */ |
wolfSSL | 16:8e0d178b1d1e | 2699 | |
wolfSSL | 16:8e0d178b1d1e | 2700 | #ifdef HAVE_PKCS8 |
wolfSSL | 15:117db924cf7c | 2701 | |
wolfSSL | 15:117db924cf7c | 2702 | /* find beginning of traditional key inside PKCS#8 unencrypted buffer |
wolfSSL | 15:117db924cf7c | 2703 | * return traditional length on success, with inOutIdx at beginning of |
wolfSSL | 15:117db924cf7c | 2704 | * traditional |
wolfSSL | 15:117db924cf7c | 2705 | * return negative on failure/error */ |
wolfSSL | 15:117db924cf7c | 2706 | int wc_GetPkcs8TraditionalOffset(byte* input, word32* inOutIdx, word32 sz) |
wolfSSL | 15:117db924cf7c | 2707 | { |
wolfSSL | 15:117db924cf7c | 2708 | int length; |
wolfSSL | 16:8e0d178b1d1e | 2709 | word32 algId; |
wolfSSL | 15:117db924cf7c | 2710 | |
wolfSSL | 15:117db924cf7c | 2711 | if (input == NULL || inOutIdx == NULL || (*inOutIdx > sz)) |
wolfSSL | 15:117db924cf7c | 2712 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2713 | |
wolfSSL | 16:8e0d178b1d1e | 2714 | length = ToTraditionalInline_ex(input, inOutIdx, sz, &algId); |
wolfSSL | 15:117db924cf7c | 2715 | |
wolfSSL | 15:117db924cf7c | 2716 | return length; |
wolfSSL | 15:117db924cf7c | 2717 | } |
wolfSSL | 15:117db924cf7c | 2718 | |
wolfSSL | 15:117db924cf7c | 2719 | |
wolfSSL | 15:117db924cf7c | 2720 | /* PKCS#8 from RFC 5208 |
wolfSSL | 15:117db924cf7c | 2721 | * This function takes in a DER key and converts it to PKCS#8 format. Used |
wolfSSL | 15:117db924cf7c | 2722 | * in creating PKCS#12 shrouded key bags. |
wolfSSL | 15:117db924cf7c | 2723 | * Reverse of ToTraditional |
wolfSSL | 15:117db924cf7c | 2724 | * |
wolfSSL | 15:117db924cf7c | 2725 | * PrivateKeyInfo ::= SEQUENCE { |
wolfSSL | 15:117db924cf7c | 2726 | * version Version, |
wolfSSL | 15:117db924cf7c | 2727 | * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, |
wolfSSL | 15:117db924cf7c | 2728 | * privateKey PrivateKey, |
wolfSSL | 15:117db924cf7c | 2729 | * attributes optional |
wolfSSL | 15:117db924cf7c | 2730 | * } |
wolfSSL | 15:117db924cf7c | 2731 | * Version ::= INTEGER |
wolfSSL | 15:117db924cf7c | 2732 | * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier |
wolfSSL | 15:117db924cf7c | 2733 | * PrivateKey ::= OCTET STRING |
wolfSSL | 15:117db924cf7c | 2734 | * |
wolfSSL | 15:117db924cf7c | 2735 | * out buffer to place result in |
wolfSSL | 15:117db924cf7c | 2736 | * outSz size of out buffer |
wolfSSL | 15:117db924cf7c | 2737 | * key buffer with DER key |
wolfSSL | 15:117db924cf7c | 2738 | * keySz size of key buffer |
wolfSSL | 15:117db924cf7c | 2739 | * algoID algorithm ID i.e. RSAk |
wolfSSL | 15:117db924cf7c | 2740 | * curveOID ECC curve oid if used. Should be NULL for RSA keys. |
wolfSSL | 15:117db924cf7c | 2741 | * oidSz size of curve oid. Is set to 0 if curveOID is NULL. |
wolfSSL | 15:117db924cf7c | 2742 | * |
wolfSSL | 15:117db924cf7c | 2743 | * Returns the size of PKCS#8 placed into out. In error cases returns negative |
wolfSSL | 15:117db924cf7c | 2744 | * values. |
wolfSSL | 15:117db924cf7c | 2745 | */ |
wolfSSL | 15:117db924cf7c | 2746 | int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, |
wolfSSL | 15:117db924cf7c | 2747 | int algoID, const byte* curveOID, word32 oidSz) |
wolfSSL | 15:117db924cf7c | 2748 | { |
wolfSSL | 15:117db924cf7c | 2749 | word32 keyIdx = 0; |
wolfSSL | 15:117db924cf7c | 2750 | word32 tmpSz = 0; |
wolfSSL | 15:117db924cf7c | 2751 | word32 sz; |
wolfSSL | 15:117db924cf7c | 2752 | |
wolfSSL | 15:117db924cf7c | 2753 | |
wolfSSL | 15:117db924cf7c | 2754 | /* If out is NULL then return the max size needed |
wolfSSL | 15:117db924cf7c | 2755 | * + 2 for ASN_OBJECT_ID and ASN_OCTET_STRING tags */ |
wolfSSL | 15:117db924cf7c | 2756 | if (out == NULL && outSz != NULL) { |
wolfSSL | 15:117db924cf7c | 2757 | *outSz = keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 15:117db924cf7c | 2758 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2; |
wolfSSL | 15:117db924cf7c | 2759 | |
wolfSSL | 15:117db924cf7c | 2760 | if (curveOID != NULL) |
wolfSSL | 15:117db924cf7c | 2761 | *outSz += oidSz + MAX_LENGTH_SZ + 1; |
wolfSSL | 15:117db924cf7c | 2762 | |
wolfSSL | 15:117db924cf7c | 2763 | WOLFSSL_MSG("Checking size of PKCS8"); |
wolfSSL | 15:117db924cf7c | 2764 | |
wolfSSL | 15:117db924cf7c | 2765 | return LENGTH_ONLY_E; |
wolfSSL | 15:117db924cf7c | 2766 | } |
wolfSSL | 15:117db924cf7c | 2767 | |
wolfSSL | 15:117db924cf7c | 2768 | WOLFSSL_ENTER("wc_CreatePKCS8Key()"); |
wolfSSL | 15:117db924cf7c | 2769 | |
wolfSSL | 15:117db924cf7c | 2770 | if (key == NULL || out == NULL || outSz == NULL) { |
wolfSSL | 15:117db924cf7c | 2771 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2772 | } |
wolfSSL | 15:117db924cf7c | 2773 | |
wolfSSL | 15:117db924cf7c | 2774 | /* check the buffer has enough room for largest possible size */ |
wolfSSL | 15:117db924cf7c | 2775 | if (curveOID != NULL) { |
wolfSSL | 15:117db924cf7c | 2776 | if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 15:117db924cf7c | 2777 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 3 + oidSz + MAX_LENGTH_SZ)) |
wolfSSL | 15:117db924cf7c | 2778 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2779 | } |
wolfSSL | 15:117db924cf7c | 2780 | else { |
wolfSSL | 15:117db924cf7c | 2781 | oidSz = 0; /* with no curveOID oid size must be 0 */ |
wolfSSL | 15:117db924cf7c | 2782 | if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 15:117db924cf7c | 2783 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2)) |
wolfSSL | 15:117db924cf7c | 2784 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2785 | } |
wolfSSL | 15:117db924cf7c | 2786 | |
wolfSSL | 15:117db924cf7c | 2787 | /* PrivateKeyInfo ::= SEQUENCE */ |
wolfSSL | 15:117db924cf7c | 2788 | keyIdx += MAX_SEQ_SZ; /* save room for sequence */ |
wolfSSL | 15:117db924cf7c | 2789 | |
wolfSSL | 15:117db924cf7c | 2790 | /* version Version |
wolfSSL | 15:117db924cf7c | 2791 | * no header information just INTEGER */ |
wolfSSL | 15:117db924cf7c | 2792 | sz = SetMyVersion(PKCS8v0, out + keyIdx, 0); |
wolfSSL | 15:117db924cf7c | 2793 | tmpSz += sz; keyIdx += sz; |
wolfSSL | 15:117db924cf7c | 2794 | |
wolfSSL | 15:117db924cf7c | 2795 | /* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier */ |
wolfSSL | 15:117db924cf7c | 2796 | sz = 0; /* set sz to 0 and get privateKey oid buffer size needed */ |
wolfSSL | 15:117db924cf7c | 2797 | if (curveOID != NULL && oidSz > 0) { |
wolfSSL | 15:117db924cf7c | 2798 | byte buf[MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 2799 | sz = SetLength(oidSz, buf); |
wolfSSL | 15:117db924cf7c | 2800 | sz += 1; /* plus one for ASN object id */ |
wolfSSL | 15:117db924cf7c | 2801 | } |
wolfSSL | 15:117db924cf7c | 2802 | sz = SetAlgoID(algoID, out + keyIdx, oidKeyType, oidSz + sz); |
wolfSSL | 15:117db924cf7c | 2803 | tmpSz += sz; keyIdx += sz; |
wolfSSL | 15:117db924cf7c | 2804 | |
wolfSSL | 15:117db924cf7c | 2805 | /* privateKey PrivateKey * |
wolfSSL | 15:117db924cf7c | 2806 | * pkcs8 ecc uses slightly different format. Places curve oid in |
wolfSSL | 15:117db924cf7c | 2807 | * buffer */ |
wolfSSL | 15:117db924cf7c | 2808 | if (curveOID != NULL && oidSz > 0) { |
wolfSSL | 15:117db924cf7c | 2809 | sz = SetObjectId(oidSz, out + keyIdx); |
wolfSSL | 15:117db924cf7c | 2810 | keyIdx += sz; tmpSz += sz; |
wolfSSL | 15:117db924cf7c | 2811 | XMEMCPY(out + keyIdx, curveOID, oidSz); |
wolfSSL | 15:117db924cf7c | 2812 | keyIdx += oidSz; tmpSz += oidSz; |
wolfSSL | 15:117db924cf7c | 2813 | } |
wolfSSL | 15:117db924cf7c | 2814 | |
wolfSSL | 15:117db924cf7c | 2815 | sz = SetOctetString(keySz, out + keyIdx); |
wolfSSL | 15:117db924cf7c | 2816 | keyIdx += sz; tmpSz += sz; |
wolfSSL | 15:117db924cf7c | 2817 | XMEMCPY(out + keyIdx, key, keySz); |
wolfSSL | 15:117db924cf7c | 2818 | tmpSz += keySz; |
wolfSSL | 15:117db924cf7c | 2819 | |
wolfSSL | 15:117db924cf7c | 2820 | /* attributes optional |
wolfSSL | 15:117db924cf7c | 2821 | * No attributes currently added */ |
wolfSSL | 15:117db924cf7c | 2822 | |
wolfSSL | 15:117db924cf7c | 2823 | /* rewind and add sequence */ |
wolfSSL | 15:117db924cf7c | 2824 | sz = SetSequence(tmpSz, out); |
wolfSSL | 15:117db924cf7c | 2825 | XMEMMOVE(out + sz, out + MAX_SEQ_SZ, tmpSz); |
wolfSSL | 15:117db924cf7c | 2826 | |
wolfSSL | 15:117db924cf7c | 2827 | return tmpSz + sz; |
wolfSSL | 15:117db924cf7c | 2828 | } |
wolfSSL | 15:117db924cf7c | 2829 | |
wolfSSL | 16:8e0d178b1d1e | 2830 | #endif /* HAVE_PKCS8 */ |
wolfSSL | 16:8e0d178b1d1e | 2831 | |
wolfSSL | 16:8e0d178b1d1e | 2832 | #if defined(HAVE_PKCS12) || !defined(NO_CHECK_PRIVATE_KEY) |
wolfSSL | 15:117db924cf7c | 2833 | /* check that the private key is a pair for the public key in certificate |
wolfSSL | 15:117db924cf7c | 2834 | * return 1 (true) on match |
wolfSSL | 15:117db924cf7c | 2835 | * return 0 or negative value on failure/error |
wolfSSL | 15:117db924cf7c | 2836 | * |
wolfSSL | 16:8e0d178b1d1e | 2837 | * key : buffer holding DER format key |
wolfSSL | 15:117db924cf7c | 2838 | * keySz : size of key buffer |
wolfSSL | 15:117db924cf7c | 2839 | * der : a initialized and parsed DecodedCert holding a certificate */ |
wolfSSL | 15:117db924cf7c | 2840 | int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) |
wolfSSL | 15:117db924cf7c | 2841 | { |
wolfSSL | 15:117db924cf7c | 2842 | int ret; |
wolfSSL | 15:117db924cf7c | 2843 | (void)keySz; |
wolfSSL | 15:117db924cf7c | 2844 | |
wolfSSL | 15:117db924cf7c | 2845 | if (key == NULL || der == NULL) { |
wolfSSL | 15:117db924cf7c | 2846 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2847 | } |
wolfSSL | 15:117db924cf7c | 2848 | |
wolfSSL | 16:8e0d178b1d1e | 2849 | #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 2850 | /* test if RSA key */ |
wolfSSL | 15:117db924cf7c | 2851 | if (der->keyOID == RSAk) { |
wolfSSL | 15:117db924cf7c | 2852 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 2853 | RsaKey* a; |
wolfSSL | 15:117db924cf7c | 2854 | RsaKey* b = NULL; |
wolfSSL | 15:117db924cf7c | 2855 | #else |
wolfSSL | 15:117db924cf7c | 2856 | RsaKey a[1], b[1]; |
wolfSSL | 15:117db924cf7c | 2857 | #endif |
wolfSSL | 15:117db924cf7c | 2858 | word32 keyIdx = 0; |
wolfSSL | 15:117db924cf7c | 2859 | |
wolfSSL | 15:117db924cf7c | 2860 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2861 | a = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2862 | if (a == NULL) |
wolfSSL | 15:117db924cf7c | 2863 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2864 | b = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2865 | if (b == NULL) { |
wolfSSL | 15:117db924cf7c | 2866 | XFREE(a, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2867 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2868 | } |
wolfSSL | 15:117db924cf7c | 2869 | #endif |
wolfSSL | 15:117db924cf7c | 2870 | |
wolfSSL | 15:117db924cf7c | 2871 | if ((ret = wc_InitRsaKey(a, NULL)) < 0) { |
wolfSSL | 15:117db924cf7c | 2872 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2873 | XFREE(b, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2874 | XFREE(a, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2875 | #endif |
wolfSSL | 15:117db924cf7c | 2876 | return ret; |
wolfSSL | 15:117db924cf7c | 2877 | } |
wolfSSL | 15:117db924cf7c | 2878 | if ((ret = wc_InitRsaKey(b, NULL)) < 0) { |
wolfSSL | 15:117db924cf7c | 2879 | wc_FreeRsaKey(a); |
wolfSSL | 15:117db924cf7c | 2880 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2881 | XFREE(b, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2882 | XFREE(a, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2883 | #endif |
wolfSSL | 15:117db924cf7c | 2884 | return ret; |
wolfSSL | 15:117db924cf7c | 2885 | } |
wolfSSL | 15:117db924cf7c | 2886 | if ((ret = wc_RsaPrivateKeyDecode(key, &keyIdx, a, keySz)) == 0) { |
wolfSSL | 15:117db924cf7c | 2887 | WOLFSSL_MSG("Checking RSA key pair"); |
wolfSSL | 15:117db924cf7c | 2888 | keyIdx = 0; /* reset to 0 for parsing public key */ |
wolfSSL | 15:117db924cf7c | 2889 | |
wolfSSL | 15:117db924cf7c | 2890 | if ((ret = wc_RsaPublicKeyDecode(der->publicKey, &keyIdx, b, |
wolfSSL | 15:117db924cf7c | 2891 | der->pubKeySize)) == 0) { |
wolfSSL | 15:117db924cf7c | 2892 | /* limit for user RSA crypto because of RsaKey |
wolfSSL | 15:117db924cf7c | 2893 | * dereference. */ |
wolfSSL | 15:117db924cf7c | 2894 | #if defined(HAVE_USER_RSA) |
wolfSSL | 15:117db924cf7c | 2895 | WOLFSSL_MSG("Cannot verify RSA pair with user RSA"); |
wolfSSL | 15:117db924cf7c | 2896 | ret = 1; /* return first RSA cert as match */ |
wolfSSL | 15:117db924cf7c | 2897 | #else |
wolfSSL | 15:117db924cf7c | 2898 | /* both keys extracted successfully now check n and e |
wolfSSL | 15:117db924cf7c | 2899 | * values are the same. This is dereferencing RsaKey */ |
wolfSSL | 15:117db924cf7c | 2900 | if (mp_cmp(&(a->n), &(b->n)) != MP_EQ || |
wolfSSL | 15:117db924cf7c | 2901 | mp_cmp(&(a->e), &(b->e)) != MP_EQ) { |
wolfSSL | 15:117db924cf7c | 2902 | ret = MP_CMP_E; |
wolfSSL | 15:117db924cf7c | 2903 | } |
wolfSSL | 15:117db924cf7c | 2904 | else |
wolfSSL | 15:117db924cf7c | 2905 | ret = 1; |
wolfSSL | 15:117db924cf7c | 2906 | #endif |
wolfSSL | 15:117db924cf7c | 2907 | } |
wolfSSL | 15:117db924cf7c | 2908 | } |
wolfSSL | 15:117db924cf7c | 2909 | wc_FreeRsaKey(b); |
wolfSSL | 15:117db924cf7c | 2910 | wc_FreeRsaKey(a); |
wolfSSL | 15:117db924cf7c | 2911 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2912 | XFREE(b, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2913 | XFREE(a, NULL, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 2914 | #endif |
wolfSSL | 15:117db924cf7c | 2915 | } |
wolfSSL | 15:117db924cf7c | 2916 | else |
wolfSSL | 16:8e0d178b1d1e | 2917 | #endif /* !NO_RSA && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 2918 | |
wolfSSL | 16:8e0d178b1d1e | 2919 | #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 2920 | if (der->keyOID == ECDSAk) { |
wolfSSL | 15:117db924cf7c | 2921 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 2922 | ecc_key* key_pair; |
wolfSSL | 15:117db924cf7c | 2923 | byte* privDer; |
wolfSSL | 15:117db924cf7c | 2924 | #else |
wolfSSL | 15:117db924cf7c | 2925 | ecc_key key_pair[1]; |
wolfSSL | 15:117db924cf7c | 2926 | byte privDer[MAX_ECC_BYTES]; |
wolfSSL | 15:117db924cf7c | 2927 | #endif |
wolfSSL | 15:117db924cf7c | 2928 | word32 privSz = MAX_ECC_BYTES; |
wolfSSL | 15:117db924cf7c | 2929 | word32 keyIdx = 0; |
wolfSSL | 15:117db924cf7c | 2930 | |
wolfSSL | 15:117db924cf7c | 2931 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2932 | key_pair = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 2933 | if (key_pair == NULL) |
wolfSSL | 15:117db924cf7c | 2934 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2935 | privDer = (byte*)XMALLOC(MAX_ECC_BYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 2936 | if (privDer == NULL) { |
wolfSSL | 15:117db924cf7c | 2937 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 2938 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2939 | } |
wolfSSL | 15:117db924cf7c | 2940 | #endif |
wolfSSL | 15:117db924cf7c | 2941 | |
wolfSSL | 15:117db924cf7c | 2942 | if ((ret = wc_ecc_init(key_pair)) < 0) { |
wolfSSL | 15:117db924cf7c | 2943 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2944 | XFREE(privDer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 2945 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 2946 | #endif |
wolfSSL | 15:117db924cf7c | 2947 | return ret; |
wolfSSL | 15:117db924cf7c | 2948 | } |
wolfSSL | 15:117db924cf7c | 2949 | |
wolfSSL | 15:117db924cf7c | 2950 | if ((ret = wc_EccPrivateKeyDecode(key, &keyIdx, key_pair, |
wolfSSL | 15:117db924cf7c | 2951 | keySz)) == 0) { |
wolfSSL | 15:117db924cf7c | 2952 | WOLFSSL_MSG("Checking ECC key pair"); |
wolfSSL | 15:117db924cf7c | 2953 | |
wolfSSL | 15:117db924cf7c | 2954 | if ((ret = wc_ecc_export_private_only(key_pair, privDer, &privSz)) |
wolfSSL | 15:117db924cf7c | 2955 | == 0) { |
wolfSSL | 15:117db924cf7c | 2956 | wc_ecc_free(key_pair); |
wolfSSL | 15:117db924cf7c | 2957 | ret = wc_ecc_init(key_pair); |
wolfSSL | 15:117db924cf7c | 2958 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 2959 | ret = wc_ecc_import_private_key((const byte*)privDer, |
wolfSSL | 15:117db924cf7c | 2960 | privSz, (const byte*)der->publicKey, |
wolfSSL | 15:117db924cf7c | 2961 | der->pubKeySize, key_pair); |
wolfSSL | 15:117db924cf7c | 2962 | } |
wolfSSL | 15:117db924cf7c | 2963 | |
wolfSSL | 16:8e0d178b1d1e | 2964 | /* public and private extracted successfully now check if is |
wolfSSL | 15:117db924cf7c | 2965 | * a pair and also do sanity checks on key. wc_ecc_check_key |
wolfSSL | 15:117db924cf7c | 2966 | * checks that private * base generator equals pubkey */ |
wolfSSL | 15:117db924cf7c | 2967 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 2968 | if ((ret = wc_ecc_check_key(key_pair)) == 0) { |
wolfSSL | 15:117db924cf7c | 2969 | ret = 1; |
wolfSSL | 15:117db924cf7c | 2970 | } |
wolfSSL | 15:117db924cf7c | 2971 | } |
wolfSSL | 15:117db924cf7c | 2972 | ForceZero(privDer, privSz); |
wolfSSL | 15:117db924cf7c | 2973 | } |
wolfSSL | 15:117db924cf7c | 2974 | } |
wolfSSL | 15:117db924cf7c | 2975 | wc_ecc_free(key_pair); |
wolfSSL | 15:117db924cf7c | 2976 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2977 | XFREE(privDer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 2978 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 2979 | #endif |
wolfSSL | 15:117db924cf7c | 2980 | } |
wolfSSL | 15:117db924cf7c | 2981 | else |
wolfSSL | 16:8e0d178b1d1e | 2982 | #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 2983 | |
wolfSSL | 16:8e0d178b1d1e | 2984 | #if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 2985 | if (der->keyOID == ED25519k) { |
wolfSSL | 15:117db924cf7c | 2986 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 2987 | ed25519_key* key_pair; |
wolfSSL | 15:117db924cf7c | 2988 | #else |
wolfSSL | 15:117db924cf7c | 2989 | ed25519_key key_pair[1]; |
wolfSSL | 15:117db924cf7c | 2990 | #endif |
wolfSSL | 15:117db924cf7c | 2991 | word32 keyIdx = 0; |
wolfSSL | 15:117db924cf7c | 2992 | |
wolfSSL | 15:117db924cf7c | 2993 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 2994 | key_pair = (ed25519_key*)XMALLOC(sizeof(ed25519_key), NULL, |
wolfSSL | 15:117db924cf7c | 2995 | DYNAMIC_TYPE_ED25519); |
wolfSSL | 15:117db924cf7c | 2996 | if (key_pair == NULL) |
wolfSSL | 15:117db924cf7c | 2997 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2998 | #endif |
wolfSSL | 15:117db924cf7c | 2999 | |
wolfSSL | 15:117db924cf7c | 3000 | if ((ret = wc_ed25519_init(key_pair)) < 0) { |
wolfSSL | 15:117db924cf7c | 3001 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3002 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ED25519); |
wolfSSL | 15:117db924cf7c | 3003 | #endif |
wolfSSL | 15:117db924cf7c | 3004 | return ret; |
wolfSSL | 15:117db924cf7c | 3005 | } |
wolfSSL | 15:117db924cf7c | 3006 | if ((ret = wc_Ed25519PrivateKeyDecode(key, &keyIdx, key_pair, |
wolfSSL | 15:117db924cf7c | 3007 | keySz)) == 0) { |
wolfSSL | 15:117db924cf7c | 3008 | WOLFSSL_MSG("Checking ED25519 key pair"); |
wolfSSL | 15:117db924cf7c | 3009 | keyIdx = 0; |
wolfSSL | 15:117db924cf7c | 3010 | if ((ret = wc_ed25519_import_public(der->publicKey, der->pubKeySize, |
wolfSSL | 15:117db924cf7c | 3011 | key_pair)) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3012 | /* public and private extracted successfully no check if is |
wolfSSL | 15:117db924cf7c | 3013 | * a pair and also do sanity checks on key. wc_ecc_check_key |
wolfSSL | 15:117db924cf7c | 3014 | * checks that private * base generator equals pubkey */ |
wolfSSL | 15:117db924cf7c | 3015 | if ((ret = wc_ed25519_check_key(key_pair)) == 0) |
wolfSSL | 15:117db924cf7c | 3016 | ret = 1; |
wolfSSL | 15:117db924cf7c | 3017 | } |
wolfSSL | 15:117db924cf7c | 3018 | } |
wolfSSL | 15:117db924cf7c | 3019 | wc_ed25519_free(key_pair); |
wolfSSL | 15:117db924cf7c | 3020 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3021 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ED25519); |
wolfSSL | 15:117db924cf7c | 3022 | #endif |
wolfSSL | 15:117db924cf7c | 3023 | } |
wolfSSL | 15:117db924cf7c | 3024 | else |
wolfSSL | 16:8e0d178b1d1e | 3025 | #endif /* HAVE_ED25519 && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 3026 | |
wolfSSL | 16:8e0d178b1d1e | 3027 | #if defined(HAVE_ED448) && !defined(NO_ASN_CRYPT) |
wolfSSL | 16:8e0d178b1d1e | 3028 | if (der->keyOID == ED448k) { |
wolfSSL | 16:8e0d178b1d1e | 3029 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3030 | ed448_key* key_pair = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3031 | #else |
wolfSSL | 16:8e0d178b1d1e | 3032 | ed448_key key_pair[1]; |
wolfSSL | 16:8e0d178b1d1e | 3033 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3034 | word32 keyIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3035 | |
wolfSSL | 16:8e0d178b1d1e | 3036 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3037 | key_pair = (ed448_key*)XMALLOC(sizeof(ed448_key), NULL, |
wolfSSL | 16:8e0d178b1d1e | 3038 | DYNAMIC_TYPE_ED448); |
wolfSSL | 16:8e0d178b1d1e | 3039 | if (key_pair == NULL) |
wolfSSL | 16:8e0d178b1d1e | 3040 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 3041 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3042 | |
wolfSSL | 16:8e0d178b1d1e | 3043 | if ((ret = wc_ed448_init(key_pair)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 3044 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3045 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ED448); |
wolfSSL | 16:8e0d178b1d1e | 3046 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3047 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3048 | } |
wolfSSL | 16:8e0d178b1d1e | 3049 | if ((ret = wc_Ed448PrivateKeyDecode(key, &keyIdx, key_pair, |
wolfSSL | 16:8e0d178b1d1e | 3050 | keySz)) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3051 | WOLFSSL_MSG("Checking ED448 key pair"); |
wolfSSL | 16:8e0d178b1d1e | 3052 | keyIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3053 | if ((ret = wc_ed448_import_public(der->publicKey, der->pubKeySize, |
wolfSSL | 16:8e0d178b1d1e | 3054 | key_pair)) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3055 | /* public and private extracted successfully no check if is |
wolfSSL | 16:8e0d178b1d1e | 3056 | * a pair and also do sanity checks on key. wc_ecc_check_key |
wolfSSL | 16:8e0d178b1d1e | 3057 | * checks that private * base generator equals pubkey */ |
wolfSSL | 16:8e0d178b1d1e | 3058 | if ((ret = wc_ed448_check_key(key_pair)) == 0) |
wolfSSL | 16:8e0d178b1d1e | 3059 | ret = 1; |
wolfSSL | 16:8e0d178b1d1e | 3060 | } |
wolfSSL | 16:8e0d178b1d1e | 3061 | } |
wolfSSL | 16:8e0d178b1d1e | 3062 | wc_ed448_free(key_pair); |
wolfSSL | 16:8e0d178b1d1e | 3063 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3064 | XFREE(key_pair, NULL, DYNAMIC_TYPE_ED448); |
wolfSSL | 16:8e0d178b1d1e | 3065 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3066 | } |
wolfSSL | 16:8e0d178b1d1e | 3067 | else |
wolfSSL | 16:8e0d178b1d1e | 3068 | #endif /* HAVE_ED448 && !NO_ASN_CRYPT */ |
wolfSSL | 15:117db924cf7c | 3069 | { |
wolfSSL | 15:117db924cf7c | 3070 | ret = 0; |
wolfSSL | 15:117db924cf7c | 3071 | } |
wolfSSL | 15:117db924cf7c | 3072 | |
wolfSSL | 15:117db924cf7c | 3073 | (void)keySz; |
wolfSSL | 15:117db924cf7c | 3074 | |
wolfSSL | 15:117db924cf7c | 3075 | return ret; |
wolfSSL | 15:117db924cf7c | 3076 | } |
wolfSSL | 15:117db924cf7c | 3077 | |
wolfSSL | 16:8e0d178b1d1e | 3078 | #endif /* HAVE_PKCS12 || !NO_CHECK_PRIVATE_KEY */ |
wolfSSL | 16:8e0d178b1d1e | 3079 | |
wolfSSL | 15:117db924cf7c | 3080 | #ifndef NO_PWDBASED |
wolfSSL | 15:117db924cf7c | 3081 | |
wolfSSL | 16:8e0d178b1d1e | 3082 | #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) |
wolfSSL | 15:117db924cf7c | 3083 | /* Check To see if PKCS version algo is supported, set id if it is return 0 |
wolfSSL | 15:117db924cf7c | 3084 | < 0 on error */ |
wolfSSL | 16:8e0d178b1d1e | 3085 | static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz) |
wolfSSL | 15:117db924cf7c | 3086 | { |
wolfSSL | 15:117db924cf7c | 3087 | *id = ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 3088 | *version = PKCS5; /* default */ |
wolfSSL | 16:8e0d178b1d1e | 3089 | if (blockSz) *blockSz = 8; /* default */ |
wolfSSL | 15:117db924cf7c | 3090 | |
wolfSSL | 15:117db924cf7c | 3091 | if (first == 1) { |
wolfSSL | 15:117db924cf7c | 3092 | switch (second) { |
wolfSSL | 15:117db924cf7c | 3093 | #if !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 3094 | #ifndef NO_RC4 |
wolfSSL | 15:117db924cf7c | 3095 | case PBE_SHA1_RC4_128: |
wolfSSL | 15:117db924cf7c | 3096 | *id = PBE_SHA1_RC4_128; |
wolfSSL | 15:117db924cf7c | 3097 | *version = PKCS12v1; |
wolfSSL | 15:117db924cf7c | 3098 | return 0; |
wolfSSL | 15:117db924cf7c | 3099 | #endif |
wolfSSL | 15:117db924cf7c | 3100 | #ifndef NO_DES3 |
wolfSSL | 15:117db924cf7c | 3101 | case PBE_SHA1_DES3: |
wolfSSL | 15:117db924cf7c | 3102 | *id = PBE_SHA1_DES3; |
wolfSSL | 15:117db924cf7c | 3103 | *version = PKCS12v1; |
wolfSSL | 16:8e0d178b1d1e | 3104 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 3105 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 3106 | case PBE_SHA1_DES: |
wolfSSL | 16:8e0d178b1d1e | 3107 | *id = PBE_SHA1_DES; |
wolfSSL | 16:8e0d178b1d1e | 3108 | *version = PKCS12v1; |
wolfSSL | 16:8e0d178b1d1e | 3109 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3110 | return 0; |
wolfSSL | 15:117db924cf7c | 3111 | #endif |
wolfSSL | 15:117db924cf7c | 3112 | #endif /* !NO_SHA */ |
wolfSSL | 15:117db924cf7c | 3113 | default: |
wolfSSL | 15:117db924cf7c | 3114 | return ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 3115 | } |
wolfSSL | 15:117db924cf7c | 3116 | } |
wolfSSL | 15:117db924cf7c | 3117 | |
wolfSSL | 15:117db924cf7c | 3118 | if (first != PKCS5) |
wolfSSL | 15:117db924cf7c | 3119 | return ASN_INPUT_E; /* VERSION ERROR */ |
wolfSSL | 15:117db924cf7c | 3120 | |
wolfSSL | 15:117db924cf7c | 3121 | if (second == PBES2) { |
wolfSSL | 15:117db924cf7c | 3122 | *version = PKCS5v2; |
wolfSSL | 15:117db924cf7c | 3123 | return 0; |
wolfSSL | 15:117db924cf7c | 3124 | } |
wolfSSL | 15:117db924cf7c | 3125 | |
wolfSSL | 15:117db924cf7c | 3126 | switch (second) { |
wolfSSL | 15:117db924cf7c | 3127 | #ifndef NO_DES3 |
wolfSSL | 15:117db924cf7c | 3128 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 3129 | case 3: /* see RFC 2898 for ids */ |
wolfSSL | 15:117db924cf7c | 3130 | *id = PBE_MD5_DES; |
wolfSSL | 16:8e0d178b1d1e | 3131 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3132 | return 0; |
wolfSSL | 15:117db924cf7c | 3133 | #endif |
wolfSSL | 15:117db924cf7c | 3134 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 3135 | case 10: |
wolfSSL | 15:117db924cf7c | 3136 | *id = PBE_SHA1_DES; |
wolfSSL | 16:8e0d178b1d1e | 3137 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3138 | return 0; |
wolfSSL | 15:117db924cf7c | 3139 | #endif |
wolfSSL | 15:117db924cf7c | 3140 | #endif /* !NO_DES3 */ |
wolfSSL | 15:117db924cf7c | 3141 | default: |
wolfSSL | 15:117db924cf7c | 3142 | return ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 3143 | |
wolfSSL | 15:117db924cf7c | 3144 | } |
wolfSSL | 15:117db924cf7c | 3145 | } |
wolfSSL | 15:117db924cf7c | 3146 | |
wolfSSL | 15:117db924cf7c | 3147 | /* Check To see if PKCS v2 algo is supported, set id if it is return 0 |
wolfSSL | 15:117db924cf7c | 3148 | < 0 on error */ |
wolfSSL | 16:8e0d178b1d1e | 3149 | static int CheckAlgoV2(int oid, int* id, int* blockSz) |
wolfSSL | 16:8e0d178b1d1e | 3150 | { |
wolfSSL | 16:8e0d178b1d1e | 3151 | if (blockSz) *blockSz = 8; /* default */ |
wolfSSL | 15:117db924cf7c | 3152 | (void)id; /* not used if AES and DES3 disabled */ |
wolfSSL | 15:117db924cf7c | 3153 | switch (oid) { |
wolfSSL | 15:117db924cf7c | 3154 | #if !defined(NO_DES3) && !defined(NO_SHA) |
wolfSSL | 15:117db924cf7c | 3155 | case DESb: |
wolfSSL | 15:117db924cf7c | 3156 | *id = PBE_SHA1_DES; |
wolfSSL | 16:8e0d178b1d1e | 3157 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3158 | return 0; |
wolfSSL | 15:117db924cf7c | 3159 | case DES3b: |
wolfSSL | 15:117db924cf7c | 3160 | *id = PBE_SHA1_DES3; |
wolfSSL | 16:8e0d178b1d1e | 3161 | if (blockSz) *blockSz = DES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3162 | return 0; |
wolfSSL | 15:117db924cf7c | 3163 | #endif |
wolfSSL | 15:117db924cf7c | 3164 | #ifdef WOLFSSL_AES_256 |
wolfSSL | 15:117db924cf7c | 3165 | case AES256CBCb: |
wolfSSL | 15:117db924cf7c | 3166 | *id = PBE_AES256_CBC; |
wolfSSL | 16:8e0d178b1d1e | 3167 | if (blockSz) *blockSz = AES_BLOCK_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 3168 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 3169 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3170 | #ifdef WOLFSSL_AES_128 |
wolfSSL | 16:8e0d178b1d1e | 3171 | case AES128CBCb: |
wolfSSL | 16:8e0d178b1d1e | 3172 | *id = PBE_AES128_CBC; |
wolfSSL | 16:8e0d178b1d1e | 3173 | if (blockSz) *blockSz = AES_BLOCK_SIZE; |
wolfSSL | 15:117db924cf7c | 3174 | return 0; |
wolfSSL | 15:117db924cf7c | 3175 | #endif |
wolfSSL | 15:117db924cf7c | 3176 | default: |
wolfSSL | 16:8e0d178b1d1e | 3177 | WOLFSSL_MSG("No PKCS v2 algo found"); |
wolfSSL | 15:117db924cf7c | 3178 | return ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 3179 | |
wolfSSL | 15:117db924cf7c | 3180 | } |
wolfSSL | 15:117db924cf7c | 3181 | } |
wolfSSL | 15:117db924cf7c | 3182 | |
wolfSSL | 16:8e0d178b1d1e | 3183 | #endif /* HAVE_PKCS8 || HAVE_PKCS12 */ |
wolfSSL | 16:8e0d178b1d1e | 3184 | |
wolfSSL | 16:8e0d178b1d1e | 3185 | #ifdef HAVE_PKCS8 |
wolfSSL | 15:117db924cf7c | 3186 | |
wolfSSL | 15:117db924cf7c | 3187 | int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, |
wolfSSL | 15:117db924cf7c | 3188 | int* algoID, void* heap) |
wolfSSL | 15:117db924cf7c | 3189 | { |
wolfSSL | 15:117db924cf7c | 3190 | word32 tmpIdx = 0; |
wolfSSL | 15:117db924cf7c | 3191 | |
wolfSSL | 15:117db924cf7c | 3192 | if (key == NULL || algoID == NULL) |
wolfSSL | 15:117db924cf7c | 3193 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 3194 | |
wolfSSL | 15:117db924cf7c | 3195 | *algoID = 0; |
wolfSSL | 15:117db924cf7c | 3196 | |
wolfSSL | 16:8e0d178b1d1e | 3197 | #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 3198 | { |
wolfSSL | 15:117db924cf7c | 3199 | RsaKey rsa; |
wolfSSL | 15:117db924cf7c | 3200 | |
wolfSSL | 15:117db924cf7c | 3201 | wc_InitRsaKey(&rsa, heap); |
wolfSSL | 15:117db924cf7c | 3202 | if (wc_RsaPrivateKeyDecode(key, &tmpIdx, &rsa, keySz) == 0) { |
wolfSSL | 15:117db924cf7c | 3203 | *algoID = RSAk; |
wolfSSL | 15:117db924cf7c | 3204 | } |
wolfSSL | 15:117db924cf7c | 3205 | else { |
wolfSSL | 15:117db924cf7c | 3206 | WOLFSSL_MSG("Not RSA DER key"); |
wolfSSL | 15:117db924cf7c | 3207 | } |
wolfSSL | 15:117db924cf7c | 3208 | wc_FreeRsaKey(&rsa); |
wolfSSL | 15:117db924cf7c | 3209 | } |
wolfSSL | 16:8e0d178b1d1e | 3210 | #endif /* !NO_RSA && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 3211 | #if defined(HAVE_ECC) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 3212 | if (*algoID == 0) { |
wolfSSL | 15:117db924cf7c | 3213 | ecc_key ecc; |
wolfSSL | 15:117db924cf7c | 3214 | |
wolfSSL | 15:117db924cf7c | 3215 | tmpIdx = 0; |
wolfSSL | 15:117db924cf7c | 3216 | wc_ecc_init_ex(&ecc, heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 3217 | if (wc_EccPrivateKeyDecode(key, &tmpIdx, &ecc, keySz) == 0) { |
wolfSSL | 15:117db924cf7c | 3218 | *algoID = ECDSAk; |
wolfSSL | 15:117db924cf7c | 3219 | |
wolfSSL | 15:117db924cf7c | 3220 | /* now find oid */ |
wolfSSL | 15:117db924cf7c | 3221 | if (wc_ecc_get_oid(ecc.dp->oidSum, curveOID, oidSz) < 0) { |
wolfSSL | 15:117db924cf7c | 3222 | WOLFSSL_MSG("Error getting ECC curve OID"); |
wolfSSL | 15:117db924cf7c | 3223 | wc_ecc_free(&ecc); |
wolfSSL | 15:117db924cf7c | 3224 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 3225 | } |
wolfSSL | 15:117db924cf7c | 3226 | } |
wolfSSL | 15:117db924cf7c | 3227 | else { |
wolfSSL | 15:117db924cf7c | 3228 | WOLFSSL_MSG("Not ECC DER key either"); |
wolfSSL | 15:117db924cf7c | 3229 | } |
wolfSSL | 15:117db924cf7c | 3230 | wc_ecc_free(&ecc); |
wolfSSL | 15:117db924cf7c | 3231 | } |
wolfSSL | 16:8e0d178b1d1e | 3232 | #endif /* HAVE_ECC && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 3233 | #if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 3234 | if (*algoID != RSAk && *algoID != ECDSAk) { |
wolfSSL | 15:117db924cf7c | 3235 | ed25519_key ed25519; |
wolfSSL | 15:117db924cf7c | 3236 | |
wolfSSL | 15:117db924cf7c | 3237 | tmpIdx = 0; |
wolfSSL | 15:117db924cf7c | 3238 | if (wc_ed25519_init(&ed25519) == 0) { |
wolfSSL | 15:117db924cf7c | 3239 | if (wc_Ed25519PrivateKeyDecode(key, &tmpIdx, &ed25519, keySz) |
wolfSSL | 15:117db924cf7c | 3240 | == 0) { |
wolfSSL | 15:117db924cf7c | 3241 | *algoID = ED25519k; |
wolfSSL | 15:117db924cf7c | 3242 | } |
wolfSSL | 15:117db924cf7c | 3243 | else { |
wolfSSL | 15:117db924cf7c | 3244 | WOLFSSL_MSG("Not ED25519 DER key"); |
wolfSSL | 15:117db924cf7c | 3245 | } |
wolfSSL | 15:117db924cf7c | 3246 | wc_ed25519_free(&ed25519); |
wolfSSL | 15:117db924cf7c | 3247 | } |
wolfSSL | 15:117db924cf7c | 3248 | else { |
wolfSSL | 15:117db924cf7c | 3249 | WOLFSSL_MSG("GetKeyOID wc_ed25519_init failed"); |
wolfSSL | 15:117db924cf7c | 3250 | } |
wolfSSL | 15:117db924cf7c | 3251 | } |
wolfSSL | 16:8e0d178b1d1e | 3252 | #endif /* HAVE_ED25519 && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 3253 | #if defined(HAVE_ED448) && !defined(NO_ASN_CRYPT) |
wolfSSL | 16:8e0d178b1d1e | 3254 | if (*algoID != RSAk && *algoID != ECDSAk && *algoID != ED25519k) { |
wolfSSL | 16:8e0d178b1d1e | 3255 | ed448_key ed448; |
wolfSSL | 16:8e0d178b1d1e | 3256 | |
wolfSSL | 16:8e0d178b1d1e | 3257 | tmpIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3258 | if (wc_ed448_init(&ed448) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3259 | if (wc_Ed448PrivateKeyDecode(key, &tmpIdx, &ed448, keySz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3260 | *algoID = ED448k; |
wolfSSL | 16:8e0d178b1d1e | 3261 | } |
wolfSSL | 16:8e0d178b1d1e | 3262 | else { |
wolfSSL | 16:8e0d178b1d1e | 3263 | WOLFSSL_MSG("Not ED448 DER key"); |
wolfSSL | 16:8e0d178b1d1e | 3264 | } |
wolfSSL | 16:8e0d178b1d1e | 3265 | wc_ed448_free(&ed448); |
wolfSSL | 16:8e0d178b1d1e | 3266 | } |
wolfSSL | 16:8e0d178b1d1e | 3267 | else { |
wolfSSL | 16:8e0d178b1d1e | 3268 | WOLFSSL_MSG("GetKeyOID wc_ed448_init failed"); |
wolfSSL | 16:8e0d178b1d1e | 3269 | } |
wolfSSL | 16:8e0d178b1d1e | 3270 | } |
wolfSSL | 16:8e0d178b1d1e | 3271 | #endif /* HAVE_ED448 && !NO_ASN_CRYPT */ |
wolfSSL | 15:117db924cf7c | 3272 | |
wolfSSL | 15:117db924cf7c | 3273 | /* if flag is not set then is neither RSA or ECC key that could be |
wolfSSL | 15:117db924cf7c | 3274 | * found */ |
wolfSSL | 15:117db924cf7c | 3275 | if (*algoID == 0) { |
wolfSSL | 15:117db924cf7c | 3276 | WOLFSSL_MSG("Bad key DER or compile options"); |
wolfSSL | 15:117db924cf7c | 3277 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 3278 | } |
wolfSSL | 15:117db924cf7c | 3279 | |
wolfSSL | 16:8e0d178b1d1e | 3280 | (void)tmpIdx; |
wolfSSL | 15:117db924cf7c | 3281 | (void)curveOID; |
wolfSSL | 15:117db924cf7c | 3282 | (void)oidSz; |
wolfSSL | 16:8e0d178b1d1e | 3283 | (void)keySz; |
wolfSSL | 16:8e0d178b1d1e | 3284 | (void)heap; |
wolfSSL | 15:117db924cf7c | 3285 | |
wolfSSL | 15:117db924cf7c | 3286 | return 1; |
wolfSSL | 15:117db924cf7c | 3287 | } |
wolfSSL | 15:117db924cf7c | 3288 | |
wolfSSL | 16:8e0d178b1d1e | 3289 | #endif /* HAVE_PKCS8 */ |
wolfSSL | 16:8e0d178b1d1e | 3290 | |
wolfSSL | 16:8e0d178b1d1e | 3291 | #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) |
wolfSSL | 16:8e0d178b1d1e | 3292 | |
wolfSSL | 16:8e0d178b1d1e | 3293 | #define PKCS8_MIN_BLOCK_SIZE 8 |
wolfSSL | 16:8e0d178b1d1e | 3294 | static int Pkcs8Pad(byte* buf, int sz, int blockSz) |
wolfSSL | 16:8e0d178b1d1e | 3295 | { |
wolfSSL | 16:8e0d178b1d1e | 3296 | int i, padSz; |
wolfSSL | 16:8e0d178b1d1e | 3297 | |
wolfSSL | 16:8e0d178b1d1e | 3298 | /* calculate pad size */ |
wolfSSL | 16:8e0d178b1d1e | 3299 | padSz = blockSz - (sz & (blockSz - 1)); |
wolfSSL | 16:8e0d178b1d1e | 3300 | |
wolfSSL | 16:8e0d178b1d1e | 3301 | /* pad with padSz value */ |
wolfSSL | 16:8e0d178b1d1e | 3302 | if (buf) { |
wolfSSL | 16:8e0d178b1d1e | 3303 | for (i = 0; i < padSz; i++) { |
wolfSSL | 16:8e0d178b1d1e | 3304 | buf[sz+i] = (byte)(padSz & 0xFF); |
wolfSSL | 16:8e0d178b1d1e | 3305 | } |
wolfSSL | 16:8e0d178b1d1e | 3306 | } |
wolfSSL | 16:8e0d178b1d1e | 3307 | |
wolfSSL | 16:8e0d178b1d1e | 3308 | /* return adjusted length */ |
wolfSSL | 16:8e0d178b1d1e | 3309 | return sz + padSz; |
wolfSSL | 16:8e0d178b1d1e | 3310 | } |
wolfSSL | 16:8e0d178b1d1e | 3311 | |
wolfSSL | 16:8e0d178b1d1e | 3312 | #endif /* HAVE_PKCS8 || HAVE_PKCS12 */ |
wolfSSL | 16:8e0d178b1d1e | 3313 | |
wolfSSL | 16:8e0d178b1d1e | 3314 | #ifdef HAVE_PKCS8 |
wolfSSL | 15:117db924cf7c | 3315 | |
wolfSSL | 15:117db924cf7c | 3316 | /* |
wolfSSL | 15:117db924cf7c | 3317 | * Used when creating PKCS12 shrouded key bags |
wolfSSL | 15:117db924cf7c | 3318 | * vPKCS is the version of PKCS to use |
wolfSSL | 15:117db924cf7c | 3319 | * vAlgo is the algorithm version to use |
wolfSSL | 15:117db924cf7c | 3320 | * |
wolfSSL | 15:117db924cf7c | 3321 | * if salt is NULL a random number is generated |
wolfSSL | 15:117db924cf7c | 3322 | * |
wolfSSL | 15:117db924cf7c | 3323 | * returns the size of encrypted data on success |
wolfSSL | 15:117db924cf7c | 3324 | */ |
wolfSSL | 15:117db924cf7c | 3325 | int UnTraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz, |
wolfSSL | 16:8e0d178b1d1e | 3326 | const char* password, int passwordSz, int vPKCS, int vAlgo, |
wolfSSL | 15:117db924cf7c | 3327 | byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap) |
wolfSSL | 15:117db924cf7c | 3328 | { |
wolfSSL | 15:117db924cf7c | 3329 | int algoID = 0; |
wolfSSL | 15:117db924cf7c | 3330 | byte* tmp; |
wolfSSL | 15:117db924cf7c | 3331 | word32 tmpSz = 0; |
wolfSSL | 15:117db924cf7c | 3332 | word32 sz; |
wolfSSL | 15:117db924cf7c | 3333 | word32 seqSz; |
wolfSSL | 15:117db924cf7c | 3334 | word32 inOutIdx = 0; |
wolfSSL | 15:117db924cf7c | 3335 | word32 totalSz = 0; |
wolfSSL | 15:117db924cf7c | 3336 | int version, id; |
wolfSSL | 15:117db924cf7c | 3337 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 3338 | int blockSz = 0; |
wolfSSL | 15:117db924cf7c | 3339 | |
wolfSSL | 15:117db924cf7c | 3340 | const byte* curveOID = NULL; |
wolfSSL | 15:117db924cf7c | 3341 | word32 oidSz = 0; |
wolfSSL | 15:117db924cf7c | 3342 | |
wolfSSL | 15:117db924cf7c | 3343 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3344 | byte* saltTmp = NULL; |
wolfSSL | 15:117db924cf7c | 3345 | byte* cbcIv = NULL; |
wolfSSL | 15:117db924cf7c | 3346 | #else |
wolfSSL | 15:117db924cf7c | 3347 | byte saltTmp[MAX_IV_SIZE]; |
wolfSSL | 15:117db924cf7c | 3348 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 15:117db924cf7c | 3349 | #endif |
wolfSSL | 15:117db924cf7c | 3350 | |
wolfSSL | 15:117db924cf7c | 3351 | WOLFSSL_ENTER("UnTraditionalEnc()"); |
wolfSSL | 15:117db924cf7c | 3352 | |
wolfSSL | 15:117db924cf7c | 3353 | if (saltSz > MAX_SALT_SIZE) |
wolfSSL | 15:117db924cf7c | 3354 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 3355 | |
wolfSSL | 15:117db924cf7c | 3356 | |
wolfSSL | 15:117db924cf7c | 3357 | inOutIdx += MAX_SEQ_SZ; /* leave room for size of finished shroud */ |
wolfSSL | 16:8e0d178b1d1e | 3358 | if (CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz) < 0) { |
wolfSSL | 15:117db924cf7c | 3359 | WOLFSSL_MSG("Bad/Unsupported algorithm ID"); |
wolfSSL | 15:117db924cf7c | 3360 | return ASN_INPUT_E; /* Algo ID error */ |
wolfSSL | 15:117db924cf7c | 3361 | } |
wolfSSL | 15:117db924cf7c | 3362 | |
wolfSSL | 15:117db924cf7c | 3363 | if (out != NULL) { |
wolfSSL | 15:117db924cf7c | 3364 | if (*outSz < inOutIdx + MAX_ALGO_SZ + MAX_SALT_SIZE + MAX_SEQ_SZ + 1 + |
wolfSSL | 15:117db924cf7c | 3365 | MAX_LENGTH_SZ + MAX_SHORT_SZ + 1) |
wolfSSL | 15:117db924cf7c | 3366 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 3367 | |
wolfSSL | 15:117db924cf7c | 3368 | if (version == PKCS5v2) { |
wolfSSL | 15:117db924cf7c | 3369 | WOLFSSL_MSG("PKCS5v2 Not supported yet\n"); |
wolfSSL | 15:117db924cf7c | 3370 | return ASN_VERSION_E; |
wolfSSL | 15:117db924cf7c | 3371 | } |
wolfSSL | 15:117db924cf7c | 3372 | |
wolfSSL | 16:8e0d178b1d1e | 3373 | if (salt == NULL || saltSz == 0) { |
wolfSSL | 15:117db924cf7c | 3374 | saltSz = 8; |
wolfSSL | 15:117db924cf7c | 3375 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3376 | saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3377 | if (saltTmp == NULL) |
wolfSSL | 15:117db924cf7c | 3378 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3379 | #endif |
wolfSSL | 15:117db924cf7c | 3380 | salt = saltTmp; |
wolfSSL | 15:117db924cf7c | 3381 | |
wolfSSL | 15:117db924cf7c | 3382 | if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) { |
wolfSSL | 15:117db924cf7c | 3383 | WOLFSSL_MSG("Error generating random salt"); |
wolfSSL | 15:117db924cf7c | 3384 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3385 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3386 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3387 | #endif |
wolfSSL | 15:117db924cf7c | 3388 | return ret; |
wolfSSL | 15:117db924cf7c | 3389 | } |
wolfSSL | 15:117db924cf7c | 3390 | } |
wolfSSL | 15:117db924cf7c | 3391 | |
wolfSSL | 15:117db924cf7c | 3392 | |
wolfSSL | 15:117db924cf7c | 3393 | /* leave room for a sequence (contains salt and iterations int) */ |
wolfSSL | 15:117db924cf7c | 3394 | inOutIdx += MAX_SEQ_SZ; sz = 0; |
wolfSSL | 15:117db924cf7c | 3395 | inOutIdx += MAX_ALGO_SZ; |
wolfSSL | 15:117db924cf7c | 3396 | |
wolfSSL | 15:117db924cf7c | 3397 | /* place salt in buffer */ |
wolfSSL | 15:117db924cf7c | 3398 | out[inOutIdx++] = ASN_OCTET_STRING; sz++; |
wolfSSL | 15:117db924cf7c | 3399 | tmpSz = SetLength(saltSz, out + inOutIdx); |
wolfSSL | 15:117db924cf7c | 3400 | inOutIdx += tmpSz; sz += tmpSz; |
wolfSSL | 15:117db924cf7c | 3401 | XMEMCPY(out + inOutIdx, salt, saltSz); |
wolfSSL | 15:117db924cf7c | 3402 | inOutIdx += saltSz; sz += saltSz; |
wolfSSL | 15:117db924cf7c | 3403 | |
wolfSSL | 15:117db924cf7c | 3404 | /* place iteration count in buffer */ |
wolfSSL | 15:117db924cf7c | 3405 | ret = SetShortInt(out, &inOutIdx, itt, *outSz); |
wolfSSL | 15:117db924cf7c | 3406 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 3407 | return ret; |
wolfSSL | 15:117db924cf7c | 3408 | } |
wolfSSL | 15:117db924cf7c | 3409 | sz += (word32)ret; |
wolfSSL | 15:117db924cf7c | 3410 | |
wolfSSL | 15:117db924cf7c | 3411 | /* wind back index and set sequence then clean up buffer */ |
wolfSSL | 15:117db924cf7c | 3412 | inOutIdx -= (sz + MAX_SEQ_SZ); |
wolfSSL | 15:117db924cf7c | 3413 | tmpSz = SetSequence(sz, out + inOutIdx); |
wolfSSL | 15:117db924cf7c | 3414 | XMEMMOVE(out + inOutIdx + tmpSz, out + inOutIdx + MAX_SEQ_SZ, sz); |
wolfSSL | 15:117db924cf7c | 3415 | totalSz += tmpSz + sz; sz += tmpSz; |
wolfSSL | 15:117db924cf7c | 3416 | |
wolfSSL | 15:117db924cf7c | 3417 | /* add in algo ID */ |
wolfSSL | 15:117db924cf7c | 3418 | inOutIdx -= MAX_ALGO_SZ; |
wolfSSL | 15:117db924cf7c | 3419 | tmpSz = SetAlgoID(id, out + inOutIdx, oidPBEType, sz); |
wolfSSL | 15:117db924cf7c | 3420 | XMEMMOVE(out + inOutIdx + tmpSz, out + inOutIdx + MAX_ALGO_SZ, sz); |
wolfSSL | 15:117db924cf7c | 3421 | totalSz += tmpSz; inOutIdx += tmpSz + sz; |
wolfSSL | 15:117db924cf7c | 3422 | |
wolfSSL | 15:117db924cf7c | 3423 | /* octet string containing encrypted key */ |
wolfSSL | 15:117db924cf7c | 3424 | out[inOutIdx++] = ASN_OCTET_STRING; totalSz++; |
wolfSSL | 15:117db924cf7c | 3425 | } |
wolfSSL | 15:117db924cf7c | 3426 | |
wolfSSL | 15:117db924cf7c | 3427 | /* check key type and get OID if ECC */ |
wolfSSL | 15:117db924cf7c | 3428 | if ((ret = wc_GetKeyOID(key, keySz, &curveOID, &oidSz, &algoID, heap))< 0) { |
wolfSSL | 16:8e0d178b1d1e | 3429 | WOLFSSL_MSG("Error getting key OID"); |
wolfSSL | 16:8e0d178b1d1e | 3430 | return ret; |
wolfSSL | 15:117db924cf7c | 3431 | } |
wolfSSL | 15:117db924cf7c | 3432 | |
wolfSSL | 15:117db924cf7c | 3433 | /* PKCS#8 wrapping around key */ |
wolfSSL | 15:117db924cf7c | 3434 | if (wc_CreatePKCS8Key(NULL, &tmpSz, key, keySz, algoID, curveOID, oidSz) |
wolfSSL | 15:117db924cf7c | 3435 | != LENGTH_ONLY_E) { |
wolfSSL | 15:117db924cf7c | 3436 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3437 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3438 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3439 | #endif |
wolfSSL | 15:117db924cf7c | 3440 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3441 | } |
wolfSSL | 15:117db924cf7c | 3442 | |
wolfSSL | 15:117db924cf7c | 3443 | /* check if should return max size */ |
wolfSSL | 15:117db924cf7c | 3444 | if (out == NULL) { |
wolfSSL | 15:117db924cf7c | 3445 | /* account for salt size */ |
wolfSSL | 16:8e0d178b1d1e | 3446 | if (salt == NULL || saltSz == 0) { |
wolfSSL | 15:117db924cf7c | 3447 | tmpSz += MAX_SALT_SIZE; |
wolfSSL | 15:117db924cf7c | 3448 | } |
wolfSSL | 15:117db924cf7c | 3449 | else { |
wolfSSL | 15:117db924cf7c | 3450 | tmpSz += saltSz; |
wolfSSL | 15:117db924cf7c | 3451 | } |
wolfSSL | 15:117db924cf7c | 3452 | |
wolfSSL | 15:117db924cf7c | 3453 | /* plus 3 for tags */ |
wolfSSL | 15:117db924cf7c | 3454 | *outSz = tmpSz + MAX_ALGO_SZ + MAX_LENGTH_SZ +MAX_LENGTH_SZ + MAX_SEQ_SZ |
wolfSSL | 15:117db924cf7c | 3455 | + MAX_LENGTH_SZ + MAX_SEQ_SZ + 3; |
wolfSSL | 15:117db924cf7c | 3456 | return LENGTH_ONLY_E; |
wolfSSL | 15:117db924cf7c | 3457 | } |
wolfSSL | 15:117db924cf7c | 3458 | |
wolfSSL | 16:8e0d178b1d1e | 3459 | /* reserve buffer for crypto and make sure it supports full blocks */ |
wolfSSL | 16:8e0d178b1d1e | 3460 | tmp = (byte*)XMALLOC(tmpSz + (blockSz-1), heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3461 | if (tmp == NULL) { |
wolfSSL | 15:117db924cf7c | 3462 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3463 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3464 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3465 | #endif |
wolfSSL | 15:117db924cf7c | 3466 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3467 | } |
wolfSSL | 15:117db924cf7c | 3468 | |
wolfSSL | 15:117db924cf7c | 3469 | if ((ret = wc_CreatePKCS8Key(tmp, &tmpSz, key, keySz, algoID, curveOID, |
wolfSSL | 15:117db924cf7c | 3470 | oidSz)) < 0) { |
wolfSSL | 15:117db924cf7c | 3471 | XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3472 | WOLFSSL_MSG("Error wrapping key with PKCS#8"); |
wolfSSL | 15:117db924cf7c | 3473 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3474 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3475 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3476 | #endif |
wolfSSL | 15:117db924cf7c | 3477 | return ret; |
wolfSSL | 15:117db924cf7c | 3478 | } |
wolfSSL | 15:117db924cf7c | 3479 | tmpSz = ret; |
wolfSSL | 15:117db924cf7c | 3480 | |
wolfSSL | 16:8e0d178b1d1e | 3481 | /* adjust size to pad */ |
wolfSSL | 16:8e0d178b1d1e | 3482 | tmpSz = Pkcs8Pad(tmp, tmpSz, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 3483 | |
wolfSSL | 15:117db924cf7c | 3484 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3485 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3486 | if (cbcIv == NULL) { |
wolfSSL | 15:117db924cf7c | 3487 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3488 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3489 | XFREE(salt, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3490 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3491 | } |
wolfSSL | 15:117db924cf7c | 3492 | #endif |
wolfSSL | 15:117db924cf7c | 3493 | |
wolfSSL | 15:117db924cf7c | 3494 | /* encrypt PKCS#8 wrapped key */ |
wolfSSL | 15:117db924cf7c | 3495 | if ((ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id, |
wolfSSL | 16:8e0d178b1d1e | 3496 | tmp, tmpSz, version, cbcIv, 1, 0)) < 0) { |
wolfSSL | 15:117db924cf7c | 3497 | XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3498 | WOLFSSL_MSG("Error encrypting key"); |
wolfSSL | 15:117db924cf7c | 3499 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3500 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3501 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3502 | if (cbcIv != NULL) |
wolfSSL | 15:117db924cf7c | 3503 | XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3504 | #endif |
wolfSSL | 15:117db924cf7c | 3505 | return ret; /* encryption failure */ |
wolfSSL | 15:117db924cf7c | 3506 | } |
wolfSSL | 15:117db924cf7c | 3507 | totalSz += tmpSz; |
wolfSSL | 15:117db924cf7c | 3508 | |
wolfSSL | 15:117db924cf7c | 3509 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3510 | if (saltTmp != NULL) |
wolfSSL | 15:117db924cf7c | 3511 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3512 | if (cbcIv != NULL) |
wolfSSL | 15:117db924cf7c | 3513 | XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3514 | #endif |
wolfSSL | 15:117db924cf7c | 3515 | |
wolfSSL | 15:117db924cf7c | 3516 | if (*outSz < inOutIdx + tmpSz + MAX_LENGTH_SZ) { |
wolfSSL | 15:117db924cf7c | 3517 | XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3518 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 3519 | } |
wolfSSL | 15:117db924cf7c | 3520 | |
wolfSSL | 15:117db924cf7c | 3521 | /* set length of key and copy over encrypted key */ |
wolfSSL | 15:117db924cf7c | 3522 | seqSz = SetLength(tmpSz, out + inOutIdx); |
wolfSSL | 15:117db924cf7c | 3523 | inOutIdx += seqSz; totalSz += seqSz; |
wolfSSL | 15:117db924cf7c | 3524 | XMEMCPY(out + inOutIdx, tmp, tmpSz); |
wolfSSL | 15:117db924cf7c | 3525 | XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3526 | |
wolfSSL | 16:8e0d178b1d1e | 3527 | /* set total size at beginning */ |
wolfSSL | 15:117db924cf7c | 3528 | sz = SetSequence(totalSz, out); |
wolfSSL | 15:117db924cf7c | 3529 | XMEMMOVE(out + sz, out + MAX_SEQ_SZ, totalSz); |
wolfSSL | 15:117db924cf7c | 3530 | |
wolfSSL | 16:8e0d178b1d1e | 3531 | (void)rng; |
wolfSSL | 16:8e0d178b1d1e | 3532 | |
wolfSSL | 15:117db924cf7c | 3533 | return totalSz + sz; |
wolfSSL | 15:117db924cf7c | 3534 | } |
wolfSSL | 15:117db924cf7c | 3535 | |
wolfSSL | 16:8e0d178b1d1e | 3536 | static int GetAlgoV2(int encAlgId, const byte** oid, int *len, int* id, |
wolfSSL | 16:8e0d178b1d1e | 3537 | int *blkSz) |
wolfSSL | 16:8e0d178b1d1e | 3538 | { |
wolfSSL | 16:8e0d178b1d1e | 3539 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3540 | |
wolfSSL | 16:8e0d178b1d1e | 3541 | switch (encAlgId) { |
wolfSSL | 16:8e0d178b1d1e | 3542 | #if !defined(NO_DES3) && !defined(NO_SHA) |
wolfSSL | 16:8e0d178b1d1e | 3543 | case DESb: |
wolfSSL | 16:8e0d178b1d1e | 3544 | *len = sizeof(blkDesCbcOid); |
wolfSSL | 16:8e0d178b1d1e | 3545 | *oid = blkDesCbcOid; |
wolfSSL | 16:8e0d178b1d1e | 3546 | *id = PBE_SHA1_DES; |
wolfSSL | 16:8e0d178b1d1e | 3547 | *blkSz = 8; |
wolfSSL | 16:8e0d178b1d1e | 3548 | break; |
wolfSSL | 16:8e0d178b1d1e | 3549 | case DES3b: |
wolfSSL | 16:8e0d178b1d1e | 3550 | *len = sizeof(blkDes3CbcOid); |
wolfSSL | 16:8e0d178b1d1e | 3551 | *oid = blkDes3CbcOid; |
wolfSSL | 16:8e0d178b1d1e | 3552 | *id = PBE_SHA1_DES3; |
wolfSSL | 16:8e0d178b1d1e | 3553 | *blkSz = 8; |
wolfSSL | 16:8e0d178b1d1e | 3554 | break; |
wolfSSL | 16:8e0d178b1d1e | 3555 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3556 | #if defined(WOLFSSL_AES_256) && defined(HAVE_AES_CBC) |
wolfSSL | 16:8e0d178b1d1e | 3557 | case AES256CBCb: |
wolfSSL | 16:8e0d178b1d1e | 3558 | *len = sizeof(blkAes256CbcOid); |
wolfSSL | 16:8e0d178b1d1e | 3559 | *oid = blkAes256CbcOid; |
wolfSSL | 16:8e0d178b1d1e | 3560 | *id = PBE_AES256_CBC; |
wolfSSL | 16:8e0d178b1d1e | 3561 | *blkSz = 16; |
wolfSSL | 16:8e0d178b1d1e | 3562 | break; |
wolfSSL | 16:8e0d178b1d1e | 3563 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3564 | default: |
wolfSSL | 16:8e0d178b1d1e | 3565 | (void)len; |
wolfSSL | 16:8e0d178b1d1e | 3566 | (void)oid; |
wolfSSL | 16:8e0d178b1d1e | 3567 | (void)id; |
wolfSSL | 16:8e0d178b1d1e | 3568 | (void)blkSz; |
wolfSSL | 16:8e0d178b1d1e | 3569 | ret = ALGO_ID_E; |
wolfSSL | 16:8e0d178b1d1e | 3570 | } |
wolfSSL | 16:8e0d178b1d1e | 3571 | |
wolfSSL | 16:8e0d178b1d1e | 3572 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3573 | } |
wolfSSL | 16:8e0d178b1d1e | 3574 | |
wolfSSL | 16:8e0d178b1d1e | 3575 | /* Converts Encrypted PKCS#8 to 'traditional' (i.e. PKCS#8 removed from |
wolfSSL | 16:8e0d178b1d1e | 3576 | * decrypted key.) |
wolfSSL | 15:117db924cf7c | 3577 | */ |
wolfSSL | 16:8e0d178b1d1e | 3578 | int TraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz, |
wolfSSL | 15:117db924cf7c | 3579 | const char* password, int passwordSz, int vPKCS, int vAlgo, |
wolfSSL | 16:8e0d178b1d1e | 3580 | int encAlgId, byte* salt, word32 saltSz, int itt, WC_RNG* rng, |
wolfSSL | 16:8e0d178b1d1e | 3581 | void* heap) |
wolfSSL | 16:8e0d178b1d1e | 3582 | { |
wolfSSL | 16:8e0d178b1d1e | 3583 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3584 | int version, blockSz, id; |
wolfSSL | 16:8e0d178b1d1e | 3585 | word32 idx = 0, encIdx; |
wolfSSL | 16:8e0d178b1d1e | 3586 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3587 | byte* saltTmp = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3588 | #else |
wolfSSL | 16:8e0d178b1d1e | 3589 | byte saltTmp[MAX_SALT_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 3590 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3591 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 3592 | byte *pkcs8Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3593 | word32 pkcs8KeySz = 0, padSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3594 | int algId = 0; |
wolfSSL | 16:8e0d178b1d1e | 3595 | const byte* curveOid = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3596 | word32 curveOidSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3597 | const byte* pbeOid = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3598 | word32 pbeOidSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3599 | const byte* encOid = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3600 | int encOidSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3601 | word32 pbeLen = 0, kdfLen = 0, encLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 3602 | word32 innerLen = 0, outerLen; |
wolfSSL | 16:8e0d178b1d1e | 3603 | |
wolfSSL | 16:8e0d178b1d1e | 3604 | ret = CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz); |
wolfSSL | 15:117db924cf7c | 3605 | /* create random salt if one not provided */ |
wolfSSL | 16:8e0d178b1d1e | 3606 | if (ret == 0 && (salt == NULL || saltSz == 0)) { |
wolfSSL | 15:117db924cf7c | 3607 | saltSz = 8; |
wolfSSL | 15:117db924cf7c | 3608 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3609 | saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3610 | if (saltTmp == NULL) |
wolfSSL | 15:117db924cf7c | 3611 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3612 | #endif |
wolfSSL | 15:117db924cf7c | 3613 | salt = saltTmp; |
wolfSSL | 15:117db924cf7c | 3614 | |
wolfSSL | 15:117db924cf7c | 3615 | if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) { |
wolfSSL | 15:117db924cf7c | 3616 | WOLFSSL_MSG("Error generating random salt"); |
wolfSSL | 15:117db924cf7c | 3617 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3618 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3619 | #endif |
wolfSSL | 15:117db924cf7c | 3620 | return ret; |
wolfSSL | 15:117db924cf7c | 3621 | } |
wolfSSL | 15:117db924cf7c | 3622 | } |
wolfSSL | 15:117db924cf7c | 3623 | |
wolfSSL | 16:8e0d178b1d1e | 3624 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3625 | /* check key type and get OID if ECC */ |
wolfSSL | 16:8e0d178b1d1e | 3626 | ret = wc_GetKeyOID(key, keySz, &curveOid, &curveOidSz, &algId, heap); |
wolfSSL | 16:8e0d178b1d1e | 3627 | if (ret == 1) |
wolfSSL | 16:8e0d178b1d1e | 3628 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3629 | } |
wolfSSL | 16:8e0d178b1d1e | 3630 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3631 | ret = wc_CreatePKCS8Key(NULL, &pkcs8KeySz, key, keySz, algId, curveOid, |
wolfSSL | 16:8e0d178b1d1e | 3632 | curveOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3633 | if (ret == LENGTH_ONLY_E) |
wolfSSL | 16:8e0d178b1d1e | 3634 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3635 | } |
wolfSSL | 16:8e0d178b1d1e | 3636 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3637 | pkcs8Key = (byte*)XMALLOC(pkcs8KeySz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 3638 | if (pkcs8Key == NULL) |
wolfSSL | 16:8e0d178b1d1e | 3639 | ret = MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 3640 | } |
wolfSSL | 16:8e0d178b1d1e | 3641 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3642 | ret = wc_CreatePKCS8Key(pkcs8Key, &pkcs8KeySz, key, keySz, algId, |
wolfSSL | 16:8e0d178b1d1e | 3643 | curveOid, curveOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3644 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 3645 | pkcs8KeySz = ret; |
wolfSSL | 16:8e0d178b1d1e | 3646 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3647 | } |
wolfSSL | 16:8e0d178b1d1e | 3648 | } |
wolfSSL | 16:8e0d178b1d1e | 3649 | |
wolfSSL | 16:8e0d178b1d1e | 3650 | if (ret == 0 && version == PKCS5v2) |
wolfSSL | 16:8e0d178b1d1e | 3651 | ret = GetAlgoV2(encAlgId, &encOid, &encOidSz, &id, &blockSz); |
wolfSSL | 16:8e0d178b1d1e | 3652 | |
wolfSSL | 16:8e0d178b1d1e | 3653 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3654 | padSz = (blockSz - (pkcs8KeySz & (blockSz - 1))) & (blockSz - 1); |
wolfSSL | 16:8e0d178b1d1e | 3655 | /* inner = OCT salt INT itt */ |
wolfSSL | 16:8e0d178b1d1e | 3656 | innerLen = 2 + saltSz + 2 + (itt < 256 ? 1 : 2); |
wolfSSL | 16:8e0d178b1d1e | 3657 | |
wolfSSL | 16:8e0d178b1d1e | 3658 | if (version != PKCS5v2) { |
wolfSSL | 16:8e0d178b1d1e | 3659 | pbeOid = OidFromId(id, oidPBEType, &pbeOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3660 | /* pbe = OBJ pbse1 SEQ [ inner ] */ |
wolfSSL | 16:8e0d178b1d1e | 3661 | pbeLen = 2 + pbeOidSz + 2 + innerLen; |
wolfSSL | 16:8e0d178b1d1e | 3662 | } |
wolfSSL | 16:8e0d178b1d1e | 3663 | else { |
wolfSSL | 16:8e0d178b1d1e | 3664 | pbeOid = pbes2; |
wolfSSL | 16:8e0d178b1d1e | 3665 | pbeOidSz = sizeof(pbes2); |
wolfSSL | 16:8e0d178b1d1e | 3666 | /* kdf = OBJ pbkdf2 [ SEQ innerLen ] */ |
wolfSSL | 16:8e0d178b1d1e | 3667 | kdfLen = 2 + sizeof(pbkdf2Oid) + 2 + innerLen; |
wolfSSL | 16:8e0d178b1d1e | 3668 | /* enc = OBJ enc_alg OCT iv */ |
wolfSSL | 16:8e0d178b1d1e | 3669 | encLen = 2 + encOidSz + 2 + blockSz; |
wolfSSL | 16:8e0d178b1d1e | 3670 | /* pbe = OBJ pbse2 SEQ [ SEQ [ kdf ] SEQ [ enc ] ] */ |
wolfSSL | 16:8e0d178b1d1e | 3671 | pbeLen = 2 + sizeof(pbes2) + 2 + 2 + kdfLen + 2 + encLen; |
wolfSSL | 16:8e0d178b1d1e | 3672 | |
wolfSSL | 16:8e0d178b1d1e | 3673 | ret = wc_RNG_GenerateBlock(rng, cbcIv, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 3674 | } |
wolfSSL | 16:8e0d178b1d1e | 3675 | } |
wolfSSL | 16:8e0d178b1d1e | 3676 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3677 | /* outer = SEQ [ pbe ] OCT encrypted_PKCS#8_key */ |
wolfSSL | 16:8e0d178b1d1e | 3678 | outerLen = 2 + pbeLen; |
wolfSSL | 16:8e0d178b1d1e | 3679 | outerLen += SetOctetString(pkcs8KeySz + padSz, out); |
wolfSSL | 16:8e0d178b1d1e | 3680 | outerLen += pkcs8KeySz + padSz; |
wolfSSL | 16:8e0d178b1d1e | 3681 | |
wolfSSL | 16:8e0d178b1d1e | 3682 | idx += SetSequence(outerLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3683 | |
wolfSSL | 16:8e0d178b1d1e | 3684 | encIdx = idx + outerLen - pkcs8KeySz - padSz; |
wolfSSL | 16:8e0d178b1d1e | 3685 | /* Put Encrypted content in place. */ |
wolfSSL | 16:8e0d178b1d1e | 3686 | XMEMCPY(out + encIdx, pkcs8Key, pkcs8KeySz); |
wolfSSL | 16:8e0d178b1d1e | 3687 | if (padSz > 0) { |
wolfSSL | 16:8e0d178b1d1e | 3688 | XMEMSET(out + encIdx + pkcs8KeySz, padSz, padSz); |
wolfSSL | 16:8e0d178b1d1e | 3689 | pkcs8KeySz += padSz; |
wolfSSL | 16:8e0d178b1d1e | 3690 | } |
wolfSSL | 16:8e0d178b1d1e | 3691 | ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id, |
wolfSSL | 16:8e0d178b1d1e | 3692 | out + encIdx, pkcs8KeySz, version, cbcIv, 1, 0); |
wolfSSL | 16:8e0d178b1d1e | 3693 | } |
wolfSSL | 16:8e0d178b1d1e | 3694 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3695 | if (version != PKCS5v2) { |
wolfSSL | 16:8e0d178b1d1e | 3696 | /* PBE algorithm */ |
wolfSSL | 16:8e0d178b1d1e | 3697 | idx += SetSequence(pbeLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3698 | idx += SetObjectId(pbeOidSz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3699 | XMEMCPY(out + idx, pbeOid, pbeOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3700 | idx += pbeOidSz; |
wolfSSL | 16:8e0d178b1d1e | 3701 | } |
wolfSSL | 16:8e0d178b1d1e | 3702 | else { |
wolfSSL | 16:8e0d178b1d1e | 3703 | /* PBES2 algorithm identifier */ |
wolfSSL | 16:8e0d178b1d1e | 3704 | idx += SetSequence(pbeLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3705 | idx += SetObjectId(pbeOidSz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3706 | XMEMCPY(out + idx, pbeOid, pbeOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3707 | idx += pbeOidSz; |
wolfSSL | 16:8e0d178b1d1e | 3708 | /* PBES2 Parameters: SEQ [ kdf ] SEQ [ enc ] */ |
wolfSSL | 16:8e0d178b1d1e | 3709 | idx += SetSequence(2 + kdfLen + 2 + encLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3710 | /* KDF Algorithm Identifier */ |
wolfSSL | 16:8e0d178b1d1e | 3711 | idx += SetSequence(kdfLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3712 | idx += SetObjectId(sizeof(pbkdf2Oid), out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3713 | XMEMCPY(out + idx, pbkdf2Oid, sizeof(pbkdf2Oid)); |
wolfSSL | 16:8e0d178b1d1e | 3714 | idx += sizeof(pbkdf2Oid); |
wolfSSL | 16:8e0d178b1d1e | 3715 | } |
wolfSSL | 16:8e0d178b1d1e | 3716 | idx += SetSequence(innerLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3717 | idx += SetOctetString(saltSz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3718 | XMEMCPY(out + idx, salt, saltSz); idx += saltSz; |
wolfSSL | 16:8e0d178b1d1e | 3719 | ret = SetShortInt(out, &idx, itt, *outSz); |
wolfSSL | 16:8e0d178b1d1e | 3720 | if (ret > 0) |
wolfSSL | 16:8e0d178b1d1e | 3721 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 3722 | } |
wolfSSL | 16:8e0d178b1d1e | 3723 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 3724 | if (version == PKCS5v2) { |
wolfSSL | 16:8e0d178b1d1e | 3725 | /* Encryption Algorithm Identifier */ |
wolfSSL | 16:8e0d178b1d1e | 3726 | idx += SetSequence(encLen, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3727 | idx += SetObjectId(encOidSz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3728 | XMEMCPY(out + idx, encOid, encOidSz); |
wolfSSL | 16:8e0d178b1d1e | 3729 | idx += encOidSz; |
wolfSSL | 16:8e0d178b1d1e | 3730 | /* Encryption Algorithm Parameter: CBC IV */ |
wolfSSL | 16:8e0d178b1d1e | 3731 | idx += SetOctetString(blockSz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3732 | XMEMCPY(out + idx, cbcIv, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 3733 | idx += blockSz; |
wolfSSL | 16:8e0d178b1d1e | 3734 | } |
wolfSSL | 16:8e0d178b1d1e | 3735 | idx += SetOctetString(pkcs8KeySz, out + idx); |
wolfSSL | 16:8e0d178b1d1e | 3736 | /* Default PRF - no need to write out OID */ |
wolfSSL | 16:8e0d178b1d1e | 3737 | idx += pkcs8KeySz; |
wolfSSL | 16:8e0d178b1d1e | 3738 | |
wolfSSL | 16:8e0d178b1d1e | 3739 | ret = idx; |
wolfSSL | 16:8e0d178b1d1e | 3740 | } |
wolfSSL | 16:8e0d178b1d1e | 3741 | |
wolfSSL | 16:8e0d178b1d1e | 3742 | if (pkcs8Key != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 3743 | ForceZero(pkcs8Key, pkcs8KeySz); |
wolfSSL | 16:8e0d178b1d1e | 3744 | XFREE(pkcs8Key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 3745 | } |
wolfSSL | 16:8e0d178b1d1e | 3746 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3747 | if (saltTmp != NULL) { |
wolfSSL | 15:117db924cf7c | 3748 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 3749 | } |
wolfSSL | 16:8e0d178b1d1e | 3750 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3751 | |
wolfSSL | 16:8e0d178b1d1e | 3752 | (void)rng; |
wolfSSL | 16:8e0d178b1d1e | 3753 | |
wolfSSL | 16:8e0d178b1d1e | 3754 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3755 | } |
wolfSSL | 16:8e0d178b1d1e | 3756 | |
wolfSSL | 16:8e0d178b1d1e | 3757 | #endif /* HAVE_PKCS8 */ |
wolfSSL | 16:8e0d178b1d1e | 3758 | |
wolfSSL | 16:8e0d178b1d1e | 3759 | #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) |
wolfSSL | 15:117db924cf7c | 3760 | /* decrypt PKCS |
wolfSSL | 15:117db924cf7c | 3761 | * |
wolfSSL | 15:117db924cf7c | 3762 | * NOTE: input buffer is overwritten with decrypted data! |
wolfSSL | 15:117db924cf7c | 3763 | * |
wolfSSL | 15:117db924cf7c | 3764 | * input[in/out] data to decrypt and results are written to |
wolfSSL | 15:117db924cf7c | 3765 | * sz size of input buffer |
wolfSSL | 15:117db924cf7c | 3766 | * password password if used. Can be NULL for no password |
wolfSSL | 15:117db924cf7c | 3767 | * passwordSz size of password buffer |
wolfSSL | 15:117db924cf7c | 3768 | * |
wolfSSL | 15:117db924cf7c | 3769 | * returns the total size of decrypted content on success. |
wolfSSL | 15:117db924cf7c | 3770 | */ |
wolfSSL | 16:8e0d178b1d1e | 3771 | int DecryptContent(byte* input, word32 sz, const char* password, int passwordSz) |
wolfSSL | 16:8e0d178b1d1e | 3772 | { |
wolfSSL | 16:8e0d178b1d1e | 3773 | word32 inOutIdx = 0, seqEnd, oid, shaOid = 0; |
wolfSSL | 16:8e0d178b1d1e | 3774 | int ret = 0, first, second, length = 0, version, saltSz, id; |
wolfSSL | 15:117db924cf7c | 3775 | int iterations = 0, keySz = 0; |
wolfSSL | 15:117db924cf7c | 3776 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3777 | byte* salt = NULL; |
wolfSSL | 15:117db924cf7c | 3778 | byte* cbcIv = NULL; |
wolfSSL | 15:117db924cf7c | 3779 | #else |
wolfSSL | 15:117db924cf7c | 3780 | byte salt[MAX_SALT_SIZE]; |
wolfSSL | 15:117db924cf7c | 3781 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 15:117db924cf7c | 3782 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3783 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 3784 | |
wolfSSL | 16:8e0d178b1d1e | 3785 | if (passwordSz < 0) { |
wolfSSL | 16:8e0d178b1d1e | 3786 | WOLFSSL_MSG("Bad password size"); |
wolfSSL | 16:8e0d178b1d1e | 3787 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 3788 | } |
wolfSSL | 15:117db924cf7c | 3789 | |
wolfSSL | 15:117db924cf7c | 3790 | if (GetAlgoId(input, &inOutIdx, &oid, oidIgnoreType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3791 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3792 | } |
wolfSSL | 15:117db924cf7c | 3793 | |
wolfSSL | 15:117db924cf7c | 3794 | first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */ |
wolfSSL | 15:117db924cf7c | 3795 | second = input[inOutIdx - 1]; /* version.algo, algo id last byte */ |
wolfSSL | 15:117db924cf7c | 3796 | |
wolfSSL | 16:8e0d178b1d1e | 3797 | if (CheckAlgo(first, second, &id, &version, NULL) < 0) { |
wolfSSL | 15:117db924cf7c | 3798 | ERROR_OUT(ASN_INPUT_E, exit_dc); /* Algo ID error */ |
wolfSSL | 15:117db924cf7c | 3799 | } |
wolfSSL | 15:117db924cf7c | 3800 | |
wolfSSL | 15:117db924cf7c | 3801 | if (version == PKCS5v2) { |
wolfSSL | 15:117db924cf7c | 3802 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3803 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3804 | } |
wolfSSL | 15:117db924cf7c | 3805 | |
wolfSSL | 15:117db924cf7c | 3806 | if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3807 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3808 | } |
wolfSSL | 15:117db924cf7c | 3809 | |
wolfSSL | 15:117db924cf7c | 3810 | if (oid != PBKDF2_OID) { |
wolfSSL | 15:117db924cf7c | 3811 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3812 | } |
wolfSSL | 15:117db924cf7c | 3813 | } |
wolfSSL | 15:117db924cf7c | 3814 | |
wolfSSL | 15:117db924cf7c | 3815 | if (GetSequence(input, &inOutIdx, &length, sz) <= 0) { |
wolfSSL | 15:117db924cf7c | 3816 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3817 | } |
wolfSSL | 15:117db924cf7c | 3818 | /* Find the end of this SEQUENCE so we can check for the OPTIONAL and |
wolfSSL | 15:117db924cf7c | 3819 | * DEFAULT items. */ |
wolfSSL | 15:117db924cf7c | 3820 | seqEnd = inOutIdx + length; |
wolfSSL | 15:117db924cf7c | 3821 | |
wolfSSL | 15:117db924cf7c | 3822 | ret = GetOctetString(input, &inOutIdx, &saltSz, sz); |
wolfSSL | 15:117db924cf7c | 3823 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3824 | goto exit_dc; |
wolfSSL | 15:117db924cf7c | 3825 | |
wolfSSL | 15:117db924cf7c | 3826 | if (saltSz > MAX_SALT_SIZE) { |
wolfSSL | 15:117db924cf7c | 3827 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3828 | } |
wolfSSL | 15:117db924cf7c | 3829 | |
wolfSSL | 15:117db924cf7c | 3830 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3831 | salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3832 | if (salt == NULL) { |
wolfSSL | 15:117db924cf7c | 3833 | ERROR_OUT(MEMORY_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3834 | } |
wolfSSL | 15:117db924cf7c | 3835 | #endif |
wolfSSL | 15:117db924cf7c | 3836 | |
wolfSSL | 15:117db924cf7c | 3837 | XMEMCPY(salt, &input[inOutIdx], saltSz); |
wolfSSL | 15:117db924cf7c | 3838 | inOutIdx += saltSz; |
wolfSSL | 15:117db924cf7c | 3839 | |
wolfSSL | 15:117db924cf7c | 3840 | if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3841 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3842 | } |
wolfSSL | 15:117db924cf7c | 3843 | |
wolfSSL | 15:117db924cf7c | 3844 | /* OPTIONAL key length */ |
wolfSSL | 16:8e0d178b1d1e | 3845 | if (seqEnd > inOutIdx) { |
wolfSSL | 16:8e0d178b1d1e | 3846 | word32 localIdx = inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 3847 | |
wolfSSL | 16:8e0d178b1d1e | 3848 | if (GetASNTag(input, &localIdx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 3849 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 16:8e0d178b1d1e | 3850 | } |
wolfSSL | 16:8e0d178b1d1e | 3851 | |
wolfSSL | 16:8e0d178b1d1e | 3852 | if (tag == ASN_INTEGER && |
wolfSSL | 16:8e0d178b1d1e | 3853 | GetShortInt(input, &inOutIdx, &keySz, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3854 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3855 | } |
wolfSSL | 15:117db924cf7c | 3856 | } |
wolfSSL | 15:117db924cf7c | 3857 | |
wolfSSL | 15:117db924cf7c | 3858 | /* DEFAULT HMAC is SHA-1 */ |
wolfSSL | 15:117db924cf7c | 3859 | if (seqEnd > inOutIdx) { |
wolfSSL | 15:117db924cf7c | 3860 | if (GetAlgoId(input, &inOutIdx, &oid, oidHmacType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3861 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3862 | } |
wolfSSL | 16:8e0d178b1d1e | 3863 | |
wolfSSL | 16:8e0d178b1d1e | 3864 | shaOid = oid; |
wolfSSL | 15:117db924cf7c | 3865 | } |
wolfSSL | 15:117db924cf7c | 3866 | |
wolfSSL | 15:117db924cf7c | 3867 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3868 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3869 | if (cbcIv == NULL) { |
wolfSSL | 15:117db924cf7c | 3870 | ERROR_OUT(MEMORY_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3871 | } |
wolfSSL | 15:117db924cf7c | 3872 | #endif |
wolfSSL | 15:117db924cf7c | 3873 | |
wolfSSL | 15:117db924cf7c | 3874 | if (version == PKCS5v2) { |
wolfSSL | 15:117db924cf7c | 3875 | /* get encryption algo */ |
wolfSSL | 15:117db924cf7c | 3876 | if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3877 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3878 | } |
wolfSSL | 15:117db924cf7c | 3879 | |
wolfSSL | 16:8e0d178b1d1e | 3880 | if (CheckAlgoV2(oid, &id, NULL) < 0) { |
wolfSSL | 15:117db924cf7c | 3881 | ERROR_OUT(ASN_PARSE_E, exit_dc); /* PKCS v2 algo id error */ |
wolfSSL | 15:117db924cf7c | 3882 | } |
wolfSSL | 15:117db924cf7c | 3883 | |
wolfSSL | 16:8e0d178b1d1e | 3884 | if (shaOid == 0) |
wolfSSL | 16:8e0d178b1d1e | 3885 | shaOid = oid; |
wolfSSL | 16:8e0d178b1d1e | 3886 | |
wolfSSL | 15:117db924cf7c | 3887 | ret = GetOctetString(input, &inOutIdx, &length, sz); |
wolfSSL | 15:117db924cf7c | 3888 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3889 | goto exit_dc; |
wolfSSL | 15:117db924cf7c | 3890 | |
wolfSSL | 15:117db924cf7c | 3891 | if (length > MAX_IV_SIZE) { |
wolfSSL | 15:117db924cf7c | 3892 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3893 | } |
wolfSSL | 15:117db924cf7c | 3894 | |
wolfSSL | 15:117db924cf7c | 3895 | XMEMCPY(cbcIv, &input[inOutIdx], length); |
wolfSSL | 15:117db924cf7c | 3896 | inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 3897 | } |
wolfSSL | 15:117db924cf7c | 3898 | |
wolfSSL | 16:8e0d178b1d1e | 3899 | if (GetASNTag(input, &inOutIdx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 3900 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 16:8e0d178b1d1e | 3901 | } |
wolfSSL | 16:8e0d178b1d1e | 3902 | |
wolfSSL | 16:8e0d178b1d1e | 3903 | if (tag != (ASN_CONTEXT_SPECIFIC | 0) && tag != ASN_OCTET_STRING) { |
wolfSSL | 15:117db924cf7c | 3904 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3905 | } |
wolfSSL | 15:117db924cf7c | 3906 | |
wolfSSL | 15:117db924cf7c | 3907 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 3908 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 15:117db924cf7c | 3909 | } |
wolfSSL | 15:117db924cf7c | 3910 | |
wolfSSL | 15:117db924cf7c | 3911 | ret = wc_CryptKey(password, passwordSz, salt, saltSz, iterations, id, |
wolfSSL | 16:8e0d178b1d1e | 3912 | input + inOutIdx, length, version, cbcIv, 0, shaOid); |
wolfSSL | 15:117db924cf7c | 3913 | |
wolfSSL | 15:117db924cf7c | 3914 | exit_dc: |
wolfSSL | 15:117db924cf7c | 3915 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 3916 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3917 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3918 | #endif |
wolfSSL | 15:117db924cf7c | 3919 | |
wolfSSL | 15:117db924cf7c | 3920 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 3921 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 15:117db924cf7c | 3922 | ret = length; |
wolfSSL | 15:117db924cf7c | 3923 | } |
wolfSSL | 15:117db924cf7c | 3924 | |
wolfSSL | 15:117db924cf7c | 3925 | return ret; |
wolfSSL | 15:117db924cf7c | 3926 | } |
wolfSSL | 16:8e0d178b1d1e | 3927 | |
wolfSSL | 16:8e0d178b1d1e | 3928 | |
wolfSSL | 16:8e0d178b1d1e | 3929 | /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning |
wolfSSL | 16:8e0d178b1d1e | 3930 | of input */ |
wolfSSL | 16:8e0d178b1d1e | 3931 | int ToTraditionalEnc(byte* input, word32 sz,const char* password, |
wolfSSL | 16:8e0d178b1d1e | 3932 | int passwordSz, word32* algId) |
wolfSSL | 16:8e0d178b1d1e | 3933 | { |
wolfSSL | 16:8e0d178b1d1e | 3934 | int ret, length; |
wolfSSL | 16:8e0d178b1d1e | 3935 | word32 inOutIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3936 | |
wolfSSL | 16:8e0d178b1d1e | 3937 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 3938 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 3939 | } |
wolfSSL | 16:8e0d178b1d1e | 3940 | else { |
wolfSSL | 16:8e0d178b1d1e | 3941 | ret = DecryptContent(input + inOutIdx, sz - inOutIdx, password, |
wolfSSL | 16:8e0d178b1d1e | 3942 | passwordSz); |
wolfSSL | 16:8e0d178b1d1e | 3943 | if (ret > 0) { |
wolfSSL | 16:8e0d178b1d1e | 3944 | XMEMMOVE(input, input + inOutIdx, ret); |
wolfSSL | 16:8e0d178b1d1e | 3945 | ret = ToTraditional_ex(input, ret, algId); |
wolfSSL | 16:8e0d178b1d1e | 3946 | } |
wolfSSL | 16:8e0d178b1d1e | 3947 | } |
wolfSSL | 16:8e0d178b1d1e | 3948 | |
wolfSSL | 16:8e0d178b1d1e | 3949 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3950 | } |
wolfSSL | 16:8e0d178b1d1e | 3951 | |
wolfSSL | 16:8e0d178b1d1e | 3952 | #endif /* HAVE_PKCS8 || HAVE_PKCS12 */ |
wolfSSL | 16:8e0d178b1d1e | 3953 | |
wolfSSL | 16:8e0d178b1d1e | 3954 | #ifdef HAVE_PKCS12 |
wolfSSL | 16:8e0d178b1d1e | 3955 | |
wolfSSL | 16:8e0d178b1d1e | 3956 | /* encrypt PKCS 12 content |
wolfSSL | 16:8e0d178b1d1e | 3957 | * |
wolfSSL | 16:8e0d178b1d1e | 3958 | * NOTE: if out is NULL then outSz is set with the total buffer size needed and |
wolfSSL | 16:8e0d178b1d1e | 3959 | * the error value LENGTH_ONLY_E is returned. |
wolfSSL | 16:8e0d178b1d1e | 3960 | * |
wolfSSL | 16:8e0d178b1d1e | 3961 | * input data to encrypt |
wolfSSL | 16:8e0d178b1d1e | 3962 | * inputSz size of input buffer |
wolfSSL | 16:8e0d178b1d1e | 3963 | * out buffer to hold the result |
wolfSSL | 16:8e0d178b1d1e | 3964 | * outSz size of out buffer |
wolfSSL | 16:8e0d178b1d1e | 3965 | * password password if used. Can be NULL for no password |
wolfSSL | 16:8e0d178b1d1e | 3966 | * passwordSz size of password buffer |
wolfSSL | 16:8e0d178b1d1e | 3967 | * vPKCS version of PKCS i.e. PKCS5v2 |
wolfSSL | 16:8e0d178b1d1e | 3968 | * vAlgo algorithm version |
wolfSSL | 16:8e0d178b1d1e | 3969 | * salt buffer holding salt if used. If NULL then a random salt is created |
wolfSSL | 16:8e0d178b1d1e | 3970 | * saltSz size of salt buffer if it is not NULL |
wolfSSL | 16:8e0d178b1d1e | 3971 | * itt number of iterations used |
wolfSSL | 16:8e0d178b1d1e | 3972 | * rng random number generator to use |
wolfSSL | 16:8e0d178b1d1e | 3973 | * heap possible heap hint for mallocs/frees |
wolfSSL | 16:8e0d178b1d1e | 3974 | * |
wolfSSL | 16:8e0d178b1d1e | 3975 | * returns the total size of encrypted content on success. |
wolfSSL | 16:8e0d178b1d1e | 3976 | * |
wolfSSL | 16:8e0d178b1d1e | 3977 | * data returned is : |
wolfSSL | 16:8e0d178b1d1e | 3978 | * [ seq - obj [ seq -salt,itt]] , construct with encrypted data |
wolfSSL | 16:8e0d178b1d1e | 3979 | */ |
wolfSSL | 16:8e0d178b1d1e | 3980 | int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, |
wolfSSL | 16:8e0d178b1d1e | 3981 | const char* password, int passwordSz, int vPKCS, int vAlgo, |
wolfSSL | 16:8e0d178b1d1e | 3982 | byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap) |
wolfSSL | 16:8e0d178b1d1e | 3983 | { |
wolfSSL | 16:8e0d178b1d1e | 3984 | word32 sz; |
wolfSSL | 16:8e0d178b1d1e | 3985 | word32 inOutIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3986 | word32 tmpIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 3987 | word32 totalSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3988 | word32 seqSz; |
wolfSSL | 16:8e0d178b1d1e | 3989 | word32 innerSz; |
wolfSSL | 16:8e0d178b1d1e | 3990 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 3991 | int version, id, blockSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3992 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 3993 | byte* saltTmp = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3994 | byte* cbcIv = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3995 | #else |
wolfSSL | 16:8e0d178b1d1e | 3996 | byte saltTmp[MAX_SALT_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 3997 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 3998 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3999 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4000 | byte shr[MAX_SHORT_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4001 | word32 maxShr = MAX_SHORT_SZ; |
wolfSSL | 16:8e0d178b1d1e | 4002 | word32 algoSz; |
wolfSSL | 16:8e0d178b1d1e | 4003 | const byte* algoName; |
wolfSSL | 16:8e0d178b1d1e | 4004 | |
wolfSSL | 16:8e0d178b1d1e | 4005 | (void)heap; |
wolfSSL | 16:8e0d178b1d1e | 4006 | |
wolfSSL | 16:8e0d178b1d1e | 4007 | WOLFSSL_ENTER("EncryptContent()"); |
wolfSSL | 16:8e0d178b1d1e | 4008 | |
wolfSSL | 16:8e0d178b1d1e | 4009 | if (CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4010 | return ASN_INPUT_E; /* Algo ID error */ |
wolfSSL | 16:8e0d178b1d1e | 4011 | |
wolfSSL | 16:8e0d178b1d1e | 4012 | if (version == PKCS5v2) { |
wolfSSL | 16:8e0d178b1d1e | 4013 | WOLFSSL_MSG("PKCS#5 version 2 not supported yet"); |
wolfSSL | 16:8e0d178b1d1e | 4014 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4015 | } |
wolfSSL | 16:8e0d178b1d1e | 4016 | |
wolfSSL | 16:8e0d178b1d1e | 4017 | if (saltSz > MAX_SALT_SIZE) |
wolfSSL | 16:8e0d178b1d1e | 4018 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4019 | |
wolfSSL | 16:8e0d178b1d1e | 4020 | if (outSz == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4021 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4022 | } |
wolfSSL | 16:8e0d178b1d1e | 4023 | |
wolfSSL | 16:8e0d178b1d1e | 4024 | /* calculate size */ |
wolfSSL | 16:8e0d178b1d1e | 4025 | /* size of constructed string at end */ |
wolfSSL | 16:8e0d178b1d1e | 4026 | sz = Pkcs8Pad(NULL, inputSz, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 4027 | totalSz = ASN_TAG_SZ; |
wolfSSL | 16:8e0d178b1d1e | 4028 | totalSz += SetLength(sz, seq); |
wolfSSL | 16:8e0d178b1d1e | 4029 | totalSz += sz; |
wolfSSL | 16:8e0d178b1d1e | 4030 | |
wolfSSL | 16:8e0d178b1d1e | 4031 | /* size of sequence holding object id and sub sequence of salt and itt */ |
wolfSSL | 16:8e0d178b1d1e | 4032 | algoName = OidFromId(id, oidPBEType, &algoSz); |
wolfSSL | 16:8e0d178b1d1e | 4033 | if (algoName == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4034 | WOLFSSL_MSG("Unknown Algorithm"); |
wolfSSL | 16:8e0d178b1d1e | 4035 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 4036 | } |
wolfSSL | 16:8e0d178b1d1e | 4037 | innerSz = SetObjectId(algoSz, seq); |
wolfSSL | 16:8e0d178b1d1e | 4038 | innerSz += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 4039 | |
wolfSSL | 16:8e0d178b1d1e | 4040 | /* get subsequence of salt and itt */ |
wolfSSL | 16:8e0d178b1d1e | 4041 | if (salt == NULL || saltSz == 0) { |
wolfSSL | 16:8e0d178b1d1e | 4042 | sz = 8; |
wolfSSL | 16:8e0d178b1d1e | 4043 | } |
wolfSSL | 16:8e0d178b1d1e | 4044 | else { |
wolfSSL | 16:8e0d178b1d1e | 4045 | sz = saltSz; |
wolfSSL | 16:8e0d178b1d1e | 4046 | } |
wolfSSL | 16:8e0d178b1d1e | 4047 | seqSz = SetOctetString(sz, seq); |
wolfSSL | 16:8e0d178b1d1e | 4048 | seqSz += sz; |
wolfSSL | 16:8e0d178b1d1e | 4049 | |
wolfSSL | 16:8e0d178b1d1e | 4050 | tmpIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 4051 | seqSz += SetShortInt(shr, &tmpIdx, itt, maxShr); |
wolfSSL | 16:8e0d178b1d1e | 4052 | innerSz += seqSz + SetSequence(seqSz, seq); |
wolfSSL | 16:8e0d178b1d1e | 4053 | totalSz += innerSz + SetSequence(innerSz, seq); |
wolfSSL | 16:8e0d178b1d1e | 4054 | |
wolfSSL | 16:8e0d178b1d1e | 4055 | if (out == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4056 | *outSz = totalSz; |
wolfSSL | 16:8e0d178b1d1e | 4057 | return LENGTH_ONLY_E; |
wolfSSL | 16:8e0d178b1d1e | 4058 | } |
wolfSSL | 16:8e0d178b1d1e | 4059 | |
wolfSSL | 16:8e0d178b1d1e | 4060 | inOutIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 4061 | if (totalSz > *outSz) |
wolfSSL | 16:8e0d178b1d1e | 4062 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4063 | |
wolfSSL | 16:8e0d178b1d1e | 4064 | inOutIdx += SetSequence(innerSz, out + inOutIdx); |
wolfSSL | 16:8e0d178b1d1e | 4065 | inOutIdx += SetObjectId(algoSz, out + inOutIdx); |
wolfSSL | 16:8e0d178b1d1e | 4066 | XMEMCPY(out + inOutIdx, algoName, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 4067 | inOutIdx += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 4068 | inOutIdx += SetSequence(seqSz, out + inOutIdx); |
wolfSSL | 16:8e0d178b1d1e | 4069 | |
wolfSSL | 16:8e0d178b1d1e | 4070 | /* create random salt if one not provided */ |
wolfSSL | 16:8e0d178b1d1e | 4071 | if (salt == NULL || saltSz == 0) { |
wolfSSL | 16:8e0d178b1d1e | 4072 | saltSz = 8; |
wolfSSL | 16:8e0d178b1d1e | 4073 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4074 | saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4075 | if (saltTmp == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4076 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4077 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4078 | salt = saltTmp; |
wolfSSL | 16:8e0d178b1d1e | 4079 | |
wolfSSL | 16:8e0d178b1d1e | 4080 | if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 4081 | WOLFSSL_MSG("Error generating random salt"); |
wolfSSL | 16:8e0d178b1d1e | 4082 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4083 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4084 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4085 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4086 | } |
wolfSSL | 16:8e0d178b1d1e | 4087 | } |
wolfSSL | 16:8e0d178b1d1e | 4088 | inOutIdx += SetOctetString(saltSz, out + inOutIdx); |
wolfSSL | 16:8e0d178b1d1e | 4089 | if (saltSz + inOutIdx > *outSz) { |
wolfSSL | 16:8e0d178b1d1e | 4090 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4091 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4092 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4093 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4094 | } |
wolfSSL | 16:8e0d178b1d1e | 4095 | XMEMCPY(out + inOutIdx, salt, saltSz); |
wolfSSL | 16:8e0d178b1d1e | 4096 | inOutIdx += saltSz; |
wolfSSL | 16:8e0d178b1d1e | 4097 | |
wolfSSL | 16:8e0d178b1d1e | 4098 | /* place iteration setting in buffer */ |
wolfSSL | 16:8e0d178b1d1e | 4099 | ret = SetShortInt(out, &inOutIdx, itt, *outSz); |
wolfSSL | 16:8e0d178b1d1e | 4100 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4101 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4102 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4103 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4104 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4105 | } |
wolfSSL | 16:8e0d178b1d1e | 4106 | |
wolfSSL | 16:8e0d178b1d1e | 4107 | if (inOutIdx + 1 > *outSz) { |
wolfSSL | 16:8e0d178b1d1e | 4108 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4109 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4110 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4111 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4112 | } |
wolfSSL | 16:8e0d178b1d1e | 4113 | out[inOutIdx++] = ASN_CONTEXT_SPECIFIC | 0; |
wolfSSL | 16:8e0d178b1d1e | 4114 | |
wolfSSL | 16:8e0d178b1d1e | 4115 | /* get pad size and verify buffer room */ |
wolfSSL | 16:8e0d178b1d1e | 4116 | sz = Pkcs8Pad(NULL, inputSz, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 4117 | if (sz + inOutIdx > *outSz) { |
wolfSSL | 16:8e0d178b1d1e | 4118 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4119 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4120 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4121 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4122 | } |
wolfSSL | 16:8e0d178b1d1e | 4123 | inOutIdx += SetLength(sz, out + inOutIdx); |
wolfSSL | 16:8e0d178b1d1e | 4124 | |
wolfSSL | 16:8e0d178b1d1e | 4125 | /* copy input to output buffer and pad end */ |
wolfSSL | 16:8e0d178b1d1e | 4126 | XMEMCPY(out + inOutIdx, input, inputSz); |
wolfSSL | 16:8e0d178b1d1e | 4127 | sz = Pkcs8Pad(out + inOutIdx, inputSz, blockSz); |
wolfSSL | 16:8e0d178b1d1e | 4128 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4129 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4130 | if (cbcIv == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4131 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4132 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4133 | } |
wolfSSL | 16:8e0d178b1d1e | 4134 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4135 | |
wolfSSL | 16:8e0d178b1d1e | 4136 | /* encrypt */ |
wolfSSL | 16:8e0d178b1d1e | 4137 | if ((ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id, |
wolfSSL | 16:8e0d178b1d1e | 4138 | out + inOutIdx, sz, version, cbcIv, 1, 0)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4139 | |
wolfSSL | 16:8e0d178b1d1e | 4140 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4141 | XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4142 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4143 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4144 | return ret; /* encrypt failure */ |
wolfSSL | 16:8e0d178b1d1e | 4145 | } |
wolfSSL | 16:8e0d178b1d1e | 4146 | |
wolfSSL | 16:8e0d178b1d1e | 4147 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4148 | XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4149 | XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4150 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4151 | |
wolfSSL | 16:8e0d178b1d1e | 4152 | (void)rng; |
wolfSSL | 16:8e0d178b1d1e | 4153 | |
wolfSSL | 16:8e0d178b1d1e | 4154 | return inOutIdx + sz; |
wolfSSL | 16:8e0d178b1d1e | 4155 | } |
wolfSSL | 16:8e0d178b1d1e | 4156 | |
wolfSSL | 16:8e0d178b1d1e | 4157 | |
wolfSSL | 16:8e0d178b1d1e | 4158 | #endif /* HAVE_PKCS12 */ |
wolfSSL | 15:117db924cf7c | 4159 | #endif /* NO_PWDBASED */ |
wolfSSL | 15:117db924cf7c | 4160 | |
wolfSSL | 15:117db924cf7c | 4161 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 4162 | |
wolfSSL | 15:117db924cf7c | 4163 | #ifndef HAVE_USER_RSA |
wolfSSL | 16:8e0d178b1d1e | 4164 | #ifdef WOLFSSL_RENESAS_TSIP |
wolfSSL | 16:8e0d178b1d1e | 4165 | /* This function is to retrieve key position information in a cert.* |
wolfSSL | 16:8e0d178b1d1e | 4166 | * The information will be used to call TSIP TLS-linked API for * |
wolfSSL | 16:8e0d178b1d1e | 4167 | * certificate verification. */ |
wolfSSL | 16:8e0d178b1d1e | 4168 | static int RsaPublicKeyDecodeRawIndex(const byte* input, word32* inOutIdx, |
wolfSSL | 16:8e0d178b1d1e | 4169 | word32 inSz, word32* key_n, |
wolfSSL | 16:8e0d178b1d1e | 4170 | word32* key_n_len, word32* key_e, |
wolfSSL | 16:8e0d178b1d1e | 4171 | word32* key_e_len) |
wolfSSL | 16:8e0d178b1d1e | 4172 | { |
wolfSSL | 16:8e0d178b1d1e | 4173 | |
wolfSSL | 16:8e0d178b1d1e | 4174 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4175 | int length = 0; |
wolfSSL | 15:117db924cf7c | 4176 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 15:117db924cf7c | 4177 | byte b; |
wolfSSL | 15:117db924cf7c | 4178 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4179 | |
wolfSSL | 16:8e0d178b1d1e | 4180 | if (input == NULL || inOutIdx == NULL) |
wolfSSL | 15:117db924cf7c | 4181 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4182 | |
wolfSSL | 15:117db924cf7c | 4183 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4184 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4185 | |
wolfSSL | 15:117db924cf7c | 4186 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 15:117db924cf7c | 4187 | if ((*inOutIdx + 1) > inSz) |
wolfSSL | 15:117db924cf7c | 4188 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 4189 | |
wolfSSL | 15:117db924cf7c | 4190 | b = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 4191 | if (b != ASN_INTEGER) { |
wolfSSL | 15:117db924cf7c | 4192 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 15:117db924cf7c | 4193 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4194 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4195 | |
wolfSSL | 15:117db924cf7c | 4196 | if (SkipObjectId(input, inOutIdx, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4197 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4198 | |
wolfSSL | 15:117db924cf7c | 4199 | /* Option NULL ASN.1 tag */ |
wolfSSL | 15:117db924cf7c | 4200 | if (*inOutIdx >= inSz) { |
wolfSSL | 15:117db924cf7c | 4201 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 4202 | } |
wolfSSL | 15:117db924cf7c | 4203 | if (input[*inOutIdx] == ASN_TAG_NULL) { |
wolfSSL | 15:117db924cf7c | 4204 | ret = GetASNNull(input, inOutIdx, inSz); |
wolfSSL | 15:117db924cf7c | 4205 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4206 | return ret; |
wolfSSL | 15:117db924cf7c | 4207 | } |
wolfSSL | 15:117db924cf7c | 4208 | |
wolfSSL | 15:117db924cf7c | 4209 | /* should have bit tag length and seq next */ |
wolfSSL | 15:117db924cf7c | 4210 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 15:117db924cf7c | 4211 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4212 | return ret; |
wolfSSL | 15:117db924cf7c | 4213 | |
wolfSSL | 15:117db924cf7c | 4214 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4215 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4216 | } |
wolfSSL | 15:117db924cf7c | 4217 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 4218 | |
wolfSSL | 16:8e0d178b1d1e | 4219 | /* Get modulus */ |
wolfSSL | 16:8e0d178b1d1e | 4220 | ret = GetASNInt(input, inOutIdx, &length, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4221 | *key_n += *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4222 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 4223 | return ASN_RSA_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4224 | } |
wolfSSL | 16:8e0d178b1d1e | 4225 | if (key_n_len) |
wolfSSL | 16:8e0d178b1d1e | 4226 | *key_n_len = length; |
wolfSSL | 16:8e0d178b1d1e | 4227 | *inOutIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 4228 | |
wolfSSL | 16:8e0d178b1d1e | 4229 | /* Get exponent */ |
wolfSSL | 16:8e0d178b1d1e | 4230 | ret = GetASNInt(input, inOutIdx, &length, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4231 | *key_e += *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4232 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 4233 | return ASN_RSA_KEY_E; |
wolfSSL | 15:117db924cf7c | 4234 | } |
wolfSSL | 16:8e0d178b1d1e | 4235 | if (key_e_len) |
wolfSSL | 16:8e0d178b1d1e | 4236 | *key_e_len = length; |
wolfSSL | 16:8e0d178b1d1e | 4237 | |
wolfSSL | 16:8e0d178b1d1e | 4238 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4239 | } |
wolfSSL | 16:8e0d178b1d1e | 4240 | #endif /* WOLFSSL_RENESAS_TSIP */ |
wolfSSL | 16:8e0d178b1d1e | 4241 | |
wolfSSL | 16:8e0d178b1d1e | 4242 | int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, |
wolfSSL | 16:8e0d178b1d1e | 4243 | const byte** n, word32* nSz, const byte** e, word32* eSz) |
wolfSSL | 16:8e0d178b1d1e | 4244 | { |
wolfSSL | 16:8e0d178b1d1e | 4245 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4246 | int length = 0; |
wolfSSL | 16:8e0d178b1d1e | 4247 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 16:8e0d178b1d1e | 4248 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 4249 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 4250 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4251 | |
wolfSSL | 16:8e0d178b1d1e | 4252 | if (input == NULL || inOutIdx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4253 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4254 | |
wolfSSL | 16:8e0d178b1d1e | 4255 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4256 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4257 | |
wolfSSL | 16:8e0d178b1d1e | 4258 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 16:8e0d178b1d1e | 4259 | localIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4260 | if (GetASNTag(input, &localIdx, &tag, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4261 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4262 | |
wolfSSL | 16:8e0d178b1d1e | 4263 | if (tag != ASN_INTEGER) { |
wolfSSL | 16:8e0d178b1d1e | 4264 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 16:8e0d178b1d1e | 4265 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4266 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4267 | |
wolfSSL | 16:8e0d178b1d1e | 4268 | if (SkipObjectId(input, inOutIdx, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4269 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4270 | |
wolfSSL | 16:8e0d178b1d1e | 4271 | /* Option NULL ASN.1 tag */ |
wolfSSL | 16:8e0d178b1d1e | 4272 | if (*inOutIdx >= inSz) { |
wolfSSL | 16:8e0d178b1d1e | 4273 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4274 | } |
wolfSSL | 16:8e0d178b1d1e | 4275 | |
wolfSSL | 16:8e0d178b1d1e | 4276 | localIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4277 | if (GetASNTag(input, &localIdx, &tag, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4278 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4279 | |
wolfSSL | 16:8e0d178b1d1e | 4280 | if (tag == ASN_TAG_NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4281 | ret = GetASNNull(input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4282 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 4283 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4284 | } |
wolfSSL | 16:8e0d178b1d1e | 4285 | |
wolfSSL | 16:8e0d178b1d1e | 4286 | /* should have bit tag length and seq next */ |
wolfSSL | 16:8e0d178b1d1e | 4287 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 16:8e0d178b1d1e | 4288 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 4289 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4290 | |
wolfSSL | 16:8e0d178b1d1e | 4291 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4292 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4293 | } |
wolfSSL | 16:8e0d178b1d1e | 4294 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 4295 | |
wolfSSL | 16:8e0d178b1d1e | 4296 | /* Get modulus */ |
wolfSSL | 16:8e0d178b1d1e | 4297 | ret = GetASNInt(input, inOutIdx, &length, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4298 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4299 | return ASN_RSA_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4300 | } |
wolfSSL | 16:8e0d178b1d1e | 4301 | if (nSz) |
wolfSSL | 16:8e0d178b1d1e | 4302 | *nSz = length; |
wolfSSL | 16:8e0d178b1d1e | 4303 | if (n) |
wolfSSL | 16:8e0d178b1d1e | 4304 | *n = &input[*inOutIdx]; |
wolfSSL | 16:8e0d178b1d1e | 4305 | *inOutIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 4306 | |
wolfSSL | 16:8e0d178b1d1e | 4307 | /* Get exponent */ |
wolfSSL | 16:8e0d178b1d1e | 4308 | ret = GetASNInt(input, inOutIdx, &length, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4309 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4310 | return ASN_RSA_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4311 | } |
wolfSSL | 16:8e0d178b1d1e | 4312 | if (eSz) |
wolfSSL | 16:8e0d178b1d1e | 4313 | *eSz = length; |
wolfSSL | 16:8e0d178b1d1e | 4314 | if (e) |
wolfSSL | 16:8e0d178b1d1e | 4315 | *e = &input[*inOutIdx]; |
wolfSSL | 16:8e0d178b1d1e | 4316 | *inOutIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 4317 | |
wolfSSL | 16:8e0d178b1d1e | 4318 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4319 | } |
wolfSSL | 16:8e0d178b1d1e | 4320 | |
wolfSSL | 16:8e0d178b1d1e | 4321 | int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 16:8e0d178b1d1e | 4322 | word32 inSz) |
wolfSSL | 16:8e0d178b1d1e | 4323 | { |
wolfSSL | 16:8e0d178b1d1e | 4324 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 4325 | const byte *n = NULL, *e = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4326 | word32 nSz = 0, eSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 4327 | |
wolfSSL | 16:8e0d178b1d1e | 4328 | if (key == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4329 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4330 | |
wolfSSL | 16:8e0d178b1d1e | 4331 | ret = wc_RsaPublicKeyDecode_ex(input, inOutIdx, inSz, &n, &nSz, &e, &eSz); |
wolfSSL | 16:8e0d178b1d1e | 4332 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 4333 | ret = wc_RsaPublicKeyDecodeRaw(n, nSz, e, eSz, key); |
wolfSSL | 16:8e0d178b1d1e | 4334 | } |
wolfSSL | 16:8e0d178b1d1e | 4335 | |
wolfSSL | 16:8e0d178b1d1e | 4336 | return ret; |
wolfSSL | 15:117db924cf7c | 4337 | } |
wolfSSL | 15:117db924cf7c | 4338 | |
wolfSSL | 15:117db924cf7c | 4339 | /* import RSA public key elements (n, e) into RsaKey structure (key) */ |
wolfSSL | 15:117db924cf7c | 4340 | int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, |
wolfSSL | 15:117db924cf7c | 4341 | word32 eSz, RsaKey* key) |
wolfSSL | 15:117db924cf7c | 4342 | { |
wolfSSL | 15:117db924cf7c | 4343 | if (n == NULL || e == NULL || key == NULL) |
wolfSSL | 15:117db924cf7c | 4344 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4345 | |
wolfSSL | 15:117db924cf7c | 4346 | key->type = RSA_PUBLIC; |
wolfSSL | 15:117db924cf7c | 4347 | |
wolfSSL | 15:117db924cf7c | 4348 | if (mp_init(&key->n) != MP_OKAY) |
wolfSSL | 15:117db924cf7c | 4349 | return MP_INIT_E; |
wolfSSL | 15:117db924cf7c | 4350 | |
wolfSSL | 15:117db924cf7c | 4351 | if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) { |
wolfSSL | 15:117db924cf7c | 4352 | mp_clear(&key->n); |
wolfSSL | 15:117db924cf7c | 4353 | return ASN_GETINT_E; |
wolfSSL | 15:117db924cf7c | 4354 | } |
wolfSSL | 16:8e0d178b1d1e | 4355 | #ifdef HAVE_WOLF_BIGINT |
wolfSSL | 16:8e0d178b1d1e | 4356 | if ((int)nSz > 0 && wc_bigint_from_unsigned_bin(&key->n.raw, n, nSz) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 4357 | mp_clear(&key->n); |
wolfSSL | 16:8e0d178b1d1e | 4358 | return ASN_GETINT_E; |
wolfSSL | 16:8e0d178b1d1e | 4359 | } |
wolfSSL | 16:8e0d178b1d1e | 4360 | #endif /* HAVE_WOLF_BIGINT */ |
wolfSSL | 15:117db924cf7c | 4361 | |
wolfSSL | 15:117db924cf7c | 4362 | if (mp_init(&key->e) != MP_OKAY) { |
wolfSSL | 15:117db924cf7c | 4363 | mp_clear(&key->n); |
wolfSSL | 15:117db924cf7c | 4364 | return MP_INIT_E; |
wolfSSL | 15:117db924cf7c | 4365 | } |
wolfSSL | 15:117db924cf7c | 4366 | |
wolfSSL | 15:117db924cf7c | 4367 | if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) { |
wolfSSL | 15:117db924cf7c | 4368 | mp_clear(&key->n); |
wolfSSL | 15:117db924cf7c | 4369 | mp_clear(&key->e); |
wolfSSL | 15:117db924cf7c | 4370 | return ASN_GETINT_E; |
wolfSSL | 15:117db924cf7c | 4371 | } |
wolfSSL | 16:8e0d178b1d1e | 4372 | #ifdef HAVE_WOLF_BIGINT |
wolfSSL | 16:8e0d178b1d1e | 4373 | if ((int)eSz > 0 && wc_bigint_from_unsigned_bin(&key->e.raw, e, eSz) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 4374 | mp_clear(&key->n); |
wolfSSL | 16:8e0d178b1d1e | 4375 | mp_clear(&key->e); |
wolfSSL | 16:8e0d178b1d1e | 4376 | return ASN_GETINT_E; |
wolfSSL | 16:8e0d178b1d1e | 4377 | } |
wolfSSL | 16:8e0d178b1d1e | 4378 | #endif /* HAVE_WOLF_BIGINT */ |
wolfSSL | 15:117db924cf7c | 4379 | |
wolfSSL | 15:117db924cf7c | 4380 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 15:117db924cf7c | 4381 | if (wc_InitRsaHw(key) != 0) { |
wolfSSL | 15:117db924cf7c | 4382 | return BAD_STATE_E; |
wolfSSL | 15:117db924cf7c | 4383 | } |
wolfSSL | 15:117db924cf7c | 4384 | #endif |
wolfSSL | 15:117db924cf7c | 4385 | |
wolfSSL | 15:117db924cf7c | 4386 | return 0; |
wolfSSL | 15:117db924cf7c | 4387 | } |
wolfSSL | 15:117db924cf7c | 4388 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 16:8e0d178b1d1e | 4389 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 4390 | |
wolfSSL | 15:117db924cf7c | 4391 | #ifndef NO_DH |
wolfSSL | 15:117db924cf7c | 4392 | |
wolfSSL | 15:117db924cf7c | 4393 | int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) |
wolfSSL | 15:117db924cf7c | 4394 | { |
wolfSSL | 16:8e0d178b1d1e | 4395 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4396 | int length; |
wolfSSL | 16:8e0d178b1d1e | 4397 | #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) |
wolfSSL | 16:8e0d178b1d1e | 4398 | word32 oid = 0, temp = 0; |
wolfSSL | 16:8e0d178b1d1e | 4399 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4400 | |
wolfSSL | 16:8e0d178b1d1e | 4401 | WOLFSSL_ENTER("wc_DhKeyDecode"); |
wolfSSL | 16:8e0d178b1d1e | 4402 | |
wolfSSL | 16:8e0d178b1d1e | 4403 | if (inOutIdx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4404 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4405 | |
wolfSSL | 15:117db924cf7c | 4406 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4407 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4408 | |
wolfSSL | 16:8e0d178b1d1e | 4409 | #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) |
wolfSSL | 16:8e0d178b1d1e | 4410 | temp = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4411 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4412 | |
wolfSSL | 16:8e0d178b1d1e | 4413 | /* Assume input started after 1.2.840.113549.1.3.1 dhKeyAgreement */ |
wolfSSL | 15:117db924cf7c | 4414 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 4415 | GetInt(&key->g, input, inOutIdx, inSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4416 | ret = ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4417 | } |
wolfSSL | 16:8e0d178b1d1e | 4418 | |
wolfSSL | 16:8e0d178b1d1e | 4419 | #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) |
wolfSSL | 16:8e0d178b1d1e | 4420 | /* If ASN_DH_KEY_E: Check if input started at beginning of key */ |
wolfSSL | 16:8e0d178b1d1e | 4421 | if (ret == ASN_DH_KEY_E) { |
wolfSSL | 16:8e0d178b1d1e | 4422 | /* rewind back to after the first sequence */ |
wolfSSL | 16:8e0d178b1d1e | 4423 | *inOutIdx = temp; |
wolfSSL | 16:8e0d178b1d1e | 4424 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4425 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4426 | |
wolfSSL | 16:8e0d178b1d1e | 4427 | /* Check for dhKeyAgreement */ |
wolfSSL | 16:8e0d178b1d1e | 4428 | ret = GetObjectId(input, inOutIdx, &oid, oidKeyType, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4429 | if (oid != DHk || ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 4430 | return ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4431 | |
wolfSSL | 16:8e0d178b1d1e | 4432 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4433 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4434 | |
wolfSSL | 16:8e0d178b1d1e | 4435 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4436 | GetInt(&key->g, input, inOutIdx, inSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4437 | return ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4438 | } |
wolfSSL | 16:8e0d178b1d1e | 4439 | } |
wolfSSL | 16:8e0d178b1d1e | 4440 | |
wolfSSL | 16:8e0d178b1d1e | 4441 | temp = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4442 | ret = (CheckBitString(input, inOutIdx, &length, inSz, 0, NULL) == 0); |
wolfSSL | 16:8e0d178b1d1e | 4443 | if (ret > 0) { |
wolfSSL | 16:8e0d178b1d1e | 4444 | /* Found Bit String */ |
wolfSSL | 16:8e0d178b1d1e | 4445 | if (GetInt(&key->pub, input, inOutIdx, inSz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 4446 | WOLFSSL_MSG("Found Public Key"); |
wolfSSL | 16:8e0d178b1d1e | 4447 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4448 | } |
wolfSSL | 16:8e0d178b1d1e | 4449 | } else { |
wolfSSL | 16:8e0d178b1d1e | 4450 | *inOutIdx = temp; |
wolfSSL | 16:8e0d178b1d1e | 4451 | ret = (GetOctetString(input, inOutIdx, &length, inSz) >= 0); |
wolfSSL | 16:8e0d178b1d1e | 4452 | if (ret > 0) { |
wolfSSL | 16:8e0d178b1d1e | 4453 | /* Found Octet String */ |
wolfSSL | 16:8e0d178b1d1e | 4454 | if (GetInt(&key->priv, input, inOutIdx, inSz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 4455 | WOLFSSL_MSG("Found Private Key"); |
wolfSSL | 16:8e0d178b1d1e | 4456 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4457 | } |
wolfSSL | 16:8e0d178b1d1e | 4458 | } else { |
wolfSSL | 16:8e0d178b1d1e | 4459 | /* Don't use length from failed CheckBitString/GetOctetString */ |
wolfSSL | 16:8e0d178b1d1e | 4460 | *inOutIdx = temp; |
wolfSSL | 16:8e0d178b1d1e | 4461 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4462 | } |
wolfSSL | 16:8e0d178b1d1e | 4463 | } |
wolfSSL | 16:8e0d178b1d1e | 4464 | #endif /* WOLFSSL_QT || OPENSSL_ALL */ |
wolfSSL | 16:8e0d178b1d1e | 4465 | |
wolfSSL | 16:8e0d178b1d1e | 4466 | WOLFSSL_MSG("wc_DhKeyDecode Success"); |
wolfSSL | 16:8e0d178b1d1e | 4467 | |
wolfSSL | 16:8e0d178b1d1e | 4468 | return ret; |
wolfSSL | 15:117db924cf7c | 4469 | } |
wolfSSL | 15:117db924cf7c | 4470 | |
wolfSSL | 15:117db924cf7c | 4471 | |
wolfSSL | 15:117db924cf7c | 4472 | int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, |
wolfSSL | 15:117db924cf7c | 4473 | byte* g, word32* gInOutSz) |
wolfSSL | 15:117db924cf7c | 4474 | { |
wolfSSL | 15:117db924cf7c | 4475 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 4476 | int ret; |
wolfSSL | 15:117db924cf7c | 4477 | int length; |
wolfSSL | 15:117db924cf7c | 4478 | |
wolfSSL | 15:117db924cf7c | 4479 | if (GetSequence(input, &idx, &length, inSz) <= 0) |
wolfSSL | 15:117db924cf7c | 4480 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4481 | |
wolfSSL | 15:117db924cf7c | 4482 | ret = GetASNInt(input, &idx, &length, inSz); |
wolfSSL | 15:117db924cf7c | 4483 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4484 | return ret; |
wolfSSL | 15:117db924cf7c | 4485 | |
wolfSSL | 15:117db924cf7c | 4486 | if (length <= (int)*pInOutSz) { |
wolfSSL | 15:117db924cf7c | 4487 | XMEMCPY(p, &input[idx], length); |
wolfSSL | 15:117db924cf7c | 4488 | *pInOutSz = length; |
wolfSSL | 15:117db924cf7c | 4489 | } |
wolfSSL | 15:117db924cf7c | 4490 | else { |
wolfSSL | 15:117db924cf7c | 4491 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 4492 | } |
wolfSSL | 15:117db924cf7c | 4493 | idx += length; |
wolfSSL | 15:117db924cf7c | 4494 | |
wolfSSL | 15:117db924cf7c | 4495 | ret = GetASNInt(input, &idx, &length, inSz); |
wolfSSL | 15:117db924cf7c | 4496 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4497 | return ret; |
wolfSSL | 15:117db924cf7c | 4498 | |
wolfSSL | 15:117db924cf7c | 4499 | if (length <= (int)*gInOutSz) { |
wolfSSL | 15:117db924cf7c | 4500 | XMEMCPY(g, &input[idx], length); |
wolfSSL | 15:117db924cf7c | 4501 | *gInOutSz = length; |
wolfSSL | 15:117db924cf7c | 4502 | } |
wolfSSL | 15:117db924cf7c | 4503 | else { |
wolfSSL | 15:117db924cf7c | 4504 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 4505 | } |
wolfSSL | 15:117db924cf7c | 4506 | |
wolfSSL | 15:117db924cf7c | 4507 | return 0; |
wolfSSL | 15:117db924cf7c | 4508 | } |
wolfSSL | 15:117db924cf7c | 4509 | #endif /* NO_DH */ |
wolfSSL | 15:117db924cf7c | 4510 | |
wolfSSL | 15:117db924cf7c | 4511 | |
wolfSSL | 15:117db924cf7c | 4512 | #ifndef NO_DSA |
wolfSSL | 15:117db924cf7c | 4513 | |
wolfSSL | 15:117db924cf7c | 4514 | int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 15:117db924cf7c | 4515 | word32 inSz) |
wolfSSL | 15:117db924cf7c | 4516 | { |
wolfSSL | 15:117db924cf7c | 4517 | int length; |
wolfSSL | 16:8e0d178b1d1e | 4518 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4519 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 4520 | |
wolfSSL | 16:8e0d178b1d1e | 4521 | if (input == NULL || inOutIdx == NULL || key == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4522 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4523 | |
wolfSSL | 15:117db924cf7c | 4524 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4525 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4526 | |
wolfSSL | 15:117db924cf7c | 4527 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 4528 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 4529 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 15:117db924cf7c | 4530 | GetInt(&key->y, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 16:8e0d178b1d1e | 4531 | ret = ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4532 | |
wolfSSL | 16:8e0d178b1d1e | 4533 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 4534 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4535 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4536 | |
wolfSSL | 16:8e0d178b1d1e | 4537 | ret = GetObjectId(input, inOutIdx, &oid, oidIgnoreType, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4538 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 4539 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4540 | |
wolfSSL | 16:8e0d178b1d1e | 4541 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4542 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4543 | |
wolfSSL | 16:8e0d178b1d1e | 4544 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4545 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4546 | GetInt(&key->g, input, inOutIdx, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4547 | return ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4548 | |
wolfSSL | 16:8e0d178b1d1e | 4549 | if (CheckBitString(input, inOutIdx, &length, inSz, 0, NULL) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4550 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4551 | |
wolfSSL | 16:8e0d178b1d1e | 4552 | if (GetInt(&key->y, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 16:8e0d178b1d1e | 4553 | return ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4554 | |
wolfSSL | 16:8e0d178b1d1e | 4555 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4556 | } |
wolfSSL | 15:117db924cf7c | 4557 | |
wolfSSL | 15:117db924cf7c | 4558 | key->type = DSA_PUBLIC; |
wolfSSL | 16:8e0d178b1d1e | 4559 | return ret; |
wolfSSL | 15:117db924cf7c | 4560 | } |
wolfSSL | 15:117db924cf7c | 4561 | |
wolfSSL | 15:117db924cf7c | 4562 | |
wolfSSL | 15:117db924cf7c | 4563 | int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 15:117db924cf7c | 4564 | word32 inSz) |
wolfSSL | 15:117db924cf7c | 4565 | { |
wolfSSL | 16:8e0d178b1d1e | 4566 | int length, version, ret = 0, temp = 0; |
wolfSSL | 15:117db924cf7c | 4567 | |
wolfSSL | 15:117db924cf7c | 4568 | /* Sanity checks on input */ |
wolfSSL | 15:117db924cf7c | 4569 | if (input == NULL || inOutIdx == NULL || key == NULL) { |
wolfSSL | 15:117db924cf7c | 4570 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4571 | } |
wolfSSL | 15:117db924cf7c | 4572 | |
wolfSSL | 15:117db924cf7c | 4573 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 4574 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 4575 | |
wolfSSL | 16:8e0d178b1d1e | 4576 | temp = (int)*inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 4577 | |
wolfSSL | 16:8e0d178b1d1e | 4578 | /* Default case expects a certificate with OctetString but no version ID */ |
wolfSSL | 16:8e0d178b1d1e | 4579 | ret = GetInt(&key->p, input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4580 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4581 | mp_clear(&key->p); |
wolfSSL | 16:8e0d178b1d1e | 4582 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4583 | } |
wolfSSL | 16:8e0d178b1d1e | 4584 | else { |
wolfSSL | 16:8e0d178b1d1e | 4585 | ret = GetInt(&key->q, input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4586 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4587 | mp_clear(&key->p); |
wolfSSL | 16:8e0d178b1d1e | 4588 | mp_clear(&key->q); |
wolfSSL | 16:8e0d178b1d1e | 4589 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4590 | } |
wolfSSL | 16:8e0d178b1d1e | 4591 | else { |
wolfSSL | 16:8e0d178b1d1e | 4592 | ret = GetInt(&key->g, input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4593 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4594 | mp_clear(&key->p); |
wolfSSL | 16:8e0d178b1d1e | 4595 | mp_clear(&key->q); |
wolfSSL | 16:8e0d178b1d1e | 4596 | mp_clear(&key->g); |
wolfSSL | 16:8e0d178b1d1e | 4597 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4598 | } |
wolfSSL | 16:8e0d178b1d1e | 4599 | else { |
wolfSSL | 16:8e0d178b1d1e | 4600 | ret = GetOctetString(input, inOutIdx, &length, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4601 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4602 | mp_clear(&key->p); |
wolfSSL | 16:8e0d178b1d1e | 4603 | mp_clear(&key->q); |
wolfSSL | 16:8e0d178b1d1e | 4604 | mp_clear(&key->g); |
wolfSSL | 16:8e0d178b1d1e | 4605 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4606 | } |
wolfSSL | 16:8e0d178b1d1e | 4607 | else { |
wolfSSL | 16:8e0d178b1d1e | 4608 | ret = GetInt(&key->y, input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 4609 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4610 | mp_clear(&key->p); |
wolfSSL | 16:8e0d178b1d1e | 4611 | mp_clear(&key->q); |
wolfSSL | 16:8e0d178b1d1e | 4612 | mp_clear(&key->g); |
wolfSSL | 16:8e0d178b1d1e | 4613 | mp_clear(&key->y); |
wolfSSL | 16:8e0d178b1d1e | 4614 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4615 | } |
wolfSSL | 16:8e0d178b1d1e | 4616 | } |
wolfSSL | 16:8e0d178b1d1e | 4617 | } |
wolfSSL | 16:8e0d178b1d1e | 4618 | } |
wolfSSL | 16:8e0d178b1d1e | 4619 | } |
wolfSSL | 16:8e0d178b1d1e | 4620 | /* An alternate pass if default certificate fails parsing */ |
wolfSSL | 16:8e0d178b1d1e | 4621 | if (ret == ASN_PARSE_E) { |
wolfSSL | 16:8e0d178b1d1e | 4622 | *inOutIdx = temp; |
wolfSSL | 16:8e0d178b1d1e | 4623 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 4624 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 4625 | |
wolfSSL | 16:8e0d178b1d1e | 4626 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4627 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4628 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4629 | GetInt(&key->y, input, inOutIdx, inSz) < 0 || |
wolfSSL | 16:8e0d178b1d1e | 4630 | GetInt(&key->x, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 16:8e0d178b1d1e | 4631 | return ASN_DH_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 4632 | } |
wolfSSL | 15:117db924cf7c | 4633 | |
wolfSSL | 15:117db924cf7c | 4634 | key->type = DSA_PRIVATE; |
wolfSSL | 15:117db924cf7c | 4635 | return 0; |
wolfSSL | 15:117db924cf7c | 4636 | } |
wolfSSL | 15:117db924cf7c | 4637 | |
wolfSSL | 15:117db924cf7c | 4638 | static mp_int* GetDsaInt(DsaKey* key, int idx) |
wolfSSL | 15:117db924cf7c | 4639 | { |
wolfSSL | 15:117db924cf7c | 4640 | if (idx == 0) |
wolfSSL | 15:117db924cf7c | 4641 | return &key->p; |
wolfSSL | 15:117db924cf7c | 4642 | if (idx == 1) |
wolfSSL | 15:117db924cf7c | 4643 | return &key->q; |
wolfSSL | 15:117db924cf7c | 4644 | if (idx == 2) |
wolfSSL | 15:117db924cf7c | 4645 | return &key->g; |
wolfSSL | 15:117db924cf7c | 4646 | if (idx == 3) |
wolfSSL | 15:117db924cf7c | 4647 | return &key->y; |
wolfSSL | 15:117db924cf7c | 4648 | if (idx == 4) |
wolfSSL | 15:117db924cf7c | 4649 | return &key->x; |
wolfSSL | 15:117db924cf7c | 4650 | |
wolfSSL | 15:117db924cf7c | 4651 | return NULL; |
wolfSSL | 15:117db924cf7c | 4652 | } |
wolfSSL | 15:117db924cf7c | 4653 | |
wolfSSL | 15:117db924cf7c | 4654 | /* Release Tmp DSA resources */ |
wolfSSL | 15:117db924cf7c | 4655 | static WC_INLINE void FreeTmpDsas(byte** tmps, void* heap) |
wolfSSL | 15:117db924cf7c | 4656 | { |
wolfSSL | 15:117db924cf7c | 4657 | int i; |
wolfSSL | 15:117db924cf7c | 4658 | |
wolfSSL | 15:117db924cf7c | 4659 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 15:117db924cf7c | 4660 | XFREE(tmps[i], heap, DYNAMIC_TYPE_DSA); |
wolfSSL | 15:117db924cf7c | 4661 | |
wolfSSL | 15:117db924cf7c | 4662 | (void)heap; |
wolfSSL | 15:117db924cf7c | 4663 | } |
wolfSSL | 15:117db924cf7c | 4664 | |
wolfSSL | 16:8e0d178b1d1e | 4665 | #if !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) |
wolfSSL | 16:8e0d178b1d1e | 4666 | /* Write a public DSA key to output */ |
wolfSSL | 16:8e0d178b1d1e | 4667 | int wc_SetDsaPublicKey(byte* output, DsaKey* key, |
wolfSSL | 16:8e0d178b1d1e | 4668 | int outLen, int with_header) |
wolfSSL | 16:8e0d178b1d1e | 4669 | { |
wolfSSL | 16:8e0d178b1d1e | 4670 | /* p, g, q = DSA params, y = public exponent */ |
wolfSSL | 16:8e0d178b1d1e | 4671 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4672 | byte* p = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4673 | byte* g = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4674 | byte* q = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4675 | byte* y = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4676 | #else |
wolfSSL | 16:8e0d178b1d1e | 4677 | byte p[MAX_DSA_INT_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4678 | byte g[MAX_DSA_INT_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4679 | byte q[MAX_DSA_INT_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4680 | byte y[MAX_DSA_INT_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4681 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4682 | byte innerSeq[MAX_SEQ_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4683 | byte outerSeq[MAX_SEQ_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4684 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 16:8e0d178b1d1e | 4685 | int idx, pSz, gSz, qSz, ySz, innerSeqSz, outerSeqSz, bitStringSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 4686 | |
wolfSSL | 16:8e0d178b1d1e | 4687 | WOLFSSL_ENTER("wc_SetDsaPublicKey"); |
wolfSSL | 16:8e0d178b1d1e | 4688 | |
wolfSSL | 16:8e0d178b1d1e | 4689 | if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) { |
wolfSSL | 16:8e0d178b1d1e | 4690 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4691 | } |
wolfSSL | 16:8e0d178b1d1e | 4692 | |
wolfSSL | 16:8e0d178b1d1e | 4693 | /* p */ |
wolfSSL | 16:8e0d178b1d1e | 4694 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4695 | p = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4696 | if (p == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4697 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4698 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4699 | if ((pSz = SetASNIntMP(&key->p, MAX_DSA_INT_SZ, p)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4700 | WOLFSSL_MSG("SetASNIntMP Error with p"); |
wolfSSL | 16:8e0d178b1d1e | 4701 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4702 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4703 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4704 | return pSz; |
wolfSSL | 16:8e0d178b1d1e | 4705 | } |
wolfSSL | 16:8e0d178b1d1e | 4706 | |
wolfSSL | 16:8e0d178b1d1e | 4707 | /* q */ |
wolfSSL | 16:8e0d178b1d1e | 4708 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4709 | q = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4710 | if (q == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4711 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4712 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4713 | if ((qSz = SetASNIntMP(&key->q, MAX_DSA_INT_SZ, q)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4714 | WOLFSSL_MSG("SetASNIntMP Error with q"); |
wolfSSL | 16:8e0d178b1d1e | 4715 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4716 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4717 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4718 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4719 | return qSz; |
wolfSSL | 16:8e0d178b1d1e | 4720 | } |
wolfSSL | 16:8e0d178b1d1e | 4721 | |
wolfSSL | 16:8e0d178b1d1e | 4722 | /* g */ |
wolfSSL | 16:8e0d178b1d1e | 4723 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4724 | g = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4725 | if (g == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4726 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4727 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4728 | if ((gSz = SetASNIntMP(&key->g, MAX_DSA_INT_SZ, g)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4729 | WOLFSSL_MSG("SetASNIntMP Error with g"); |
wolfSSL | 16:8e0d178b1d1e | 4730 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4731 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4732 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4733 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4734 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4735 | return gSz; |
wolfSSL | 16:8e0d178b1d1e | 4736 | } |
wolfSSL | 16:8e0d178b1d1e | 4737 | |
wolfSSL | 16:8e0d178b1d1e | 4738 | /* y */ |
wolfSSL | 16:8e0d178b1d1e | 4739 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4740 | y = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4741 | if (y == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4742 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4743 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4744 | if ((ySz = SetASNIntMP(&key->y, MAX_DSA_INT_SZ, y)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4745 | WOLFSSL_MSG("SetASNIntMP Error with y"); |
wolfSSL | 16:8e0d178b1d1e | 4746 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4747 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4748 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4749 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4750 | XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4751 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4752 | return ySz; |
wolfSSL | 16:8e0d178b1d1e | 4753 | } |
wolfSSL | 16:8e0d178b1d1e | 4754 | |
wolfSSL | 16:8e0d178b1d1e | 4755 | innerSeqSz = SetSequence(pSz + qSz + gSz, innerSeq); |
wolfSSL | 16:8e0d178b1d1e | 4756 | |
wolfSSL | 16:8e0d178b1d1e | 4757 | /* check output size */ |
wolfSSL | 16:8e0d178b1d1e | 4758 | if ((innerSeqSz + pSz + qSz + gSz) > outLen) { |
wolfSSL | 16:8e0d178b1d1e | 4759 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4760 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4761 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4762 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4763 | XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4764 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4765 | WOLFSSL_MSG("Error, output size smaller than outlen"); |
wolfSSL | 16:8e0d178b1d1e | 4766 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4767 | } |
wolfSSL | 16:8e0d178b1d1e | 4768 | |
wolfSSL | 16:8e0d178b1d1e | 4769 | if (with_header) { |
wolfSSL | 16:8e0d178b1d1e | 4770 | int algoSz; |
wolfSSL | 16:8e0d178b1d1e | 4771 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4772 | byte* algo = NULL; |
wolfSSL | 16:8e0d178b1d1e | 4773 | |
wolfSSL | 16:8e0d178b1d1e | 4774 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4775 | if (algo == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4776 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4777 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4778 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4779 | XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4780 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 4781 | } |
wolfSSL | 16:8e0d178b1d1e | 4782 | #else |
wolfSSL | 16:8e0d178b1d1e | 4783 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 4784 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4785 | algoSz = SetAlgoID(DSAk, algo, oidKeyType, 0); |
wolfSSL | 16:8e0d178b1d1e | 4786 | bitStringSz = SetBitString(ySz, 0, bitString); |
wolfSSL | 16:8e0d178b1d1e | 4787 | outerSeqSz = SetSequence(algoSz + innerSeqSz + pSz + qSz + gSz, |
wolfSSL | 16:8e0d178b1d1e | 4788 | outerSeq); |
wolfSSL | 16:8e0d178b1d1e | 4789 | |
wolfSSL | 16:8e0d178b1d1e | 4790 | idx = SetSequence(algoSz + innerSeqSz + pSz + qSz + gSz + bitStringSz + |
wolfSSL | 16:8e0d178b1d1e | 4791 | ySz + outerSeqSz, output); |
wolfSSL | 16:8e0d178b1d1e | 4792 | |
wolfSSL | 16:8e0d178b1d1e | 4793 | /* check output size */ |
wolfSSL | 16:8e0d178b1d1e | 4794 | if ((idx + algoSz + bitStringSz + innerSeqSz + pSz + qSz + gSz + ySz) > |
wolfSSL | 16:8e0d178b1d1e | 4795 | outLen) { |
wolfSSL | 16:8e0d178b1d1e | 4796 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4797 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4798 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4799 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4800 | XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4801 | XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4802 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4803 | WOLFSSL_MSG("Error, output size smaller than outlen"); |
wolfSSL | 16:8e0d178b1d1e | 4804 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 4805 | } |
wolfSSL | 16:8e0d178b1d1e | 4806 | |
wolfSSL | 16:8e0d178b1d1e | 4807 | /* outerSeq */ |
wolfSSL | 16:8e0d178b1d1e | 4808 | XMEMCPY(output + idx, outerSeq, outerSeqSz); |
wolfSSL | 16:8e0d178b1d1e | 4809 | idx += outerSeqSz; |
wolfSSL | 16:8e0d178b1d1e | 4810 | /* algo */ |
wolfSSL | 16:8e0d178b1d1e | 4811 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 4812 | idx += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 4813 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4814 | XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4815 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4816 | } else { |
wolfSSL | 16:8e0d178b1d1e | 4817 | idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 4818 | } |
wolfSSL | 16:8e0d178b1d1e | 4819 | |
wolfSSL | 16:8e0d178b1d1e | 4820 | /* innerSeq */ |
wolfSSL | 16:8e0d178b1d1e | 4821 | XMEMCPY(output + idx, innerSeq, innerSeqSz); |
wolfSSL | 16:8e0d178b1d1e | 4822 | idx += innerSeqSz; |
wolfSSL | 16:8e0d178b1d1e | 4823 | /* p */ |
wolfSSL | 16:8e0d178b1d1e | 4824 | XMEMCPY(output + idx, p, pSz); |
wolfSSL | 16:8e0d178b1d1e | 4825 | idx += pSz; |
wolfSSL | 16:8e0d178b1d1e | 4826 | /* q */ |
wolfSSL | 16:8e0d178b1d1e | 4827 | XMEMCPY(output + idx, q, qSz); |
wolfSSL | 16:8e0d178b1d1e | 4828 | idx += qSz; |
wolfSSL | 16:8e0d178b1d1e | 4829 | /* g */ |
wolfSSL | 16:8e0d178b1d1e | 4830 | XMEMCPY(output + idx, g, gSz); |
wolfSSL | 16:8e0d178b1d1e | 4831 | idx += gSz; |
wolfSSL | 16:8e0d178b1d1e | 4832 | /* bit string */ |
wolfSSL | 16:8e0d178b1d1e | 4833 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 16:8e0d178b1d1e | 4834 | idx += bitStringSz; |
wolfSSL | 16:8e0d178b1d1e | 4835 | /* y */ |
wolfSSL | 16:8e0d178b1d1e | 4836 | XMEMCPY(output + idx, y, ySz); |
wolfSSL | 16:8e0d178b1d1e | 4837 | idx += ySz; |
wolfSSL | 16:8e0d178b1d1e | 4838 | |
wolfSSL | 16:8e0d178b1d1e | 4839 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 4840 | XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4841 | XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4842 | XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4843 | XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 4844 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4845 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 4846 | } |
wolfSSL | 16:8e0d178b1d1e | 4847 | |
wolfSSL | 16:8e0d178b1d1e | 4848 | /* Convert DSA Public key to DER format, write to output (inLen), return bytes |
wolfSSL | 16:8e0d178b1d1e | 4849 | written */ |
wolfSSL | 16:8e0d178b1d1e | 4850 | int wc_DsaKeyToPublicDer(DsaKey* key, byte* output, word32 inLen) |
wolfSSL | 16:8e0d178b1d1e | 4851 | { |
wolfSSL | 16:8e0d178b1d1e | 4852 | return wc_SetDsaPublicKey(output, key, inLen, 1); |
wolfSSL | 16:8e0d178b1d1e | 4853 | } |
wolfSSL | 16:8e0d178b1d1e | 4854 | #endif /* !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 4855 | |
wolfSSL | 16:8e0d178b1d1e | 4856 | /* Convert private DsaKey key to DER format, write to output (inLen), |
wolfSSL | 16:8e0d178b1d1e | 4857 | return bytes written */ |
wolfSSL | 15:117db924cf7c | 4858 | int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 4859 | { |
wolfSSL | 15:117db924cf7c | 4860 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 15:117db924cf7c | 4861 | word32 sizes[DSA_INTS]; |
wolfSSL | 15:117db924cf7c | 4862 | int i, j, outLen, ret = 0, mpSz; |
wolfSSL | 15:117db924cf7c | 4863 | |
wolfSSL | 15:117db924cf7c | 4864 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 4865 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 15:117db924cf7c | 4866 | byte* tmps[DSA_INTS]; |
wolfSSL | 15:117db924cf7c | 4867 | |
wolfSSL | 15:117db924cf7c | 4868 | if (!key || !output) |
wolfSSL | 15:117db924cf7c | 4869 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4870 | |
wolfSSL | 15:117db924cf7c | 4871 | if (key->type != DSA_PRIVATE) |
wolfSSL | 15:117db924cf7c | 4872 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4873 | |
wolfSSL | 15:117db924cf7c | 4874 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 15:117db924cf7c | 4875 | tmps[i] = NULL; |
wolfSSL | 15:117db924cf7c | 4876 | |
wolfSSL | 15:117db924cf7c | 4877 | /* write all big ints from key to DER tmps */ |
wolfSSL | 15:117db924cf7c | 4878 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 15:117db924cf7c | 4879 | mp_int* keyInt = GetDsaInt(key, i); |
wolfSSL | 15:117db924cf7c | 4880 | |
wolfSSL | 15:117db924cf7c | 4881 | rawLen = mp_unsigned_bin_size(keyInt) + 1; |
wolfSSL | 15:117db924cf7c | 4882 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 15:117db924cf7c | 4883 | DYNAMIC_TYPE_DSA); |
wolfSSL | 15:117db924cf7c | 4884 | if (tmps[i] == NULL) { |
wolfSSL | 15:117db924cf7c | 4885 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 4886 | break; |
wolfSSL | 15:117db924cf7c | 4887 | } |
wolfSSL | 15:117db924cf7c | 4888 | |
wolfSSL | 15:117db924cf7c | 4889 | mpSz = SetASNIntMP(keyInt, -1, tmps[i]); |
wolfSSL | 15:117db924cf7c | 4890 | if (mpSz < 0) { |
wolfSSL | 15:117db924cf7c | 4891 | ret = mpSz; |
wolfSSL | 15:117db924cf7c | 4892 | break; |
wolfSSL | 15:117db924cf7c | 4893 | } |
wolfSSL | 15:117db924cf7c | 4894 | intTotalLen += (sizes[i] = mpSz); |
wolfSSL | 15:117db924cf7c | 4895 | } |
wolfSSL | 15:117db924cf7c | 4896 | |
wolfSSL | 15:117db924cf7c | 4897 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 4898 | FreeTmpDsas(tmps, key->heap); |
wolfSSL | 15:117db924cf7c | 4899 | return ret; |
wolfSSL | 15:117db924cf7c | 4900 | } |
wolfSSL | 15:117db924cf7c | 4901 | |
wolfSSL | 15:117db924cf7c | 4902 | /* make headers */ |
wolfSSL | 15:117db924cf7c | 4903 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 15:117db924cf7c | 4904 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 15:117db924cf7c | 4905 | |
wolfSSL | 15:117db924cf7c | 4906 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 16:8e0d178b1d1e | 4907 | if (outLen > (int)inLen) { |
wolfSSL | 16:8e0d178b1d1e | 4908 | FreeTmpDsas(tmps, key->heap); |
wolfSSL | 16:8e0d178b1d1e | 4909 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 4910 | } |
wolfSSL | 15:117db924cf7c | 4911 | |
wolfSSL | 15:117db924cf7c | 4912 | /* write to output */ |
wolfSSL | 15:117db924cf7c | 4913 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 15:117db924cf7c | 4914 | j = seqSz; |
wolfSSL | 15:117db924cf7c | 4915 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 15:117db924cf7c | 4916 | j += verSz; |
wolfSSL | 15:117db924cf7c | 4917 | |
wolfSSL | 15:117db924cf7c | 4918 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 15:117db924cf7c | 4919 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 15:117db924cf7c | 4920 | j += sizes[i]; |
wolfSSL | 15:117db924cf7c | 4921 | } |
wolfSSL | 15:117db924cf7c | 4922 | FreeTmpDsas(tmps, key->heap); |
wolfSSL | 15:117db924cf7c | 4923 | |
wolfSSL | 15:117db924cf7c | 4924 | return outLen; |
wolfSSL | 15:117db924cf7c | 4925 | } |
wolfSSL | 15:117db924cf7c | 4926 | |
wolfSSL | 15:117db924cf7c | 4927 | #endif /* NO_DSA */ |
wolfSSL | 15:117db924cf7c | 4928 | |
wolfSSL | 16:8e0d178b1d1e | 4929 | void InitDecodedCert(DecodedCert* cert, |
wolfSSL | 16:8e0d178b1d1e | 4930 | const byte* source, word32 inSz, void* heap) |
wolfSSL | 15:117db924cf7c | 4931 | { |
wolfSSL | 15:117db924cf7c | 4932 | if (cert != NULL) { |
wolfSSL | 15:117db924cf7c | 4933 | XMEMSET(cert, 0, sizeof(DecodedCert)); |
wolfSSL | 15:117db924cf7c | 4934 | |
wolfSSL | 15:117db924cf7c | 4935 | cert->subjectCNEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4936 | cert->issuer[0] = '\0'; |
wolfSSL | 15:117db924cf7c | 4937 | cert->subject[0] = '\0'; |
wolfSSL | 15:117db924cf7c | 4938 | cert->source = source; /* don't own */ |
wolfSSL | 15:117db924cf7c | 4939 | cert->maxIdx = inSz; /* can't go over this index */ |
wolfSSL | 15:117db924cf7c | 4940 | cert->heap = heap; |
wolfSSL | 16:8e0d178b1d1e | 4941 | cert->maxPathLen = WOLFSSL_MAX_PATH_LEN; |
wolfSSL | 15:117db924cf7c | 4942 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 4943 | cert->subjectSNEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4944 | cert->subjectCEnc = CTC_PRINTABLE; |
wolfSSL | 15:117db924cf7c | 4945 | cert->subjectLEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4946 | cert->subjectSTEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4947 | cert->subjectOEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4948 | cert->subjectOUEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 4949 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 4950 | |
wolfSSL | 16:8e0d178b1d1e | 4951 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 4952 | InitSignatureCtx(&cert->sigCtx, heap, INVALID_DEVID); |
wolfSSL | 16:8e0d178b1d1e | 4953 | #endif |
wolfSSL | 15:117db924cf7c | 4954 | } |
wolfSSL | 15:117db924cf7c | 4955 | } |
wolfSSL | 15:117db924cf7c | 4956 | |
wolfSSL | 15:117db924cf7c | 4957 | |
wolfSSL | 15:117db924cf7c | 4958 | void FreeAltNames(DNS_entry* altNames, void* heap) |
wolfSSL | 15:117db924cf7c | 4959 | { |
wolfSSL | 15:117db924cf7c | 4960 | (void)heap; |
wolfSSL | 15:117db924cf7c | 4961 | |
wolfSSL | 15:117db924cf7c | 4962 | while (altNames) { |
wolfSSL | 15:117db924cf7c | 4963 | DNS_entry* tmp = altNames->next; |
wolfSSL | 15:117db924cf7c | 4964 | |
wolfSSL | 15:117db924cf7c | 4965 | XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 4966 | XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 4967 | altNames = tmp; |
wolfSSL | 15:117db924cf7c | 4968 | } |
wolfSSL | 15:117db924cf7c | 4969 | } |
wolfSSL | 15:117db924cf7c | 4970 | |
wolfSSL | 15:117db924cf7c | 4971 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 4972 | |
wolfSSL | 15:117db924cf7c | 4973 | void FreeNameSubtrees(Base_entry* names, void* heap) |
wolfSSL | 15:117db924cf7c | 4974 | { |
wolfSSL | 15:117db924cf7c | 4975 | (void)heap; |
wolfSSL | 15:117db924cf7c | 4976 | |
wolfSSL | 15:117db924cf7c | 4977 | while (names) { |
wolfSSL | 15:117db924cf7c | 4978 | Base_entry* tmp = names->next; |
wolfSSL | 15:117db924cf7c | 4979 | |
wolfSSL | 15:117db924cf7c | 4980 | XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 4981 | XFREE(names, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 4982 | names = tmp; |
wolfSSL | 15:117db924cf7c | 4983 | } |
wolfSSL | 15:117db924cf7c | 4984 | } |
wolfSSL | 15:117db924cf7c | 4985 | |
wolfSSL | 15:117db924cf7c | 4986 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 4987 | |
wolfSSL | 15:117db924cf7c | 4988 | void FreeDecodedCert(DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 4989 | { |
wolfSSL | 16:8e0d178b1d1e | 4990 | if (cert == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4991 | return; |
wolfSSL | 15:117db924cf7c | 4992 | if (cert->subjectCNStored == 1) |
wolfSSL | 15:117db924cf7c | 4993 | XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 15:117db924cf7c | 4994 | if (cert->pubKeyStored == 1) |
wolfSSL | 16:8e0d178b1d1e | 4995 | XFREE((void*)cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 15:117db924cf7c | 4996 | if (cert->weOwnAltNames && cert->altNames) |
wolfSSL | 15:117db924cf7c | 4997 | FreeAltNames(cert->altNames, cert->heap); |
wolfSSL | 15:117db924cf7c | 4998 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 4999 | if (cert->altEmailNames) |
wolfSSL | 15:117db924cf7c | 5000 | FreeAltNames(cert->altEmailNames, cert->heap); |
wolfSSL | 15:117db924cf7c | 5001 | if (cert->permittedNames) |
wolfSSL | 15:117db924cf7c | 5002 | FreeNameSubtrees(cert->permittedNames, cert->heap); |
wolfSSL | 15:117db924cf7c | 5003 | if (cert->excludedNames) |
wolfSSL | 15:117db924cf7c | 5004 | FreeNameSubtrees(cert->excludedNames, cert->heap); |
wolfSSL | 15:117db924cf7c | 5005 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 5006 | #ifdef WOLFSSL_SEP |
wolfSSL | 15:117db924cf7c | 5007 | XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 5008 | XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 5009 | XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 5010 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 15:117db924cf7c | 5011 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5012 | if (cert->issuerName.fullName != NULL) |
wolfSSL | 15:117db924cf7c | 5013 | XFREE(cert->issuerName.fullName, cert->heap, DYNAMIC_TYPE_X509); |
wolfSSL | 15:117db924cf7c | 5014 | if (cert->subjectName.fullName != NULL) |
wolfSSL | 15:117db924cf7c | 5015 | XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509); |
wolfSSL | 15:117db924cf7c | 5016 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5017 | #ifdef WOLFSSL_RENESAS_TSIP_TLS |
wolfSSL | 16:8e0d178b1d1e | 5018 | if (cert->tsip_encRsaKeyIdx != NULL) |
wolfSSL | 16:8e0d178b1d1e | 5019 | XFREE(cert->tsip_encRsaKeyIdx, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 16:8e0d178b1d1e | 5020 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5021 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 5022 | FreeSignatureCtx(&cert->sigCtx); |
wolfSSL | 16:8e0d178b1d1e | 5023 | #endif |
wolfSSL | 15:117db924cf7c | 5024 | } |
wolfSSL | 15:117db924cf7c | 5025 | |
wolfSSL | 15:117db924cf7c | 5026 | static int GetCertHeader(DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 5027 | { |
wolfSSL | 15:117db924cf7c | 5028 | int ret = 0, len; |
wolfSSL | 15:117db924cf7c | 5029 | |
wolfSSL | 15:117db924cf7c | 5030 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5031 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5032 | |
wolfSSL | 16:8e0d178b1d1e | 5033 | /* Reset the max index for the size indicated in the outer wrapper. */ |
wolfSSL | 16:8e0d178b1d1e | 5034 | cert->maxIdx = len + cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5035 | cert->certBegin = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5036 | |
wolfSSL | 15:117db924cf7c | 5037 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5038 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5039 | |
wolfSSL | 15:117db924cf7c | 5040 | cert->sigIndex = len + cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5041 | if (cert->sigIndex > cert->maxIdx) |
wolfSSL | 16:8e0d178b1d1e | 5042 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5043 | |
wolfSSL | 15:117db924cf7c | 5044 | if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version, |
wolfSSL | 16:8e0d178b1d1e | 5045 | cert->sigIndex) < 0) |
wolfSSL | 15:117db924cf7c | 5046 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5047 | |
wolfSSL | 15:117db924cf7c | 5048 | if (GetSerialNumber(cert->source, &cert->srcIdx, cert->serial, |
wolfSSL | 16:8e0d178b1d1e | 5049 | &cert->serialSz, cert->sigIndex) < 0) |
wolfSSL | 15:117db924cf7c | 5050 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5051 | |
wolfSSL | 15:117db924cf7c | 5052 | return ret; |
wolfSSL | 15:117db924cf7c | 5053 | } |
wolfSSL | 15:117db924cf7c | 5054 | |
wolfSSL | 15:117db924cf7c | 5055 | #if !defined(NO_RSA) |
wolfSSL | 15:117db924cf7c | 5056 | /* Store Rsa Key, may save later, Dsa could use in future */ |
wolfSSL | 16:8e0d178b1d1e | 5057 | static int StoreRsaKey(DecodedCert* cert, word32 bitStringEnd) |
wolfSSL | 15:117db924cf7c | 5058 | { |
wolfSSL | 15:117db924cf7c | 5059 | int length; |
wolfSSL | 15:117db924cf7c | 5060 | word32 recvd = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5061 | |
wolfSSL | 16:8e0d178b1d1e | 5062 | if (GetSequence(cert->source, &cert->srcIdx, &length, bitStringEnd) < 0) |
wolfSSL | 15:117db924cf7c | 5063 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5064 | |
wolfSSL | 15:117db924cf7c | 5065 | recvd = cert->srcIdx - recvd; |
wolfSSL | 15:117db924cf7c | 5066 | length += recvd; |
wolfSSL | 15:117db924cf7c | 5067 | |
wolfSSL | 15:117db924cf7c | 5068 | while (recvd--) |
wolfSSL | 15:117db924cf7c | 5069 | cert->srcIdx--; |
wolfSSL | 16:8e0d178b1d1e | 5070 | #if defined(WOLFSSL_RENESAS_TSIP) |
wolfSSL | 16:8e0d178b1d1e | 5071 | cert->sigCtx.pubkey_n_start = cert->sigCtx.pubkey_e_start = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5072 | #endif |
wolfSSL | 15:117db924cf7c | 5073 | cert->pubKeySize = length; |
wolfSSL | 15:117db924cf7c | 5074 | cert->publicKey = cert->source + cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5075 | cert->srcIdx += length; |
wolfSSL | 15:117db924cf7c | 5076 | |
wolfSSL | 15:117db924cf7c | 5077 | return 0; |
wolfSSL | 15:117db924cf7c | 5078 | } |
wolfSSL | 15:117db924cf7c | 5079 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5080 | |
wolfSSL | 15:117db924cf7c | 5081 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5082 | |
wolfSSL | 15:117db924cf7c | 5083 | /* return 0 on success if the ECC curve oid sum is supported */ |
wolfSSL | 15:117db924cf7c | 5084 | static int CheckCurve(word32 oid) |
wolfSSL | 15:117db924cf7c | 5085 | { |
wolfSSL | 15:117db924cf7c | 5086 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5087 | word32 oidSz = 0; |
wolfSSL | 15:117db924cf7c | 5088 | |
wolfSSL | 15:117db924cf7c | 5089 | ret = wc_ecc_get_oid(oid, NULL, &oidSz); |
wolfSSL | 16:8e0d178b1d1e | 5090 | if (ret < 0 || oidSz == 0) { |
wolfSSL | 15:117db924cf7c | 5091 | WOLFSSL_MSG("CheckCurve not found"); |
wolfSSL | 15:117db924cf7c | 5092 | ret = ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 5093 | } |
wolfSSL | 15:117db924cf7c | 5094 | |
wolfSSL | 15:117db924cf7c | 5095 | return ret; |
wolfSSL | 15:117db924cf7c | 5096 | } |
wolfSSL | 15:117db924cf7c | 5097 | |
wolfSSL | 15:117db924cf7c | 5098 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5099 | |
wolfSSL | 15:117db924cf7c | 5100 | static int GetKey(DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 5101 | { |
wolfSSL | 15:117db924cf7c | 5102 | int length; |
wolfSSL | 16:8e0d178b1d1e | 5103 | #if !defined(NO_DSA) && defined(WOLFSSL_QT) |
wolfSSL | 16:8e0d178b1d1e | 5104 | int tmpLen; |
wolfSSL | 16:8e0d178b1d1e | 5105 | #endif |
wolfSSL | 15:117db924cf7c | 5106 | #if defined(HAVE_ECC) || defined(HAVE_NTRU) |
wolfSSL | 15:117db924cf7c | 5107 | int tmpIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5108 | #endif |
wolfSSL | 15:117db924cf7c | 5109 | |
wolfSSL | 15:117db924cf7c | 5110 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5111 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5112 | |
wolfSSL | 16:8e0d178b1d1e | 5113 | #if !defined(NO_DSA) && defined(WOLFSSL_QT) |
wolfSSL | 16:8e0d178b1d1e | 5114 | tmpLen = length + 4; |
wolfSSL | 16:8e0d178b1d1e | 5115 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5116 | |
wolfSSL | 15:117db924cf7c | 5117 | if (GetAlgoId(cert->source, &cert->srcIdx, |
wolfSSL | 15:117db924cf7c | 5118 | &cert->keyOID, oidKeyType, cert->maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5119 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5120 | |
wolfSSL | 15:117db924cf7c | 5121 | switch (cert->keyOID) { |
wolfSSL | 15:117db924cf7c | 5122 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5123 | case RSAk: |
wolfSSL | 15:117db924cf7c | 5124 | { |
wolfSSL | 15:117db924cf7c | 5125 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 5126 | |
wolfSSL | 16:8e0d178b1d1e | 5127 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 5128 | cert->maxIdx, 1, NULL); |
wolfSSL | 15:117db924cf7c | 5129 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5130 | return ret; |
wolfSSL | 15:117db924cf7c | 5131 | |
wolfSSL | 16:8e0d178b1d1e | 5132 | #ifdef HAVE_OCSP |
wolfSSL | 16:8e0d178b1d1e | 5133 | ret = CalcHashId(cert->source + cert->srcIdx, length, |
wolfSSL | 16:8e0d178b1d1e | 5134 | cert->subjectKeyHash); |
wolfSSL | 16:8e0d178b1d1e | 5135 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5136 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5137 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5138 | |
wolfSSL | 16:8e0d178b1d1e | 5139 | return StoreRsaKey(cert, cert->srcIdx + length); |
wolfSSL | 15:117db924cf7c | 5140 | } |
wolfSSL | 15:117db924cf7c | 5141 | |
wolfSSL | 15:117db924cf7c | 5142 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5143 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 5144 | case NTRUk: |
wolfSSL | 15:117db924cf7c | 5145 | { |
wolfSSL | 15:117db924cf7c | 5146 | const byte* key = &cert->source[tmpIdx]; |
wolfSSL | 15:117db924cf7c | 5147 | byte* next = (byte*)key; |
wolfSSL | 15:117db924cf7c | 5148 | word16 keyLen; |
wolfSSL | 15:117db924cf7c | 5149 | word32 rc; |
wolfSSL | 15:117db924cf7c | 5150 | word32 remaining = cert->maxIdx - cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5151 | byte* publicKey; |
wolfSSL | 15:117db924cf7c | 5152 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5153 | byte* keyBlob = NULL; |
wolfSSL | 15:117db924cf7c | 5154 | #else |
wolfSSL | 15:117db924cf7c | 5155 | byte keyBlob[MAX_NTRU_KEY_SZ]; |
wolfSSL | 15:117db924cf7c | 5156 | #endif |
wolfSSL | 15:117db924cf7c | 5157 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 15:117db924cf7c | 5158 | &keyLen, NULL, &next, &remaining); |
wolfSSL | 15:117db924cf7c | 5159 | if (rc != NTRU_OK) |
wolfSSL | 15:117db924cf7c | 5160 | return ASN_NTRU_KEY_E; |
wolfSSL | 15:117db924cf7c | 5161 | if (keyLen > MAX_NTRU_KEY_SZ) |
wolfSSL | 15:117db924cf7c | 5162 | return ASN_NTRU_KEY_E; |
wolfSSL | 15:117db924cf7c | 5163 | |
wolfSSL | 15:117db924cf7c | 5164 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5165 | keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, cert->heap, |
wolfSSL | 15:117db924cf7c | 5166 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5167 | if (keyBlob == NULL) |
wolfSSL | 15:117db924cf7c | 5168 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 5169 | #endif |
wolfSSL | 15:117db924cf7c | 5170 | |
wolfSSL | 15:117db924cf7c | 5171 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 15:117db924cf7c | 5172 | &keyLen, keyBlob, &next, &remaining); |
wolfSSL | 15:117db924cf7c | 5173 | if (rc != NTRU_OK) { |
wolfSSL | 15:117db924cf7c | 5174 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5175 | XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5176 | #endif |
wolfSSL | 15:117db924cf7c | 5177 | return ASN_NTRU_KEY_E; |
wolfSSL | 15:117db924cf7c | 5178 | } |
wolfSSL | 15:117db924cf7c | 5179 | |
wolfSSL | 15:117db924cf7c | 5180 | if ( (next - key) < 0) { |
wolfSSL | 15:117db924cf7c | 5181 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5182 | XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5183 | #endif |
wolfSSL | 15:117db924cf7c | 5184 | return ASN_NTRU_KEY_E; |
wolfSSL | 15:117db924cf7c | 5185 | } |
wolfSSL | 15:117db924cf7c | 5186 | |
wolfSSL | 15:117db924cf7c | 5187 | cert->srcIdx = tmpIdx + (int)(next - key); |
wolfSSL | 15:117db924cf7c | 5188 | |
wolfSSL | 16:8e0d178b1d1e | 5189 | publicKey = (byte*)XMALLOC(keyLen, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 5190 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 16:8e0d178b1d1e | 5191 | if (publicKey == NULL) { |
wolfSSL | 15:117db924cf7c | 5192 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5193 | XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5194 | #endif |
wolfSSL | 15:117db924cf7c | 5195 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 5196 | } |
wolfSSL | 16:8e0d178b1d1e | 5197 | XMEMCPY(publicKey, keyBlob, keyLen); |
wolfSSL | 16:8e0d178b1d1e | 5198 | cert->publicKey = publicKey; |
wolfSSL | 15:117db924cf7c | 5199 | cert->pubKeyStored = 1; |
wolfSSL | 15:117db924cf7c | 5200 | cert->pubKeySize = keyLen; |
wolfSSL | 15:117db924cf7c | 5201 | |
wolfSSL | 15:117db924cf7c | 5202 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 5203 | XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5204 | #endif |
wolfSSL | 15:117db924cf7c | 5205 | |
wolfSSL | 15:117db924cf7c | 5206 | return 0; |
wolfSSL | 15:117db924cf7c | 5207 | } |
wolfSSL | 15:117db924cf7c | 5208 | #endif /* HAVE_NTRU */ |
wolfSSL | 15:117db924cf7c | 5209 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5210 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 5211 | { |
wolfSSL | 15:117db924cf7c | 5212 | int ret; |
wolfSSL | 15:117db924cf7c | 5213 | byte seq[5]; |
wolfSSL | 15:117db924cf7c | 5214 | int pubLen = length + 1 + SetLength(length, seq); |
wolfSSL | 16:8e0d178b1d1e | 5215 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 5216 | byte* publicKey; |
wolfSSL | 16:8e0d178b1d1e | 5217 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 5218 | |
wolfSSL | 16:8e0d178b1d1e | 5219 | localIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5220 | if (GetASNTag(cert->source, &localIdx, &tag, cert->maxIdx) < 0) |
wolfSSL | 16:8e0d178b1d1e | 5221 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5222 | |
wolfSSL | 16:8e0d178b1d1e | 5223 | if (tag != (ASN_SEQUENCE | ASN_CONSTRUCTED)) { |
wolfSSL | 15:117db924cf7c | 5224 | if (GetObjectId(cert->source, &cert->srcIdx, |
wolfSSL | 15:117db924cf7c | 5225 | &cert->pkCurveOID, oidCurveType, cert->maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5226 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5227 | |
wolfSSL | 15:117db924cf7c | 5228 | if (CheckCurve(cert->pkCurveOID) < 0) |
wolfSSL | 15:117db924cf7c | 5229 | return ECC_CURVE_OID_E; |
wolfSSL | 15:117db924cf7c | 5230 | |
wolfSSL | 15:117db924cf7c | 5231 | /* key header */ |
wolfSSL | 15:117db924cf7c | 5232 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 5233 | cert->maxIdx, 1, NULL); |
wolfSSL | 15:117db924cf7c | 5234 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5235 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5236 | #ifdef HAVE_OCSP |
wolfSSL | 16:8e0d178b1d1e | 5237 | ret = CalcHashId(cert->source + cert->srcIdx, length, |
wolfSSL | 16:8e0d178b1d1e | 5238 | cert->subjectKeyHash); |
wolfSSL | 16:8e0d178b1d1e | 5239 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5240 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5241 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5242 | } |
wolfSSL | 16:8e0d178b1d1e | 5243 | |
wolfSSL | 16:8e0d178b1d1e | 5244 | publicKey = (byte*)XMALLOC(pubLen, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 5245 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 16:8e0d178b1d1e | 5246 | if (publicKey == NULL) |
wolfSSL | 15:117db924cf7c | 5247 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 5248 | XMEMCPY(publicKey, &cert->source[tmpIdx], pubLen); |
wolfSSL | 16:8e0d178b1d1e | 5249 | cert->publicKey = publicKey; |
wolfSSL | 15:117db924cf7c | 5250 | cert->pubKeyStored = 1; |
wolfSSL | 15:117db924cf7c | 5251 | cert->pubKeySize = pubLen; |
wolfSSL | 15:117db924cf7c | 5252 | |
wolfSSL | 15:117db924cf7c | 5253 | cert->srcIdx = tmpIdx + pubLen; |
wolfSSL | 15:117db924cf7c | 5254 | |
wolfSSL | 15:117db924cf7c | 5255 | return 0; |
wolfSSL | 15:117db924cf7c | 5256 | } |
wolfSSL | 15:117db924cf7c | 5257 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5258 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5259 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 5260 | { |
wolfSSL | 16:8e0d178b1d1e | 5261 | byte* publicKey; |
wolfSSL | 15:117db924cf7c | 5262 | int ret; |
wolfSSL | 15:117db924cf7c | 5263 | |
wolfSSL | 15:117db924cf7c | 5264 | cert->pkCurveOID = ED25519k; |
wolfSSL | 15:117db924cf7c | 5265 | |
wolfSSL | 15:117db924cf7c | 5266 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 5267 | cert->maxIdx, 1, NULL); |
wolfSSL | 15:117db924cf7c | 5268 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5269 | return ret; |
wolfSSL | 15:117db924cf7c | 5270 | |
wolfSSL | 16:8e0d178b1d1e | 5271 | #ifdef HAVE_OCSP |
wolfSSL | 16:8e0d178b1d1e | 5272 | ret = CalcHashId(cert->source + cert->srcIdx, length, |
wolfSSL | 16:8e0d178b1d1e | 5273 | cert->subjectKeyHash); |
wolfSSL | 16:8e0d178b1d1e | 5274 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5275 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5276 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5277 | |
wolfSSL | 16:8e0d178b1d1e | 5278 | publicKey = (byte*) XMALLOC(length, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 5279 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 16:8e0d178b1d1e | 5280 | if (publicKey == NULL) |
wolfSSL | 15:117db924cf7c | 5281 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 5282 | XMEMCPY(publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 16:8e0d178b1d1e | 5283 | cert->publicKey = publicKey; |
wolfSSL | 15:117db924cf7c | 5284 | cert->pubKeyStored = 1; |
wolfSSL | 15:117db924cf7c | 5285 | cert->pubKeySize = length; |
wolfSSL | 15:117db924cf7c | 5286 | |
wolfSSL | 15:117db924cf7c | 5287 | cert->srcIdx += length; |
wolfSSL | 15:117db924cf7c | 5288 | |
wolfSSL | 15:117db924cf7c | 5289 | return 0; |
wolfSSL | 15:117db924cf7c | 5290 | } |
wolfSSL | 15:117db924cf7c | 5291 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 5292 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 5293 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 5294 | { |
wolfSSL | 16:8e0d178b1d1e | 5295 | byte* publicKey; |
wolfSSL | 16:8e0d178b1d1e | 5296 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 5297 | |
wolfSSL | 16:8e0d178b1d1e | 5298 | cert->pkCurveOID = ED448k; |
wolfSSL | 16:8e0d178b1d1e | 5299 | |
wolfSSL | 16:8e0d178b1d1e | 5300 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 16:8e0d178b1d1e | 5301 | cert->maxIdx, 1, NULL); |
wolfSSL | 16:8e0d178b1d1e | 5302 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5303 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5304 | |
wolfSSL | 16:8e0d178b1d1e | 5305 | #ifdef HAVE_OCSP |
wolfSSL | 16:8e0d178b1d1e | 5306 | ret = CalcHashId(cert->source + cert->srcIdx, length, |
wolfSSL | 16:8e0d178b1d1e | 5307 | cert->subjectKeyHash); |
wolfSSL | 16:8e0d178b1d1e | 5308 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5309 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5310 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5311 | |
wolfSSL | 16:8e0d178b1d1e | 5312 | publicKey = (byte*) XMALLOC(length, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 5313 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 16:8e0d178b1d1e | 5314 | if (publicKey == NULL) |
wolfSSL | 16:8e0d178b1d1e | 5315 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 5316 | XMEMCPY(publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 16:8e0d178b1d1e | 5317 | cert->publicKey = publicKey; |
wolfSSL | 16:8e0d178b1d1e | 5318 | cert->pubKeyStored = 1; |
wolfSSL | 16:8e0d178b1d1e | 5319 | cert->pubKeySize = length; |
wolfSSL | 16:8e0d178b1d1e | 5320 | |
wolfSSL | 16:8e0d178b1d1e | 5321 | cert->srcIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 5322 | |
wolfSSL | 16:8e0d178b1d1e | 5323 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 5324 | } |
wolfSSL | 16:8e0d178b1d1e | 5325 | #endif /* HAVE_ED448 */ |
wolfSSL | 16:8e0d178b1d1e | 5326 | #if !defined(NO_DSA) && defined(WOLFSSL_QT) |
wolfSSL | 16:8e0d178b1d1e | 5327 | case DSAk: |
wolfSSL | 16:8e0d178b1d1e | 5328 | { |
wolfSSL | 16:8e0d178b1d1e | 5329 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 5330 | ret = GetSequence(cert->source, &cert->srcIdx, &length, |
wolfSSL | 16:8e0d178b1d1e | 5331 | cert->maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 5332 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 5333 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5334 | |
wolfSSL | 16:8e0d178b1d1e | 5335 | ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 5336 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5337 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5338 | ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 5339 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5340 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5341 | ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 5342 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5343 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5344 | |
wolfSSL | 16:8e0d178b1d1e | 5345 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 16:8e0d178b1d1e | 5346 | cert->maxIdx, 1, NULL); |
wolfSSL | 16:8e0d178b1d1e | 5347 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 5348 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5349 | |
wolfSSL | 16:8e0d178b1d1e | 5350 | ret = GetASNInt(cert->source, &cert->srcIdx, &length, cert->maxIdx); |
wolfSSL | 16:8e0d178b1d1e | 5351 | if (ret !=0) |
wolfSSL | 16:8e0d178b1d1e | 5352 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5353 | |
wolfSSL | 16:8e0d178b1d1e | 5354 | cert->publicKey = cert->source + tmpIdx; |
wolfSSL | 16:8e0d178b1d1e | 5355 | cert->pubKeySize = tmpLen; |
wolfSSL | 16:8e0d178b1d1e | 5356 | cert->srcIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 5357 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 5358 | } |
wolfSSL | 16:8e0d178b1d1e | 5359 | #endif /* NO_DSA && QT */ |
wolfSSL | 15:117db924cf7c | 5360 | default: |
wolfSSL | 15:117db924cf7c | 5361 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 15:117db924cf7c | 5362 | } |
wolfSSL | 15:117db924cf7c | 5363 | } |
wolfSSL | 15:117db924cf7c | 5364 | |
wolfSSL | 16:8e0d178b1d1e | 5365 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5366 | #if defined(HAVE_ECC) |
wolfSSL | 16:8e0d178b1d1e | 5367 | /* Converts ECC curve enum values in ecc_curve_id to the associated OpenSSL NID |
wolfSSL | 16:8e0d178b1d1e | 5368 | value */ |
wolfSSL | 16:8e0d178b1d1e | 5369 | WOLFSSL_API int EccEnumToNID(int n) |
wolfSSL | 16:8e0d178b1d1e | 5370 | { |
wolfSSL | 16:8e0d178b1d1e | 5371 | WOLFSSL_ENTER("EccEnumToNID()"); |
wolfSSL | 16:8e0d178b1d1e | 5372 | |
wolfSSL | 16:8e0d178b1d1e | 5373 | switch(n) { |
wolfSSL | 16:8e0d178b1d1e | 5374 | case ECC_SECP192R1: |
wolfSSL | 16:8e0d178b1d1e | 5375 | return NID_X9_62_prime192v1; |
wolfSSL | 16:8e0d178b1d1e | 5376 | case ECC_PRIME192V2: |
wolfSSL | 16:8e0d178b1d1e | 5377 | return NID_X9_62_prime192v2; |
wolfSSL | 16:8e0d178b1d1e | 5378 | case ECC_PRIME192V3: |
wolfSSL | 16:8e0d178b1d1e | 5379 | return NID_X9_62_prime192v3; |
wolfSSL | 16:8e0d178b1d1e | 5380 | case ECC_PRIME239V1: |
wolfSSL | 16:8e0d178b1d1e | 5381 | return NID_X9_62_prime239v1; |
wolfSSL | 16:8e0d178b1d1e | 5382 | case ECC_PRIME239V2: |
wolfSSL | 16:8e0d178b1d1e | 5383 | return NID_X9_62_prime239v2; |
wolfSSL | 16:8e0d178b1d1e | 5384 | case ECC_PRIME239V3: |
wolfSSL | 16:8e0d178b1d1e | 5385 | return NID_X9_62_prime239v3; |
wolfSSL | 16:8e0d178b1d1e | 5386 | case ECC_SECP256R1: |
wolfSSL | 16:8e0d178b1d1e | 5387 | return NID_X9_62_prime256v1; |
wolfSSL | 16:8e0d178b1d1e | 5388 | case ECC_SECP112R1: |
wolfSSL | 16:8e0d178b1d1e | 5389 | return NID_secp112r1; |
wolfSSL | 16:8e0d178b1d1e | 5390 | case ECC_SECP112R2: |
wolfSSL | 16:8e0d178b1d1e | 5391 | return NID_secp112r2; |
wolfSSL | 16:8e0d178b1d1e | 5392 | case ECC_SECP128R1: |
wolfSSL | 16:8e0d178b1d1e | 5393 | return NID_secp128r1; |
wolfSSL | 16:8e0d178b1d1e | 5394 | case ECC_SECP128R2: |
wolfSSL | 16:8e0d178b1d1e | 5395 | return NID_secp128r2; |
wolfSSL | 16:8e0d178b1d1e | 5396 | case ECC_SECP160R1: |
wolfSSL | 16:8e0d178b1d1e | 5397 | return NID_secp160r1; |
wolfSSL | 16:8e0d178b1d1e | 5398 | case ECC_SECP160R2: |
wolfSSL | 16:8e0d178b1d1e | 5399 | return NID_secp160r2; |
wolfSSL | 16:8e0d178b1d1e | 5400 | case ECC_SECP224R1: |
wolfSSL | 16:8e0d178b1d1e | 5401 | return NID_secp224r1; |
wolfSSL | 16:8e0d178b1d1e | 5402 | case ECC_SECP384R1: |
wolfSSL | 16:8e0d178b1d1e | 5403 | return NID_secp384r1; |
wolfSSL | 16:8e0d178b1d1e | 5404 | case ECC_SECP521R1: |
wolfSSL | 16:8e0d178b1d1e | 5405 | return NID_secp521r1; |
wolfSSL | 16:8e0d178b1d1e | 5406 | case ECC_SECP160K1: |
wolfSSL | 16:8e0d178b1d1e | 5407 | return NID_secp160k1; |
wolfSSL | 16:8e0d178b1d1e | 5408 | case ECC_SECP192K1: |
wolfSSL | 16:8e0d178b1d1e | 5409 | return NID_secp192k1; |
wolfSSL | 16:8e0d178b1d1e | 5410 | case ECC_SECP224K1: |
wolfSSL | 16:8e0d178b1d1e | 5411 | return NID_secp224k1; |
wolfSSL | 16:8e0d178b1d1e | 5412 | case ECC_SECP256K1: |
wolfSSL | 16:8e0d178b1d1e | 5413 | return NID_secp256k1; |
wolfSSL | 16:8e0d178b1d1e | 5414 | case ECC_BRAINPOOLP160R1: |
wolfSSL | 16:8e0d178b1d1e | 5415 | return NID_brainpoolP160r1; |
wolfSSL | 16:8e0d178b1d1e | 5416 | case ECC_BRAINPOOLP192R1: |
wolfSSL | 16:8e0d178b1d1e | 5417 | return NID_brainpoolP192r1; |
wolfSSL | 16:8e0d178b1d1e | 5418 | case ECC_BRAINPOOLP224R1: |
wolfSSL | 16:8e0d178b1d1e | 5419 | return NID_brainpoolP224r1; |
wolfSSL | 16:8e0d178b1d1e | 5420 | case ECC_BRAINPOOLP256R1: |
wolfSSL | 16:8e0d178b1d1e | 5421 | return NID_brainpoolP256r1; |
wolfSSL | 16:8e0d178b1d1e | 5422 | case ECC_BRAINPOOLP320R1: |
wolfSSL | 16:8e0d178b1d1e | 5423 | return NID_brainpoolP320r1; |
wolfSSL | 16:8e0d178b1d1e | 5424 | case ECC_BRAINPOOLP384R1: |
wolfSSL | 16:8e0d178b1d1e | 5425 | return NID_brainpoolP384r1; |
wolfSSL | 16:8e0d178b1d1e | 5426 | case ECC_BRAINPOOLP512R1: |
wolfSSL | 16:8e0d178b1d1e | 5427 | return NID_brainpoolP512r1; |
wolfSSL | 16:8e0d178b1d1e | 5428 | default: |
wolfSSL | 16:8e0d178b1d1e | 5429 | WOLFSSL_MSG("NID not found"); |
wolfSSL | 16:8e0d178b1d1e | 5430 | return -1; |
wolfSSL | 16:8e0d178b1d1e | 5431 | } |
wolfSSL | 16:8e0d178b1d1e | 5432 | } |
wolfSSL | 16:8e0d178b1d1e | 5433 | #endif /* HAVE_ECC */ |
wolfSSL | 16:8e0d178b1d1e | 5434 | #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ |
wolfSSL | 16:8e0d178b1d1e | 5435 | |
wolfSSL | 16:8e0d178b1d1e | 5436 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5437 | int wc_OBJ_sn2nid(const char *sn) |
wolfSSL | 16:8e0d178b1d1e | 5438 | { |
wolfSSL | 16:8e0d178b1d1e | 5439 | const struct { |
wolfSSL | 16:8e0d178b1d1e | 5440 | const char *sn; |
wolfSSL | 16:8e0d178b1d1e | 5441 | int nid; |
wolfSSL | 16:8e0d178b1d1e | 5442 | } sn2nid[] = { |
wolfSSL | 16:8e0d178b1d1e | 5443 | {WOLFSSL_COMMON_NAME, NID_commonName}, |
wolfSSL | 16:8e0d178b1d1e | 5444 | {WOLFSSL_COUNTRY_NAME, NID_countryName}, |
wolfSSL | 16:8e0d178b1d1e | 5445 | {WOLFSSL_LOCALITY_NAME, NID_localityName}, |
wolfSSL | 16:8e0d178b1d1e | 5446 | {WOLFSSL_STATE_NAME, NID_stateOrProvinceName}, |
wolfSSL | 16:8e0d178b1d1e | 5447 | {WOLFSSL_ORG_NAME, NID_organizationName}, |
wolfSSL | 16:8e0d178b1d1e | 5448 | {WOLFSSL_ORGUNIT_NAME, NID_organizationalUnitName}, |
wolfSSL | 16:8e0d178b1d1e | 5449 | {WOLFSSL_EMAIL_ADDR, NID_emailAddress}, |
wolfSSL | 16:8e0d178b1d1e | 5450 | {NULL, -1}}; |
wolfSSL | 16:8e0d178b1d1e | 5451 | |
wolfSSL | 16:8e0d178b1d1e | 5452 | int i; |
wolfSSL | 16:8e0d178b1d1e | 5453 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 5454 | int eccEnum; |
wolfSSL | 16:8e0d178b1d1e | 5455 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5456 | WOLFSSL_ENTER("OBJ_sn2nid"); |
wolfSSL | 16:8e0d178b1d1e | 5457 | for(i=0; sn2nid[i].sn != NULL; i++) { |
wolfSSL | 16:8e0d178b1d1e | 5458 | if(XSTRNCMP(sn, sn2nid[i].sn, XSTRLEN(sn2nid[i].sn)) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 5459 | return sn2nid[i].nid; |
wolfSSL | 16:8e0d178b1d1e | 5460 | } |
wolfSSL | 16:8e0d178b1d1e | 5461 | } |
wolfSSL | 16:8e0d178b1d1e | 5462 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 5463 | /* Nginx uses this OpenSSL string. */ |
wolfSSL | 16:8e0d178b1d1e | 5464 | if (XSTRNCMP(sn, "prime256v1", 10) == 0) |
wolfSSL | 16:8e0d178b1d1e | 5465 | sn = "SECP256R1"; |
wolfSSL | 16:8e0d178b1d1e | 5466 | if (XSTRNCMP(sn, "secp384r1", 10) == 0) |
wolfSSL | 16:8e0d178b1d1e | 5467 | sn = "SECP384R1"; |
wolfSSL | 16:8e0d178b1d1e | 5468 | /* find based on name and return NID */ |
wolfSSL | 16:8e0d178b1d1e | 5469 | for (i = 0; ecc_sets[i].size != 0 && ecc_sets[i].name != NULL; i++) { |
wolfSSL | 16:8e0d178b1d1e | 5470 | if (XSTRNCMP(sn, ecc_sets[i].name, ECC_MAXNAME) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 5471 | eccEnum = ecc_sets[i].id; |
wolfSSL | 16:8e0d178b1d1e | 5472 | /* Convert enum value in ecc_curve_id to OpenSSL NID */ |
wolfSSL | 16:8e0d178b1d1e | 5473 | return EccEnumToNID(eccEnum); |
wolfSSL | 16:8e0d178b1d1e | 5474 | } |
wolfSSL | 16:8e0d178b1d1e | 5475 | } |
wolfSSL | 16:8e0d178b1d1e | 5476 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5477 | |
wolfSSL | 16:8e0d178b1d1e | 5478 | return NID_undef; |
wolfSSL | 16:8e0d178b1d1e | 5479 | } |
wolfSSL | 16:8e0d178b1d1e | 5480 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5481 | |
wolfSSL | 16:8e0d178b1d1e | 5482 | /* Routine for calculating hashId */ |
wolfSSL | 16:8e0d178b1d1e | 5483 | int CalcHashId(const byte* data, word32 len, byte* hash) |
wolfSSL | 16:8e0d178b1d1e | 5484 | { |
wolfSSL | 16:8e0d178b1d1e | 5485 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 5486 | |
wolfSSL | 16:8e0d178b1d1e | 5487 | #ifdef WOLF_CRYPTO_CB |
wolfSSL | 16:8e0d178b1d1e | 5488 | /* try to use a registered crypto callback */ |
wolfSSL | 16:8e0d178b1d1e | 5489 | ret = wc_CryptoCb_Sha256Hash(NULL, data, len, hash); |
wolfSSL | 16:8e0d178b1d1e | 5490 | if (ret != CRYPTOCB_UNAVAILABLE) |
wolfSSL | 16:8e0d178b1d1e | 5491 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5492 | /* fall-through when unavailable */ |
wolfSSL | 16:8e0d178b1d1e | 5493 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5494 | |
wolfSSL | 16:8e0d178b1d1e | 5495 | #if defined(NO_SHA) && !defined(NO_SHA256) |
wolfSSL | 16:8e0d178b1d1e | 5496 | ret = wc_Sha256Hash(data, len, hash); |
wolfSSL | 16:8e0d178b1d1e | 5497 | #elif !defined(NO_SHA) |
wolfSSL | 16:8e0d178b1d1e | 5498 | ret = wc_ShaHash(data, len, hash); |
wolfSSL | 16:8e0d178b1d1e | 5499 | #else |
wolfSSL | 16:8e0d178b1d1e | 5500 | ret = NOT_COMPILED_IN; |
wolfSSL | 16:8e0d178b1d1e | 5501 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5502 | |
wolfSSL | 16:8e0d178b1d1e | 5503 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 5504 | } |
wolfSSL | 16:8e0d178b1d1e | 5505 | |
wolfSSL | 15:117db924cf7c | 5506 | /* process NAME, either issuer or subject */ |
wolfSSL | 16:8e0d178b1d1e | 5507 | static int GetName(DecodedCert* cert, int nameType, int maxIdx) |
wolfSSL | 15:117db924cf7c | 5508 | { |
wolfSSL | 15:117db924cf7c | 5509 | int length; /* length of all distinguished names */ |
wolfSSL | 15:117db924cf7c | 5510 | int dummy; |
wolfSSL | 15:117db924cf7c | 5511 | int ret; |
wolfSSL | 15:117db924cf7c | 5512 | char* full; |
wolfSSL | 15:117db924cf7c | 5513 | byte* hash; |
wolfSSL | 16:8e0d178b1d1e | 5514 | word32 idx, localIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 5515 | byte tag; |
wolfSSL | 15:117db924cf7c | 5516 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5517 | DecodedName* dName = |
wolfSSL | 15:117db924cf7c | 5518 | (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName; |
wolfSSL | 15:117db924cf7c | 5519 | int dcnum = 0; |
wolfSSL | 16:8e0d178b1d1e | 5520 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 5521 | int count = 0; |
wolfSSL | 16:8e0d178b1d1e | 5522 | #endif |
wolfSSL | 15:117db924cf7c | 5523 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5524 | |
wolfSSL | 15:117db924cf7c | 5525 | WOLFSSL_MSG("Getting Cert Name"); |
wolfSSL | 15:117db924cf7c | 5526 | |
wolfSSL | 15:117db924cf7c | 5527 | if (nameType == ISSUER) { |
wolfSSL | 15:117db924cf7c | 5528 | full = cert->issuer; |
wolfSSL | 15:117db924cf7c | 5529 | hash = cert->issuerHash; |
wolfSSL | 15:117db924cf7c | 5530 | } |
wolfSSL | 15:117db924cf7c | 5531 | else { |
wolfSSL | 15:117db924cf7c | 5532 | full = cert->subject; |
wolfSSL | 15:117db924cf7c | 5533 | hash = cert->subjectHash; |
wolfSSL | 15:117db924cf7c | 5534 | } |
wolfSSL | 15:117db924cf7c | 5535 | |
wolfSSL | 16:8e0d178b1d1e | 5536 | if (cert->srcIdx >= (word32)maxIdx) { |
wolfSSL | 16:8e0d178b1d1e | 5537 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 5538 | } |
wolfSSL | 16:8e0d178b1d1e | 5539 | |
wolfSSL | 16:8e0d178b1d1e | 5540 | localIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5541 | if (GetASNTag(cert->source, &localIdx, &tag, maxIdx) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 5542 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5543 | } |
wolfSSL | 16:8e0d178b1d1e | 5544 | |
wolfSSL | 16:8e0d178b1d1e | 5545 | if (tag == ASN_OBJECT_ID) { |
wolfSSL | 15:117db924cf7c | 5546 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 15:117db924cf7c | 5547 | |
wolfSSL | 16:8e0d178b1d1e | 5548 | if (SkipObjectId(cert->source, &cert->srcIdx, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5549 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5550 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 15:117db924cf7c | 5551 | } |
wolfSSL | 15:117db924cf7c | 5552 | |
wolfSSL | 15:117db924cf7c | 5553 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 15:117db924cf7c | 5554 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 15:117db924cf7c | 5555 | * the tag and length. */ |
wolfSSL | 15:117db924cf7c | 5556 | idx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5557 | if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0) |
wolfSSL | 16:8e0d178b1d1e | 5558 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5559 | |
wolfSSL | 16:8e0d178b1d1e | 5560 | ret = CalcHashId(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 15:117db924cf7c | 5561 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5562 | return ret; |
wolfSSL | 15:117db924cf7c | 5563 | |
wolfSSL | 15:117db924cf7c | 5564 | length += cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5565 | idx = 0; |
wolfSSL | 15:117db924cf7c | 5566 | |
wolfSSL | 16:8e0d178b1d1e | 5567 | #if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 15:117db924cf7c | 5568 | /* store pointer to raw issuer */ |
wolfSSL | 15:117db924cf7c | 5569 | if (nameType == ISSUER) { |
wolfSSL | 15:117db924cf7c | 5570 | cert->issuerRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5571 | cert->issuerRawLen = length - cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5572 | } |
wolfSSL | 15:117db924cf7c | 5573 | #endif |
wolfSSL | 15:117db924cf7c | 5574 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 5575 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5576 | cert->subjectRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5577 | cert->subjectRawLen = length - cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5578 | } |
wolfSSL | 15:117db924cf7c | 5579 | #endif |
wolfSSL | 15:117db924cf7c | 5580 | |
wolfSSL | 15:117db924cf7c | 5581 | while (cert->srcIdx < (word32)length) { |
wolfSSL | 16:8e0d178b1d1e | 5582 | byte b = 0; |
wolfSSL | 16:8e0d178b1d1e | 5583 | byte joint[3]; |
wolfSSL | 16:8e0d178b1d1e | 5584 | byte tooBig = FALSE; |
wolfSSL | 16:8e0d178b1d1e | 5585 | int oidSz; |
wolfSSL | 16:8e0d178b1d1e | 5586 | const char* copy = NULL; |
wolfSSL | 16:8e0d178b1d1e | 5587 | int copyLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 5588 | int strLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 5589 | byte id = 0; |
wolfSSL | 16:8e0d178b1d1e | 5590 | |
wolfSSL | 16:8e0d178b1d1e | 5591 | if (GetSet(cert->source, &cert->srcIdx, &dummy, maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 5592 | WOLFSSL_MSG("Cert name lacks set header, trying sequence"); |
wolfSSL | 15:117db924cf7c | 5593 | } |
wolfSSL | 15:117db924cf7c | 5594 | |
wolfSSL | 16:8e0d178b1d1e | 5595 | if (GetSequence(cert->source, &cert->srcIdx, &dummy, maxIdx) <= 0) |
wolfSSL | 16:8e0d178b1d1e | 5596 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5597 | |
wolfSSL | 16:8e0d178b1d1e | 5598 | ret = GetASNObjectId(cert->source, &cert->srcIdx, &oidSz, maxIdx); |
wolfSSL | 15:117db924cf7c | 5599 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5600 | return ret; |
wolfSSL | 15:117db924cf7c | 5601 | |
wolfSSL | 15:117db924cf7c | 5602 | /* make sure there is room for joint */ |
wolfSSL | 16:8e0d178b1d1e | 5603 | if ((cert->srcIdx + sizeof(joint)) > (word32)maxIdx) |
wolfSSL | 15:117db924cf7c | 5604 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5605 | |
wolfSSL | 15:117db924cf7c | 5606 | XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint)); |
wolfSSL | 15:117db924cf7c | 5607 | |
wolfSSL | 15:117db924cf7c | 5608 | /* v1 name types */ |
wolfSSL | 15:117db924cf7c | 5609 | if (joint[0] == 0x55 && joint[1] == 0x04) { |
wolfSSL | 16:8e0d178b1d1e | 5610 | cert->srcIdx += 3; |
wolfSSL | 16:8e0d178b1d1e | 5611 | id = joint[2]; |
wolfSSL | 16:8e0d178b1d1e | 5612 | if (GetHeader(cert->source, &b, &cert->srcIdx, &strLen, |
wolfSSL | 16:8e0d178b1d1e | 5613 | maxIdx, 1) < 0) { |
wolfSSL | 15:117db924cf7c | 5614 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5615 | } |
wolfSSL | 15:117db924cf7c | 5616 | |
wolfSSL | 15:117db924cf7c | 5617 | if (id == ASN_COMMON_NAME) { |
wolfSSL | 15:117db924cf7c | 5618 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5619 | cert->subjectCN = (char *)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5620 | cert->subjectCNLen = strLen; |
wolfSSL | 15:117db924cf7c | 5621 | cert->subjectCNEnc = b; |
wolfSSL | 15:117db924cf7c | 5622 | } |
wolfSSL | 15:117db924cf7c | 5623 | |
wolfSSL | 15:117db924cf7c | 5624 | copy = WOLFSSL_COMMON_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5625 | copyLen = sizeof(WOLFSSL_COMMON_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5626 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5627 | dName->cnIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5628 | dName->cnLen = strLen; |
wolfSSL | 15:117db924cf7c | 5629 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5630 | } |
wolfSSL | 15:117db924cf7c | 5631 | else if (id == ASN_SUR_NAME) { |
wolfSSL | 15:117db924cf7c | 5632 | copy = WOLFSSL_SUR_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5633 | copyLen = sizeof(WOLFSSL_SUR_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5634 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5635 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5636 | cert->subjectSN = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5637 | cert->subjectSNLen = strLen; |
wolfSSL | 15:117db924cf7c | 5638 | cert->subjectSNEnc = b; |
wolfSSL | 15:117db924cf7c | 5639 | } |
wolfSSL | 15:117db924cf7c | 5640 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5641 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5642 | dName->snIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5643 | dName->snLen = strLen; |
wolfSSL | 15:117db924cf7c | 5644 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5645 | } |
wolfSSL | 15:117db924cf7c | 5646 | else if (id == ASN_COUNTRY_NAME) { |
wolfSSL | 15:117db924cf7c | 5647 | copy = WOLFSSL_COUNTRY_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5648 | copyLen = sizeof(WOLFSSL_COUNTRY_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5649 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5650 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5651 | cert->subjectC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5652 | cert->subjectCLen = strLen; |
wolfSSL | 15:117db924cf7c | 5653 | cert->subjectCEnc = b; |
wolfSSL | 15:117db924cf7c | 5654 | } |
wolfSSL | 15:117db924cf7c | 5655 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5656 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5657 | dName->cIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5658 | dName->cLen = strLen; |
wolfSSL | 15:117db924cf7c | 5659 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5660 | } |
wolfSSL | 15:117db924cf7c | 5661 | else if (id == ASN_LOCALITY_NAME) { |
wolfSSL | 15:117db924cf7c | 5662 | copy = WOLFSSL_LOCALITY_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5663 | copyLen = sizeof(WOLFSSL_LOCALITY_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5664 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5665 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5666 | cert->subjectL = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5667 | cert->subjectLLen = strLen; |
wolfSSL | 15:117db924cf7c | 5668 | cert->subjectLEnc = b; |
wolfSSL | 15:117db924cf7c | 5669 | } |
wolfSSL | 15:117db924cf7c | 5670 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5671 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5672 | dName->lIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5673 | dName->lLen = strLen; |
wolfSSL | 15:117db924cf7c | 5674 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5675 | } |
wolfSSL | 15:117db924cf7c | 5676 | else if (id == ASN_STATE_NAME) { |
wolfSSL | 15:117db924cf7c | 5677 | copy = WOLFSSL_STATE_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5678 | copyLen = sizeof(WOLFSSL_STATE_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5679 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5680 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5681 | cert->subjectST = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5682 | cert->subjectSTLen = strLen; |
wolfSSL | 15:117db924cf7c | 5683 | cert->subjectSTEnc = b; |
wolfSSL | 15:117db924cf7c | 5684 | } |
wolfSSL | 15:117db924cf7c | 5685 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5686 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5687 | dName->stIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5688 | dName->stLen = strLen; |
wolfSSL | 15:117db924cf7c | 5689 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5690 | } |
wolfSSL | 15:117db924cf7c | 5691 | else if (id == ASN_ORG_NAME) { |
wolfSSL | 15:117db924cf7c | 5692 | copy = WOLFSSL_ORG_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5693 | copyLen = sizeof(WOLFSSL_ORG_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5694 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5695 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5696 | cert->subjectO = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5697 | cert->subjectOLen = strLen; |
wolfSSL | 15:117db924cf7c | 5698 | cert->subjectOEnc = b; |
wolfSSL | 15:117db924cf7c | 5699 | } |
wolfSSL | 15:117db924cf7c | 5700 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5701 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5702 | dName->oIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5703 | dName->oLen = strLen; |
wolfSSL | 15:117db924cf7c | 5704 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5705 | } |
wolfSSL | 15:117db924cf7c | 5706 | else if (id == ASN_ORGUNIT_NAME) { |
wolfSSL | 15:117db924cf7c | 5707 | copy = WOLFSSL_ORGUNIT_NAME; |
wolfSSL | 16:8e0d178b1d1e | 5708 | copyLen = sizeof(WOLFSSL_ORGUNIT_NAME) - 1; |
wolfSSL | 15:117db924cf7c | 5709 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5710 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5711 | cert->subjectOU = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 5712 | cert->subjectOULen = strLen; |
wolfSSL | 15:117db924cf7c | 5713 | cert->subjectOUEnc = b; |
wolfSSL | 15:117db924cf7c | 5714 | } |
wolfSSL | 15:117db924cf7c | 5715 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5716 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5717 | dName->ouIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5718 | dName->ouLen = strLen; |
wolfSSL | 15:117db924cf7c | 5719 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5720 | } |
wolfSSL | 15:117db924cf7c | 5721 | else if (id == ASN_SERIAL_NUMBER) { |
wolfSSL | 15:117db924cf7c | 5722 | copy = WOLFSSL_SERIAL_NUMBER; |
wolfSSL | 16:8e0d178b1d1e | 5723 | copyLen = sizeof(WOLFSSL_SERIAL_NUMBER) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5724 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 16:8e0d178b1d1e | 5725 | if (nameType == SUBJECT) { |
wolfSSL | 16:8e0d178b1d1e | 5726 | cert->subjectSND = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 16:8e0d178b1d1e | 5727 | cert->subjectSNDLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5728 | cert->subjectSNDEnc = b; |
wolfSSL | 16:8e0d178b1d1e | 5729 | } |
wolfSSL | 16:8e0d178b1d1e | 5730 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5731 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5732 | dName->snIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 5733 | dName->snLen = strLen; |
wolfSSL | 15:117db924cf7c | 5734 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5735 | } |
wolfSSL | 16:8e0d178b1d1e | 5736 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 5737 | else if (id == ASN_BUS_CAT) { |
wolfSSL | 16:8e0d178b1d1e | 5738 | copy = WOLFSSL_BUS_CAT; |
wolfSSL | 16:8e0d178b1d1e | 5739 | copyLen = sizeof(WOLFSSL_BUS_CAT) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5740 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 16:8e0d178b1d1e | 5741 | if (nameType == SUBJECT) { |
wolfSSL | 16:8e0d178b1d1e | 5742 | cert->subjectBC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 16:8e0d178b1d1e | 5743 | cert->subjectBCLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5744 | cert->subjectBCEnc = b; |
wolfSSL | 16:8e0d178b1d1e | 5745 | } |
wolfSSL | 16:8e0d178b1d1e | 5746 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 5747 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5748 | dName->bcIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5749 | dName->bcLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5750 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5751 | } |
wolfSSL | 16:8e0d178b1d1e | 5752 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 16:8e0d178b1d1e | 5753 | } |
wolfSSL | 16:8e0d178b1d1e | 5754 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 5755 | else if ((cert->srcIdx + ASN_JOI_PREFIX_SZ + 2 <= (word32)maxIdx) && |
wolfSSL | 16:8e0d178b1d1e | 5756 | (0 == XMEMCMP(&cert->source[cert->srcIdx], ASN_JOI_PREFIX, |
wolfSSL | 16:8e0d178b1d1e | 5757 | ASN_JOI_PREFIX_SZ)) && |
wolfSSL | 16:8e0d178b1d1e | 5758 | ((cert->source[cert->srcIdx+ASN_JOI_PREFIX_SZ] == ASN_JOI_C) || |
wolfSSL | 16:8e0d178b1d1e | 5759 | (cert->source[cert->srcIdx+ASN_JOI_PREFIX_SZ] == ASN_JOI_ST))) |
wolfSSL | 16:8e0d178b1d1e | 5760 | { |
wolfSSL | 16:8e0d178b1d1e | 5761 | cert->srcIdx += ASN_JOI_PREFIX_SZ; |
wolfSSL | 16:8e0d178b1d1e | 5762 | id = cert->source[cert->srcIdx++]; |
wolfSSL | 16:8e0d178b1d1e | 5763 | b = cert->source[cert->srcIdx++]; /* encoding */ |
wolfSSL | 16:8e0d178b1d1e | 5764 | |
wolfSSL | 16:8e0d178b1d1e | 5765 | if (GetLength(cert->source, &cert->srcIdx, &strLen, |
wolfSSL | 16:8e0d178b1d1e | 5766 | maxIdx) < 0) |
wolfSSL | 16:8e0d178b1d1e | 5767 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5768 | |
wolfSSL | 16:8e0d178b1d1e | 5769 | /* Check for jurisdiction of incorporation country name */ |
wolfSSL | 16:8e0d178b1d1e | 5770 | if (id == ASN_JOI_C) { |
wolfSSL | 16:8e0d178b1d1e | 5771 | copy = WOLFSSL_JOI_C; |
wolfSSL | 16:8e0d178b1d1e | 5772 | copyLen = sizeof(WOLFSSL_JOI_C) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5773 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 16:8e0d178b1d1e | 5774 | if (nameType == SUBJECT) { |
wolfSSL | 16:8e0d178b1d1e | 5775 | cert->subjectJC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 16:8e0d178b1d1e | 5776 | cert->subjectJCLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5777 | cert->subjectJCEnc = b; |
wolfSSL | 16:8e0d178b1d1e | 5778 | } |
wolfSSL | 16:8e0d178b1d1e | 5779 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 5780 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5781 | dName->jcIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5782 | dName->jcLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5783 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5784 | } |
wolfSSL | 16:8e0d178b1d1e | 5785 | |
wolfSSL | 16:8e0d178b1d1e | 5786 | /* Check for jurisdiction of incorporation state name */ |
wolfSSL | 16:8e0d178b1d1e | 5787 | else if (id == ASN_JOI_ST) { |
wolfSSL | 16:8e0d178b1d1e | 5788 | copy = WOLFSSL_JOI_ST; |
wolfSSL | 16:8e0d178b1d1e | 5789 | copyLen = sizeof(WOLFSSL_JOI_ST) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5790 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 16:8e0d178b1d1e | 5791 | if (nameType == SUBJECT) { |
wolfSSL | 16:8e0d178b1d1e | 5792 | cert->subjectJS = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 16:8e0d178b1d1e | 5793 | cert->subjectJSLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5794 | cert->subjectJSEnc = b; |
wolfSSL | 16:8e0d178b1d1e | 5795 | } |
wolfSSL | 16:8e0d178b1d1e | 5796 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 5797 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5798 | dName->jsIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5799 | dName->jsLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5800 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5801 | } |
wolfSSL | 16:8e0d178b1d1e | 5802 | |
wolfSSL | 16:8e0d178b1d1e | 5803 | if ((strLen + copyLen) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 16:8e0d178b1d1e | 5804 | WOLFSSL_MSG("ASN Name too big, skipping"); |
wolfSSL | 16:8e0d178b1d1e | 5805 | tooBig = TRUE; |
wolfSSL | 16:8e0d178b1d1e | 5806 | } |
wolfSSL | 16:8e0d178b1d1e | 5807 | } |
wolfSSL | 16:8e0d178b1d1e | 5808 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 5809 | else { |
wolfSSL | 15:117db924cf7c | 5810 | /* skip */ |
wolfSSL | 15:117db924cf7c | 5811 | byte email = FALSE; |
wolfSSL | 15:117db924cf7c | 5812 | byte pilot = FALSE; |
wolfSSL | 16:8e0d178b1d1e | 5813 | |
wolfSSL | 16:8e0d178b1d1e | 5814 | if (joint[0] == 0x2a && joint[1] == 0x86) { /* email id hdr */ |
wolfSSL | 16:8e0d178b1d1e | 5815 | id = ASN_EMAIL_NAME; |
wolfSSL | 15:117db924cf7c | 5816 | email = TRUE; |
wolfSSL | 16:8e0d178b1d1e | 5817 | } |
wolfSSL | 15:117db924cf7c | 5818 | |
wolfSSL | 15:117db924cf7c | 5819 | if (joint[0] == 0x9 && joint[1] == 0x92) { /* uid id hdr */ |
wolfSSL | 15:117db924cf7c | 5820 | /* last value of OID is the type of pilot attribute */ |
wolfSSL | 15:117db924cf7c | 5821 | id = cert->source[cert->srcIdx + oidSz - 1]; |
wolfSSL | 15:117db924cf7c | 5822 | pilot = TRUE; |
wolfSSL | 15:117db924cf7c | 5823 | } |
wolfSSL | 15:117db924cf7c | 5824 | |
wolfSSL | 15:117db924cf7c | 5825 | cert->srcIdx += oidSz + 1; |
wolfSSL | 15:117db924cf7c | 5826 | |
wolfSSL | 16:8e0d178b1d1e | 5827 | if (GetLength(cert->source, &cert->srcIdx, &strLen, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 5828 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 5829 | |
wolfSSL | 16:8e0d178b1d1e | 5830 | if (strLen > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 15:117db924cf7c | 5831 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 15:117db924cf7c | 5832 | tooBig = TRUE; |
wolfSSL | 15:117db924cf7c | 5833 | } |
wolfSSL | 15:117db924cf7c | 5834 | |
wolfSSL | 15:117db924cf7c | 5835 | if (email) { |
wolfSSL | 16:8e0d178b1d1e | 5836 | copyLen = sizeof(WOLFSSL_EMAIL_ADDR) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5837 | if ((copyLen + strLen) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 15:117db924cf7c | 5838 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 15:117db924cf7c | 5839 | tooBig = TRUE; |
wolfSSL | 15:117db924cf7c | 5840 | } |
wolfSSL | 16:8e0d178b1d1e | 5841 | else { |
wolfSSL | 16:8e0d178b1d1e | 5842 | copy = WOLFSSL_EMAIL_ADDR; |
wolfSSL | 15:117db924cf7c | 5843 | } |
wolfSSL | 15:117db924cf7c | 5844 | |
wolfSSL | 15:117db924cf7c | 5845 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 5846 | if (nameType == SUBJECT) { |
wolfSSL | 15:117db924cf7c | 5847 | cert->subjectEmail = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 16:8e0d178b1d1e | 5848 | cert->subjectEmailLen = strLen; |
wolfSSL | 15:117db924cf7c | 5849 | } |
wolfSSL | 15:117db924cf7c | 5850 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 5851 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5852 | dName->emailIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5853 | dName->emailLen = strLen; |
wolfSSL | 15:117db924cf7c | 5854 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 5855 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 5856 | { |
wolfSSL | 16:8e0d178b1d1e | 5857 | DNS_entry* emailName; |
wolfSSL | 15:117db924cf7c | 5858 | |
wolfSSL | 15:117db924cf7c | 5859 | emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), |
wolfSSL | 15:117db924cf7c | 5860 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 5861 | if (emailName == NULL) { |
wolfSSL | 15:117db924cf7c | 5862 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 5863 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 5864 | } |
wolfSSL | 15:117db924cf7c | 5865 | emailName->type = 0; |
wolfSSL | 16:8e0d178b1d1e | 5866 | emailName->name = (char*)XMALLOC(strLen + 1, |
wolfSSL | 15:117db924cf7c | 5867 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 5868 | if (emailName->name == NULL) { |
wolfSSL | 15:117db924cf7c | 5869 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 5870 | XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 5871 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 5872 | } |
wolfSSL | 16:8e0d178b1d1e | 5873 | emailName->len = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5874 | XMEMCPY(emailName->name, &cert->source[cert->srcIdx], |
wolfSSL | 16:8e0d178b1d1e | 5875 | strLen); |
wolfSSL | 16:8e0d178b1d1e | 5876 | emailName->name[strLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 5877 | |
wolfSSL | 15:117db924cf7c | 5878 | emailName->next = cert->altEmailNames; |
wolfSSL | 15:117db924cf7c | 5879 | cert->altEmailNames = emailName; |
wolfSSL | 15:117db924cf7c | 5880 | } |
wolfSSL | 15:117db924cf7c | 5881 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 5882 | } |
wolfSSL | 15:117db924cf7c | 5883 | |
wolfSSL | 15:117db924cf7c | 5884 | if (pilot) { |
wolfSSL | 16:8e0d178b1d1e | 5885 | switch (id) { |
wolfSSL | 16:8e0d178b1d1e | 5886 | case ASN_USER_ID: |
wolfSSL | 16:8e0d178b1d1e | 5887 | copy = WOLFSSL_USER_ID; |
wolfSSL | 16:8e0d178b1d1e | 5888 | copyLen = sizeof(WOLFSSL_USER_ID) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5889 | #if defined(OPENSSL_EXTRA) || \ |
wolfSSL | 16:8e0d178b1d1e | 5890 | defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5891 | dName->uidIdx = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5892 | dName->uidLen = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5893 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5894 | break; |
wolfSSL | 16:8e0d178b1d1e | 5895 | |
wolfSSL | 16:8e0d178b1d1e | 5896 | case ASN_DOMAIN_COMPONENT: |
wolfSSL | 16:8e0d178b1d1e | 5897 | copy = WOLFSSL_DOMAIN_COMPONENT; |
wolfSSL | 16:8e0d178b1d1e | 5898 | copyLen = sizeof(WOLFSSL_DOMAIN_COMPONENT) - 1; |
wolfSSL | 16:8e0d178b1d1e | 5899 | #if defined(OPENSSL_EXTRA) || \ |
wolfSSL | 16:8e0d178b1d1e | 5900 | defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 16:8e0d178b1d1e | 5901 | dName->dcIdx[dcnum] = cert->srcIdx; |
wolfSSL | 16:8e0d178b1d1e | 5902 | dName->dcLen[dcnum] = strLen; |
wolfSSL | 16:8e0d178b1d1e | 5903 | dName->dcNum = dcnum + 1; |
wolfSSL | 16:8e0d178b1d1e | 5904 | dcnum++; |
wolfSSL | 16:8e0d178b1d1e | 5905 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 5906 | break; |
wolfSSL | 16:8e0d178b1d1e | 5907 | |
wolfSSL | 16:8e0d178b1d1e | 5908 | default: |
wolfSSL | 16:8e0d178b1d1e | 5909 | WOLFSSL_MSG("Unknown pilot attribute type"); |
wolfSSL | 16:8e0d178b1d1e | 5910 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 5911 | } |
wolfSSL | 16:8e0d178b1d1e | 5912 | } |
wolfSSL | 16:8e0d178b1d1e | 5913 | } |
wolfSSL | 16:8e0d178b1d1e | 5914 | if ((copyLen + strLen) > (int)(ASN_NAME_MAX - idx)) |
wolfSSL | 16:8e0d178b1d1e | 5915 | { |
wolfSSL | 16:8e0d178b1d1e | 5916 | WOLFSSL_MSG("ASN Name too big, skipping"); |
wolfSSL | 16:8e0d178b1d1e | 5917 | tooBig = TRUE; |
wolfSSL | 16:8e0d178b1d1e | 5918 | } |
wolfSSL | 16:8e0d178b1d1e | 5919 | if ((copy != NULL) && !tooBig) { |
wolfSSL | 16:8e0d178b1d1e | 5920 | XMEMCPY(&full[idx], copy, copyLen); |
wolfSSL | 16:8e0d178b1d1e | 5921 | idx += copyLen; |
wolfSSL | 16:8e0d178b1d1e | 5922 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); |
wolfSSL | 16:8e0d178b1d1e | 5923 | idx += strLen; |
wolfSSL | 16:8e0d178b1d1e | 5924 | |
wolfSSL | 16:8e0d178b1d1e | 5925 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 5926 | if (count < DOMAIN_COMPONENT_MAX) { |
wolfSSL | 16:8e0d178b1d1e | 5927 | /* store order that DN was parsed */ |
wolfSSL | 16:8e0d178b1d1e | 5928 | dName->loc[count++] = id; |
wolfSSL | 16:8e0d178b1d1e | 5929 | } |
wolfSSL | 16:8e0d178b1d1e | 5930 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5931 | } |
wolfSSL | 16:8e0d178b1d1e | 5932 | cert->srcIdx += strLen; |
wolfSSL | 15:117db924cf7c | 5933 | } |
wolfSSL | 15:117db924cf7c | 5934 | full[idx++] = 0; |
wolfSSL | 16:8e0d178b1d1e | 5935 | #if defined(OPENSSL_EXTRA) |
wolfSSL | 16:8e0d178b1d1e | 5936 | /* store order that DN was parsed */ |
wolfSSL | 16:8e0d178b1d1e | 5937 | dName->locSz = count; |
wolfSSL | 16:8e0d178b1d1e | 5938 | #endif |
wolfSSL | 15:117db924cf7c | 5939 | |
wolfSSL | 15:117db924cf7c | 5940 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 5941 | { |
wolfSSL | 15:117db924cf7c | 5942 | int totalLen = 0; |
wolfSSL | 15:117db924cf7c | 5943 | int i = 0; |
wolfSSL | 15:117db924cf7c | 5944 | |
wolfSSL | 15:117db924cf7c | 5945 | if (dName->cnLen != 0) |
wolfSSL | 15:117db924cf7c | 5946 | totalLen += dName->cnLen + 4; |
wolfSSL | 15:117db924cf7c | 5947 | if (dName->snLen != 0) |
wolfSSL | 15:117db924cf7c | 5948 | totalLen += dName->snLen + 4; |
wolfSSL | 15:117db924cf7c | 5949 | if (dName->cLen != 0) |
wolfSSL | 15:117db924cf7c | 5950 | totalLen += dName->cLen + 3; |
wolfSSL | 15:117db924cf7c | 5951 | if (dName->lLen != 0) |
wolfSSL | 15:117db924cf7c | 5952 | totalLen += dName->lLen + 3; |
wolfSSL | 15:117db924cf7c | 5953 | if (dName->stLen != 0) |
wolfSSL | 15:117db924cf7c | 5954 | totalLen += dName->stLen + 4; |
wolfSSL | 15:117db924cf7c | 5955 | if (dName->oLen != 0) |
wolfSSL | 15:117db924cf7c | 5956 | totalLen += dName->oLen + 3; |
wolfSSL | 15:117db924cf7c | 5957 | if (dName->ouLen != 0) |
wolfSSL | 15:117db924cf7c | 5958 | totalLen += dName->ouLen + 4; |
wolfSSL | 15:117db924cf7c | 5959 | if (dName->emailLen != 0) |
wolfSSL | 15:117db924cf7c | 5960 | totalLen += dName->emailLen + 14; |
wolfSSL | 15:117db924cf7c | 5961 | if (dName->uidLen != 0) |
wolfSSL | 15:117db924cf7c | 5962 | totalLen += dName->uidLen + 5; |
wolfSSL | 15:117db924cf7c | 5963 | if (dName->serialLen != 0) |
wolfSSL | 15:117db924cf7c | 5964 | totalLen += dName->serialLen + 14; |
wolfSSL | 15:117db924cf7c | 5965 | if (dName->dcNum != 0){ |
wolfSSL | 15:117db924cf7c | 5966 | for (i = 0;i < dName->dcNum;i++) |
wolfSSL | 15:117db924cf7c | 5967 | totalLen += dName->dcLen[i] + 4; |
wolfSSL | 15:117db924cf7c | 5968 | } |
wolfSSL | 15:117db924cf7c | 5969 | |
wolfSSL | 15:117db924cf7c | 5970 | dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 5971 | DYNAMIC_TYPE_X509); |
wolfSSL | 15:117db924cf7c | 5972 | if (dName->fullName != NULL) { |
wolfSSL | 15:117db924cf7c | 5973 | idx = 0; |
wolfSSL | 15:117db924cf7c | 5974 | |
wolfSSL | 15:117db924cf7c | 5975 | if (dName->cnLen != 0) { |
wolfSSL | 15:117db924cf7c | 5976 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 5977 | XMEMCPY(&dName->fullName[idx], WOLFSSL_COMMON_NAME, 4); |
wolfSSL | 16:8e0d178b1d1e | 5978 | dName->cnNid = wc_OBJ_sn2nid((const char *)WOLFSSL_COMMON_NAME); |
wolfSSL | 15:117db924cf7c | 5979 | idx += 4; |
wolfSSL | 15:117db924cf7c | 5980 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 5981 | &cert->source[dName->cnIdx], dName->cnLen); |
wolfSSL | 15:117db924cf7c | 5982 | dName->cnIdx = idx; |
wolfSSL | 15:117db924cf7c | 5983 | idx += dName->cnLen; |
wolfSSL | 15:117db924cf7c | 5984 | } |
wolfSSL | 15:117db924cf7c | 5985 | if (dName->snLen != 0) { |
wolfSSL | 15:117db924cf7c | 5986 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 5987 | XMEMCPY(&dName->fullName[idx], WOLFSSL_SUR_NAME, 4); |
wolfSSL | 16:8e0d178b1d1e | 5988 | dName->snNid = wc_OBJ_sn2nid((const char *)WOLFSSL_SUR_NAME); |
wolfSSL | 15:117db924cf7c | 5989 | idx += 4; |
wolfSSL | 15:117db924cf7c | 5990 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 5991 | &cert->source[dName->snIdx], dName->snLen); |
wolfSSL | 15:117db924cf7c | 5992 | dName->snIdx = idx; |
wolfSSL | 15:117db924cf7c | 5993 | idx += dName->snLen; |
wolfSSL | 15:117db924cf7c | 5994 | } |
wolfSSL | 15:117db924cf7c | 5995 | if (dName->cLen != 0) { |
wolfSSL | 15:117db924cf7c | 5996 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 5997 | XMEMCPY(&dName->fullName[idx], WOLFSSL_COUNTRY_NAME, 3); |
wolfSSL | 16:8e0d178b1d1e | 5998 | dName->cNid = wc_OBJ_sn2nid((const char *)WOLFSSL_COUNTRY_NAME); |
wolfSSL | 15:117db924cf7c | 5999 | idx += 3; |
wolfSSL | 15:117db924cf7c | 6000 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6001 | &cert->source[dName->cIdx], dName->cLen); |
wolfSSL | 15:117db924cf7c | 6002 | dName->cIdx = idx; |
wolfSSL | 15:117db924cf7c | 6003 | idx += dName->cLen; |
wolfSSL | 15:117db924cf7c | 6004 | } |
wolfSSL | 15:117db924cf7c | 6005 | if (dName->lLen != 0) { |
wolfSSL | 15:117db924cf7c | 6006 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6007 | XMEMCPY(&dName->fullName[idx], WOLFSSL_LOCALITY_NAME, 3); |
wolfSSL | 16:8e0d178b1d1e | 6008 | dName->lNid = wc_OBJ_sn2nid((const char *)WOLFSSL_LOCALITY_NAME); |
wolfSSL | 15:117db924cf7c | 6009 | idx += 3; |
wolfSSL | 15:117db924cf7c | 6010 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6011 | &cert->source[dName->lIdx], dName->lLen); |
wolfSSL | 15:117db924cf7c | 6012 | dName->lIdx = idx; |
wolfSSL | 15:117db924cf7c | 6013 | idx += dName->lLen; |
wolfSSL | 15:117db924cf7c | 6014 | } |
wolfSSL | 15:117db924cf7c | 6015 | if (dName->stLen != 0) { |
wolfSSL | 15:117db924cf7c | 6016 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6017 | XMEMCPY(&dName->fullName[idx], WOLFSSL_STATE_NAME, 4); |
wolfSSL | 16:8e0d178b1d1e | 6018 | dName->stNid = wc_OBJ_sn2nid((const char *)WOLFSSL_STATE_NAME); |
wolfSSL | 15:117db924cf7c | 6019 | idx += 4; |
wolfSSL | 15:117db924cf7c | 6020 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6021 | &cert->source[dName->stIdx], dName->stLen); |
wolfSSL | 15:117db924cf7c | 6022 | dName->stIdx = idx; |
wolfSSL | 15:117db924cf7c | 6023 | idx += dName->stLen; |
wolfSSL | 15:117db924cf7c | 6024 | } |
wolfSSL | 15:117db924cf7c | 6025 | if (dName->oLen != 0) { |
wolfSSL | 15:117db924cf7c | 6026 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6027 | XMEMCPY(&dName->fullName[idx], WOLFSSL_ORG_NAME, 3); |
wolfSSL | 16:8e0d178b1d1e | 6028 | dName->oNid = wc_OBJ_sn2nid((const char *)WOLFSSL_ORG_NAME); |
wolfSSL | 15:117db924cf7c | 6029 | idx += 3; |
wolfSSL | 15:117db924cf7c | 6030 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6031 | &cert->source[dName->oIdx], dName->oLen); |
wolfSSL | 15:117db924cf7c | 6032 | dName->oIdx = idx; |
wolfSSL | 15:117db924cf7c | 6033 | idx += dName->oLen; |
wolfSSL | 15:117db924cf7c | 6034 | } |
wolfSSL | 15:117db924cf7c | 6035 | if (dName->ouLen != 0) { |
wolfSSL | 15:117db924cf7c | 6036 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6037 | XMEMCPY(&dName->fullName[idx], WOLFSSL_ORGUNIT_NAME, 4); |
wolfSSL | 16:8e0d178b1d1e | 6038 | dName->ouNid = wc_OBJ_sn2nid((const char *)WOLFSSL_ORGUNIT_NAME); |
wolfSSL | 15:117db924cf7c | 6039 | idx += 4; |
wolfSSL | 15:117db924cf7c | 6040 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6041 | &cert->source[dName->ouIdx], dName->ouLen); |
wolfSSL | 15:117db924cf7c | 6042 | dName->ouIdx = idx; |
wolfSSL | 15:117db924cf7c | 6043 | idx += dName->ouLen; |
wolfSSL | 15:117db924cf7c | 6044 | } |
wolfSSL | 15:117db924cf7c | 6045 | if (dName->emailLen != 0) { |
wolfSSL | 15:117db924cf7c | 6046 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6047 | XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14); |
wolfSSL | 16:8e0d178b1d1e | 6048 | dName->emailNid = wc_OBJ_sn2nid((const char *)"/emailAddress="); |
wolfSSL | 15:117db924cf7c | 6049 | idx += 14; |
wolfSSL | 15:117db924cf7c | 6050 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6051 | &cert->source[dName->emailIdx], dName->emailLen); |
wolfSSL | 15:117db924cf7c | 6052 | dName->emailIdx = idx; |
wolfSSL | 15:117db924cf7c | 6053 | idx += dName->emailLen; |
wolfSSL | 15:117db924cf7c | 6054 | } |
wolfSSL | 15:117db924cf7c | 6055 | for (i = 0;i < dName->dcNum;i++){ |
wolfSSL | 15:117db924cf7c | 6056 | if (dName->dcLen[i] != 0) { |
wolfSSL | 15:117db924cf7c | 6057 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6058 | XMEMCPY(&dName->fullName[idx], WOLFSSL_DOMAIN_COMPONENT, 4); |
wolfSSL | 15:117db924cf7c | 6059 | idx += 4; |
wolfSSL | 15:117db924cf7c | 6060 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6061 | &cert->source[dName->dcIdx[i]], dName->dcLen[i]); |
wolfSSL | 15:117db924cf7c | 6062 | dName->dcIdx[i] = idx; |
wolfSSL | 15:117db924cf7c | 6063 | idx += dName->dcLen[i]; |
wolfSSL | 15:117db924cf7c | 6064 | } |
wolfSSL | 15:117db924cf7c | 6065 | } |
wolfSSL | 15:117db924cf7c | 6066 | if (dName->uidLen != 0) { |
wolfSSL | 15:117db924cf7c | 6067 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6068 | XMEMCPY(&dName->fullName[idx], "/UID=", 5); |
wolfSSL | 16:8e0d178b1d1e | 6069 | dName->uidNid = wc_OBJ_sn2nid((const char *)"/UID="); |
wolfSSL | 15:117db924cf7c | 6070 | idx += 5; |
wolfSSL | 15:117db924cf7c | 6071 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6072 | &cert->source[dName->uidIdx], dName->uidLen); |
wolfSSL | 15:117db924cf7c | 6073 | dName->uidIdx = idx; |
wolfSSL | 15:117db924cf7c | 6074 | idx += dName->uidLen; |
wolfSSL | 15:117db924cf7c | 6075 | } |
wolfSSL | 15:117db924cf7c | 6076 | if (dName->serialLen != 0) { |
wolfSSL | 15:117db924cf7c | 6077 | dName->entryCount++; |
wolfSSL | 15:117db924cf7c | 6078 | XMEMCPY(&dName->fullName[idx], WOLFSSL_SERIAL_NUMBER, 14); |
wolfSSL | 16:8e0d178b1d1e | 6079 | dName->serialNid = wc_OBJ_sn2nid((const char *)WOLFSSL_SERIAL_NUMBER); |
wolfSSL | 15:117db924cf7c | 6080 | idx += 14; |
wolfSSL | 15:117db924cf7c | 6081 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 15:117db924cf7c | 6082 | &cert->source[dName->serialIdx], dName->serialLen); |
wolfSSL | 15:117db924cf7c | 6083 | dName->serialIdx = idx; |
wolfSSL | 15:117db924cf7c | 6084 | idx += dName->serialLen; |
wolfSSL | 15:117db924cf7c | 6085 | } |
wolfSSL | 15:117db924cf7c | 6086 | dName->fullName[idx] = '\0'; |
wolfSSL | 15:117db924cf7c | 6087 | dName->fullNameLen = totalLen; |
wolfSSL | 15:117db924cf7c | 6088 | } |
wolfSSL | 15:117db924cf7c | 6089 | } |
wolfSSL | 15:117db924cf7c | 6090 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 6091 | |
wolfSSL | 15:117db924cf7c | 6092 | return 0; |
wolfSSL | 15:117db924cf7c | 6093 | } |
wolfSSL | 15:117db924cf7c | 6094 | |
wolfSSL | 15:117db924cf7c | 6095 | |
wolfSSL | 15:117db924cf7c | 6096 | #ifndef NO_ASN_TIME |
wolfSSL | 15:117db924cf7c | 6097 | |
wolfSSL | 15:117db924cf7c | 6098 | /* two byte date/time, add to value */ |
wolfSSL | 16:8e0d178b1d1e | 6099 | static WC_INLINE int GetTime(int* value, const byte* date, int* idx) |
wolfSSL | 15:117db924cf7c | 6100 | { |
wolfSSL | 15:117db924cf7c | 6101 | int i = *idx; |
wolfSSL | 15:117db924cf7c | 6102 | |
wolfSSL | 16:8e0d178b1d1e | 6103 | if (date[i] < 0x30 || date[i] > 0x39 || date[i+1] < 0x30 || |
wolfSSL | 16:8e0d178b1d1e | 6104 | date[i+1] > 0x39) { |
wolfSSL | 16:8e0d178b1d1e | 6105 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 6106 | } |
wolfSSL | 16:8e0d178b1d1e | 6107 | |
wolfSSL | 15:117db924cf7c | 6108 | *value += btoi(date[i++]) * 10; |
wolfSSL | 15:117db924cf7c | 6109 | *value += btoi(date[i++]); |
wolfSSL | 15:117db924cf7c | 6110 | |
wolfSSL | 15:117db924cf7c | 6111 | *idx = i; |
wolfSSL | 16:8e0d178b1d1e | 6112 | |
wolfSSL | 16:8e0d178b1d1e | 6113 | return 0; |
wolfSSL | 15:117db924cf7c | 6114 | } |
wolfSSL | 15:117db924cf7c | 6115 | |
wolfSSL | 15:117db924cf7c | 6116 | int ExtractDate(const unsigned char* date, unsigned char format, |
wolfSSL | 15:117db924cf7c | 6117 | struct tm* certTime, int* idx) |
wolfSSL | 15:117db924cf7c | 6118 | { |
wolfSSL | 15:117db924cf7c | 6119 | XMEMSET(certTime, 0, sizeof(struct tm)); |
wolfSSL | 15:117db924cf7c | 6120 | |
wolfSSL | 15:117db924cf7c | 6121 | if (format == ASN_UTC_TIME) { |
wolfSSL | 16:8e0d178b1d1e | 6122 | if (btoi(date[*idx]) >= 5) |
wolfSSL | 15:117db924cf7c | 6123 | certTime->tm_year = 1900; |
wolfSSL | 15:117db924cf7c | 6124 | else |
wolfSSL | 15:117db924cf7c | 6125 | certTime->tm_year = 2000; |
wolfSSL | 15:117db924cf7c | 6126 | } |
wolfSSL | 15:117db924cf7c | 6127 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 16:8e0d178b1d1e | 6128 | if (GetTime(&certTime->tm_year, date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6129 | certTime->tm_year *= 100; |
wolfSSL | 15:117db924cf7c | 6130 | } |
wolfSSL | 15:117db924cf7c | 6131 | |
wolfSSL | 15:117db924cf7c | 6132 | /* adjust tm_year, tm_mon */ |
wolfSSL | 16:8e0d178b1d1e | 6133 | if (GetTime(&certTime->tm_year, date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6134 | certTime->tm_year -= 1900; |
wolfSSL | 16:8e0d178b1d1e | 6135 | if (GetTime(&certTime->tm_mon , date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6136 | certTime->tm_mon -= 1; |
wolfSSL | 16:8e0d178b1d1e | 6137 | if (GetTime(&certTime->tm_mday, date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6138 | if (GetTime(&certTime->tm_hour, date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6139 | if (GetTime(&certTime->tm_min , date, idx) != 0) return 0; |
wolfSSL | 16:8e0d178b1d1e | 6140 | if (GetTime(&certTime->tm_sec , date, idx) != 0) return 0; |
wolfSSL | 15:117db924cf7c | 6141 | |
wolfSSL | 15:117db924cf7c | 6142 | return 1; |
wolfSSL | 15:117db924cf7c | 6143 | } |
wolfSSL | 15:117db924cf7c | 6144 | |
wolfSSL | 15:117db924cf7c | 6145 | |
wolfSSL | 15:117db924cf7c | 6146 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ |
wolfSSL | 15:117db924cf7c | 6147 | defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 15:117db924cf7c | 6148 | int GetTimeString(byte* date, int format, char* buf, int len) |
wolfSSL | 15:117db924cf7c | 6149 | { |
wolfSSL | 15:117db924cf7c | 6150 | struct tm t; |
wolfSSL | 15:117db924cf7c | 6151 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 6152 | |
wolfSSL | 15:117db924cf7c | 6153 | if (!ExtractDate(date, (unsigned char)format, &t, &idx)) { |
wolfSSL | 15:117db924cf7c | 6154 | return 0; |
wolfSSL | 15:117db924cf7c | 6155 | } |
wolfSSL | 15:117db924cf7c | 6156 | |
wolfSSL | 15:117db924cf7c | 6157 | if (date[idx] != 'Z') { |
wolfSSL | 15:117db924cf7c | 6158 | WOLFSSL_MSG("UTCtime, not Zulu") ; |
wolfSSL | 15:117db924cf7c | 6159 | return 0; |
wolfSSL | 15:117db924cf7c | 6160 | } |
wolfSSL | 15:117db924cf7c | 6161 | |
wolfSSL | 15:117db924cf7c | 6162 | /* place month in buffer */ |
wolfSSL | 15:117db924cf7c | 6163 | buf[0] = '\0'; |
wolfSSL | 15:117db924cf7c | 6164 | switch(t.tm_mon) { |
wolfSSL | 16:8e0d178b1d1e | 6165 | case 0: XSTRNCAT(buf, "Jan ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6166 | case 1: XSTRNCAT(buf, "Feb ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6167 | case 2: XSTRNCAT(buf, "Mar ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6168 | case 3: XSTRNCAT(buf, "Apr ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6169 | case 4: XSTRNCAT(buf, "May ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6170 | case 5: XSTRNCAT(buf, "Jun ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6171 | case 6: XSTRNCAT(buf, "Jul ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6172 | case 7: XSTRNCAT(buf, "Aug ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6173 | case 8: XSTRNCAT(buf, "Sep ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6174 | case 9: XSTRNCAT(buf, "Oct ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6175 | case 10: XSTRNCAT(buf, "Nov ", 5); break; |
wolfSSL | 16:8e0d178b1d1e | 6176 | case 11: XSTRNCAT(buf, "Dec ", 5); break; |
wolfSSL | 15:117db924cf7c | 6177 | default: |
wolfSSL | 15:117db924cf7c | 6178 | return 0; |
wolfSSL | 15:117db924cf7c | 6179 | |
wolfSSL | 15:117db924cf7c | 6180 | } |
wolfSSL | 15:117db924cf7c | 6181 | idx = 4; /* use idx now for char buffer */ |
wolfSSL | 15:117db924cf7c | 6182 | |
wolfSSL | 15:117db924cf7c | 6183 | XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT", |
wolfSSL | 15:117db924cf7c | 6184 | t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900); |
wolfSSL | 15:117db924cf7c | 6185 | |
wolfSSL | 15:117db924cf7c | 6186 | return 1; |
wolfSSL | 15:117db924cf7c | 6187 | } |
wolfSSL | 15:117db924cf7c | 6188 | #endif /* OPENSSL_ALL || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ |
wolfSSL | 15:117db924cf7c | 6189 | |
wolfSSL | 15:117db924cf7c | 6190 | |
wolfSSL | 16:8e0d178b1d1e | 6191 | #if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7) |
wolfSSL | 16:8e0d178b1d1e | 6192 | |
wolfSSL | 16:8e0d178b1d1e | 6193 | /* Set current time string, either UTC or GeneralizedTime. |
wolfSSL | 16:8e0d178b1d1e | 6194 | * (void*) tm should be a pointer to time_t, output is placed in buf. |
wolfSSL | 16:8e0d178b1d1e | 6195 | * |
wolfSSL | 16:8e0d178b1d1e | 6196 | * Return time string length placed in buf on success, negative on error */ |
wolfSSL | 16:8e0d178b1d1e | 6197 | int GetAsnTimeString(void* currTime, byte* buf, word32 len) |
wolfSSL | 16:8e0d178b1d1e | 6198 | { |
wolfSSL | 16:8e0d178b1d1e | 6199 | struct tm* ts = NULL; |
wolfSSL | 16:8e0d178b1d1e | 6200 | struct tm* tmpTime = NULL; |
wolfSSL | 16:8e0d178b1d1e | 6201 | #if defined(NEED_TMP_TIME) |
wolfSSL | 16:8e0d178b1d1e | 6202 | struct tm tmpTimeStorage; |
wolfSSL | 16:8e0d178b1d1e | 6203 | tmpTime = &tmpTimeStorage; |
wolfSSL | 16:8e0d178b1d1e | 6204 | #else |
wolfSSL | 16:8e0d178b1d1e | 6205 | (void)tmpTime; |
wolfSSL | 16:8e0d178b1d1e | 6206 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6207 | byte* data_ptr = buf; |
wolfSSL | 16:8e0d178b1d1e | 6208 | word32 data_len = 0; |
wolfSSL | 16:8e0d178b1d1e | 6209 | int year, mon, day, hour, mini, sec; |
wolfSSL | 16:8e0d178b1d1e | 6210 | |
wolfSSL | 16:8e0d178b1d1e | 6211 | WOLFSSL_ENTER("SetAsnTimeString"); |
wolfSSL | 16:8e0d178b1d1e | 6212 | |
wolfSSL | 16:8e0d178b1d1e | 6213 | if (buf == NULL || len == 0) |
wolfSSL | 16:8e0d178b1d1e | 6214 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 6215 | |
wolfSSL | 16:8e0d178b1d1e | 6216 | ts = (struct tm *)XGMTIME((time_t*)currTime, tmpTime); |
wolfSSL | 16:8e0d178b1d1e | 6217 | if (ts == NULL){ |
wolfSSL | 16:8e0d178b1d1e | 6218 | WOLFSSL_MSG("failed to get time data."); |
wolfSSL | 16:8e0d178b1d1e | 6219 | return ASN_TIME_E; |
wolfSSL | 16:8e0d178b1d1e | 6220 | } |
wolfSSL | 16:8e0d178b1d1e | 6221 | |
wolfSSL | 16:8e0d178b1d1e | 6222 | /* Note ASN_UTC_TIME_SIZE and ASN_GENERALIZED_TIME_SIZE include space for |
wolfSSL | 16:8e0d178b1d1e | 6223 | * the null terminator. ASN encoded values leave off the terminator. */ |
wolfSSL | 16:8e0d178b1d1e | 6224 | |
wolfSSL | 16:8e0d178b1d1e | 6225 | if (ts->tm_year >= 50 && ts->tm_year < 150) { |
wolfSSL | 16:8e0d178b1d1e | 6226 | /* UTC Time */ |
wolfSSL | 16:8e0d178b1d1e | 6227 | char utc_str[ASN_UTC_TIME_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 6228 | data_len = ASN_UTC_TIME_SIZE - 1 + 2; |
wolfSSL | 16:8e0d178b1d1e | 6229 | |
wolfSSL | 16:8e0d178b1d1e | 6230 | if (len < data_len) |
wolfSSL | 16:8e0d178b1d1e | 6231 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 6232 | |
wolfSSL | 16:8e0d178b1d1e | 6233 | if (ts->tm_year >= 50 && ts->tm_year < 100) { |
wolfSSL | 16:8e0d178b1d1e | 6234 | year = ts->tm_year; |
wolfSSL | 16:8e0d178b1d1e | 6235 | } else if (ts->tm_year >= 100 && ts->tm_year < 150) { |
wolfSSL | 16:8e0d178b1d1e | 6236 | year = ts->tm_year - 100; |
wolfSSL | 16:8e0d178b1d1e | 6237 | } |
wolfSSL | 16:8e0d178b1d1e | 6238 | else { |
wolfSSL | 16:8e0d178b1d1e | 6239 | WOLFSSL_MSG("unsupported year range"); |
wolfSSL | 16:8e0d178b1d1e | 6240 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 6241 | } |
wolfSSL | 16:8e0d178b1d1e | 6242 | mon = ts->tm_mon + 1; |
wolfSSL | 16:8e0d178b1d1e | 6243 | day = ts->tm_mday; |
wolfSSL | 16:8e0d178b1d1e | 6244 | hour = ts->tm_hour; |
wolfSSL | 16:8e0d178b1d1e | 6245 | mini = ts->tm_min; |
wolfSSL | 16:8e0d178b1d1e | 6246 | sec = ts->tm_sec; |
wolfSSL | 16:8e0d178b1d1e | 6247 | XSNPRINTF((char *)utc_str, ASN_UTC_TIME_SIZE, |
wolfSSL | 16:8e0d178b1d1e | 6248 | "%02d%02d%02d%02d%02d%02dZ", year, mon, day, hour, mini, sec); |
wolfSSL | 16:8e0d178b1d1e | 6249 | *data_ptr = (byte) ASN_UTC_TIME; data_ptr++; |
wolfSSL | 16:8e0d178b1d1e | 6250 | /* -1 below excludes null terminator */ |
wolfSSL | 16:8e0d178b1d1e | 6251 | *data_ptr = (byte) ASN_UTC_TIME_SIZE - 1; data_ptr++; |
wolfSSL | 16:8e0d178b1d1e | 6252 | XMEMCPY(data_ptr,(byte *)utc_str, ASN_UTC_TIME_SIZE - 1); |
wolfSSL | 16:8e0d178b1d1e | 6253 | |
wolfSSL | 16:8e0d178b1d1e | 6254 | } else { |
wolfSSL | 16:8e0d178b1d1e | 6255 | /* GeneralizedTime */ |
wolfSSL | 16:8e0d178b1d1e | 6256 | char gt_str[ASN_GENERALIZED_TIME_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 6257 | data_len = ASN_GENERALIZED_TIME_SIZE - 1 + 2; |
wolfSSL | 16:8e0d178b1d1e | 6258 | |
wolfSSL | 16:8e0d178b1d1e | 6259 | if (len < data_len) |
wolfSSL | 16:8e0d178b1d1e | 6260 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 6261 | |
wolfSSL | 16:8e0d178b1d1e | 6262 | year = ts->tm_year + 1900; |
wolfSSL | 16:8e0d178b1d1e | 6263 | mon = ts->tm_mon + 1; |
wolfSSL | 16:8e0d178b1d1e | 6264 | day = ts->tm_mday; |
wolfSSL | 16:8e0d178b1d1e | 6265 | hour = ts->tm_hour; |
wolfSSL | 16:8e0d178b1d1e | 6266 | mini = ts->tm_min; |
wolfSSL | 16:8e0d178b1d1e | 6267 | sec = ts->tm_sec; |
wolfSSL | 16:8e0d178b1d1e | 6268 | XSNPRINTF((char *)gt_str, ASN_GENERALIZED_TIME_SIZE, |
wolfSSL | 16:8e0d178b1d1e | 6269 | "%4d%02d%02d%02d%02d%02dZ", year, mon, day, hour, mini, sec); |
wolfSSL | 16:8e0d178b1d1e | 6270 | *data_ptr = (byte) ASN_GENERALIZED_TIME; data_ptr++; |
wolfSSL | 16:8e0d178b1d1e | 6271 | /* -1 below excludes null terminator */ |
wolfSSL | 16:8e0d178b1d1e | 6272 | *data_ptr = (byte) ASN_GENERALIZED_TIME_SIZE - 1; data_ptr++; |
wolfSSL | 16:8e0d178b1d1e | 6273 | XMEMCPY(data_ptr,(byte *)gt_str, ASN_GENERALIZED_TIME_SIZE - 1); |
wolfSSL | 16:8e0d178b1d1e | 6274 | } |
wolfSSL | 16:8e0d178b1d1e | 6275 | |
wolfSSL | 16:8e0d178b1d1e | 6276 | return data_len; |
wolfSSL | 16:8e0d178b1d1e | 6277 | } |
wolfSSL | 16:8e0d178b1d1e | 6278 | |
wolfSSL | 16:8e0d178b1d1e | 6279 | #endif /* !NO_ASN_TIME && HAVE_PKCS7 */ |
wolfSSL | 16:8e0d178b1d1e | 6280 | |
wolfSSL | 16:8e0d178b1d1e | 6281 | |
wolfSSL | 15:117db924cf7c | 6282 | #if defined(USE_WOLF_VALIDDATE) |
wolfSSL | 15:117db924cf7c | 6283 | |
wolfSSL | 15:117db924cf7c | 6284 | /* to the second */ |
wolfSSL | 16:8e0d178b1d1e | 6285 | int DateGreaterThan(const struct tm* a, const struct tm* b) |
wolfSSL | 15:117db924cf7c | 6286 | { |
wolfSSL | 15:117db924cf7c | 6287 | if (a->tm_year > b->tm_year) |
wolfSSL | 15:117db924cf7c | 6288 | return 1; |
wolfSSL | 15:117db924cf7c | 6289 | |
wolfSSL | 15:117db924cf7c | 6290 | if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon) |
wolfSSL | 15:117db924cf7c | 6291 | return 1; |
wolfSSL | 15:117db924cf7c | 6292 | |
wolfSSL | 15:117db924cf7c | 6293 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 15:117db924cf7c | 6294 | a->tm_mday > b->tm_mday) |
wolfSSL | 15:117db924cf7c | 6295 | return 1; |
wolfSSL | 15:117db924cf7c | 6296 | |
wolfSSL | 15:117db924cf7c | 6297 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 15:117db924cf7c | 6298 | a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour) |
wolfSSL | 15:117db924cf7c | 6299 | return 1; |
wolfSSL | 15:117db924cf7c | 6300 | |
wolfSSL | 15:117db924cf7c | 6301 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 15:117db924cf7c | 6302 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 15:117db924cf7c | 6303 | a->tm_min > b->tm_min) |
wolfSSL | 15:117db924cf7c | 6304 | return 1; |
wolfSSL | 15:117db924cf7c | 6305 | |
wolfSSL | 15:117db924cf7c | 6306 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 15:117db924cf7c | 6307 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 15:117db924cf7c | 6308 | a->tm_min == b->tm_min && a->tm_sec > b->tm_sec) |
wolfSSL | 15:117db924cf7c | 6309 | return 1; |
wolfSSL | 15:117db924cf7c | 6310 | |
wolfSSL | 15:117db924cf7c | 6311 | return 0; /* false */ |
wolfSSL | 15:117db924cf7c | 6312 | } |
wolfSSL | 15:117db924cf7c | 6313 | |
wolfSSL | 15:117db924cf7c | 6314 | |
wolfSSL | 15:117db924cf7c | 6315 | static WC_INLINE int DateLessThan(const struct tm* a, const struct tm* b) |
wolfSSL | 15:117db924cf7c | 6316 | { |
wolfSSL | 15:117db924cf7c | 6317 | return DateGreaterThan(b,a); |
wolfSSL | 15:117db924cf7c | 6318 | } |
wolfSSL | 15:117db924cf7c | 6319 | |
wolfSSL | 15:117db924cf7c | 6320 | /* like atoi but only use first byte */ |
wolfSSL | 15:117db924cf7c | 6321 | /* Make sure before and after dates are valid */ |
wolfSSL | 15:117db924cf7c | 6322 | int ValidateDate(const byte* date, byte format, int dateType) |
wolfSSL | 15:117db924cf7c | 6323 | { |
wolfSSL | 15:117db924cf7c | 6324 | time_t ltime; |
wolfSSL | 15:117db924cf7c | 6325 | struct tm certTime; |
wolfSSL | 15:117db924cf7c | 6326 | struct tm* localTime; |
wolfSSL | 16:8e0d178b1d1e | 6327 | struct tm* tmpTime; |
wolfSSL | 15:117db924cf7c | 6328 | int i = 0; |
wolfSSL | 15:117db924cf7c | 6329 | int timeDiff = 0 ; |
wolfSSL | 15:117db924cf7c | 6330 | int diffHH = 0 ; int diffMM = 0 ; |
wolfSSL | 15:117db924cf7c | 6331 | int diffSign = 0 ; |
wolfSSL | 15:117db924cf7c | 6332 | |
wolfSSL | 15:117db924cf7c | 6333 | #if defined(NEED_TMP_TIME) |
wolfSSL | 15:117db924cf7c | 6334 | struct tm tmpTimeStorage; |
wolfSSL | 15:117db924cf7c | 6335 | tmpTime = &tmpTimeStorage; |
wolfSSL | 15:117db924cf7c | 6336 | #else |
wolfSSL | 16:8e0d178b1d1e | 6337 | tmpTime = NULL; |
wolfSSL | 16:8e0d178b1d1e | 6338 | #endif |
wolfSSL | 15:117db924cf7c | 6339 | (void)tmpTime; |
wolfSSL | 15:117db924cf7c | 6340 | |
wolfSSL | 15:117db924cf7c | 6341 | ltime = XTIME(0); |
wolfSSL | 15:117db924cf7c | 6342 | |
wolfSSL | 15:117db924cf7c | 6343 | #ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW |
wolfSSL | 15:117db924cf7c | 6344 | if (dateType == BEFORE) { |
wolfSSL | 15:117db924cf7c | 6345 | WOLFSSL_MSG("Skewing local time for before date check"); |
wolfSSL | 15:117db924cf7c | 6346 | ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW; |
wolfSSL | 15:117db924cf7c | 6347 | } |
wolfSSL | 15:117db924cf7c | 6348 | #endif |
wolfSSL | 15:117db924cf7c | 6349 | |
wolfSSL | 15:117db924cf7c | 6350 | #ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW |
wolfSSL | 15:117db924cf7c | 6351 | if (dateType == AFTER) { |
wolfSSL | 15:117db924cf7c | 6352 | WOLFSSL_MSG("Skewing local time for after date check"); |
wolfSSL | 15:117db924cf7c | 6353 | ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW; |
wolfSSL | 15:117db924cf7c | 6354 | } |
wolfSSL | 15:117db924cf7c | 6355 | #endif |
wolfSSL | 15:117db924cf7c | 6356 | |
wolfSSL | 15:117db924cf7c | 6357 | if (!ExtractDate(date, format, &certTime, &i)) { |
wolfSSL | 15:117db924cf7c | 6358 | WOLFSSL_MSG("Error extracting the date"); |
wolfSSL | 15:117db924cf7c | 6359 | return 0; |
wolfSSL | 15:117db924cf7c | 6360 | } |
wolfSSL | 15:117db924cf7c | 6361 | |
wolfSSL | 15:117db924cf7c | 6362 | if ((date[i] == '+') || (date[i] == '-')) { |
wolfSSL | 15:117db924cf7c | 6363 | WOLFSSL_MSG("Using time differential, not Zulu") ; |
wolfSSL | 15:117db924cf7c | 6364 | diffSign = date[i++] == '+' ? 1 : -1 ; |
wolfSSL | 16:8e0d178b1d1e | 6365 | if (GetTime(&diffHH, date, &i) != 0) |
wolfSSL | 16:8e0d178b1d1e | 6366 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 6367 | if (GetTime(&diffMM, date, &i) != 0) |
wolfSSL | 16:8e0d178b1d1e | 6368 | return 0; |
wolfSSL | 15:117db924cf7c | 6369 | timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ; |
wolfSSL | 15:117db924cf7c | 6370 | } else if (date[i] != 'Z') { |
wolfSSL | 16:8e0d178b1d1e | 6371 | WOLFSSL_MSG("UTCtime, neither Zulu or time differential") ; |
wolfSSL | 15:117db924cf7c | 6372 | return 0; |
wolfSSL | 15:117db924cf7c | 6373 | } |
wolfSSL | 15:117db924cf7c | 6374 | |
wolfSSL | 15:117db924cf7c | 6375 | ltime -= (time_t)timeDiff ; |
wolfSSL | 15:117db924cf7c | 6376 | localTime = XGMTIME(<ime, tmpTime); |
wolfSSL | 15:117db924cf7c | 6377 | |
wolfSSL | 15:117db924cf7c | 6378 | if (localTime == NULL) { |
wolfSSL | 15:117db924cf7c | 6379 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 15:117db924cf7c | 6380 | return 0; |
wolfSSL | 15:117db924cf7c | 6381 | } |
wolfSSL | 15:117db924cf7c | 6382 | |
wolfSSL | 15:117db924cf7c | 6383 | if (dateType == BEFORE) { |
wolfSSL | 15:117db924cf7c | 6384 | if (DateLessThan(localTime, &certTime)) { |
wolfSSL | 15:117db924cf7c | 6385 | WOLFSSL_MSG("Date BEFORE check failed"); |
wolfSSL | 15:117db924cf7c | 6386 | return 0; |
wolfSSL | 15:117db924cf7c | 6387 | } |
wolfSSL | 15:117db924cf7c | 6388 | } |
wolfSSL | 15:117db924cf7c | 6389 | else { /* dateType == AFTER */ |
wolfSSL | 15:117db924cf7c | 6390 | if (DateGreaterThan(localTime, &certTime)) { |
wolfSSL | 15:117db924cf7c | 6391 | WOLFSSL_MSG("Date AFTER check failed"); |
wolfSSL | 15:117db924cf7c | 6392 | return 0; |
wolfSSL | 15:117db924cf7c | 6393 | } |
wolfSSL | 15:117db924cf7c | 6394 | } |
wolfSSL | 15:117db924cf7c | 6395 | |
wolfSSL | 15:117db924cf7c | 6396 | return 1; |
wolfSSL | 15:117db924cf7c | 6397 | } |
wolfSSL | 15:117db924cf7c | 6398 | #endif /* USE_WOLF_VALIDDATE */ |
wolfSSL | 15:117db924cf7c | 6399 | |
wolfSSL | 15:117db924cf7c | 6400 | int wc_GetTime(void* timePtr, word32 timeSize) |
wolfSSL | 15:117db924cf7c | 6401 | { |
wolfSSL | 15:117db924cf7c | 6402 | time_t* ltime = (time_t*)timePtr; |
wolfSSL | 15:117db924cf7c | 6403 | |
wolfSSL | 15:117db924cf7c | 6404 | if (timePtr == NULL) { |
wolfSSL | 15:117db924cf7c | 6405 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 6406 | } |
wolfSSL | 15:117db924cf7c | 6407 | |
wolfSSL | 15:117db924cf7c | 6408 | if ((word32)sizeof(time_t) > timeSize) { |
wolfSSL | 15:117db924cf7c | 6409 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 6410 | } |
wolfSSL | 15:117db924cf7c | 6411 | |
wolfSSL | 15:117db924cf7c | 6412 | *ltime = XTIME(0); |
wolfSSL | 15:117db924cf7c | 6413 | |
wolfSSL | 15:117db924cf7c | 6414 | return 0; |
wolfSSL | 15:117db924cf7c | 6415 | } |
wolfSSL | 15:117db924cf7c | 6416 | |
wolfSSL | 15:117db924cf7c | 6417 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 15:117db924cf7c | 6418 | |
wolfSSL | 15:117db924cf7c | 6419 | |
wolfSSL | 15:117db924cf7c | 6420 | /* Get date buffer, format and length. Returns 0=success or error */ |
wolfSSL | 15:117db924cf7c | 6421 | static int GetDateInfo(const byte* source, word32* idx, const byte** pDate, |
wolfSSL | 15:117db924cf7c | 6422 | byte* pFormat, int* pLength, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 6423 | { |
wolfSSL | 15:117db924cf7c | 6424 | int length; |
wolfSSL | 15:117db924cf7c | 6425 | byte format; |
wolfSSL | 15:117db924cf7c | 6426 | |
wolfSSL | 15:117db924cf7c | 6427 | if (source == NULL || idx == NULL) |
wolfSSL | 15:117db924cf7c | 6428 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 6429 | |
wolfSSL | 15:117db924cf7c | 6430 | /* get ASN format header */ |
wolfSSL | 15:117db924cf7c | 6431 | if (*idx+1 > maxIdx) |
wolfSSL | 15:117db924cf7c | 6432 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 6433 | format = source[*idx]; |
wolfSSL | 15:117db924cf7c | 6434 | *idx += 1; |
wolfSSL | 15:117db924cf7c | 6435 | if (format != ASN_UTC_TIME && format != ASN_GENERALIZED_TIME) |
wolfSSL | 15:117db924cf7c | 6436 | return ASN_TIME_E; |
wolfSSL | 15:117db924cf7c | 6437 | |
wolfSSL | 15:117db924cf7c | 6438 | /* get length */ |
wolfSSL | 15:117db924cf7c | 6439 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 6440 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 6441 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 15:117db924cf7c | 6442 | return ASN_DATE_SZ_E; |
wolfSSL | 15:117db924cf7c | 6443 | |
wolfSSL | 15:117db924cf7c | 6444 | /* return format, date and length */ |
wolfSSL | 15:117db924cf7c | 6445 | if (pFormat) |
wolfSSL | 15:117db924cf7c | 6446 | *pFormat = format; |
wolfSSL | 15:117db924cf7c | 6447 | if (pDate) |
wolfSSL | 15:117db924cf7c | 6448 | *pDate = &source[*idx]; |
wolfSSL | 15:117db924cf7c | 6449 | if (pLength) |
wolfSSL | 15:117db924cf7c | 6450 | *pLength = length; |
wolfSSL | 15:117db924cf7c | 6451 | |
wolfSSL | 15:117db924cf7c | 6452 | *idx += length; |
wolfSSL | 15:117db924cf7c | 6453 | |
wolfSSL | 15:117db924cf7c | 6454 | return 0; |
wolfSSL | 15:117db924cf7c | 6455 | } |
wolfSSL | 15:117db924cf7c | 6456 | |
wolfSSL | 16:8e0d178b1d1e | 6457 | static int GetDate(DecodedCert* cert, int dateType, int verify, int maxIdx) |
wolfSSL | 15:117db924cf7c | 6458 | { |
wolfSSL | 15:117db924cf7c | 6459 | int ret, length; |
wolfSSL | 15:117db924cf7c | 6460 | const byte *datePtr = NULL; |
wolfSSL | 15:117db924cf7c | 6461 | byte date[MAX_DATE_SIZE]; |
wolfSSL | 15:117db924cf7c | 6462 | byte format; |
wolfSSL | 15:117db924cf7c | 6463 | word32 startIdx = 0; |
wolfSSL | 15:117db924cf7c | 6464 | |
wolfSSL | 15:117db924cf7c | 6465 | if (dateType == BEFORE) |
wolfSSL | 15:117db924cf7c | 6466 | cert->beforeDate = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 6467 | else |
wolfSSL | 15:117db924cf7c | 6468 | cert->afterDate = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 6469 | startIdx = cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 6470 | |
wolfSSL | 15:117db924cf7c | 6471 | ret = GetDateInfo(cert->source, &cert->srcIdx, &datePtr, &format, |
wolfSSL | 16:8e0d178b1d1e | 6472 | &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 6473 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 6474 | return ret; |
wolfSSL | 15:117db924cf7c | 6475 | |
wolfSSL | 15:117db924cf7c | 6476 | XMEMSET(date, 0, MAX_DATE_SIZE); |
wolfSSL | 15:117db924cf7c | 6477 | XMEMCPY(date, datePtr, length); |
wolfSSL | 15:117db924cf7c | 6478 | |
wolfSSL | 15:117db924cf7c | 6479 | if (dateType == BEFORE) |
wolfSSL | 15:117db924cf7c | 6480 | cert->beforeDateLen = cert->srcIdx - startIdx; |
wolfSSL | 15:117db924cf7c | 6481 | else |
wolfSSL | 15:117db924cf7c | 6482 | cert->afterDateLen = cert->srcIdx - startIdx; |
wolfSSL | 15:117db924cf7c | 6483 | |
wolfSSL | 15:117db924cf7c | 6484 | #ifndef NO_ASN_TIME |
wolfSSL | 16:8e0d178b1d1e | 6485 | if (verify != NO_VERIFY && verify != VERIFY_SKIP_DATE && |
wolfSSL | 16:8e0d178b1d1e | 6486 | !XVALIDATE_DATE(date, format, dateType)) { |
wolfSSL | 15:117db924cf7c | 6487 | if (dateType == BEFORE) |
wolfSSL | 15:117db924cf7c | 6488 | return ASN_BEFORE_DATE_E; |
wolfSSL | 15:117db924cf7c | 6489 | else |
wolfSSL | 15:117db924cf7c | 6490 | return ASN_AFTER_DATE_E; |
wolfSSL | 15:117db924cf7c | 6491 | } |
wolfSSL | 15:117db924cf7c | 6492 | #else |
wolfSSL | 15:117db924cf7c | 6493 | (void)verify; |
wolfSSL | 15:117db924cf7c | 6494 | #endif |
wolfSSL | 15:117db924cf7c | 6495 | |
wolfSSL | 15:117db924cf7c | 6496 | return 0; |
wolfSSL | 15:117db924cf7c | 6497 | } |
wolfSSL | 15:117db924cf7c | 6498 | |
wolfSSL | 16:8e0d178b1d1e | 6499 | static int GetValidity(DecodedCert* cert, int verify, int maxIdx) |
wolfSSL | 15:117db924cf7c | 6500 | { |
wolfSSL | 15:117db924cf7c | 6501 | int length; |
wolfSSL | 15:117db924cf7c | 6502 | int badDate = 0; |
wolfSSL | 15:117db924cf7c | 6503 | |
wolfSSL | 16:8e0d178b1d1e | 6504 | if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6505 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 6506 | |
wolfSSL | 16:8e0d178b1d1e | 6507 | maxIdx = cert->srcIdx + length; |
wolfSSL | 16:8e0d178b1d1e | 6508 | |
wolfSSL | 16:8e0d178b1d1e | 6509 | if (GetDate(cert, BEFORE, verify, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 6510 | badDate = ASN_BEFORE_DATE_E; /* continue parsing */ |
wolfSSL | 15:117db924cf7c | 6511 | |
wolfSSL | 16:8e0d178b1d1e | 6512 | if (GetDate(cert, AFTER, verify, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 6513 | return ASN_AFTER_DATE_E; |
wolfSSL | 15:117db924cf7c | 6514 | |
wolfSSL | 15:117db924cf7c | 6515 | if (badDate != 0) |
wolfSSL | 15:117db924cf7c | 6516 | return badDate; |
wolfSSL | 15:117db924cf7c | 6517 | |
wolfSSL | 15:117db924cf7c | 6518 | return 0; |
wolfSSL | 15:117db924cf7c | 6519 | } |
wolfSSL | 15:117db924cf7c | 6520 | |
wolfSSL | 15:117db924cf7c | 6521 | |
wolfSSL | 15:117db924cf7c | 6522 | int wc_GetDateInfo(const byte* certDate, int certDateSz, const byte** date, |
wolfSSL | 15:117db924cf7c | 6523 | byte* format, int* length) |
wolfSSL | 15:117db924cf7c | 6524 | { |
wolfSSL | 15:117db924cf7c | 6525 | int ret; |
wolfSSL | 15:117db924cf7c | 6526 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 6527 | |
wolfSSL | 15:117db924cf7c | 6528 | ret = GetDateInfo(certDate, &idx, date, format, length, certDateSz); |
wolfSSL | 15:117db924cf7c | 6529 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 6530 | return ret; |
wolfSSL | 15:117db924cf7c | 6531 | |
wolfSSL | 15:117db924cf7c | 6532 | return 0; |
wolfSSL | 15:117db924cf7c | 6533 | } |
wolfSSL | 15:117db924cf7c | 6534 | |
wolfSSL | 15:117db924cf7c | 6535 | #ifndef NO_ASN_TIME |
wolfSSL | 15:117db924cf7c | 6536 | int wc_GetDateAsCalendarTime(const byte* date, int length, byte format, |
wolfSSL | 15:117db924cf7c | 6537 | struct tm* timearg) |
wolfSSL | 15:117db924cf7c | 6538 | { |
wolfSSL | 15:117db924cf7c | 6539 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 6540 | (void)length; |
wolfSSL | 15:117db924cf7c | 6541 | if (!ExtractDate(date, format, timearg, &idx)) |
wolfSSL | 15:117db924cf7c | 6542 | return ASN_TIME_E; |
wolfSSL | 15:117db924cf7c | 6543 | return 0; |
wolfSSL | 15:117db924cf7c | 6544 | } |
wolfSSL | 15:117db924cf7c | 6545 | |
wolfSSL | 15:117db924cf7c | 6546 | #if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) |
wolfSSL | 15:117db924cf7c | 6547 | int wc_GetCertDates(Cert* cert, struct tm* before, struct tm* after) |
wolfSSL | 15:117db924cf7c | 6548 | { |
wolfSSL | 15:117db924cf7c | 6549 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 6550 | const byte* date; |
wolfSSL | 15:117db924cf7c | 6551 | byte format; |
wolfSSL | 15:117db924cf7c | 6552 | int length; |
wolfSSL | 15:117db924cf7c | 6553 | |
wolfSSL | 15:117db924cf7c | 6554 | if (cert == NULL) |
wolfSSL | 15:117db924cf7c | 6555 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 6556 | |
wolfSSL | 15:117db924cf7c | 6557 | if (before && cert->beforeDateSz > 0) { |
wolfSSL | 15:117db924cf7c | 6558 | ret = wc_GetDateInfo(cert->beforeDate, cert->beforeDateSz, &date, |
wolfSSL | 15:117db924cf7c | 6559 | &format, &length); |
wolfSSL | 15:117db924cf7c | 6560 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 6561 | ret = wc_GetDateAsCalendarTime(date, length, format, before); |
wolfSSL | 15:117db924cf7c | 6562 | } |
wolfSSL | 15:117db924cf7c | 6563 | if (after && cert->afterDateSz > 0) { |
wolfSSL | 15:117db924cf7c | 6564 | ret = wc_GetDateInfo(cert->afterDate, cert->afterDateSz, &date, |
wolfSSL | 15:117db924cf7c | 6565 | &format, &length); |
wolfSSL | 15:117db924cf7c | 6566 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 6567 | ret = wc_GetDateAsCalendarTime(date, length, format, after); |
wolfSSL | 15:117db924cf7c | 6568 | } |
wolfSSL | 15:117db924cf7c | 6569 | |
wolfSSL | 15:117db924cf7c | 6570 | return ret; |
wolfSSL | 15:117db924cf7c | 6571 | } |
wolfSSL | 15:117db924cf7c | 6572 | #endif /* WOLFSSL_CERT_GEN && WOLFSSL_ALT_NAMES */ |
wolfSSL | 15:117db924cf7c | 6573 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 15:117db924cf7c | 6574 | |
wolfSSL | 16:8e0d178b1d1e | 6575 | /* parses certificate up to point of X.509 public key |
wolfSSL | 16:8e0d178b1d1e | 6576 | * |
wolfSSL | 16:8e0d178b1d1e | 6577 | * if cert date is invalid then badDate gets set to error value, otherwise is 0 |
wolfSSL | 16:8e0d178b1d1e | 6578 | * |
wolfSSL | 16:8e0d178b1d1e | 6579 | * returns a negative value on fail case |
wolfSSL | 16:8e0d178b1d1e | 6580 | */ |
wolfSSL | 16:8e0d178b1d1e | 6581 | int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate) |
wolfSSL | 16:8e0d178b1d1e | 6582 | { |
wolfSSL | 16:8e0d178b1d1e | 6583 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 6584 | |
wolfSSL | 16:8e0d178b1d1e | 6585 | if (cert == NULL || badDate == NULL) |
wolfSSL | 16:8e0d178b1d1e | 6586 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 6587 | |
wolfSSL | 16:8e0d178b1d1e | 6588 | *badDate = 0; |
wolfSSL | 16:8e0d178b1d1e | 6589 | if ( (ret = GetCertHeader(cert)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6590 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6591 | |
wolfSSL | 16:8e0d178b1d1e | 6592 | WOLFSSL_MSG("Got Cert Header"); |
wolfSSL | 16:8e0d178b1d1e | 6593 | |
wolfSSL | 16:8e0d178b1d1e | 6594 | /* Using the sigIndex as the upper bound because that's where the |
wolfSSL | 16:8e0d178b1d1e | 6595 | * actual certificate data ends. */ |
wolfSSL | 16:8e0d178b1d1e | 6596 | if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, |
wolfSSL | 16:8e0d178b1d1e | 6597 | oidSigType, cert->sigIndex)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6598 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6599 | |
wolfSSL | 16:8e0d178b1d1e | 6600 | WOLFSSL_MSG("Got Algo ID"); |
wolfSSL | 16:8e0d178b1d1e | 6601 | |
wolfSSL | 16:8e0d178b1d1e | 6602 | if ( (ret = GetName(cert, ISSUER, cert->sigIndex)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6603 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6604 | |
wolfSSL | 16:8e0d178b1d1e | 6605 | if ( (ret = GetValidity(cert, verify, cert->sigIndex)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6606 | *badDate = ret; |
wolfSSL | 16:8e0d178b1d1e | 6607 | |
wolfSSL | 16:8e0d178b1d1e | 6608 | if ( (ret = GetName(cert, SUBJECT, cert->sigIndex)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6609 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6610 | |
wolfSSL | 16:8e0d178b1d1e | 6611 | WOLFSSL_MSG("Got Subject Name"); |
wolfSSL | 16:8e0d178b1d1e | 6612 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6613 | } |
wolfSSL | 15:117db924cf7c | 6614 | |
wolfSSL | 15:117db924cf7c | 6615 | int DecodeToKey(DecodedCert* cert, int verify) |
wolfSSL | 15:117db924cf7c | 6616 | { |
wolfSSL | 15:117db924cf7c | 6617 | int badDate = 0; |
wolfSSL | 15:117db924cf7c | 6618 | int ret; |
wolfSSL | 15:117db924cf7c | 6619 | |
wolfSSL | 16:8e0d178b1d1e | 6620 | if ( (ret = wc_GetPubX509(cert, verify, &badDate)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 6621 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 6622 | |
wolfSSL | 16:8e0d178b1d1e | 6623 | /* Determine if self signed */ |
wolfSSL | 16:8e0d178b1d1e | 6624 | cert->selfSigned = XMEMCMP(cert->issuerHash, |
wolfSSL | 16:8e0d178b1d1e | 6625 | cert->subjectHash, |
wolfSSL | 16:8e0d178b1d1e | 6626 | KEYID_SIZE) == 0 ? 1 : 0; |
wolfSSL | 15:117db924cf7c | 6627 | |
wolfSSL | 15:117db924cf7c | 6628 | if ( (ret = GetKey(cert)) < 0) |
wolfSSL | 15:117db924cf7c | 6629 | return ret; |
wolfSSL | 15:117db924cf7c | 6630 | |
wolfSSL | 15:117db924cf7c | 6631 | WOLFSSL_MSG("Got Key"); |
wolfSSL | 15:117db924cf7c | 6632 | |
wolfSSL | 15:117db924cf7c | 6633 | if (badDate != 0) |
wolfSSL | 15:117db924cf7c | 6634 | return badDate; |
wolfSSL | 15:117db924cf7c | 6635 | |
wolfSSL | 15:117db924cf7c | 6636 | return ret; |
wolfSSL | 15:117db924cf7c | 6637 | } |
wolfSSL | 15:117db924cf7c | 6638 | |
wolfSSL | 15:117db924cf7c | 6639 | static int GetSignature(DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 6640 | { |
wolfSSL | 15:117db924cf7c | 6641 | int length; |
wolfSSL | 15:117db924cf7c | 6642 | int ret; |
wolfSSL | 15:117db924cf7c | 6643 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, cert->maxIdx, 1, |
wolfSSL | 15:117db924cf7c | 6644 | NULL); |
wolfSSL | 15:117db924cf7c | 6645 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6646 | return ret; |
wolfSSL | 15:117db924cf7c | 6647 | |
wolfSSL | 15:117db924cf7c | 6648 | cert->sigLength = length; |
wolfSSL | 15:117db924cf7c | 6649 | cert->signature = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 6650 | cert->srcIdx += cert->sigLength; |
wolfSSL | 15:117db924cf7c | 6651 | |
wolfSSL | 15:117db924cf7c | 6652 | return 0; |
wolfSSL | 15:117db924cf7c | 6653 | } |
wolfSSL | 15:117db924cf7c | 6654 | |
wolfSSL | 15:117db924cf7c | 6655 | static word32 SetOctetString8Bit(word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 6656 | { |
wolfSSL | 15:117db924cf7c | 6657 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 15:117db924cf7c | 6658 | output[1] = (byte)len; |
wolfSSL | 15:117db924cf7c | 6659 | return 2; |
wolfSSL | 15:117db924cf7c | 6660 | } |
wolfSSL | 15:117db924cf7c | 6661 | |
wolfSSL | 15:117db924cf7c | 6662 | static word32 SetDigest(const byte* digest, word32 digSz, byte* output) |
wolfSSL | 15:117db924cf7c | 6663 | { |
wolfSSL | 15:117db924cf7c | 6664 | word32 idx = SetOctetString8Bit(digSz, output); |
wolfSSL | 15:117db924cf7c | 6665 | XMEMCPY(&output[idx], digest, digSz); |
wolfSSL | 15:117db924cf7c | 6666 | |
wolfSSL | 15:117db924cf7c | 6667 | return idx + digSz; |
wolfSSL | 15:117db924cf7c | 6668 | } |
wolfSSL | 15:117db924cf7c | 6669 | |
wolfSSL | 15:117db924cf7c | 6670 | |
wolfSSL | 15:117db924cf7c | 6671 | static word32 BytePrecision(word32 value) |
wolfSSL | 15:117db924cf7c | 6672 | { |
wolfSSL | 15:117db924cf7c | 6673 | word32 i; |
wolfSSL | 15:117db924cf7c | 6674 | for (i = sizeof(value); i; --i) |
wolfSSL | 15:117db924cf7c | 6675 | if (value >> ((i - 1) * WOLFSSL_BIT_SIZE)) |
wolfSSL | 15:117db924cf7c | 6676 | break; |
wolfSSL | 15:117db924cf7c | 6677 | |
wolfSSL | 15:117db924cf7c | 6678 | return i; |
wolfSSL | 15:117db924cf7c | 6679 | } |
wolfSSL | 15:117db924cf7c | 6680 | |
wolfSSL | 15:117db924cf7c | 6681 | |
wolfSSL | 16:8e0d178b1d1e | 6682 | word32 SetLength(word32 length, byte* output) |
wolfSSL | 15:117db924cf7c | 6683 | { |
wolfSSL | 15:117db924cf7c | 6684 | word32 i = 0, j; |
wolfSSL | 15:117db924cf7c | 6685 | |
wolfSSL | 16:8e0d178b1d1e | 6686 | if (length < ASN_LONG_LENGTH) { |
wolfSSL | 16:8e0d178b1d1e | 6687 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 6688 | output[i] = (byte)length; |
wolfSSL | 16:8e0d178b1d1e | 6689 | i++; |
wolfSSL | 16:8e0d178b1d1e | 6690 | } |
wolfSSL | 15:117db924cf7c | 6691 | else { |
wolfSSL | 16:8e0d178b1d1e | 6692 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 6693 | output[i] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); |
wolfSSL | 16:8e0d178b1d1e | 6694 | i++; |
wolfSSL | 15:117db924cf7c | 6695 | |
wolfSSL | 15:117db924cf7c | 6696 | for (j = BytePrecision(length); j; --j) { |
wolfSSL | 16:8e0d178b1d1e | 6697 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 6698 | output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE)); |
wolfSSL | 15:117db924cf7c | 6699 | i++; |
wolfSSL | 15:117db924cf7c | 6700 | } |
wolfSSL | 15:117db924cf7c | 6701 | } |
wolfSSL | 15:117db924cf7c | 6702 | |
wolfSSL | 15:117db924cf7c | 6703 | return i; |
wolfSSL | 15:117db924cf7c | 6704 | } |
wolfSSL | 15:117db924cf7c | 6705 | |
wolfSSL | 16:8e0d178b1d1e | 6706 | word32 SetSequence(word32 len, byte* output) |
wolfSSL | 16:8e0d178b1d1e | 6707 | { |
wolfSSL | 16:8e0d178b1d1e | 6708 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 6709 | output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED; |
wolfSSL | 16:8e0d178b1d1e | 6710 | return SetLength(len, output ? output + 1 : NULL) + 1; |
wolfSSL | 16:8e0d178b1d1e | 6711 | } |
wolfSSL | 16:8e0d178b1d1e | 6712 | |
wolfSSL | 16:8e0d178b1d1e | 6713 | word32 SetOctetString(word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 6714 | { |
wolfSSL | 15:117db924cf7c | 6715 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 15:117db924cf7c | 6716 | return SetLength(len, output + 1) + 1; |
wolfSSL | 15:117db924cf7c | 6717 | } |
wolfSSL | 15:117db924cf7c | 6718 | |
wolfSSL | 15:117db924cf7c | 6719 | /* Write a set header to output */ |
wolfSSL | 16:8e0d178b1d1e | 6720 | word32 SetSet(word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 6721 | { |
wolfSSL | 15:117db924cf7c | 6722 | output[0] = ASN_SET | ASN_CONSTRUCTED; |
wolfSSL | 15:117db924cf7c | 6723 | return SetLength(len, output + 1) + 1; |
wolfSSL | 15:117db924cf7c | 6724 | } |
wolfSSL | 15:117db924cf7c | 6725 | |
wolfSSL | 16:8e0d178b1d1e | 6726 | word32 SetImplicit(byte tag, byte number, word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 6727 | { |
wolfSSL | 15:117db924cf7c | 6728 | |
wolfSSL | 15:117db924cf7c | 6729 | output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0) |
wolfSSL | 15:117db924cf7c | 6730 | | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 15:117db924cf7c | 6731 | return SetLength(len, output + 1) + 1; |
wolfSSL | 15:117db924cf7c | 6732 | } |
wolfSSL | 15:117db924cf7c | 6733 | |
wolfSSL | 16:8e0d178b1d1e | 6734 | word32 SetExplicit(byte number, word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 6735 | { |
wolfSSL | 15:117db924cf7c | 6736 | output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 15:117db924cf7c | 6737 | return SetLength(len, output + 1) + 1; |
wolfSSL | 15:117db924cf7c | 6738 | } |
wolfSSL | 15:117db924cf7c | 6739 | |
wolfSSL | 15:117db924cf7c | 6740 | |
wolfSSL | 16:8e0d178b1d1e | 6741 | #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) |
wolfSSL | 15:117db924cf7c | 6742 | |
wolfSSL | 15:117db924cf7c | 6743 | static int SetCurve(ecc_key* key, byte* output) |
wolfSSL | 15:117db924cf7c | 6744 | { |
wolfSSL | 15:117db924cf7c | 6745 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 15:117db924cf7c | 6746 | int ret; |
wolfSSL | 15:117db924cf7c | 6747 | #endif |
wolfSSL | 15:117db924cf7c | 6748 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 6749 | word32 oidSz = 0; |
wolfSSL | 15:117db924cf7c | 6750 | |
wolfSSL | 15:117db924cf7c | 6751 | /* validate key */ |
wolfSSL | 15:117db924cf7c | 6752 | if (key == NULL || key->dp == NULL) { |
wolfSSL | 15:117db924cf7c | 6753 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 6754 | } |
wolfSSL | 15:117db924cf7c | 6755 | |
wolfSSL | 15:117db924cf7c | 6756 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 15:117db924cf7c | 6757 | ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, NULL, &oidSz); |
wolfSSL | 15:117db924cf7c | 6758 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 6759 | return ret; |
wolfSSL | 15:117db924cf7c | 6760 | } |
wolfSSL | 15:117db924cf7c | 6761 | #else |
wolfSSL | 15:117db924cf7c | 6762 | oidSz = key->dp->oidSz; |
wolfSSL | 15:117db924cf7c | 6763 | #endif |
wolfSSL | 15:117db924cf7c | 6764 | |
wolfSSL | 15:117db924cf7c | 6765 | idx += SetObjectId(oidSz, output); |
wolfSSL | 15:117db924cf7c | 6766 | |
wolfSSL | 15:117db924cf7c | 6767 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 15:117db924cf7c | 6768 | ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz); |
wolfSSL | 15:117db924cf7c | 6769 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 6770 | return ret; |
wolfSSL | 15:117db924cf7c | 6771 | } |
wolfSSL | 15:117db924cf7c | 6772 | #else |
wolfSSL | 15:117db924cf7c | 6773 | XMEMCPY(output+idx, key->dp->oid, oidSz); |
wolfSSL | 15:117db924cf7c | 6774 | #endif |
wolfSSL | 15:117db924cf7c | 6775 | idx += oidSz; |
wolfSSL | 15:117db924cf7c | 6776 | |
wolfSSL | 15:117db924cf7c | 6777 | return idx; |
wolfSSL | 15:117db924cf7c | 6778 | } |
wolfSSL | 15:117db924cf7c | 6779 | |
wolfSSL | 16:8e0d178b1d1e | 6780 | #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */ |
wolfSSL | 15:117db924cf7c | 6781 | |
wolfSSL | 15:117db924cf7c | 6782 | |
wolfSSL | 15:117db924cf7c | 6783 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6784 | static WC_INLINE int IsSigAlgoECDSA(int algoOID) |
wolfSSL | 15:117db924cf7c | 6785 | { |
wolfSSL | 15:117db924cf7c | 6786 | /* ECDSA sigAlgo must not have ASN1 NULL parameters */ |
wolfSSL | 15:117db924cf7c | 6787 | if (algoOID == CTC_SHAwECDSA || algoOID == CTC_SHA256wECDSA || |
wolfSSL | 15:117db924cf7c | 6788 | algoOID == CTC_SHA384wECDSA || algoOID == CTC_SHA512wECDSA) { |
wolfSSL | 15:117db924cf7c | 6789 | return 1; |
wolfSSL | 15:117db924cf7c | 6790 | } |
wolfSSL | 15:117db924cf7c | 6791 | |
wolfSSL | 15:117db924cf7c | 6792 | return 0; |
wolfSSL | 15:117db924cf7c | 6793 | } |
wolfSSL | 15:117db924cf7c | 6794 | #endif |
wolfSSL | 15:117db924cf7c | 6795 | |
wolfSSL | 16:8e0d178b1d1e | 6796 | word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) |
wolfSSL | 15:117db924cf7c | 6797 | { |
wolfSSL | 15:117db924cf7c | 6798 | word32 tagSz, idSz, seqSz, algoSz = 0; |
wolfSSL | 15:117db924cf7c | 6799 | const byte* algoName = 0; |
wolfSSL | 15:117db924cf7c | 6800 | byte ID_Length[1 + MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 6801 | byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ |
wolfSSL | 16:8e0d178b1d1e | 6802 | int length = 0; |
wolfSSL | 15:117db924cf7c | 6803 | |
wolfSSL | 15:117db924cf7c | 6804 | tagSz = (type == oidHashType || |
wolfSSL | 15:117db924cf7c | 6805 | (type == oidSigType |
wolfSSL | 15:117db924cf7c | 6806 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6807 | && !IsSigAlgoECDSA(algoOID) |
wolfSSL | 15:117db924cf7c | 6808 | #endif |
wolfSSL | 15:117db924cf7c | 6809 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 6810 | && algoOID != ED25519k |
wolfSSL | 15:117db924cf7c | 6811 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6812 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 6813 | && algoOID != ED448k |
wolfSSL | 16:8e0d178b1d1e | 6814 | #endif |
wolfSSL | 15:117db924cf7c | 6815 | ) || |
wolfSSL | 15:117db924cf7c | 6816 | (type == oidKeyType && algoOID == RSAk)) ? 2 : 0; |
wolfSSL | 15:117db924cf7c | 6817 | |
wolfSSL | 15:117db924cf7c | 6818 | algoName = OidFromId(algoOID, type, &algoSz); |
wolfSSL | 15:117db924cf7c | 6819 | |
wolfSSL | 15:117db924cf7c | 6820 | if (algoName == NULL) { |
wolfSSL | 15:117db924cf7c | 6821 | WOLFSSL_MSG("Unknown Algorithm"); |
wolfSSL | 15:117db924cf7c | 6822 | return 0; |
wolfSSL | 15:117db924cf7c | 6823 | } |
wolfSSL | 15:117db924cf7c | 6824 | |
wolfSSL | 15:117db924cf7c | 6825 | idSz = SetObjectId(algoSz, ID_Length); |
wolfSSL | 15:117db924cf7c | 6826 | seqSz = SetSequence(idSz + algoSz + tagSz + curveSz, seqArray); |
wolfSSL | 15:117db924cf7c | 6827 | |
wolfSSL | 16:8e0d178b1d1e | 6828 | /* Copy only algo to output for DSA keys */ |
wolfSSL | 16:8e0d178b1d1e | 6829 | if (algoOID == DSAk && output) { |
wolfSSL | 16:8e0d178b1d1e | 6830 | XMEMCPY(output, ID_Length, idSz); |
wolfSSL | 16:8e0d178b1d1e | 6831 | XMEMCPY(output + idSz, algoName, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 6832 | if (tagSz == 2) |
wolfSSL | 16:8e0d178b1d1e | 6833 | SetASNNull(&output[seqSz + idSz + algoSz]); |
wolfSSL | 16:8e0d178b1d1e | 6834 | } |
wolfSSL | 16:8e0d178b1d1e | 6835 | else if (output) { |
wolfSSL | 16:8e0d178b1d1e | 6836 | XMEMCPY(output, seqArray, seqSz); |
wolfSSL | 16:8e0d178b1d1e | 6837 | XMEMCPY(output + seqSz, ID_Length, idSz); |
wolfSSL | 16:8e0d178b1d1e | 6838 | XMEMCPY(output + seqSz + idSz, algoName, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 6839 | if (tagSz == 2) |
wolfSSL | 16:8e0d178b1d1e | 6840 | SetASNNull(&output[seqSz + idSz + algoSz]); |
wolfSSL | 16:8e0d178b1d1e | 6841 | } |
wolfSSL | 16:8e0d178b1d1e | 6842 | |
wolfSSL | 16:8e0d178b1d1e | 6843 | if (algoOID == DSAk) |
wolfSSL | 16:8e0d178b1d1e | 6844 | length = idSz + algoSz + tagSz; |
wolfSSL | 16:8e0d178b1d1e | 6845 | else |
wolfSSL | 16:8e0d178b1d1e | 6846 | length = seqSz + idSz + algoSz + tagSz; |
wolfSSL | 16:8e0d178b1d1e | 6847 | |
wolfSSL | 16:8e0d178b1d1e | 6848 | return length; |
wolfSSL | 15:117db924cf7c | 6849 | } |
wolfSSL | 15:117db924cf7c | 6850 | |
wolfSSL | 15:117db924cf7c | 6851 | |
wolfSSL | 15:117db924cf7c | 6852 | word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz, |
wolfSSL | 15:117db924cf7c | 6853 | int hashOID) |
wolfSSL | 15:117db924cf7c | 6854 | { |
wolfSSL | 15:117db924cf7c | 6855 | byte digArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 15:117db924cf7c | 6856 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 6857 | byte seqArray[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 6858 | word32 encDigSz, algoSz, seqSz; |
wolfSSL | 15:117db924cf7c | 6859 | |
wolfSSL | 15:117db924cf7c | 6860 | encDigSz = SetDigest(digest, digSz, digArray); |
wolfSSL | 15:117db924cf7c | 6861 | algoSz = SetAlgoID(hashOID, algoArray, oidHashType, 0); |
wolfSSL | 15:117db924cf7c | 6862 | seqSz = SetSequence(encDigSz + algoSz, seqArray); |
wolfSSL | 15:117db924cf7c | 6863 | |
wolfSSL | 15:117db924cf7c | 6864 | XMEMCPY(out, seqArray, seqSz); |
wolfSSL | 15:117db924cf7c | 6865 | XMEMCPY(out + seqSz, algoArray, algoSz); |
wolfSSL | 15:117db924cf7c | 6866 | XMEMCPY(out + seqSz + algoSz, digArray, encDigSz); |
wolfSSL | 15:117db924cf7c | 6867 | |
wolfSSL | 15:117db924cf7c | 6868 | return encDigSz + algoSz + seqSz; |
wolfSSL | 15:117db924cf7c | 6869 | } |
wolfSSL | 15:117db924cf7c | 6870 | |
wolfSSL | 15:117db924cf7c | 6871 | |
wolfSSL | 16:8e0d178b1d1e | 6872 | #ifndef NO_CERTS |
wolfSSL | 16:8e0d178b1d1e | 6873 | |
wolfSSL | 15:117db924cf7c | 6874 | int wc_GetCTC_HashOID(int type) |
wolfSSL | 15:117db924cf7c | 6875 | { |
wolfSSL | 15:117db924cf7c | 6876 | int ret; |
wolfSSL | 15:117db924cf7c | 6877 | enum wc_HashType hType; |
wolfSSL | 15:117db924cf7c | 6878 | |
wolfSSL | 15:117db924cf7c | 6879 | hType = wc_HashTypeConvert(type); |
wolfSSL | 15:117db924cf7c | 6880 | ret = wc_HashGetOID(hType); |
wolfSSL | 15:117db924cf7c | 6881 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 6882 | ret = 0; /* backwards compatibility */ |
wolfSSL | 15:117db924cf7c | 6883 | |
wolfSSL | 15:117db924cf7c | 6884 | return ret; |
wolfSSL | 15:117db924cf7c | 6885 | } |
wolfSSL | 15:117db924cf7c | 6886 | |
wolfSSL | 15:117db924cf7c | 6887 | void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId) |
wolfSSL | 15:117db924cf7c | 6888 | { |
wolfSSL | 15:117db924cf7c | 6889 | if (sigCtx) { |
wolfSSL | 15:117db924cf7c | 6890 | XMEMSET(sigCtx, 0, sizeof(SignatureCtx)); |
wolfSSL | 15:117db924cf7c | 6891 | sigCtx->devId = devId; |
wolfSSL | 15:117db924cf7c | 6892 | sigCtx->heap = heap; |
wolfSSL | 15:117db924cf7c | 6893 | } |
wolfSSL | 15:117db924cf7c | 6894 | } |
wolfSSL | 15:117db924cf7c | 6895 | |
wolfSSL | 15:117db924cf7c | 6896 | void FreeSignatureCtx(SignatureCtx* sigCtx) |
wolfSSL | 15:117db924cf7c | 6897 | { |
wolfSSL | 15:117db924cf7c | 6898 | if (sigCtx == NULL) |
wolfSSL | 15:117db924cf7c | 6899 | return; |
wolfSSL | 15:117db924cf7c | 6900 | |
wolfSSL | 15:117db924cf7c | 6901 | if (sigCtx->digest) { |
wolfSSL | 15:117db924cf7c | 6902 | XFREE(sigCtx->digest, sigCtx->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 6903 | sigCtx->digest = NULL; |
wolfSSL | 15:117db924cf7c | 6904 | } |
wolfSSL | 15:117db924cf7c | 6905 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 6906 | if (sigCtx->plain) { |
wolfSSL | 15:117db924cf7c | 6907 | XFREE(sigCtx->plain, sigCtx->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 6908 | sigCtx->plain = NULL; |
wolfSSL | 15:117db924cf7c | 6909 | } |
wolfSSL | 15:117db924cf7c | 6910 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6911 | #ifndef NO_ASN_CRYPT |
wolfSSL | 15:117db924cf7c | 6912 | if (sigCtx->key.ptr) { |
wolfSSL | 15:117db924cf7c | 6913 | switch (sigCtx->keyOID) { |
wolfSSL | 15:117db924cf7c | 6914 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 6915 | case RSAk: |
wolfSSL | 15:117db924cf7c | 6916 | wc_FreeRsaKey(sigCtx->key.rsa); |
wolfSSL | 15:117db924cf7c | 6917 | XFREE(sigCtx->key.ptr, sigCtx->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 6918 | break; |
wolfSSL | 15:117db924cf7c | 6919 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 6920 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6921 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 6922 | wc_ecc_free(sigCtx->key.ecc); |
wolfSSL | 15:117db924cf7c | 6923 | XFREE(sigCtx->key.ecc, sigCtx->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 6924 | break; |
wolfSSL | 15:117db924cf7c | 6925 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 6926 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 6927 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 6928 | wc_ed25519_free(sigCtx->key.ed25519); |
wolfSSL | 15:117db924cf7c | 6929 | XFREE(sigCtx->key.ed25519, sigCtx->heap, DYNAMIC_TYPE_ED25519); |
wolfSSL | 15:117db924cf7c | 6930 | break; |
wolfSSL | 15:117db924cf7c | 6931 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 6932 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 6933 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 6934 | wc_ed448_free(sigCtx->key.ed448); |
wolfSSL | 16:8e0d178b1d1e | 6935 | XFREE(sigCtx->key.ed448, sigCtx->heap, DYNAMIC_TYPE_ED448); |
wolfSSL | 16:8e0d178b1d1e | 6936 | break; |
wolfSSL | 16:8e0d178b1d1e | 6937 | #endif /* HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 6938 | default: |
wolfSSL | 15:117db924cf7c | 6939 | break; |
wolfSSL | 15:117db924cf7c | 6940 | } /* switch (keyOID) */ |
wolfSSL | 15:117db924cf7c | 6941 | sigCtx->key.ptr = NULL; |
wolfSSL | 15:117db924cf7c | 6942 | } |
wolfSSL | 16:8e0d178b1d1e | 6943 | #endif |
wolfSSL | 15:117db924cf7c | 6944 | |
wolfSSL | 15:117db924cf7c | 6945 | /* reset state, we are done */ |
wolfSSL | 15:117db924cf7c | 6946 | sigCtx->state = SIG_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 6947 | } |
wolfSSL | 15:117db924cf7c | 6948 | |
wolfSSL | 16:8e0d178b1d1e | 6949 | #ifndef NO_ASN_CRYPT |
wolfSSL | 15:117db924cf7c | 6950 | static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, |
wolfSSL | 15:117db924cf7c | 6951 | byte* digest, int* typeH, int* digestSz, int verify) |
wolfSSL | 15:117db924cf7c | 6952 | { |
wolfSSL | 15:117db924cf7c | 6953 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 6954 | |
wolfSSL | 15:117db924cf7c | 6955 | (void)verify; |
wolfSSL | 15:117db924cf7c | 6956 | |
wolfSSL | 15:117db924cf7c | 6957 | switch (sigOID) { |
wolfSSL | 15:117db924cf7c | 6958 | #if defined(WOLFSSL_MD2) |
wolfSSL | 15:117db924cf7c | 6959 | case CTC_MD2wRSA: |
wolfSSL | 15:117db924cf7c | 6960 | if (!verify) { |
wolfSSL | 15:117db924cf7c | 6961 | ret = HASH_TYPE_E; |
wolfSSL | 15:117db924cf7c | 6962 | WOLFSSL_MSG("MD2 not supported for signing"); |
wolfSSL | 15:117db924cf7c | 6963 | } |
wolfSSL | 15:117db924cf7c | 6964 | else if ((ret = wc_Md2Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 6965 | *typeH = MD2h; |
wolfSSL | 15:117db924cf7c | 6966 | *digestSz = MD2_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 6967 | } |
wolfSSL | 15:117db924cf7c | 6968 | break; |
wolfSSL | 15:117db924cf7c | 6969 | #endif |
wolfSSL | 15:117db924cf7c | 6970 | #ifndef NO_MD5 |
wolfSSL | 15:117db924cf7c | 6971 | case CTC_MD5wRSA: |
wolfSSL | 15:117db924cf7c | 6972 | if ((ret = wc_Md5Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 6973 | *typeH = MD5h; |
wolfSSL | 15:117db924cf7c | 6974 | *digestSz = WC_MD5_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 6975 | } |
wolfSSL | 15:117db924cf7c | 6976 | break; |
wolfSSL | 15:117db924cf7c | 6977 | #endif |
wolfSSL | 15:117db924cf7c | 6978 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 6979 | case CTC_SHAwRSA: |
wolfSSL | 15:117db924cf7c | 6980 | case CTC_SHAwDSA: |
wolfSSL | 15:117db924cf7c | 6981 | case CTC_SHAwECDSA: |
wolfSSL | 15:117db924cf7c | 6982 | if ((ret = wc_ShaHash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 6983 | *typeH = SHAh; |
wolfSSL | 15:117db924cf7c | 6984 | *digestSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 6985 | } |
wolfSSL | 15:117db924cf7c | 6986 | break; |
wolfSSL | 15:117db924cf7c | 6987 | #endif |
wolfSSL | 15:117db924cf7c | 6988 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 15:117db924cf7c | 6989 | case CTC_SHA224wRSA: |
wolfSSL | 15:117db924cf7c | 6990 | case CTC_SHA224wECDSA: |
wolfSSL | 15:117db924cf7c | 6991 | if ((ret = wc_Sha224Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 6992 | *typeH = SHA224h; |
wolfSSL | 15:117db924cf7c | 6993 | *digestSz = WC_SHA224_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 6994 | } |
wolfSSL | 15:117db924cf7c | 6995 | break; |
wolfSSL | 15:117db924cf7c | 6996 | #endif |
wolfSSL | 15:117db924cf7c | 6997 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 6998 | case CTC_SHA256wRSA: |
wolfSSL | 15:117db924cf7c | 6999 | case CTC_SHA256wECDSA: |
wolfSSL | 15:117db924cf7c | 7000 | if ((ret = wc_Sha256Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 7001 | *typeH = SHA256h; |
wolfSSL | 15:117db924cf7c | 7002 | *digestSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 7003 | } |
wolfSSL | 15:117db924cf7c | 7004 | break; |
wolfSSL | 15:117db924cf7c | 7005 | #endif |
wolfSSL | 15:117db924cf7c | 7006 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 7007 | case CTC_SHA384wRSA: |
wolfSSL | 15:117db924cf7c | 7008 | case CTC_SHA384wECDSA: |
wolfSSL | 15:117db924cf7c | 7009 | if ((ret = wc_Sha384Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 7010 | *typeH = SHA384h; |
wolfSSL | 15:117db924cf7c | 7011 | *digestSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 7012 | } |
wolfSSL | 15:117db924cf7c | 7013 | break; |
wolfSSL | 15:117db924cf7c | 7014 | #endif |
wolfSSL | 15:117db924cf7c | 7015 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 7016 | case CTC_SHA512wRSA: |
wolfSSL | 15:117db924cf7c | 7017 | case CTC_SHA512wECDSA: |
wolfSSL | 15:117db924cf7c | 7018 | if ((ret = wc_Sha512Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 15:117db924cf7c | 7019 | *typeH = SHA512h; |
wolfSSL | 15:117db924cf7c | 7020 | *digestSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 7021 | } |
wolfSSL | 15:117db924cf7c | 7022 | break; |
wolfSSL | 15:117db924cf7c | 7023 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7024 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 7025 | case CTC_ED25519: |
wolfSSL | 15:117db924cf7c | 7026 | /* Hashes done in signing operation. |
wolfSSL | 15:117db924cf7c | 7027 | * Two dependent hashes with prefixes performed. |
wolfSSL | 15:117db924cf7c | 7028 | */ |
wolfSSL | 15:117db924cf7c | 7029 | break; |
wolfSSL | 16:8e0d178b1d1e | 7030 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7031 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 7032 | case CTC_ED448: |
wolfSSL | 16:8e0d178b1d1e | 7033 | /* Hashes done in signing operation. |
wolfSSL | 16:8e0d178b1d1e | 7034 | * Two dependent hashes with prefixes performed. |
wolfSSL | 16:8e0d178b1d1e | 7035 | */ |
wolfSSL | 16:8e0d178b1d1e | 7036 | break; |
wolfSSL | 16:8e0d178b1d1e | 7037 | #endif |
wolfSSL | 15:117db924cf7c | 7038 | default: |
wolfSSL | 15:117db924cf7c | 7039 | ret = HASH_TYPE_E; |
wolfSSL | 15:117db924cf7c | 7040 | WOLFSSL_MSG("Hash for Signature has unsupported type"); |
wolfSSL | 15:117db924cf7c | 7041 | } |
wolfSSL | 15:117db924cf7c | 7042 | |
wolfSSL | 15:117db924cf7c | 7043 | return ret; |
wolfSSL | 15:117db924cf7c | 7044 | } |
wolfSSL | 16:8e0d178b1d1e | 7045 | #endif /* !NO_ASN_CRYPT */ |
wolfSSL | 15:117db924cf7c | 7046 | |
wolfSSL | 15:117db924cf7c | 7047 | /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ |
wolfSSL | 15:117db924cf7c | 7048 | static int ConfirmSignature(SignatureCtx* sigCtx, |
wolfSSL | 15:117db924cf7c | 7049 | const byte* buf, word32 bufSz, |
wolfSSL | 15:117db924cf7c | 7050 | const byte* key, word32 keySz, word32 keyOID, |
wolfSSL | 16:8e0d178b1d1e | 7051 | const byte* sig, word32 sigSz, word32 sigOID, byte* rsaKeyIdx) |
wolfSSL | 15:117db924cf7c | 7052 | { |
wolfSSL | 15:117db924cf7c | 7053 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 7054 | #ifndef WOLFSSL_RENESAS_TSIP_TLS |
wolfSSL | 16:8e0d178b1d1e | 7055 | (void)rsaKeyIdx; |
wolfSSL | 16:8e0d178b1d1e | 7056 | #endif |
wolfSSL | 15:117db924cf7c | 7057 | if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL || |
wolfSSL | 15:117db924cf7c | 7058 | keySz == 0 || sig == NULL || sigSz == 0) { |
wolfSSL | 15:117db924cf7c | 7059 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7060 | } |
wolfSSL | 15:117db924cf7c | 7061 | |
wolfSSL | 15:117db924cf7c | 7062 | (void)key; |
wolfSSL | 15:117db924cf7c | 7063 | (void)keySz; |
wolfSSL | 15:117db924cf7c | 7064 | (void)sig; |
wolfSSL | 15:117db924cf7c | 7065 | (void)sigSz; |
wolfSSL | 15:117db924cf7c | 7066 | |
wolfSSL | 15:117db924cf7c | 7067 | WOLFSSL_ENTER("ConfirmSignature"); |
wolfSSL | 15:117db924cf7c | 7068 | |
wolfSSL | 16:8e0d178b1d1e | 7069 | #ifndef NO_ASN_CRYPT |
wolfSSL | 15:117db924cf7c | 7070 | switch (sigCtx->state) { |
wolfSSL | 15:117db924cf7c | 7071 | case SIG_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 7072 | { |
wolfSSL | 16:8e0d178b1d1e | 7073 | sigCtx->keyOID = keyOID; /* must set early for cleanup */ |
wolfSSL | 16:8e0d178b1d1e | 7074 | |
wolfSSL | 15:117db924cf7c | 7075 | sigCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, sigCtx->heap, |
wolfSSL | 15:117db924cf7c | 7076 | DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 7077 | if (sigCtx->digest == NULL) { |
wolfSSL | 15:117db924cf7c | 7078 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7079 | } |
wolfSSL | 15:117db924cf7c | 7080 | |
wolfSSL | 15:117db924cf7c | 7081 | sigCtx->state = SIG_STATE_HASH; |
wolfSSL | 15:117db924cf7c | 7082 | } /* SIG_STATE_BEGIN */ |
wolfSSL | 15:117db924cf7c | 7083 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7084 | |
wolfSSL | 15:117db924cf7c | 7085 | case SIG_STATE_HASH: |
wolfSSL | 15:117db924cf7c | 7086 | { |
wolfSSL | 15:117db924cf7c | 7087 | ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, |
wolfSSL | 15:117db924cf7c | 7088 | &sigCtx->typeH, &sigCtx->digestSz, 1); |
wolfSSL | 15:117db924cf7c | 7089 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 7090 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7091 | } |
wolfSSL | 15:117db924cf7c | 7092 | |
wolfSSL | 15:117db924cf7c | 7093 | sigCtx->state = SIG_STATE_KEY; |
wolfSSL | 15:117db924cf7c | 7094 | } /* SIG_STATE_HASH */ |
wolfSSL | 15:117db924cf7c | 7095 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7096 | |
wolfSSL | 15:117db924cf7c | 7097 | case SIG_STATE_KEY: |
wolfSSL | 15:117db924cf7c | 7098 | { |
wolfSSL | 15:117db924cf7c | 7099 | switch (keyOID) { |
wolfSSL | 15:117db924cf7c | 7100 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 7101 | case RSAk: |
wolfSSL | 15:117db924cf7c | 7102 | { |
wolfSSL | 15:117db924cf7c | 7103 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7104 | |
wolfSSL | 15:117db924cf7c | 7105 | sigCtx->key.rsa = (RsaKey*)XMALLOC(sizeof(RsaKey), |
wolfSSL | 15:117db924cf7c | 7106 | sigCtx->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 7107 | sigCtx->plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, |
wolfSSL | 15:117db924cf7c | 7108 | sigCtx->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 7109 | if (sigCtx->key.rsa == NULL || sigCtx->plain == NULL) { |
wolfSSL | 15:117db924cf7c | 7110 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7111 | } |
wolfSSL | 15:117db924cf7c | 7112 | if ((ret = wc_InitRsaKey_ex(sigCtx->key.rsa, sigCtx->heap, |
wolfSSL | 15:117db924cf7c | 7113 | sigCtx->devId)) != 0) { |
wolfSSL | 15:117db924cf7c | 7114 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7115 | } |
wolfSSL | 15:117db924cf7c | 7116 | if (sigSz > MAX_ENCODED_SIG_SZ) { |
wolfSSL | 15:117db924cf7c | 7117 | WOLFSSL_MSG("Verify Signature is too big"); |
wolfSSL | 15:117db924cf7c | 7118 | ERROR_OUT(BUFFER_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7119 | } |
wolfSSL | 15:117db924cf7c | 7120 | if ((ret = wc_RsaPublicKeyDecode(key, &idx, sigCtx->key.rsa, |
wolfSSL | 15:117db924cf7c | 7121 | keySz)) != 0) { |
wolfSSL | 15:117db924cf7c | 7122 | WOLFSSL_MSG("ASN Key decode error RSA"); |
wolfSSL | 15:117db924cf7c | 7123 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7124 | } |
wolfSSL | 15:117db924cf7c | 7125 | XMEMCPY(sigCtx->plain, sig, sigSz); |
wolfSSL | 15:117db924cf7c | 7126 | sigCtx->out = NULL; |
wolfSSL | 15:117db924cf7c | 7127 | |
wolfSSL | 15:117db924cf7c | 7128 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7129 | sigCtx->asyncDev = &sigCtx->key.rsa->asyncDev; |
wolfSSL | 15:117db924cf7c | 7130 | #endif |
wolfSSL | 15:117db924cf7c | 7131 | break; |
wolfSSL | 15:117db924cf7c | 7132 | } |
wolfSSL | 15:117db924cf7c | 7133 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 7134 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 7135 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 7136 | { |
wolfSSL | 15:117db924cf7c | 7137 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7138 | |
wolfSSL | 15:117db924cf7c | 7139 | sigCtx->verify = 0; |
wolfSSL | 15:117db924cf7c | 7140 | sigCtx->key.ecc = (ecc_key*)XMALLOC(sizeof(ecc_key), |
wolfSSL | 15:117db924cf7c | 7141 | sigCtx->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 7142 | if (sigCtx->key.ecc == NULL) { |
wolfSSL | 15:117db924cf7c | 7143 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7144 | } |
wolfSSL | 15:117db924cf7c | 7145 | if ((ret = wc_ecc_init_ex(sigCtx->key.ecc, sigCtx->heap, |
wolfSSL | 15:117db924cf7c | 7146 | sigCtx->devId)) < 0) { |
wolfSSL | 15:117db924cf7c | 7147 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7148 | } |
wolfSSL | 15:117db924cf7c | 7149 | ret = wc_EccPublicKeyDecode(key, &idx, sigCtx->key.ecc, |
wolfSSL | 15:117db924cf7c | 7150 | keySz); |
wolfSSL | 15:117db924cf7c | 7151 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 7152 | WOLFSSL_MSG("ASN Key import error ECC"); |
wolfSSL | 15:117db924cf7c | 7153 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7154 | } |
wolfSSL | 15:117db924cf7c | 7155 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7156 | sigCtx->asyncDev = &sigCtx->key.ecc->asyncDev; |
wolfSSL | 15:117db924cf7c | 7157 | #endif |
wolfSSL | 15:117db924cf7c | 7158 | break; |
wolfSSL | 15:117db924cf7c | 7159 | } |
wolfSSL | 15:117db924cf7c | 7160 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 7161 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 7162 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 7163 | { |
wolfSSL | 15:117db924cf7c | 7164 | sigCtx->verify = 0; |
wolfSSL | 15:117db924cf7c | 7165 | sigCtx->key.ed25519 = (ed25519_key*)XMALLOC( |
wolfSSL | 15:117db924cf7c | 7166 | sizeof(ed25519_key), sigCtx->heap, |
wolfSSL | 15:117db924cf7c | 7167 | DYNAMIC_TYPE_ED25519); |
wolfSSL | 15:117db924cf7c | 7168 | if (sigCtx->key.ed25519 == NULL) { |
wolfSSL | 15:117db924cf7c | 7169 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7170 | } |
wolfSSL | 15:117db924cf7c | 7171 | if ((ret = wc_ed25519_init(sigCtx->key.ed25519)) < 0) { |
wolfSSL | 15:117db924cf7c | 7172 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7173 | } |
wolfSSL | 15:117db924cf7c | 7174 | if ((ret = wc_ed25519_import_public(key, keySz, |
wolfSSL | 15:117db924cf7c | 7175 | sigCtx->key.ed25519)) < 0) { |
wolfSSL | 15:117db924cf7c | 7176 | WOLFSSL_MSG("ASN Key import error ED25519"); |
wolfSSL | 15:117db924cf7c | 7177 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7178 | } |
wolfSSL | 15:117db924cf7c | 7179 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7180 | sigCtx->asyncDev = &sigCtx->key.ed25519->asyncDev; |
wolfSSL | 15:117db924cf7c | 7181 | #endif |
wolfSSL | 15:117db924cf7c | 7182 | break; |
wolfSSL | 15:117db924cf7c | 7183 | } |
wolfSSL | 15:117db924cf7c | 7184 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7185 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 7186 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 7187 | { |
wolfSSL | 16:8e0d178b1d1e | 7188 | sigCtx->verify = 0; |
wolfSSL | 16:8e0d178b1d1e | 7189 | sigCtx->key.ed448 = (ed448_key*)XMALLOC( |
wolfSSL | 16:8e0d178b1d1e | 7190 | sizeof(ed448_key), sigCtx->heap, |
wolfSSL | 16:8e0d178b1d1e | 7191 | DYNAMIC_TYPE_ED448); |
wolfSSL | 16:8e0d178b1d1e | 7192 | if (sigCtx->key.ed448 == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 7193 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 16:8e0d178b1d1e | 7194 | } |
wolfSSL | 16:8e0d178b1d1e | 7195 | if ((ret = wc_ed448_init(sigCtx->key.ed448)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7196 | goto exit_cs; |
wolfSSL | 16:8e0d178b1d1e | 7197 | } |
wolfSSL | 16:8e0d178b1d1e | 7198 | if ((ret = wc_ed448_import_public(key, keySz, |
wolfSSL | 16:8e0d178b1d1e | 7199 | sigCtx->key.ed448)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7200 | WOLFSSL_MSG("ASN Key import error ED448"); |
wolfSSL | 16:8e0d178b1d1e | 7201 | goto exit_cs; |
wolfSSL | 16:8e0d178b1d1e | 7202 | } |
wolfSSL | 16:8e0d178b1d1e | 7203 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 7204 | sigCtx->asyncDev = &sigCtx->key.ed448->asyncDev; |
wolfSSL | 16:8e0d178b1d1e | 7205 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7206 | break; |
wolfSSL | 16:8e0d178b1d1e | 7207 | } |
wolfSSL | 16:8e0d178b1d1e | 7208 | #endif |
wolfSSL | 15:117db924cf7c | 7209 | default: |
wolfSSL | 15:117db924cf7c | 7210 | WOLFSSL_MSG("Verify Key type unknown"); |
wolfSSL | 15:117db924cf7c | 7211 | ret = ASN_UNKNOWN_OID_E; |
wolfSSL | 15:117db924cf7c | 7212 | break; |
wolfSSL | 15:117db924cf7c | 7213 | } /* switch (keyOID) */ |
wolfSSL | 15:117db924cf7c | 7214 | |
wolfSSL | 15:117db924cf7c | 7215 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 7216 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7217 | } |
wolfSSL | 15:117db924cf7c | 7218 | |
wolfSSL | 15:117db924cf7c | 7219 | sigCtx->state = SIG_STATE_DO; |
wolfSSL | 15:117db924cf7c | 7220 | |
wolfSSL | 15:117db924cf7c | 7221 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7222 | if (sigCtx->devId != INVALID_DEVID && sigCtx->asyncDev && sigCtx->asyncCtx) { |
wolfSSL | 16:8e0d178b1d1e | 7223 | /* make sure event is initialized */ |
wolfSSL | 15:117db924cf7c | 7224 | WOLF_EVENT* event = &sigCtx->asyncDev->event; |
wolfSSL | 15:117db924cf7c | 7225 | ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL, |
wolfSSL | 15:117db924cf7c | 7226 | sigCtx->asyncCtx, WC_ASYNC_FLAG_CALL_AGAIN); |
wolfSSL | 15:117db924cf7c | 7227 | } |
wolfSSL | 15:117db924cf7c | 7228 | #endif |
wolfSSL | 15:117db924cf7c | 7229 | } /* SIG_STATE_KEY */ |
wolfSSL | 15:117db924cf7c | 7230 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7231 | |
wolfSSL | 15:117db924cf7c | 7232 | case SIG_STATE_DO: |
wolfSSL | 15:117db924cf7c | 7233 | { |
wolfSSL | 15:117db924cf7c | 7234 | switch (keyOID) { |
wolfSSL | 15:117db924cf7c | 7235 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 7236 | case RSAk: |
wolfSSL | 15:117db924cf7c | 7237 | { |
wolfSSL | 15:117db924cf7c | 7238 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 7239 | if (sigCtx->pkCbRsa) { |
wolfSSL | 15:117db924cf7c | 7240 | ret = sigCtx->pkCbRsa( |
wolfSSL | 15:117db924cf7c | 7241 | sigCtx->plain, sigSz, &sigCtx->out, |
wolfSSL | 15:117db924cf7c | 7242 | key, keySz, |
wolfSSL | 15:117db924cf7c | 7243 | sigCtx->pkCtxRsa); |
wolfSSL | 15:117db924cf7c | 7244 | } |
wolfSSL | 15:117db924cf7c | 7245 | else |
wolfSSL | 15:117db924cf7c | 7246 | #endif /* HAVE_PK_CALLBACKS */ |
wolfSSL | 15:117db924cf7c | 7247 | { |
wolfSSL | 16:8e0d178b1d1e | 7248 | #ifdef WOLFSSL_RENESAS_TSIP_TLS |
wolfSSL | 16:8e0d178b1d1e | 7249 | if (rsaKeyIdx != NULL) |
wolfSSL | 16:8e0d178b1d1e | 7250 | { |
wolfSSL | 16:8e0d178b1d1e | 7251 | ret = tsip_tls_CertVerify(buf, bufSz, sigCtx->plain, |
wolfSSL | 16:8e0d178b1d1e | 7252 | sigSz, |
wolfSSL | 16:8e0d178b1d1e | 7253 | sigCtx->pubkey_n_start - sigCtx->certBegin, |
wolfSSL | 16:8e0d178b1d1e | 7254 | sigCtx->pubkey_n_len - 1, |
wolfSSL | 16:8e0d178b1d1e | 7255 | sigCtx->pubkey_e_start - sigCtx->certBegin, |
wolfSSL | 16:8e0d178b1d1e | 7256 | sigCtx->pubkey_e_len - 1, |
wolfSSL | 16:8e0d178b1d1e | 7257 | rsaKeyIdx); |
wolfSSL | 16:8e0d178b1d1e | 7258 | |
wolfSSL | 16:8e0d178b1d1e | 7259 | if (ret == 0){ |
wolfSSL | 16:8e0d178b1d1e | 7260 | sigCtx->verifyByTSIP = 1; |
wolfSSL | 16:8e0d178b1d1e | 7261 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 7262 | } else { |
wolfSSL | 16:8e0d178b1d1e | 7263 | WOLFSSL_MSG("RSA Verify by tsip didn't match"); |
wolfSSL | 16:8e0d178b1d1e | 7264 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 16:8e0d178b1d1e | 7265 | } |
wolfSSL | 16:8e0d178b1d1e | 7266 | } else |
wolfSSL | 16:8e0d178b1d1e | 7267 | #endif |
wolfSSL | 15:117db924cf7c | 7268 | ret = wc_RsaSSL_VerifyInline(sigCtx->plain, sigSz, |
wolfSSL | 15:117db924cf7c | 7269 | &sigCtx->out, sigCtx->key.rsa); |
wolfSSL | 15:117db924cf7c | 7270 | } |
wolfSSL | 15:117db924cf7c | 7271 | break; |
wolfSSL | 15:117db924cf7c | 7272 | } |
wolfSSL | 15:117db924cf7c | 7273 | #endif /* !NO_RSA */ |
wolfSSL | 16:8e0d178b1d1e | 7274 | #if defined(HAVE_ECC) |
wolfSSL | 15:117db924cf7c | 7275 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 7276 | { |
wolfSSL | 15:117db924cf7c | 7277 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 7278 | if (sigCtx->pkCbEcc) { |
wolfSSL | 15:117db924cf7c | 7279 | ret = sigCtx->pkCbEcc( |
wolfSSL | 15:117db924cf7c | 7280 | sig, sigSz, |
wolfSSL | 15:117db924cf7c | 7281 | sigCtx->digest, sigCtx->digestSz, |
wolfSSL | 15:117db924cf7c | 7282 | key, keySz, &sigCtx->verify, |
wolfSSL | 15:117db924cf7c | 7283 | sigCtx->pkCtxEcc); |
wolfSSL | 15:117db924cf7c | 7284 | } |
wolfSSL | 15:117db924cf7c | 7285 | else |
wolfSSL | 15:117db924cf7c | 7286 | #endif /* HAVE_PK_CALLBACKS */ |
wolfSSL | 15:117db924cf7c | 7287 | { |
wolfSSL | 15:117db924cf7c | 7288 | ret = wc_ecc_verify_hash(sig, sigSz, sigCtx->digest, |
wolfSSL | 15:117db924cf7c | 7289 | sigCtx->digestSz, &sigCtx->verify, |
wolfSSL | 15:117db924cf7c | 7290 | sigCtx->key.ecc); |
wolfSSL | 15:117db924cf7c | 7291 | } |
wolfSSL | 15:117db924cf7c | 7292 | break; |
wolfSSL | 15:117db924cf7c | 7293 | } |
wolfSSL | 15:117db924cf7c | 7294 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 7295 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 7296 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 7297 | { |
wolfSSL | 15:117db924cf7c | 7298 | ret = wc_ed25519_verify_msg(sig, sigSz, buf, bufSz, |
wolfSSL | 15:117db924cf7c | 7299 | &sigCtx->verify, sigCtx->key.ed25519); |
wolfSSL | 15:117db924cf7c | 7300 | break; |
wolfSSL | 15:117db924cf7c | 7301 | } |
wolfSSL | 15:117db924cf7c | 7302 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7303 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 7304 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 7305 | { |
wolfSSL | 16:8e0d178b1d1e | 7306 | ret = wc_ed448_verify_msg(sig, sigSz, buf, bufSz, |
wolfSSL | 16:8e0d178b1d1e | 7307 | &sigCtx->verify, sigCtx->key.ed448, |
wolfSSL | 16:8e0d178b1d1e | 7308 | NULL, 0); |
wolfSSL | 16:8e0d178b1d1e | 7309 | break; |
wolfSSL | 16:8e0d178b1d1e | 7310 | } |
wolfSSL | 16:8e0d178b1d1e | 7311 | #endif |
wolfSSL | 15:117db924cf7c | 7312 | default: |
wolfSSL | 15:117db924cf7c | 7313 | break; |
wolfSSL | 15:117db924cf7c | 7314 | } /* switch (keyOID) */ |
wolfSSL | 15:117db924cf7c | 7315 | |
wolfSSL | 16:8e0d178b1d1e | 7316 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 7317 | if (ret == WC_PENDING_E) { |
wolfSSL | 16:8e0d178b1d1e | 7318 | goto exit_cs; |
wolfSSL | 16:8e0d178b1d1e | 7319 | } |
wolfSSL | 16:8e0d178b1d1e | 7320 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7321 | |
wolfSSL | 15:117db924cf7c | 7322 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7323 | /* treat all RSA errors as ASN_SIG_CONFIRM_E */ |
wolfSSL | 16:8e0d178b1d1e | 7324 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 7325 | goto exit_cs; |
wolfSSL | 15:117db924cf7c | 7326 | } |
wolfSSL | 15:117db924cf7c | 7327 | |
wolfSSL | 15:117db924cf7c | 7328 | sigCtx->state = SIG_STATE_CHECK; |
wolfSSL | 15:117db924cf7c | 7329 | } /* SIG_STATE_DO */ |
wolfSSL | 15:117db924cf7c | 7330 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7331 | |
wolfSSL | 15:117db924cf7c | 7332 | case SIG_STATE_CHECK: |
wolfSSL | 15:117db924cf7c | 7333 | { |
wolfSSL | 15:117db924cf7c | 7334 | switch (keyOID) { |
wolfSSL | 15:117db924cf7c | 7335 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 7336 | case RSAk: |
wolfSSL | 15:117db924cf7c | 7337 | { |
wolfSSL | 15:117db924cf7c | 7338 | int encodedSigSz, verifySz; |
wolfSSL | 16:8e0d178b1d1e | 7339 | #ifdef WOLFSSL_RENESAS_TSIP |
wolfSSL | 16:8e0d178b1d1e | 7340 | if (sigCtx->verifyByTSIP == 1) break; |
wolfSSL | 16:8e0d178b1d1e | 7341 | #endif |
wolfSSL | 15:117db924cf7c | 7342 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 7343 | byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, |
wolfSSL | 15:117db924cf7c | 7344 | sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 7345 | if (encodedSig == NULL) { |
wolfSSL | 15:117db924cf7c | 7346 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 15:117db924cf7c | 7347 | } |
wolfSSL | 15:117db924cf7c | 7348 | #else |
wolfSSL | 15:117db924cf7c | 7349 | byte encodedSig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 15:117db924cf7c | 7350 | #endif |
wolfSSL | 15:117db924cf7c | 7351 | |
wolfSSL | 15:117db924cf7c | 7352 | verifySz = ret; |
wolfSSL | 15:117db924cf7c | 7353 | |
wolfSSL | 15:117db924cf7c | 7354 | /* make sure we're right justified */ |
wolfSSL | 15:117db924cf7c | 7355 | encodedSigSz = wc_EncodeSignature(encodedSig, |
wolfSSL | 15:117db924cf7c | 7356 | sigCtx->digest, sigCtx->digestSz, sigCtx->typeH); |
wolfSSL | 15:117db924cf7c | 7357 | if (encodedSigSz == verifySz && sigCtx->out != NULL && |
wolfSSL | 15:117db924cf7c | 7358 | XMEMCMP(sigCtx->out, encodedSig, encodedSigSz) == 0) { |
wolfSSL | 15:117db924cf7c | 7359 | ret = 0; |
wolfSSL | 15:117db924cf7c | 7360 | } |
wolfSSL | 15:117db924cf7c | 7361 | else { |
wolfSSL | 15:117db924cf7c | 7362 | WOLFSSL_MSG("RSA SSL verify match encode error"); |
wolfSSL | 15:117db924cf7c | 7363 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 7364 | } |
wolfSSL | 15:117db924cf7c | 7365 | |
wolfSSL | 15:117db924cf7c | 7366 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 7367 | XFREE(encodedSig, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 7368 | #endif |
wolfSSL | 15:117db924cf7c | 7369 | break; |
wolfSSL | 15:117db924cf7c | 7370 | } |
wolfSSL | 15:117db924cf7c | 7371 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 7372 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 7373 | case ECDSAk: |
wolfSSL | 15:117db924cf7c | 7374 | { |
wolfSSL | 15:117db924cf7c | 7375 | if (sigCtx->verify == 1) { |
wolfSSL | 15:117db924cf7c | 7376 | ret = 0; |
wolfSSL | 15:117db924cf7c | 7377 | } |
wolfSSL | 15:117db924cf7c | 7378 | else { |
wolfSSL | 15:117db924cf7c | 7379 | WOLFSSL_MSG("ECC Verify didn't match"); |
wolfSSL | 15:117db924cf7c | 7380 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 7381 | } |
wolfSSL | 15:117db924cf7c | 7382 | break; |
wolfSSL | 15:117db924cf7c | 7383 | } |
wolfSSL | 15:117db924cf7c | 7384 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 7385 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 7386 | case ED25519k: |
wolfSSL | 15:117db924cf7c | 7387 | { |
wolfSSL | 15:117db924cf7c | 7388 | if (sigCtx->verify == 1) { |
wolfSSL | 15:117db924cf7c | 7389 | ret = 0; |
wolfSSL | 15:117db924cf7c | 7390 | } |
wolfSSL | 15:117db924cf7c | 7391 | else { |
wolfSSL | 15:117db924cf7c | 7392 | WOLFSSL_MSG("ED25519 Verify didn't match"); |
wolfSSL | 15:117db924cf7c | 7393 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 7394 | } |
wolfSSL | 15:117db924cf7c | 7395 | break; |
wolfSSL | 15:117db924cf7c | 7396 | } |
wolfSSL | 15:117db924cf7c | 7397 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 7398 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 7399 | case ED448k: |
wolfSSL | 16:8e0d178b1d1e | 7400 | { |
wolfSSL | 16:8e0d178b1d1e | 7401 | if (sigCtx->verify == 1) { |
wolfSSL | 16:8e0d178b1d1e | 7402 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 7403 | } |
wolfSSL | 16:8e0d178b1d1e | 7404 | else { |
wolfSSL | 16:8e0d178b1d1e | 7405 | WOLFSSL_MSG("ED448 Verify didn't match"); |
wolfSSL | 16:8e0d178b1d1e | 7406 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 16:8e0d178b1d1e | 7407 | } |
wolfSSL | 16:8e0d178b1d1e | 7408 | break; |
wolfSSL | 16:8e0d178b1d1e | 7409 | } |
wolfSSL | 16:8e0d178b1d1e | 7410 | #endif /* HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 7411 | default: |
wolfSSL | 15:117db924cf7c | 7412 | break; |
wolfSSL | 15:117db924cf7c | 7413 | } /* switch (keyOID) */ |
wolfSSL | 15:117db924cf7c | 7414 | |
wolfSSL | 15:117db924cf7c | 7415 | break; |
wolfSSL | 15:117db924cf7c | 7416 | } /* SIG_STATE_CHECK */ |
wolfSSL | 15:117db924cf7c | 7417 | } /* switch (sigCtx->state) */ |
wolfSSL | 15:117db924cf7c | 7418 | |
wolfSSL | 15:117db924cf7c | 7419 | exit_cs: |
wolfSSL | 15:117db924cf7c | 7420 | |
wolfSSL | 16:8e0d178b1d1e | 7421 | #endif /* !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 7422 | |
wolfSSL | 16:8e0d178b1d1e | 7423 | (void)keyOID; |
wolfSSL | 16:8e0d178b1d1e | 7424 | (void)sigOID; |
wolfSSL | 16:8e0d178b1d1e | 7425 | |
wolfSSL | 15:117db924cf7c | 7426 | WOLFSSL_LEAVE("ConfirmSignature", ret); |
wolfSSL | 15:117db924cf7c | 7427 | |
wolfSSL | 16:8e0d178b1d1e | 7428 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 7429 | if (ret == WC_PENDING_E) |
wolfSSL | 16:8e0d178b1d1e | 7430 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 7431 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7432 | |
wolfSSL | 16:8e0d178b1d1e | 7433 | FreeSignatureCtx(sigCtx); |
wolfSSL | 15:117db924cf7c | 7434 | |
wolfSSL | 15:117db924cf7c | 7435 | return ret; |
wolfSSL | 15:117db924cf7c | 7436 | } |
wolfSSL | 15:117db924cf7c | 7437 | |
wolfSSL | 15:117db924cf7c | 7438 | |
wolfSSL | 15:117db924cf7c | 7439 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 7440 | |
wolfSSL | 15:117db924cf7c | 7441 | static int MatchBaseName(int type, const char* name, int nameSz, |
wolfSSL | 15:117db924cf7c | 7442 | const char* base, int baseSz) |
wolfSSL | 15:117db924cf7c | 7443 | { |
wolfSSL | 15:117db924cf7c | 7444 | if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 || |
wolfSSL | 15:117db924cf7c | 7445 | name[0] == '.' || nameSz < baseSz || |
wolfSSL | 15:117db924cf7c | 7446 | (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE)) |
wolfSSL | 15:117db924cf7c | 7447 | return 0; |
wolfSSL | 15:117db924cf7c | 7448 | |
wolfSSL | 15:117db924cf7c | 7449 | /* If an email type, handle special cases where the base is only |
wolfSSL | 15:117db924cf7c | 7450 | * a domain, or is an email address itself. */ |
wolfSSL | 15:117db924cf7c | 7451 | if (type == ASN_RFC822_TYPE) { |
wolfSSL | 15:117db924cf7c | 7452 | const char* p = NULL; |
wolfSSL | 15:117db924cf7c | 7453 | int count = 0; |
wolfSSL | 15:117db924cf7c | 7454 | |
wolfSSL | 15:117db924cf7c | 7455 | if (base[0] != '.') { |
wolfSSL | 15:117db924cf7c | 7456 | p = base; |
wolfSSL | 15:117db924cf7c | 7457 | count = 0; |
wolfSSL | 15:117db924cf7c | 7458 | |
wolfSSL | 15:117db924cf7c | 7459 | /* find the '@' in the base */ |
wolfSSL | 15:117db924cf7c | 7460 | while (*p != '@' && count < baseSz) { |
wolfSSL | 15:117db924cf7c | 7461 | count++; |
wolfSSL | 15:117db924cf7c | 7462 | p++; |
wolfSSL | 15:117db924cf7c | 7463 | } |
wolfSSL | 15:117db924cf7c | 7464 | |
wolfSSL | 15:117db924cf7c | 7465 | /* No '@' in base, reset p to NULL */ |
wolfSSL | 15:117db924cf7c | 7466 | if (count >= baseSz) |
wolfSSL | 15:117db924cf7c | 7467 | p = NULL; |
wolfSSL | 15:117db924cf7c | 7468 | } |
wolfSSL | 15:117db924cf7c | 7469 | |
wolfSSL | 15:117db924cf7c | 7470 | if (p == NULL) { |
wolfSSL | 15:117db924cf7c | 7471 | /* Base isn't an email address, it is a domain name, |
wolfSSL | 15:117db924cf7c | 7472 | * wind the name forward one character past its '@'. */ |
wolfSSL | 15:117db924cf7c | 7473 | p = name; |
wolfSSL | 15:117db924cf7c | 7474 | count = 0; |
wolfSSL | 15:117db924cf7c | 7475 | while (*p != '@' && count < baseSz) { |
wolfSSL | 15:117db924cf7c | 7476 | count++; |
wolfSSL | 15:117db924cf7c | 7477 | p++; |
wolfSSL | 15:117db924cf7c | 7478 | } |
wolfSSL | 15:117db924cf7c | 7479 | |
wolfSSL | 15:117db924cf7c | 7480 | if (count < baseSz && *p == '@') { |
wolfSSL | 15:117db924cf7c | 7481 | name = p + 1; |
wolfSSL | 15:117db924cf7c | 7482 | nameSz -= count + 1; |
wolfSSL | 15:117db924cf7c | 7483 | } |
wolfSSL | 15:117db924cf7c | 7484 | } |
wolfSSL | 15:117db924cf7c | 7485 | } |
wolfSSL | 15:117db924cf7c | 7486 | |
wolfSSL | 15:117db924cf7c | 7487 | if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') { |
wolfSSL | 15:117db924cf7c | 7488 | int szAdjust = nameSz - baseSz; |
wolfSSL | 15:117db924cf7c | 7489 | name += szAdjust; |
wolfSSL | 15:117db924cf7c | 7490 | nameSz -= szAdjust; |
wolfSSL | 15:117db924cf7c | 7491 | } |
wolfSSL | 15:117db924cf7c | 7492 | |
wolfSSL | 15:117db924cf7c | 7493 | while (nameSz > 0) { |
wolfSSL | 15:117db924cf7c | 7494 | if (XTOLOWER((unsigned char)*name++) != |
wolfSSL | 15:117db924cf7c | 7495 | XTOLOWER((unsigned char)*base++)) |
wolfSSL | 15:117db924cf7c | 7496 | return 0; |
wolfSSL | 15:117db924cf7c | 7497 | nameSz--; |
wolfSSL | 15:117db924cf7c | 7498 | } |
wolfSSL | 15:117db924cf7c | 7499 | |
wolfSSL | 15:117db924cf7c | 7500 | return 1; |
wolfSSL | 15:117db924cf7c | 7501 | } |
wolfSSL | 15:117db924cf7c | 7502 | |
wolfSSL | 15:117db924cf7c | 7503 | |
wolfSSL | 15:117db924cf7c | 7504 | static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 7505 | { |
wolfSSL | 15:117db924cf7c | 7506 | if (signer == NULL || cert == NULL) |
wolfSSL | 15:117db924cf7c | 7507 | return 0; |
wolfSSL | 15:117db924cf7c | 7508 | |
wolfSSL | 15:117db924cf7c | 7509 | /* Check against the excluded list */ |
wolfSSL | 15:117db924cf7c | 7510 | if (signer->excludedNames) { |
wolfSSL | 15:117db924cf7c | 7511 | Base_entry* base = signer->excludedNames; |
wolfSSL | 15:117db924cf7c | 7512 | |
wolfSSL | 15:117db924cf7c | 7513 | while (base != NULL) { |
wolfSSL | 15:117db924cf7c | 7514 | switch (base->type) { |
wolfSSL | 15:117db924cf7c | 7515 | case ASN_DNS_TYPE: |
wolfSSL | 15:117db924cf7c | 7516 | { |
wolfSSL | 15:117db924cf7c | 7517 | DNS_entry* name = cert->altNames; |
wolfSSL | 15:117db924cf7c | 7518 | while (name != NULL) { |
wolfSSL | 15:117db924cf7c | 7519 | if (MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 15:117db924cf7c | 7520 | name->name, name->len, |
wolfSSL | 15:117db924cf7c | 7521 | base->name, base->nameSz)) { |
wolfSSL | 15:117db924cf7c | 7522 | return 0; |
wolfSSL | 15:117db924cf7c | 7523 | } |
wolfSSL | 15:117db924cf7c | 7524 | name = name->next; |
wolfSSL | 15:117db924cf7c | 7525 | } |
wolfSSL | 15:117db924cf7c | 7526 | break; |
wolfSSL | 15:117db924cf7c | 7527 | } |
wolfSSL | 15:117db924cf7c | 7528 | case ASN_RFC822_TYPE: |
wolfSSL | 15:117db924cf7c | 7529 | { |
wolfSSL | 15:117db924cf7c | 7530 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 15:117db924cf7c | 7531 | while (name != NULL) { |
wolfSSL | 15:117db924cf7c | 7532 | if (MatchBaseName(ASN_RFC822_TYPE, |
wolfSSL | 15:117db924cf7c | 7533 | name->name, name->len, |
wolfSSL | 15:117db924cf7c | 7534 | base->name, base->nameSz)) { |
wolfSSL | 15:117db924cf7c | 7535 | return 0; |
wolfSSL | 15:117db924cf7c | 7536 | } |
wolfSSL | 15:117db924cf7c | 7537 | name = name->next; |
wolfSSL | 15:117db924cf7c | 7538 | } |
wolfSSL | 15:117db924cf7c | 7539 | break; |
wolfSSL | 15:117db924cf7c | 7540 | } |
wolfSSL | 15:117db924cf7c | 7541 | case ASN_DIR_TYPE: |
wolfSSL | 15:117db924cf7c | 7542 | { |
wolfSSL | 15:117db924cf7c | 7543 | /* allow permitted dirName smaller than actual subject */ |
wolfSSL | 15:117db924cf7c | 7544 | if (cert->subjectRawLen >= base->nameSz && |
wolfSSL | 15:117db924cf7c | 7545 | XMEMCMP(cert->subjectRaw, base->name, |
wolfSSL | 15:117db924cf7c | 7546 | base->nameSz) == 0) { |
wolfSSL | 15:117db924cf7c | 7547 | return 0; |
wolfSSL | 15:117db924cf7c | 7548 | } |
wolfSSL | 15:117db924cf7c | 7549 | break; |
wolfSSL | 15:117db924cf7c | 7550 | } |
wolfSSL | 15:117db924cf7c | 7551 | }; /* switch */ |
wolfSSL | 15:117db924cf7c | 7552 | base = base->next; |
wolfSSL | 15:117db924cf7c | 7553 | } |
wolfSSL | 15:117db924cf7c | 7554 | } |
wolfSSL | 15:117db924cf7c | 7555 | |
wolfSSL | 15:117db924cf7c | 7556 | /* Check against the permitted list */ |
wolfSSL | 15:117db924cf7c | 7557 | if (signer->permittedNames != NULL) { |
wolfSSL | 15:117db924cf7c | 7558 | int needDns = 0; |
wolfSSL | 15:117db924cf7c | 7559 | int matchDns = 0; |
wolfSSL | 15:117db924cf7c | 7560 | int needEmail = 0; |
wolfSSL | 15:117db924cf7c | 7561 | int matchEmail = 0; |
wolfSSL | 15:117db924cf7c | 7562 | int needDir = 0; |
wolfSSL | 15:117db924cf7c | 7563 | int matchDir = 0; |
wolfSSL | 15:117db924cf7c | 7564 | Base_entry* base = signer->permittedNames; |
wolfSSL | 15:117db924cf7c | 7565 | |
wolfSSL | 15:117db924cf7c | 7566 | while (base != NULL) { |
wolfSSL | 15:117db924cf7c | 7567 | switch (base->type) { |
wolfSSL | 15:117db924cf7c | 7568 | case ASN_DNS_TYPE: |
wolfSSL | 15:117db924cf7c | 7569 | { |
wolfSSL | 15:117db924cf7c | 7570 | DNS_entry* name = cert->altNames; |
wolfSSL | 15:117db924cf7c | 7571 | |
wolfSSL | 15:117db924cf7c | 7572 | if (name != NULL) |
wolfSSL | 15:117db924cf7c | 7573 | needDns = 1; |
wolfSSL | 15:117db924cf7c | 7574 | |
wolfSSL | 15:117db924cf7c | 7575 | while (name != NULL) { |
wolfSSL | 15:117db924cf7c | 7576 | matchDns = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 15:117db924cf7c | 7577 | name->name, name->len, |
wolfSSL | 15:117db924cf7c | 7578 | base->name, base->nameSz); |
wolfSSL | 15:117db924cf7c | 7579 | name = name->next; |
wolfSSL | 15:117db924cf7c | 7580 | } |
wolfSSL | 15:117db924cf7c | 7581 | break; |
wolfSSL | 15:117db924cf7c | 7582 | } |
wolfSSL | 15:117db924cf7c | 7583 | case ASN_RFC822_TYPE: |
wolfSSL | 15:117db924cf7c | 7584 | { |
wolfSSL | 15:117db924cf7c | 7585 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 15:117db924cf7c | 7586 | |
wolfSSL | 15:117db924cf7c | 7587 | if (name != NULL) |
wolfSSL | 15:117db924cf7c | 7588 | needEmail = 1; |
wolfSSL | 15:117db924cf7c | 7589 | |
wolfSSL | 15:117db924cf7c | 7590 | while (name != NULL) { |
wolfSSL | 15:117db924cf7c | 7591 | matchEmail = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 15:117db924cf7c | 7592 | name->name, name->len, |
wolfSSL | 15:117db924cf7c | 7593 | base->name, base->nameSz); |
wolfSSL | 15:117db924cf7c | 7594 | name = name->next; |
wolfSSL | 15:117db924cf7c | 7595 | } |
wolfSSL | 15:117db924cf7c | 7596 | break; |
wolfSSL | 15:117db924cf7c | 7597 | } |
wolfSSL | 15:117db924cf7c | 7598 | case ASN_DIR_TYPE: |
wolfSSL | 15:117db924cf7c | 7599 | { |
wolfSSL | 15:117db924cf7c | 7600 | /* allow permitted dirName smaller than actual subject */ |
wolfSSL | 15:117db924cf7c | 7601 | needDir = 1; |
wolfSSL | 15:117db924cf7c | 7602 | if (cert->subjectRaw != NULL && |
wolfSSL | 15:117db924cf7c | 7603 | cert->subjectRawLen >= base->nameSz && |
wolfSSL | 15:117db924cf7c | 7604 | XMEMCMP(cert->subjectRaw, base->name, |
wolfSSL | 15:117db924cf7c | 7605 | base->nameSz) == 0) { |
wolfSSL | 15:117db924cf7c | 7606 | matchDir = 1; |
wolfSSL | 15:117db924cf7c | 7607 | } |
wolfSSL | 15:117db924cf7c | 7608 | break; |
wolfSSL | 15:117db924cf7c | 7609 | } |
wolfSSL | 15:117db924cf7c | 7610 | } /* switch */ |
wolfSSL | 15:117db924cf7c | 7611 | base = base->next; |
wolfSSL | 15:117db924cf7c | 7612 | } |
wolfSSL | 15:117db924cf7c | 7613 | |
wolfSSL | 15:117db924cf7c | 7614 | if ((needDns && !matchDns) || |
wolfSSL | 15:117db924cf7c | 7615 | (needEmail && !matchEmail) || |
wolfSSL | 15:117db924cf7c | 7616 | (needDir && !matchDir)) { |
wolfSSL | 15:117db924cf7c | 7617 | return 0; |
wolfSSL | 15:117db924cf7c | 7618 | } |
wolfSSL | 15:117db924cf7c | 7619 | } |
wolfSSL | 15:117db924cf7c | 7620 | |
wolfSSL | 15:117db924cf7c | 7621 | return 1; |
wolfSSL | 15:117db924cf7c | 7622 | } |
wolfSSL | 15:117db924cf7c | 7623 | |
wolfSSL | 15:117db924cf7c | 7624 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 7625 | |
wolfSSL | 16:8e0d178b1d1e | 7626 | static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 7627 | { |
wolfSSL | 15:117db924cf7c | 7628 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7629 | int length = 0; |
wolfSSL | 15:117db924cf7c | 7630 | |
wolfSSL | 15:117db924cf7c | 7631 | WOLFSSL_ENTER("DecodeAltNames"); |
wolfSSL | 15:117db924cf7c | 7632 | |
wolfSSL | 15:117db924cf7c | 7633 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7634 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 15:117db924cf7c | 7635 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7636 | } |
wolfSSL | 15:117db924cf7c | 7637 | |
wolfSSL | 16:8e0d178b1d1e | 7638 | if (length == 0) { |
wolfSSL | 16:8e0d178b1d1e | 7639 | /* RFC 5280 4.2.1.6. Subject Alternative Name |
wolfSSL | 16:8e0d178b1d1e | 7640 | If the subjectAltName extension is present, the sequence MUST |
wolfSSL | 16:8e0d178b1d1e | 7641 | contain at least one entry. */ |
wolfSSL | 16:8e0d178b1d1e | 7642 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 7643 | } |
wolfSSL | 16:8e0d178b1d1e | 7644 | |
wolfSSL | 15:117db924cf7c | 7645 | cert->weOwnAltNames = 1; |
wolfSSL | 15:117db924cf7c | 7646 | |
wolfSSL | 15:117db924cf7c | 7647 | while (length > 0) { |
wolfSSL | 15:117db924cf7c | 7648 | byte b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 7649 | |
wolfSSL | 15:117db924cf7c | 7650 | length--; |
wolfSSL | 15:117db924cf7c | 7651 | |
wolfSSL | 15:117db924cf7c | 7652 | /* Save DNS Type names in the altNames list. */ |
wolfSSL | 15:117db924cf7c | 7653 | /* Save Other Type names in the cert's OidMap */ |
wolfSSL | 15:117db924cf7c | 7654 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) { |
wolfSSL | 15:117db924cf7c | 7655 | DNS_entry* dnsEntry; |
wolfSSL | 15:117db924cf7c | 7656 | int strLen; |
wolfSSL | 15:117db924cf7c | 7657 | word32 lenStartIdx = idx; |
wolfSSL | 15:117db924cf7c | 7658 | |
wolfSSL | 15:117db924cf7c | 7659 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7660 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 15:117db924cf7c | 7661 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7662 | } |
wolfSSL | 15:117db924cf7c | 7663 | length -= (idx - lenStartIdx); |
wolfSSL | 15:117db924cf7c | 7664 | |
wolfSSL | 15:117db924cf7c | 7665 | dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 15:117db924cf7c | 7666 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7667 | if (dnsEntry == NULL) { |
wolfSSL | 15:117db924cf7c | 7668 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7669 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7670 | } |
wolfSSL | 15:117db924cf7c | 7671 | |
wolfSSL | 15:117db924cf7c | 7672 | dnsEntry->type = ASN_DNS_TYPE; |
wolfSSL | 15:117db924cf7c | 7673 | dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 7674 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7675 | if (dnsEntry->name == NULL) { |
wolfSSL | 15:117db924cf7c | 7676 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7677 | XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7678 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7679 | } |
wolfSSL | 15:117db924cf7c | 7680 | dnsEntry->len = strLen; |
wolfSSL | 15:117db924cf7c | 7681 | XMEMCPY(dnsEntry->name, &input[idx], strLen); |
wolfSSL | 15:117db924cf7c | 7682 | dnsEntry->name[strLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 7683 | |
wolfSSL | 15:117db924cf7c | 7684 | dnsEntry->next = cert->altNames; |
wolfSSL | 15:117db924cf7c | 7685 | cert->altNames = dnsEntry; |
wolfSSL | 15:117db924cf7c | 7686 | |
wolfSSL | 15:117db924cf7c | 7687 | length -= strLen; |
wolfSSL | 15:117db924cf7c | 7688 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7689 | } |
wolfSSL | 15:117db924cf7c | 7690 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 7691 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) { |
wolfSSL | 15:117db924cf7c | 7692 | DNS_entry* emailEntry; |
wolfSSL | 15:117db924cf7c | 7693 | int strLen; |
wolfSSL | 15:117db924cf7c | 7694 | word32 lenStartIdx = idx; |
wolfSSL | 15:117db924cf7c | 7695 | |
wolfSSL | 15:117db924cf7c | 7696 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7697 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 15:117db924cf7c | 7698 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7699 | } |
wolfSSL | 15:117db924cf7c | 7700 | length -= (idx - lenStartIdx); |
wolfSSL | 15:117db924cf7c | 7701 | |
wolfSSL | 15:117db924cf7c | 7702 | emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 15:117db924cf7c | 7703 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7704 | if (emailEntry == NULL) { |
wolfSSL | 15:117db924cf7c | 7705 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7706 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7707 | } |
wolfSSL | 15:117db924cf7c | 7708 | |
wolfSSL | 15:117db924cf7c | 7709 | emailEntry->type = ASN_RFC822_TYPE; |
wolfSSL | 15:117db924cf7c | 7710 | emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 7711 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7712 | if (emailEntry->name == NULL) { |
wolfSSL | 15:117db924cf7c | 7713 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7714 | XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7715 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7716 | } |
wolfSSL | 15:117db924cf7c | 7717 | emailEntry->len = strLen; |
wolfSSL | 15:117db924cf7c | 7718 | XMEMCPY(emailEntry->name, &input[idx], strLen); |
wolfSSL | 15:117db924cf7c | 7719 | emailEntry->name[strLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 7720 | |
wolfSSL | 15:117db924cf7c | 7721 | emailEntry->next = cert->altEmailNames; |
wolfSSL | 15:117db924cf7c | 7722 | cert->altEmailNames = emailEntry; |
wolfSSL | 15:117db924cf7c | 7723 | |
wolfSSL | 15:117db924cf7c | 7724 | length -= strLen; |
wolfSSL | 15:117db924cf7c | 7725 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7726 | } |
wolfSSL | 15:117db924cf7c | 7727 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) { |
wolfSSL | 15:117db924cf7c | 7728 | DNS_entry* uriEntry; |
wolfSSL | 15:117db924cf7c | 7729 | int strLen; |
wolfSSL | 15:117db924cf7c | 7730 | word32 lenStartIdx = idx; |
wolfSSL | 15:117db924cf7c | 7731 | |
wolfSSL | 15:117db924cf7c | 7732 | WOLFSSL_MSG("\tPutting URI into list but not using"); |
wolfSSL | 15:117db924cf7c | 7733 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7734 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 15:117db924cf7c | 7735 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7736 | } |
wolfSSL | 15:117db924cf7c | 7737 | length -= (idx - lenStartIdx); |
wolfSSL | 15:117db924cf7c | 7738 | |
wolfSSL | 15:117db924cf7c | 7739 | /* check that strLen at index is not past input buffer */ |
wolfSSL | 15:117db924cf7c | 7740 | if (strLen + (int)idx > sz) { |
wolfSSL | 15:117db924cf7c | 7741 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 7742 | } |
wolfSSL | 15:117db924cf7c | 7743 | |
wolfSSL | 15:117db924cf7c | 7744 | #ifndef WOLFSSL_NO_ASN_STRICT |
wolfSSL | 15:117db924cf7c | 7745 | /* Verify RFC 5280 Sec 4.2.1.6 rule: |
wolfSSL | 15:117db924cf7c | 7746 | "The name MUST NOT be a relative URI" */ |
wolfSSL | 15:117db924cf7c | 7747 | |
wolfSSL | 15:117db924cf7c | 7748 | { |
wolfSSL | 15:117db924cf7c | 7749 | int i; |
wolfSSL | 15:117db924cf7c | 7750 | |
wolfSSL | 15:117db924cf7c | 7751 | /* skip past scheme (i.e http,ftp,...) finding first ':' char */ |
wolfSSL | 15:117db924cf7c | 7752 | for (i = 0; i < strLen; i++) { |
wolfSSL | 15:117db924cf7c | 7753 | if (input[idx + i] == ':') { |
wolfSSL | 15:117db924cf7c | 7754 | break; |
wolfSSL | 15:117db924cf7c | 7755 | } |
wolfSSL | 15:117db924cf7c | 7756 | if (input[idx + i] == '/') { |
wolfSSL | 15:117db924cf7c | 7757 | i = strLen; /* error, found relative path since '/' was |
wolfSSL | 15:117db924cf7c | 7758 | * encountered before ':'. Returning error |
wolfSSL | 15:117db924cf7c | 7759 | * value in next if statement. */ |
wolfSSL | 15:117db924cf7c | 7760 | } |
wolfSSL | 15:117db924cf7c | 7761 | } |
wolfSSL | 15:117db924cf7c | 7762 | |
wolfSSL | 15:117db924cf7c | 7763 | /* test if no ':' char was found and test that the next two |
wolfSSL | 15:117db924cf7c | 7764 | * chars are // to match the pattern "://" */ |
wolfSSL | 15:117db924cf7c | 7765 | if (i >= strLen - 2 || (input[idx + i + 1] != '/' || |
wolfSSL | 15:117db924cf7c | 7766 | input[idx + i + 2] != '/')) { |
wolfSSL | 15:117db924cf7c | 7767 | WOLFSSL_MSG("\tAlt Name must be absolute URI"); |
wolfSSL | 15:117db924cf7c | 7768 | return ASN_ALT_NAME_E; |
wolfSSL | 15:117db924cf7c | 7769 | } |
wolfSSL | 15:117db924cf7c | 7770 | } |
wolfSSL | 15:117db924cf7c | 7771 | #endif |
wolfSSL | 15:117db924cf7c | 7772 | |
wolfSSL | 15:117db924cf7c | 7773 | uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 15:117db924cf7c | 7774 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7775 | if (uriEntry == NULL) { |
wolfSSL | 15:117db924cf7c | 7776 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7777 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7778 | } |
wolfSSL | 15:117db924cf7c | 7779 | |
wolfSSL | 15:117db924cf7c | 7780 | uriEntry->type = ASN_URI_TYPE; |
wolfSSL | 15:117db924cf7c | 7781 | uriEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 7782 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7783 | if (uriEntry->name == NULL) { |
wolfSSL | 15:117db924cf7c | 7784 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7785 | XFREE(uriEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 7786 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7787 | } |
wolfSSL | 15:117db924cf7c | 7788 | uriEntry->len = strLen; |
wolfSSL | 15:117db924cf7c | 7789 | XMEMCPY(uriEntry->name, &input[idx], strLen); |
wolfSSL | 15:117db924cf7c | 7790 | uriEntry->name[strLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 7791 | |
wolfSSL | 15:117db924cf7c | 7792 | uriEntry->next = cert->altNames; |
wolfSSL | 15:117db924cf7c | 7793 | cert->altNames = uriEntry; |
wolfSSL | 15:117db924cf7c | 7794 | |
wolfSSL | 15:117db924cf7c | 7795 | length -= strLen; |
wolfSSL | 15:117db924cf7c | 7796 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7797 | } |
wolfSSL | 16:8e0d178b1d1e | 7798 | #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) |
wolfSSL | 16:8e0d178b1d1e | 7799 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) { |
wolfSSL | 16:8e0d178b1d1e | 7800 | DNS_entry* ipAddr; |
wolfSSL | 16:8e0d178b1d1e | 7801 | int strLen; |
wolfSSL | 16:8e0d178b1d1e | 7802 | word32 lenStartIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 7803 | WOLFSSL_MSG("Decoding Subject Alt. Name: IP Address"); |
wolfSSL | 16:8e0d178b1d1e | 7804 | |
wolfSSL | 16:8e0d178b1d1e | 7805 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7806 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 16:8e0d178b1d1e | 7807 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 7808 | } |
wolfSSL | 16:8e0d178b1d1e | 7809 | length -= (idx - lenStartIdx); |
wolfSSL | 16:8e0d178b1d1e | 7810 | /* check that strLen at index is not past input buffer */ |
wolfSSL | 16:8e0d178b1d1e | 7811 | if (strLen + (int)idx > sz) { |
wolfSSL | 16:8e0d178b1d1e | 7812 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 7813 | } |
wolfSSL | 16:8e0d178b1d1e | 7814 | |
wolfSSL | 16:8e0d178b1d1e | 7815 | ipAddr = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 7816 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 16:8e0d178b1d1e | 7817 | if (ipAddr == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 7818 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 16:8e0d178b1d1e | 7819 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 7820 | } |
wolfSSL | 16:8e0d178b1d1e | 7821 | |
wolfSSL | 16:8e0d178b1d1e | 7822 | ipAddr->type = ASN_IP_TYPE; |
wolfSSL | 16:8e0d178b1d1e | 7823 | ipAddr->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 7824 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 16:8e0d178b1d1e | 7825 | if (ipAddr->name == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 7826 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 16:8e0d178b1d1e | 7827 | XFREE(ipAddr, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 16:8e0d178b1d1e | 7828 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 7829 | } |
wolfSSL | 16:8e0d178b1d1e | 7830 | ipAddr->len = strLen; |
wolfSSL | 16:8e0d178b1d1e | 7831 | XMEMCPY(ipAddr->name, &input[idx], strLen); |
wolfSSL | 16:8e0d178b1d1e | 7832 | ipAddr->name[strLen] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 7833 | |
wolfSSL | 16:8e0d178b1d1e | 7834 | ipAddr->next = cert->altNames; |
wolfSSL | 16:8e0d178b1d1e | 7835 | cert->altNames = ipAddr; |
wolfSSL | 16:8e0d178b1d1e | 7836 | |
wolfSSL | 16:8e0d178b1d1e | 7837 | length -= strLen; |
wolfSSL | 16:8e0d178b1d1e | 7838 | idx += strLen; |
wolfSSL | 16:8e0d178b1d1e | 7839 | } |
wolfSSL | 16:8e0d178b1d1e | 7840 | #endif /* WOLFSSL_QT || OPENSSL_ALL */ |
wolfSSL | 15:117db924cf7c | 7841 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 7842 | #ifdef WOLFSSL_SEP |
wolfSSL | 15:117db924cf7c | 7843 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) |
wolfSSL | 15:117db924cf7c | 7844 | { |
wolfSSL | 15:117db924cf7c | 7845 | int strLen; |
wolfSSL | 15:117db924cf7c | 7846 | word32 lenStartIdx = idx; |
wolfSSL | 15:117db924cf7c | 7847 | word32 oid = 0; |
wolfSSL | 15:117db924cf7c | 7848 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 7849 | byte tag; |
wolfSSL | 15:117db924cf7c | 7850 | |
wolfSSL | 15:117db924cf7c | 7851 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7852 | WOLFSSL_MSG("\tfail: other name length"); |
wolfSSL | 15:117db924cf7c | 7853 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7854 | } |
wolfSSL | 15:117db924cf7c | 7855 | /* Consume the rest of this sequence. */ |
wolfSSL | 15:117db924cf7c | 7856 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 15:117db924cf7c | 7857 | |
wolfSSL | 15:117db924cf7c | 7858 | if (GetObjectId(input, &idx, &oid, oidCertAltNameType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7859 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 15:117db924cf7c | 7860 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7861 | } |
wolfSSL | 15:117db924cf7c | 7862 | |
wolfSSL | 15:117db924cf7c | 7863 | if (oid != HW_NAME_OID) { |
wolfSSL | 15:117db924cf7c | 7864 | WOLFSSL_MSG("\tincorrect OID"); |
wolfSSL | 15:117db924cf7c | 7865 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7866 | } |
wolfSSL | 15:117db924cf7c | 7867 | |
wolfSSL | 16:8e0d178b1d1e | 7868 | if (GetASNTag(input, &idx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7869 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 7870 | } |
wolfSSL | 16:8e0d178b1d1e | 7871 | |
wolfSSL | 16:8e0d178b1d1e | 7872 | if (tag != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 15:117db924cf7c | 7873 | WOLFSSL_MSG("\twrong type"); |
wolfSSL | 15:117db924cf7c | 7874 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7875 | } |
wolfSSL | 15:117db924cf7c | 7876 | |
wolfSSL | 15:117db924cf7c | 7877 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7878 | WOLFSSL_MSG("\tfail: str len"); |
wolfSSL | 15:117db924cf7c | 7879 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7880 | } |
wolfSSL | 15:117db924cf7c | 7881 | |
wolfSSL | 15:117db924cf7c | 7882 | if (GetSequence(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7883 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 15:117db924cf7c | 7884 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7885 | } |
wolfSSL | 15:117db924cf7c | 7886 | |
wolfSSL | 15:117db924cf7c | 7887 | ret = GetASNObjectId(input, &idx, &strLen, sz); |
wolfSSL | 15:117db924cf7c | 7888 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 7889 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 15:117db924cf7c | 7890 | return ret; |
wolfSSL | 15:117db924cf7c | 7891 | } |
wolfSSL | 15:117db924cf7c | 7892 | |
wolfSSL | 15:117db924cf7c | 7893 | cert->hwType = (byte*)XMALLOC(strLen, cert->heap, |
wolfSSL | 15:117db924cf7c | 7894 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 7895 | if (cert->hwType == NULL) { |
wolfSSL | 15:117db924cf7c | 7896 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7897 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7898 | } |
wolfSSL | 15:117db924cf7c | 7899 | |
wolfSSL | 15:117db924cf7c | 7900 | XMEMCPY(cert->hwType, &input[idx], strLen); |
wolfSSL | 15:117db924cf7c | 7901 | cert->hwTypeSz = strLen; |
wolfSSL | 15:117db924cf7c | 7902 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7903 | |
wolfSSL | 15:117db924cf7c | 7904 | ret = GetOctetString(input, &idx, &strLen, sz); |
wolfSSL | 15:117db924cf7c | 7905 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 7906 | return ret; |
wolfSSL | 15:117db924cf7c | 7907 | |
wolfSSL | 15:117db924cf7c | 7908 | cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 7909 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 7910 | if (cert->hwSerialNum == NULL) { |
wolfSSL | 15:117db924cf7c | 7911 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 15:117db924cf7c | 7912 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7913 | } |
wolfSSL | 15:117db924cf7c | 7914 | |
wolfSSL | 15:117db924cf7c | 7915 | XMEMCPY(cert->hwSerialNum, &input[idx], strLen); |
wolfSSL | 15:117db924cf7c | 7916 | cert->hwSerialNum[strLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 7917 | cert->hwSerialNumSz = strLen; |
wolfSSL | 15:117db924cf7c | 7918 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7919 | } |
wolfSSL | 15:117db924cf7c | 7920 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 15:117db924cf7c | 7921 | else { |
wolfSSL | 15:117db924cf7c | 7922 | int strLen; |
wolfSSL | 15:117db924cf7c | 7923 | word32 lenStartIdx = idx; |
wolfSSL | 15:117db924cf7c | 7924 | |
wolfSSL | 15:117db924cf7c | 7925 | WOLFSSL_MSG("\tUnsupported name type, skipping"); |
wolfSSL | 15:117db924cf7c | 7926 | |
wolfSSL | 15:117db924cf7c | 7927 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7928 | WOLFSSL_MSG("\tfail: unsupported name length"); |
wolfSSL | 15:117db924cf7c | 7929 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7930 | } |
wolfSSL | 15:117db924cf7c | 7931 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 15:117db924cf7c | 7932 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 7933 | } |
wolfSSL | 15:117db924cf7c | 7934 | } |
wolfSSL | 15:117db924cf7c | 7935 | return 0; |
wolfSSL | 15:117db924cf7c | 7936 | } |
wolfSSL | 15:117db924cf7c | 7937 | |
wolfSSL | 16:8e0d178b1d1e | 7938 | static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 7939 | { |
wolfSSL | 15:117db924cf7c | 7940 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7941 | int length = 0; |
wolfSSL | 15:117db924cf7c | 7942 | int ret; |
wolfSSL | 15:117db924cf7c | 7943 | |
wolfSSL | 15:117db924cf7c | 7944 | WOLFSSL_ENTER("DecodeBasicCaConstraint"); |
wolfSSL | 15:117db924cf7c | 7945 | |
wolfSSL | 15:117db924cf7c | 7946 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 7947 | WOLFSSL_MSG("\tfail: bad SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 7948 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 7949 | } |
wolfSSL | 15:117db924cf7c | 7950 | |
wolfSSL | 15:117db924cf7c | 7951 | if (length == 0) |
wolfSSL | 15:117db924cf7c | 7952 | return 0; |
wolfSSL | 15:117db924cf7c | 7953 | |
wolfSSL | 15:117db924cf7c | 7954 | /* If the basic ca constraint is false, this extension may be named, but |
wolfSSL | 15:117db924cf7c | 7955 | * left empty. So, if the length is 0, just return. */ |
wolfSSL | 15:117db924cf7c | 7956 | |
wolfSSL | 15:117db924cf7c | 7957 | ret = GetBoolean(input, &idx, sz); |
wolfSSL | 16:8e0d178b1d1e | 7958 | |
wolfSSL | 16:8e0d178b1d1e | 7959 | #ifndef WOLFSSL_X509_BASICCONS_INT |
wolfSSL | 15:117db924cf7c | 7960 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 7961 | WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN"); |
wolfSSL | 15:117db924cf7c | 7962 | return ret; |
wolfSSL | 15:117db924cf7c | 7963 | } |
wolfSSL | 15:117db924cf7c | 7964 | |
wolfSSL | 15:117db924cf7c | 7965 | cert->isCA = (byte)ret; |
wolfSSL | 16:8e0d178b1d1e | 7966 | #else |
wolfSSL | 16:8e0d178b1d1e | 7967 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 7968 | if(input[idx] == ASN_INTEGER) { |
wolfSSL | 16:8e0d178b1d1e | 7969 | /* For OpenSSL compatibility, if ASN_INTEGER it is valid format */ |
wolfSSL | 16:8e0d178b1d1e | 7970 | cert->isCA = FALSE; |
wolfSSL | 16:8e0d178b1d1e | 7971 | } else return ret; |
wolfSSL | 16:8e0d178b1d1e | 7972 | } else |
wolfSSL | 16:8e0d178b1d1e | 7973 | cert->isCA = (byte)ret; |
wolfSSL | 16:8e0d178b1d1e | 7974 | #endif |
wolfSSL | 15:117db924cf7c | 7975 | |
wolfSSL | 15:117db924cf7c | 7976 | /* If there isn't any more data, return. */ |
wolfSSL | 16:8e0d178b1d1e | 7977 | if (idx >= (word32)sz) { |
wolfSSL | 15:117db924cf7c | 7978 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 7979 | } |
wolfSSL | 15:117db924cf7c | 7980 | |
wolfSSL | 15:117db924cf7c | 7981 | ret = GetInteger7Bit(input, &idx, sz); |
wolfSSL | 15:117db924cf7c | 7982 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 7983 | return ret; |
wolfSSL | 15:117db924cf7c | 7984 | cert->pathLength = (byte)ret; |
wolfSSL | 15:117db924cf7c | 7985 | cert->pathLengthSet = 1; |
wolfSSL | 15:117db924cf7c | 7986 | |
wolfSSL | 15:117db924cf7c | 7987 | return 0; |
wolfSSL | 15:117db924cf7c | 7988 | } |
wolfSSL | 15:117db924cf7c | 7989 | |
wolfSSL | 15:117db924cf7c | 7990 | |
wolfSSL | 15:117db924cf7c | 7991 | #define CRLDP_FULL_NAME 0 |
wolfSSL | 15:117db924cf7c | 7992 | /* From RFC3280 SS4.2.1.14, Distribution Point Name*/ |
wolfSSL | 15:117db924cf7c | 7993 | #define GENERALNAME_URI 6 |
wolfSSL | 15:117db924cf7c | 7994 | /* From RFC3280 SS4.2.1.7, GeneralName */ |
wolfSSL | 15:117db924cf7c | 7995 | |
wolfSSL | 16:8e0d178b1d1e | 7996 | static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 16:8e0d178b1d1e | 7997 | { |
wolfSSL | 16:8e0d178b1d1e | 7998 | word32 idx = 0, localIdx; |
wolfSSL | 15:117db924cf7c | 7999 | int length = 0; |
wolfSSL | 16:8e0d178b1d1e | 8000 | byte tag = 0; |
wolfSSL | 15:117db924cf7c | 8001 | |
wolfSSL | 15:117db924cf7c | 8002 | WOLFSSL_ENTER("DecodeCrlDist"); |
wolfSSL | 15:117db924cf7c | 8003 | |
wolfSSL | 15:117db924cf7c | 8004 | /* Unwrap the list of Distribution Points*/ |
wolfSSL | 15:117db924cf7c | 8005 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8006 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8007 | |
wolfSSL | 15:117db924cf7c | 8008 | /* Unwrap a single Distribution Point */ |
wolfSSL | 15:117db924cf7c | 8009 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8010 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8011 | |
wolfSSL | 15:117db924cf7c | 8012 | /* The Distribution Point has three explicit optional members |
wolfSSL | 15:117db924cf7c | 8013 | * First check for a DistributionPointName |
wolfSSL | 15:117db924cf7c | 8014 | */ |
wolfSSL | 16:8e0d178b1d1e | 8015 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8016 | if (GetASNTag(input, &localIdx, &tag, sz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 8017 | tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 15:117db924cf7c | 8018 | { |
wolfSSL | 15:117db924cf7c | 8019 | idx++; |
wolfSSL | 15:117db924cf7c | 8020 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8021 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8022 | |
wolfSSL | 16:8e0d178b1d1e | 8023 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8024 | if (GetASNTag(input, &localIdx, &tag, sz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 8025 | tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | |
wolfSSL | 16:8e0d178b1d1e | 8026 | CRLDP_FULL_NAME)) |
wolfSSL | 15:117db924cf7c | 8027 | { |
wolfSSL | 15:117db924cf7c | 8028 | idx++; |
wolfSSL | 15:117db924cf7c | 8029 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8030 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8031 | |
wolfSSL | 16:8e0d178b1d1e | 8032 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8033 | if (GetASNTag(input, &localIdx, &tag, sz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 8034 | tag == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) |
wolfSSL | 15:117db924cf7c | 8035 | { |
wolfSSL | 15:117db924cf7c | 8036 | idx++; |
wolfSSL | 15:117db924cf7c | 8037 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8038 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8039 | |
wolfSSL | 15:117db924cf7c | 8040 | cert->extCrlInfoSz = length; |
wolfSSL | 15:117db924cf7c | 8041 | cert->extCrlInfo = input + idx; |
wolfSSL | 15:117db924cf7c | 8042 | idx += length; |
wolfSSL | 15:117db924cf7c | 8043 | } |
wolfSSL | 15:117db924cf7c | 8044 | else |
wolfSSL | 15:117db924cf7c | 8045 | /* This isn't a URI, skip it. */ |
wolfSSL | 15:117db924cf7c | 8046 | idx += length; |
wolfSSL | 15:117db924cf7c | 8047 | } |
wolfSSL | 15:117db924cf7c | 8048 | else { |
wolfSSL | 15:117db924cf7c | 8049 | /* This isn't a FULLNAME, skip it. */ |
wolfSSL | 15:117db924cf7c | 8050 | idx += length; |
wolfSSL | 15:117db924cf7c | 8051 | } |
wolfSSL | 15:117db924cf7c | 8052 | } |
wolfSSL | 15:117db924cf7c | 8053 | |
wolfSSL | 15:117db924cf7c | 8054 | /* Check for reasonFlags */ |
wolfSSL | 16:8e0d178b1d1e | 8055 | localIdx = idx; |
wolfSSL | 15:117db924cf7c | 8056 | if (idx < (word32)sz && |
wolfSSL | 16:8e0d178b1d1e | 8057 | GetASNTag(input, &localIdx, &tag, sz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 8058 | tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 15:117db924cf7c | 8059 | { |
wolfSSL | 15:117db924cf7c | 8060 | idx++; |
wolfSSL | 15:117db924cf7c | 8061 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8062 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8063 | idx += length; |
wolfSSL | 15:117db924cf7c | 8064 | } |
wolfSSL | 15:117db924cf7c | 8065 | |
wolfSSL | 15:117db924cf7c | 8066 | /* Check for cRLIssuer */ |
wolfSSL | 16:8e0d178b1d1e | 8067 | localIdx = idx; |
wolfSSL | 15:117db924cf7c | 8068 | if (idx < (word32)sz && |
wolfSSL | 16:8e0d178b1d1e | 8069 | GetASNTag(input, &localIdx, &tag, sz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 8070 | tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2)) |
wolfSSL | 15:117db924cf7c | 8071 | { |
wolfSSL | 15:117db924cf7c | 8072 | idx++; |
wolfSSL | 15:117db924cf7c | 8073 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8074 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8075 | idx += length; |
wolfSSL | 15:117db924cf7c | 8076 | } |
wolfSSL | 15:117db924cf7c | 8077 | |
wolfSSL | 15:117db924cf7c | 8078 | if (idx < (word32)sz) |
wolfSSL | 15:117db924cf7c | 8079 | { |
wolfSSL | 15:117db924cf7c | 8080 | WOLFSSL_MSG("\tThere are more CRL Distribution Point records, " |
wolfSSL | 15:117db924cf7c | 8081 | "but we only use the first one."); |
wolfSSL | 15:117db924cf7c | 8082 | } |
wolfSSL | 15:117db924cf7c | 8083 | |
wolfSSL | 15:117db924cf7c | 8084 | return 0; |
wolfSSL | 15:117db924cf7c | 8085 | } |
wolfSSL | 15:117db924cf7c | 8086 | |
wolfSSL | 15:117db924cf7c | 8087 | |
wolfSSL | 16:8e0d178b1d1e | 8088 | static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8089 | /* |
wolfSSL | 16:8e0d178b1d1e | 8090 | * Read Authority Information Access records. If there are |
wolfSSL | 15:117db924cf7c | 8091 | * any issues, return without saving the record. |
wolfSSL | 15:117db924cf7c | 8092 | */ |
wolfSSL | 15:117db924cf7c | 8093 | { |
wolfSSL | 15:117db924cf7c | 8094 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8095 | int length = 0; |
wolfSSL | 16:8e0d178b1d1e | 8096 | int count = 0; |
wolfSSL | 16:8e0d178b1d1e | 8097 | byte b = 0; |
wolfSSL | 15:117db924cf7c | 8098 | word32 oid; |
wolfSSL | 15:117db924cf7c | 8099 | |
wolfSSL | 15:117db924cf7c | 8100 | WOLFSSL_ENTER("DecodeAuthInfo"); |
wolfSSL | 15:117db924cf7c | 8101 | |
wolfSSL | 15:117db924cf7c | 8102 | /* Unwrap the list of AIAs */ |
wolfSSL | 15:117db924cf7c | 8103 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8104 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8105 | |
wolfSSL | 16:8e0d178b1d1e | 8106 | while ((idx < (word32)sz) && (count < MAX_AIA_SZ)) { |
wolfSSL | 15:117db924cf7c | 8107 | /* Unwrap a single AIA */ |
wolfSSL | 15:117db924cf7c | 8108 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8109 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8110 | |
wolfSSL | 15:117db924cf7c | 8111 | oid = 0; |
wolfSSL | 15:117db924cf7c | 8112 | if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8113 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8114 | |
wolfSSL | 15:117db924cf7c | 8115 | /* Only supporting URIs right now. */ |
wolfSSL | 16:8e0d178b1d1e | 8116 | if (GetASNTag(input, &idx, &b, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 8117 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8118 | |
wolfSSL | 15:117db924cf7c | 8119 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 8120 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8121 | |
wolfSSL | 16:8e0d178b1d1e | 8122 | /* Set ocsp entry */ |
wolfSSL | 15:117db924cf7c | 8123 | if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) && |
wolfSSL | 15:117db924cf7c | 8124 | oid == AIA_OCSP_OID) |
wolfSSL | 15:117db924cf7c | 8125 | { |
wolfSSL | 15:117db924cf7c | 8126 | cert->extAuthInfoSz = length; |
wolfSSL | 15:117db924cf7c | 8127 | cert->extAuthInfo = input + idx; |
wolfSSL | 16:8e0d178b1d1e | 8128 | count++; |
wolfSSL | 16:8e0d178b1d1e | 8129 | #if !defined(OPENSSL_ALL) || !defined(WOLFSSL_QT) |
wolfSSL | 16:8e0d178b1d1e | 8130 | break; |
wolfSSL | 16:8e0d178b1d1e | 8131 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8132 | } |
wolfSSL | 16:8e0d178b1d1e | 8133 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) |
wolfSSL | 16:8e0d178b1d1e | 8134 | /* Set CaIssuers entry */ |
wolfSSL | 16:8e0d178b1d1e | 8135 | else if ((b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) && |
wolfSSL | 16:8e0d178b1d1e | 8136 | oid == AIA_CA_ISSUER_OID) |
wolfSSL | 16:8e0d178b1d1e | 8137 | { |
wolfSSL | 16:8e0d178b1d1e | 8138 | cert->extAuthInfoCaIssuerSz = length; |
wolfSSL | 16:8e0d178b1d1e | 8139 | cert->extAuthInfoCaIssuer = input + idx; |
wolfSSL | 16:8e0d178b1d1e | 8140 | count++; |
wolfSSL | 16:8e0d178b1d1e | 8141 | } |
wolfSSL | 16:8e0d178b1d1e | 8142 | #endif |
wolfSSL | 15:117db924cf7c | 8143 | idx += length; |
wolfSSL | 15:117db924cf7c | 8144 | } |
wolfSSL | 15:117db924cf7c | 8145 | |
wolfSSL | 15:117db924cf7c | 8146 | return 0; |
wolfSSL | 15:117db924cf7c | 8147 | } |
wolfSSL | 15:117db924cf7c | 8148 | |
wolfSSL | 15:117db924cf7c | 8149 | |
wolfSSL | 16:8e0d178b1d1e | 8150 | static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8151 | { |
wolfSSL | 15:117db924cf7c | 8152 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8153 | int length = 0, ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 8154 | byte tag; |
wolfSSL | 15:117db924cf7c | 8155 | |
wolfSSL | 15:117db924cf7c | 8156 | WOLFSSL_ENTER("DecodeAuthKeyId"); |
wolfSSL | 15:117db924cf7c | 8157 | |
wolfSSL | 15:117db924cf7c | 8158 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8159 | WOLFSSL_MSG("\tfail: should be a SEQUENCE\n"); |
wolfSSL | 15:117db924cf7c | 8160 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8161 | } |
wolfSSL | 15:117db924cf7c | 8162 | |
wolfSSL | 16:8e0d178b1d1e | 8163 | if (GetASNTag(input, &idx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 8164 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8165 | } |
wolfSSL | 16:8e0d178b1d1e | 8166 | |
wolfSSL | 16:8e0d178b1d1e | 8167 | if (tag != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 15:117db924cf7c | 8168 | WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n"); |
wolfSSL | 16:8e0d178b1d1e | 8169 | cert->extAuthKeyIdSet = 0; |
wolfSSL | 15:117db924cf7c | 8170 | return 0; |
wolfSSL | 15:117db924cf7c | 8171 | } |
wolfSSL | 15:117db924cf7c | 8172 | |
wolfSSL | 15:117db924cf7c | 8173 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 15:117db924cf7c | 8174 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 15:117db924cf7c | 8175 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8176 | } |
wolfSSL | 15:117db924cf7c | 8177 | |
wolfSSL | 15:117db924cf7c | 8178 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8179 | cert->extAuthKeyIdSrc = &input[idx]; |
wolfSSL | 15:117db924cf7c | 8180 | cert->extAuthKeyIdSz = length; |
wolfSSL | 15:117db924cf7c | 8181 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 8182 | |
wolfSSL | 15:117db924cf7c | 8183 | if (length == KEYID_SIZE) { |
wolfSSL | 15:117db924cf7c | 8184 | XMEMCPY(cert->extAuthKeyId, input + idx, length); |
wolfSSL | 15:117db924cf7c | 8185 | } |
wolfSSL | 16:8e0d178b1d1e | 8186 | else |
wolfSSL | 16:8e0d178b1d1e | 8187 | ret = CalcHashId(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 16:8e0d178b1d1e | 8188 | |
wolfSSL | 16:8e0d178b1d1e | 8189 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 8190 | } |
wolfSSL | 16:8e0d178b1d1e | 8191 | |
wolfSSL | 16:8e0d178b1d1e | 8192 | |
wolfSSL | 16:8e0d178b1d1e | 8193 | static int DecodeSubjKeyId(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8194 | { |
wolfSSL | 15:117db924cf7c | 8195 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8196 | int length = 0, ret = 0; |
wolfSSL | 15:117db924cf7c | 8197 | |
wolfSSL | 15:117db924cf7c | 8198 | WOLFSSL_ENTER("DecodeSubjKeyId"); |
wolfSSL | 15:117db924cf7c | 8199 | |
wolfSSL | 15:117db924cf7c | 8200 | if (sz <= 0) |
wolfSSL | 15:117db924cf7c | 8201 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8202 | |
wolfSSL | 15:117db924cf7c | 8203 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 15:117db924cf7c | 8204 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8205 | return ret; |
wolfSSL | 15:117db924cf7c | 8206 | |
wolfSSL | 15:117db924cf7c | 8207 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8208 | cert->extSubjKeyIdSrc = &input[idx]; |
wolfSSL | 15:117db924cf7c | 8209 | cert->extSubjKeyIdSz = length; |
wolfSSL | 15:117db924cf7c | 8210 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 15:117db924cf7c | 8211 | |
wolfSSL | 16:8e0d178b1d1e | 8212 | if (length == KEYID_SIZE) { |
wolfSSL | 15:117db924cf7c | 8213 | XMEMCPY(cert->extSubjKeyId, input + idx, length); |
wolfSSL | 15:117db924cf7c | 8214 | } |
wolfSSL | 16:8e0d178b1d1e | 8215 | else |
wolfSSL | 16:8e0d178b1d1e | 8216 | ret = CalcHashId(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 16:8e0d178b1d1e | 8217 | |
wolfSSL | 16:8e0d178b1d1e | 8218 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 8219 | } |
wolfSSL | 16:8e0d178b1d1e | 8220 | |
wolfSSL | 16:8e0d178b1d1e | 8221 | |
wolfSSL | 16:8e0d178b1d1e | 8222 | static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8223 | { |
wolfSSL | 15:117db924cf7c | 8224 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8225 | int length; |
wolfSSL | 15:117db924cf7c | 8226 | int ret; |
wolfSSL | 15:117db924cf7c | 8227 | WOLFSSL_ENTER("DecodeKeyUsage"); |
wolfSSL | 15:117db924cf7c | 8228 | |
wolfSSL | 15:117db924cf7c | 8229 | ret = CheckBitString(input, &idx, &length, sz, 0, NULL); |
wolfSSL | 15:117db924cf7c | 8230 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 8231 | return ret; |
wolfSSL | 15:117db924cf7c | 8232 | |
wolfSSL | 15:117db924cf7c | 8233 | cert->extKeyUsage = (word16)(input[idx]); |
wolfSSL | 15:117db924cf7c | 8234 | if (length == 2) |
wolfSSL | 15:117db924cf7c | 8235 | cert->extKeyUsage |= (word16)(input[idx+1] << 8); |
wolfSSL | 15:117db924cf7c | 8236 | |
wolfSSL | 15:117db924cf7c | 8237 | return 0; |
wolfSSL | 15:117db924cf7c | 8238 | } |
wolfSSL | 15:117db924cf7c | 8239 | |
wolfSSL | 15:117db924cf7c | 8240 | |
wolfSSL | 16:8e0d178b1d1e | 8241 | static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8242 | { |
wolfSSL | 15:117db924cf7c | 8243 | word32 idx = 0, oid; |
wolfSSL | 16:8e0d178b1d1e | 8244 | int length, ret; |
wolfSSL | 16:8e0d178b1d1e | 8245 | |
wolfSSL | 16:8e0d178b1d1e | 8246 | WOLFSSL_MSG("DecodeExtKeyUsage"); |
wolfSSL | 15:117db924cf7c | 8247 | |
wolfSSL | 15:117db924cf7c | 8248 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8249 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 8250 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8251 | } |
wolfSSL | 15:117db924cf7c | 8252 | |
wolfSSL | 15:117db924cf7c | 8253 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8254 | cert->extExtKeyUsageSrc = input + idx; |
wolfSSL | 15:117db924cf7c | 8255 | cert->extExtKeyUsageSz = length; |
wolfSSL | 15:117db924cf7c | 8256 | #endif |
wolfSSL | 15:117db924cf7c | 8257 | |
wolfSSL | 15:117db924cf7c | 8258 | while (idx < (word32)sz) { |
wolfSSL | 16:8e0d178b1d1e | 8259 | ret = GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz); |
wolfSSL | 16:8e0d178b1d1e | 8260 | if (ret == ASN_UNKNOWN_OID_E) |
wolfSSL | 16:8e0d178b1d1e | 8261 | continue; |
wolfSSL | 16:8e0d178b1d1e | 8262 | else if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 8263 | return ret; |
wolfSSL | 15:117db924cf7c | 8264 | |
wolfSSL | 15:117db924cf7c | 8265 | switch (oid) { |
wolfSSL | 15:117db924cf7c | 8266 | case EKU_ANY_OID: |
wolfSSL | 15:117db924cf7c | 8267 | cert->extExtKeyUsage |= EXTKEYUSE_ANY; |
wolfSSL | 15:117db924cf7c | 8268 | break; |
wolfSSL | 15:117db924cf7c | 8269 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 15:117db924cf7c | 8270 | cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH; |
wolfSSL | 15:117db924cf7c | 8271 | break; |
wolfSSL | 15:117db924cf7c | 8272 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 15:117db924cf7c | 8273 | cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH; |
wolfSSL | 15:117db924cf7c | 8274 | break; |
wolfSSL | 15:117db924cf7c | 8275 | case EKU_CODESIGNING_OID: |
wolfSSL | 15:117db924cf7c | 8276 | cert->extExtKeyUsage |= EXTKEYUSE_CODESIGN; |
wolfSSL | 15:117db924cf7c | 8277 | break; |
wolfSSL | 15:117db924cf7c | 8278 | case EKU_EMAILPROTECT_OID: |
wolfSSL | 15:117db924cf7c | 8279 | cert->extExtKeyUsage |= EXTKEYUSE_EMAILPROT; |
wolfSSL | 15:117db924cf7c | 8280 | break; |
wolfSSL | 15:117db924cf7c | 8281 | case EKU_TIMESTAMP_OID: |
wolfSSL | 15:117db924cf7c | 8282 | cert->extExtKeyUsage |= EXTKEYUSE_TIMESTAMP; |
wolfSSL | 15:117db924cf7c | 8283 | break; |
wolfSSL | 15:117db924cf7c | 8284 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 15:117db924cf7c | 8285 | cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; |
wolfSSL | 15:117db924cf7c | 8286 | break; |
wolfSSL | 15:117db924cf7c | 8287 | } |
wolfSSL | 15:117db924cf7c | 8288 | |
wolfSSL | 15:117db924cf7c | 8289 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8290 | cert->extExtKeyUsageCount++; |
wolfSSL | 15:117db924cf7c | 8291 | #endif |
wolfSSL | 15:117db924cf7c | 8292 | } |
wolfSSL | 15:117db924cf7c | 8293 | |
wolfSSL | 15:117db924cf7c | 8294 | return 0; |
wolfSSL | 15:117db924cf7c | 8295 | } |
wolfSSL | 15:117db924cf7c | 8296 | |
wolfSSL | 15:117db924cf7c | 8297 | |
wolfSSL | 15:117db924cf7c | 8298 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 8299 | #define ASN_TYPE_MASK 0xF |
wolfSSL | 16:8e0d178b1d1e | 8300 | static int DecodeSubtree(const byte* input, int sz, |
wolfSSL | 16:8e0d178b1d1e | 8301 | Base_entry** head, void* heap) |
wolfSSL | 15:117db924cf7c | 8302 | { |
wolfSSL | 15:117db924cf7c | 8303 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8304 | |
wolfSSL | 15:117db924cf7c | 8305 | (void)heap; |
wolfSSL | 15:117db924cf7c | 8306 | |
wolfSSL | 15:117db924cf7c | 8307 | while (idx < (word32)sz) { |
wolfSSL | 15:117db924cf7c | 8308 | int seqLength, strLength; |
wolfSSL | 15:117db924cf7c | 8309 | word32 nameIdx; |
wolfSSL | 15:117db924cf7c | 8310 | byte b, bType; |
wolfSSL | 15:117db924cf7c | 8311 | |
wolfSSL | 15:117db924cf7c | 8312 | if (GetSequence(input, &idx, &seqLength, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8313 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 8314 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8315 | } |
wolfSSL | 15:117db924cf7c | 8316 | nameIdx = idx; |
wolfSSL | 15:117db924cf7c | 8317 | b = input[nameIdx++]; |
wolfSSL | 15:117db924cf7c | 8318 | |
wolfSSL | 15:117db924cf7c | 8319 | if (GetLength(input, &nameIdx, &strLength, sz) <= 0) { |
wolfSSL | 15:117db924cf7c | 8320 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 15:117db924cf7c | 8321 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8322 | } |
wolfSSL | 15:117db924cf7c | 8323 | |
wolfSSL | 15:117db924cf7c | 8324 | /* Get type, LSB 4-bits */ |
wolfSSL | 15:117db924cf7c | 8325 | bType = (b & ASN_TYPE_MASK); |
wolfSSL | 15:117db924cf7c | 8326 | |
wolfSSL | 15:117db924cf7c | 8327 | if (bType == ASN_DNS_TYPE || bType == ASN_RFC822_TYPE || |
wolfSSL | 15:117db924cf7c | 8328 | bType == ASN_DIR_TYPE) { |
wolfSSL | 15:117db924cf7c | 8329 | Base_entry* entry; |
wolfSSL | 15:117db924cf7c | 8330 | |
wolfSSL | 15:117db924cf7c | 8331 | /* if constructed has leading sequence */ |
wolfSSL | 15:117db924cf7c | 8332 | if (b & ASN_CONSTRUCTED) { |
wolfSSL | 15:117db924cf7c | 8333 | if (GetSequence(input, &nameIdx, &strLength, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8334 | WOLFSSL_MSG("\tfail: constructed be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 8335 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8336 | } |
wolfSSL | 15:117db924cf7c | 8337 | } |
wolfSSL | 15:117db924cf7c | 8338 | |
wolfSSL | 15:117db924cf7c | 8339 | entry = (Base_entry*)XMALLOC(sizeof(Base_entry), heap, |
wolfSSL | 15:117db924cf7c | 8340 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 8341 | if (entry == NULL) { |
wolfSSL | 15:117db924cf7c | 8342 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 15:117db924cf7c | 8343 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8344 | } |
wolfSSL | 15:117db924cf7c | 8345 | |
wolfSSL | 15:117db924cf7c | 8346 | entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 8347 | if (entry->name == NULL) { |
wolfSSL | 15:117db924cf7c | 8348 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 15:117db924cf7c | 8349 | XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 15:117db924cf7c | 8350 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8351 | } |
wolfSSL | 15:117db924cf7c | 8352 | |
wolfSSL | 15:117db924cf7c | 8353 | XMEMCPY(entry->name, &input[nameIdx], strLength); |
wolfSSL | 15:117db924cf7c | 8354 | entry->nameSz = strLength; |
wolfSSL | 15:117db924cf7c | 8355 | entry->type = bType; |
wolfSSL | 15:117db924cf7c | 8356 | |
wolfSSL | 15:117db924cf7c | 8357 | entry->next = *head; |
wolfSSL | 15:117db924cf7c | 8358 | *head = entry; |
wolfSSL | 15:117db924cf7c | 8359 | } |
wolfSSL | 15:117db924cf7c | 8360 | |
wolfSSL | 15:117db924cf7c | 8361 | idx += seqLength; |
wolfSSL | 15:117db924cf7c | 8362 | } |
wolfSSL | 15:117db924cf7c | 8363 | |
wolfSSL | 15:117db924cf7c | 8364 | return 0; |
wolfSSL | 15:117db924cf7c | 8365 | } |
wolfSSL | 15:117db924cf7c | 8366 | |
wolfSSL | 15:117db924cf7c | 8367 | |
wolfSSL | 16:8e0d178b1d1e | 8368 | static int DecodeNameConstraints(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8369 | { |
wolfSSL | 15:117db924cf7c | 8370 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8371 | int length = 0; |
wolfSSL | 15:117db924cf7c | 8372 | |
wolfSSL | 15:117db924cf7c | 8373 | WOLFSSL_ENTER("DecodeNameConstraints"); |
wolfSSL | 15:117db924cf7c | 8374 | |
wolfSSL | 15:117db924cf7c | 8375 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8376 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 8377 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8378 | } |
wolfSSL | 15:117db924cf7c | 8379 | |
wolfSSL | 15:117db924cf7c | 8380 | while (idx < (word32)sz) { |
wolfSSL | 15:117db924cf7c | 8381 | byte b = input[idx++]; |
wolfSSL | 15:117db924cf7c | 8382 | Base_entry** subtree = NULL; |
wolfSSL | 15:117db924cf7c | 8383 | |
wolfSSL | 15:117db924cf7c | 8384 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 15:117db924cf7c | 8385 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 15:117db924cf7c | 8386 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8387 | } |
wolfSSL | 15:117db924cf7c | 8388 | |
wolfSSL | 15:117db924cf7c | 8389 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) |
wolfSSL | 15:117db924cf7c | 8390 | subtree = &cert->permittedNames; |
wolfSSL | 15:117db924cf7c | 8391 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) |
wolfSSL | 15:117db924cf7c | 8392 | subtree = &cert->excludedNames; |
wolfSSL | 15:117db924cf7c | 8393 | else { |
wolfSSL | 15:117db924cf7c | 8394 | WOLFSSL_MSG("\tinvalid subtree"); |
wolfSSL | 15:117db924cf7c | 8395 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8396 | } |
wolfSSL | 15:117db924cf7c | 8397 | |
wolfSSL | 15:117db924cf7c | 8398 | DecodeSubtree(input + idx, length, subtree, cert->heap); |
wolfSSL | 15:117db924cf7c | 8399 | |
wolfSSL | 15:117db924cf7c | 8400 | idx += length; |
wolfSSL | 15:117db924cf7c | 8401 | } |
wolfSSL | 15:117db924cf7c | 8402 | |
wolfSSL | 15:117db924cf7c | 8403 | return 0; |
wolfSSL | 15:117db924cf7c | 8404 | } |
wolfSSL | 15:117db924cf7c | 8405 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 8406 | |
wolfSSL | 15:117db924cf7c | 8407 | #if (defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)) || defined(OPENSSL_EXTRA) |
wolfSSL | 15:117db924cf7c | 8408 | |
wolfSSL | 15:117db924cf7c | 8409 | /* Decode ITU-T X.690 OID format to a string representation |
wolfSSL | 15:117db924cf7c | 8410 | * return string length */ |
wolfSSL | 16:8e0d178b1d1e | 8411 | int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz) |
wolfSSL | 16:8e0d178b1d1e | 8412 | { |
wolfSSL | 16:8e0d178b1d1e | 8413 | word32 val, inIdx = 0, outIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8414 | int w = 0; |
wolfSSL | 15:117db924cf7c | 8415 | |
wolfSSL | 15:117db924cf7c | 8416 | if (out == NULL || in == NULL || outSz < 4 || inSz < 2) |
wolfSSL | 15:117db924cf7c | 8417 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8418 | |
wolfSSL | 16:8e0d178b1d1e | 8419 | /* The first byte expands into b/40 dot b%40. */ |
wolfSSL | 16:8e0d178b1d1e | 8420 | val = in[inIdx++]; |
wolfSSL | 16:8e0d178b1d1e | 8421 | |
wolfSSL | 16:8e0d178b1d1e | 8422 | w = XSNPRINTF(out, outSz, "%u.%u", val / 40, val % 40); |
wolfSSL | 16:8e0d178b1d1e | 8423 | if (w < 0) |
wolfSSL | 16:8e0d178b1d1e | 8424 | goto exit; |
wolfSSL | 16:8e0d178b1d1e | 8425 | outIdx += w; |
wolfSSL | 16:8e0d178b1d1e | 8426 | val = 0; |
wolfSSL | 16:8e0d178b1d1e | 8427 | |
wolfSSL | 16:8e0d178b1d1e | 8428 | while (inIdx < inSz && outIdx < outSz) { |
wolfSSL | 16:8e0d178b1d1e | 8429 | /* extract the next OID digit from in to val */ |
wolfSSL | 15:117db924cf7c | 8430 | /* first bit is used to set if value is coded on 1 or multiple bytes */ |
wolfSSL | 16:8e0d178b1d1e | 8431 | if (in[inIdx] & 0x80) { |
wolfSSL | 16:8e0d178b1d1e | 8432 | val += in[inIdx] & 0x7F; |
wolfSSL | 16:8e0d178b1d1e | 8433 | val *= 128; |
wolfSSL | 16:8e0d178b1d1e | 8434 | } |
wolfSSL | 15:117db924cf7c | 8435 | else { |
wolfSSL | 16:8e0d178b1d1e | 8436 | /* write val as text into out */ |
wolfSSL | 16:8e0d178b1d1e | 8437 | val += in[inIdx]; |
wolfSSL | 16:8e0d178b1d1e | 8438 | w = XSNPRINTF(out + outIdx, outSz - outIdx, ".%u", val); |
wolfSSL | 16:8e0d178b1d1e | 8439 | if (w < 0) |
wolfSSL | 16:8e0d178b1d1e | 8440 | goto exit; |
wolfSSL | 16:8e0d178b1d1e | 8441 | outIdx += w; |
wolfSSL | 16:8e0d178b1d1e | 8442 | val = 0; |
wolfSSL | 16:8e0d178b1d1e | 8443 | } |
wolfSSL | 16:8e0d178b1d1e | 8444 | inIdx++; |
wolfSSL | 16:8e0d178b1d1e | 8445 | } |
wolfSSL | 16:8e0d178b1d1e | 8446 | if (outIdx == outSz) |
wolfSSL | 16:8e0d178b1d1e | 8447 | outIdx--; |
wolfSSL | 16:8e0d178b1d1e | 8448 | out[outIdx] = 0; |
wolfSSL | 16:8e0d178b1d1e | 8449 | |
wolfSSL | 16:8e0d178b1d1e | 8450 | w = (int)outIdx; |
wolfSSL | 16:8e0d178b1d1e | 8451 | |
wolfSSL | 16:8e0d178b1d1e | 8452 | exit: |
wolfSSL | 16:8e0d178b1d1e | 8453 | return w; |
wolfSSL | 15:117db924cf7c | 8454 | } |
wolfSSL | 15:117db924cf7c | 8455 | #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */ |
wolfSSL | 15:117db924cf7c | 8456 | |
wolfSSL | 16:8e0d178b1d1e | 8457 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_QT) |
wolfSSL | 15:117db924cf7c | 8458 | /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */ |
wolfSSL | 16:8e0d178b1d1e | 8459 | static int DecodeCertPolicy(const byte* input, int sz, DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8460 | { |
wolfSSL | 15:117db924cf7c | 8461 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8462 | word32 oldIdx; |
wolfSSL | 15:117db924cf7c | 8463 | int ret; |
wolfSSL | 15:117db924cf7c | 8464 | int total_length = 0, policy_length = 0, length = 0; |
wolfSSL | 15:117db924cf7c | 8465 | #if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \ |
wolfSSL | 15:117db924cf7c | 8466 | !defined(WOLFSSL_DUP_CERTPOL) |
wolfSSL | 15:117db924cf7c | 8467 | int i; |
wolfSSL | 15:117db924cf7c | 8468 | #endif |
wolfSSL | 15:117db924cf7c | 8469 | |
wolfSSL | 15:117db924cf7c | 8470 | WOLFSSL_ENTER("DecodeCertPolicy"); |
wolfSSL | 16:8e0d178b1d1e | 8471 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 16:8e0d178b1d1e | 8472 | /* Check if cert is null before dereferencing below */ |
wolfSSL | 16:8e0d178b1d1e | 8473 | if (cert == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8474 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 8475 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8476 | |
wolfSSL | 16:8e0d178b1d1e | 8477 | #if defined(WOLFSSL_CERT_EXT) |
wolfSSL | 16:8e0d178b1d1e | 8478 | cert->extCertPoliciesNb = 0; |
wolfSSL | 16:8e0d178b1d1e | 8479 | #endif |
wolfSSL | 15:117db924cf7c | 8480 | |
wolfSSL | 15:117db924cf7c | 8481 | if (GetSequence(input, &idx, &total_length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8482 | WOLFSSL_MSG("\tGet CertPolicy total seq failed"); |
wolfSSL | 15:117db924cf7c | 8483 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8484 | } |
wolfSSL | 15:117db924cf7c | 8485 | |
wolfSSL | 15:117db924cf7c | 8486 | /* Validate total length */ |
wolfSSL | 15:117db924cf7c | 8487 | if (total_length > (sz - (int)idx)) { |
wolfSSL | 15:117db924cf7c | 8488 | WOLFSSL_MSG("\tCertPolicy length mismatch"); |
wolfSSL | 15:117db924cf7c | 8489 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8490 | } |
wolfSSL | 15:117db924cf7c | 8491 | |
wolfSSL | 15:117db924cf7c | 8492 | /* Unwrap certificatePolicies */ |
wolfSSL | 15:117db924cf7c | 8493 | do { |
wolfSSL | 15:117db924cf7c | 8494 | if (GetSequence(input, &idx, &policy_length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8495 | WOLFSSL_MSG("\tGet CertPolicy seq failed"); |
wolfSSL | 15:117db924cf7c | 8496 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8497 | } |
wolfSSL | 15:117db924cf7c | 8498 | |
wolfSSL | 15:117db924cf7c | 8499 | oldIdx = idx; |
wolfSSL | 15:117db924cf7c | 8500 | ret = GetASNObjectId(input, &idx, &length, sz); |
wolfSSL | 15:117db924cf7c | 8501 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 8502 | return ret; |
wolfSSL | 15:117db924cf7c | 8503 | policy_length -= idx - oldIdx; |
wolfSSL | 15:117db924cf7c | 8504 | |
wolfSSL | 15:117db924cf7c | 8505 | if (length > 0) { |
wolfSSL | 15:117db924cf7c | 8506 | /* Verify length won't overrun buffer */ |
wolfSSL | 15:117db924cf7c | 8507 | if (length > (sz - (int)idx)) { |
wolfSSL | 15:117db924cf7c | 8508 | WOLFSSL_MSG("\tCertPolicy length exceeds input buffer"); |
wolfSSL | 15:117db924cf7c | 8509 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8510 | } |
wolfSSL | 15:117db924cf7c | 8511 | |
wolfSSL | 15:117db924cf7c | 8512 | #if defined(WOLFSSL_SEP) |
wolfSSL | 15:117db924cf7c | 8513 | cert->deviceType = (byte*)XMALLOC(length, cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 8514 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 15:117db924cf7c | 8515 | if (cert->deviceType == NULL) { |
wolfSSL | 15:117db924cf7c | 8516 | WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); |
wolfSSL | 15:117db924cf7c | 8517 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8518 | } |
wolfSSL | 15:117db924cf7c | 8519 | cert->deviceTypeSz = length; |
wolfSSL | 15:117db924cf7c | 8520 | XMEMCPY(cert->deviceType, input + idx, length); |
wolfSSL | 15:117db924cf7c | 8521 | break; |
wolfSSL | 15:117db924cf7c | 8522 | #elif defined(WOLFSSL_CERT_EXT) |
wolfSSL | 15:117db924cf7c | 8523 | /* decode cert policy */ |
wolfSSL | 16:8e0d178b1d1e | 8524 | if (DecodePolicyOID(cert->extCertPolicies[ |
wolfSSL | 16:8e0d178b1d1e | 8525 | cert->extCertPoliciesNb], MAX_CERTPOL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 8526 | input + idx, length) <= 0) { |
wolfSSL | 15:117db924cf7c | 8527 | WOLFSSL_MSG("\tCouldn't decode CertPolicy"); |
wolfSSL | 15:117db924cf7c | 8528 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8529 | } |
wolfSSL | 15:117db924cf7c | 8530 | #ifndef WOLFSSL_DUP_CERTPOL |
wolfSSL | 15:117db924cf7c | 8531 | /* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST |
wolfSSL | 15:117db924cf7c | 8532 | * NOT appear more than once in a certificate policies |
wolfSSL | 15:117db924cf7c | 8533 | * extension". This is a sanity check for duplicates. |
wolfSSL | 15:117db924cf7c | 8534 | * extCertPolicies should only have OID values, additional |
wolfSSL | 16:8e0d178b1d1e | 8535 | * qualifiers need to be stored in a separate array. */ |
wolfSSL | 15:117db924cf7c | 8536 | for (i = 0; i < cert->extCertPoliciesNb; i++) { |
wolfSSL | 15:117db924cf7c | 8537 | if (XMEMCMP(cert->extCertPolicies[i], |
wolfSSL | 15:117db924cf7c | 8538 | cert->extCertPolicies[cert->extCertPoliciesNb], |
wolfSSL | 15:117db924cf7c | 8539 | MAX_CERTPOL_SZ) == 0) { |
wolfSSL | 15:117db924cf7c | 8540 | WOLFSSL_MSG("Duplicate policy OIDs not allowed"); |
wolfSSL | 15:117db924cf7c | 8541 | WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted"); |
wolfSSL | 15:117db924cf7c | 8542 | return CERTPOLICIES_E; |
wolfSSL | 15:117db924cf7c | 8543 | } |
wolfSSL | 15:117db924cf7c | 8544 | } |
wolfSSL | 15:117db924cf7c | 8545 | #endif /* !WOLFSSL_DUP_CERTPOL */ |
wolfSSL | 15:117db924cf7c | 8546 | cert->extCertPoliciesNb++; |
wolfSSL | 15:117db924cf7c | 8547 | #else |
wolfSSL | 15:117db924cf7c | 8548 | WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0); |
wolfSSL | 15:117db924cf7c | 8549 | return 0; |
wolfSSL | 15:117db924cf7c | 8550 | #endif |
wolfSSL | 15:117db924cf7c | 8551 | } |
wolfSSL | 15:117db924cf7c | 8552 | idx += policy_length; |
wolfSSL | 15:117db924cf7c | 8553 | } while((int)idx < total_length |
wolfSSL | 15:117db924cf7c | 8554 | #if defined(WOLFSSL_CERT_EXT) |
wolfSSL | 15:117db924cf7c | 8555 | && cert->extCertPoliciesNb < MAX_CERTPOL_NB |
wolfSSL | 15:117db924cf7c | 8556 | #endif |
wolfSSL | 15:117db924cf7c | 8557 | ); |
wolfSSL | 15:117db924cf7c | 8558 | |
wolfSSL | 15:117db924cf7c | 8559 | WOLFSSL_LEAVE("DecodeCertPolicy", 0); |
wolfSSL | 15:117db924cf7c | 8560 | return 0; |
wolfSSL | 15:117db924cf7c | 8561 | } |
wolfSSL | 15:117db924cf7c | 8562 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 15:117db924cf7c | 8563 | |
wolfSSL | 15:117db924cf7c | 8564 | /* Macro to check if bit is set, if not sets and return success. |
wolfSSL | 15:117db924cf7c | 8565 | Otherwise returns failure */ |
wolfSSL | 15:117db924cf7c | 8566 | /* Macro required here because bit-field operation */ |
wolfSSL | 15:117db924cf7c | 8567 | #ifndef WOLFSSL_NO_ASN_STRICT |
wolfSSL | 15:117db924cf7c | 8568 | #define VERIFY_AND_SET_OID(bit) \ |
wolfSSL | 15:117db924cf7c | 8569 | if (bit == 0) \ |
wolfSSL | 15:117db924cf7c | 8570 | bit = 1; \ |
wolfSSL | 15:117db924cf7c | 8571 | else \ |
wolfSSL | 15:117db924cf7c | 8572 | return ASN_OBJECT_ID_E; |
wolfSSL | 15:117db924cf7c | 8573 | #else |
wolfSSL | 15:117db924cf7c | 8574 | /* With no strict defined, the verify is skipped */ |
wolfSSL | 15:117db924cf7c | 8575 | #define VERIFY_AND_SET_OID(bit) bit = 1; |
wolfSSL | 15:117db924cf7c | 8576 | #endif |
wolfSSL | 15:117db924cf7c | 8577 | |
wolfSSL | 15:117db924cf7c | 8578 | static int DecodeCertExtensions(DecodedCert* cert) |
wolfSSL | 15:117db924cf7c | 8579 | /* |
wolfSSL | 15:117db924cf7c | 8580 | * Processing the Certificate Extensions. This does not modify the current |
wolfSSL | 15:117db924cf7c | 8581 | * index. It is works starting with the recorded extensions pointer. |
wolfSSL | 15:117db924cf7c | 8582 | */ |
wolfSSL | 15:117db924cf7c | 8583 | { |
wolfSSL | 15:117db924cf7c | 8584 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 8585 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 8586 | int sz = cert->extensionsSz; |
wolfSSL | 16:8e0d178b1d1e | 8587 | const byte* input = cert->extensions; |
wolfSSL | 15:117db924cf7c | 8588 | int length; |
wolfSSL | 15:117db924cf7c | 8589 | word32 oid; |
wolfSSL | 15:117db924cf7c | 8590 | byte critical = 0; |
wolfSSL | 15:117db924cf7c | 8591 | byte criticalFail = 0; |
wolfSSL | 16:8e0d178b1d1e | 8592 | byte tag = 0; |
wolfSSL | 15:117db924cf7c | 8593 | |
wolfSSL | 15:117db924cf7c | 8594 | WOLFSSL_ENTER("DecodeCertExtensions"); |
wolfSSL | 15:117db924cf7c | 8595 | |
wolfSSL | 15:117db924cf7c | 8596 | if (input == NULL || sz == 0) |
wolfSSL | 15:117db924cf7c | 8597 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8598 | |
wolfSSL | 16:8e0d178b1d1e | 8599 | if (GetASNTag(input, &idx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 8600 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8601 | } |
wolfSSL | 16:8e0d178b1d1e | 8602 | |
wolfSSL | 16:8e0d178b1d1e | 8603 | if (tag != ASN_EXTENSIONS) { |
wolfSSL | 15:117db924cf7c | 8604 | WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); |
wolfSSL | 15:117db924cf7c | 8605 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8606 | } |
wolfSSL | 15:117db924cf7c | 8607 | |
wolfSSL | 15:117db924cf7c | 8608 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8609 | WOLFSSL_MSG("\tfail: invalid length"); |
wolfSSL | 15:117db924cf7c | 8610 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8611 | } |
wolfSSL | 15:117db924cf7c | 8612 | |
wolfSSL | 15:117db924cf7c | 8613 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8614 | WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); |
wolfSSL | 15:117db924cf7c | 8615 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8616 | } |
wolfSSL | 15:117db924cf7c | 8617 | |
wolfSSL | 15:117db924cf7c | 8618 | while (idx < (word32)sz) { |
wolfSSL | 16:8e0d178b1d1e | 8619 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 8620 | |
wolfSSL | 15:117db924cf7c | 8621 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 8622 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 8623 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8624 | } |
wolfSSL | 15:117db924cf7c | 8625 | |
wolfSSL | 15:117db924cf7c | 8626 | oid = 0; |
wolfSSL | 15:117db924cf7c | 8627 | if ((ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz)) < 0) { |
wolfSSL | 15:117db924cf7c | 8628 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 15:117db924cf7c | 8629 | return ret; |
wolfSSL | 15:117db924cf7c | 8630 | } |
wolfSSL | 15:117db924cf7c | 8631 | |
wolfSSL | 15:117db924cf7c | 8632 | /* check for critical flag */ |
wolfSSL | 15:117db924cf7c | 8633 | critical = 0; |
wolfSSL | 16:8e0d178b1d1e | 8634 | if ((idx + 1) > (word32)sz) { |
wolfSSL | 16:8e0d178b1d1e | 8635 | WOLFSSL_MSG("\tfail: malformed buffer"); |
wolfSSL | 16:8e0d178b1d1e | 8636 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 8637 | } |
wolfSSL | 16:8e0d178b1d1e | 8638 | |
wolfSSL | 16:8e0d178b1d1e | 8639 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8640 | if (GetASNTag(input, &localIdx, &tag, sz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8641 | if (tag == ASN_BOOLEAN) { |
wolfSSL | 16:8e0d178b1d1e | 8642 | ret = GetBoolean(input, &idx, sz); |
wolfSSL | 16:8e0d178b1d1e | 8643 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 8644 | WOLFSSL_MSG("\tfail: critical boolean"); |
wolfSSL | 16:8e0d178b1d1e | 8645 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 8646 | } |
wolfSSL | 16:8e0d178b1d1e | 8647 | |
wolfSSL | 16:8e0d178b1d1e | 8648 | critical = (byte)ret; |
wolfSSL | 16:8e0d178b1d1e | 8649 | } |
wolfSSL | 15:117db924cf7c | 8650 | } |
wolfSSL | 15:117db924cf7c | 8651 | |
wolfSSL | 15:117db924cf7c | 8652 | /* process the extension based on the OID */ |
wolfSSL | 15:117db924cf7c | 8653 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 15:117db924cf7c | 8654 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 8655 | WOLFSSL_MSG("\tfail: bad OCTET STRING"); |
wolfSSL | 15:117db924cf7c | 8656 | return ret; |
wolfSSL | 15:117db924cf7c | 8657 | } |
wolfSSL | 15:117db924cf7c | 8658 | |
wolfSSL | 15:117db924cf7c | 8659 | switch (oid) { |
wolfSSL | 15:117db924cf7c | 8660 | case BASIC_CA_OID: |
wolfSSL | 15:117db924cf7c | 8661 | VERIFY_AND_SET_OID(cert->extBasicConstSet); |
wolfSSL | 15:117db924cf7c | 8662 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8663 | cert->extBasicConstCrit = critical; |
wolfSSL | 15:117db924cf7c | 8664 | #endif |
wolfSSL | 15:117db924cf7c | 8665 | if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8666 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8667 | break; |
wolfSSL | 15:117db924cf7c | 8668 | |
wolfSSL | 15:117db924cf7c | 8669 | case CRL_DIST_OID: |
wolfSSL | 15:117db924cf7c | 8670 | VERIFY_AND_SET_OID(cert->extCRLdistSet); |
wolfSSL | 15:117db924cf7c | 8671 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8672 | cert->extCRLdistCrit = critical; |
wolfSSL | 15:117db924cf7c | 8673 | #endif |
wolfSSL | 15:117db924cf7c | 8674 | if (DecodeCrlDist(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8675 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8676 | break; |
wolfSSL | 15:117db924cf7c | 8677 | |
wolfSSL | 15:117db924cf7c | 8678 | case AUTH_INFO_OID: |
wolfSSL | 15:117db924cf7c | 8679 | VERIFY_AND_SET_OID(cert->extAuthInfoSet); |
wolfSSL | 15:117db924cf7c | 8680 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8681 | cert->extAuthInfoCrit = critical; |
wolfSSL | 15:117db924cf7c | 8682 | #endif |
wolfSSL | 15:117db924cf7c | 8683 | if (DecodeAuthInfo(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8684 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8685 | break; |
wolfSSL | 15:117db924cf7c | 8686 | |
wolfSSL | 15:117db924cf7c | 8687 | case ALT_NAMES_OID: |
wolfSSL | 15:117db924cf7c | 8688 | VERIFY_AND_SET_OID(cert->extSubjAltNameSet); |
wolfSSL | 15:117db924cf7c | 8689 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8690 | cert->extSubjAltNameCrit = critical; |
wolfSSL | 15:117db924cf7c | 8691 | #endif |
wolfSSL | 15:117db924cf7c | 8692 | ret = DecodeAltNames(&input[idx], length, cert); |
wolfSSL | 15:117db924cf7c | 8693 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8694 | return ret; |
wolfSSL | 15:117db924cf7c | 8695 | break; |
wolfSSL | 15:117db924cf7c | 8696 | |
wolfSSL | 15:117db924cf7c | 8697 | case AUTH_KEY_OID: |
wolfSSL | 15:117db924cf7c | 8698 | VERIFY_AND_SET_OID(cert->extAuthKeyIdSet); |
wolfSSL | 15:117db924cf7c | 8699 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8700 | cert->extAuthKeyIdCrit = critical; |
wolfSSL | 15:117db924cf7c | 8701 | #endif |
wolfSSL | 15:117db924cf7c | 8702 | #ifndef WOLFSSL_ALLOW_CRIT_SKID |
wolfSSL | 15:117db924cf7c | 8703 | /* This check is added due to RFC 5280 section 4.2.1.1 |
wolfSSL | 15:117db924cf7c | 8704 | * stating that conforming CA's must mark this extension |
wolfSSL | 15:117db924cf7c | 8705 | * as non-critical. When parsing extensions check that |
wolfSSL | 15:117db924cf7c | 8706 | * certificate was made in compliance with this. */ |
wolfSSL | 15:117db924cf7c | 8707 | if (critical) { |
wolfSSL | 15:117db924cf7c | 8708 | WOLFSSL_MSG("Critical Auth Key ID is not allowed"); |
wolfSSL | 15:117db924cf7c | 8709 | WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted"); |
wolfSSL | 15:117db924cf7c | 8710 | return ASN_CRIT_EXT_E; |
wolfSSL | 15:117db924cf7c | 8711 | } |
wolfSSL | 15:117db924cf7c | 8712 | #endif |
wolfSSL | 15:117db924cf7c | 8713 | if (DecodeAuthKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8714 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8715 | break; |
wolfSSL | 15:117db924cf7c | 8716 | |
wolfSSL | 15:117db924cf7c | 8717 | case SUBJ_KEY_OID: |
wolfSSL | 15:117db924cf7c | 8718 | VERIFY_AND_SET_OID(cert->extSubjKeyIdSet); |
wolfSSL | 15:117db924cf7c | 8719 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8720 | cert->extSubjKeyIdCrit = critical; |
wolfSSL | 15:117db924cf7c | 8721 | #endif |
wolfSSL | 15:117db924cf7c | 8722 | #ifndef WOLFSSL_ALLOW_CRIT_SKID |
wolfSSL | 15:117db924cf7c | 8723 | /* This check is added due to RFC 5280 section 4.2.1.2 |
wolfSSL | 15:117db924cf7c | 8724 | * stating that conforming CA's must mark this extension |
wolfSSL | 15:117db924cf7c | 8725 | * as non-critical. When parsing extensions check that |
wolfSSL | 15:117db924cf7c | 8726 | * certificate was made in compliance with this. */ |
wolfSSL | 15:117db924cf7c | 8727 | if (critical) { |
wolfSSL | 15:117db924cf7c | 8728 | WOLFSSL_MSG("Critical Subject Key ID is not allowed"); |
wolfSSL | 15:117db924cf7c | 8729 | WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted"); |
wolfSSL | 15:117db924cf7c | 8730 | return ASN_CRIT_EXT_E; |
wolfSSL | 15:117db924cf7c | 8731 | } |
wolfSSL | 15:117db924cf7c | 8732 | #endif |
wolfSSL | 15:117db924cf7c | 8733 | |
wolfSSL | 15:117db924cf7c | 8734 | if (DecodeSubjKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8735 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8736 | break; |
wolfSSL | 15:117db924cf7c | 8737 | |
wolfSSL | 15:117db924cf7c | 8738 | case CERT_POLICY_OID: |
wolfSSL | 16:8e0d178b1d1e | 8739 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) |
wolfSSL | 15:117db924cf7c | 8740 | VERIFY_AND_SET_OID(cert->extCertPolicySet); |
wolfSSL | 15:117db924cf7c | 8741 | #if defined(OPENSSL_EXTRA) || \ |
wolfSSL | 15:117db924cf7c | 8742 | defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8743 | cert->extCertPolicyCrit = critical; |
wolfSSL | 15:117db924cf7c | 8744 | #endif |
wolfSSL | 15:117db924cf7c | 8745 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8746 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || \ |
wolfSSL | 16:8e0d178b1d1e | 8747 | defined(WOLFSSL_QT) |
wolfSSL | 15:117db924cf7c | 8748 | if (DecodeCertPolicy(&input[idx], length, cert) < 0) { |
wolfSSL | 15:117db924cf7c | 8749 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8750 | } |
wolfSSL | 15:117db924cf7c | 8751 | #else |
wolfSSL | 15:117db924cf7c | 8752 | WOLFSSL_MSG("Certificate Policy extension not supported yet."); |
wolfSSL | 15:117db924cf7c | 8753 | #endif |
wolfSSL | 15:117db924cf7c | 8754 | break; |
wolfSSL | 15:117db924cf7c | 8755 | |
wolfSSL | 15:117db924cf7c | 8756 | case KEY_USAGE_OID: |
wolfSSL | 15:117db924cf7c | 8757 | VERIFY_AND_SET_OID(cert->extKeyUsageSet); |
wolfSSL | 15:117db924cf7c | 8758 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8759 | cert->extKeyUsageCrit = critical; |
wolfSSL | 15:117db924cf7c | 8760 | #endif |
wolfSSL | 15:117db924cf7c | 8761 | if (DecodeKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8762 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8763 | break; |
wolfSSL | 15:117db924cf7c | 8764 | |
wolfSSL | 15:117db924cf7c | 8765 | case EXT_KEY_USAGE_OID: |
wolfSSL | 15:117db924cf7c | 8766 | VERIFY_AND_SET_OID(cert->extExtKeyUsageSet); |
wolfSSL | 15:117db924cf7c | 8767 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8768 | cert->extExtKeyUsageCrit = critical; |
wolfSSL | 15:117db924cf7c | 8769 | #endif |
wolfSSL | 15:117db924cf7c | 8770 | if (DecodeExtKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8771 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8772 | break; |
wolfSSL | 15:117db924cf7c | 8773 | |
wolfSSL | 15:117db924cf7c | 8774 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 8775 | case NAME_CONS_OID: |
wolfSSL | 15:117db924cf7c | 8776 | #ifndef WOLFSSL_NO_ASN_STRICT |
wolfSSL | 15:117db924cf7c | 8777 | /* Verify RFC 5280 Sec 4.2.1.10 rule: |
wolfSSL | 15:117db924cf7c | 8778 | "The name constraints extension, |
wolfSSL | 15:117db924cf7c | 8779 | which MUST be used only in a CA certificate" */ |
wolfSSL | 15:117db924cf7c | 8780 | if (!cert->isCA) { |
wolfSSL | 15:117db924cf7c | 8781 | WOLFSSL_MSG("Name constraints allowed only for CA certs"); |
wolfSSL | 15:117db924cf7c | 8782 | return ASN_NAME_INVALID_E; |
wolfSSL | 15:117db924cf7c | 8783 | } |
wolfSSL | 15:117db924cf7c | 8784 | #endif |
wolfSSL | 15:117db924cf7c | 8785 | VERIFY_AND_SET_OID(cert->extNameConstraintSet); |
wolfSSL | 15:117db924cf7c | 8786 | #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) |
wolfSSL | 15:117db924cf7c | 8787 | cert->extNameConstraintCrit = critical; |
wolfSSL | 15:117db924cf7c | 8788 | #endif |
wolfSSL | 15:117db924cf7c | 8789 | if (DecodeNameConstraints(&input[idx], length, cert) < 0) |
wolfSSL | 15:117db924cf7c | 8790 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 8791 | break; |
wolfSSL | 15:117db924cf7c | 8792 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 8793 | |
wolfSSL | 15:117db924cf7c | 8794 | case INHIBIT_ANY_OID: |
wolfSSL | 15:117db924cf7c | 8795 | VERIFY_AND_SET_OID(cert->inhibitAnyOidSet); |
wolfSSL | 15:117db924cf7c | 8796 | WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); |
wolfSSL | 15:117db924cf7c | 8797 | break; |
wolfSSL | 15:117db924cf7c | 8798 | |
wolfSSL | 16:8e0d178b1d1e | 8799 | #ifndef IGNORE_NETSCAPE_CERT_TYPE |
wolfSSL | 16:8e0d178b1d1e | 8800 | case NETSCAPE_CT_OID: |
wolfSSL | 16:8e0d178b1d1e | 8801 | WOLFSSL_MSG("Netscape certificate type extension not supported " |
wolfSSL | 16:8e0d178b1d1e | 8802 | "yet."); |
wolfSSL | 16:8e0d178b1d1e | 8803 | if (CheckBitString(input, &idx, &length, idx + length, 0, |
wolfSSL | 16:8e0d178b1d1e | 8804 | NULL) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 8805 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8806 | } |
wolfSSL | 16:8e0d178b1d1e | 8807 | break; |
wolfSSL | 16:8e0d178b1d1e | 8808 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8809 | |
wolfSSL | 15:117db924cf7c | 8810 | default: |
wolfSSL | 16:8e0d178b1d1e | 8811 | #ifndef WOLFSSL_NO_ASN_STRICT |
wolfSSL | 15:117db924cf7c | 8812 | /* While it is a failure to not support critical extensions, |
wolfSSL | 15:117db924cf7c | 8813 | * still parse the certificate ignoring the unsupported |
wolfSSL | 15:117db924cf7c | 8814 | * extension to allow caller to accept it with the verify |
wolfSSL | 15:117db924cf7c | 8815 | * callback. */ |
wolfSSL | 15:117db924cf7c | 8816 | if (critical) |
wolfSSL | 15:117db924cf7c | 8817 | criticalFail = 1; |
wolfSSL | 16:8e0d178b1d1e | 8818 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8819 | break; |
wolfSSL | 15:117db924cf7c | 8820 | } |
wolfSSL | 15:117db924cf7c | 8821 | idx += length; |
wolfSSL | 15:117db924cf7c | 8822 | } |
wolfSSL | 15:117db924cf7c | 8823 | |
wolfSSL | 15:117db924cf7c | 8824 | return criticalFail ? ASN_CRIT_EXT_E : 0; |
wolfSSL | 15:117db924cf7c | 8825 | } |
wolfSSL | 15:117db924cf7c | 8826 | |
wolfSSL | 15:117db924cf7c | 8827 | int ParseCert(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 15:117db924cf7c | 8828 | { |
wolfSSL | 15:117db924cf7c | 8829 | int ret; |
wolfSSL | 15:117db924cf7c | 8830 | char* ptr; |
wolfSSL | 15:117db924cf7c | 8831 | |
wolfSSL | 15:117db924cf7c | 8832 | ret = ParseCertRelative(cert, type, verify, cm); |
wolfSSL | 15:117db924cf7c | 8833 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8834 | return ret; |
wolfSSL | 15:117db924cf7c | 8835 | |
wolfSSL | 15:117db924cf7c | 8836 | if (cert->subjectCNLen > 0) { |
wolfSSL | 15:117db924cf7c | 8837 | ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap, |
wolfSSL | 15:117db924cf7c | 8838 | DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 15:117db924cf7c | 8839 | if (ptr == NULL) |
wolfSSL | 15:117db924cf7c | 8840 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8841 | XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen); |
wolfSSL | 15:117db924cf7c | 8842 | ptr[cert->subjectCNLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 8843 | cert->subjectCN = ptr; |
wolfSSL | 15:117db924cf7c | 8844 | cert->subjectCNStored = 1; |
wolfSSL | 15:117db924cf7c | 8845 | } |
wolfSSL | 15:117db924cf7c | 8846 | |
wolfSSL | 15:117db924cf7c | 8847 | if (cert->keyOID == RSAk && |
wolfSSL | 15:117db924cf7c | 8848 | cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 15:117db924cf7c | 8849 | ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, |
wolfSSL | 15:117db924cf7c | 8850 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 15:117db924cf7c | 8851 | if (ptr == NULL) |
wolfSSL | 15:117db924cf7c | 8852 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8853 | XMEMCPY(ptr, cert->publicKey, cert->pubKeySize); |
wolfSSL | 15:117db924cf7c | 8854 | cert->publicKey = (byte *)ptr; |
wolfSSL | 15:117db924cf7c | 8855 | cert->pubKeyStored = 1; |
wolfSSL | 15:117db924cf7c | 8856 | } |
wolfSSL | 15:117db924cf7c | 8857 | |
wolfSSL | 15:117db924cf7c | 8858 | return ret; |
wolfSSL | 15:117db924cf7c | 8859 | } |
wolfSSL | 15:117db924cf7c | 8860 | |
wolfSSL | 15:117db924cf7c | 8861 | /* from SSL proper, for locking can't do find here anymore */ |
wolfSSL | 15:117db924cf7c | 8862 | #ifdef __cplusplus |
wolfSSL | 15:117db924cf7c | 8863 | extern "C" { |
wolfSSL | 15:117db924cf7c | 8864 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8865 | Signer* GetCA(void* signers, byte* hash); |
wolfSSL | 15:117db924cf7c | 8866 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 8867 | Signer* GetCAByName(void* signers, byte* hash); |
wolfSSL | 15:117db924cf7c | 8868 | #endif |
wolfSSL | 15:117db924cf7c | 8869 | #ifdef __cplusplus |
wolfSSL | 15:117db924cf7c | 8870 | } |
wolfSSL | 15:117db924cf7c | 8871 | #endif |
wolfSSL | 15:117db924cf7c | 8872 | |
wolfSSL | 15:117db924cf7c | 8873 | #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS) |
wolfSSL | 15:117db924cf7c | 8874 | |
wolfSSL | 15:117db924cf7c | 8875 | /* dummy functions, not using wolfSSL so don't need actual ones */ |
wolfSSL | 15:117db924cf7c | 8876 | Signer* GetCA(void* signers, byte* hash) |
wolfSSL | 15:117db924cf7c | 8877 | { |
wolfSSL | 15:117db924cf7c | 8878 | (void)hash; |
wolfSSL | 15:117db924cf7c | 8879 | |
wolfSSL | 15:117db924cf7c | 8880 | return (Signer*)signers; |
wolfSSL | 15:117db924cf7c | 8881 | } |
wolfSSL | 15:117db924cf7c | 8882 | |
wolfSSL | 15:117db924cf7c | 8883 | #ifndef NO_SKID |
wolfSSL | 15:117db924cf7c | 8884 | Signer* GetCAByName(void* signers, byte* hash) |
wolfSSL | 15:117db924cf7c | 8885 | { |
wolfSSL | 15:117db924cf7c | 8886 | (void)hash; |
wolfSSL | 15:117db924cf7c | 8887 | |
wolfSSL | 15:117db924cf7c | 8888 | return (Signer*)signers; |
wolfSSL | 15:117db924cf7c | 8889 | } |
wolfSSL | 15:117db924cf7c | 8890 | #endif /* NO_SKID */ |
wolfSSL | 15:117db924cf7c | 8891 | |
wolfSSL | 15:117db924cf7c | 8892 | #endif /* WOLFCRYPT_ONLY || NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 8893 | |
wolfSSL | 16:8e0d178b1d1e | 8894 | #if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID) |
wolfSSL | 15:117db924cf7c | 8895 | static Signer* GetCABySubjectAndPubKey(DecodedCert* cert, void* cm) |
wolfSSL | 15:117db924cf7c | 8896 | { |
wolfSSL | 15:117db924cf7c | 8897 | Signer* ca = NULL; |
wolfSSL | 15:117db924cf7c | 8898 | if (cert->extSubjKeyIdSet) |
wolfSSL | 15:117db924cf7c | 8899 | ca = GetCA(cm, cert->extSubjKeyId); |
wolfSSL | 15:117db924cf7c | 8900 | if (ca == NULL) |
wolfSSL | 15:117db924cf7c | 8901 | ca = GetCAByName(cm, cert->subjectHash); |
wolfSSL | 15:117db924cf7c | 8902 | if (ca) { |
wolfSSL | 15:117db924cf7c | 8903 | if ((ca->pubKeySize == cert->pubKeySize) && |
wolfSSL | 15:117db924cf7c | 8904 | (XMEMCMP(ca->publicKey, cert->publicKey, ca->pubKeySize) == 0)) { |
wolfSSL | 15:117db924cf7c | 8905 | return ca; |
wolfSSL | 15:117db924cf7c | 8906 | } |
wolfSSL | 15:117db924cf7c | 8907 | } |
wolfSSL | 15:117db924cf7c | 8908 | return NULL; |
wolfSSL | 15:117db924cf7c | 8909 | } |
wolfSSL | 15:117db924cf7c | 8910 | #endif |
wolfSSL | 15:117db924cf7c | 8911 | |
wolfSSL | 16:8e0d178b1d1e | 8912 | #if defined(WOLFSSL_SMALL_CERT_VERIFY) || defined(OPENSSL_EXTRA) |
wolfSSL | 16:8e0d178b1d1e | 8913 | /* Only quick step through the certificate to find fields that are then used |
wolfSSL | 16:8e0d178b1d1e | 8914 | * in certificate signature verification. |
wolfSSL | 16:8e0d178b1d1e | 8915 | * Must use the signature OID from the signed part of the certificate. |
wolfSSL | 16:8e0d178b1d1e | 8916 | * |
wolfSSL | 16:8e0d178b1d1e | 8917 | * This is only for minimizing dynamic memory usage during TLS certificate |
wolfSSL | 16:8e0d178b1d1e | 8918 | * chain processing. |
wolfSSL | 16:8e0d178b1d1e | 8919 | * Doesn't support: |
wolfSSL | 16:8e0d178b1d1e | 8920 | * OCSP Only: alt lookup using subject and pub key w/o sig check |
wolfSSL | 16:8e0d178b1d1e | 8921 | */ |
wolfSSL | 16:8e0d178b1d1e | 8922 | static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, |
wolfSSL | 16:8e0d178b1d1e | 8923 | void* cm, const byte* pubKey, word32 pubKeySz, int pubKeyOID) |
wolfSSL | 16:8e0d178b1d1e | 8924 | { |
wolfSSL | 16:8e0d178b1d1e | 8925 | #ifndef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 8926 | SignatureCtx sigCtx[1]; |
wolfSSL | 16:8e0d178b1d1e | 8927 | #else |
wolfSSL | 16:8e0d178b1d1e | 8928 | SignatureCtx* sigCtx; |
wolfSSL | 16:8e0d178b1d1e | 8929 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8930 | byte hash[KEYID_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 8931 | Signer* ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 8932 | word32 idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8933 | int len; |
wolfSSL | 16:8e0d178b1d1e | 8934 | word32 tbsCertIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8935 | word32 sigIndex = 0; |
wolfSSL | 16:8e0d178b1d1e | 8936 | word32 signatureOID = 0; |
wolfSSL | 16:8e0d178b1d1e | 8937 | word32 oid = 0; |
wolfSSL | 16:8e0d178b1d1e | 8938 | word32 issuerIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8939 | word32 issuerSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 8940 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 8941 | int extLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 8942 | word32 extIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8943 | word32 extEndIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 8944 | int extAuthKeyIdSet = 0; |
wolfSSL | 16:8e0d178b1d1e | 8945 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8946 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 8947 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 8948 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 8949 | |
wolfSSL | 16:8e0d178b1d1e | 8950 | |
wolfSSL | 16:8e0d178b1d1e | 8951 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 8952 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 8953 | } |
wolfSSL | 16:8e0d178b1d1e | 8954 | |
wolfSSL | 16:8e0d178b1d1e | 8955 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 8956 | sigCtx = (SignatureCtx*)XMALLOC(sizeof(*sigCtx), heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 16:8e0d178b1d1e | 8957 | if (sigCtx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8958 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 8959 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8960 | InitSignatureCtx(sigCtx, heap, INVALID_DEVID); |
wolfSSL | 16:8e0d178b1d1e | 8961 | |
wolfSSL | 16:8e0d178b1d1e | 8962 | /* Certificate SEQUENCE */ |
wolfSSL | 16:8e0d178b1d1e | 8963 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 8964 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8965 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8966 | tbsCertIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8967 | |
wolfSSL | 16:8e0d178b1d1e | 8968 | /* TBSCertificate SEQUENCE */ |
wolfSSL | 16:8e0d178b1d1e | 8969 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 8970 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8971 | } |
wolfSSL | 16:8e0d178b1d1e | 8972 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8973 | sigIndex = len + idx; |
wolfSSL | 16:8e0d178b1d1e | 8974 | |
wolfSSL | 16:8e0d178b1d1e | 8975 | if ((idx + 1) > certSz) |
wolfSSL | 16:8e0d178b1d1e | 8976 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 8977 | } |
wolfSSL | 16:8e0d178b1d1e | 8978 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8979 | /* version - optional */ |
wolfSSL | 16:8e0d178b1d1e | 8980 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 8981 | if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8982 | if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 16:8e0d178b1d1e | 8983 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 8984 | if (GetLength(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 8985 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8986 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 8987 | } |
wolfSSL | 16:8e0d178b1d1e | 8988 | } |
wolfSSL | 16:8e0d178b1d1e | 8989 | } |
wolfSSL | 16:8e0d178b1d1e | 8990 | |
wolfSSL | 16:8e0d178b1d1e | 8991 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8992 | /* serialNumber */ |
wolfSSL | 16:8e0d178b1d1e | 8993 | if (GetASNHeader(cert, ASN_INTEGER, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 8994 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 8995 | } |
wolfSSL | 16:8e0d178b1d1e | 8996 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 8997 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 8998 | |
wolfSSL | 16:8e0d178b1d1e | 8999 | /* signature */ |
wolfSSL | 16:8e0d178b1d1e | 9000 | if (GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9001 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9002 | } |
wolfSSL | 16:8e0d178b1d1e | 9003 | |
wolfSSL | 16:8e0d178b1d1e | 9004 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9005 | issuerIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 9006 | /* issuer */ |
wolfSSL | 16:8e0d178b1d1e | 9007 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9008 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9009 | } |
wolfSSL | 16:8e0d178b1d1e | 9010 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9011 | issuerSz = len + idx - issuerIdx; |
wolfSSL | 16:8e0d178b1d1e | 9012 | } |
wolfSSL | 16:8e0d178b1d1e | 9013 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 9014 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9015 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9016 | |
wolfSSL | 16:8e0d178b1d1e | 9017 | /* validity */ |
wolfSSL | 16:8e0d178b1d1e | 9018 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9019 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9020 | } |
wolfSSL | 16:8e0d178b1d1e | 9021 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9022 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9023 | |
wolfSSL | 16:8e0d178b1d1e | 9024 | /* subject */ |
wolfSSL | 16:8e0d178b1d1e | 9025 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9026 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9027 | } |
wolfSSL | 16:8e0d178b1d1e | 9028 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9029 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9030 | |
wolfSSL | 16:8e0d178b1d1e | 9031 | /* subjectPublicKeyInfo */ |
wolfSSL | 16:8e0d178b1d1e | 9032 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9033 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9034 | } |
wolfSSL | 16:8e0d178b1d1e | 9035 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9036 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9037 | |
wolfSSL | 16:8e0d178b1d1e | 9038 | if ((idx + 1) > certSz) |
wolfSSL | 16:8e0d178b1d1e | 9039 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9040 | } |
wolfSSL | 16:8e0d178b1d1e | 9041 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9042 | /* issuerUniqueID - optional */ |
wolfSSL | 16:8e0d178b1d1e | 9043 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 9044 | if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9045 | if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) { |
wolfSSL | 16:8e0d178b1d1e | 9046 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 9047 | if (GetLength(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9048 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9049 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9050 | } |
wolfSSL | 16:8e0d178b1d1e | 9051 | } |
wolfSSL | 16:8e0d178b1d1e | 9052 | } |
wolfSSL | 16:8e0d178b1d1e | 9053 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9054 | if ((idx + 1) > certSz) |
wolfSSL | 16:8e0d178b1d1e | 9055 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9056 | } |
wolfSSL | 16:8e0d178b1d1e | 9057 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9058 | /* subjectUniqueID - optional */ |
wolfSSL | 16:8e0d178b1d1e | 9059 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 9060 | if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9061 | if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)) { |
wolfSSL | 16:8e0d178b1d1e | 9062 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 9063 | if (GetLength(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9064 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9065 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9066 | } |
wolfSSL | 16:8e0d178b1d1e | 9067 | } |
wolfSSL | 16:8e0d178b1d1e | 9068 | } |
wolfSSL | 16:8e0d178b1d1e | 9069 | |
wolfSSL | 16:8e0d178b1d1e | 9070 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9071 | if ((idx + 1) > certSz) |
wolfSSL | 16:8e0d178b1d1e | 9072 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9073 | } |
wolfSSL | 16:8e0d178b1d1e | 9074 | /* extensions - optional */ |
wolfSSL | 16:8e0d178b1d1e | 9075 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 9076 | if (ret == 0 && GetASNTag(cert, &localIdx, &tag, certSz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 9077 | tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 3)) { |
wolfSSL | 16:8e0d178b1d1e | 9078 | idx++; |
wolfSSL | 16:8e0d178b1d1e | 9079 | if (GetLength(cert, &idx, &extLen, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9080 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9081 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9082 | if (GetSequence(cert, &idx, &extLen, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9083 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9084 | } |
wolfSSL | 16:8e0d178b1d1e | 9085 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9086 | extEndIdx = idx + extLen; |
wolfSSL | 16:8e0d178b1d1e | 9087 | |
wolfSSL | 16:8e0d178b1d1e | 9088 | /* Check each extension for the ones we want. */ |
wolfSSL | 16:8e0d178b1d1e | 9089 | while (ret == 0 && idx < extEndIdx) { |
wolfSSL | 16:8e0d178b1d1e | 9090 | if (GetSequence(cert, &idx, &len, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9091 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9092 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9093 | extIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 9094 | if (GetObjectId(cert, &extIdx, &oid, oidCertExtType, |
wolfSSL | 16:8e0d178b1d1e | 9095 | certSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 9096 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9097 | } |
wolfSSL | 16:8e0d178b1d1e | 9098 | |
wolfSSL | 16:8e0d178b1d1e | 9099 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9100 | if ((extIdx + 1) > certSz) |
wolfSSL | 16:8e0d178b1d1e | 9101 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9102 | } |
wolfSSL | 16:8e0d178b1d1e | 9103 | } |
wolfSSL | 16:8e0d178b1d1e | 9104 | |
wolfSSL | 16:8e0d178b1d1e | 9105 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9106 | localIdx = extIdx; |
wolfSSL | 16:8e0d178b1d1e | 9107 | if (GetASNTag(cert, &localIdx, &tag, certSz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 9108 | tag == ASN_BOOLEAN) { |
wolfSSL | 16:8e0d178b1d1e | 9109 | if (GetBoolean(cert, &extIdx, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9110 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9111 | } |
wolfSSL | 16:8e0d178b1d1e | 9112 | } |
wolfSSL | 16:8e0d178b1d1e | 9113 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9114 | if (GetOctetString(cert, &extIdx, &extLen, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9115 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9116 | } |
wolfSSL | 16:8e0d178b1d1e | 9117 | |
wolfSSL | 16:8e0d178b1d1e | 9118 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9119 | switch (oid) { |
wolfSSL | 16:8e0d178b1d1e | 9120 | case AUTH_KEY_OID: |
wolfSSL | 16:8e0d178b1d1e | 9121 | if (GetSequence(cert, &extIdx, &extLen, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9122 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9123 | |
wolfSSL | 16:8e0d178b1d1e | 9124 | if (ret == 0 && (extIdx + 1) >= certSz) |
wolfSSL | 16:8e0d178b1d1e | 9125 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9126 | |
wolfSSL | 16:8e0d178b1d1e | 9127 | if (ret == 0 && |
wolfSSL | 16:8e0d178b1d1e | 9128 | GetASNTag(cert, &extIdx, &tag, certSz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 9129 | tag == (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 16:8e0d178b1d1e | 9130 | if (GetLength(cert, &extIdx, &extLen, certSz) <= 0) |
wolfSSL | 16:8e0d178b1d1e | 9131 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9132 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9133 | extAuthKeyIdSet = 1; |
wolfSSL | 16:8e0d178b1d1e | 9134 | if (extLen == KEYID_SIZE) |
wolfSSL | 16:8e0d178b1d1e | 9135 | XMEMCPY(hash, cert + extIdx, extLen); |
wolfSSL | 16:8e0d178b1d1e | 9136 | else { |
wolfSSL | 16:8e0d178b1d1e | 9137 | ret = CalcHashId(cert + extIdx, extLen, |
wolfSSL | 16:8e0d178b1d1e | 9138 | hash); |
wolfSSL | 16:8e0d178b1d1e | 9139 | } |
wolfSSL | 16:8e0d178b1d1e | 9140 | } |
wolfSSL | 16:8e0d178b1d1e | 9141 | } |
wolfSSL | 16:8e0d178b1d1e | 9142 | break; |
wolfSSL | 16:8e0d178b1d1e | 9143 | |
wolfSSL | 16:8e0d178b1d1e | 9144 | default: |
wolfSSL | 16:8e0d178b1d1e | 9145 | break; |
wolfSSL | 16:8e0d178b1d1e | 9146 | } |
wolfSSL | 16:8e0d178b1d1e | 9147 | } |
wolfSSL | 16:8e0d178b1d1e | 9148 | idx += len; |
wolfSSL | 16:8e0d178b1d1e | 9149 | } |
wolfSSL | 16:8e0d178b1d1e | 9150 | } |
wolfSSL | 16:8e0d178b1d1e | 9151 | } |
wolfSSL | 16:8e0d178b1d1e | 9152 | |
wolfSSL | 16:8e0d178b1d1e | 9153 | if (ret == 0 && pubKey == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 9154 | if (extAuthKeyIdSet) |
wolfSSL | 16:8e0d178b1d1e | 9155 | ca = GetCA(cm, hash); |
wolfSSL | 16:8e0d178b1d1e | 9156 | if (ca == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 9157 | ret = CalcHashId(cert + issuerIdx, issuerSz, hash); |
wolfSSL | 16:8e0d178b1d1e | 9158 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 9159 | ca = GetCAByName(cm, hash); |
wolfSSL | 16:8e0d178b1d1e | 9160 | } |
wolfSSL | 16:8e0d178b1d1e | 9161 | } |
wolfSSL | 16:8e0d178b1d1e | 9162 | #else |
wolfSSL | 16:8e0d178b1d1e | 9163 | if (ret == 0 && pubKey == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 9164 | ret = CalcHashId(cert + issuerIdx, issuerSz, hash); |
wolfSSL | 16:8e0d178b1d1e | 9165 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 9166 | ca = GetCA(cm, hash); |
wolfSSL | 16:8e0d178b1d1e | 9167 | } |
wolfSSL | 16:8e0d178b1d1e | 9168 | #endif /* !NO_SKID */ |
wolfSSL | 16:8e0d178b1d1e | 9169 | if (ca == NULL && pubKey == NULL) |
wolfSSL | 16:8e0d178b1d1e | 9170 | ret = ASN_NO_SIGNER_E; |
wolfSSL | 16:8e0d178b1d1e | 9171 | |
wolfSSL | 16:8e0d178b1d1e | 9172 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9173 | idx = sigIndex; |
wolfSSL | 16:8e0d178b1d1e | 9174 | /* signatureAlgorithm */ |
wolfSSL | 16:8e0d178b1d1e | 9175 | if (GetAlgoId(cert, &idx, &oid, oidSigType, certSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9176 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9177 | } |
wolfSSL | 16:8e0d178b1d1e | 9178 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9179 | if (oid != signatureOID) |
wolfSSL | 16:8e0d178b1d1e | 9180 | ret = ASN_SIG_OID_E; |
wolfSSL | 16:8e0d178b1d1e | 9181 | } |
wolfSSL | 16:8e0d178b1d1e | 9182 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9183 | /* signatureValue */ |
wolfSSL | 16:8e0d178b1d1e | 9184 | if (CheckBitString(cert, &idx, &len, certSz, 1, NULL) < 0) |
wolfSSL | 16:8e0d178b1d1e | 9185 | ret = ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 9186 | } |
wolfSSL | 16:8e0d178b1d1e | 9187 | |
wolfSSL | 16:8e0d178b1d1e | 9188 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9189 | if (pubKey != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 9190 | ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, |
wolfSSL | 16:8e0d178b1d1e | 9191 | sigIndex - tbsCertIdx, |
wolfSSL | 16:8e0d178b1d1e | 9192 | pubKey, pubKeySz, pubKeyOID, |
wolfSSL | 16:8e0d178b1d1e | 9193 | cert + idx, len, signatureOID, NULL); |
wolfSSL | 16:8e0d178b1d1e | 9194 | } |
wolfSSL | 16:8e0d178b1d1e | 9195 | else { |
wolfSSL | 16:8e0d178b1d1e | 9196 | ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, |
wolfSSL | 16:8e0d178b1d1e | 9197 | sigIndex - tbsCertIdx, |
wolfSSL | 16:8e0d178b1d1e | 9198 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 16:8e0d178b1d1e | 9199 | cert + idx, len, signatureOID, NULL); |
wolfSSL | 16:8e0d178b1d1e | 9200 | } |
wolfSSL | 16:8e0d178b1d1e | 9201 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9202 | WOLFSSL_MSG("Confirm signature failed"); |
wolfSSL | 16:8e0d178b1d1e | 9203 | } |
wolfSSL | 16:8e0d178b1d1e | 9204 | } |
wolfSSL | 16:8e0d178b1d1e | 9205 | |
wolfSSL | 16:8e0d178b1d1e | 9206 | FreeSignatureCtx(sigCtx); |
wolfSSL | 16:8e0d178b1d1e | 9207 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 9208 | if (sigCtx != NULL) |
wolfSSL | 16:8e0d178b1d1e | 9209 | XFREE(sigCtx, heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 16:8e0d178b1d1e | 9210 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9211 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 9212 | } |
wolfSSL | 16:8e0d178b1d1e | 9213 | |
wolfSSL | 16:8e0d178b1d1e | 9214 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 9215 | /* Call CheckCertSignature_ex using a public key buffer for verification |
wolfSSL | 16:8e0d178b1d1e | 9216 | */ |
wolfSSL | 16:8e0d178b1d1e | 9217 | int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap, |
wolfSSL | 16:8e0d178b1d1e | 9218 | const byte* pubKey, word32 pubKeySz, int pubKeyOID) |
wolfSSL | 16:8e0d178b1d1e | 9219 | { |
wolfSSL | 16:8e0d178b1d1e | 9220 | return CheckCertSignature_ex(cert, certSz, heap, NULL, |
wolfSSL | 16:8e0d178b1d1e | 9221 | pubKey, pubKeySz, pubKeyOID); |
wolfSSL | 16:8e0d178b1d1e | 9222 | } |
wolfSSL | 16:8e0d178b1d1e | 9223 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 9224 | #ifdef WOLFSSL_SMALL_CERT_VERIFY |
wolfSSL | 16:8e0d178b1d1e | 9225 | /* Call CheckCertSignature_ex using a certificate manager (cm) |
wolfSSL | 16:8e0d178b1d1e | 9226 | */ |
wolfSSL | 16:8e0d178b1d1e | 9227 | int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm) |
wolfSSL | 16:8e0d178b1d1e | 9228 | { |
wolfSSL | 16:8e0d178b1d1e | 9229 | return CheckCertSignature_ex(cert, certSz, heap, cm, NULL, 0, 0); |
wolfSSL | 16:8e0d178b1d1e | 9230 | } |
wolfSSL | 16:8e0d178b1d1e | 9231 | #endif /* WOLFSSL_SMALL_CERT_VERIFY */ |
wolfSSL | 16:8e0d178b1d1e | 9232 | #endif /* WOLFSSL_SMALL_CERT_VERIFY || OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 9233 | |
wolfSSL | 15:117db924cf7c | 9234 | int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 15:117db924cf7c | 9235 | { |
wolfSSL | 15:117db924cf7c | 9236 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 9237 | int checkPathLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 9238 | int decrementMaxPathLen = 0; |
wolfSSL | 15:117db924cf7c | 9239 | word32 confirmOID; |
wolfSSL | 16:8e0d178b1d1e | 9240 | #if defined(WOLFSSL_RENESAS_TSIP) |
wolfSSL | 16:8e0d178b1d1e | 9241 | int idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 9242 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9243 | byte* tsip_encRsaKeyIdx; |
wolfSSL | 15:117db924cf7c | 9244 | |
wolfSSL | 15:117db924cf7c | 9245 | if (cert == NULL) { |
wolfSSL | 15:117db924cf7c | 9246 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9247 | } |
wolfSSL | 15:117db924cf7c | 9248 | |
wolfSSL | 15:117db924cf7c | 9249 | if (cert->sigCtx.state == SIG_STATE_BEGIN) { |
wolfSSL | 16:8e0d178b1d1e | 9250 | cert->badDate = 0; |
wolfSSL | 16:8e0d178b1d1e | 9251 | cert->criticalExt = 0; |
wolfSSL | 15:117db924cf7c | 9252 | if ((ret = DecodeToKey(cert, verify)) < 0) { |
wolfSSL | 15:117db924cf7c | 9253 | if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) |
wolfSSL | 16:8e0d178b1d1e | 9254 | cert->badDate = ret; |
wolfSSL | 15:117db924cf7c | 9255 | else |
wolfSSL | 15:117db924cf7c | 9256 | return ret; |
wolfSSL | 15:117db924cf7c | 9257 | } |
wolfSSL | 15:117db924cf7c | 9258 | |
wolfSSL | 15:117db924cf7c | 9259 | WOLFSSL_MSG("Parsed Past Key"); |
wolfSSL | 15:117db924cf7c | 9260 | |
wolfSSL | 15:117db924cf7c | 9261 | if (cert->srcIdx < cert->sigIndex) { |
wolfSSL | 15:117db924cf7c | 9262 | #ifndef ALLOW_V1_EXTENSIONS |
wolfSSL | 15:117db924cf7c | 9263 | if (cert->version < 2) { |
wolfSSL | 15:117db924cf7c | 9264 | WOLFSSL_MSG("\tv1 and v2 certs not allowed extensions"); |
wolfSSL | 15:117db924cf7c | 9265 | return ASN_VERSION_E; |
wolfSSL | 15:117db924cf7c | 9266 | } |
wolfSSL | 15:117db924cf7c | 9267 | #endif |
wolfSSL | 15:117db924cf7c | 9268 | |
wolfSSL | 15:117db924cf7c | 9269 | /* save extensions */ |
wolfSSL | 15:117db924cf7c | 9270 | cert->extensions = &cert->source[cert->srcIdx]; |
wolfSSL | 15:117db924cf7c | 9271 | cert->extensionsSz = cert->sigIndex - cert->srcIdx; |
wolfSSL | 15:117db924cf7c | 9272 | cert->extensionsIdx = cert->srcIdx; /* for potential later use */ |
wolfSSL | 15:117db924cf7c | 9273 | |
wolfSSL | 15:117db924cf7c | 9274 | if ((ret = DecodeCertExtensions(cert)) < 0) { |
wolfSSL | 15:117db924cf7c | 9275 | if (ret == ASN_CRIT_EXT_E) |
wolfSSL | 16:8e0d178b1d1e | 9276 | cert->criticalExt = ret; |
wolfSSL | 15:117db924cf7c | 9277 | else |
wolfSSL | 15:117db924cf7c | 9278 | return ret; |
wolfSSL | 15:117db924cf7c | 9279 | } |
wolfSSL | 15:117db924cf7c | 9280 | |
wolfSSL | 15:117db924cf7c | 9281 | /* advance past extensions */ |
wolfSSL | 15:117db924cf7c | 9282 | cert->srcIdx = cert->sigIndex; |
wolfSSL | 15:117db924cf7c | 9283 | } |
wolfSSL | 15:117db924cf7c | 9284 | |
wolfSSL | 15:117db924cf7c | 9285 | if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID, |
wolfSSL | 15:117db924cf7c | 9286 | oidSigType, cert->maxIdx)) < 0) |
wolfSSL | 15:117db924cf7c | 9287 | return ret; |
wolfSSL | 15:117db924cf7c | 9288 | |
wolfSSL | 15:117db924cf7c | 9289 | if ((ret = GetSignature(cert)) < 0) |
wolfSSL | 15:117db924cf7c | 9290 | return ret; |
wolfSSL | 15:117db924cf7c | 9291 | |
wolfSSL | 15:117db924cf7c | 9292 | if (confirmOID != cert->signatureOID) |
wolfSSL | 15:117db924cf7c | 9293 | return ASN_SIG_OID_E; |
wolfSSL | 15:117db924cf7c | 9294 | |
wolfSSL | 15:117db924cf7c | 9295 | #ifndef NO_SKID |
wolfSSL | 15:117db924cf7c | 9296 | if (cert->extSubjKeyIdSet == 0 && cert->publicKey != NULL && |
wolfSSL | 16:8e0d178b1d1e | 9297 | cert->pubKeySize > 0) { |
wolfSSL | 16:8e0d178b1d1e | 9298 | ret = CalcHashId(cert->publicKey, cert->pubKeySize, |
wolfSSL | 15:117db924cf7c | 9299 | cert->extSubjKeyId); |
wolfSSL | 15:117db924cf7c | 9300 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 9301 | return ret; |
wolfSSL | 15:117db924cf7c | 9302 | } |
wolfSSL | 15:117db924cf7c | 9303 | #endif /* !NO_SKID */ |
wolfSSL | 15:117db924cf7c | 9304 | |
wolfSSL | 16:8e0d178b1d1e | 9305 | if (!cert->selfSigned || (verify != NO_VERIFY && type != CA_TYPE && |
wolfSSL | 16:8e0d178b1d1e | 9306 | type != TRUSTED_PEER_TYPE)) { |
wolfSSL | 15:117db924cf7c | 9307 | cert->ca = NULL; |
wolfSSL | 15:117db924cf7c | 9308 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 9309 | if (cert->extAuthKeyIdSet) { |
wolfSSL | 15:117db924cf7c | 9310 | cert->ca = GetCA(cm, cert->extAuthKeyId); |
wolfSSL | 16:8e0d178b1d1e | 9311 | } |
wolfSSL | 16:8e0d178b1d1e | 9312 | if (cert->ca == NULL && cert->extSubjKeyIdSet |
wolfSSL | 16:8e0d178b1d1e | 9313 | && verify != VERIFY_OCSP) { |
wolfSSL | 16:8e0d178b1d1e | 9314 | cert->ca = GetCA(cm, cert->extSubjKeyId); |
wolfSSL | 16:8e0d178b1d1e | 9315 | } |
wolfSSL | 16:8e0d178b1d1e | 9316 | if (cert->ca != NULL && XMEMCMP(cert->issuerHash, |
wolfSSL | 16:8e0d178b1d1e | 9317 | cert->ca->subjectNameHash, KEYID_SIZE) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9318 | cert->ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 9319 | } |
wolfSSL | 16:8e0d178b1d1e | 9320 | if (cert->ca == NULL) { |
wolfSSL | 15:117db924cf7c | 9321 | cert->ca = GetCAByName(cm, cert->issuerHash); |
wolfSSL | 16:8e0d178b1d1e | 9322 | /* If AKID is available then this CA doesn't have the public |
wolfSSL | 16:8e0d178b1d1e | 9323 | * key required */ |
wolfSSL | 16:8e0d178b1d1e | 9324 | if (cert->ca && cert->extAuthKeyIdSet) { |
wolfSSL | 16:8e0d178b1d1e | 9325 | WOLFSSL_MSG("CA SKID doesn't match AKID"); |
wolfSSL | 16:8e0d178b1d1e | 9326 | cert->ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 9327 | } |
wolfSSL | 16:8e0d178b1d1e | 9328 | } |
wolfSSL | 15:117db924cf7c | 9329 | |
wolfSSL | 15:117db924cf7c | 9330 | /* OCSP Only: alt lookup using subject and pub key w/o sig check */ |
wolfSSL | 15:117db924cf7c | 9331 | #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY |
wolfSSL | 15:117db924cf7c | 9332 | if (cert->ca == NULL && verify == VERIFY_OCSP) { |
wolfSSL | 15:117db924cf7c | 9333 | cert->ca = GetCABySubjectAndPubKey(cert, cm); |
wolfSSL | 15:117db924cf7c | 9334 | if (cert->ca) { |
wolfSSL | 15:117db924cf7c | 9335 | ret = 0; /* success */ |
wolfSSL | 15:117db924cf7c | 9336 | goto exit_pcr; |
wolfSSL | 15:117db924cf7c | 9337 | } |
wolfSSL | 15:117db924cf7c | 9338 | } |
wolfSSL | 15:117db924cf7c | 9339 | #endif /* WOLFSSL_NO_TRUSTED_CERTS_VERIFY */ |
wolfSSL | 15:117db924cf7c | 9340 | #else |
wolfSSL | 15:117db924cf7c | 9341 | cert->ca = GetCA(cm, cert->issuerHash); |
wolfSSL | 15:117db924cf7c | 9342 | #endif /* !NO_SKID */ |
wolfSSL | 16:8e0d178b1d1e | 9343 | } |
wolfSSL | 16:8e0d178b1d1e | 9344 | |
wolfSSL | 16:8e0d178b1d1e | 9345 | if (cert->selfSigned) { |
wolfSSL | 16:8e0d178b1d1e | 9346 | cert->maxPathLen = WOLFSSL_MAX_PATH_LEN; |
wolfSSL | 16:8e0d178b1d1e | 9347 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9348 | /* RFC 5280 Section 4.2.1.9: |
wolfSSL | 16:8e0d178b1d1e | 9349 | * |
wolfSSL | 16:8e0d178b1d1e | 9350 | * load/receive check |
wolfSSL | 16:8e0d178b1d1e | 9351 | * |
wolfSSL | 16:8e0d178b1d1e | 9352 | * 1) Is CA boolean set? |
wolfSSL | 16:8e0d178b1d1e | 9353 | * No - SKIP CHECK |
wolfSSL | 16:8e0d178b1d1e | 9354 | * Yes - Check key usage |
wolfSSL | 16:8e0d178b1d1e | 9355 | * 2) Is Key usage extension present? |
wolfSSL | 16:8e0d178b1d1e | 9356 | * No - goto 3 |
wolfSSL | 16:8e0d178b1d1e | 9357 | * Yes - check keyCertSign assertion |
wolfSSL | 16:8e0d178b1d1e | 9358 | * 2.a) Is keyCertSign asserted? |
wolfSSL | 16:8e0d178b1d1e | 9359 | * No - goto 4 |
wolfSSL | 16:8e0d178b1d1e | 9360 | * Yes - goto 3 |
wolfSSL | 16:8e0d178b1d1e | 9361 | * 3) Is pathLen set? |
wolfSSL | 16:8e0d178b1d1e | 9362 | * No - goto 4 |
wolfSSL | 16:8e0d178b1d1e | 9363 | * Yes - check pathLen against maxPathLen. |
wolfSSL | 16:8e0d178b1d1e | 9364 | * 3.a) Is pathLen less than maxPathLen? |
wolfSSL | 16:8e0d178b1d1e | 9365 | * No - goto 4 |
wolfSSL | 16:8e0d178b1d1e | 9366 | * Yes - set maxPathLen to pathLen and EXIT |
wolfSSL | 16:8e0d178b1d1e | 9367 | * 4) Is maxPathLen > 0? |
wolfSSL | 16:8e0d178b1d1e | 9368 | * Yes - Reduce by 1 |
wolfSSL | 16:8e0d178b1d1e | 9369 | * No - ERROR |
wolfSSL | 16:8e0d178b1d1e | 9370 | */ |
wolfSSL | 16:8e0d178b1d1e | 9371 | |
wolfSSL | 16:8e0d178b1d1e | 9372 | if (cert->ca && cert->pathLengthSet) { |
wolfSSL | 16:8e0d178b1d1e | 9373 | cert->maxPathLen = cert->pathLength; |
wolfSSL | 16:8e0d178b1d1e | 9374 | if (cert->isCA) { |
wolfSSL | 16:8e0d178b1d1e | 9375 | WOLFSSL_MSG("\tCA boolean set"); |
wolfSSL | 16:8e0d178b1d1e | 9376 | if (cert->extKeyUsageSet) { |
wolfSSL | 16:8e0d178b1d1e | 9377 | WOLFSSL_MSG("\tExtension Key Usage Set"); |
wolfSSL | 16:8e0d178b1d1e | 9378 | if ((cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9379 | checkPathLen = 1; |
wolfSSL | 16:8e0d178b1d1e | 9380 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9381 | decrementMaxPathLen = 1; |
wolfSSL | 16:8e0d178b1d1e | 9382 | } |
wolfSSL | 16:8e0d178b1d1e | 9383 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9384 | checkPathLen = 1; |
wolfSSL | 16:8e0d178b1d1e | 9385 | } /* !cert->ca check */ |
wolfSSL | 16:8e0d178b1d1e | 9386 | } /* cert is not a CA (assuming entity cert) */ |
wolfSSL | 16:8e0d178b1d1e | 9387 | |
wolfSSL | 16:8e0d178b1d1e | 9388 | if (checkPathLen && cert->pathLengthSet) { |
wolfSSL | 16:8e0d178b1d1e | 9389 | if (cert->pathLength < cert->ca->maxPathLen) { |
wolfSSL | 16:8e0d178b1d1e | 9390 | WOLFSSL_MSG("\tmaxPathLen status: set to pathLength"); |
wolfSSL | 16:8e0d178b1d1e | 9391 | cert->maxPathLen = cert->pathLength; |
wolfSSL | 16:8e0d178b1d1e | 9392 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9393 | decrementMaxPathLen = 1; |
wolfSSL | 16:8e0d178b1d1e | 9394 | } |
wolfSSL | 16:8e0d178b1d1e | 9395 | } |
wolfSSL | 16:8e0d178b1d1e | 9396 | |
wolfSSL | 16:8e0d178b1d1e | 9397 | if (decrementMaxPathLen && cert->ca->maxPathLen > 0) { |
wolfSSL | 16:8e0d178b1d1e | 9398 | WOLFSSL_MSG("\tmaxPathLen status: reduce by 1"); |
wolfSSL | 16:8e0d178b1d1e | 9399 | cert->maxPathLen = cert->ca->maxPathLen - 1; |
wolfSSL | 16:8e0d178b1d1e | 9400 | if (verify != NO_VERIFY && type != CA_TYPE && |
wolfSSL | 16:8e0d178b1d1e | 9401 | type != TRUSTED_PEER_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 9402 | WOLFSSL_MSG("\tmaxPathLen status: OK"); |
wolfSSL | 16:8e0d178b1d1e | 9403 | } |
wolfSSL | 16:8e0d178b1d1e | 9404 | } else if (decrementMaxPathLen && cert->ca->maxPathLen == 0) { |
wolfSSL | 16:8e0d178b1d1e | 9405 | cert->maxPathLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 9406 | if (verify != NO_VERIFY && type != CA_TYPE && |
wolfSSL | 16:8e0d178b1d1e | 9407 | type != TRUSTED_PEER_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 9408 | WOLFSSL_MSG("\tNon-entity cert, maxPathLen is 0"); |
wolfSSL | 16:8e0d178b1d1e | 9409 | WOLFSSL_MSG("\tmaxPathLen status: ERROR"); |
wolfSSL | 16:8e0d178b1d1e | 9410 | return ASN_PATHLEN_INV_E; |
wolfSSL | 16:8e0d178b1d1e | 9411 | } |
wolfSSL | 16:8e0d178b1d1e | 9412 | } |
wolfSSL | 16:8e0d178b1d1e | 9413 | } else if (cert->ca && cert->isCA) { |
wolfSSL | 16:8e0d178b1d1e | 9414 | /* case where cert->pathLength extension is not set */ |
wolfSSL | 16:8e0d178b1d1e | 9415 | if (cert->ca->maxPathLen > 0) { |
wolfSSL | 16:8e0d178b1d1e | 9416 | cert->maxPathLen = cert->ca->maxPathLen - 1; |
wolfSSL | 16:8e0d178b1d1e | 9417 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9418 | cert->maxPathLen = 0; |
wolfSSL | 16:8e0d178b1d1e | 9419 | if (verify != NO_VERIFY && type != CA_TYPE && |
wolfSSL | 16:8e0d178b1d1e | 9420 | type != TRUSTED_PEER_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 9421 | WOLFSSL_MSG("\tNon-entity cert, maxPathLen is 0"); |
wolfSSL | 16:8e0d178b1d1e | 9422 | WOLFSSL_MSG("\tmaxPathLen status: ERROR"); |
wolfSSL | 16:8e0d178b1d1e | 9423 | return ASN_PATHLEN_INV_E; |
wolfSSL | 16:8e0d178b1d1e | 9424 | } |
wolfSSL | 16:8e0d178b1d1e | 9425 | } |
wolfSSL | 16:8e0d178b1d1e | 9426 | } |
wolfSSL | 16:8e0d178b1d1e | 9427 | #ifdef HAVE_OCSP |
wolfSSL | 16:8e0d178b1d1e | 9428 | if (verify != NO_VERIFY && type != CA_TYPE && |
wolfSSL | 16:8e0d178b1d1e | 9429 | type != TRUSTED_PEER_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 9430 | if (cert->ca) { |
wolfSSL | 16:8e0d178b1d1e | 9431 | /* Need the CA's public key hash for OCSP */ |
wolfSSL | 16:8e0d178b1d1e | 9432 | XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash, |
wolfSSL | 16:8e0d178b1d1e | 9433 | KEYID_SIZE); |
wolfSSL | 16:8e0d178b1d1e | 9434 | } |
wolfSSL | 16:8e0d178b1d1e | 9435 | |
wolfSSL | 16:8e0d178b1d1e | 9436 | } |
wolfSSL | 16:8e0d178b1d1e | 9437 | #endif /* HAVE_OCSP */ |
wolfSSL | 16:8e0d178b1d1e | 9438 | } |
wolfSSL | 16:8e0d178b1d1e | 9439 | } |
wolfSSL | 16:8e0d178b1d1e | 9440 | #if defined(WOLFSSL_RENESAS_TSIP) |
wolfSSL | 16:8e0d178b1d1e | 9441 | /* prepare for TSIP TLS cert verification API use */ |
wolfSSL | 16:8e0d178b1d1e | 9442 | if (cert->keyOID == RSAk) { |
wolfSSL | 16:8e0d178b1d1e | 9443 | /* to call TSIP API, it needs keys position info in bytes */ |
wolfSSL | 16:8e0d178b1d1e | 9444 | if ((ret = RsaPublicKeyDecodeRawIndex(cert->publicKey, (word32*)&idx, |
wolfSSL | 16:8e0d178b1d1e | 9445 | cert->pubKeySize, |
wolfSSL | 16:8e0d178b1d1e | 9446 | &cert->sigCtx.pubkey_n_start, |
wolfSSL | 16:8e0d178b1d1e | 9447 | &cert->sigCtx.pubkey_n_len, |
wolfSSL | 16:8e0d178b1d1e | 9448 | &cert->sigCtx.pubkey_e_start, |
wolfSSL | 16:8e0d178b1d1e | 9449 | &cert->sigCtx.pubkey_e_len)) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9450 | WOLFSSL_MSG("Decoding index from cert failed."); |
wolfSSL | 16:8e0d178b1d1e | 9451 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 9452 | } |
wolfSSL | 16:8e0d178b1d1e | 9453 | cert->sigCtx.certBegin = cert->certBegin; |
wolfSSL | 16:8e0d178b1d1e | 9454 | } |
wolfSSL | 16:8e0d178b1d1e | 9455 | /* check if we can use TSIP for cert verification */ |
wolfSSL | 16:8e0d178b1d1e | 9456 | /* if the ca is verified as tsip root ca. */ |
wolfSSL | 16:8e0d178b1d1e | 9457 | /* TSIP can only handle 2048 bits(256 byte) key. */ |
wolfSSL | 16:8e0d178b1d1e | 9458 | if (cert->ca && tsip_checkCA(cert->ca->cm_idx) != 0 && |
wolfSSL | 16:8e0d178b1d1e | 9459 | cert->sigCtx.pubkey_n_len == 256) { |
wolfSSL | 16:8e0d178b1d1e | 9460 | |
wolfSSL | 16:8e0d178b1d1e | 9461 | /* assign memory to encrypted tsip Rsa key index */ |
wolfSSL | 16:8e0d178b1d1e | 9462 | if (!cert->tsip_encRsaKeyIdx) |
wolfSSL | 16:8e0d178b1d1e | 9463 | cert->tsip_encRsaKeyIdx = |
wolfSSL | 16:8e0d178b1d1e | 9464 | (byte*)XMALLOC(TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY, |
wolfSSL | 16:8e0d178b1d1e | 9465 | cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 16:8e0d178b1d1e | 9466 | if (cert->tsip_encRsaKeyIdx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 9467 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 9468 | } else { |
wolfSSL | 16:8e0d178b1d1e | 9469 | if (cert->ca) { |
wolfSSL | 16:8e0d178b1d1e | 9470 | /* TSIP isn't usable */ |
wolfSSL | 16:8e0d178b1d1e | 9471 | if (tsip_checkCA(cert->ca->cm_idx) == 0) |
wolfSSL | 16:8e0d178b1d1e | 9472 | WOLFSSL_MSG("TSIP isn't usable because the ca isn't verified " |
wolfSSL | 16:8e0d178b1d1e | 9473 | "by TSIP."); |
wolfSSL | 16:8e0d178b1d1e | 9474 | else if (cert->sigCtx.pubkey_n_len != 256) |
wolfSSL | 16:8e0d178b1d1e | 9475 | WOLFSSL_MSG("TSIP isn't usable because the ca isn't signed by " |
wolfSSL | 16:8e0d178b1d1e | 9476 | "RSA 2048."); |
wolfSSL | 16:8e0d178b1d1e | 9477 | else |
wolfSSL | 16:8e0d178b1d1e | 9478 | WOLFSSL_MSG("TSIP isn't usable"); |
wolfSSL | 16:8e0d178b1d1e | 9479 | } |
wolfSSL | 16:8e0d178b1d1e | 9480 | cert->tsip_encRsaKeyIdx = NULL; |
wolfSSL | 16:8e0d178b1d1e | 9481 | } |
wolfSSL | 16:8e0d178b1d1e | 9482 | |
wolfSSL | 16:8e0d178b1d1e | 9483 | tsip_encRsaKeyIdx = cert->tsip_encRsaKeyIdx; |
wolfSSL | 16:8e0d178b1d1e | 9484 | #else |
wolfSSL | 16:8e0d178b1d1e | 9485 | tsip_encRsaKeyIdx = NULL; |
wolfSSL | 16:8e0d178b1d1e | 9486 | #endif |
wolfSSL | 15:117db924cf7c | 9487 | |
wolfSSL | 15:117db924cf7c | 9488 | if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { |
wolfSSL | 15:117db924cf7c | 9489 | if (cert->ca) { |
wolfSSL | 16:8e0d178b1d1e | 9490 | if (verify == VERIFY || verify == VERIFY_OCSP || |
wolfSSL | 16:8e0d178b1d1e | 9491 | verify == VERIFY_SKIP_DATE) { |
wolfSSL | 15:117db924cf7c | 9492 | /* try to confirm/verify signature */ |
wolfSSL | 15:117db924cf7c | 9493 | if ((ret = ConfirmSignature(&cert->sigCtx, |
wolfSSL | 15:117db924cf7c | 9494 | cert->source + cert->certBegin, |
wolfSSL | 15:117db924cf7c | 9495 | cert->sigIndex - cert->certBegin, |
wolfSSL | 15:117db924cf7c | 9496 | cert->ca->publicKey, cert->ca->pubKeySize, |
wolfSSL | 15:117db924cf7c | 9497 | cert->ca->keyOID, cert->signature, |
wolfSSL | 16:8e0d178b1d1e | 9498 | cert->sigLength, cert->signatureOID, |
wolfSSL | 16:8e0d178b1d1e | 9499 | tsip_encRsaKeyIdx)) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9500 | if (ret != 0 && ret != WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 9501 | WOLFSSL_MSG("Confirm signature failed"); |
wolfSSL | 15:117db924cf7c | 9502 | } |
wolfSSL | 15:117db924cf7c | 9503 | return ret; |
wolfSSL | 15:117db924cf7c | 9504 | } |
wolfSSL | 16:8e0d178b1d1e | 9505 | } |
wolfSSL | 16:8e0d178b1d1e | 9506 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 16:8e0d178b1d1e | 9507 | if (verify == VERIFY || verify == VERIFY_OCSP || |
wolfSSL | 16:8e0d178b1d1e | 9508 | verify == VERIFY_NAME || verify == VERIFY_SKIP_DATE) { |
wolfSSL | 15:117db924cf7c | 9509 | /* check that this cert's name is permitted by the signer's |
wolfSSL | 15:117db924cf7c | 9510 | * name constraints */ |
wolfSSL | 15:117db924cf7c | 9511 | if (!ConfirmNameConstraints(cert->ca, cert)) { |
wolfSSL | 15:117db924cf7c | 9512 | WOLFSSL_MSG("Confirm name constraint failed"); |
wolfSSL | 15:117db924cf7c | 9513 | return ASN_NAME_INVALID_E; |
wolfSSL | 15:117db924cf7c | 9514 | } |
wolfSSL | 16:8e0d178b1d1e | 9515 | } |
wolfSSL | 16:8e0d178b1d1e | 9516 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 15:117db924cf7c | 9517 | } |
wolfSSL | 15:117db924cf7c | 9518 | else { |
wolfSSL | 15:117db924cf7c | 9519 | /* no signer */ |
wolfSSL | 15:117db924cf7c | 9520 | WOLFSSL_MSG("No CA signer to verify with"); |
wolfSSL | 15:117db924cf7c | 9521 | return ASN_NO_SIGNER_E; |
wolfSSL | 15:117db924cf7c | 9522 | } |
wolfSSL | 15:117db924cf7c | 9523 | } |
wolfSSL | 15:117db924cf7c | 9524 | |
wolfSSL | 15:117db924cf7c | 9525 | #if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID) |
wolfSSL | 15:117db924cf7c | 9526 | exit_pcr: |
wolfSSL | 15:117db924cf7c | 9527 | #endif |
wolfSSL | 15:117db924cf7c | 9528 | |
wolfSSL | 16:8e0d178b1d1e | 9529 | if (cert->badDate != 0) { |
wolfSSL | 16:8e0d178b1d1e | 9530 | if (verify != VERIFY_SKIP_DATE) { |
wolfSSL | 16:8e0d178b1d1e | 9531 | return cert->badDate; |
wolfSSL | 16:8e0d178b1d1e | 9532 | } |
wolfSSL | 16:8e0d178b1d1e | 9533 | WOLFSSL_MSG("Date error: Verify option is skipping"); |
wolfSSL | 16:8e0d178b1d1e | 9534 | } |
wolfSSL | 16:8e0d178b1d1e | 9535 | |
wolfSSL | 16:8e0d178b1d1e | 9536 | if (cert->criticalExt != 0) |
wolfSSL | 16:8e0d178b1d1e | 9537 | return cert->criticalExt; |
wolfSSL | 15:117db924cf7c | 9538 | |
wolfSSL | 15:117db924cf7c | 9539 | return ret; |
wolfSSL | 15:117db924cf7c | 9540 | } |
wolfSSL | 15:117db924cf7c | 9541 | |
wolfSSL | 15:117db924cf7c | 9542 | /* Create and init an new signer */ |
wolfSSL | 15:117db924cf7c | 9543 | Signer* MakeSigner(void* heap) |
wolfSSL | 15:117db924cf7c | 9544 | { |
wolfSSL | 15:117db924cf7c | 9545 | Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap, |
wolfSSL | 15:117db924cf7c | 9546 | DYNAMIC_TYPE_SIGNER); |
wolfSSL | 15:117db924cf7c | 9547 | if (signer) { |
wolfSSL | 16:8e0d178b1d1e | 9548 | XMEMSET(signer, 0, sizeof(Signer)); |
wolfSSL | 15:117db924cf7c | 9549 | } |
wolfSSL | 15:117db924cf7c | 9550 | (void)heap; |
wolfSSL | 15:117db924cf7c | 9551 | |
wolfSSL | 15:117db924cf7c | 9552 | return signer; |
wolfSSL | 15:117db924cf7c | 9553 | } |
wolfSSL | 15:117db924cf7c | 9554 | |
wolfSSL | 15:117db924cf7c | 9555 | |
wolfSSL | 15:117db924cf7c | 9556 | /* Free an individual signer */ |
wolfSSL | 15:117db924cf7c | 9557 | void FreeSigner(Signer* signer, void* heap) |
wolfSSL | 15:117db924cf7c | 9558 | { |
wolfSSL | 15:117db924cf7c | 9559 | XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 16:8e0d178b1d1e | 9560 | XFREE((void*)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 15:117db924cf7c | 9561 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 9562 | if (signer->permittedNames) |
wolfSSL | 15:117db924cf7c | 9563 | FreeNameSubtrees(signer->permittedNames, heap); |
wolfSSL | 15:117db924cf7c | 9564 | if (signer->excludedNames) |
wolfSSL | 15:117db924cf7c | 9565 | FreeNameSubtrees(signer->excludedNames, heap); |
wolfSSL | 15:117db924cf7c | 9566 | #endif |
wolfSSL | 15:117db924cf7c | 9567 | #ifdef WOLFSSL_SIGNER_DER_CERT |
wolfSSL | 15:117db924cf7c | 9568 | FreeDer(&signer->derCert); |
wolfSSL | 15:117db924cf7c | 9569 | #endif |
wolfSSL | 15:117db924cf7c | 9570 | XFREE(signer, heap, DYNAMIC_TYPE_SIGNER); |
wolfSSL | 15:117db924cf7c | 9571 | |
wolfSSL | 15:117db924cf7c | 9572 | (void)heap; |
wolfSSL | 15:117db924cf7c | 9573 | } |
wolfSSL | 15:117db924cf7c | 9574 | |
wolfSSL | 15:117db924cf7c | 9575 | |
wolfSSL | 15:117db924cf7c | 9576 | /* Free the whole singer table with number of rows */ |
wolfSSL | 15:117db924cf7c | 9577 | void FreeSignerTable(Signer** table, int rows, void* heap) |
wolfSSL | 15:117db924cf7c | 9578 | { |
wolfSSL | 15:117db924cf7c | 9579 | int i; |
wolfSSL | 15:117db924cf7c | 9580 | |
wolfSSL | 15:117db924cf7c | 9581 | for (i = 0; i < rows; i++) { |
wolfSSL | 15:117db924cf7c | 9582 | Signer* signer = table[i]; |
wolfSSL | 15:117db924cf7c | 9583 | while (signer) { |
wolfSSL | 15:117db924cf7c | 9584 | Signer* next = signer->next; |
wolfSSL | 15:117db924cf7c | 9585 | FreeSigner(signer, heap); |
wolfSSL | 15:117db924cf7c | 9586 | signer = next; |
wolfSSL | 15:117db924cf7c | 9587 | } |
wolfSSL | 15:117db924cf7c | 9588 | table[i] = NULL; |
wolfSSL | 15:117db924cf7c | 9589 | } |
wolfSSL | 15:117db924cf7c | 9590 | } |
wolfSSL | 15:117db924cf7c | 9591 | |
wolfSSL | 15:117db924cf7c | 9592 | #ifdef WOLFSSL_TRUST_PEER_CERT |
wolfSSL | 15:117db924cf7c | 9593 | /* Free an individual trusted peer cert */ |
wolfSSL | 15:117db924cf7c | 9594 | void FreeTrustedPeer(TrustedPeerCert* tp, void* heap) |
wolfSSL | 15:117db924cf7c | 9595 | { |
wolfSSL | 15:117db924cf7c | 9596 | if (tp == NULL) { |
wolfSSL | 15:117db924cf7c | 9597 | return; |
wolfSSL | 15:117db924cf7c | 9598 | } |
wolfSSL | 15:117db924cf7c | 9599 | |
wolfSSL | 15:117db924cf7c | 9600 | if (tp->name) { |
wolfSSL | 15:117db924cf7c | 9601 | XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 15:117db924cf7c | 9602 | } |
wolfSSL | 15:117db924cf7c | 9603 | |
wolfSSL | 15:117db924cf7c | 9604 | if (tp->sig) { |
wolfSSL | 15:117db924cf7c | 9605 | XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 9606 | } |
wolfSSL | 15:117db924cf7c | 9607 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 15:117db924cf7c | 9608 | if (tp->permittedNames) |
wolfSSL | 15:117db924cf7c | 9609 | FreeNameSubtrees(tp->permittedNames, heap); |
wolfSSL | 15:117db924cf7c | 9610 | if (tp->excludedNames) |
wolfSSL | 15:117db924cf7c | 9611 | FreeNameSubtrees(tp->excludedNames, heap); |
wolfSSL | 15:117db924cf7c | 9612 | #endif |
wolfSSL | 15:117db924cf7c | 9613 | XFREE(tp, heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 9614 | |
wolfSSL | 15:117db924cf7c | 9615 | (void)heap; |
wolfSSL | 15:117db924cf7c | 9616 | } |
wolfSSL | 15:117db924cf7c | 9617 | |
wolfSSL | 15:117db924cf7c | 9618 | /* Free the whole Trusted Peer linked list */ |
wolfSSL | 15:117db924cf7c | 9619 | void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap) |
wolfSSL | 15:117db924cf7c | 9620 | { |
wolfSSL | 15:117db924cf7c | 9621 | int i; |
wolfSSL | 15:117db924cf7c | 9622 | |
wolfSSL | 15:117db924cf7c | 9623 | for (i = 0; i < rows; i++) { |
wolfSSL | 15:117db924cf7c | 9624 | TrustedPeerCert* tp = table[i]; |
wolfSSL | 15:117db924cf7c | 9625 | while (tp) { |
wolfSSL | 15:117db924cf7c | 9626 | TrustedPeerCert* next = tp->next; |
wolfSSL | 15:117db924cf7c | 9627 | FreeTrustedPeer(tp, heap); |
wolfSSL | 15:117db924cf7c | 9628 | tp = next; |
wolfSSL | 15:117db924cf7c | 9629 | } |
wolfSSL | 15:117db924cf7c | 9630 | table[i] = NULL; |
wolfSSL | 15:117db924cf7c | 9631 | } |
wolfSSL | 15:117db924cf7c | 9632 | } |
wolfSSL | 15:117db924cf7c | 9633 | #endif /* WOLFSSL_TRUST_PEER_CERT */ |
wolfSSL | 15:117db924cf7c | 9634 | |
wolfSSL | 16:8e0d178b1d1e | 9635 | int SetMyVersion(word32 version, byte* output, int header) |
wolfSSL | 15:117db924cf7c | 9636 | { |
wolfSSL | 15:117db924cf7c | 9637 | int i = 0; |
wolfSSL | 15:117db924cf7c | 9638 | |
wolfSSL | 15:117db924cf7c | 9639 | if (output == NULL) |
wolfSSL | 15:117db924cf7c | 9640 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9641 | |
wolfSSL | 15:117db924cf7c | 9642 | if (header) { |
wolfSSL | 15:117db924cf7c | 9643 | output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED; |
wolfSSL | 15:117db924cf7c | 9644 | output[i++] = 3; |
wolfSSL | 15:117db924cf7c | 9645 | } |
wolfSSL | 15:117db924cf7c | 9646 | output[i++] = ASN_INTEGER; |
wolfSSL | 15:117db924cf7c | 9647 | output[i++] = 0x01; |
wolfSSL | 15:117db924cf7c | 9648 | output[i++] = (byte)version; |
wolfSSL | 15:117db924cf7c | 9649 | |
wolfSSL | 15:117db924cf7c | 9650 | return i; |
wolfSSL | 15:117db924cf7c | 9651 | } |
wolfSSL | 15:117db924cf7c | 9652 | |
wolfSSL | 16:8e0d178b1d1e | 9653 | int SetSerialNumber(const byte* sn, word32 snSz, byte* output, |
wolfSSL | 16:8e0d178b1d1e | 9654 | word32 outputSz, int maxSnSz) |
wolfSSL | 16:8e0d178b1d1e | 9655 | { |
wolfSSL | 16:8e0d178b1d1e | 9656 | int i; |
wolfSSL | 15:117db924cf7c | 9657 | int snSzInt = (int)snSz; |
wolfSSL | 15:117db924cf7c | 9658 | |
wolfSSL | 15:117db924cf7c | 9659 | if (sn == NULL || output == NULL || snSzInt < 0) |
wolfSSL | 15:117db924cf7c | 9660 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9661 | |
wolfSSL | 15:117db924cf7c | 9662 | /* remove leading zeros */ |
wolfSSL | 15:117db924cf7c | 9663 | while (snSzInt > 0 && sn[0] == 0) { |
wolfSSL | 15:117db924cf7c | 9664 | snSzInt--; |
wolfSSL | 15:117db924cf7c | 9665 | sn++; |
wolfSSL | 15:117db924cf7c | 9666 | } |
wolfSSL | 16:8e0d178b1d1e | 9667 | /* RFC 5280 - 4.1.2.2: |
wolfSSL | 16:8e0d178b1d1e | 9668 | * Serial numbers must be a positive value (and not zero) */ |
wolfSSL | 16:8e0d178b1d1e | 9669 | if (snSzInt == 0) |
wolfSSL | 16:8e0d178b1d1e | 9670 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 9671 | |
wolfSSL | 16:8e0d178b1d1e | 9672 | if (sn[0] & 0x80) |
wolfSSL | 16:8e0d178b1d1e | 9673 | maxSnSz--; |
wolfSSL | 15:117db924cf7c | 9674 | /* truncate if input is too long */ |
wolfSSL | 15:117db924cf7c | 9675 | if (snSzInt > maxSnSz) |
wolfSSL | 15:117db924cf7c | 9676 | snSzInt = maxSnSz; |
wolfSSL | 15:117db924cf7c | 9677 | |
wolfSSL | 16:8e0d178b1d1e | 9678 | i = SetASNInt(snSzInt, sn[0], NULL); |
wolfSSL | 16:8e0d178b1d1e | 9679 | /* truncate if input is too long */ |
wolfSSL | 16:8e0d178b1d1e | 9680 | if (snSzInt > (int)outputSz - i) |
wolfSSL | 16:8e0d178b1d1e | 9681 | snSzInt = (int)outputSz - i; |
wolfSSL | 16:8e0d178b1d1e | 9682 | /* sanity check number of bytes to copy */ |
wolfSSL | 16:8e0d178b1d1e | 9683 | if (snSzInt <= 0) { |
wolfSSL | 16:8e0d178b1d1e | 9684 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 9685 | } |
wolfSSL | 16:8e0d178b1d1e | 9686 | |
wolfSSL | 16:8e0d178b1d1e | 9687 | /* write out ASN.1 Integer */ |
wolfSSL | 16:8e0d178b1d1e | 9688 | (void)SetASNInt(snSzInt, sn[0], output); |
wolfSSL | 16:8e0d178b1d1e | 9689 | XMEMCPY(output + i, sn, snSzInt); |
wolfSSL | 15:117db924cf7c | 9690 | |
wolfSSL | 15:117db924cf7c | 9691 | /* compute final length */ |
wolfSSL | 15:117db924cf7c | 9692 | i += snSzInt; |
wolfSSL | 15:117db924cf7c | 9693 | |
wolfSSL | 15:117db924cf7c | 9694 | return i; |
wolfSSL | 15:117db924cf7c | 9695 | } |
wolfSSL | 15:117db924cf7c | 9696 | |
wolfSSL | 16:8e0d178b1d1e | 9697 | #endif /* !NO_CERTS */ |
wolfSSL | 16:8e0d178b1d1e | 9698 | |
wolfSSL | 16:8e0d178b1d1e | 9699 | int GetSerialNumber(const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 9700 | byte* serial, int* serialSz, word32 maxIdx) |
wolfSSL | 15:117db924cf7c | 9701 | { |
wolfSSL | 15:117db924cf7c | 9702 | int result = 0; |
wolfSSL | 15:117db924cf7c | 9703 | int ret; |
wolfSSL | 15:117db924cf7c | 9704 | |
wolfSSL | 15:117db924cf7c | 9705 | WOLFSSL_ENTER("GetSerialNumber"); |
wolfSSL | 15:117db924cf7c | 9706 | |
wolfSSL | 15:117db924cf7c | 9707 | if (serial == NULL || input == NULL || serialSz == NULL) { |
wolfSSL | 15:117db924cf7c | 9708 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9709 | } |
wolfSSL | 15:117db924cf7c | 9710 | |
wolfSSL | 15:117db924cf7c | 9711 | /* First byte is ASN type */ |
wolfSSL | 15:117db924cf7c | 9712 | if ((*inOutIdx+1) > maxIdx) { |
wolfSSL | 15:117db924cf7c | 9713 | WOLFSSL_MSG("Bad idx first"); |
wolfSSL | 15:117db924cf7c | 9714 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 9715 | } |
wolfSSL | 15:117db924cf7c | 9716 | |
wolfSSL | 15:117db924cf7c | 9717 | ret = GetASNInt(input, inOutIdx, serialSz, maxIdx); |
wolfSSL | 15:117db924cf7c | 9718 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 9719 | return ret; |
wolfSSL | 15:117db924cf7c | 9720 | |
wolfSSL | 15:117db924cf7c | 9721 | if (*serialSz > EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 15:117db924cf7c | 9722 | WOLFSSL_MSG("Serial size bad"); |
wolfSSL | 15:117db924cf7c | 9723 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 9724 | } |
wolfSSL | 15:117db924cf7c | 9725 | |
wolfSSL | 15:117db924cf7c | 9726 | /* return serial */ |
wolfSSL | 15:117db924cf7c | 9727 | XMEMCPY(serial, &input[*inOutIdx], *serialSz); |
wolfSSL | 15:117db924cf7c | 9728 | *inOutIdx += *serialSz; |
wolfSSL | 15:117db924cf7c | 9729 | |
wolfSSL | 15:117db924cf7c | 9730 | return result; |
wolfSSL | 15:117db924cf7c | 9731 | } |
wolfSSL | 15:117db924cf7c | 9732 | |
wolfSSL | 16:8e0d178b1d1e | 9733 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 9734 | |
wolfSSL | 15:117db924cf7c | 9735 | int AllocDer(DerBuffer** pDer, word32 length, int type, void* heap) |
wolfSSL | 15:117db924cf7c | 9736 | { |
wolfSSL | 15:117db924cf7c | 9737 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9738 | if (pDer) { |
wolfSSL | 15:117db924cf7c | 9739 | int dynType = 0; |
wolfSSL | 15:117db924cf7c | 9740 | DerBuffer* der; |
wolfSSL | 15:117db924cf7c | 9741 | |
wolfSSL | 15:117db924cf7c | 9742 | /* Determine dynamic type */ |
wolfSSL | 15:117db924cf7c | 9743 | switch (type) { |
wolfSSL | 15:117db924cf7c | 9744 | case CA_TYPE: dynType = DYNAMIC_TYPE_CA; break; |
wolfSSL | 15:117db924cf7c | 9745 | case CERT_TYPE: dynType = DYNAMIC_TYPE_CERT; break; |
wolfSSL | 15:117db924cf7c | 9746 | case CRL_TYPE: dynType = DYNAMIC_TYPE_CRL; break; |
wolfSSL | 15:117db924cf7c | 9747 | case DSA_TYPE: dynType = DYNAMIC_TYPE_DSA; break; |
wolfSSL | 15:117db924cf7c | 9748 | case ECC_TYPE: dynType = DYNAMIC_TYPE_ECC; break; |
wolfSSL | 15:117db924cf7c | 9749 | case RSA_TYPE: dynType = DYNAMIC_TYPE_RSA; break; |
wolfSSL | 15:117db924cf7c | 9750 | default: dynType = DYNAMIC_TYPE_KEY; break; |
wolfSSL | 15:117db924cf7c | 9751 | } |
wolfSSL | 15:117db924cf7c | 9752 | |
wolfSSL | 15:117db924cf7c | 9753 | /* Setup new buffer */ |
wolfSSL | 15:117db924cf7c | 9754 | *pDer = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + length, heap, dynType); |
wolfSSL | 15:117db924cf7c | 9755 | if (*pDer == NULL) { |
wolfSSL | 15:117db924cf7c | 9756 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 9757 | } |
wolfSSL | 15:117db924cf7c | 9758 | XMEMSET(*pDer, 0, sizeof(DerBuffer) + length); |
wolfSSL | 15:117db924cf7c | 9759 | |
wolfSSL | 15:117db924cf7c | 9760 | der = *pDer; |
wolfSSL | 15:117db924cf7c | 9761 | der->type = type; |
wolfSSL | 15:117db924cf7c | 9762 | der->dynType = dynType; /* Cache this for FreeDer */ |
wolfSSL | 15:117db924cf7c | 9763 | der->heap = heap; |
wolfSSL | 15:117db924cf7c | 9764 | der->buffer = (byte*)der + sizeof(DerBuffer); |
wolfSSL | 15:117db924cf7c | 9765 | der->length = length; |
wolfSSL | 15:117db924cf7c | 9766 | ret = 0; /* Success */ |
wolfSSL | 15:117db924cf7c | 9767 | } |
wolfSSL | 15:117db924cf7c | 9768 | return ret; |
wolfSSL | 15:117db924cf7c | 9769 | } |
wolfSSL | 15:117db924cf7c | 9770 | |
wolfSSL | 15:117db924cf7c | 9771 | void FreeDer(DerBuffer** pDer) |
wolfSSL | 15:117db924cf7c | 9772 | { |
wolfSSL | 15:117db924cf7c | 9773 | if (pDer && *pDer) |
wolfSSL | 15:117db924cf7c | 9774 | { |
wolfSSL | 15:117db924cf7c | 9775 | DerBuffer* der = (DerBuffer*)*pDer; |
wolfSSL | 15:117db924cf7c | 9776 | |
wolfSSL | 15:117db924cf7c | 9777 | /* ForceZero private keys */ |
wolfSSL | 15:117db924cf7c | 9778 | if (der->type == PRIVATEKEY_TYPE) { |
wolfSSL | 15:117db924cf7c | 9779 | ForceZero(der->buffer, der->length); |
wolfSSL | 15:117db924cf7c | 9780 | } |
wolfSSL | 15:117db924cf7c | 9781 | der->buffer = NULL; |
wolfSSL | 15:117db924cf7c | 9782 | der->length = 0; |
wolfSSL | 15:117db924cf7c | 9783 | XFREE(der, der->heap, der->dynType); |
wolfSSL | 15:117db924cf7c | 9784 | |
wolfSSL | 15:117db924cf7c | 9785 | *pDer = NULL; |
wolfSSL | 15:117db924cf7c | 9786 | } |
wolfSSL | 15:117db924cf7c | 9787 | } |
wolfSSL | 15:117db924cf7c | 9788 | |
wolfSSL | 16:8e0d178b1d1e | 9789 | int wc_AllocDer(DerBuffer** pDer, word32 length, int type, void* heap) |
wolfSSL | 16:8e0d178b1d1e | 9790 | { |
wolfSSL | 16:8e0d178b1d1e | 9791 | return AllocDer(pDer, length, type, heap); |
wolfSSL | 16:8e0d178b1d1e | 9792 | } |
wolfSSL | 16:8e0d178b1d1e | 9793 | void wc_FreeDer(DerBuffer** pDer) |
wolfSSL | 16:8e0d178b1d1e | 9794 | { |
wolfSSL | 16:8e0d178b1d1e | 9795 | FreeDer(pDer); |
wolfSSL | 16:8e0d178b1d1e | 9796 | } |
wolfSSL | 16:8e0d178b1d1e | 9797 | |
wolfSSL | 15:117db924cf7c | 9798 | |
wolfSSL | 15:117db924cf7c | 9799 | #if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) |
wolfSSL | 15:117db924cf7c | 9800 | |
wolfSSL | 15:117db924cf7c | 9801 | /* Max X509 header length indicates the max length + 2 ('\n', '\0') */ |
wolfSSL | 15:117db924cf7c | 9802 | #define MAX_X509_HEADER_SZ (37 + 2) |
wolfSSL | 15:117db924cf7c | 9803 | |
wolfSSL | 16:8e0d178b1d1e | 9804 | wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; |
wolfSSL | 16:8e0d178b1d1e | 9805 | wcchar END_CERT = "-----END CERTIFICATE-----"; |
wolfSSL | 15:117db924cf7c | 9806 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 16:8e0d178b1d1e | 9807 | wcchar BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; |
wolfSSL | 16:8e0d178b1d1e | 9808 | wcchar END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; |
wolfSSL | 15:117db924cf7c | 9809 | #endif |
wolfSSL | 15:117db924cf7c | 9810 | #ifndef NO_DH |
wolfSSL | 16:8e0d178b1d1e | 9811 | wcchar BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; |
wolfSSL | 16:8e0d178b1d1e | 9812 | wcchar END_DH_PARAM = "-----END DH PARAMETERS-----"; |
wolfSSL | 15:117db924cf7c | 9813 | #endif |
wolfSSL | 15:117db924cf7c | 9814 | #ifndef NO_DSA |
wolfSSL | 16:8e0d178b1d1e | 9815 | wcchar BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; |
wolfSSL | 16:8e0d178b1d1e | 9816 | wcchar END_DSA_PARAM = "-----END DSA PARAMETERS-----"; |
wolfSSL | 16:8e0d178b1d1e | 9817 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9818 | wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; |
wolfSSL | 16:8e0d178b1d1e | 9819 | wcchar END_X509_CRL = "-----END X509 CRL-----"; |
wolfSSL | 16:8e0d178b1d1e | 9820 | wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9821 | wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9822 | wcchar BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9823 | wcchar END_PRIV_KEY = "-----END PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9824 | wcchar BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9825 | wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 15:117db924cf7c | 9826 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 9827 | wcchar BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9828 | wcchar END_EC_PRIV = "-----END EC PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9829 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9830 | #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ |
wolfSSL | 16:8e0d178b1d1e | 9831 | !defined(NO_DSA) |
wolfSSL | 16:8e0d178b1d1e | 9832 | wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9833 | wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9834 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9835 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 9836 | const char BEGIN_PRIV_KEY_PREFIX[] = "-----BEGIN"; |
wolfSSL | 16:8e0d178b1d1e | 9837 | const char PRIV_KEY_SUFFIX[] = "PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9838 | const char END_PRIV_KEY_PREFIX[] = "-----END"; |
wolfSSL | 16:8e0d178b1d1e | 9839 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9840 | wcchar BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9841 | wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9842 | #if defined(HAVE_ED25519) || defined(HAVE_ED448) |
wolfSSL | 16:8e0d178b1d1e | 9843 | wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; |
wolfSSL | 16:8e0d178b1d1e | 9844 | wcchar END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; |
wolfSSL | 15:117db924cf7c | 9845 | #endif |
wolfSSL | 15:117db924cf7c | 9846 | #ifdef HAVE_CRL |
wolfSSL | 15:117db924cf7c | 9847 | const char *const BEGIN_CRL = "-----BEGIN X509 CRL-----"; |
wolfSSL | 16:8e0d178b1d1e | 9848 | wcchar END_CRL = "-----END X509 CRL-----"; |
wolfSSL | 16:8e0d178b1d1e | 9849 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9850 | |
wolfSSL | 16:8e0d178b1d1e | 9851 | |
wolfSSL | 16:8e0d178b1d1e | 9852 | static WC_INLINE char* SkipEndOfLineChars(char* line, const char* endOfLine) |
wolfSSL | 16:8e0d178b1d1e | 9853 | { |
wolfSSL | 16:8e0d178b1d1e | 9854 | /* eat end of line characters */ |
wolfSSL | 16:8e0d178b1d1e | 9855 | while (line < endOfLine && |
wolfSSL | 16:8e0d178b1d1e | 9856 | (line[0] == '\r' || line[0] == '\n')) { |
wolfSSL | 16:8e0d178b1d1e | 9857 | line++; |
wolfSSL | 16:8e0d178b1d1e | 9858 | } |
wolfSSL | 16:8e0d178b1d1e | 9859 | return line; |
wolfSSL | 16:8e0d178b1d1e | 9860 | } |
wolfSSL | 15:117db924cf7c | 9861 | |
wolfSSL | 15:117db924cf7c | 9862 | int wc_PemGetHeaderFooter(int type, const char** header, const char** footer) |
wolfSSL | 15:117db924cf7c | 9863 | { |
wolfSSL | 15:117db924cf7c | 9864 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9865 | |
wolfSSL | 15:117db924cf7c | 9866 | switch (type) { |
wolfSSL | 15:117db924cf7c | 9867 | case CA_TYPE: /* same as below */ |
wolfSSL | 15:117db924cf7c | 9868 | case TRUSTED_PEER_TYPE: |
wolfSSL | 15:117db924cf7c | 9869 | case CERT_TYPE: |
wolfSSL | 15:117db924cf7c | 9870 | if (header) *header = BEGIN_CERT; |
wolfSSL | 15:117db924cf7c | 9871 | if (footer) *footer = END_CERT; |
wolfSSL | 15:117db924cf7c | 9872 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9873 | break; |
wolfSSL | 15:117db924cf7c | 9874 | |
wolfSSL | 15:117db924cf7c | 9875 | case CRL_TYPE: |
wolfSSL | 15:117db924cf7c | 9876 | if (header) *header = BEGIN_X509_CRL; |
wolfSSL | 15:117db924cf7c | 9877 | if (footer) *footer = END_X509_CRL; |
wolfSSL | 15:117db924cf7c | 9878 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9879 | break; |
wolfSSL | 15:117db924cf7c | 9880 | #ifndef NO_DH |
wolfSSL | 15:117db924cf7c | 9881 | case DH_PARAM_TYPE: |
wolfSSL | 15:117db924cf7c | 9882 | if (header) *header = BEGIN_DH_PARAM; |
wolfSSL | 15:117db924cf7c | 9883 | if (footer) *footer = END_DH_PARAM; |
wolfSSL | 15:117db924cf7c | 9884 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9885 | break; |
wolfSSL | 15:117db924cf7c | 9886 | #endif |
wolfSSL | 15:117db924cf7c | 9887 | #ifndef NO_DSA |
wolfSSL | 15:117db924cf7c | 9888 | case DSA_PARAM_TYPE: |
wolfSSL | 15:117db924cf7c | 9889 | if (header) *header = BEGIN_DSA_PARAM; |
wolfSSL | 15:117db924cf7c | 9890 | if (footer) *footer = END_DSA_PARAM; |
wolfSSL | 15:117db924cf7c | 9891 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9892 | break; |
wolfSSL | 15:117db924cf7c | 9893 | #endif |
wolfSSL | 15:117db924cf7c | 9894 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 15:117db924cf7c | 9895 | case CERTREQ_TYPE: |
wolfSSL | 15:117db924cf7c | 9896 | if (header) *header = BEGIN_CERT_REQ; |
wolfSSL | 15:117db924cf7c | 9897 | if (footer) *footer = END_CERT_REQ; |
wolfSSL | 15:117db924cf7c | 9898 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9899 | break; |
wolfSSL | 15:117db924cf7c | 9900 | #endif |
wolfSSL | 15:117db924cf7c | 9901 | #ifndef NO_DSA |
wolfSSL | 15:117db924cf7c | 9902 | case DSA_TYPE: |
wolfSSL | 15:117db924cf7c | 9903 | case DSA_PRIVATEKEY_TYPE: |
wolfSSL | 15:117db924cf7c | 9904 | if (header) *header = BEGIN_DSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9905 | if (footer) *footer = END_DSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9906 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9907 | break; |
wolfSSL | 15:117db924cf7c | 9908 | #endif |
wolfSSL | 15:117db924cf7c | 9909 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 9910 | case ECC_TYPE: |
wolfSSL | 15:117db924cf7c | 9911 | case ECC_PRIVATEKEY_TYPE: |
wolfSSL | 15:117db924cf7c | 9912 | if (header) *header = BEGIN_EC_PRIV; |
wolfSSL | 15:117db924cf7c | 9913 | if (footer) *footer = END_EC_PRIV; |
wolfSSL | 15:117db924cf7c | 9914 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9915 | break; |
wolfSSL | 15:117db924cf7c | 9916 | #endif |
wolfSSL | 15:117db924cf7c | 9917 | case RSA_TYPE: |
wolfSSL | 15:117db924cf7c | 9918 | case PRIVATEKEY_TYPE: |
wolfSSL | 15:117db924cf7c | 9919 | if (header) *header = BEGIN_RSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9920 | if (footer) *footer = END_RSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9921 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9922 | break; |
wolfSSL | 15:117db924cf7c | 9923 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 9924 | case ED25519_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9925 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9926 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 9927 | case ED448_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9928 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9929 | #if defined(HAVE_ED25519) || defined(HAVE_ED448) |
wolfSSL | 15:117db924cf7c | 9930 | case EDDSA_PRIVATEKEY_TYPE: |
wolfSSL | 15:117db924cf7c | 9931 | if (header) *header = BEGIN_EDDSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9932 | if (footer) *footer = END_EDDSA_PRIV; |
wolfSSL | 15:117db924cf7c | 9933 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9934 | break; |
wolfSSL | 15:117db924cf7c | 9935 | #endif |
wolfSSL | 15:117db924cf7c | 9936 | case PUBLICKEY_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9937 | case ECC_PUBLICKEY_TYPE: |
wolfSSL | 15:117db924cf7c | 9938 | if (header) *header = BEGIN_PUB_KEY; |
wolfSSL | 15:117db924cf7c | 9939 | if (footer) *footer = END_PUB_KEY; |
wolfSSL | 15:117db924cf7c | 9940 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9941 | break; |
wolfSSL | 16:8e0d178b1d1e | 9942 | #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) |
wolfSSL | 16:8e0d178b1d1e | 9943 | case DH_PRIVATEKEY_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9944 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9945 | case PKCS8_PRIVATEKEY_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9946 | if (header) *header = BEGIN_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 9947 | if (footer) *footer = END_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 9948 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 9949 | break; |
wolfSSL | 16:8e0d178b1d1e | 9950 | case PKCS8_ENC_PRIVATEKEY_TYPE: |
wolfSSL | 16:8e0d178b1d1e | 9951 | if (header) *header = BEGIN_ENC_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 9952 | if (footer) *footer = END_ENC_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 9953 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 9954 | break; |
wolfSSL | 15:117db924cf7c | 9955 | default: |
wolfSSL | 15:117db924cf7c | 9956 | break; |
wolfSSL | 15:117db924cf7c | 9957 | } |
wolfSSL | 15:117db924cf7c | 9958 | return ret; |
wolfSSL | 15:117db924cf7c | 9959 | } |
wolfSSL | 15:117db924cf7c | 9960 | |
wolfSSL | 15:117db924cf7c | 9961 | #ifdef WOLFSSL_ENCRYPTED_KEYS |
wolfSSL | 15:117db924cf7c | 9962 | |
wolfSSL | 16:8e0d178b1d1e | 9963 | static wcchar kProcTypeHeader = "Proc-Type"; |
wolfSSL | 16:8e0d178b1d1e | 9964 | static wcchar kDecInfoHeader = "DEK-Info"; |
wolfSSL | 15:117db924cf7c | 9965 | |
wolfSSL | 15:117db924cf7c | 9966 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 9967 | #ifndef NO_DES3 |
wolfSSL | 16:8e0d178b1d1e | 9968 | static wcchar kEncTypeDes = "DES-CBC"; |
wolfSSL | 16:8e0d178b1d1e | 9969 | static wcchar kEncTypeDes3 = "DES-EDE3-CBC"; |
wolfSSL | 15:117db924cf7c | 9970 | #endif |
wolfSSL | 15:117db924cf7c | 9971 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) |
wolfSSL | 16:8e0d178b1d1e | 9972 | static wcchar kEncTypeAesCbc128 = "AES-128-CBC"; |
wolfSSL | 15:117db924cf7c | 9973 | #endif |
wolfSSL | 15:117db924cf7c | 9974 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_192) |
wolfSSL | 16:8e0d178b1d1e | 9975 | static wcchar kEncTypeAesCbc192 = "AES-192-CBC"; |
wolfSSL | 15:117db924cf7c | 9976 | #endif |
wolfSSL | 15:117db924cf7c | 9977 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) |
wolfSSL | 16:8e0d178b1d1e | 9978 | static wcchar kEncTypeAesCbc256 = "AES-256-CBC"; |
wolfSSL | 15:117db924cf7c | 9979 | #endif |
wolfSSL | 15:117db924cf7c | 9980 | |
wolfSSL | 15:117db924cf7c | 9981 | int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo) |
wolfSSL | 15:117db924cf7c | 9982 | { |
wolfSSL | 15:117db924cf7c | 9983 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 9984 | |
wolfSSL | 15:117db924cf7c | 9985 | if (info == NULL || cipherInfo == NULL) |
wolfSSL | 15:117db924cf7c | 9986 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 9987 | |
wolfSSL | 15:117db924cf7c | 9988 | /* determine cipher information */ |
wolfSSL | 15:117db924cf7c | 9989 | #ifndef NO_DES3 |
wolfSSL | 15:117db924cf7c | 9990 | if (XSTRNCMP(cipherInfo, kEncTypeDes, XSTRLEN(kEncTypeDes)) == 0) { |
wolfSSL | 15:117db924cf7c | 9991 | info->cipherType = WC_CIPHER_DES; |
wolfSSL | 15:117db924cf7c | 9992 | info->keySz = DES_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 9993 | if (info->ivSz == 0) info->ivSz = DES_IV_SIZE; |
wolfSSL | 15:117db924cf7c | 9994 | } |
wolfSSL | 15:117db924cf7c | 9995 | else if (XSTRNCMP(cipherInfo, kEncTypeDes3, XSTRLEN(kEncTypeDes3)) == 0) { |
wolfSSL | 15:117db924cf7c | 9996 | info->cipherType = WC_CIPHER_DES3; |
wolfSSL | 15:117db924cf7c | 9997 | info->keySz = DES3_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 9998 | if (info->ivSz == 0) info->ivSz = DES_IV_SIZE; |
wolfSSL | 15:117db924cf7c | 9999 | } |
wolfSSL | 15:117db924cf7c | 10000 | else |
wolfSSL | 15:117db924cf7c | 10001 | #endif /* !NO_DES3 */ |
wolfSSL | 15:117db924cf7c | 10002 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) |
wolfSSL | 15:117db924cf7c | 10003 | if (XSTRNCMP(cipherInfo, kEncTypeAesCbc128, XSTRLEN(kEncTypeAesCbc128)) == 0) { |
wolfSSL | 15:117db924cf7c | 10004 | info->cipherType = WC_CIPHER_AES_CBC; |
wolfSSL | 15:117db924cf7c | 10005 | info->keySz = AES_128_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 10006 | if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; |
wolfSSL | 15:117db924cf7c | 10007 | } |
wolfSSL | 15:117db924cf7c | 10008 | else |
wolfSSL | 15:117db924cf7c | 10009 | #endif |
wolfSSL | 15:117db924cf7c | 10010 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_192) |
wolfSSL | 15:117db924cf7c | 10011 | if (XSTRNCMP(cipherInfo, kEncTypeAesCbc192, XSTRLEN(kEncTypeAesCbc192)) == 0) { |
wolfSSL | 15:117db924cf7c | 10012 | info->cipherType = WC_CIPHER_AES_CBC; |
wolfSSL | 15:117db924cf7c | 10013 | info->keySz = AES_192_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 10014 | if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; |
wolfSSL | 15:117db924cf7c | 10015 | } |
wolfSSL | 15:117db924cf7c | 10016 | else |
wolfSSL | 15:117db924cf7c | 10017 | #endif |
wolfSSL | 15:117db924cf7c | 10018 | #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) |
wolfSSL | 15:117db924cf7c | 10019 | if (XSTRNCMP(cipherInfo, kEncTypeAesCbc256, XSTRLEN(kEncTypeAesCbc256)) == 0) { |
wolfSSL | 15:117db924cf7c | 10020 | info->cipherType = WC_CIPHER_AES_CBC; |
wolfSSL | 15:117db924cf7c | 10021 | info->keySz = AES_256_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 10022 | if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; |
wolfSSL | 15:117db924cf7c | 10023 | } |
wolfSSL | 15:117db924cf7c | 10024 | else |
wolfSSL | 15:117db924cf7c | 10025 | #endif |
wolfSSL | 15:117db924cf7c | 10026 | { |
wolfSSL | 15:117db924cf7c | 10027 | ret = NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 10028 | } |
wolfSSL | 15:117db924cf7c | 10029 | return ret; |
wolfSSL | 15:117db924cf7c | 10030 | } |
wolfSSL | 15:117db924cf7c | 10031 | |
wolfSSL | 16:8e0d178b1d1e | 10032 | int wc_EncryptedInfoParse(EncryptedInfo* info, char** pBuffer, size_t bufSz) |
wolfSSL | 15:117db924cf7c | 10033 | { |
wolfSSL | 15:117db924cf7c | 10034 | int err = 0; |
wolfSSL | 15:117db924cf7c | 10035 | char* bufferStart; |
wolfSSL | 15:117db924cf7c | 10036 | char* bufferEnd; |
wolfSSL | 15:117db924cf7c | 10037 | char* line; |
wolfSSL | 15:117db924cf7c | 10038 | word32 lineSz; |
wolfSSL | 15:117db924cf7c | 10039 | char* finish; |
wolfSSL | 15:117db924cf7c | 10040 | word32 finishSz; |
wolfSSL | 15:117db924cf7c | 10041 | char* start = NULL; |
wolfSSL | 15:117db924cf7c | 10042 | word32 startSz; |
wolfSSL | 15:117db924cf7c | 10043 | char* newline = NULL; |
wolfSSL | 15:117db924cf7c | 10044 | |
wolfSSL | 15:117db924cf7c | 10045 | if (info == NULL || pBuffer == NULL || bufSz == 0) |
wolfSSL | 15:117db924cf7c | 10046 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10047 | |
wolfSSL | 15:117db924cf7c | 10048 | bufferStart = *pBuffer; |
wolfSSL | 15:117db924cf7c | 10049 | bufferEnd = bufferStart + bufSz; |
wolfSSL | 15:117db924cf7c | 10050 | |
wolfSSL | 15:117db924cf7c | 10051 | /* find encrypted info marker */ |
wolfSSL | 15:117db924cf7c | 10052 | line = XSTRNSTR(bufferStart, kProcTypeHeader, |
wolfSSL | 15:117db924cf7c | 10053 | min((word32)bufSz, PEM_LINE_LEN)); |
wolfSSL | 15:117db924cf7c | 10054 | if (line != NULL) { |
wolfSSL | 15:117db924cf7c | 10055 | if (line >= bufferEnd) { |
wolfSSL | 15:117db924cf7c | 10056 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10057 | } |
wolfSSL | 15:117db924cf7c | 10058 | |
wolfSSL | 15:117db924cf7c | 10059 | lineSz = (word32)(bufferEnd - line); |
wolfSSL | 15:117db924cf7c | 10060 | |
wolfSSL | 15:117db924cf7c | 10061 | /* find DEC-Info marker */ |
wolfSSL | 15:117db924cf7c | 10062 | start = XSTRNSTR(line, kDecInfoHeader, min(lineSz, PEM_LINE_LEN)); |
wolfSSL | 15:117db924cf7c | 10063 | |
wolfSSL | 15:117db924cf7c | 10064 | if (start == NULL) |
wolfSSL | 15:117db924cf7c | 10065 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10066 | |
wolfSSL | 15:117db924cf7c | 10067 | /* skip dec-info and ": " */ |
wolfSSL | 15:117db924cf7c | 10068 | start += XSTRLEN(kDecInfoHeader); |
wolfSSL | 15:117db924cf7c | 10069 | if (start >= bufferEnd) |
wolfSSL | 15:117db924cf7c | 10070 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10071 | |
wolfSSL | 15:117db924cf7c | 10072 | if (start[0] == ':') { |
wolfSSL | 15:117db924cf7c | 10073 | start++; |
wolfSSL | 15:117db924cf7c | 10074 | if (start >= bufferEnd) |
wolfSSL | 15:117db924cf7c | 10075 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10076 | } |
wolfSSL | 15:117db924cf7c | 10077 | if (start[0] == ' ') |
wolfSSL | 15:117db924cf7c | 10078 | start++; |
wolfSSL | 15:117db924cf7c | 10079 | |
wolfSSL | 15:117db924cf7c | 10080 | startSz = (word32)(bufferEnd - start); |
wolfSSL | 15:117db924cf7c | 10081 | finish = XSTRNSTR(start, ",", min(startSz, PEM_LINE_LEN)); |
wolfSSL | 15:117db924cf7c | 10082 | |
wolfSSL | 15:117db924cf7c | 10083 | if ((start != NULL) && (finish != NULL) && (start < finish)) { |
wolfSSL | 15:117db924cf7c | 10084 | if (finish >= bufferEnd) { |
wolfSSL | 15:117db924cf7c | 10085 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10086 | } |
wolfSSL | 15:117db924cf7c | 10087 | |
wolfSSL | 15:117db924cf7c | 10088 | finishSz = (word32)(bufferEnd - finish); |
wolfSSL | 15:117db924cf7c | 10089 | newline = XSTRNSTR(finish, "\r", min(finishSz, PEM_LINE_LEN)); |
wolfSSL | 15:117db924cf7c | 10090 | |
wolfSSL | 15:117db924cf7c | 10091 | /* get cipher name */ |
wolfSSL | 15:117db924cf7c | 10092 | if (NAME_SZ < (finish - start)) /* buffer size of info->name */ |
wolfSSL | 15:117db924cf7c | 10093 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10094 | if (XMEMCPY(info->name, start, finish - start) == NULL) |
wolfSSL | 15:117db924cf7c | 10095 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10096 | info->name[finish - start] = '\0'; /* null term */ |
wolfSSL | 15:117db924cf7c | 10097 | |
wolfSSL | 16:8e0d178b1d1e | 10098 | /* populate info */ |
wolfSSL | 16:8e0d178b1d1e | 10099 | err = wc_EncryptedInfoGet(info, info->name); |
wolfSSL | 16:8e0d178b1d1e | 10100 | if (err != 0) |
wolfSSL | 16:8e0d178b1d1e | 10101 | return err; |
wolfSSL | 16:8e0d178b1d1e | 10102 | |
wolfSSL | 15:117db924cf7c | 10103 | /* get IV */ |
wolfSSL | 16:8e0d178b1d1e | 10104 | if (finishSz < info->ivSz + 1) |
wolfSSL | 15:117db924cf7c | 10105 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 10106 | |
wolfSSL | 16:8e0d178b1d1e | 10107 | if (newline == NULL) { |
wolfSSL | 15:117db924cf7c | 10108 | newline = XSTRNSTR(finish, "\n", min(finishSz, |
wolfSSL | 15:117db924cf7c | 10109 | PEM_LINE_LEN)); |
wolfSSL | 16:8e0d178b1d1e | 10110 | } |
wolfSSL | 15:117db924cf7c | 10111 | if ((newline != NULL) && (newline > finish)) { |
wolfSSL | 16:8e0d178b1d1e | 10112 | finish++; |
wolfSSL | 16:8e0d178b1d1e | 10113 | info->ivSz = (word32)(newline - finish); |
wolfSSL | 16:8e0d178b1d1e | 10114 | if (info->ivSz > IV_SZ) |
wolfSSL | 16:8e0d178b1d1e | 10115 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 10116 | if (XMEMCPY(info->iv, finish, info->ivSz) == NULL) |
wolfSSL | 16:8e0d178b1d1e | 10117 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10118 | info->set = 1; |
wolfSSL | 15:117db924cf7c | 10119 | } |
wolfSSL | 15:117db924cf7c | 10120 | else |
wolfSSL | 15:117db924cf7c | 10121 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10122 | } |
wolfSSL | 15:117db924cf7c | 10123 | else |
wolfSSL | 15:117db924cf7c | 10124 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10125 | |
wolfSSL | 16:8e0d178b1d1e | 10126 | /* eat end of line characters */ |
wolfSSL | 16:8e0d178b1d1e | 10127 | newline = SkipEndOfLineChars(newline, bufferEnd); |
wolfSSL | 15:117db924cf7c | 10128 | |
wolfSSL | 15:117db924cf7c | 10129 | /* return new headerEnd */ |
wolfSSL | 16:8e0d178b1d1e | 10130 | |
wolfSSL | 16:8e0d178b1d1e | 10131 | *pBuffer = newline; |
wolfSSL | 15:117db924cf7c | 10132 | } |
wolfSSL | 15:117db924cf7c | 10133 | |
wolfSSL | 15:117db924cf7c | 10134 | return err; |
wolfSSL | 15:117db924cf7c | 10135 | } |
wolfSSL | 15:117db924cf7c | 10136 | #endif /* WOLFSSL_PEM_TO_DER */ |
wolfSSL | 15:117db924cf7c | 10137 | |
wolfSSL | 15:117db924cf7c | 10138 | #ifdef WOLFSSL_DER_TO_PEM |
wolfSSL | 16:8e0d178b1d1e | 10139 | static int wc_EncryptedInfoAppend(char* dest, int destSz, char* cipherInfo) |
wolfSSL | 15:117db924cf7c | 10140 | { |
wolfSSL | 15:117db924cf7c | 10141 | if (cipherInfo != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 10142 | int cipherInfoStrLen = (int)XSTRLEN((char*)cipherInfo); |
wolfSSL | 16:8e0d178b1d1e | 10143 | |
wolfSSL | 15:117db924cf7c | 10144 | if (cipherInfoStrLen > HEADER_ENCRYPTED_KEY_SIZE - (9+14+10+3)) |
wolfSSL | 15:117db924cf7c | 10145 | cipherInfoStrLen = HEADER_ENCRYPTED_KEY_SIZE - (9+14+10+3); |
wolfSSL | 15:117db924cf7c | 10146 | |
wolfSSL | 16:8e0d178b1d1e | 10147 | if (destSz - (int)XSTRLEN(dest) >= cipherInfoStrLen + (9+14+8+2+2+1)) { |
wolfSSL | 16:8e0d178b1d1e | 10148 | /* strncat's src length needs to include the NULL */ |
wolfSSL | 16:8e0d178b1d1e | 10149 | XSTRNCAT(dest, kProcTypeHeader, 10); |
wolfSSL | 16:8e0d178b1d1e | 10150 | XSTRNCAT(dest, ": 4,ENCRYPTED\n", 15); |
wolfSSL | 16:8e0d178b1d1e | 10151 | XSTRNCAT(dest, kDecInfoHeader, 9); |
wolfSSL | 16:8e0d178b1d1e | 10152 | XSTRNCAT(dest, ": ", 3); |
wolfSSL | 16:8e0d178b1d1e | 10153 | XSTRNCAT(dest, cipherInfo, destSz - (int)XSTRLEN(dest) - 1); |
wolfSSL | 16:8e0d178b1d1e | 10154 | XSTRNCAT(dest, "\n\n", 4); |
wolfSSL | 16:8e0d178b1d1e | 10155 | } |
wolfSSL | 15:117db924cf7c | 10156 | } |
wolfSSL | 15:117db924cf7c | 10157 | return 0; |
wolfSSL | 15:117db924cf7c | 10158 | } |
wolfSSL | 15:117db924cf7c | 10159 | #endif /* WOLFSSL_DER_TO_PEM */ |
wolfSSL | 15:117db924cf7c | 10160 | #endif /* WOLFSSL_ENCRYPTED_KEYS */ |
wolfSSL | 15:117db924cf7c | 10161 | |
wolfSSL | 15:117db924cf7c | 10162 | #ifdef WOLFSSL_DER_TO_PEM |
wolfSSL | 15:117db924cf7c | 10163 | |
wolfSSL | 15:117db924cf7c | 10164 | /* Used for compatibility API */ |
wolfSSL | 15:117db924cf7c | 10165 | int wc_DerToPem(const byte* der, word32 derSz, |
wolfSSL | 15:117db924cf7c | 10166 | byte* output, word32 outSz, int type) |
wolfSSL | 15:117db924cf7c | 10167 | { |
wolfSSL | 15:117db924cf7c | 10168 | return wc_DerToPemEx(der, derSz, output, outSz, NULL, type); |
wolfSSL | 15:117db924cf7c | 10169 | } |
wolfSSL | 15:117db924cf7c | 10170 | |
wolfSSL | 15:117db924cf7c | 10171 | /* convert der buffer to pem into output, can't do inplace, der and output |
wolfSSL | 15:117db924cf7c | 10172 | need to be different */ |
wolfSSL | 15:117db924cf7c | 10173 | int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, |
wolfSSL | 15:117db924cf7c | 10174 | byte *cipher_info, int type) |
wolfSSL | 15:117db924cf7c | 10175 | { |
wolfSSL | 15:117db924cf7c | 10176 | const char* headerStr = NULL; |
wolfSSL | 15:117db924cf7c | 10177 | const char* footerStr = NULL; |
wolfSSL | 15:117db924cf7c | 10178 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10179 | char* header = NULL; |
wolfSSL | 15:117db924cf7c | 10180 | char* footer = NULL; |
wolfSSL | 15:117db924cf7c | 10181 | #else |
wolfSSL | 15:117db924cf7c | 10182 | char header[MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE]; |
wolfSSL | 15:117db924cf7c | 10183 | char footer[MAX_X509_HEADER_SZ]; |
wolfSSL | 15:117db924cf7c | 10184 | #endif |
wolfSSL | 15:117db924cf7c | 10185 | int headerLen = MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 10186 | int footerLen = MAX_X509_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 10187 | int i; |
wolfSSL | 15:117db924cf7c | 10188 | int err; |
wolfSSL | 15:117db924cf7c | 10189 | int outLen; /* return length or error */ |
wolfSSL | 15:117db924cf7c | 10190 | |
wolfSSL | 15:117db924cf7c | 10191 | (void)cipher_info; |
wolfSSL | 15:117db924cf7c | 10192 | |
wolfSSL | 15:117db924cf7c | 10193 | if (der == output) /* no in place conversion */ |
wolfSSL | 15:117db924cf7c | 10194 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10195 | |
wolfSSL | 15:117db924cf7c | 10196 | err = wc_PemGetHeaderFooter(type, &headerStr, &footerStr); |
wolfSSL | 15:117db924cf7c | 10197 | if (err != 0) |
wolfSSL | 15:117db924cf7c | 10198 | return err; |
wolfSSL | 15:117db924cf7c | 10199 | |
wolfSSL | 15:117db924cf7c | 10200 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10201 | header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10202 | if (header == NULL) |
wolfSSL | 15:117db924cf7c | 10203 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10204 | |
wolfSSL | 15:117db924cf7c | 10205 | footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10206 | if (footer == NULL) { |
wolfSSL | 15:117db924cf7c | 10207 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10208 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10209 | } |
wolfSSL | 15:117db924cf7c | 10210 | #endif |
wolfSSL | 15:117db924cf7c | 10211 | |
wolfSSL | 15:117db924cf7c | 10212 | /* build header and footer based on type */ |
wolfSSL | 16:8e0d178b1d1e | 10213 | XSTRNCPY(header, headerStr, headerLen - 1); |
wolfSSL | 16:8e0d178b1d1e | 10214 | header[headerLen - 2] = 0; |
wolfSSL | 16:8e0d178b1d1e | 10215 | XSTRNCPY(footer, footerStr, footerLen - 1); |
wolfSSL | 16:8e0d178b1d1e | 10216 | footer[footerLen - 2] = 0; |
wolfSSL | 15:117db924cf7c | 10217 | |
wolfSSL | 15:117db924cf7c | 10218 | /* add new line to end */ |
wolfSSL | 15:117db924cf7c | 10219 | XSTRNCAT(header, "\n", 2); |
wolfSSL | 15:117db924cf7c | 10220 | XSTRNCAT(footer, "\n", 2); |
wolfSSL | 15:117db924cf7c | 10221 | |
wolfSSL | 15:117db924cf7c | 10222 | #ifdef WOLFSSL_ENCRYPTED_KEYS |
wolfSSL | 16:8e0d178b1d1e | 10223 | err = wc_EncryptedInfoAppend(header, headerLen, (char*)cipher_info); |
wolfSSL | 15:117db924cf7c | 10224 | if (err != 0) { |
wolfSSL | 15:117db924cf7c | 10225 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10226 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10227 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10228 | #endif |
wolfSSL | 15:117db924cf7c | 10229 | return err; |
wolfSSL | 15:117db924cf7c | 10230 | } |
wolfSSL | 15:117db924cf7c | 10231 | #endif |
wolfSSL | 15:117db924cf7c | 10232 | |
wolfSSL | 15:117db924cf7c | 10233 | headerLen = (int)XSTRLEN(header); |
wolfSSL | 15:117db924cf7c | 10234 | footerLen = (int)XSTRLEN(footer); |
wolfSSL | 15:117db924cf7c | 10235 | |
wolfSSL | 15:117db924cf7c | 10236 | /* if null output and 0 size passed in then return size needed */ |
wolfSSL | 15:117db924cf7c | 10237 | if (!output && outSz == 0) { |
wolfSSL | 15:117db924cf7c | 10238 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10239 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10240 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10241 | #endif |
wolfSSL | 15:117db924cf7c | 10242 | outLen = 0; |
wolfSSL | 15:117db924cf7c | 10243 | if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen)) |
wolfSSL | 15:117db924cf7c | 10244 | != LENGTH_ONLY_E) { |
wolfSSL | 15:117db924cf7c | 10245 | return err; |
wolfSSL | 15:117db924cf7c | 10246 | } |
wolfSSL | 15:117db924cf7c | 10247 | return headerLen + footerLen + outLen; |
wolfSSL | 15:117db924cf7c | 10248 | } |
wolfSSL | 15:117db924cf7c | 10249 | |
wolfSSL | 15:117db924cf7c | 10250 | if (!der || !output) { |
wolfSSL | 15:117db924cf7c | 10251 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10252 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10253 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10254 | #endif |
wolfSSL | 15:117db924cf7c | 10255 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10256 | } |
wolfSSL | 15:117db924cf7c | 10257 | |
wolfSSL | 15:117db924cf7c | 10258 | /* don't even try if outSz too short */ |
wolfSSL | 15:117db924cf7c | 10259 | if (outSz < headerLen + footerLen + derSz) { |
wolfSSL | 15:117db924cf7c | 10260 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10261 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10262 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10263 | #endif |
wolfSSL | 15:117db924cf7c | 10264 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10265 | } |
wolfSSL | 15:117db924cf7c | 10266 | |
wolfSSL | 15:117db924cf7c | 10267 | /* header */ |
wolfSSL | 15:117db924cf7c | 10268 | XMEMCPY(output, header, headerLen); |
wolfSSL | 15:117db924cf7c | 10269 | i = headerLen; |
wolfSSL | 15:117db924cf7c | 10270 | |
wolfSSL | 15:117db924cf7c | 10271 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10272 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10273 | #endif |
wolfSSL | 15:117db924cf7c | 10274 | |
wolfSSL | 15:117db924cf7c | 10275 | /* body */ |
wolfSSL | 15:117db924cf7c | 10276 | outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */ |
wolfSSL | 15:117db924cf7c | 10277 | if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) { |
wolfSSL | 15:117db924cf7c | 10278 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10279 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10280 | #endif |
wolfSSL | 15:117db924cf7c | 10281 | return err; |
wolfSSL | 15:117db924cf7c | 10282 | } |
wolfSSL | 15:117db924cf7c | 10283 | i += outLen; |
wolfSSL | 15:117db924cf7c | 10284 | |
wolfSSL | 15:117db924cf7c | 10285 | /* footer */ |
wolfSSL | 15:117db924cf7c | 10286 | if ( (i + footerLen) > (int)outSz) { |
wolfSSL | 15:117db924cf7c | 10287 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10288 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10289 | #endif |
wolfSSL | 15:117db924cf7c | 10290 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10291 | } |
wolfSSL | 15:117db924cf7c | 10292 | XMEMCPY(output + i, footer, footerLen); |
wolfSSL | 15:117db924cf7c | 10293 | |
wolfSSL | 15:117db924cf7c | 10294 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10295 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10296 | #endif |
wolfSSL | 15:117db924cf7c | 10297 | |
wolfSSL | 15:117db924cf7c | 10298 | return outLen + headerLen + footerLen; |
wolfSSL | 15:117db924cf7c | 10299 | } |
wolfSSL | 15:117db924cf7c | 10300 | |
wolfSSL | 15:117db924cf7c | 10301 | #endif /* WOLFSSL_DER_TO_PEM */ |
wolfSSL | 15:117db924cf7c | 10302 | |
wolfSSL | 15:117db924cf7c | 10303 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 10304 | |
wolfSSL | 15:117db924cf7c | 10305 | /* Remove PEM header/footer, convert to ASN1, store any encrypted data |
wolfSSL | 15:117db924cf7c | 10306 | info->consumed tracks of PEM bytes consumed in case multiple parts */ |
wolfSSL | 15:117db924cf7c | 10307 | int PemToDer(const unsigned char* buff, long longSz, int type, |
wolfSSL | 16:8e0d178b1d1e | 10308 | DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat) |
wolfSSL | 15:117db924cf7c | 10309 | { |
wolfSSL | 15:117db924cf7c | 10310 | const char* header = NULL; |
wolfSSL | 15:117db924cf7c | 10311 | const char* footer = NULL; |
wolfSSL | 15:117db924cf7c | 10312 | char* headerEnd; |
wolfSSL | 15:117db924cf7c | 10313 | char* footerEnd; |
wolfSSL | 15:117db924cf7c | 10314 | char* consumedEnd; |
wolfSSL | 15:117db924cf7c | 10315 | char* bufferEnd = (char*)(buff + longSz); |
wolfSSL | 15:117db924cf7c | 10316 | long neededSz; |
wolfSSL | 15:117db924cf7c | 10317 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 10318 | int sz = (int)longSz; |
wolfSSL | 15:117db924cf7c | 10319 | int encrypted_key = 0; |
wolfSSL | 15:117db924cf7c | 10320 | DerBuffer* der; |
wolfSSL | 16:8e0d178b1d1e | 10321 | #if defined(HAVE_PKCS8) || defined(WOLFSSL_ENCRYPTED_KEYS) |
wolfSSL | 16:8e0d178b1d1e | 10322 | word32 algId = 0; |
wolfSSL | 16:8e0d178b1d1e | 10323 | #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_WOLFSSL_SKIP_TRAILING_PAD) |
wolfSSL | 16:8e0d178b1d1e | 10324 | int padVal = 0; |
wolfSSL | 16:8e0d178b1d1e | 10325 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10326 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10327 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 10328 | char beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ |
wolfSSL | 16:8e0d178b1d1e | 10329 | char endBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ |
wolfSSL | 16:8e0d178b1d1e | 10330 | #endif |
wolfSSL | 15:117db924cf7c | 10331 | |
wolfSSL | 15:117db924cf7c | 10332 | WOLFSSL_ENTER("PemToDer"); |
wolfSSL | 15:117db924cf7c | 10333 | |
wolfSSL | 15:117db924cf7c | 10334 | /* get PEM header and footer based on type */ |
wolfSSL | 15:117db924cf7c | 10335 | ret = wc_PemGetHeaderFooter(type, &header, &footer); |
wolfSSL | 15:117db924cf7c | 10336 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 10337 | return ret; |
wolfSSL | 15:117db924cf7c | 10338 | |
wolfSSL | 15:117db924cf7c | 10339 | /* map header if not found for type */ |
wolfSSL | 15:117db924cf7c | 10340 | for (;;) { |
wolfSSL | 15:117db924cf7c | 10341 | headerEnd = XSTRNSTR((char*)buff, header, sz); |
wolfSSL | 15:117db924cf7c | 10342 | |
wolfSSL | 16:8e0d178b1d1e | 10343 | if (headerEnd) { |
wolfSSL | 15:117db924cf7c | 10344 | break; |
wolfSSL | 15:117db924cf7c | 10345 | } else |
wolfSSL | 16:8e0d178b1d1e | 10346 | if (type == PRIVATEKEY_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 10347 | if (header == BEGIN_RSA_PRIV) { |
wolfSSL | 16:8e0d178b1d1e | 10348 | header = BEGIN_PRIV_KEY; footer = END_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 10349 | } else |
wolfSSL | 16:8e0d178b1d1e | 10350 | if (header == BEGIN_PRIV_KEY) { |
wolfSSL | 16:8e0d178b1d1e | 10351 | header = BEGIN_ENC_PRIV_KEY; footer = END_ENC_PRIV_KEY; |
wolfSSL | 16:8e0d178b1d1e | 10352 | } else |
wolfSSL | 16:8e0d178b1d1e | 10353 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 10354 | if (header == BEGIN_ENC_PRIV_KEY) { |
wolfSSL | 16:8e0d178b1d1e | 10355 | header = BEGIN_EC_PRIV; footer = END_EC_PRIV; |
wolfSSL | 16:8e0d178b1d1e | 10356 | } else |
wolfSSL | 16:8e0d178b1d1e | 10357 | if (header == BEGIN_EC_PRIV) { |
wolfSSL | 16:8e0d178b1d1e | 10358 | header = BEGIN_DSA_PRIV; footer = END_DSA_PRIV; |
wolfSSL | 16:8e0d178b1d1e | 10359 | } else |
wolfSSL | 16:8e0d178b1d1e | 10360 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10361 | #if defined(HAVE_ED25519) || defined(HAVE_ED448) |
wolfSSL | 16:8e0d178b1d1e | 10362 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 10363 | if (header == BEGIN_DSA_PRIV) |
wolfSSL | 16:8e0d178b1d1e | 10364 | #else |
wolfSSL | 16:8e0d178b1d1e | 10365 | if (header == BEGIN_ENC_PRIV_KEY) |
wolfSSL | 16:8e0d178b1d1e | 10366 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10367 | { |
wolfSSL | 16:8e0d178b1d1e | 10368 | header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV; |
wolfSSL | 16:8e0d178b1d1e | 10369 | } else |
wolfSSL | 16:8e0d178b1d1e | 10370 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10371 | { |
wolfSSL | 16:8e0d178b1d1e | 10372 | break; |
wolfSSL | 16:8e0d178b1d1e | 10373 | } |
wolfSSL | 15:117db924cf7c | 10374 | } else |
wolfSSL | 15:117db924cf7c | 10375 | #ifdef HAVE_CRL |
wolfSSL | 16:8e0d178b1d1e | 10376 | if ((type == CRL_TYPE) && (header != BEGIN_CRL)) { |
wolfSSL | 16:8e0d178b1d1e | 10377 | header = BEGIN_CRL; footer = END_CRL; |
wolfSSL | 15:117db924cf7c | 10378 | } else |
wolfSSL | 15:117db924cf7c | 10379 | #endif |
wolfSSL | 15:117db924cf7c | 10380 | { |
wolfSSL | 15:117db924cf7c | 10381 | break; |
wolfSSL | 15:117db924cf7c | 10382 | } |
wolfSSL | 15:117db924cf7c | 10383 | } |
wolfSSL | 15:117db924cf7c | 10384 | |
wolfSSL | 15:117db924cf7c | 10385 | if (!headerEnd) { |
wolfSSL | 16:8e0d178b1d1e | 10386 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 10387 | char* beginEnd; |
wolfSSL | 16:8e0d178b1d1e | 10388 | int endLen; |
wolfSSL | 16:8e0d178b1d1e | 10389 | /* see if there is a -----BEGIN * PRIVATE KEY----- header */ |
wolfSSL | 16:8e0d178b1d1e | 10390 | headerEnd = XSTRNSTR((char*)buff, PRIV_KEY_SUFFIX, sz); |
wolfSSL | 16:8e0d178b1d1e | 10391 | if (headerEnd) { |
wolfSSL | 16:8e0d178b1d1e | 10392 | beginEnd = headerEnd + XSTR_SIZEOF(PRIV_KEY_SUFFIX); |
wolfSSL | 16:8e0d178b1d1e | 10393 | /* back up to BEGIN_PRIV_KEY_PREFIX */ |
wolfSSL | 16:8e0d178b1d1e | 10394 | headerEnd -= XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX); |
wolfSSL | 16:8e0d178b1d1e | 10395 | while (headerEnd > (char*)buff && |
wolfSSL | 16:8e0d178b1d1e | 10396 | XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX, |
wolfSSL | 16:8e0d178b1d1e | 10397 | XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 10398 | headerEnd--; |
wolfSSL | 16:8e0d178b1d1e | 10399 | } |
wolfSSL | 16:8e0d178b1d1e | 10400 | if (headerEnd <= (char*)buff || |
wolfSSL | 16:8e0d178b1d1e | 10401 | XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX, |
wolfSSL | 16:8e0d178b1d1e | 10402 | XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 || |
wolfSSL | 16:8e0d178b1d1e | 10403 | beginEnd - headerEnd > PEM_LINE_LEN) { |
wolfSSL | 16:8e0d178b1d1e | 10404 | WOLFSSL_MSG("Couldn't find PEM header"); |
wolfSSL | 16:8e0d178b1d1e | 10405 | return ASN_NO_PEM_HEADER; |
wolfSSL | 16:8e0d178b1d1e | 10406 | } |
wolfSSL | 16:8e0d178b1d1e | 10407 | /* headerEnd now points to beginning of header */ |
wolfSSL | 16:8e0d178b1d1e | 10408 | XMEMCPY(beginBuf, headerEnd, beginEnd - headerEnd); |
wolfSSL | 16:8e0d178b1d1e | 10409 | beginBuf[beginEnd - headerEnd] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 10410 | /* look for matching footer */ |
wolfSSL | 16:8e0d178b1d1e | 10411 | footer = XSTRNSTR(beginEnd, |
wolfSSL | 16:8e0d178b1d1e | 10412 | beginBuf + XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX), |
wolfSSL | 16:8e0d178b1d1e | 10413 | (unsigned int)((char*)buff + sz - beginEnd)); |
wolfSSL | 16:8e0d178b1d1e | 10414 | if (!footer) { |
wolfSSL | 16:8e0d178b1d1e | 10415 | WOLFSSL_MSG("Couldn't find PEM footer"); |
wolfSSL | 16:8e0d178b1d1e | 10416 | return ASN_NO_PEM_HEADER; |
wolfSSL | 16:8e0d178b1d1e | 10417 | } |
wolfSSL | 16:8e0d178b1d1e | 10418 | footer -= XSTR_SIZEOF(END_PRIV_KEY_PREFIX); |
wolfSSL | 16:8e0d178b1d1e | 10419 | endLen = (unsigned int)(beginEnd - headerEnd - |
wolfSSL | 16:8e0d178b1d1e | 10420 | (XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX) - |
wolfSSL | 16:8e0d178b1d1e | 10421 | XSTR_SIZEOF(END_PRIV_KEY_PREFIX))); |
wolfSSL | 16:8e0d178b1d1e | 10422 | XMEMCPY(endBuf, footer, endLen); |
wolfSSL | 16:8e0d178b1d1e | 10423 | endBuf[endLen] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 10424 | |
wolfSSL | 16:8e0d178b1d1e | 10425 | header = beginBuf; |
wolfSSL | 16:8e0d178b1d1e | 10426 | footer = endBuf; |
wolfSSL | 16:8e0d178b1d1e | 10427 | headerEnd = beginEnd; |
wolfSSL | 16:8e0d178b1d1e | 10428 | } else { |
wolfSSL | 16:8e0d178b1d1e | 10429 | WOLFSSL_MSG("Couldn't find PEM header"); |
wolfSSL | 16:8e0d178b1d1e | 10430 | return ASN_NO_PEM_HEADER; |
wolfSSL | 16:8e0d178b1d1e | 10431 | } |
wolfSSL | 16:8e0d178b1d1e | 10432 | #else |
wolfSSL | 15:117db924cf7c | 10433 | WOLFSSL_MSG("Couldn't find PEM header"); |
wolfSSL | 15:117db924cf7c | 10434 | return ASN_NO_PEM_HEADER; |
wolfSSL | 16:8e0d178b1d1e | 10435 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10436 | } else { |
wolfSSL | 16:8e0d178b1d1e | 10437 | headerEnd += XSTRLEN(header); |
wolfSSL | 16:8e0d178b1d1e | 10438 | } |
wolfSSL | 16:8e0d178b1d1e | 10439 | |
wolfSSL | 16:8e0d178b1d1e | 10440 | /* eat end of line characters */ |
wolfSSL | 16:8e0d178b1d1e | 10441 | headerEnd = SkipEndOfLineChars(headerEnd, bufferEnd); |
wolfSSL | 15:117db924cf7c | 10442 | |
wolfSSL | 15:117db924cf7c | 10443 | if (type == PRIVATEKEY_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 10444 | /* keyFormat is Key_Sum enum */ |
wolfSSL | 16:8e0d178b1d1e | 10445 | if (keyFormat) { |
wolfSSL | 15:117db924cf7c | 10446 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 10447 | if (header == BEGIN_EC_PRIV) |
wolfSSL | 16:8e0d178b1d1e | 10448 | *keyFormat = ECDSAk; |
wolfSSL | 16:8e0d178b1d1e | 10449 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10450 | #if !defined(NO_DSA) |
wolfSSL | 16:8e0d178b1d1e | 10451 | if (header == BEGIN_DSA_PRIV) |
wolfSSL | 16:8e0d178b1d1e | 10452 | *keyFormat = DSAk; |
wolfSSL | 15:117db924cf7c | 10453 | #endif |
wolfSSL | 15:117db924cf7c | 10454 | } |
wolfSSL | 15:117db924cf7c | 10455 | } |
wolfSSL | 15:117db924cf7c | 10456 | |
wolfSSL | 15:117db924cf7c | 10457 | #ifdef WOLFSSL_ENCRYPTED_KEYS |
wolfSSL | 15:117db924cf7c | 10458 | if (info) { |
wolfSSL | 15:117db924cf7c | 10459 | ret = wc_EncryptedInfoParse(info, &headerEnd, bufferEnd - headerEnd); |
wolfSSL | 15:117db924cf7c | 10460 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 10461 | return ret; |
wolfSSL | 15:117db924cf7c | 10462 | if (info->set) |
wolfSSL | 15:117db924cf7c | 10463 | encrypted_key = 1; |
wolfSSL | 15:117db924cf7c | 10464 | } |
wolfSSL | 15:117db924cf7c | 10465 | #endif /* WOLFSSL_ENCRYPTED_KEYS */ |
wolfSSL | 15:117db924cf7c | 10466 | |
wolfSSL | 15:117db924cf7c | 10467 | /* find footer */ |
wolfSSL | 16:8e0d178b1d1e | 10468 | footerEnd = XSTRNSTR(headerEnd, footer, (unsigned int)((char*)buff + sz - headerEnd)); |
wolfSSL | 15:117db924cf7c | 10469 | if (!footerEnd) { |
wolfSSL | 15:117db924cf7c | 10470 | if (info) |
wolfSSL | 15:117db924cf7c | 10471 | info->consumed = longSz; /* No more certs if no footer */ |
wolfSSL | 15:117db924cf7c | 10472 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10473 | } |
wolfSSL | 15:117db924cf7c | 10474 | |
wolfSSL | 15:117db924cf7c | 10475 | consumedEnd = footerEnd + XSTRLEN(footer); |
wolfSSL | 15:117db924cf7c | 10476 | |
wolfSSL | 16:8e0d178b1d1e | 10477 | if (consumedEnd < bufferEnd) { /* handle no end of line on last line */ |
wolfSSL | 16:8e0d178b1d1e | 10478 | /* eat end of line characters */ |
wolfSSL | 16:8e0d178b1d1e | 10479 | consumedEnd = SkipEndOfLineChars(consumedEnd, bufferEnd); |
wolfSSL | 16:8e0d178b1d1e | 10480 | /* skip possible null term */ |
wolfSSL | 16:8e0d178b1d1e | 10481 | if (consumedEnd < bufferEnd && consumedEnd[0] == '\0') |
wolfSSL | 15:117db924cf7c | 10482 | consumedEnd++; |
wolfSSL | 15:117db924cf7c | 10483 | } |
wolfSSL | 15:117db924cf7c | 10484 | |
wolfSSL | 15:117db924cf7c | 10485 | if (info) |
wolfSSL | 15:117db924cf7c | 10486 | info->consumed = (long)(consumedEnd - (char*)buff); |
wolfSSL | 15:117db924cf7c | 10487 | |
wolfSSL | 15:117db924cf7c | 10488 | /* set up der buffer */ |
wolfSSL | 15:117db924cf7c | 10489 | neededSz = (long)(footerEnd - headerEnd); |
wolfSSL | 15:117db924cf7c | 10490 | if (neededSz > sz || neededSz <= 0) |
wolfSSL | 15:117db924cf7c | 10491 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10492 | |
wolfSSL | 15:117db924cf7c | 10493 | ret = AllocDer(pDer, (word32)neededSz, type, heap); |
wolfSSL | 15:117db924cf7c | 10494 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 10495 | return ret; |
wolfSSL | 15:117db924cf7c | 10496 | } |
wolfSSL | 15:117db924cf7c | 10497 | der = *pDer; |
wolfSSL | 15:117db924cf7c | 10498 | |
wolfSSL | 15:117db924cf7c | 10499 | if (Base64_Decode((byte*)headerEnd, (word32)neededSz, |
wolfSSL | 15:117db924cf7c | 10500 | der->buffer, &der->length) < 0) |
wolfSSL | 15:117db924cf7c | 10501 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10502 | |
wolfSSL | 16:8e0d178b1d1e | 10503 | if ((header == BEGIN_PRIV_KEY |
wolfSSL | 16:8e0d178b1d1e | 10504 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 10505 | || header == beginBuf |
wolfSSL | 16:8e0d178b1d1e | 10506 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10507 | #ifdef HAVE_ECC |
wolfSSL | 16:8e0d178b1d1e | 10508 | || header == BEGIN_EC_PRIV |
wolfSSL | 16:8e0d178b1d1e | 10509 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10510 | ) && !encrypted_key) |
wolfSSL | 16:8e0d178b1d1e | 10511 | { |
wolfSSL | 16:8e0d178b1d1e | 10512 | #ifdef HAVE_PKCS8 |
wolfSSL | 15:117db924cf7c | 10513 | /* pkcs8 key, convert and adjust length */ |
wolfSSL | 16:8e0d178b1d1e | 10514 | if ((ret = ToTraditional_ex(der->buffer, der->length, &algId)) > 0) { |
wolfSSL | 16:8e0d178b1d1e | 10515 | der->length = ret; |
wolfSSL | 16:8e0d178b1d1e | 10516 | if (keyFormat) { |
wolfSSL | 16:8e0d178b1d1e | 10517 | *keyFormat = algId; |
wolfSSL | 16:8e0d178b1d1e | 10518 | } |
wolfSSL | 16:8e0d178b1d1e | 10519 | } |
wolfSSL | 16:8e0d178b1d1e | 10520 | else { |
wolfSSL | 16:8e0d178b1d1e | 10521 | /* ignore failure here and assume key is not pkcs8 wrapped */ |
wolfSSL | 16:8e0d178b1d1e | 10522 | } |
wolfSSL | 16:8e0d178b1d1e | 10523 | #endif |
wolfSSL | 16:8e0d178b1d1e | 10524 | |
wolfSSL | 15:117db924cf7c | 10525 | return 0; |
wolfSSL | 15:117db924cf7c | 10526 | } |
wolfSSL | 15:117db924cf7c | 10527 | |
wolfSSL | 15:117db924cf7c | 10528 | #ifdef WOLFSSL_ENCRYPTED_KEYS |
wolfSSL | 15:117db924cf7c | 10529 | if (encrypted_key || header == BEGIN_ENC_PRIV_KEY) { |
wolfSSL | 15:117db924cf7c | 10530 | int passwordSz = NAME_SZ; |
wolfSSL | 15:117db924cf7c | 10531 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10532 | char* password = NULL; |
wolfSSL | 15:117db924cf7c | 10533 | #else |
wolfSSL | 15:117db924cf7c | 10534 | char password[NAME_SZ]; |
wolfSSL | 15:117db924cf7c | 10535 | #endif |
wolfSSL | 15:117db924cf7c | 10536 | |
wolfSSL | 15:117db924cf7c | 10537 | if (!info || !info->passwd_cb) { |
wolfSSL | 15:117db924cf7c | 10538 | WOLFSSL_MSG("No password callback set"); |
wolfSSL | 15:117db924cf7c | 10539 | return NO_PASSWORD; |
wolfSSL | 15:117db924cf7c | 10540 | } |
wolfSSL | 15:117db924cf7c | 10541 | |
wolfSSL | 15:117db924cf7c | 10542 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10543 | password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING); |
wolfSSL | 15:117db924cf7c | 10544 | if (password == NULL) |
wolfSSL | 15:117db924cf7c | 10545 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10546 | #endif |
wolfSSL | 15:117db924cf7c | 10547 | |
wolfSSL | 15:117db924cf7c | 10548 | /* get password */ |
wolfSSL | 15:117db924cf7c | 10549 | ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ, |
wolfSSL | 15:117db924cf7c | 10550 | info->passwd_userdata); |
wolfSSL | 15:117db924cf7c | 10551 | if (ret >= 0) { |
wolfSSL | 15:117db924cf7c | 10552 | passwordSz = ret; |
wolfSSL | 15:117db924cf7c | 10553 | |
wolfSSL | 15:117db924cf7c | 10554 | /* convert and adjust length */ |
wolfSSL | 15:117db924cf7c | 10555 | if (header == BEGIN_ENC_PRIV_KEY) { |
wolfSSL | 15:117db924cf7c | 10556 | #ifndef NO_PWDBASED |
wolfSSL | 15:117db924cf7c | 10557 | ret = ToTraditionalEnc(der->buffer, der->length, |
wolfSSL | 16:8e0d178b1d1e | 10558 | password, passwordSz, &algId); |
wolfSSL | 15:117db924cf7c | 10559 | |
wolfSSL | 15:117db924cf7c | 10560 | if (ret >= 0) { |
wolfSSL | 15:117db924cf7c | 10561 | der->length = ret; |
wolfSSL | 16:8e0d178b1d1e | 10562 | if (keyFormat) { |
wolfSSL | 16:8e0d178b1d1e | 10563 | *keyFormat = algId; |
wolfSSL | 16:8e0d178b1d1e | 10564 | } |
wolfSSL | 16:8e0d178b1d1e | 10565 | ret = 0; |
wolfSSL | 15:117db924cf7c | 10566 | } |
wolfSSL | 15:117db924cf7c | 10567 | #else |
wolfSSL | 15:117db924cf7c | 10568 | ret = NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 10569 | #endif |
wolfSSL | 15:117db924cf7c | 10570 | } |
wolfSSL | 15:117db924cf7c | 10571 | /* decrypt the key */ |
wolfSSL | 15:117db924cf7c | 10572 | else { |
wolfSSL | 16:8e0d178b1d1e | 10573 | if (passwordSz == 0) { |
wolfSSL | 16:8e0d178b1d1e | 10574 | /* The key is encrypted but does not have a password */ |
wolfSSL | 16:8e0d178b1d1e | 10575 | WOLFSSL_MSG("No password for encrypted key"); |
wolfSSL | 16:8e0d178b1d1e | 10576 | ret = NO_PASSWORD; |
wolfSSL | 16:8e0d178b1d1e | 10577 | } |
wolfSSL | 16:8e0d178b1d1e | 10578 | else { |
wolfSSL | 16:8e0d178b1d1e | 10579 | ret = wc_BufferKeyDecrypt(info, der->buffer, der->length, |
wolfSSL | 16:8e0d178b1d1e | 10580 | (byte*)password, passwordSz, WC_MD5); |
wolfSSL | 16:8e0d178b1d1e | 10581 | |
wolfSSL | 16:8e0d178b1d1e | 10582 | #ifndef NO_WOLFSSL_SKIP_TRAILING_PAD |
wolfSSL | 16:8e0d178b1d1e | 10583 | #ifndef NO_DES3 |
wolfSSL | 16:8e0d178b1d1e | 10584 | if (info->cipherType == WC_CIPHER_DES3) { |
wolfSSL | 16:8e0d178b1d1e | 10585 | padVal = der->buffer[der->length-1]; |
wolfSSL | 16:8e0d178b1d1e | 10586 | if (padVal <= DES_BLOCK_SIZE) { |
wolfSSL | 16:8e0d178b1d1e | 10587 | der->length -= padVal; |
wolfSSL | 16:8e0d178b1d1e | 10588 | } |
wolfSSL | 16:8e0d178b1d1e | 10589 | } |
wolfSSL | 16:8e0d178b1d1e | 10590 | #endif /* !NO_DES3 */ |
wolfSSL | 16:8e0d178b1d1e | 10591 | #endif /* !NO_WOLFSSL_SKIP_TRAILING_PAD */ |
wolfSSL | 16:8e0d178b1d1e | 10592 | } |
wolfSSL | 16:8e0d178b1d1e | 10593 | } |
wolfSSL | 16:8e0d178b1d1e | 10594 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 10595 | if (ret) { |
wolfSSL | 16:8e0d178b1d1e | 10596 | PEMerr(0, PEM_R_BAD_DECRYPT); |
wolfSSL | 16:8e0d178b1d1e | 10597 | } |
wolfSSL | 16:8e0d178b1d1e | 10598 | #endif |
wolfSSL | 15:117db924cf7c | 10599 | ForceZero(password, passwordSz); |
wolfSSL | 15:117db924cf7c | 10600 | } |
wolfSSL | 16:8e0d178b1d1e | 10601 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 10602 | else { |
wolfSSL | 16:8e0d178b1d1e | 10603 | PEMerr(0, PEM_R_BAD_PASSWORD_READ); |
wolfSSL | 16:8e0d178b1d1e | 10604 | } |
wolfSSL | 16:8e0d178b1d1e | 10605 | #endif |
wolfSSL | 15:117db924cf7c | 10606 | |
wolfSSL | 15:117db924cf7c | 10607 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10608 | XFREE(password, heap, DYNAMIC_TYPE_STRING); |
wolfSSL | 15:117db924cf7c | 10609 | #endif |
wolfSSL | 15:117db924cf7c | 10610 | } |
wolfSSL | 15:117db924cf7c | 10611 | #endif /* WOLFSSL_ENCRYPTED_KEYS */ |
wolfSSL | 15:117db924cf7c | 10612 | |
wolfSSL | 15:117db924cf7c | 10613 | return ret; |
wolfSSL | 15:117db924cf7c | 10614 | } |
wolfSSL | 15:117db924cf7c | 10615 | |
wolfSSL | 15:117db924cf7c | 10616 | int wc_PemToDer(const unsigned char* buff, long longSz, int type, |
wolfSSL | 15:117db924cf7c | 10617 | DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey) |
wolfSSL | 15:117db924cf7c | 10618 | { |
wolfSSL | 15:117db924cf7c | 10619 | return PemToDer(buff, longSz, type, pDer, heap, info, eccKey); |
wolfSSL | 15:117db924cf7c | 10620 | } |
wolfSSL | 15:117db924cf7c | 10621 | |
wolfSSL | 15:117db924cf7c | 10622 | |
wolfSSL | 15:117db924cf7c | 10623 | /* our KeyPemToDer password callback, password in userData */ |
wolfSSL | 15:117db924cf7c | 10624 | static WC_INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata) |
wolfSSL | 15:117db924cf7c | 10625 | { |
wolfSSL | 15:117db924cf7c | 10626 | (void)rw; |
wolfSSL | 15:117db924cf7c | 10627 | |
wolfSSL | 15:117db924cf7c | 10628 | if (userdata == NULL) |
wolfSSL | 15:117db924cf7c | 10629 | return 0; |
wolfSSL | 15:117db924cf7c | 10630 | |
wolfSSL | 15:117db924cf7c | 10631 | XSTRNCPY(passwd, (char*)userdata, sz); |
wolfSSL | 15:117db924cf7c | 10632 | return min((word32)sz, (word32)XSTRLEN((char*)userdata)); |
wolfSSL | 15:117db924cf7c | 10633 | } |
wolfSSL | 15:117db924cf7c | 10634 | |
wolfSSL | 15:117db924cf7c | 10635 | /* Return bytes written to buff or < 0 for error */ |
wolfSSL | 15:117db924cf7c | 10636 | int wc_KeyPemToDer(const unsigned char* pem, int pemSz, |
wolfSSL | 15:117db924cf7c | 10637 | unsigned char* buff, int buffSz, const char* pass) |
wolfSSL | 15:117db924cf7c | 10638 | { |
wolfSSL | 15:117db924cf7c | 10639 | int eccKey = 0; |
wolfSSL | 15:117db924cf7c | 10640 | int ret; |
wolfSSL | 15:117db924cf7c | 10641 | DerBuffer* der = NULL; |
wolfSSL | 15:117db924cf7c | 10642 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10643 | EncryptedInfo* info = NULL; |
wolfSSL | 15:117db924cf7c | 10644 | #else |
wolfSSL | 15:117db924cf7c | 10645 | EncryptedInfo info[1]; |
wolfSSL | 15:117db924cf7c | 10646 | #endif |
wolfSSL | 15:117db924cf7c | 10647 | |
wolfSSL | 15:117db924cf7c | 10648 | WOLFSSL_ENTER("wc_KeyPemToDer"); |
wolfSSL | 15:117db924cf7c | 10649 | |
wolfSSL | 15:117db924cf7c | 10650 | if (pem == NULL || buff == NULL || buffSz <= 0) { |
wolfSSL | 15:117db924cf7c | 10651 | WOLFSSL_MSG("Bad pem der args"); |
wolfSSL | 15:117db924cf7c | 10652 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10653 | } |
wolfSSL | 15:117db924cf7c | 10654 | |
wolfSSL | 15:117db924cf7c | 10655 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10656 | info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, |
wolfSSL | 15:117db924cf7c | 10657 | DYNAMIC_TYPE_ENCRYPTEDINFO); |
wolfSSL | 15:117db924cf7c | 10658 | if (info == NULL) |
wolfSSL | 15:117db924cf7c | 10659 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10660 | #endif |
wolfSSL | 15:117db924cf7c | 10661 | |
wolfSSL | 15:117db924cf7c | 10662 | XMEMSET(info, 0, sizeof(EncryptedInfo)); |
wolfSSL | 15:117db924cf7c | 10663 | info->passwd_cb = OurPasswordCb; |
wolfSSL | 15:117db924cf7c | 10664 | info->passwd_userdata = (void*)pass; |
wolfSSL | 15:117db924cf7c | 10665 | |
wolfSSL | 15:117db924cf7c | 10666 | ret = PemToDer(pem, pemSz, PRIVATEKEY_TYPE, &der, NULL, info, &eccKey); |
wolfSSL | 15:117db924cf7c | 10667 | |
wolfSSL | 15:117db924cf7c | 10668 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10669 | XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); |
wolfSSL | 15:117db924cf7c | 10670 | #endif |
wolfSSL | 15:117db924cf7c | 10671 | |
wolfSSL | 16:8e0d178b1d1e | 10672 | if (ret < 0 || der == NULL) { |
wolfSSL | 15:117db924cf7c | 10673 | WOLFSSL_MSG("Bad Pem To Der"); |
wolfSSL | 15:117db924cf7c | 10674 | } |
wolfSSL | 15:117db924cf7c | 10675 | else { |
wolfSSL | 15:117db924cf7c | 10676 | if (der->length <= (word32)buffSz) { |
wolfSSL | 15:117db924cf7c | 10677 | XMEMCPY(buff, der->buffer, der->length); |
wolfSSL | 15:117db924cf7c | 10678 | ret = der->length; |
wolfSSL | 15:117db924cf7c | 10679 | } |
wolfSSL | 15:117db924cf7c | 10680 | else { |
wolfSSL | 15:117db924cf7c | 10681 | WOLFSSL_MSG("Bad der length"); |
wolfSSL | 15:117db924cf7c | 10682 | ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10683 | } |
wolfSSL | 15:117db924cf7c | 10684 | } |
wolfSSL | 15:117db924cf7c | 10685 | |
wolfSSL | 15:117db924cf7c | 10686 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 10687 | return ret; |
wolfSSL | 15:117db924cf7c | 10688 | } |
wolfSSL | 15:117db924cf7c | 10689 | |
wolfSSL | 15:117db924cf7c | 10690 | |
wolfSSL | 15:117db924cf7c | 10691 | /* Return bytes written to buff or < 0 for error */ |
wolfSSL | 15:117db924cf7c | 10692 | int wc_CertPemToDer(const unsigned char* pem, int pemSz, |
wolfSSL | 15:117db924cf7c | 10693 | unsigned char* buff, int buffSz, int type) |
wolfSSL | 15:117db924cf7c | 10694 | { |
wolfSSL | 15:117db924cf7c | 10695 | int eccKey = 0; |
wolfSSL | 15:117db924cf7c | 10696 | int ret; |
wolfSSL | 15:117db924cf7c | 10697 | DerBuffer* der = NULL; |
wolfSSL | 15:117db924cf7c | 10698 | |
wolfSSL | 15:117db924cf7c | 10699 | WOLFSSL_ENTER("wc_CertPemToDer"); |
wolfSSL | 15:117db924cf7c | 10700 | |
wolfSSL | 15:117db924cf7c | 10701 | if (pem == NULL || buff == NULL || buffSz <= 0) { |
wolfSSL | 15:117db924cf7c | 10702 | WOLFSSL_MSG("Bad pem der args"); |
wolfSSL | 15:117db924cf7c | 10703 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10704 | } |
wolfSSL | 15:117db924cf7c | 10705 | |
wolfSSL | 15:117db924cf7c | 10706 | if (type != CERT_TYPE && type != CA_TYPE && type != CERTREQ_TYPE) { |
wolfSSL | 15:117db924cf7c | 10707 | WOLFSSL_MSG("Bad cert type"); |
wolfSSL | 15:117db924cf7c | 10708 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10709 | } |
wolfSSL | 15:117db924cf7c | 10710 | |
wolfSSL | 15:117db924cf7c | 10711 | |
wolfSSL | 15:117db924cf7c | 10712 | ret = PemToDer(pem, pemSz, type, &der, NULL, NULL, &eccKey); |
wolfSSL | 16:8e0d178b1d1e | 10713 | if (ret < 0 || der == NULL) { |
wolfSSL | 15:117db924cf7c | 10714 | WOLFSSL_MSG("Bad Pem To Der"); |
wolfSSL | 15:117db924cf7c | 10715 | } |
wolfSSL | 15:117db924cf7c | 10716 | else { |
wolfSSL | 15:117db924cf7c | 10717 | if (der->length <= (word32)buffSz) { |
wolfSSL | 15:117db924cf7c | 10718 | XMEMCPY(buff, der->buffer, der->length); |
wolfSSL | 15:117db924cf7c | 10719 | ret = der->length; |
wolfSSL | 15:117db924cf7c | 10720 | } |
wolfSSL | 15:117db924cf7c | 10721 | else { |
wolfSSL | 15:117db924cf7c | 10722 | WOLFSSL_MSG("Bad der length"); |
wolfSSL | 15:117db924cf7c | 10723 | ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10724 | } |
wolfSSL | 15:117db924cf7c | 10725 | } |
wolfSSL | 15:117db924cf7c | 10726 | |
wolfSSL | 15:117db924cf7c | 10727 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 10728 | return ret; |
wolfSSL | 15:117db924cf7c | 10729 | } |
wolfSSL | 15:117db924cf7c | 10730 | |
wolfSSL | 15:117db924cf7c | 10731 | #endif /* WOLFSSL_PEM_TO_DER */ |
wolfSSL | 15:117db924cf7c | 10732 | #endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ |
wolfSSL | 15:117db924cf7c | 10733 | |
wolfSSL | 15:117db924cf7c | 10734 | |
wolfSSL | 15:117db924cf7c | 10735 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 10736 | #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER) |
wolfSSL | 15:117db924cf7c | 10737 | /* Return bytes written to buff or < 0 for error */ |
wolfSSL | 15:117db924cf7c | 10738 | int wc_PubKeyPemToDer(const unsigned char* pem, int pemSz, |
wolfSSL | 15:117db924cf7c | 10739 | unsigned char* buff, int buffSz) |
wolfSSL | 15:117db924cf7c | 10740 | { |
wolfSSL | 15:117db924cf7c | 10741 | int ret; |
wolfSSL | 15:117db924cf7c | 10742 | DerBuffer* der = NULL; |
wolfSSL | 15:117db924cf7c | 10743 | |
wolfSSL | 15:117db924cf7c | 10744 | WOLFSSL_ENTER("wc_PubKeyPemToDer"); |
wolfSSL | 15:117db924cf7c | 10745 | |
wolfSSL | 15:117db924cf7c | 10746 | if (pem == NULL || buff == NULL || buffSz <= 0) { |
wolfSSL | 15:117db924cf7c | 10747 | WOLFSSL_MSG("Bad pem der args"); |
wolfSSL | 15:117db924cf7c | 10748 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10749 | } |
wolfSSL | 15:117db924cf7c | 10750 | |
wolfSSL | 15:117db924cf7c | 10751 | ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL); |
wolfSSL | 16:8e0d178b1d1e | 10752 | if (ret < 0 || der == NULL) { |
wolfSSL | 15:117db924cf7c | 10753 | WOLFSSL_MSG("Bad Pem To Der"); |
wolfSSL | 15:117db924cf7c | 10754 | } |
wolfSSL | 15:117db924cf7c | 10755 | else { |
wolfSSL | 15:117db924cf7c | 10756 | if (der->length <= (word32)buffSz) { |
wolfSSL | 15:117db924cf7c | 10757 | XMEMCPY(buff, der->buffer, der->length); |
wolfSSL | 15:117db924cf7c | 10758 | ret = der->length; |
wolfSSL | 15:117db924cf7c | 10759 | } |
wolfSSL | 15:117db924cf7c | 10760 | else { |
wolfSSL | 15:117db924cf7c | 10761 | WOLFSSL_MSG("Bad der length"); |
wolfSSL | 15:117db924cf7c | 10762 | ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10763 | } |
wolfSSL | 15:117db924cf7c | 10764 | } |
wolfSSL | 15:117db924cf7c | 10765 | |
wolfSSL | 15:117db924cf7c | 10766 | FreeDer(&der); |
wolfSSL | 15:117db924cf7c | 10767 | return ret; |
wolfSSL | 15:117db924cf7c | 10768 | } |
wolfSSL | 15:117db924cf7c | 10769 | #endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */ |
wolfSSL | 15:117db924cf7c | 10770 | #endif /* WOLFSSL_PEM_TO_DER */ |
wolfSSL | 15:117db924cf7c | 10771 | |
wolfSSL | 15:117db924cf7c | 10772 | #ifndef NO_FILESYSTEM |
wolfSSL | 15:117db924cf7c | 10773 | |
wolfSSL | 15:117db924cf7c | 10774 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 10775 | /* load pem cert from file into der buffer, return der size or error */ |
wolfSSL | 15:117db924cf7c | 10776 | int wc_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) |
wolfSSL | 15:117db924cf7c | 10777 | { |
wolfSSL | 15:117db924cf7c | 10778 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10779 | byte staticBuffer[1]; /* force XMALLOC */ |
wolfSSL | 15:117db924cf7c | 10780 | #else |
wolfSSL | 15:117db924cf7c | 10781 | byte staticBuffer[FILE_BUFFER_SIZE]; |
wolfSSL | 15:117db924cf7c | 10782 | #endif |
wolfSSL | 15:117db924cf7c | 10783 | byte* fileBuf = staticBuffer; |
wolfSSL | 15:117db924cf7c | 10784 | int dynamic = 0; |
wolfSSL | 15:117db924cf7c | 10785 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 10786 | long sz = 0; |
wolfSSL | 16:8e0d178b1d1e | 10787 | XFILE file; |
wolfSSL | 15:117db924cf7c | 10788 | DerBuffer* converted = NULL; |
wolfSSL | 15:117db924cf7c | 10789 | |
wolfSSL | 15:117db924cf7c | 10790 | WOLFSSL_ENTER("wc_PemCertToDer"); |
wolfSSL | 15:117db924cf7c | 10791 | |
wolfSSL | 16:8e0d178b1d1e | 10792 | if (fileName == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 10793 | ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10794 | } |
wolfSSL | 15:117db924cf7c | 10795 | else { |
wolfSSL | 16:8e0d178b1d1e | 10796 | file = XFOPEN(fileName, "rb"); |
wolfSSL | 16:8e0d178b1d1e | 10797 | if (file == XBADFILE) { |
wolfSSL | 16:8e0d178b1d1e | 10798 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 10799 | } |
wolfSSL | 16:8e0d178b1d1e | 10800 | } |
wolfSSL | 16:8e0d178b1d1e | 10801 | |
wolfSSL | 16:8e0d178b1d1e | 10802 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 10803 | if(XFSEEK(file, 0, XSEEK_END) != 0) |
wolfSSL | 16:8e0d178b1d1e | 10804 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10805 | sz = XFTELL(file); |
wolfSSL | 15:117db924cf7c | 10806 | XREWIND(file); |
wolfSSL | 15:117db924cf7c | 10807 | |
wolfSSL | 15:117db924cf7c | 10808 | if (sz <= 0) { |
wolfSSL | 15:117db924cf7c | 10809 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10810 | } |
wolfSSL | 15:117db924cf7c | 10811 | else if (sz > (long)sizeof(staticBuffer)) { |
wolfSSL | 15:117db924cf7c | 10812 | #ifdef WOLFSSL_STATIC_MEMORY |
wolfSSL | 15:117db924cf7c | 10813 | WOLFSSL_MSG("File was larger then static buffer"); |
wolfSSL | 15:117db924cf7c | 10814 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10815 | #endif |
wolfSSL | 15:117db924cf7c | 10816 | fileBuf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE); |
wolfSSL | 15:117db924cf7c | 10817 | if (fileBuf == NULL) |
wolfSSL | 15:117db924cf7c | 10818 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10819 | else |
wolfSSL | 15:117db924cf7c | 10820 | dynamic = 1; |
wolfSSL | 15:117db924cf7c | 10821 | } |
wolfSSL | 15:117db924cf7c | 10822 | |
wolfSSL | 15:117db924cf7c | 10823 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 10824 | if ( (ret = (int)XFREAD(fileBuf, 1, sz, file)) != sz) { |
wolfSSL | 15:117db924cf7c | 10825 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10826 | } |
wolfSSL | 15:117db924cf7c | 10827 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 10828 | else { |
wolfSSL | 15:117db924cf7c | 10829 | ret = PemToDer(fileBuf, sz, CA_TYPE, &converted, 0, NULL,NULL); |
wolfSSL | 15:117db924cf7c | 10830 | } |
wolfSSL | 15:117db924cf7c | 10831 | #endif |
wolfSSL | 15:117db924cf7c | 10832 | |
wolfSSL | 15:117db924cf7c | 10833 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 10834 | if (converted->length < (word32)derSz) { |
wolfSSL | 15:117db924cf7c | 10835 | XMEMCPY(derBuf, converted->buffer, converted->length); |
wolfSSL | 15:117db924cf7c | 10836 | ret = converted->length; |
wolfSSL | 15:117db924cf7c | 10837 | } |
wolfSSL | 15:117db924cf7c | 10838 | else |
wolfSSL | 15:117db924cf7c | 10839 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10840 | } |
wolfSSL | 15:117db924cf7c | 10841 | |
wolfSSL | 15:117db924cf7c | 10842 | FreeDer(&converted); |
wolfSSL | 15:117db924cf7c | 10843 | } |
wolfSSL | 15:117db924cf7c | 10844 | |
wolfSSL | 15:117db924cf7c | 10845 | XFCLOSE(file); |
wolfSSL | 15:117db924cf7c | 10846 | if (dynamic) |
wolfSSL | 15:117db924cf7c | 10847 | XFREE(fileBuf, NULL, DYNAMIC_TYPE_FILE); |
wolfSSL | 15:117db924cf7c | 10848 | } |
wolfSSL | 15:117db924cf7c | 10849 | |
wolfSSL | 15:117db924cf7c | 10850 | return ret; |
wolfSSL | 15:117db924cf7c | 10851 | } |
wolfSSL | 15:117db924cf7c | 10852 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 10853 | |
wolfSSL | 15:117db924cf7c | 10854 | #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER) |
wolfSSL | 15:117db924cf7c | 10855 | /* load pem public key from file into der buffer, return der size or error */ |
wolfSSL | 15:117db924cf7c | 10856 | int wc_PemPubKeyToDer(const char* fileName, |
wolfSSL | 15:117db924cf7c | 10857 | unsigned char* derBuf, int derSz) |
wolfSSL | 15:117db924cf7c | 10858 | { |
wolfSSL | 15:117db924cf7c | 10859 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10860 | byte staticBuffer[1]; /* force XMALLOC */ |
wolfSSL | 15:117db924cf7c | 10861 | #else |
wolfSSL | 15:117db924cf7c | 10862 | byte staticBuffer[FILE_BUFFER_SIZE]; |
wolfSSL | 15:117db924cf7c | 10863 | #endif |
wolfSSL | 15:117db924cf7c | 10864 | byte* fileBuf = staticBuffer; |
wolfSSL | 15:117db924cf7c | 10865 | int dynamic = 0; |
wolfSSL | 15:117db924cf7c | 10866 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 10867 | long sz = 0; |
wolfSSL | 16:8e0d178b1d1e | 10868 | XFILE file; |
wolfSSL | 15:117db924cf7c | 10869 | DerBuffer* converted = NULL; |
wolfSSL | 15:117db924cf7c | 10870 | |
wolfSSL | 15:117db924cf7c | 10871 | WOLFSSL_ENTER("wc_PemPubKeyToDer"); |
wolfSSL | 15:117db924cf7c | 10872 | |
wolfSSL | 16:8e0d178b1d1e | 10873 | if (fileName == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 10874 | ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10875 | } |
wolfSSL | 15:117db924cf7c | 10876 | else { |
wolfSSL | 16:8e0d178b1d1e | 10877 | file = XFOPEN(fileName, "rb"); |
wolfSSL | 16:8e0d178b1d1e | 10878 | if (file == XBADFILE) { |
wolfSSL | 16:8e0d178b1d1e | 10879 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 10880 | } |
wolfSSL | 16:8e0d178b1d1e | 10881 | } |
wolfSSL | 16:8e0d178b1d1e | 10882 | |
wolfSSL | 16:8e0d178b1d1e | 10883 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 10884 | if(XFSEEK(file, 0, XSEEK_END) != 0) |
wolfSSL | 16:8e0d178b1d1e | 10885 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10886 | sz = XFTELL(file); |
wolfSSL | 15:117db924cf7c | 10887 | XREWIND(file); |
wolfSSL | 15:117db924cf7c | 10888 | |
wolfSSL | 15:117db924cf7c | 10889 | if (sz <= 0) { |
wolfSSL | 15:117db924cf7c | 10890 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10891 | } |
wolfSSL | 15:117db924cf7c | 10892 | else if (sz > (long)sizeof(staticBuffer)) { |
wolfSSL | 15:117db924cf7c | 10893 | #ifdef WOLFSSL_STATIC_MEMORY |
wolfSSL | 15:117db924cf7c | 10894 | WOLFSSL_MSG("File was larger then static buffer"); |
wolfSSL | 15:117db924cf7c | 10895 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10896 | #endif |
wolfSSL | 15:117db924cf7c | 10897 | fileBuf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE); |
wolfSSL | 15:117db924cf7c | 10898 | if (fileBuf == NULL) |
wolfSSL | 15:117db924cf7c | 10899 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10900 | else |
wolfSSL | 15:117db924cf7c | 10901 | dynamic = 1; |
wolfSSL | 15:117db924cf7c | 10902 | } |
wolfSSL | 15:117db924cf7c | 10903 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 10904 | if ( (ret = (int)XFREAD(fileBuf, 1, sz, file)) != sz) { |
wolfSSL | 15:117db924cf7c | 10905 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10906 | } |
wolfSSL | 15:117db924cf7c | 10907 | #ifdef WOLFSSL_PEM_TO_DER |
wolfSSL | 15:117db924cf7c | 10908 | else { |
wolfSSL | 15:117db924cf7c | 10909 | ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted, |
wolfSSL | 15:117db924cf7c | 10910 | 0, NULL, NULL); |
wolfSSL | 15:117db924cf7c | 10911 | } |
wolfSSL | 15:117db924cf7c | 10912 | #endif |
wolfSSL | 15:117db924cf7c | 10913 | |
wolfSSL | 15:117db924cf7c | 10914 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 10915 | if (converted->length < (word32)derSz) { |
wolfSSL | 15:117db924cf7c | 10916 | XMEMCPY(derBuf, converted->buffer, converted->length); |
wolfSSL | 15:117db924cf7c | 10917 | ret = converted->length; |
wolfSSL | 15:117db924cf7c | 10918 | } |
wolfSSL | 15:117db924cf7c | 10919 | else |
wolfSSL | 15:117db924cf7c | 10920 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 10921 | } |
wolfSSL | 15:117db924cf7c | 10922 | |
wolfSSL | 15:117db924cf7c | 10923 | FreeDer(&converted); |
wolfSSL | 15:117db924cf7c | 10924 | } |
wolfSSL | 15:117db924cf7c | 10925 | |
wolfSSL | 15:117db924cf7c | 10926 | XFCLOSE(file); |
wolfSSL | 15:117db924cf7c | 10927 | if (dynamic) |
wolfSSL | 15:117db924cf7c | 10928 | XFREE(fileBuf, NULL, DYNAMIC_TYPE_FILE); |
wolfSSL | 15:117db924cf7c | 10929 | } |
wolfSSL | 15:117db924cf7c | 10930 | |
wolfSSL | 15:117db924cf7c | 10931 | return ret; |
wolfSSL | 15:117db924cf7c | 10932 | } |
wolfSSL | 15:117db924cf7c | 10933 | #endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */ |
wolfSSL | 15:117db924cf7c | 10934 | |
wolfSSL | 15:117db924cf7c | 10935 | #endif /* !NO_FILESYSTEM */ |
wolfSSL | 15:117db924cf7c | 10936 | |
wolfSSL | 15:117db924cf7c | 10937 | |
wolfSSL | 15:117db924cf7c | 10938 | #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 15:117db924cf7c | 10939 | ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(HAVE_USER_RSA))) |
wolfSSL | 15:117db924cf7c | 10940 | /* USER RSA ifdef portions used instead of refactor in consideration for |
wolfSSL | 15:117db924cf7c | 10941 | possible fips build */ |
wolfSSL | 15:117db924cf7c | 10942 | /* Write a public RSA key to output */ |
wolfSSL | 15:117db924cf7c | 10943 | static int SetRsaPublicKey(byte* output, RsaKey* key, |
wolfSSL | 15:117db924cf7c | 10944 | int outLen, int with_header) |
wolfSSL | 15:117db924cf7c | 10945 | { |
wolfSSL | 15:117db924cf7c | 10946 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10947 | byte* n = NULL; |
wolfSSL | 15:117db924cf7c | 10948 | byte* e = NULL; |
wolfSSL | 15:117db924cf7c | 10949 | #else |
wolfSSL | 15:117db924cf7c | 10950 | byte n[MAX_RSA_INT_SZ]; |
wolfSSL | 15:117db924cf7c | 10951 | byte e[MAX_RSA_E_SZ]; |
wolfSSL | 15:117db924cf7c | 10952 | #endif |
wolfSSL | 15:117db924cf7c | 10953 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 10954 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 15:117db924cf7c | 10955 | int nSz; |
wolfSSL | 15:117db924cf7c | 10956 | int eSz; |
wolfSSL | 15:117db924cf7c | 10957 | int seqSz; |
wolfSSL | 15:117db924cf7c | 10958 | int bitStringSz; |
wolfSSL | 15:117db924cf7c | 10959 | int idx; |
wolfSSL | 15:117db924cf7c | 10960 | |
wolfSSL | 15:117db924cf7c | 10961 | if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) |
wolfSSL | 15:117db924cf7c | 10962 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 10963 | |
wolfSSL | 15:117db924cf7c | 10964 | /* n */ |
wolfSSL | 15:117db924cf7c | 10965 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10966 | n = (byte*)XMALLOC(MAX_RSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10967 | if (n == NULL) |
wolfSSL | 15:117db924cf7c | 10968 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10969 | #endif |
wolfSSL | 15:117db924cf7c | 10970 | |
wolfSSL | 15:117db924cf7c | 10971 | #ifdef HAVE_USER_RSA |
wolfSSL | 15:117db924cf7c | 10972 | nSz = SetASNIntRSA(key->n, n); |
wolfSSL | 15:117db924cf7c | 10973 | #else |
wolfSSL | 15:117db924cf7c | 10974 | nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, n); |
wolfSSL | 15:117db924cf7c | 10975 | #endif |
wolfSSL | 15:117db924cf7c | 10976 | if (nSz < 0) { |
wolfSSL | 15:117db924cf7c | 10977 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10978 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10979 | #endif |
wolfSSL | 15:117db924cf7c | 10980 | return nSz; |
wolfSSL | 15:117db924cf7c | 10981 | } |
wolfSSL | 15:117db924cf7c | 10982 | |
wolfSSL | 15:117db924cf7c | 10983 | /* e */ |
wolfSSL | 15:117db924cf7c | 10984 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10985 | e = (byte*)XMALLOC(MAX_RSA_E_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10986 | if (e == NULL) { |
wolfSSL | 15:117db924cf7c | 10987 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 10988 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 10989 | #endif |
wolfSSL | 15:117db924cf7c | 10990 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 10991 | } |
wolfSSL | 15:117db924cf7c | 10992 | #endif |
wolfSSL | 15:117db924cf7c | 10993 | |
wolfSSL | 15:117db924cf7c | 10994 | #ifdef HAVE_USER_RSA |
wolfSSL | 15:117db924cf7c | 10995 | eSz = SetASNIntRSA(key->e, e); |
wolfSSL | 15:117db924cf7c | 10996 | #else |
wolfSSL | 15:117db924cf7c | 10997 | eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, e); |
wolfSSL | 15:117db924cf7c | 10998 | #endif |
wolfSSL | 15:117db924cf7c | 10999 | if (eSz < 0) { |
wolfSSL | 15:117db924cf7c | 11000 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11001 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11002 | XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11003 | #endif |
wolfSSL | 15:117db924cf7c | 11004 | return eSz; |
wolfSSL | 15:117db924cf7c | 11005 | } |
wolfSSL | 15:117db924cf7c | 11006 | |
wolfSSL | 15:117db924cf7c | 11007 | seqSz = SetSequence(nSz + eSz, seq); |
wolfSSL | 15:117db924cf7c | 11008 | |
wolfSSL | 15:117db924cf7c | 11009 | /* check output size */ |
wolfSSL | 15:117db924cf7c | 11010 | if ( (seqSz + nSz + eSz) > outLen) { |
wolfSSL | 15:117db924cf7c | 11011 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11012 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11013 | XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11014 | #endif |
wolfSSL | 15:117db924cf7c | 11015 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 11016 | } |
wolfSSL | 15:117db924cf7c | 11017 | |
wolfSSL | 15:117db924cf7c | 11018 | /* headers */ |
wolfSSL | 15:117db924cf7c | 11019 | if (with_header) { |
wolfSSL | 15:117db924cf7c | 11020 | int algoSz; |
wolfSSL | 15:117db924cf7c | 11021 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11022 | byte* algo; |
wolfSSL | 15:117db924cf7c | 11023 | |
wolfSSL | 15:117db924cf7c | 11024 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11025 | if (algo == NULL) { |
wolfSSL | 15:117db924cf7c | 11026 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11027 | XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11028 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11029 | } |
wolfSSL | 15:117db924cf7c | 11030 | #else |
wolfSSL | 15:117db924cf7c | 11031 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 11032 | #endif |
wolfSSL | 15:117db924cf7c | 11033 | algoSz = SetAlgoID(RSAk, algo, oidKeyType, 0); |
wolfSSL | 15:117db924cf7c | 11034 | bitStringSz = SetBitString(seqSz + nSz + eSz, 0, bitString); |
wolfSSL | 15:117db924cf7c | 11035 | |
wolfSSL | 15:117db924cf7c | 11036 | idx = SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, output); |
wolfSSL | 15:117db924cf7c | 11037 | |
wolfSSL | 15:117db924cf7c | 11038 | /* check output size */ |
wolfSSL | 15:117db924cf7c | 11039 | if ( (idx + algoSz + bitStringSz + seqSz + nSz + eSz) > outLen) { |
wolfSSL | 15:117db924cf7c | 11040 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11041 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11042 | XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11043 | XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11044 | #endif |
wolfSSL | 15:117db924cf7c | 11045 | |
wolfSSL | 15:117db924cf7c | 11046 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 11047 | } |
wolfSSL | 15:117db924cf7c | 11048 | |
wolfSSL | 15:117db924cf7c | 11049 | /* algo */ |
wolfSSL | 15:117db924cf7c | 11050 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 15:117db924cf7c | 11051 | idx += algoSz; |
wolfSSL | 15:117db924cf7c | 11052 | /* bit string */ |
wolfSSL | 15:117db924cf7c | 11053 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 15:117db924cf7c | 11054 | idx += bitStringSz; |
wolfSSL | 15:117db924cf7c | 11055 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11056 | XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11057 | #endif |
wolfSSL | 15:117db924cf7c | 11058 | } |
wolfSSL | 15:117db924cf7c | 11059 | else |
wolfSSL | 15:117db924cf7c | 11060 | idx = 0; |
wolfSSL | 15:117db924cf7c | 11061 | |
wolfSSL | 15:117db924cf7c | 11062 | /* seq */ |
wolfSSL | 15:117db924cf7c | 11063 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 15:117db924cf7c | 11064 | idx += seqSz; |
wolfSSL | 15:117db924cf7c | 11065 | /* n */ |
wolfSSL | 15:117db924cf7c | 11066 | XMEMCPY(output + idx, n, nSz); |
wolfSSL | 15:117db924cf7c | 11067 | idx += nSz; |
wolfSSL | 15:117db924cf7c | 11068 | /* e */ |
wolfSSL | 15:117db924cf7c | 11069 | XMEMCPY(output + idx, e, eSz); |
wolfSSL | 15:117db924cf7c | 11070 | idx += eSz; |
wolfSSL | 15:117db924cf7c | 11071 | |
wolfSSL | 15:117db924cf7c | 11072 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11073 | XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11074 | XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11075 | #endif |
wolfSSL | 15:117db924cf7c | 11076 | |
wolfSSL | 15:117db924cf7c | 11077 | return idx; |
wolfSSL | 15:117db924cf7c | 11078 | } |
wolfSSL | 15:117db924cf7c | 11079 | |
wolfSSL | 16:8e0d178b1d1e | 11080 | #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN && |
wolfSSL | 16:8e0d178b1d1e | 11081 | !HAVE_USER_RSA))) */ |
wolfSSL | 16:8e0d178b1d1e | 11082 | |
wolfSSL | 16:8e0d178b1d1e | 11083 | #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA)) |
wolfSSL | 16:8e0d178b1d1e | 11084 | int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header) |
wolfSSL | 16:8e0d178b1d1e | 11085 | { |
wolfSSL | 16:8e0d178b1d1e | 11086 | int idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 11087 | int nSz, eSz, seqSz, bitStringSz, algoSz; |
wolfSSL | 15:117db924cf7c | 11088 | |
wolfSSL | 15:117db924cf7c | 11089 | if (key == NULL) |
wolfSSL | 15:117db924cf7c | 11090 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11091 | |
wolfSSL | 15:117db924cf7c | 11092 | /* n */ |
wolfSSL | 15:117db924cf7c | 11093 | #ifdef HAVE_USER_RSA |
wolfSSL | 16:8e0d178b1d1e | 11094 | nSz = SetASNIntRSA(key->n, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11095 | #else |
wolfSSL | 16:8e0d178b1d1e | 11096 | nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11097 | #endif |
wolfSSL | 15:117db924cf7c | 11098 | if (nSz < 0) { |
wolfSSL | 15:117db924cf7c | 11099 | return nSz; |
wolfSSL | 15:117db924cf7c | 11100 | } |
wolfSSL | 15:117db924cf7c | 11101 | |
wolfSSL | 15:117db924cf7c | 11102 | /* e */ |
wolfSSL | 15:117db924cf7c | 11103 | #ifdef HAVE_USER_RSA |
wolfSSL | 16:8e0d178b1d1e | 11104 | eSz = SetASNIntRSA(key->e, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11105 | #else |
wolfSSL | 16:8e0d178b1d1e | 11106 | eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11107 | #endif |
wolfSSL | 15:117db924cf7c | 11108 | if (eSz < 0) { |
wolfSSL | 15:117db924cf7c | 11109 | return eSz; |
wolfSSL | 15:117db924cf7c | 11110 | } |
wolfSSL | 15:117db924cf7c | 11111 | |
wolfSSL | 16:8e0d178b1d1e | 11112 | seqSz = SetSequence(nSz + eSz, NULL); |
wolfSSL | 15:117db924cf7c | 11113 | |
wolfSSL | 15:117db924cf7c | 11114 | /* headers */ |
wolfSSL | 15:117db924cf7c | 11115 | if (with_header) { |
wolfSSL | 16:8e0d178b1d1e | 11116 | algoSz = SetAlgoID(RSAk, NULL, oidKeyType, 0); |
wolfSSL | 16:8e0d178b1d1e | 11117 | bitStringSz = SetBitString(seqSz + nSz + eSz, 0, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11118 | |
wolfSSL | 16:8e0d178b1d1e | 11119 | idx += SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, NULL); |
wolfSSL | 15:117db924cf7c | 11120 | |
wolfSSL | 15:117db924cf7c | 11121 | /* algo */ |
wolfSSL | 15:117db924cf7c | 11122 | idx += algoSz; |
wolfSSL | 15:117db924cf7c | 11123 | /* bit string */ |
wolfSSL | 15:117db924cf7c | 11124 | idx += bitStringSz; |
wolfSSL | 15:117db924cf7c | 11125 | } |
wolfSSL | 15:117db924cf7c | 11126 | |
wolfSSL | 15:117db924cf7c | 11127 | /* seq */ |
wolfSSL | 15:117db924cf7c | 11128 | idx += seqSz; |
wolfSSL | 15:117db924cf7c | 11129 | /* n */ |
wolfSSL | 15:117db924cf7c | 11130 | idx += nSz; |
wolfSSL | 15:117db924cf7c | 11131 | /* e */ |
wolfSSL | 15:117db924cf7c | 11132 | idx += eSz; |
wolfSSL | 15:117db924cf7c | 11133 | |
wolfSSL | 15:117db924cf7c | 11134 | return idx; |
wolfSSL | 15:117db924cf7c | 11135 | } |
wolfSSL | 16:8e0d178b1d1e | 11136 | |
wolfSSL | 16:8e0d178b1d1e | 11137 | #endif /* !NO_RSA && WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 11138 | |
wolfSSL | 15:117db924cf7c | 11139 | |
wolfSSL | 15:117db924cf7c | 11140 | #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) |
wolfSSL | 15:117db924cf7c | 11141 | |
wolfSSL | 15:117db924cf7c | 11142 | static mp_int* GetRsaInt(RsaKey* key, int idx) |
wolfSSL | 15:117db924cf7c | 11143 | { |
wolfSSL | 15:117db924cf7c | 11144 | if (idx == 0) |
wolfSSL | 15:117db924cf7c | 11145 | return &key->n; |
wolfSSL | 15:117db924cf7c | 11146 | if (idx == 1) |
wolfSSL | 15:117db924cf7c | 11147 | return &key->e; |
wolfSSL | 15:117db924cf7c | 11148 | if (idx == 2) |
wolfSSL | 15:117db924cf7c | 11149 | return &key->d; |
wolfSSL | 15:117db924cf7c | 11150 | if (idx == 3) |
wolfSSL | 15:117db924cf7c | 11151 | return &key->p; |
wolfSSL | 15:117db924cf7c | 11152 | if (idx == 4) |
wolfSSL | 15:117db924cf7c | 11153 | return &key->q; |
wolfSSL | 15:117db924cf7c | 11154 | if (idx == 5) |
wolfSSL | 15:117db924cf7c | 11155 | return &key->dP; |
wolfSSL | 15:117db924cf7c | 11156 | if (idx == 6) |
wolfSSL | 15:117db924cf7c | 11157 | return &key->dQ; |
wolfSSL | 15:117db924cf7c | 11158 | if (idx == 7) |
wolfSSL | 15:117db924cf7c | 11159 | return &key->u; |
wolfSSL | 15:117db924cf7c | 11160 | |
wolfSSL | 15:117db924cf7c | 11161 | return NULL; |
wolfSSL | 15:117db924cf7c | 11162 | } |
wolfSSL | 15:117db924cf7c | 11163 | |
wolfSSL | 15:117db924cf7c | 11164 | |
wolfSSL | 15:117db924cf7c | 11165 | /* Release Tmp RSA resources */ |
wolfSSL | 15:117db924cf7c | 11166 | static WC_INLINE void FreeTmpRsas(byte** tmps, void* heap) |
wolfSSL | 15:117db924cf7c | 11167 | { |
wolfSSL | 15:117db924cf7c | 11168 | int i; |
wolfSSL | 15:117db924cf7c | 11169 | |
wolfSSL | 15:117db924cf7c | 11170 | (void)heap; |
wolfSSL | 15:117db924cf7c | 11171 | |
wolfSSL | 15:117db924cf7c | 11172 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 15:117db924cf7c | 11173 | XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 11174 | } |
wolfSSL | 15:117db924cf7c | 11175 | |
wolfSSL | 15:117db924cf7c | 11176 | |
wolfSSL | 15:117db924cf7c | 11177 | /* Convert RsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 15:117db924cf7c | 11178 | written */ |
wolfSSL | 15:117db924cf7c | 11179 | int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 11180 | { |
wolfSSL | 15:117db924cf7c | 11181 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 15:117db924cf7c | 11182 | word32 sizes[RSA_INTS]; |
wolfSSL | 15:117db924cf7c | 11183 | int i, j, outLen, ret = 0, mpSz; |
wolfSSL | 15:117db924cf7c | 11184 | |
wolfSSL | 15:117db924cf7c | 11185 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 11186 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 15:117db924cf7c | 11187 | byte* tmps[RSA_INTS]; |
wolfSSL | 15:117db924cf7c | 11188 | |
wolfSSL | 16:8e0d178b1d1e | 11189 | if (!key) |
wolfSSL | 15:117db924cf7c | 11190 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11191 | |
wolfSSL | 15:117db924cf7c | 11192 | if (key->type != RSA_PRIVATE) |
wolfSSL | 15:117db924cf7c | 11193 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11194 | |
wolfSSL | 15:117db924cf7c | 11195 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 15:117db924cf7c | 11196 | tmps[i] = NULL; |
wolfSSL | 15:117db924cf7c | 11197 | |
wolfSSL | 15:117db924cf7c | 11198 | /* write all big ints from key to DER tmps */ |
wolfSSL | 15:117db924cf7c | 11199 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 15:117db924cf7c | 11200 | mp_int* keyInt = GetRsaInt(key, i); |
wolfSSL | 15:117db924cf7c | 11201 | |
wolfSSL | 15:117db924cf7c | 11202 | rawLen = mp_unsigned_bin_size(keyInt) + 1; |
wolfSSL | 15:117db924cf7c | 11203 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 15:117db924cf7c | 11204 | DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 11205 | if (tmps[i] == NULL) { |
wolfSSL | 15:117db924cf7c | 11206 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11207 | break; |
wolfSSL | 15:117db924cf7c | 11208 | } |
wolfSSL | 15:117db924cf7c | 11209 | |
wolfSSL | 15:117db924cf7c | 11210 | mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]); |
wolfSSL | 15:117db924cf7c | 11211 | if (mpSz < 0) { |
wolfSSL | 15:117db924cf7c | 11212 | ret = mpSz; |
wolfSSL | 15:117db924cf7c | 11213 | break; |
wolfSSL | 15:117db924cf7c | 11214 | } |
wolfSSL | 15:117db924cf7c | 11215 | intTotalLen += (sizes[i] = mpSz); |
wolfSSL | 15:117db924cf7c | 11216 | } |
wolfSSL | 15:117db924cf7c | 11217 | |
wolfSSL | 15:117db924cf7c | 11218 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 11219 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 15:117db924cf7c | 11220 | return ret; |
wolfSSL | 15:117db924cf7c | 11221 | } |
wolfSSL | 15:117db924cf7c | 11222 | |
wolfSSL | 15:117db924cf7c | 11223 | /* make headers */ |
wolfSSL | 15:117db924cf7c | 11224 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 15:117db924cf7c | 11225 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 15:117db924cf7c | 11226 | |
wolfSSL | 15:117db924cf7c | 11227 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 16:8e0d178b1d1e | 11228 | if (output) { |
wolfSSL | 16:8e0d178b1d1e | 11229 | if (outLen > (int)inLen) { |
wolfSSL | 16:8e0d178b1d1e | 11230 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 16:8e0d178b1d1e | 11231 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 11232 | } |
wolfSSL | 16:8e0d178b1d1e | 11233 | |
wolfSSL | 16:8e0d178b1d1e | 11234 | /* write to output */ |
wolfSSL | 16:8e0d178b1d1e | 11235 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 16:8e0d178b1d1e | 11236 | j = seqSz; |
wolfSSL | 16:8e0d178b1d1e | 11237 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 16:8e0d178b1d1e | 11238 | j += verSz; |
wolfSSL | 16:8e0d178b1d1e | 11239 | |
wolfSSL | 16:8e0d178b1d1e | 11240 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 16:8e0d178b1d1e | 11241 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 16:8e0d178b1d1e | 11242 | j += sizes[i]; |
wolfSSL | 16:8e0d178b1d1e | 11243 | } |
wolfSSL | 15:117db924cf7c | 11244 | } |
wolfSSL | 15:117db924cf7c | 11245 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 15:117db924cf7c | 11246 | |
wolfSSL | 15:117db924cf7c | 11247 | return outLen; |
wolfSSL | 15:117db924cf7c | 11248 | } |
wolfSSL | 15:117db924cf7c | 11249 | #endif |
wolfSSL | 15:117db924cf7c | 11250 | |
wolfSSL | 15:117db924cf7c | 11251 | #if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) |
wolfSSL | 15:117db924cf7c | 11252 | /* Convert Rsa Public key to DER format, write to output (inLen), return bytes |
wolfSSL | 15:117db924cf7c | 11253 | written */ |
wolfSSL | 15:117db924cf7c | 11254 | int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 11255 | { |
wolfSSL | 15:117db924cf7c | 11256 | return SetRsaPublicKey(output, key, inLen, 1); |
wolfSSL | 15:117db924cf7c | 11257 | } |
wolfSSL | 15:117db924cf7c | 11258 | |
wolfSSL | 16:8e0d178b1d1e | 11259 | #endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA && !HAVE_USER_RSA */ |
wolfSSL | 15:117db924cf7c | 11260 | |
wolfSSL | 15:117db924cf7c | 11261 | |
wolfSSL | 15:117db924cf7c | 11262 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 11263 | |
wolfSSL | 15:117db924cf7c | 11264 | /* Initialize and Set Certificate defaults: |
wolfSSL | 15:117db924cf7c | 11265 | version = 3 (0x2) |
wolfSSL | 15:117db924cf7c | 11266 | serial = 0 |
wolfSSL | 15:117db924cf7c | 11267 | sigType = SHA_WITH_RSA |
wolfSSL | 15:117db924cf7c | 11268 | issuer = blank |
wolfSSL | 15:117db924cf7c | 11269 | daysValid = 500 |
wolfSSL | 15:117db924cf7c | 11270 | selfSigned = 1 (true) use subject as issuer |
wolfSSL | 15:117db924cf7c | 11271 | subject = blank |
wolfSSL | 15:117db924cf7c | 11272 | */ |
wolfSSL | 15:117db924cf7c | 11273 | int wc_InitCert(Cert* cert) |
wolfSSL | 15:117db924cf7c | 11274 | { |
wolfSSL | 15:117db924cf7c | 11275 | #ifdef WOLFSSL_MULTI_ATTRIB |
wolfSSL | 15:117db924cf7c | 11276 | int i = 0; |
wolfSSL | 15:117db924cf7c | 11277 | #endif |
wolfSSL | 15:117db924cf7c | 11278 | if (cert == NULL) { |
wolfSSL | 15:117db924cf7c | 11279 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11280 | } |
wolfSSL | 15:117db924cf7c | 11281 | |
wolfSSL | 15:117db924cf7c | 11282 | XMEMSET(cert, 0, sizeof(Cert)); |
wolfSSL | 15:117db924cf7c | 11283 | |
wolfSSL | 15:117db924cf7c | 11284 | cert->version = 2; /* version 3 is hex 2 */ |
wolfSSL | 15:117db924cf7c | 11285 | #ifndef NO_SHA |
wolfSSL | 15:117db924cf7c | 11286 | cert->sigType = CTC_SHAwRSA; |
wolfSSL | 15:117db924cf7c | 11287 | #elif !defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 11288 | cert->sigType = CTC_SHA256wRSA; |
wolfSSL | 15:117db924cf7c | 11289 | #else |
wolfSSL | 15:117db924cf7c | 11290 | cert->sigType = 0; |
wolfSSL | 15:117db924cf7c | 11291 | #endif |
wolfSSL | 15:117db924cf7c | 11292 | cert->daysValid = 500; |
wolfSSL | 15:117db924cf7c | 11293 | cert->selfSigned = 1; |
wolfSSL | 15:117db924cf7c | 11294 | cert->keyType = RSA_KEY; |
wolfSSL | 15:117db924cf7c | 11295 | |
wolfSSL | 15:117db924cf7c | 11296 | cert->issuer.countryEnc = CTC_PRINTABLE; |
wolfSSL | 15:117db924cf7c | 11297 | cert->issuer.stateEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11298 | cert->issuer.localityEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11299 | cert->issuer.surEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11300 | cert->issuer.orgEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11301 | cert->issuer.unitEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11302 | cert->issuer.commonNameEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11303 | |
wolfSSL | 15:117db924cf7c | 11304 | cert->subject.countryEnc = CTC_PRINTABLE; |
wolfSSL | 15:117db924cf7c | 11305 | cert->subject.stateEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11306 | cert->subject.localityEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11307 | cert->subject.surEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11308 | cert->subject.orgEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11309 | cert->subject.unitEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11310 | cert->subject.commonNameEnc = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11311 | |
wolfSSL | 15:117db924cf7c | 11312 | #ifdef WOLFSSL_MULTI_ATTRIB |
wolfSSL | 15:117db924cf7c | 11313 | for (i = 0; i < CTC_MAX_ATTRIB; i++) { |
wolfSSL | 15:117db924cf7c | 11314 | cert->issuer.name[i].type = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11315 | cert->subject.name[i].type = CTC_UTF8; |
wolfSSL | 15:117db924cf7c | 11316 | } |
wolfSSL | 15:117db924cf7c | 11317 | #endif /* WOLFSSL_MULTI_ATTRIB */ |
wolfSSL | 15:117db924cf7c | 11318 | |
wolfSSL | 15:117db924cf7c | 11319 | #ifdef WOLFSSL_HEAP_TEST |
wolfSSL | 15:117db924cf7c | 11320 | cert->heap = (void*)WOLFSSL_HEAP_TEST; |
wolfSSL | 15:117db924cf7c | 11321 | #endif |
wolfSSL | 15:117db924cf7c | 11322 | |
wolfSSL | 15:117db924cf7c | 11323 | return 0; |
wolfSSL | 15:117db924cf7c | 11324 | } |
wolfSSL | 15:117db924cf7c | 11325 | |
wolfSSL | 15:117db924cf7c | 11326 | |
wolfSSL | 15:117db924cf7c | 11327 | /* DER encoded x509 Certificate */ |
wolfSSL | 15:117db924cf7c | 11328 | typedef struct DerCert { |
wolfSSL | 15:117db924cf7c | 11329 | byte size[MAX_LENGTH_SZ]; /* length encoded */ |
wolfSSL | 15:117db924cf7c | 11330 | byte version[MAX_VERSION_SZ]; /* version encoded */ |
wolfSSL | 15:117db924cf7c | 11331 | byte serial[(int)CTC_SERIAL_SIZE + (int)MAX_LENGTH_SZ]; /* serial number encoded */ |
wolfSSL | 15:117db924cf7c | 11332 | byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */ |
wolfSSL | 15:117db924cf7c | 11333 | byte issuer[ASN_NAME_MAX]; /* issuer encoded */ |
wolfSSL | 15:117db924cf7c | 11334 | byte subject[ASN_NAME_MAX]; /* subject encoded */ |
wolfSSL | 15:117db924cf7c | 11335 | byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */ |
wolfSSL | 15:117db924cf7c | 11336 | byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */ |
wolfSSL | 15:117db924cf7c | 11337 | byte ca[MAX_CA_SZ]; /* basic constraint CA true size */ |
wolfSSL | 15:117db924cf7c | 11338 | byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ |
wolfSSL | 15:117db924cf7c | 11339 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 11340 | byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ |
wolfSSL | 15:117db924cf7c | 11341 | byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ |
wolfSSL | 15:117db924cf7c | 11342 | byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ |
wolfSSL | 15:117db924cf7c | 11343 | byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */ |
wolfSSL | 15:117db924cf7c | 11344 | byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ |
wolfSSL | 15:117db924cf7c | 11345 | #endif |
wolfSSL | 15:117db924cf7c | 11346 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 15:117db924cf7c | 11347 | byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ |
wolfSSL | 15:117db924cf7c | 11348 | #endif |
wolfSSL | 15:117db924cf7c | 11349 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 11350 | byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */ |
wolfSSL | 15:117db924cf7c | 11351 | #endif |
wolfSSL | 15:117db924cf7c | 11352 | int sizeSz; /* encoded size length */ |
wolfSSL | 15:117db924cf7c | 11353 | int versionSz; /* encoded version length */ |
wolfSSL | 15:117db924cf7c | 11354 | int serialSz; /* encoded serial length */ |
wolfSSL | 16:8e0d178b1d1e | 11355 | int sigAlgoSz; /* encoded sig algo length */ |
wolfSSL | 15:117db924cf7c | 11356 | int issuerSz; /* encoded issuer length */ |
wolfSSL | 15:117db924cf7c | 11357 | int subjectSz; /* encoded subject length */ |
wolfSSL | 15:117db924cf7c | 11358 | int validitySz; /* encoded validity length */ |
wolfSSL | 15:117db924cf7c | 11359 | int publicKeySz; /* encoded public key length */ |
wolfSSL | 15:117db924cf7c | 11360 | int caSz; /* encoded CA extension length */ |
wolfSSL | 15:117db924cf7c | 11361 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 11362 | int skidSz; /* encoded SKID extension length */ |
wolfSSL | 15:117db924cf7c | 11363 | int akidSz; /* encoded SKID extension length */ |
wolfSSL | 15:117db924cf7c | 11364 | int keyUsageSz; /* encoded KeyUsage extension length */ |
wolfSSL | 15:117db924cf7c | 11365 | int extKeyUsageSz; /* encoded ExtendedKeyUsage extension length */ |
wolfSSL | 15:117db924cf7c | 11366 | int certPoliciesSz; /* encoded CertPolicies extension length*/ |
wolfSSL | 15:117db924cf7c | 11367 | #endif |
wolfSSL | 15:117db924cf7c | 11368 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 11369 | int altNamesSz; /* encoded AltNames extension length */ |
wolfSSL | 15:117db924cf7c | 11370 | #endif |
wolfSSL | 15:117db924cf7c | 11371 | int extensionsSz; /* encoded extensions total length */ |
wolfSSL | 15:117db924cf7c | 11372 | int total; /* total encoded lengths */ |
wolfSSL | 15:117db924cf7c | 11373 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 15:117db924cf7c | 11374 | int attribSz; |
wolfSSL | 15:117db924cf7c | 11375 | #endif |
wolfSSL | 15:117db924cf7c | 11376 | } DerCert; |
wolfSSL | 15:117db924cf7c | 11377 | |
wolfSSL | 15:117db924cf7c | 11378 | |
wolfSSL | 15:117db924cf7c | 11379 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 15:117db924cf7c | 11380 | |
wolfSSL | 15:117db924cf7c | 11381 | /* Write a set header to output */ |
wolfSSL | 16:8e0d178b1d1e | 11382 | static word32 SetPrintableString(word32 len, byte* output) |
wolfSSL | 16:8e0d178b1d1e | 11383 | { |
wolfSSL | 16:8e0d178b1d1e | 11384 | output[0] = ASN_PRINTABLE_STRING; |
wolfSSL | 16:8e0d178b1d1e | 11385 | return SetLength(len, output + 1) + 1; |
wolfSSL | 16:8e0d178b1d1e | 11386 | } |
wolfSSL | 16:8e0d178b1d1e | 11387 | |
wolfSSL | 15:117db924cf7c | 11388 | static word32 SetUTF8String(word32 len, byte* output) |
wolfSSL | 15:117db924cf7c | 11389 | { |
wolfSSL | 15:117db924cf7c | 11390 | output[0] = ASN_UTF8STRING; |
wolfSSL | 15:117db924cf7c | 11391 | return SetLength(len, output + 1) + 1; |
wolfSSL | 15:117db924cf7c | 11392 | } |
wolfSSL | 15:117db924cf7c | 11393 | |
wolfSSL | 15:117db924cf7c | 11394 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 15:117db924cf7c | 11395 | |
wolfSSL | 16:8e0d178b1d1e | 11396 | |
wolfSSL | 16:8e0d178b1d1e | 11397 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 11398 | /* wc_SetCert_Free is only public when WOLFSSL_CERT_GEN_CACHE is not defined */ |
wolfSSL | 16:8e0d178b1d1e | 11399 | static |
wolfSSL | 16:8e0d178b1d1e | 11400 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11401 | void wc_SetCert_Free(Cert* cert) |
wolfSSL | 16:8e0d178b1d1e | 11402 | { |
wolfSSL | 16:8e0d178b1d1e | 11403 | if (cert != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11404 | cert->der = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11405 | if (cert->decodedCert) { |
wolfSSL | 16:8e0d178b1d1e | 11406 | FreeDecodedCert((DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 11407 | |
wolfSSL | 16:8e0d178b1d1e | 11408 | XFREE(cert->decodedCert, cert->heap, DYNAMIC_TYPE_DCERT); |
wolfSSL | 16:8e0d178b1d1e | 11409 | cert->decodedCert = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11410 | } |
wolfSSL | 16:8e0d178b1d1e | 11411 | } |
wolfSSL | 16:8e0d178b1d1e | 11412 | } |
wolfSSL | 16:8e0d178b1d1e | 11413 | |
wolfSSL | 16:8e0d178b1d1e | 11414 | static int wc_SetCert_LoadDer(Cert* cert, const byte* der, word32 derSz) |
wolfSSL | 16:8e0d178b1d1e | 11415 | { |
wolfSSL | 16:8e0d178b1d1e | 11416 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 11417 | |
wolfSSL | 16:8e0d178b1d1e | 11418 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11419 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 11420 | } |
wolfSSL | 16:8e0d178b1d1e | 11421 | else { |
wolfSSL | 16:8e0d178b1d1e | 11422 | /* Allocate DecodedCert struct and Zero */ |
wolfSSL | 16:8e0d178b1d1e | 11423 | cert->decodedCert = (void*)XMALLOC(sizeof(DecodedCert), cert->heap, |
wolfSSL | 16:8e0d178b1d1e | 11424 | DYNAMIC_TYPE_DCERT); |
wolfSSL | 16:8e0d178b1d1e | 11425 | |
wolfSSL | 16:8e0d178b1d1e | 11426 | if (cert->decodedCert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11427 | ret = MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 11428 | } |
wolfSSL | 16:8e0d178b1d1e | 11429 | else { |
wolfSSL | 16:8e0d178b1d1e | 11430 | XMEMSET(cert->decodedCert, 0, sizeof(DecodedCert)); |
wolfSSL | 16:8e0d178b1d1e | 11431 | |
wolfSSL | 16:8e0d178b1d1e | 11432 | InitDecodedCert((DecodedCert*)cert->decodedCert, der, derSz, |
wolfSSL | 16:8e0d178b1d1e | 11433 | cert->heap); |
wolfSSL | 16:8e0d178b1d1e | 11434 | ret = ParseCertRelative((DecodedCert*)cert->decodedCert, |
wolfSSL | 16:8e0d178b1d1e | 11435 | CERT_TYPE, 0, NULL); |
wolfSSL | 16:8e0d178b1d1e | 11436 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 11437 | cert->der = (byte*)der; |
wolfSSL | 16:8e0d178b1d1e | 11438 | } |
wolfSSL | 16:8e0d178b1d1e | 11439 | else { |
wolfSSL | 16:8e0d178b1d1e | 11440 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 11441 | } |
wolfSSL | 16:8e0d178b1d1e | 11442 | } |
wolfSSL | 16:8e0d178b1d1e | 11443 | } |
wolfSSL | 16:8e0d178b1d1e | 11444 | |
wolfSSL | 16:8e0d178b1d1e | 11445 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 11446 | } |
wolfSSL | 16:8e0d178b1d1e | 11447 | |
wolfSSL | 16:8e0d178b1d1e | 11448 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 11449 | |
wolfSSL | 16:8e0d178b1d1e | 11450 | |
wolfSSL | 16:8e0d178b1d1e | 11451 | #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) |
wolfSSL | 15:117db924cf7c | 11452 | |
wolfSSL | 15:117db924cf7c | 11453 | /* Write a public ECC key to output */ |
wolfSSL | 15:117db924cf7c | 11454 | static int SetEccPublicKey(byte* output, ecc_key* key, int with_header) |
wolfSSL | 15:117db924cf7c | 11455 | { |
wolfSSL | 15:117db924cf7c | 11456 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 15:117db924cf7c | 11457 | int algoSz; |
wolfSSL | 15:117db924cf7c | 11458 | int curveSz; |
wolfSSL | 15:117db924cf7c | 11459 | int bitStringSz; |
wolfSSL | 15:117db924cf7c | 11460 | int idx; |
wolfSSL | 15:117db924cf7c | 11461 | word32 pubSz = ECC_BUFSIZE; |
wolfSSL | 15:117db924cf7c | 11462 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11463 | byte* algo = NULL; |
wolfSSL | 15:117db924cf7c | 11464 | byte* curve = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11465 | byte* pub; |
wolfSSL | 15:117db924cf7c | 11466 | #else |
wolfSSL | 15:117db924cf7c | 11467 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 11468 | byte curve[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 11469 | byte pub[ECC_BUFSIZE]; |
wolfSSL | 15:117db924cf7c | 11470 | #endif |
wolfSSL | 15:117db924cf7c | 11471 | int ret; |
wolfSSL | 15:117db924cf7c | 11472 | |
wolfSSL | 15:117db924cf7c | 11473 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11474 | pub = (byte*)XMALLOC(ECC_BUFSIZE, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11475 | if (pub == NULL) |
wolfSSL | 15:117db924cf7c | 11476 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11477 | #endif |
wolfSSL | 15:117db924cf7c | 11478 | |
wolfSSL | 16:8e0d178b1d1e | 11479 | #ifdef HAVE_SELFTEST |
wolfSSL | 16:8e0d178b1d1e | 11480 | /* older version of ecc.c can not handle dp being NULL */ |
wolfSSL | 16:8e0d178b1d1e | 11481 | if (key != NULL && key->dp == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11482 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 11483 | } |
wolfSSL | 16:8e0d178b1d1e | 11484 | else { |
wolfSSL | 16:8e0d178b1d1e | 11485 | ret = wc_ecc_export_x963(key, pub, &pubSz); |
wolfSSL | 16:8e0d178b1d1e | 11486 | } |
wolfSSL | 16:8e0d178b1d1e | 11487 | #else |
wolfSSL | 15:117db924cf7c | 11488 | ret = wc_ecc_export_x963(key, pub, &pubSz); |
wolfSSL | 16:8e0d178b1d1e | 11489 | #endif |
wolfSSL | 15:117db924cf7c | 11490 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 11491 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11492 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11493 | #endif |
wolfSSL | 15:117db924cf7c | 11494 | return ret; |
wolfSSL | 15:117db924cf7c | 11495 | } |
wolfSSL | 15:117db924cf7c | 11496 | |
wolfSSL | 15:117db924cf7c | 11497 | /* headers */ |
wolfSSL | 15:117db924cf7c | 11498 | if (with_header) { |
wolfSSL | 15:117db924cf7c | 11499 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11500 | curve = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11501 | if (curve == NULL) { |
wolfSSL | 15:117db924cf7c | 11502 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11503 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11504 | } |
wolfSSL | 15:117db924cf7c | 11505 | #endif |
wolfSSL | 15:117db924cf7c | 11506 | curveSz = SetCurve(key, curve); |
wolfSSL | 15:117db924cf7c | 11507 | if (curveSz <= 0) { |
wolfSSL | 15:117db924cf7c | 11508 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11509 | XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11510 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11511 | #endif |
wolfSSL | 15:117db924cf7c | 11512 | return curveSz; |
wolfSSL | 15:117db924cf7c | 11513 | } |
wolfSSL | 15:117db924cf7c | 11514 | |
wolfSSL | 15:117db924cf7c | 11515 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11516 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11517 | if (algo == NULL) { |
wolfSSL | 15:117db924cf7c | 11518 | XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11519 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11520 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11521 | } |
wolfSSL | 15:117db924cf7c | 11522 | #endif |
wolfSSL | 15:117db924cf7c | 11523 | algoSz = SetAlgoID(ECDSAk, algo, oidKeyType, curveSz); |
wolfSSL | 15:117db924cf7c | 11524 | |
wolfSSL | 15:117db924cf7c | 11525 | bitStringSz = SetBitString(pubSz, 0, bitString); |
wolfSSL | 15:117db924cf7c | 11526 | |
wolfSSL | 15:117db924cf7c | 11527 | idx = SetSequence(pubSz + curveSz + bitStringSz + algoSz, output); |
wolfSSL | 15:117db924cf7c | 11528 | /* algo */ |
wolfSSL | 16:8e0d178b1d1e | 11529 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 11530 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 15:117db924cf7c | 11531 | idx += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 11532 | /* curve */ |
wolfSSL | 16:8e0d178b1d1e | 11533 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 11534 | XMEMCPY(output + idx, curve, curveSz); |
wolfSSL | 15:117db924cf7c | 11535 | idx += curveSz; |
wolfSSL | 15:117db924cf7c | 11536 | /* bit string */ |
wolfSSL | 16:8e0d178b1d1e | 11537 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 11538 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 15:117db924cf7c | 11539 | idx += bitStringSz; |
wolfSSL | 15:117db924cf7c | 11540 | } |
wolfSSL | 15:117db924cf7c | 11541 | else |
wolfSSL | 15:117db924cf7c | 11542 | idx = 0; |
wolfSSL | 15:117db924cf7c | 11543 | |
wolfSSL | 15:117db924cf7c | 11544 | /* pub */ |
wolfSSL | 16:8e0d178b1d1e | 11545 | if (output) |
wolfSSL | 16:8e0d178b1d1e | 11546 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 15:117db924cf7c | 11547 | idx += pubSz; |
wolfSSL | 15:117db924cf7c | 11548 | |
wolfSSL | 15:117db924cf7c | 11549 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11550 | if (with_header) { |
wolfSSL | 15:117db924cf7c | 11551 | XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11552 | XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11553 | } |
wolfSSL | 15:117db924cf7c | 11554 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11555 | #endif |
wolfSSL | 15:117db924cf7c | 11556 | |
wolfSSL | 15:117db924cf7c | 11557 | return idx; |
wolfSSL | 15:117db924cf7c | 11558 | } |
wolfSSL | 15:117db924cf7c | 11559 | |
wolfSSL | 15:117db924cf7c | 11560 | |
wolfSSL | 15:117db924cf7c | 11561 | /* returns the size of buffer used, the public ECC key in DER format is stored |
wolfSSL | 15:117db924cf7c | 11562 | in output buffer |
wolfSSL | 15:117db924cf7c | 11563 | with_AlgCurve is a flag for when to include a header that has the Algorithm |
wolfSSL | 16:8e0d178b1d1e | 11564 | and Curve information */ |
wolfSSL | 15:117db924cf7c | 11565 | int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen, |
wolfSSL | 15:117db924cf7c | 11566 | int with_AlgCurve) |
wolfSSL | 15:117db924cf7c | 11567 | { |
wolfSSL | 15:117db924cf7c | 11568 | word32 infoSz = 0; |
wolfSSL | 15:117db924cf7c | 11569 | word32 keySz = 0; |
wolfSSL | 15:117db924cf7c | 11570 | int ret; |
wolfSSL | 15:117db924cf7c | 11571 | |
wolfSSL | 16:8e0d178b1d1e | 11572 | if (key == NULL) { |
wolfSSL | 15:117db924cf7c | 11573 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11574 | } |
wolfSSL | 15:117db924cf7c | 11575 | |
wolfSSL | 15:117db924cf7c | 11576 | if (with_AlgCurve) { |
wolfSSL | 15:117db924cf7c | 11577 | /* buffer space for algorithm/curve */ |
wolfSSL | 15:117db924cf7c | 11578 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 15:117db924cf7c | 11579 | infoSz += 2 * MAX_ALGO_SZ; |
wolfSSL | 15:117db924cf7c | 11580 | |
wolfSSL | 15:117db924cf7c | 11581 | /* buffer space for public key sequence */ |
wolfSSL | 15:117db924cf7c | 11582 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 15:117db924cf7c | 11583 | infoSz += TRAILING_ZERO; |
wolfSSL | 15:117db924cf7c | 11584 | } |
wolfSSL | 15:117db924cf7c | 11585 | |
wolfSSL | 16:8e0d178b1d1e | 11586 | #ifdef HAVE_SELFTEST |
wolfSSL | 16:8e0d178b1d1e | 11587 | /* older version of ecc.c can not handle dp being NULL */ |
wolfSSL | 16:8e0d178b1d1e | 11588 | if (key != NULL && key->dp == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11589 | keySz = 1 + 2 * MAX_ECC_BYTES; |
wolfSSL | 16:8e0d178b1d1e | 11590 | ret = LENGTH_ONLY_E; |
wolfSSL | 16:8e0d178b1d1e | 11591 | } |
wolfSSL | 16:8e0d178b1d1e | 11592 | else { |
wolfSSL | 16:8e0d178b1d1e | 11593 | ret = wc_ecc_export_x963(key, NULL, &keySz); |
wolfSSL | 16:8e0d178b1d1e | 11594 | } |
wolfSSL | 16:8e0d178b1d1e | 11595 | #else |
wolfSSL | 16:8e0d178b1d1e | 11596 | ret = wc_ecc_export_x963(key, NULL, &keySz); |
wolfSSL | 16:8e0d178b1d1e | 11597 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11598 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 15:117db924cf7c | 11599 | WOLFSSL_MSG("Error in getting ECC public key size"); |
wolfSSL | 15:117db924cf7c | 11600 | return ret; |
wolfSSL | 15:117db924cf7c | 11601 | } |
wolfSSL | 15:117db924cf7c | 11602 | |
wolfSSL | 16:8e0d178b1d1e | 11603 | /* if output null then just return size */ |
wolfSSL | 16:8e0d178b1d1e | 11604 | if (output == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11605 | return keySz + infoSz; |
wolfSSL | 16:8e0d178b1d1e | 11606 | } |
wolfSSL | 16:8e0d178b1d1e | 11607 | |
wolfSSL | 15:117db924cf7c | 11608 | if (inLen < keySz + infoSz) { |
wolfSSL | 15:117db924cf7c | 11609 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 11610 | } |
wolfSSL | 15:117db924cf7c | 11611 | |
wolfSSL | 15:117db924cf7c | 11612 | return SetEccPublicKey(output, key, with_AlgCurve); |
wolfSSL | 15:117db924cf7c | 11613 | } |
wolfSSL | 16:8e0d178b1d1e | 11614 | |
wolfSSL | 16:8e0d178b1d1e | 11615 | int wc_EccPublicKeyDerSize(ecc_key* key, int with_AlgCurve) |
wolfSSL | 16:8e0d178b1d1e | 11616 | { |
wolfSSL | 16:8e0d178b1d1e | 11617 | return wc_EccPublicKeyToDer(key, NULL, 0, with_AlgCurve); |
wolfSSL | 16:8e0d178b1d1e | 11618 | } |
wolfSSL | 16:8e0d178b1d1e | 11619 | |
wolfSSL | 16:8e0d178b1d1e | 11620 | #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */ |
wolfSSL | 15:117db924cf7c | 11621 | |
wolfSSL | 15:117db924cf7c | 11622 | #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 15:117db924cf7c | 11623 | defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 15:117db924cf7c | 11624 | |
wolfSSL | 15:117db924cf7c | 11625 | /* Write a public ECC key to output */ |
wolfSSL | 15:117db924cf7c | 11626 | static int SetEd25519PublicKey(byte* output, ed25519_key* key, int with_header) |
wolfSSL | 15:117db924cf7c | 11627 | { |
wolfSSL | 15:117db924cf7c | 11628 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 15:117db924cf7c | 11629 | int algoSz; |
wolfSSL | 15:117db924cf7c | 11630 | int bitStringSz; |
wolfSSL | 15:117db924cf7c | 11631 | int idx; |
wolfSSL | 15:117db924cf7c | 11632 | word32 pubSz = ED25519_PUB_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 11633 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11634 | byte* algo = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11635 | byte* pub; |
wolfSSL | 15:117db924cf7c | 11636 | #else |
wolfSSL | 15:117db924cf7c | 11637 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 11638 | byte pub[ED25519_PUB_KEY_SIZE]; |
wolfSSL | 15:117db924cf7c | 11639 | #endif |
wolfSSL | 15:117db924cf7c | 11640 | |
wolfSSL | 15:117db924cf7c | 11641 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11642 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11643 | if (pub == NULL) |
wolfSSL | 15:117db924cf7c | 11644 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11645 | #endif |
wolfSSL | 15:117db924cf7c | 11646 | |
wolfSSL | 16:8e0d178b1d1e | 11647 | idx = wc_ed25519_export_public(key, pub, &pubSz); |
wolfSSL | 16:8e0d178b1d1e | 11648 | if (idx != 0) { |
wolfSSL | 15:117db924cf7c | 11649 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11650 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11651 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11652 | return idx; |
wolfSSL | 15:117db924cf7c | 11653 | } |
wolfSSL | 15:117db924cf7c | 11654 | |
wolfSSL | 15:117db924cf7c | 11655 | /* headers */ |
wolfSSL | 15:117db924cf7c | 11656 | if (with_header) { |
wolfSSL | 15:117db924cf7c | 11657 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11658 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11659 | if (algo == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11660 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11661 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 11662 | } |
wolfSSL | 15:117db924cf7c | 11663 | #endif |
wolfSSL | 15:117db924cf7c | 11664 | algoSz = SetAlgoID(ED25519k, algo, oidKeyType, 0); |
wolfSSL | 15:117db924cf7c | 11665 | |
wolfSSL | 15:117db924cf7c | 11666 | bitStringSz = SetBitString(pubSz, 0, bitString); |
wolfSSL | 15:117db924cf7c | 11667 | |
wolfSSL | 15:117db924cf7c | 11668 | idx = SetSequence(pubSz + bitStringSz + algoSz, output); |
wolfSSL | 15:117db924cf7c | 11669 | /* algo */ |
wolfSSL | 15:117db924cf7c | 11670 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 15:117db924cf7c | 11671 | idx += algoSz; |
wolfSSL | 15:117db924cf7c | 11672 | /* bit string */ |
wolfSSL | 15:117db924cf7c | 11673 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 15:117db924cf7c | 11674 | idx += bitStringSz; |
wolfSSL | 15:117db924cf7c | 11675 | } |
wolfSSL | 15:117db924cf7c | 11676 | else |
wolfSSL | 15:117db924cf7c | 11677 | idx = 0; |
wolfSSL | 15:117db924cf7c | 11678 | |
wolfSSL | 15:117db924cf7c | 11679 | /* pub */ |
wolfSSL | 15:117db924cf7c | 11680 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 15:117db924cf7c | 11681 | idx += pubSz; |
wolfSSL | 15:117db924cf7c | 11682 | |
wolfSSL | 15:117db924cf7c | 11683 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 11684 | if (with_header) { |
wolfSSL | 15:117db924cf7c | 11685 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11686 | } |
wolfSSL | 15:117db924cf7c | 11687 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 11688 | #endif |
wolfSSL | 15:117db924cf7c | 11689 | |
wolfSSL | 15:117db924cf7c | 11690 | return idx; |
wolfSSL | 15:117db924cf7c | 11691 | } |
wolfSSL | 15:117db924cf7c | 11692 | |
wolfSSL | 15:117db924cf7c | 11693 | int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen, |
wolfSSL | 15:117db924cf7c | 11694 | int withAlg) |
wolfSSL | 15:117db924cf7c | 11695 | { |
wolfSSL | 15:117db924cf7c | 11696 | word32 infoSz = 0; |
wolfSSL | 15:117db924cf7c | 11697 | word32 keySz = 0; |
wolfSSL | 15:117db924cf7c | 11698 | int ret; |
wolfSSL | 15:117db924cf7c | 11699 | |
wolfSSL | 15:117db924cf7c | 11700 | if (output == NULL || key == NULL) { |
wolfSSL | 15:117db924cf7c | 11701 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 11702 | } |
wolfSSL | 15:117db924cf7c | 11703 | |
wolfSSL | 15:117db924cf7c | 11704 | if (withAlg) { |
wolfSSL | 15:117db924cf7c | 11705 | /* buffer space for algorithm */ |
wolfSSL | 15:117db924cf7c | 11706 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 15:117db924cf7c | 11707 | infoSz += MAX_ALGO_SZ; |
wolfSSL | 15:117db924cf7c | 11708 | |
wolfSSL | 15:117db924cf7c | 11709 | /* buffer space for public key sequence */ |
wolfSSL | 15:117db924cf7c | 11710 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 15:117db924cf7c | 11711 | infoSz += TRAILING_ZERO; |
wolfSSL | 15:117db924cf7c | 11712 | } |
wolfSSL | 15:117db924cf7c | 11713 | |
wolfSSL | 15:117db924cf7c | 11714 | if ((ret = wc_ed25519_export_public(key, output, &keySz)) != BUFFER_E) { |
wolfSSL | 15:117db924cf7c | 11715 | WOLFSSL_MSG("Error in getting ECC public key size"); |
wolfSSL | 15:117db924cf7c | 11716 | return ret; |
wolfSSL | 15:117db924cf7c | 11717 | } |
wolfSSL | 15:117db924cf7c | 11718 | |
wolfSSL | 15:117db924cf7c | 11719 | if (inLen < keySz + infoSz) { |
wolfSSL | 15:117db924cf7c | 11720 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 11721 | } |
wolfSSL | 15:117db924cf7c | 11722 | |
wolfSSL | 15:117db924cf7c | 11723 | return SetEd25519PublicKey(output, key, withAlg); |
wolfSSL | 15:117db924cf7c | 11724 | } |
wolfSSL | 15:117db924cf7c | 11725 | #endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ |
wolfSSL | 16:8e0d178b1d1e | 11726 | #if defined(HAVE_ED448) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 16:8e0d178b1d1e | 11727 | defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 16:8e0d178b1d1e | 11728 | |
wolfSSL | 16:8e0d178b1d1e | 11729 | /* Write a public ECC key to output */ |
wolfSSL | 16:8e0d178b1d1e | 11730 | static int SetEd448PublicKey(byte* output, ed448_key* key, int with_header) |
wolfSSL | 16:8e0d178b1d1e | 11731 | { |
wolfSSL | 16:8e0d178b1d1e | 11732 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 16:8e0d178b1d1e | 11733 | int algoSz; |
wolfSSL | 16:8e0d178b1d1e | 11734 | int bitStringSz; |
wolfSSL | 16:8e0d178b1d1e | 11735 | int idx; |
wolfSSL | 16:8e0d178b1d1e | 11736 | word32 pubSz = ED448_PUB_KEY_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 11737 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11738 | byte* algo = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11739 | byte* pub = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11740 | #else |
wolfSSL | 16:8e0d178b1d1e | 11741 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 11742 | byte pub[ED448_PUB_KEY_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 11743 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11744 | |
wolfSSL | 16:8e0d178b1d1e | 11745 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11746 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11747 | if (pub == NULL) |
wolfSSL | 16:8e0d178b1d1e | 11748 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 11749 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11750 | |
wolfSSL | 16:8e0d178b1d1e | 11751 | idx = wc_ed448_export_public(key, pub, &pubSz); |
wolfSSL | 16:8e0d178b1d1e | 11752 | if (idx != 0) { |
wolfSSL | 16:8e0d178b1d1e | 11753 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11754 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11755 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11756 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 11757 | } |
wolfSSL | 16:8e0d178b1d1e | 11758 | |
wolfSSL | 16:8e0d178b1d1e | 11759 | /* headers */ |
wolfSSL | 16:8e0d178b1d1e | 11760 | if (with_header) { |
wolfSSL | 16:8e0d178b1d1e | 11761 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11762 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11763 | if (algo == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11764 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11765 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 11766 | } |
wolfSSL | 16:8e0d178b1d1e | 11767 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11768 | algoSz = SetAlgoID(ED448k, algo, oidKeyType, 0); |
wolfSSL | 16:8e0d178b1d1e | 11769 | |
wolfSSL | 16:8e0d178b1d1e | 11770 | bitStringSz = SetBitString(pubSz, 0, bitString); |
wolfSSL | 16:8e0d178b1d1e | 11771 | |
wolfSSL | 16:8e0d178b1d1e | 11772 | idx = SetSequence(pubSz + bitStringSz + algoSz, output); |
wolfSSL | 16:8e0d178b1d1e | 11773 | /* algo */ |
wolfSSL | 16:8e0d178b1d1e | 11774 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 11775 | idx += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 11776 | /* bit string */ |
wolfSSL | 16:8e0d178b1d1e | 11777 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 16:8e0d178b1d1e | 11778 | idx += bitStringSz; |
wolfSSL | 16:8e0d178b1d1e | 11779 | } |
wolfSSL | 16:8e0d178b1d1e | 11780 | else |
wolfSSL | 16:8e0d178b1d1e | 11781 | idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 11782 | |
wolfSSL | 16:8e0d178b1d1e | 11783 | /* pub */ |
wolfSSL | 16:8e0d178b1d1e | 11784 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 16:8e0d178b1d1e | 11785 | idx += pubSz; |
wolfSSL | 16:8e0d178b1d1e | 11786 | |
wolfSSL | 16:8e0d178b1d1e | 11787 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 11788 | if (with_header) { |
wolfSSL | 16:8e0d178b1d1e | 11789 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11790 | } |
wolfSSL | 16:8e0d178b1d1e | 11791 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 11792 | #endif |
wolfSSL | 16:8e0d178b1d1e | 11793 | |
wolfSSL | 16:8e0d178b1d1e | 11794 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 11795 | } |
wolfSSL | 16:8e0d178b1d1e | 11796 | |
wolfSSL | 16:8e0d178b1d1e | 11797 | int wc_Ed448PublicKeyToDer(ed448_key* key, byte* output, word32 inLen, |
wolfSSL | 16:8e0d178b1d1e | 11798 | int withAlg) |
wolfSSL | 16:8e0d178b1d1e | 11799 | { |
wolfSSL | 16:8e0d178b1d1e | 11800 | word32 infoSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 11801 | word32 keySz = 0; |
wolfSSL | 16:8e0d178b1d1e | 11802 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 11803 | |
wolfSSL | 16:8e0d178b1d1e | 11804 | if (output == NULL || key == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 11805 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 11806 | } |
wolfSSL | 16:8e0d178b1d1e | 11807 | |
wolfSSL | 16:8e0d178b1d1e | 11808 | if (withAlg) { |
wolfSSL | 16:8e0d178b1d1e | 11809 | /* buffer space for algorithm */ |
wolfSSL | 16:8e0d178b1d1e | 11810 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 16:8e0d178b1d1e | 11811 | infoSz += MAX_ALGO_SZ; |
wolfSSL | 16:8e0d178b1d1e | 11812 | |
wolfSSL | 16:8e0d178b1d1e | 11813 | /* buffer space for public key sequence */ |
wolfSSL | 16:8e0d178b1d1e | 11814 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 16:8e0d178b1d1e | 11815 | infoSz += TRAILING_ZERO; |
wolfSSL | 16:8e0d178b1d1e | 11816 | } |
wolfSSL | 16:8e0d178b1d1e | 11817 | |
wolfSSL | 16:8e0d178b1d1e | 11818 | if ((ret = wc_ed448_export_public(key, output, &keySz)) != BUFFER_E) { |
wolfSSL | 16:8e0d178b1d1e | 11819 | WOLFSSL_MSG("Error in getting ECC public key size"); |
wolfSSL | 16:8e0d178b1d1e | 11820 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 11821 | } |
wolfSSL | 16:8e0d178b1d1e | 11822 | |
wolfSSL | 16:8e0d178b1d1e | 11823 | if (inLen < keySz + infoSz) { |
wolfSSL | 16:8e0d178b1d1e | 11824 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 11825 | } |
wolfSSL | 16:8e0d178b1d1e | 11826 | |
wolfSSL | 16:8e0d178b1d1e | 11827 | return SetEd448PublicKey(output, key, withAlg); |
wolfSSL | 16:8e0d178b1d1e | 11828 | } |
wolfSSL | 16:8e0d178b1d1e | 11829 | #endif /* HAVE_ED448 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ |
wolfSSL | 15:117db924cf7c | 11830 | |
wolfSSL | 15:117db924cf7c | 11831 | |
wolfSSL | 15:117db924cf7c | 11832 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 15:117db924cf7c | 11833 | |
wolfSSL | 15:117db924cf7c | 11834 | static WC_INLINE byte itob(int number) |
wolfSSL | 15:117db924cf7c | 11835 | { |
wolfSSL | 15:117db924cf7c | 11836 | return (byte)number + 0x30; |
wolfSSL | 15:117db924cf7c | 11837 | } |
wolfSSL | 15:117db924cf7c | 11838 | |
wolfSSL | 15:117db924cf7c | 11839 | |
wolfSSL | 15:117db924cf7c | 11840 | /* write time to output, format */ |
wolfSSL | 15:117db924cf7c | 11841 | static void SetTime(struct tm* date, byte* output) |
wolfSSL | 15:117db924cf7c | 11842 | { |
wolfSSL | 15:117db924cf7c | 11843 | int i = 0; |
wolfSSL | 15:117db924cf7c | 11844 | |
wolfSSL | 15:117db924cf7c | 11845 | output[i++] = itob((date->tm_year % 10000) / 1000); |
wolfSSL | 15:117db924cf7c | 11846 | output[i++] = itob((date->tm_year % 1000) / 100); |
wolfSSL | 15:117db924cf7c | 11847 | output[i++] = itob((date->tm_year % 100) / 10); |
wolfSSL | 15:117db924cf7c | 11848 | output[i++] = itob( date->tm_year % 10); |
wolfSSL | 15:117db924cf7c | 11849 | |
wolfSSL | 15:117db924cf7c | 11850 | output[i++] = itob(date->tm_mon / 10); |
wolfSSL | 15:117db924cf7c | 11851 | output[i++] = itob(date->tm_mon % 10); |
wolfSSL | 15:117db924cf7c | 11852 | |
wolfSSL | 15:117db924cf7c | 11853 | output[i++] = itob(date->tm_mday / 10); |
wolfSSL | 15:117db924cf7c | 11854 | output[i++] = itob(date->tm_mday % 10); |
wolfSSL | 15:117db924cf7c | 11855 | |
wolfSSL | 15:117db924cf7c | 11856 | output[i++] = itob(date->tm_hour / 10); |
wolfSSL | 15:117db924cf7c | 11857 | output[i++] = itob(date->tm_hour % 10); |
wolfSSL | 15:117db924cf7c | 11858 | |
wolfSSL | 15:117db924cf7c | 11859 | output[i++] = itob(date->tm_min / 10); |
wolfSSL | 15:117db924cf7c | 11860 | output[i++] = itob(date->tm_min % 10); |
wolfSSL | 15:117db924cf7c | 11861 | |
wolfSSL | 15:117db924cf7c | 11862 | output[i++] = itob(date->tm_sec / 10); |
wolfSSL | 15:117db924cf7c | 11863 | output[i++] = itob(date->tm_sec % 10); |
wolfSSL | 15:117db924cf7c | 11864 | |
wolfSSL | 15:117db924cf7c | 11865 | output[i] = 'Z'; /* Zulu profile */ |
wolfSSL | 15:117db924cf7c | 11866 | } |
wolfSSL | 15:117db924cf7c | 11867 | |
wolfSSL | 15:117db924cf7c | 11868 | |
wolfSSL | 15:117db924cf7c | 11869 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 11870 | |
wolfSSL | 15:117db924cf7c | 11871 | /* Copy Dates from cert, return bytes written */ |
wolfSSL | 15:117db924cf7c | 11872 | static int CopyValidity(byte* output, Cert* cert) |
wolfSSL | 15:117db924cf7c | 11873 | { |
wolfSSL | 15:117db924cf7c | 11874 | int seqSz; |
wolfSSL | 15:117db924cf7c | 11875 | |
wolfSSL | 15:117db924cf7c | 11876 | WOLFSSL_ENTER("CopyValidity"); |
wolfSSL | 15:117db924cf7c | 11877 | |
wolfSSL | 15:117db924cf7c | 11878 | /* headers and output */ |
wolfSSL | 15:117db924cf7c | 11879 | seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output); |
wolfSSL | 16:8e0d178b1d1e | 11880 | if (output) { |
wolfSSL | 16:8e0d178b1d1e | 11881 | XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz); |
wolfSSL | 16:8e0d178b1d1e | 11882 | XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate, |
wolfSSL | 16:8e0d178b1d1e | 11883 | cert->afterDateSz); |
wolfSSL | 16:8e0d178b1d1e | 11884 | } |
wolfSSL | 15:117db924cf7c | 11885 | return seqSz + cert->beforeDateSz + cert->afterDateSz; |
wolfSSL | 15:117db924cf7c | 11886 | } |
wolfSSL | 15:117db924cf7c | 11887 | |
wolfSSL | 15:117db924cf7c | 11888 | #endif |
wolfSSL | 15:117db924cf7c | 11889 | |
wolfSSL | 15:117db924cf7c | 11890 | |
wolfSSL | 15:117db924cf7c | 11891 | /* Set Date validity from now until now + daysValid |
wolfSSL | 15:117db924cf7c | 11892 | * return size in bytes written to output, 0 on error */ |
wolfSSL | 15:117db924cf7c | 11893 | static int SetValidity(byte* output, int daysValid) |
wolfSSL | 15:117db924cf7c | 11894 | { |
wolfSSL | 15:117db924cf7c | 11895 | byte before[MAX_DATE_SIZE]; |
wolfSSL | 15:117db924cf7c | 11896 | byte after[MAX_DATE_SIZE]; |
wolfSSL | 15:117db924cf7c | 11897 | |
wolfSSL | 15:117db924cf7c | 11898 | int beforeSz; |
wolfSSL | 15:117db924cf7c | 11899 | int afterSz; |
wolfSSL | 15:117db924cf7c | 11900 | int seqSz; |
wolfSSL | 15:117db924cf7c | 11901 | |
wolfSSL | 15:117db924cf7c | 11902 | time_t now; |
wolfSSL | 15:117db924cf7c | 11903 | time_t then; |
wolfSSL | 16:8e0d178b1d1e | 11904 | struct tm* tmpTime; |
wolfSSL | 15:117db924cf7c | 11905 | struct tm* expandedTime; |
wolfSSL | 15:117db924cf7c | 11906 | struct tm localTime; |
wolfSSL | 15:117db924cf7c | 11907 | |
wolfSSL | 15:117db924cf7c | 11908 | #if defined(NEED_TMP_TIME) |
wolfSSL | 15:117db924cf7c | 11909 | /* for use with gmtime_r */ |
wolfSSL | 15:117db924cf7c | 11910 | struct tm tmpTimeStorage; |
wolfSSL | 15:117db924cf7c | 11911 | tmpTime = &tmpTimeStorage; |
wolfSSL | 15:117db924cf7c | 11912 | #else |
wolfSSL | 16:8e0d178b1d1e | 11913 | tmpTime = NULL; |
wolfSSL | 16:8e0d178b1d1e | 11914 | #endif |
wolfSSL | 15:117db924cf7c | 11915 | (void)tmpTime; |
wolfSSL | 15:117db924cf7c | 11916 | |
wolfSSL | 15:117db924cf7c | 11917 | now = XTIME(0); |
wolfSSL | 15:117db924cf7c | 11918 | |
wolfSSL | 15:117db924cf7c | 11919 | /* before now */ |
wolfSSL | 15:117db924cf7c | 11920 | before[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 15:117db924cf7c | 11921 | beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */ |
wolfSSL | 15:117db924cf7c | 11922 | |
wolfSSL | 15:117db924cf7c | 11923 | /* subtract 1 day of seconds for more compliance */ |
wolfSSL | 15:117db924cf7c | 11924 | then = now - 86400; |
wolfSSL | 15:117db924cf7c | 11925 | expandedTime = XGMTIME(&then, tmpTime); |
wolfSSL | 15:117db924cf7c | 11926 | if (expandedTime == NULL) { |
wolfSSL | 15:117db924cf7c | 11927 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 15:117db924cf7c | 11928 | return 0; /* error */ |
wolfSSL | 15:117db924cf7c | 11929 | } |
wolfSSL | 15:117db924cf7c | 11930 | localTime = *expandedTime; |
wolfSSL | 15:117db924cf7c | 11931 | |
wolfSSL | 15:117db924cf7c | 11932 | /* adjust */ |
wolfSSL | 15:117db924cf7c | 11933 | localTime.tm_year += 1900; |
wolfSSL | 15:117db924cf7c | 11934 | localTime.tm_mon += 1; |
wolfSSL | 15:117db924cf7c | 11935 | |
wolfSSL | 15:117db924cf7c | 11936 | SetTime(&localTime, before + beforeSz); |
wolfSSL | 15:117db924cf7c | 11937 | beforeSz += ASN_GEN_TIME_SZ; |
wolfSSL | 15:117db924cf7c | 11938 | |
wolfSSL | 15:117db924cf7c | 11939 | after[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 15:117db924cf7c | 11940 | afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */ |
wolfSSL | 15:117db924cf7c | 11941 | |
wolfSSL | 15:117db924cf7c | 11942 | /* add daysValid of seconds */ |
wolfSSL | 16:8e0d178b1d1e | 11943 | then = now + (daysValid * (time_t)86400); |
wolfSSL | 15:117db924cf7c | 11944 | expandedTime = XGMTIME(&then, tmpTime); |
wolfSSL | 15:117db924cf7c | 11945 | if (expandedTime == NULL) { |
wolfSSL | 15:117db924cf7c | 11946 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 15:117db924cf7c | 11947 | return 0; /* error */ |
wolfSSL | 15:117db924cf7c | 11948 | } |
wolfSSL | 15:117db924cf7c | 11949 | localTime = *expandedTime; |
wolfSSL | 15:117db924cf7c | 11950 | |
wolfSSL | 15:117db924cf7c | 11951 | /* adjust */ |
wolfSSL | 15:117db924cf7c | 11952 | localTime.tm_year += 1900; |
wolfSSL | 15:117db924cf7c | 11953 | localTime.tm_mon += 1; |
wolfSSL | 15:117db924cf7c | 11954 | |
wolfSSL | 15:117db924cf7c | 11955 | SetTime(&localTime, after + afterSz); |
wolfSSL | 15:117db924cf7c | 11956 | afterSz += ASN_GEN_TIME_SZ; |
wolfSSL | 15:117db924cf7c | 11957 | |
wolfSSL | 15:117db924cf7c | 11958 | /* headers and output */ |
wolfSSL | 15:117db924cf7c | 11959 | seqSz = SetSequence(beforeSz + afterSz, output); |
wolfSSL | 15:117db924cf7c | 11960 | XMEMCPY(output + seqSz, before, beforeSz); |
wolfSSL | 15:117db924cf7c | 11961 | XMEMCPY(output + seqSz + beforeSz, after, afterSz); |
wolfSSL | 15:117db924cf7c | 11962 | |
wolfSSL | 15:117db924cf7c | 11963 | return seqSz + beforeSz + afterSz; |
wolfSSL | 15:117db924cf7c | 11964 | } |
wolfSSL | 15:117db924cf7c | 11965 | |
wolfSSL | 15:117db924cf7c | 11966 | |
wolfSSL | 15:117db924cf7c | 11967 | /* ASN Encoded Name field */ |
wolfSSL | 15:117db924cf7c | 11968 | typedef struct EncodedName { |
wolfSSL | 15:117db924cf7c | 11969 | int nameLen; /* actual string value length */ |
wolfSSL | 15:117db924cf7c | 11970 | int totalLen; /* total encoded length */ |
wolfSSL | 15:117db924cf7c | 11971 | int type; /* type of name */ |
wolfSSL | 15:117db924cf7c | 11972 | int used; /* are we actually using this one */ |
wolfSSL | 15:117db924cf7c | 11973 | byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ |
wolfSSL | 15:117db924cf7c | 11974 | } EncodedName; |
wolfSSL | 15:117db924cf7c | 11975 | |
wolfSSL | 15:117db924cf7c | 11976 | |
wolfSSL | 15:117db924cf7c | 11977 | /* Get Which Name from index */ |
wolfSSL | 15:117db924cf7c | 11978 | static const char* GetOneName(CertName* name, int idx) |
wolfSSL | 15:117db924cf7c | 11979 | { |
wolfSSL | 15:117db924cf7c | 11980 | switch (idx) { |
wolfSSL | 15:117db924cf7c | 11981 | case 0: |
wolfSSL | 15:117db924cf7c | 11982 | return name->country; |
wolfSSL | 15:117db924cf7c | 11983 | |
wolfSSL | 15:117db924cf7c | 11984 | case 1: |
wolfSSL | 15:117db924cf7c | 11985 | return name->state; |
wolfSSL | 15:117db924cf7c | 11986 | |
wolfSSL | 15:117db924cf7c | 11987 | case 2: |
wolfSSL | 15:117db924cf7c | 11988 | return name->locality; |
wolfSSL | 15:117db924cf7c | 11989 | |
wolfSSL | 15:117db924cf7c | 11990 | case 3: |
wolfSSL | 15:117db924cf7c | 11991 | return name->sur; |
wolfSSL | 15:117db924cf7c | 11992 | |
wolfSSL | 15:117db924cf7c | 11993 | case 4: |
wolfSSL | 15:117db924cf7c | 11994 | return name->org; |
wolfSSL | 15:117db924cf7c | 11995 | |
wolfSSL | 15:117db924cf7c | 11996 | case 5: |
wolfSSL | 15:117db924cf7c | 11997 | return name->unit; |
wolfSSL | 15:117db924cf7c | 11998 | |
wolfSSL | 15:117db924cf7c | 11999 | case 6: |
wolfSSL | 15:117db924cf7c | 12000 | return name->commonName; |
wolfSSL | 15:117db924cf7c | 12001 | |
wolfSSL | 15:117db924cf7c | 12002 | case 7: |
wolfSSL | 16:8e0d178b1d1e | 12003 | return name->serialDev; |
wolfSSL | 16:8e0d178b1d1e | 12004 | |
wolfSSL | 16:8e0d178b1d1e | 12005 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 12006 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12007 | return name->busCat; |
wolfSSL | 16:8e0d178b1d1e | 12008 | |
wolfSSL | 16:8e0d178b1d1e | 12009 | case 9: |
wolfSSL | 16:8e0d178b1d1e | 12010 | #else |
wolfSSL | 16:8e0d178b1d1e | 12011 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12012 | #endif |
wolfSSL | 15:117db924cf7c | 12013 | return name->email; |
wolfSSL | 15:117db924cf7c | 12014 | |
wolfSSL | 15:117db924cf7c | 12015 | default: |
wolfSSL | 15:117db924cf7c | 12016 | return 0; |
wolfSSL | 15:117db924cf7c | 12017 | } |
wolfSSL | 15:117db924cf7c | 12018 | } |
wolfSSL | 15:117db924cf7c | 12019 | |
wolfSSL | 15:117db924cf7c | 12020 | |
wolfSSL | 15:117db924cf7c | 12021 | /* Get Which Name Encoding from index */ |
wolfSSL | 15:117db924cf7c | 12022 | static char GetNameType(CertName* name, int idx) |
wolfSSL | 15:117db924cf7c | 12023 | { |
wolfSSL | 15:117db924cf7c | 12024 | switch (idx) { |
wolfSSL | 15:117db924cf7c | 12025 | case 0: |
wolfSSL | 15:117db924cf7c | 12026 | return name->countryEnc; |
wolfSSL | 15:117db924cf7c | 12027 | |
wolfSSL | 15:117db924cf7c | 12028 | case 1: |
wolfSSL | 15:117db924cf7c | 12029 | return name->stateEnc; |
wolfSSL | 15:117db924cf7c | 12030 | |
wolfSSL | 15:117db924cf7c | 12031 | case 2: |
wolfSSL | 15:117db924cf7c | 12032 | return name->localityEnc; |
wolfSSL | 15:117db924cf7c | 12033 | |
wolfSSL | 15:117db924cf7c | 12034 | case 3: |
wolfSSL | 15:117db924cf7c | 12035 | return name->surEnc; |
wolfSSL | 15:117db924cf7c | 12036 | |
wolfSSL | 15:117db924cf7c | 12037 | case 4: |
wolfSSL | 15:117db924cf7c | 12038 | return name->orgEnc; |
wolfSSL | 15:117db924cf7c | 12039 | |
wolfSSL | 15:117db924cf7c | 12040 | case 5: |
wolfSSL | 15:117db924cf7c | 12041 | return name->unitEnc; |
wolfSSL | 15:117db924cf7c | 12042 | |
wolfSSL | 15:117db924cf7c | 12043 | case 6: |
wolfSSL | 15:117db924cf7c | 12044 | return name->commonNameEnc; |
wolfSSL | 15:117db924cf7c | 12045 | |
wolfSSL | 16:8e0d178b1d1e | 12046 | case 7: |
wolfSSL | 16:8e0d178b1d1e | 12047 | return name->serialDevEnc; |
wolfSSL | 16:8e0d178b1d1e | 12048 | |
wolfSSL | 16:8e0d178b1d1e | 12049 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 12050 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12051 | return name->busCatEnc; |
wolfSSL | 16:8e0d178b1d1e | 12052 | |
wolfSSL | 16:8e0d178b1d1e | 12053 | case 9: |
wolfSSL | 16:8e0d178b1d1e | 12054 | #else |
wolfSSL | 16:8e0d178b1d1e | 12055 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12056 | #endif |
wolfSSL | 16:8e0d178b1d1e | 12057 | /* FALL THROUGH */ |
wolfSSL | 16:8e0d178b1d1e | 12058 | /* The last index, email name, does not have encoding type. |
wolfSSL | 16:8e0d178b1d1e | 12059 | The empty case here is to keep track of it for future reference. */ |
wolfSSL | 15:117db924cf7c | 12060 | default: |
wolfSSL | 15:117db924cf7c | 12061 | return 0; |
wolfSSL | 15:117db924cf7c | 12062 | } |
wolfSSL | 15:117db924cf7c | 12063 | } |
wolfSSL | 15:117db924cf7c | 12064 | |
wolfSSL | 15:117db924cf7c | 12065 | |
wolfSSL | 15:117db924cf7c | 12066 | /* Get ASN Name from index */ |
wolfSSL | 15:117db924cf7c | 12067 | static byte GetNameId(int idx) |
wolfSSL | 15:117db924cf7c | 12068 | { |
wolfSSL | 15:117db924cf7c | 12069 | switch (idx) { |
wolfSSL | 15:117db924cf7c | 12070 | case 0: |
wolfSSL | 15:117db924cf7c | 12071 | return ASN_COUNTRY_NAME; |
wolfSSL | 15:117db924cf7c | 12072 | |
wolfSSL | 15:117db924cf7c | 12073 | case 1: |
wolfSSL | 15:117db924cf7c | 12074 | return ASN_STATE_NAME; |
wolfSSL | 15:117db924cf7c | 12075 | |
wolfSSL | 15:117db924cf7c | 12076 | case 2: |
wolfSSL | 15:117db924cf7c | 12077 | return ASN_LOCALITY_NAME; |
wolfSSL | 15:117db924cf7c | 12078 | |
wolfSSL | 15:117db924cf7c | 12079 | case 3: |
wolfSSL | 15:117db924cf7c | 12080 | return ASN_SUR_NAME; |
wolfSSL | 15:117db924cf7c | 12081 | |
wolfSSL | 15:117db924cf7c | 12082 | case 4: |
wolfSSL | 15:117db924cf7c | 12083 | return ASN_ORG_NAME; |
wolfSSL | 15:117db924cf7c | 12084 | |
wolfSSL | 15:117db924cf7c | 12085 | case 5: |
wolfSSL | 15:117db924cf7c | 12086 | return ASN_ORGUNIT_NAME; |
wolfSSL | 15:117db924cf7c | 12087 | |
wolfSSL | 15:117db924cf7c | 12088 | case 6: |
wolfSSL | 15:117db924cf7c | 12089 | return ASN_COMMON_NAME; |
wolfSSL | 15:117db924cf7c | 12090 | |
wolfSSL | 15:117db924cf7c | 12091 | case 7: |
wolfSSL | 16:8e0d178b1d1e | 12092 | return ASN_SERIAL_NUMBER; |
wolfSSL | 16:8e0d178b1d1e | 12093 | |
wolfSSL | 16:8e0d178b1d1e | 12094 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 12095 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12096 | return ASN_BUS_CAT; |
wolfSSL | 16:8e0d178b1d1e | 12097 | |
wolfSSL | 16:8e0d178b1d1e | 12098 | case 9: |
wolfSSL | 16:8e0d178b1d1e | 12099 | #else |
wolfSSL | 16:8e0d178b1d1e | 12100 | case 8: |
wolfSSL | 16:8e0d178b1d1e | 12101 | #endif |
wolfSSL | 16:8e0d178b1d1e | 12102 | return ASN_EMAIL_NAME; |
wolfSSL | 15:117db924cf7c | 12103 | |
wolfSSL | 15:117db924cf7c | 12104 | default: |
wolfSSL | 15:117db924cf7c | 12105 | return 0; |
wolfSSL | 15:117db924cf7c | 12106 | } |
wolfSSL | 15:117db924cf7c | 12107 | } |
wolfSSL | 15:117db924cf7c | 12108 | |
wolfSSL | 15:117db924cf7c | 12109 | /* |
wolfSSL | 15:117db924cf7c | 12110 | Extensions ::= SEQUENCE OF Extension |
wolfSSL | 15:117db924cf7c | 12111 | |
wolfSSL | 15:117db924cf7c | 12112 | Extension ::= SEQUENCE { |
wolfSSL | 15:117db924cf7c | 12113 | extnId OBJECT IDENTIFIER, |
wolfSSL | 15:117db924cf7c | 12114 | critical BOOLEAN DEFAULT FALSE, |
wolfSSL | 15:117db924cf7c | 12115 | extnValue OCTET STRING } |
wolfSSL | 15:117db924cf7c | 12116 | */ |
wolfSSL | 15:117db924cf7c | 12117 | |
wolfSSL | 15:117db924cf7c | 12118 | /* encode all extensions, return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12119 | static int SetExtensions(byte* out, word32 outSz, int *IdxInOut, |
wolfSSL | 15:117db924cf7c | 12120 | const byte* ext, int extSz) |
wolfSSL | 15:117db924cf7c | 12121 | { |
wolfSSL | 15:117db924cf7c | 12122 | if (out == NULL || IdxInOut == NULL || ext == NULL) |
wolfSSL | 15:117db924cf7c | 12123 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12124 | |
wolfSSL | 15:117db924cf7c | 12125 | if (outSz < (word32)(*IdxInOut+extSz)) |
wolfSSL | 15:117db924cf7c | 12126 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12127 | |
wolfSSL | 15:117db924cf7c | 12128 | XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */ |
wolfSSL | 15:117db924cf7c | 12129 | *IdxInOut += extSz; |
wolfSSL | 15:117db924cf7c | 12130 | |
wolfSSL | 15:117db924cf7c | 12131 | return *IdxInOut; |
wolfSSL | 15:117db924cf7c | 12132 | } |
wolfSSL | 15:117db924cf7c | 12133 | |
wolfSSL | 15:117db924cf7c | 12134 | /* encode extensions header, return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12135 | static int SetExtensionsHeader(byte* out, word32 outSz, int extSz) |
wolfSSL | 15:117db924cf7c | 12136 | { |
wolfSSL | 15:117db924cf7c | 12137 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 12138 | byte len[MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 12139 | int seqSz, lenSz, idx = 0; |
wolfSSL | 15:117db924cf7c | 12140 | |
wolfSSL | 15:117db924cf7c | 12141 | if (out == NULL) |
wolfSSL | 15:117db924cf7c | 12142 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12143 | |
wolfSSL | 15:117db924cf7c | 12144 | if (outSz < 3) |
wolfSSL | 15:117db924cf7c | 12145 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12146 | |
wolfSSL | 15:117db924cf7c | 12147 | seqSz = SetSequence(extSz, sequence); |
wolfSSL | 15:117db924cf7c | 12148 | |
wolfSSL | 15:117db924cf7c | 12149 | /* encode extensions length provided */ |
wolfSSL | 15:117db924cf7c | 12150 | lenSz = SetLength(extSz+seqSz, len); |
wolfSSL | 15:117db924cf7c | 12151 | |
wolfSSL | 15:117db924cf7c | 12152 | if (outSz < (word32)(lenSz+seqSz+1)) |
wolfSSL | 15:117db924cf7c | 12153 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12154 | |
wolfSSL | 15:117db924cf7c | 12155 | out[idx++] = ASN_EXTENSIONS; /* extensions id */ |
wolfSSL | 15:117db924cf7c | 12156 | XMEMCPY(&out[idx], len, lenSz); /* length */ |
wolfSSL | 15:117db924cf7c | 12157 | idx += lenSz; |
wolfSSL | 15:117db924cf7c | 12158 | |
wolfSSL | 15:117db924cf7c | 12159 | XMEMCPY(&out[idx], sequence, seqSz); /* sequence */ |
wolfSSL | 15:117db924cf7c | 12160 | idx += seqSz; |
wolfSSL | 15:117db924cf7c | 12161 | |
wolfSSL | 15:117db924cf7c | 12162 | return idx; |
wolfSSL | 15:117db924cf7c | 12163 | } |
wolfSSL | 15:117db924cf7c | 12164 | |
wolfSSL | 15:117db924cf7c | 12165 | |
wolfSSL | 15:117db924cf7c | 12166 | /* encode CA basic constraint true, return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12167 | static int SetCa(byte* out, word32 outSz) |
wolfSSL | 15:117db924cf7c | 12168 | { |
wolfSSL | 16:8e0d178b1d1e | 12169 | const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, |
wolfSSL | 15:117db924cf7c | 12170 | 0x05, 0x30, 0x03, 0x01, 0x01, 0xff }; |
wolfSSL | 15:117db924cf7c | 12171 | |
wolfSSL | 15:117db924cf7c | 12172 | if (out == NULL) |
wolfSSL | 15:117db924cf7c | 12173 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12174 | |
wolfSSL | 15:117db924cf7c | 12175 | if (outSz < sizeof(ca)) |
wolfSSL | 15:117db924cf7c | 12176 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12177 | |
wolfSSL | 15:117db924cf7c | 12178 | XMEMCPY(out, ca, sizeof(ca)); |
wolfSSL | 15:117db924cf7c | 12179 | |
wolfSSL | 15:117db924cf7c | 12180 | return (int)sizeof(ca); |
wolfSSL | 15:117db924cf7c | 12181 | } |
wolfSSL | 15:117db924cf7c | 12182 | |
wolfSSL | 15:117db924cf7c | 12183 | |
wolfSSL | 15:117db924cf7c | 12184 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 12185 | /* encode OID and associated value, return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12186 | static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz, |
wolfSSL | 15:117db924cf7c | 12187 | byte *in, word32 inSz) |
wolfSSL | 15:117db924cf7c | 12188 | { |
wolfSSL | 15:117db924cf7c | 12189 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 12190 | |
wolfSSL | 15:117db924cf7c | 12191 | if (out == NULL || oid == NULL || in == NULL) |
wolfSSL | 15:117db924cf7c | 12192 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12193 | |
wolfSSL | 15:117db924cf7c | 12194 | if (outSz < 3) |
wolfSSL | 15:117db924cf7c | 12195 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12196 | |
wolfSSL | 15:117db924cf7c | 12197 | /* sequence, + 1 => byte to put value size */ |
wolfSSL | 15:117db924cf7c | 12198 | idx = SetSequence(inSz + oidSz + 1, out); |
wolfSSL | 15:117db924cf7c | 12199 | |
wolfSSL | 15:117db924cf7c | 12200 | if ((idx + inSz + oidSz + 1) > outSz) |
wolfSSL | 15:117db924cf7c | 12201 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12202 | |
wolfSSL | 15:117db924cf7c | 12203 | XMEMCPY(out+idx, oid, oidSz); |
wolfSSL | 15:117db924cf7c | 12204 | idx += oidSz; |
wolfSSL | 15:117db924cf7c | 12205 | out[idx++] = (byte)inSz; |
wolfSSL | 15:117db924cf7c | 12206 | XMEMCPY(out+idx, in, inSz); |
wolfSSL | 15:117db924cf7c | 12207 | |
wolfSSL | 15:117db924cf7c | 12208 | return (idx+inSz); |
wolfSSL | 15:117db924cf7c | 12209 | } |
wolfSSL | 15:117db924cf7c | 12210 | |
wolfSSL | 15:117db924cf7c | 12211 | /* encode Subject Key Identifier, return total bytes written |
wolfSSL | 15:117db924cf7c | 12212 | * RFC5280 : non-critical */ |
wolfSSL | 15:117db924cf7c | 12213 | static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) |
wolfSSL | 15:117db924cf7c | 12214 | { |
wolfSSL | 15:117db924cf7c | 12215 | byte skid_len[1 + MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 12216 | byte skid_enc_len[MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 12217 | int idx = 0, skid_lenSz, skid_enc_lenSz; |
wolfSSL | 16:8e0d178b1d1e | 12218 | const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 }; |
wolfSSL | 15:117db924cf7c | 12219 | |
wolfSSL | 15:117db924cf7c | 12220 | if (output == NULL || input == NULL) |
wolfSSL | 15:117db924cf7c | 12221 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12222 | |
wolfSSL | 15:117db924cf7c | 12223 | /* Octet String header */ |
wolfSSL | 15:117db924cf7c | 12224 | skid_lenSz = SetOctetString(length, skid_len); |
wolfSSL | 15:117db924cf7c | 12225 | |
wolfSSL | 15:117db924cf7c | 12226 | /* length of encoded value */ |
wolfSSL | 15:117db924cf7c | 12227 | skid_enc_lenSz = SetLength(length + skid_lenSz, skid_enc_len); |
wolfSSL | 15:117db924cf7c | 12228 | |
wolfSSL | 15:117db924cf7c | 12229 | if (outSz < 3) |
wolfSSL | 15:117db924cf7c | 12230 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12231 | |
wolfSSL | 15:117db924cf7c | 12232 | idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz, |
wolfSSL | 15:117db924cf7c | 12233 | output); |
wolfSSL | 15:117db924cf7c | 12234 | |
wolfSSL | 15:117db924cf7c | 12235 | if ((length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz) > outSz) |
wolfSSL | 15:117db924cf7c | 12236 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12237 | |
wolfSSL | 15:117db924cf7c | 12238 | /* put oid */ |
wolfSSL | 15:117db924cf7c | 12239 | XMEMCPY(output+idx, skid_oid, sizeof(skid_oid)); |
wolfSSL | 15:117db924cf7c | 12240 | idx += sizeof(skid_oid); |
wolfSSL | 15:117db924cf7c | 12241 | |
wolfSSL | 15:117db924cf7c | 12242 | /* put encoded len */ |
wolfSSL | 15:117db924cf7c | 12243 | XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz); |
wolfSSL | 15:117db924cf7c | 12244 | idx += skid_enc_lenSz; |
wolfSSL | 15:117db924cf7c | 12245 | |
wolfSSL | 15:117db924cf7c | 12246 | /* put octet header */ |
wolfSSL | 15:117db924cf7c | 12247 | XMEMCPY(output+idx, skid_len, skid_lenSz); |
wolfSSL | 15:117db924cf7c | 12248 | idx += skid_lenSz; |
wolfSSL | 15:117db924cf7c | 12249 | |
wolfSSL | 15:117db924cf7c | 12250 | /* put value */ |
wolfSSL | 15:117db924cf7c | 12251 | XMEMCPY(output+idx, input, length); |
wolfSSL | 15:117db924cf7c | 12252 | idx += length; |
wolfSSL | 15:117db924cf7c | 12253 | |
wolfSSL | 15:117db924cf7c | 12254 | return idx; |
wolfSSL | 15:117db924cf7c | 12255 | } |
wolfSSL | 15:117db924cf7c | 12256 | |
wolfSSL | 15:117db924cf7c | 12257 | /* encode Authority Key Identifier, return total bytes written |
wolfSSL | 15:117db924cf7c | 12258 | * RFC5280 : non-critical */ |
wolfSSL | 15:117db924cf7c | 12259 | static int SetAKID(byte* output, word32 outSz, |
wolfSSL | 15:117db924cf7c | 12260 | byte *input, word32 length, void* heap) |
wolfSSL | 15:117db924cf7c | 12261 | { |
wolfSSL | 15:117db924cf7c | 12262 | byte *enc_val; |
wolfSSL | 15:117db924cf7c | 12263 | int ret, enc_valSz; |
wolfSSL | 16:8e0d178b1d1e | 12264 | const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; |
wolfSSL | 16:8e0d178b1d1e | 12265 | const byte akid_cs[] = { 0x80 }; |
wolfSSL | 16:8e0d178b1d1e | 12266 | |
wolfSSL | 16:8e0d178b1d1e | 12267 | (void)heap; |
wolfSSL | 15:117db924cf7c | 12268 | |
wolfSSL | 15:117db924cf7c | 12269 | if (output == NULL || input == NULL) |
wolfSSL | 15:117db924cf7c | 12270 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12271 | |
wolfSSL | 15:117db924cf7c | 12272 | enc_valSz = length + 3 + sizeof(akid_cs); |
wolfSSL | 15:117db924cf7c | 12273 | enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12274 | if (enc_val == NULL) |
wolfSSL | 15:117db924cf7c | 12275 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 12276 | |
wolfSSL | 15:117db924cf7c | 12277 | /* sequence for ContentSpec & value */ |
wolfSSL | 15:117db924cf7c | 12278 | ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), |
wolfSSL | 15:117db924cf7c | 12279 | input, length); |
wolfSSL | 15:117db924cf7c | 12280 | if (ret > 0) { |
wolfSSL | 15:117db924cf7c | 12281 | enc_valSz = ret; |
wolfSSL | 15:117db924cf7c | 12282 | |
wolfSSL | 15:117db924cf7c | 12283 | ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid), |
wolfSSL | 15:117db924cf7c | 12284 | enc_val, enc_valSz); |
wolfSSL | 15:117db924cf7c | 12285 | } |
wolfSSL | 15:117db924cf7c | 12286 | |
wolfSSL | 15:117db924cf7c | 12287 | XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12288 | return ret; |
wolfSSL | 15:117db924cf7c | 12289 | } |
wolfSSL | 15:117db924cf7c | 12290 | |
wolfSSL | 15:117db924cf7c | 12291 | /* encode Key Usage, return total bytes written |
wolfSSL | 15:117db924cf7c | 12292 | * RFC5280 : critical */ |
wolfSSL | 15:117db924cf7c | 12293 | static int SetKeyUsage(byte* output, word32 outSz, word16 input) |
wolfSSL | 15:117db924cf7c | 12294 | { |
wolfSSL | 15:117db924cf7c | 12295 | byte ku[5]; |
wolfSSL | 15:117db924cf7c | 12296 | int idx; |
wolfSSL | 16:8e0d178b1d1e | 12297 | const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f, |
wolfSSL | 15:117db924cf7c | 12298 | 0x01, 0x01, 0xff, 0x04}; |
wolfSSL | 15:117db924cf7c | 12299 | if (output == NULL) |
wolfSSL | 15:117db924cf7c | 12300 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12301 | |
wolfSSL | 15:117db924cf7c | 12302 | idx = SetBitString16Bit(input, ku); |
wolfSSL | 15:117db924cf7c | 12303 | return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid), |
wolfSSL | 15:117db924cf7c | 12304 | ku, idx); |
wolfSSL | 15:117db924cf7c | 12305 | } |
wolfSSL | 15:117db924cf7c | 12306 | |
wolfSSL | 15:117db924cf7c | 12307 | static int SetOjectIdValue(byte* output, word32 outSz, int* idx, |
wolfSSL | 15:117db924cf7c | 12308 | const byte* oid, word32 oidSz) |
wolfSSL | 15:117db924cf7c | 12309 | { |
wolfSSL | 15:117db924cf7c | 12310 | /* verify room */ |
wolfSSL | 15:117db924cf7c | 12311 | if (*idx + 2 + oidSz >= outSz) |
wolfSSL | 15:117db924cf7c | 12312 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 12313 | |
wolfSSL | 15:117db924cf7c | 12314 | *idx += SetObjectId(oidSz, &output[*idx]); |
wolfSSL | 15:117db924cf7c | 12315 | XMEMCPY(&output[*idx], oid, oidSz); |
wolfSSL | 15:117db924cf7c | 12316 | *idx += oidSz; |
wolfSSL | 15:117db924cf7c | 12317 | |
wolfSSL | 15:117db924cf7c | 12318 | return 0; |
wolfSSL | 15:117db924cf7c | 12319 | } |
wolfSSL | 15:117db924cf7c | 12320 | |
wolfSSL | 15:117db924cf7c | 12321 | /* encode Extended Key Usage (RFC 5280 4.2.1.12), return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12322 | static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input) |
wolfSSL | 15:117db924cf7c | 12323 | { |
wolfSSL | 15:117db924cf7c | 12324 | int idx = 0, oidListSz = 0, totalSz, ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 12325 | const byte extkeyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; |
wolfSSL | 15:117db924cf7c | 12326 | |
wolfSSL | 15:117db924cf7c | 12327 | if (output == NULL) |
wolfSSL | 15:117db924cf7c | 12328 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12329 | |
wolfSSL | 15:117db924cf7c | 12330 | /* Skip to OID List */ |
wolfSSL | 15:117db924cf7c | 12331 | totalSz = 2 + sizeof(extkeyusage_oid) + 4; |
wolfSSL | 15:117db924cf7c | 12332 | idx = totalSz; |
wolfSSL | 15:117db924cf7c | 12333 | |
wolfSSL | 15:117db924cf7c | 12334 | /* Build OID List */ |
wolfSSL | 15:117db924cf7c | 12335 | /* If any set, then just use it */ |
wolfSSL | 15:117db924cf7c | 12336 | if (input & EXTKEYUSE_ANY) { |
wolfSSL | 15:117db924cf7c | 12337 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12338 | extExtKeyUsageAnyOid, sizeof(extExtKeyUsageAnyOid)); |
wolfSSL | 15:117db924cf7c | 12339 | } |
wolfSSL | 15:117db924cf7c | 12340 | else { |
wolfSSL | 15:117db924cf7c | 12341 | if (input & EXTKEYUSE_SERVER_AUTH) |
wolfSSL | 15:117db924cf7c | 12342 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12343 | extExtKeyUsageServerAuthOid, sizeof(extExtKeyUsageServerAuthOid)); |
wolfSSL | 15:117db924cf7c | 12344 | if (input & EXTKEYUSE_CLIENT_AUTH) |
wolfSSL | 15:117db924cf7c | 12345 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12346 | extExtKeyUsageClientAuthOid, sizeof(extExtKeyUsageClientAuthOid)); |
wolfSSL | 15:117db924cf7c | 12347 | if (input & EXTKEYUSE_CODESIGN) |
wolfSSL | 15:117db924cf7c | 12348 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12349 | extExtKeyUsageCodeSigningOid, sizeof(extExtKeyUsageCodeSigningOid)); |
wolfSSL | 15:117db924cf7c | 12350 | if (input & EXTKEYUSE_EMAILPROT) |
wolfSSL | 15:117db924cf7c | 12351 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12352 | extExtKeyUsageEmailProtectOid, sizeof(extExtKeyUsageEmailProtectOid)); |
wolfSSL | 15:117db924cf7c | 12353 | if (input & EXTKEYUSE_TIMESTAMP) |
wolfSSL | 15:117db924cf7c | 12354 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12355 | extExtKeyUsageTimestampOid, sizeof(extExtKeyUsageTimestampOid)); |
wolfSSL | 15:117db924cf7c | 12356 | if (input & EXTKEYUSE_OCSP_SIGN) |
wolfSSL | 15:117db924cf7c | 12357 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12358 | extExtKeyUsageOcspSignOid, sizeof(extExtKeyUsageOcspSignOid)); |
wolfSSL | 15:117db924cf7c | 12359 | #ifdef WOLFSSL_EKU_OID |
wolfSSL | 15:117db924cf7c | 12360 | /* iterate through OID values */ |
wolfSSL | 15:117db924cf7c | 12361 | if (input & EXTKEYUSE_USER) { |
wolfSSL | 15:117db924cf7c | 12362 | int i, sz; |
wolfSSL | 15:117db924cf7c | 12363 | for (i = 0; i < CTC_MAX_EKU_NB; i++) { |
wolfSSL | 15:117db924cf7c | 12364 | sz = cert->extKeyUsageOIDSz[i]; |
wolfSSL | 15:117db924cf7c | 12365 | if (sz > 0) { |
wolfSSL | 15:117db924cf7c | 12366 | ret |= SetOjectIdValue(output, outSz, &idx, |
wolfSSL | 15:117db924cf7c | 12367 | cert->extKeyUsageOID[i], sz); |
wolfSSL | 15:117db924cf7c | 12368 | } |
wolfSSL | 15:117db924cf7c | 12369 | } |
wolfSSL | 15:117db924cf7c | 12370 | } |
wolfSSL | 15:117db924cf7c | 12371 | #endif /* WOLFSSL_EKU_OID */ |
wolfSSL | 15:117db924cf7c | 12372 | } |
wolfSSL | 15:117db924cf7c | 12373 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 12374 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 12375 | |
wolfSSL | 15:117db924cf7c | 12376 | /* Calculate Sizes */ |
wolfSSL | 15:117db924cf7c | 12377 | oidListSz = idx - totalSz; |
wolfSSL | 15:117db924cf7c | 12378 | totalSz = idx - 2; /* exclude first seq/len (2) */ |
wolfSSL | 15:117db924cf7c | 12379 | |
wolfSSL | 15:117db924cf7c | 12380 | /* 1. Seq + Total Len (2) */ |
wolfSSL | 15:117db924cf7c | 12381 | idx = SetSequence(totalSz, output); |
wolfSSL | 15:117db924cf7c | 12382 | |
wolfSSL | 15:117db924cf7c | 12383 | /* 2. Object ID (2) */ |
wolfSSL | 15:117db924cf7c | 12384 | XMEMCPY(&output[idx], extkeyusage_oid, sizeof(extkeyusage_oid)); |
wolfSSL | 15:117db924cf7c | 12385 | idx += sizeof(extkeyusage_oid); |
wolfSSL | 15:117db924cf7c | 12386 | |
wolfSSL | 16:8e0d178b1d1e | 12387 | /* 3. Octet String (2) */ |
wolfSSL | 15:117db924cf7c | 12388 | idx += SetOctetString(totalSz - idx, &output[idx]); |
wolfSSL | 15:117db924cf7c | 12389 | |
wolfSSL | 15:117db924cf7c | 12390 | /* 4. Seq + OidListLen (2) */ |
wolfSSL | 15:117db924cf7c | 12391 | idx += SetSequence(oidListSz, &output[idx]); |
wolfSSL | 15:117db924cf7c | 12392 | |
wolfSSL | 15:117db924cf7c | 12393 | /* 5. Oid List (already set in-place above) */ |
wolfSSL | 15:117db924cf7c | 12394 | idx += oidListSz; |
wolfSSL | 15:117db924cf7c | 12395 | |
wolfSSL | 15:117db924cf7c | 12396 | (void)cert; |
wolfSSL | 15:117db924cf7c | 12397 | return idx; |
wolfSSL | 15:117db924cf7c | 12398 | } |
wolfSSL | 15:117db924cf7c | 12399 | |
wolfSSL | 15:117db924cf7c | 12400 | /* encode Certificate Policies, return total bytes written |
wolfSSL | 15:117db924cf7c | 12401 | * each input value must be ITU-T X.690 formatted : a.b.c... |
wolfSSL | 15:117db924cf7c | 12402 | * input must be an array of values with a NULL terminated for the latest |
wolfSSL | 15:117db924cf7c | 12403 | * RFC5280 : non-critical */ |
wolfSSL | 15:117db924cf7c | 12404 | static int SetCertificatePolicies(byte *output, |
wolfSSL | 15:117db924cf7c | 12405 | word32 outputSz, |
wolfSSL | 15:117db924cf7c | 12406 | char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ], |
wolfSSL | 15:117db924cf7c | 12407 | word16 nb_certpol, |
wolfSSL | 15:117db924cf7c | 12408 | void* heap) |
wolfSSL | 15:117db924cf7c | 12409 | { |
wolfSSL | 15:117db924cf7c | 12410 | byte oid[MAX_OID_SZ], |
wolfSSL | 15:117db924cf7c | 12411 | der_oid[MAX_CERTPOL_NB][MAX_OID_SZ], |
wolfSSL | 15:117db924cf7c | 12412 | out[MAX_CERTPOL_SZ]; |
wolfSSL | 15:117db924cf7c | 12413 | word32 oidSz; |
wolfSSL | 15:117db924cf7c | 12414 | word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB]; |
wolfSSL | 15:117db924cf7c | 12415 | int ret; |
wolfSSL | 15:117db924cf7c | 12416 | |
wolfSSL | 16:8e0d178b1d1e | 12417 | const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 }; |
wolfSSL | 16:8e0d178b1d1e | 12418 | const byte oid_oid[] = { 0x06 }; |
wolfSSL | 15:117db924cf7c | 12419 | |
wolfSSL | 15:117db924cf7c | 12420 | if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB) |
wolfSSL | 15:117db924cf7c | 12421 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12422 | |
wolfSSL | 15:117db924cf7c | 12423 | for (i = 0; i < nb_certpol; i++) { |
wolfSSL | 15:117db924cf7c | 12424 | oidSz = sizeof(oid); |
wolfSSL | 15:117db924cf7c | 12425 | XMEMSET(oid, 0, oidSz); |
wolfSSL | 15:117db924cf7c | 12426 | |
wolfSSL | 15:117db924cf7c | 12427 | ret = EncodePolicyOID(oid, &oidSz, input[i], heap); |
wolfSSL | 15:117db924cf7c | 12428 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 12429 | return ret; |
wolfSSL | 15:117db924cf7c | 12430 | |
wolfSSL | 15:117db924cf7c | 12431 | /* compute sequence value for the oid */ |
wolfSSL | 15:117db924cf7c | 12432 | ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid, |
wolfSSL | 15:117db924cf7c | 12433 | sizeof(oid_oid), oid, oidSz); |
wolfSSL | 15:117db924cf7c | 12434 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 12435 | return ret; |
wolfSSL | 15:117db924cf7c | 12436 | else |
wolfSSL | 15:117db924cf7c | 12437 | der_oidSz[i] = (word32)ret; |
wolfSSL | 15:117db924cf7c | 12438 | } |
wolfSSL | 15:117db924cf7c | 12439 | |
wolfSSL | 15:117db924cf7c | 12440 | /* concatenate oid, keep two byte for sequence/size of the created value */ |
wolfSSL | 15:117db924cf7c | 12441 | for (i = 0, outSz = 2; i < nb_certpol; i++) { |
wolfSSL | 15:117db924cf7c | 12442 | XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]); |
wolfSSL | 15:117db924cf7c | 12443 | outSz += der_oidSz[i]; |
wolfSSL | 15:117db924cf7c | 12444 | } |
wolfSSL | 15:117db924cf7c | 12445 | |
wolfSSL | 15:117db924cf7c | 12446 | /* add sequence */ |
wolfSSL | 15:117db924cf7c | 12447 | ret = SetSequence(outSz-2, out); |
wolfSSL | 15:117db924cf7c | 12448 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 12449 | return ret; |
wolfSSL | 15:117db924cf7c | 12450 | |
wolfSSL | 15:117db924cf7c | 12451 | /* add Policy OID to compute final value */ |
wolfSSL | 15:117db924cf7c | 12452 | return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid), |
wolfSSL | 15:117db924cf7c | 12453 | out, outSz); |
wolfSSL | 15:117db924cf7c | 12454 | } |
wolfSSL | 15:117db924cf7c | 12455 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 12456 | |
wolfSSL | 16:8e0d178b1d1e | 12457 | |
wolfSSL | 15:117db924cf7c | 12458 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 16:8e0d178b1d1e | 12459 | |
wolfSSL | 15:117db924cf7c | 12460 | /* encode Alternative Names, return total bytes written */ |
wolfSSL | 16:8e0d178b1d1e | 12461 | static int SetAltNames(byte *output, word32 outSz, |
wolfSSL | 16:8e0d178b1d1e | 12462 | const byte *input, word32 length) |
wolfSSL | 16:8e0d178b1d1e | 12463 | { |
wolfSSL | 16:8e0d178b1d1e | 12464 | byte san_len[1 + MAX_LENGTH_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 12465 | int idx = 0, san_lenSz; |
wolfSSL | 16:8e0d178b1d1e | 12466 | const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; |
wolfSSL | 16:8e0d178b1d1e | 12467 | |
wolfSSL | 16:8e0d178b1d1e | 12468 | if (output == NULL || input == NULL) |
wolfSSL | 15:117db924cf7c | 12469 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12470 | |
wolfSSL | 15:117db924cf7c | 12471 | if (outSz < length) |
wolfSSL | 15:117db924cf7c | 12472 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12473 | |
wolfSSL | 16:8e0d178b1d1e | 12474 | /* Octet String header */ |
wolfSSL | 16:8e0d178b1d1e | 12475 | san_lenSz = SetOctetString(length, san_len); |
wolfSSL | 16:8e0d178b1d1e | 12476 | |
wolfSSL | 16:8e0d178b1d1e | 12477 | if (outSz < MAX_SEQ_SZ) |
wolfSSL | 16:8e0d178b1d1e | 12478 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 12479 | |
wolfSSL | 16:8e0d178b1d1e | 12480 | idx = SetSequence(length + sizeof(san_oid) + san_lenSz, output); |
wolfSSL | 16:8e0d178b1d1e | 12481 | |
wolfSSL | 16:8e0d178b1d1e | 12482 | if ((length + sizeof(san_oid) + san_lenSz) > outSz) |
wolfSSL | 16:8e0d178b1d1e | 12483 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 12484 | |
wolfSSL | 16:8e0d178b1d1e | 12485 | /* put oid */ |
wolfSSL | 16:8e0d178b1d1e | 12486 | XMEMCPY(output+idx, san_oid, sizeof(san_oid)); |
wolfSSL | 16:8e0d178b1d1e | 12487 | idx += sizeof(san_oid); |
wolfSSL | 16:8e0d178b1d1e | 12488 | |
wolfSSL | 16:8e0d178b1d1e | 12489 | /* put octet header */ |
wolfSSL | 16:8e0d178b1d1e | 12490 | XMEMCPY(output+idx, san_len, san_lenSz); |
wolfSSL | 16:8e0d178b1d1e | 12491 | idx += san_lenSz; |
wolfSSL | 16:8e0d178b1d1e | 12492 | |
wolfSSL | 16:8e0d178b1d1e | 12493 | /* put value */ |
wolfSSL | 16:8e0d178b1d1e | 12494 | XMEMCPY(output+idx, input, length); |
wolfSSL | 16:8e0d178b1d1e | 12495 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 12496 | |
wolfSSL | 16:8e0d178b1d1e | 12497 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 12498 | } |
wolfSSL | 16:8e0d178b1d1e | 12499 | |
wolfSSL | 16:8e0d178b1d1e | 12500 | |
wolfSSL | 16:8e0d178b1d1e | 12501 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 16:8e0d178b1d1e | 12502 | |
wolfSSL | 16:8e0d178b1d1e | 12503 | int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names) |
wolfSSL | 16:8e0d178b1d1e | 12504 | { |
wolfSSL | 16:8e0d178b1d1e | 12505 | word32 idx; |
wolfSSL | 16:8e0d178b1d1e | 12506 | const DNS_entry* curName; |
wolfSSL | 16:8e0d178b1d1e | 12507 | word32 namesSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 12508 | |
wolfSSL | 16:8e0d178b1d1e | 12509 | if (output == NULL) |
wolfSSL | 16:8e0d178b1d1e | 12510 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 12511 | |
wolfSSL | 16:8e0d178b1d1e | 12512 | if (names == NULL) |
wolfSSL | 16:8e0d178b1d1e | 12513 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 12514 | |
wolfSSL | 16:8e0d178b1d1e | 12515 | curName = names; |
wolfSSL | 16:8e0d178b1d1e | 12516 | do { |
wolfSSL | 16:8e0d178b1d1e | 12517 | namesSz += curName->len + 2 + |
wolfSSL | 16:8e0d178b1d1e | 12518 | ((curName->len < ASN_LONG_LENGTH) ? 0 |
wolfSSL | 16:8e0d178b1d1e | 12519 | : BytePrecision(curName->len)); |
wolfSSL | 16:8e0d178b1d1e | 12520 | curName = curName->next; |
wolfSSL | 16:8e0d178b1d1e | 12521 | } while (curName != NULL); |
wolfSSL | 16:8e0d178b1d1e | 12522 | |
wolfSSL | 16:8e0d178b1d1e | 12523 | if (outputSz < MAX_SEQ_SZ + namesSz) |
wolfSSL | 16:8e0d178b1d1e | 12524 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 12525 | |
wolfSSL | 16:8e0d178b1d1e | 12526 | idx = SetSequence(namesSz, output); |
wolfSSL | 16:8e0d178b1d1e | 12527 | |
wolfSSL | 16:8e0d178b1d1e | 12528 | curName = names; |
wolfSSL | 16:8e0d178b1d1e | 12529 | do { |
wolfSSL | 16:8e0d178b1d1e | 12530 | output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type; |
wolfSSL | 16:8e0d178b1d1e | 12531 | idx += SetLength(curName->len, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 12532 | XMEMCPY(output + idx, curName->name, curName->len); |
wolfSSL | 16:8e0d178b1d1e | 12533 | idx += curName->len; |
wolfSSL | 16:8e0d178b1d1e | 12534 | curName = curName->next; |
wolfSSL | 16:8e0d178b1d1e | 12535 | } while (curName != NULL); |
wolfSSL | 16:8e0d178b1d1e | 12536 | |
wolfSSL | 16:8e0d178b1d1e | 12537 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 12538 | } |
wolfSSL | 16:8e0d178b1d1e | 12539 | |
wolfSSL | 16:8e0d178b1d1e | 12540 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 12541 | |
wolfSSL | 16:8e0d178b1d1e | 12542 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 15:117db924cf7c | 12543 | |
wolfSSL | 15:117db924cf7c | 12544 | /* Encodes one attribute of the name (issuer/subject) |
wolfSSL | 15:117db924cf7c | 12545 | * |
wolfSSL | 15:117db924cf7c | 12546 | * name structure to hold result of encoding |
wolfSSL | 15:117db924cf7c | 12547 | * nameStr value to be encoded |
wolfSSL | 15:117db924cf7c | 12548 | * nameType type of encoding i.e CTC_UTF8 |
wolfSSL | 15:117db924cf7c | 12549 | * type id of attribute i.e ASN_COMMON_NAME |
wolfSSL | 15:117db924cf7c | 12550 | * |
wolfSSL | 15:117db924cf7c | 12551 | * returns length on success |
wolfSSL | 15:117db924cf7c | 12552 | */ |
wolfSSL | 15:117db924cf7c | 12553 | static int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, |
wolfSSL | 15:117db924cf7c | 12554 | byte type) |
wolfSSL | 15:117db924cf7c | 12555 | { |
wolfSSL | 15:117db924cf7c | 12556 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 12557 | |
wolfSSL | 15:117db924cf7c | 12558 | if (nameStr) { |
wolfSSL | 15:117db924cf7c | 12559 | /* bottom up */ |
wolfSSL | 15:117db924cf7c | 12560 | byte firstLen[1 + MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 12561 | byte secondLen[MAX_LENGTH_SZ]; |
wolfSSL | 15:117db924cf7c | 12562 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 12563 | byte set[MAX_SET_SZ]; |
wolfSSL | 15:117db924cf7c | 12564 | |
wolfSSL | 15:117db924cf7c | 12565 | int strLen = (int)XSTRLEN(nameStr); |
wolfSSL | 15:117db924cf7c | 12566 | int thisLen = strLen; |
wolfSSL | 15:117db924cf7c | 12567 | int firstSz, secondSz, seqSz, setSz; |
wolfSSL | 15:117db924cf7c | 12568 | |
wolfSSL | 15:117db924cf7c | 12569 | if (strLen == 0) { /* no user data for this item */ |
wolfSSL | 15:117db924cf7c | 12570 | name->used = 0; |
wolfSSL | 15:117db924cf7c | 12571 | return 0; |
wolfSSL | 15:117db924cf7c | 12572 | } |
wolfSSL | 15:117db924cf7c | 12573 | |
wolfSSL | 15:117db924cf7c | 12574 | /* Restrict country code size */ |
wolfSSL | 15:117db924cf7c | 12575 | if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) { |
wolfSSL | 15:117db924cf7c | 12576 | return ASN_COUNTRY_SIZE_E; |
wolfSSL | 15:117db924cf7c | 12577 | } |
wolfSSL | 15:117db924cf7c | 12578 | |
wolfSSL | 15:117db924cf7c | 12579 | secondSz = SetLength(strLen, secondLen); |
wolfSSL | 15:117db924cf7c | 12580 | thisLen += secondSz; |
wolfSSL | 15:117db924cf7c | 12581 | switch (type) { |
wolfSSL | 15:117db924cf7c | 12582 | case ASN_EMAIL_NAME: /* email */ |
wolfSSL | 15:117db924cf7c | 12583 | thisLen += EMAIL_JOINT_LEN; |
wolfSSL | 15:117db924cf7c | 12584 | firstSz = EMAIL_JOINT_LEN; |
wolfSSL | 15:117db924cf7c | 12585 | break; |
wolfSSL | 15:117db924cf7c | 12586 | |
wolfSSL | 15:117db924cf7c | 12587 | case ASN_DOMAIN_COMPONENT: |
wolfSSL | 15:117db924cf7c | 12588 | thisLen += PILOT_JOINT_LEN; |
wolfSSL | 15:117db924cf7c | 12589 | firstSz = PILOT_JOINT_LEN; |
wolfSSL | 15:117db924cf7c | 12590 | break; |
wolfSSL | 15:117db924cf7c | 12591 | |
wolfSSL | 15:117db924cf7c | 12592 | default: |
wolfSSL | 15:117db924cf7c | 12593 | thisLen++; /* str type */ |
wolfSSL | 15:117db924cf7c | 12594 | thisLen += JOINT_LEN; |
wolfSSL | 15:117db924cf7c | 12595 | firstSz = JOINT_LEN + 1; |
wolfSSL | 15:117db924cf7c | 12596 | } |
wolfSSL | 15:117db924cf7c | 12597 | thisLen++; /* id type */ |
wolfSSL | 15:117db924cf7c | 12598 | firstSz = SetObjectId(firstSz, firstLen); |
wolfSSL | 15:117db924cf7c | 12599 | thisLen += firstSz; |
wolfSSL | 15:117db924cf7c | 12600 | |
wolfSSL | 15:117db924cf7c | 12601 | seqSz = SetSequence(thisLen, sequence); |
wolfSSL | 15:117db924cf7c | 12602 | thisLen += seqSz; |
wolfSSL | 15:117db924cf7c | 12603 | setSz = SetSet(thisLen, set); |
wolfSSL | 15:117db924cf7c | 12604 | thisLen += setSz; |
wolfSSL | 15:117db924cf7c | 12605 | |
wolfSSL | 15:117db924cf7c | 12606 | if (thisLen > (int)sizeof(name->encoded)) { |
wolfSSL | 15:117db924cf7c | 12607 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12608 | } |
wolfSSL | 15:117db924cf7c | 12609 | |
wolfSSL | 15:117db924cf7c | 12610 | /* store it */ |
wolfSSL | 15:117db924cf7c | 12611 | idx = 0; |
wolfSSL | 15:117db924cf7c | 12612 | /* set */ |
wolfSSL | 15:117db924cf7c | 12613 | XMEMCPY(name->encoded, set, setSz); |
wolfSSL | 15:117db924cf7c | 12614 | idx += setSz; |
wolfSSL | 15:117db924cf7c | 12615 | /* seq */ |
wolfSSL | 15:117db924cf7c | 12616 | XMEMCPY(name->encoded + idx, sequence, seqSz); |
wolfSSL | 15:117db924cf7c | 12617 | idx += seqSz; |
wolfSSL | 15:117db924cf7c | 12618 | /* asn object id */ |
wolfSSL | 15:117db924cf7c | 12619 | XMEMCPY(name->encoded + idx, firstLen, firstSz); |
wolfSSL | 15:117db924cf7c | 12620 | idx += firstSz; |
wolfSSL | 15:117db924cf7c | 12621 | switch (type) { |
wolfSSL | 15:117db924cf7c | 12622 | case ASN_EMAIL_NAME: |
wolfSSL | 15:117db924cf7c | 12623 | { |
wolfSSL | 15:117db924cf7c | 12624 | const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 15:117db924cf7c | 12625 | 0x01, 0x09, 0x01, 0x16 }; |
wolfSSL | 15:117db924cf7c | 12626 | /* email joint id */ |
wolfSSL | 15:117db924cf7c | 12627 | XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); |
wolfSSL | 15:117db924cf7c | 12628 | idx += (int)sizeof(EMAIL_OID); |
wolfSSL | 15:117db924cf7c | 12629 | } |
wolfSSL | 15:117db924cf7c | 12630 | break; |
wolfSSL | 15:117db924cf7c | 12631 | |
wolfSSL | 15:117db924cf7c | 12632 | case ASN_DOMAIN_COMPONENT: |
wolfSSL | 15:117db924cf7c | 12633 | { |
wolfSSL | 15:117db924cf7c | 12634 | const byte PILOT_OID[] = { 0x09, 0x92, 0x26, 0x89, |
wolfSSL | 15:117db924cf7c | 12635 | 0x93, 0xF2, 0x2C, 0x64, 0x01 |
wolfSSL | 15:117db924cf7c | 12636 | }; |
wolfSSL | 15:117db924cf7c | 12637 | |
wolfSSL | 15:117db924cf7c | 12638 | XMEMCPY(name->encoded + idx, PILOT_OID, |
wolfSSL | 15:117db924cf7c | 12639 | sizeof(PILOT_OID)); |
wolfSSL | 15:117db924cf7c | 12640 | idx += (int)sizeof(PILOT_OID); |
wolfSSL | 15:117db924cf7c | 12641 | /* id type */ |
wolfSSL | 15:117db924cf7c | 12642 | name->encoded[idx++] = type; |
wolfSSL | 15:117db924cf7c | 12643 | /* str type */ |
wolfSSL | 15:117db924cf7c | 12644 | name->encoded[idx++] = nameType; |
wolfSSL | 15:117db924cf7c | 12645 | } |
wolfSSL | 15:117db924cf7c | 12646 | break; |
wolfSSL | 15:117db924cf7c | 12647 | |
wolfSSL | 15:117db924cf7c | 12648 | default: |
wolfSSL | 15:117db924cf7c | 12649 | name->encoded[idx++] = 0x55; |
wolfSSL | 15:117db924cf7c | 12650 | name->encoded[idx++] = 0x04; |
wolfSSL | 15:117db924cf7c | 12651 | /* id type */ |
wolfSSL | 15:117db924cf7c | 12652 | name->encoded[idx++] = type; |
wolfSSL | 15:117db924cf7c | 12653 | /* str type */ |
wolfSSL | 15:117db924cf7c | 12654 | name->encoded[idx++] = nameType; |
wolfSSL | 15:117db924cf7c | 12655 | } |
wolfSSL | 15:117db924cf7c | 12656 | /* second length */ |
wolfSSL | 15:117db924cf7c | 12657 | XMEMCPY(name->encoded + idx, secondLen, secondSz); |
wolfSSL | 15:117db924cf7c | 12658 | idx += secondSz; |
wolfSSL | 15:117db924cf7c | 12659 | /* str value */ |
wolfSSL | 15:117db924cf7c | 12660 | XMEMCPY(name->encoded + idx, nameStr, strLen); |
wolfSSL | 15:117db924cf7c | 12661 | idx += strLen; |
wolfSSL | 15:117db924cf7c | 12662 | |
wolfSSL | 15:117db924cf7c | 12663 | name->type = type; |
wolfSSL | 15:117db924cf7c | 12664 | name->totalLen = idx; |
wolfSSL | 15:117db924cf7c | 12665 | name->used = 1; |
wolfSSL | 15:117db924cf7c | 12666 | } |
wolfSSL | 15:117db924cf7c | 12667 | else |
wolfSSL | 15:117db924cf7c | 12668 | name->used = 0; |
wolfSSL | 15:117db924cf7c | 12669 | |
wolfSSL | 15:117db924cf7c | 12670 | return idx; |
wolfSSL | 15:117db924cf7c | 12671 | } |
wolfSSL | 15:117db924cf7c | 12672 | |
wolfSSL | 15:117db924cf7c | 12673 | /* encode CertName into output, return total bytes written */ |
wolfSSL | 15:117db924cf7c | 12674 | int SetName(byte* output, word32 outputSz, CertName* name) |
wolfSSL | 15:117db924cf7c | 12675 | { |
wolfSSL | 15:117db924cf7c | 12676 | int totalBytes = 0, i, idx; |
wolfSSL | 15:117db924cf7c | 12677 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12678 | EncodedName* names = NULL; |
wolfSSL | 15:117db924cf7c | 12679 | #else |
wolfSSL | 15:117db924cf7c | 12680 | EncodedName names[NAME_ENTRIES]; |
wolfSSL | 15:117db924cf7c | 12681 | #endif |
wolfSSL | 15:117db924cf7c | 12682 | #ifdef WOLFSSL_MULTI_ATTRIB |
wolfSSL | 15:117db924cf7c | 12683 | EncodedName addNames[CTC_MAX_ATTRIB]; |
wolfSSL | 15:117db924cf7c | 12684 | int j, type; |
wolfSSL | 15:117db924cf7c | 12685 | #endif |
wolfSSL | 15:117db924cf7c | 12686 | |
wolfSSL | 15:117db924cf7c | 12687 | if (output == NULL || name == NULL) |
wolfSSL | 15:117db924cf7c | 12688 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12689 | |
wolfSSL | 15:117db924cf7c | 12690 | if (outputSz < 3) |
wolfSSL | 15:117db924cf7c | 12691 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12692 | |
wolfSSL | 15:117db924cf7c | 12693 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12694 | names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL, |
wolfSSL | 15:117db924cf7c | 12695 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12696 | if (names == NULL) |
wolfSSL | 15:117db924cf7c | 12697 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 12698 | #endif |
wolfSSL | 15:117db924cf7c | 12699 | |
wolfSSL | 15:117db924cf7c | 12700 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 15:117db924cf7c | 12701 | int ret; |
wolfSSL | 15:117db924cf7c | 12702 | const char* nameStr = GetOneName(name, i); |
wolfSSL | 15:117db924cf7c | 12703 | |
wolfSSL | 15:117db924cf7c | 12704 | ret = wc_EncodeName(&names[i], nameStr, GetNameType(name, i), |
wolfSSL | 15:117db924cf7c | 12705 | GetNameId(i)); |
wolfSSL | 15:117db924cf7c | 12706 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 12707 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12708 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12709 | #endif |
wolfSSL | 15:117db924cf7c | 12710 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12711 | } |
wolfSSL | 15:117db924cf7c | 12712 | totalBytes += ret; |
wolfSSL | 15:117db924cf7c | 12713 | } |
wolfSSL | 15:117db924cf7c | 12714 | #ifdef WOLFSSL_MULTI_ATTRIB |
wolfSSL | 15:117db924cf7c | 12715 | for (i = 0; i < CTC_MAX_ATTRIB; i++) { |
wolfSSL | 15:117db924cf7c | 12716 | if (name->name[i].sz > 0) { |
wolfSSL | 15:117db924cf7c | 12717 | int ret; |
wolfSSL | 15:117db924cf7c | 12718 | ret = wc_EncodeName(&addNames[i], name->name[i].value, |
wolfSSL | 15:117db924cf7c | 12719 | name->name[i].type, name->name[i].id); |
wolfSSL | 15:117db924cf7c | 12720 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 12721 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12722 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12723 | #endif |
wolfSSL | 15:117db924cf7c | 12724 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12725 | } |
wolfSSL | 15:117db924cf7c | 12726 | totalBytes += ret; |
wolfSSL | 15:117db924cf7c | 12727 | } |
wolfSSL | 15:117db924cf7c | 12728 | else { |
wolfSSL | 15:117db924cf7c | 12729 | addNames[i].used = 0; |
wolfSSL | 15:117db924cf7c | 12730 | } |
wolfSSL | 15:117db924cf7c | 12731 | } |
wolfSSL | 15:117db924cf7c | 12732 | #endif /* WOLFSSL_MULTI_ATTRIB */ |
wolfSSL | 15:117db924cf7c | 12733 | |
wolfSSL | 15:117db924cf7c | 12734 | /* header */ |
wolfSSL | 15:117db924cf7c | 12735 | idx = SetSequence(totalBytes, output); |
wolfSSL | 15:117db924cf7c | 12736 | totalBytes += idx; |
wolfSSL | 15:117db924cf7c | 12737 | if (totalBytes > ASN_NAME_MAX) { |
wolfSSL | 15:117db924cf7c | 12738 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12739 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12740 | #endif |
wolfSSL | 15:117db924cf7c | 12741 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12742 | } |
wolfSSL | 15:117db924cf7c | 12743 | |
wolfSSL | 15:117db924cf7c | 12744 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 15:117db924cf7c | 12745 | #ifdef WOLFSSL_MULTI_ATTRIB |
wolfSSL | 15:117db924cf7c | 12746 | type = GetNameId(i); |
wolfSSL | 15:117db924cf7c | 12747 | |
wolfSSL | 15:117db924cf7c | 12748 | /* list all DC values before OUs */ |
wolfSSL | 15:117db924cf7c | 12749 | if (type == ASN_ORGUNIT_NAME) { |
wolfSSL | 15:117db924cf7c | 12750 | type = ASN_DOMAIN_COMPONENT; |
wolfSSL | 15:117db924cf7c | 12751 | for (j = 0; j < CTC_MAX_ATTRIB; j++) { |
wolfSSL | 15:117db924cf7c | 12752 | if (name->name[j].sz > 0 && type == name->name[j].id) { |
wolfSSL | 15:117db924cf7c | 12753 | if (outputSz < (word32)(idx+addNames[j].totalLen)) { |
wolfSSL | 15:117db924cf7c | 12754 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12755 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12756 | #endif |
wolfSSL | 15:117db924cf7c | 12757 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12758 | } |
wolfSSL | 15:117db924cf7c | 12759 | |
wolfSSL | 15:117db924cf7c | 12760 | XMEMCPY(output + idx, addNames[j].encoded, |
wolfSSL | 15:117db924cf7c | 12761 | addNames[j].totalLen); |
wolfSSL | 15:117db924cf7c | 12762 | idx += addNames[j].totalLen; |
wolfSSL | 15:117db924cf7c | 12763 | } |
wolfSSL | 15:117db924cf7c | 12764 | } |
wolfSSL | 15:117db924cf7c | 12765 | type = ASN_ORGUNIT_NAME; |
wolfSSL | 15:117db924cf7c | 12766 | } |
wolfSSL | 15:117db924cf7c | 12767 | |
wolfSSL | 15:117db924cf7c | 12768 | /* write all similar types to the buffer */ |
wolfSSL | 15:117db924cf7c | 12769 | for (j = 0; j < CTC_MAX_ATTRIB; j++) { |
wolfSSL | 15:117db924cf7c | 12770 | if (name->name[j].sz > 0 && type == name->name[j].id) { |
wolfSSL | 15:117db924cf7c | 12771 | if (outputSz < (word32)(idx+addNames[j].totalLen)) { |
wolfSSL | 15:117db924cf7c | 12772 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12773 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12774 | #endif |
wolfSSL | 15:117db924cf7c | 12775 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12776 | } |
wolfSSL | 15:117db924cf7c | 12777 | |
wolfSSL | 15:117db924cf7c | 12778 | XMEMCPY(output + idx, addNames[j].encoded, |
wolfSSL | 15:117db924cf7c | 12779 | addNames[j].totalLen); |
wolfSSL | 15:117db924cf7c | 12780 | idx += addNames[j].totalLen; |
wolfSSL | 15:117db924cf7c | 12781 | } |
wolfSSL | 15:117db924cf7c | 12782 | } |
wolfSSL | 15:117db924cf7c | 12783 | #endif /* WOLFSSL_MULTI_ATTRIB */ |
wolfSSL | 15:117db924cf7c | 12784 | |
wolfSSL | 15:117db924cf7c | 12785 | if (names[i].used) { |
wolfSSL | 15:117db924cf7c | 12786 | if (outputSz < (word32)(idx+names[i].totalLen)) { |
wolfSSL | 15:117db924cf7c | 12787 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12788 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12789 | #endif |
wolfSSL | 15:117db924cf7c | 12790 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 12791 | } |
wolfSSL | 15:117db924cf7c | 12792 | |
wolfSSL | 15:117db924cf7c | 12793 | XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); |
wolfSSL | 15:117db924cf7c | 12794 | idx += names[i].totalLen; |
wolfSSL | 15:117db924cf7c | 12795 | } |
wolfSSL | 15:117db924cf7c | 12796 | } |
wolfSSL | 15:117db924cf7c | 12797 | |
wolfSSL | 15:117db924cf7c | 12798 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 12799 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 12800 | #endif |
wolfSSL | 15:117db924cf7c | 12801 | |
wolfSSL | 15:117db924cf7c | 12802 | return totalBytes; |
wolfSSL | 15:117db924cf7c | 12803 | } |
wolfSSL | 15:117db924cf7c | 12804 | |
wolfSSL | 15:117db924cf7c | 12805 | /* encode info from cert into DER encoded format */ |
wolfSSL | 15:117db924cf7c | 12806 | static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 15:117db924cf7c | 12807 | WC_RNG* rng, const byte* ntruKey, word16 ntruSz, |
wolfSSL | 16:8e0d178b1d1e | 12808 | ed25519_key* ed25519Key, ed448_key* ed448Key) |
wolfSSL | 15:117db924cf7c | 12809 | { |
wolfSSL | 15:117db924cf7c | 12810 | int ret; |
wolfSSL | 15:117db924cf7c | 12811 | |
wolfSSL | 15:117db924cf7c | 12812 | if (cert == NULL || der == NULL || rng == NULL) |
wolfSSL | 15:117db924cf7c | 12813 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 12814 | |
wolfSSL | 15:117db924cf7c | 12815 | /* make sure at least one key type is provided */ |
wolfSSL | 16:8e0d178b1d1e | 12816 | if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && |
wolfSSL | 16:8e0d178b1d1e | 12817 | ed448Key == NULL && ntruKey == NULL) { |
wolfSSL | 15:117db924cf7c | 12818 | return PUBLIC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 12819 | } |
wolfSSL | 15:117db924cf7c | 12820 | |
wolfSSL | 15:117db924cf7c | 12821 | /* init */ |
wolfSSL | 15:117db924cf7c | 12822 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 15:117db924cf7c | 12823 | |
wolfSSL | 15:117db924cf7c | 12824 | /* version */ |
wolfSSL | 15:117db924cf7c | 12825 | der->versionSz = SetMyVersion(cert->version, der->version, TRUE); |
wolfSSL | 15:117db924cf7c | 12826 | |
wolfSSL | 15:117db924cf7c | 12827 | /* serial number (must be positive) */ |
wolfSSL | 15:117db924cf7c | 12828 | if (cert->serialSz == 0) { |
wolfSSL | 15:117db924cf7c | 12829 | /* generate random serial */ |
wolfSSL | 16:8e0d178b1d1e | 12830 | cert->serialSz = CTC_GEN_SERIAL_SZ; |
wolfSSL | 15:117db924cf7c | 12831 | ret = wc_RNG_GenerateBlock(rng, cert->serial, cert->serialSz); |
wolfSSL | 15:117db924cf7c | 12832 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 12833 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 12834 | /* Clear the top bit to avoid a negative value */ |
wolfSSL | 16:8e0d178b1d1e | 12835 | cert->serial[0] &= 0x7f; |
wolfSSL | 15:117db924cf7c | 12836 | } |
wolfSSL | 15:117db924cf7c | 12837 | der->serialSz = SetSerialNumber(cert->serial, cert->serialSz, der->serial, |
wolfSSL | 16:8e0d178b1d1e | 12838 | sizeof(der->serial), CTC_SERIAL_SIZE); |
wolfSSL | 15:117db924cf7c | 12839 | if (der->serialSz < 0) |
wolfSSL | 15:117db924cf7c | 12840 | return der->serialSz; |
wolfSSL | 15:117db924cf7c | 12841 | |
wolfSSL | 15:117db924cf7c | 12842 | /* signature algo */ |
wolfSSL | 15:117db924cf7c | 12843 | der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, oidSigType, 0); |
wolfSSL | 15:117db924cf7c | 12844 | if (der->sigAlgoSz <= 0) |
wolfSSL | 15:117db924cf7c | 12845 | return ALGO_ID_E; |
wolfSSL | 15:117db924cf7c | 12846 | |
wolfSSL | 15:117db924cf7c | 12847 | /* public key */ |
wolfSSL | 15:117db924cf7c | 12848 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 12849 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 15:117db924cf7c | 12850 | if (rsaKey == NULL) |
wolfSSL | 15:117db924cf7c | 12851 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12852 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 15:117db924cf7c | 12853 | sizeof(der->publicKey), 1); |
wolfSSL | 15:117db924cf7c | 12854 | } |
wolfSSL | 15:117db924cf7c | 12855 | #endif |
wolfSSL | 15:117db924cf7c | 12856 | |
wolfSSL | 15:117db924cf7c | 12857 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 12858 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 15:117db924cf7c | 12859 | if (eccKey == NULL) |
wolfSSL | 15:117db924cf7c | 12860 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12861 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 15:117db924cf7c | 12862 | } |
wolfSSL | 15:117db924cf7c | 12863 | #endif |
wolfSSL | 15:117db924cf7c | 12864 | |
wolfSSL | 15:117db924cf7c | 12865 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 12866 | if (cert->keyType == ED25519_KEY) { |
wolfSSL | 15:117db924cf7c | 12867 | if (ed25519Key == NULL) |
wolfSSL | 15:117db924cf7c | 12868 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12869 | der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); |
wolfSSL | 15:117db924cf7c | 12870 | } |
wolfSSL | 15:117db924cf7c | 12871 | #endif |
wolfSSL | 15:117db924cf7c | 12872 | |
wolfSSL | 16:8e0d178b1d1e | 12873 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 12874 | if (cert->keyType == ED448_KEY) { |
wolfSSL | 16:8e0d178b1d1e | 12875 | if (ed448Key == NULL) |
wolfSSL | 16:8e0d178b1d1e | 12876 | return PUBLIC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 12877 | der->publicKeySz = SetEd448PublicKey(der->publicKey, ed448Key, 1); |
wolfSSL | 16:8e0d178b1d1e | 12878 | } |
wolfSSL | 16:8e0d178b1d1e | 12879 | #endif |
wolfSSL | 16:8e0d178b1d1e | 12880 | |
wolfSSL | 15:117db924cf7c | 12881 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 12882 | if (cert->keyType == NTRU_KEY) { |
wolfSSL | 15:117db924cf7c | 12883 | word32 rc; |
wolfSSL | 15:117db924cf7c | 12884 | word16 encodedSz; |
wolfSSL | 15:117db924cf7c | 12885 | |
wolfSSL | 15:117db924cf7c | 12886 | if (ntruKey == NULL) |
wolfSSL | 15:117db924cf7c | 12887 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12888 | |
wolfSSL | 15:117db924cf7c | 12889 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, |
wolfSSL | 15:117db924cf7c | 12890 | ntruKey, &encodedSz, NULL); |
wolfSSL | 15:117db924cf7c | 12891 | if (rc != NTRU_OK) |
wolfSSL | 15:117db924cf7c | 12892 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12893 | if (encodedSz > MAX_PUBLIC_KEY_SZ) |
wolfSSL | 15:117db924cf7c | 12894 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12895 | |
wolfSSL | 15:117db924cf7c | 12896 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, |
wolfSSL | 15:117db924cf7c | 12897 | ntruKey, &encodedSz, der->publicKey); |
wolfSSL | 15:117db924cf7c | 12898 | if (rc != NTRU_OK) |
wolfSSL | 15:117db924cf7c | 12899 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12900 | |
wolfSSL | 15:117db924cf7c | 12901 | der->publicKeySz = encodedSz; |
wolfSSL | 15:117db924cf7c | 12902 | } |
wolfSSL | 15:117db924cf7c | 12903 | #else |
wolfSSL | 15:117db924cf7c | 12904 | (void)ntruSz; |
wolfSSL | 15:117db924cf7c | 12905 | #endif /* HAVE_NTRU */ |
wolfSSL | 15:117db924cf7c | 12906 | |
wolfSSL | 15:117db924cf7c | 12907 | if (der->publicKeySz <= 0) |
wolfSSL | 15:117db924cf7c | 12908 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 12909 | |
wolfSSL | 15:117db924cf7c | 12910 | der->validitySz = 0; |
wolfSSL | 15:117db924cf7c | 12911 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 12912 | /* date validity copy ? */ |
wolfSSL | 15:117db924cf7c | 12913 | if (cert->beforeDateSz && cert->afterDateSz) { |
wolfSSL | 15:117db924cf7c | 12914 | der->validitySz = CopyValidity(der->validity, cert); |
wolfSSL | 15:117db924cf7c | 12915 | if (der->validitySz <= 0) |
wolfSSL | 15:117db924cf7c | 12916 | return DATE_E; |
wolfSSL | 15:117db924cf7c | 12917 | } |
wolfSSL | 15:117db924cf7c | 12918 | #endif |
wolfSSL | 15:117db924cf7c | 12919 | |
wolfSSL | 15:117db924cf7c | 12920 | /* date validity */ |
wolfSSL | 15:117db924cf7c | 12921 | if (der->validitySz == 0) { |
wolfSSL | 15:117db924cf7c | 12922 | der->validitySz = SetValidity(der->validity, cert->daysValid); |
wolfSSL | 15:117db924cf7c | 12923 | if (der->validitySz <= 0) |
wolfSSL | 15:117db924cf7c | 12924 | return DATE_E; |
wolfSSL | 15:117db924cf7c | 12925 | } |
wolfSSL | 15:117db924cf7c | 12926 | |
wolfSSL | 15:117db924cf7c | 12927 | /* subject name */ |
wolfSSL | 16:8e0d178b1d1e | 12928 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 12929 | if (XSTRLEN((const char*)cert->sbjRaw) > 0) { |
wolfSSL | 16:8e0d178b1d1e | 12930 | /* Use the raw subject */ |
wolfSSL | 16:8e0d178b1d1e | 12931 | int idx; |
wolfSSL | 16:8e0d178b1d1e | 12932 | |
wolfSSL | 16:8e0d178b1d1e | 12933 | der->subjectSz = min(sizeof(der->subject), |
wolfSSL | 16:8e0d178b1d1e | 12934 | (word32)XSTRLEN((const char*)cert->sbjRaw)); |
wolfSSL | 16:8e0d178b1d1e | 12935 | /* header */ |
wolfSSL | 16:8e0d178b1d1e | 12936 | idx = SetSequence(der->subjectSz, der->subject); |
wolfSSL | 16:8e0d178b1d1e | 12937 | if (der->subjectSz + idx > (int)sizeof(der->subject)) { |
wolfSSL | 16:8e0d178b1d1e | 12938 | return SUBJECT_E; |
wolfSSL | 16:8e0d178b1d1e | 12939 | } |
wolfSSL | 16:8e0d178b1d1e | 12940 | |
wolfSSL | 16:8e0d178b1d1e | 12941 | XMEMCPY((char*)der->subject + idx, (const char*)cert->sbjRaw, |
wolfSSL | 16:8e0d178b1d1e | 12942 | der->subjectSz); |
wolfSSL | 16:8e0d178b1d1e | 12943 | der->subjectSz += idx; |
wolfSSL | 16:8e0d178b1d1e | 12944 | } |
wolfSSL | 16:8e0d178b1d1e | 12945 | else |
wolfSSL | 16:8e0d178b1d1e | 12946 | #endif |
wolfSSL | 16:8e0d178b1d1e | 12947 | { |
wolfSSL | 16:8e0d178b1d1e | 12948 | /* Use the name structure */ |
wolfSSL | 16:8e0d178b1d1e | 12949 | der->subjectSz = SetName(der->subject, sizeof(der->subject), |
wolfSSL | 16:8e0d178b1d1e | 12950 | &cert->subject); |
wolfSSL | 16:8e0d178b1d1e | 12951 | } |
wolfSSL | 15:117db924cf7c | 12952 | if (der->subjectSz <= 0) |
wolfSSL | 15:117db924cf7c | 12953 | return SUBJECT_E; |
wolfSSL | 15:117db924cf7c | 12954 | |
wolfSSL | 15:117db924cf7c | 12955 | /* issuer name */ |
wolfSSL | 16:8e0d178b1d1e | 12956 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 12957 | if (XSTRLEN((const char*)cert->issRaw) > 0) { |
wolfSSL | 16:8e0d178b1d1e | 12958 | /* Use the raw issuer */ |
wolfSSL | 16:8e0d178b1d1e | 12959 | int idx; |
wolfSSL | 16:8e0d178b1d1e | 12960 | |
wolfSSL | 16:8e0d178b1d1e | 12961 | der->issuerSz = min(sizeof(der->issuer), |
wolfSSL | 16:8e0d178b1d1e | 12962 | (word32)XSTRLEN((const char*)cert->issRaw)); |
wolfSSL | 16:8e0d178b1d1e | 12963 | /* header */ |
wolfSSL | 16:8e0d178b1d1e | 12964 | idx = SetSequence(der->issuerSz, der->issuer); |
wolfSSL | 16:8e0d178b1d1e | 12965 | if (der->issuerSz + idx > (int)sizeof(der->issuer)) { |
wolfSSL | 16:8e0d178b1d1e | 12966 | return ISSUER_E; |
wolfSSL | 16:8e0d178b1d1e | 12967 | } |
wolfSSL | 16:8e0d178b1d1e | 12968 | |
wolfSSL | 16:8e0d178b1d1e | 12969 | XMEMCPY((char*)der->issuer + idx, (const char*)cert->issRaw, |
wolfSSL | 16:8e0d178b1d1e | 12970 | der->issuerSz); |
wolfSSL | 16:8e0d178b1d1e | 12971 | der->issuerSz += idx; |
wolfSSL | 16:8e0d178b1d1e | 12972 | } |
wolfSSL | 16:8e0d178b1d1e | 12973 | else |
wolfSSL | 16:8e0d178b1d1e | 12974 | #endif |
wolfSSL | 16:8e0d178b1d1e | 12975 | { |
wolfSSL | 16:8e0d178b1d1e | 12976 | /* Use the name structure */ |
wolfSSL | 16:8e0d178b1d1e | 12977 | der->issuerSz = SetName(der->issuer, sizeof(der->issuer), |
wolfSSL | 16:8e0d178b1d1e | 12978 | cert->selfSigned ? &cert->subject : &cert->issuer); |
wolfSSL | 16:8e0d178b1d1e | 12979 | } |
wolfSSL | 15:117db924cf7c | 12980 | if (der->issuerSz <= 0) |
wolfSSL | 15:117db924cf7c | 12981 | return ISSUER_E; |
wolfSSL | 15:117db924cf7c | 12982 | |
wolfSSL | 15:117db924cf7c | 12983 | /* set the extensions */ |
wolfSSL | 15:117db924cf7c | 12984 | der->extensionsSz = 0; |
wolfSSL | 15:117db924cf7c | 12985 | |
wolfSSL | 15:117db924cf7c | 12986 | /* CA */ |
wolfSSL | 15:117db924cf7c | 12987 | if (cert->isCA) { |
wolfSSL | 15:117db924cf7c | 12988 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 15:117db924cf7c | 12989 | if (der->caSz <= 0) |
wolfSSL | 15:117db924cf7c | 12990 | return CA_TRUE_E; |
wolfSSL | 15:117db924cf7c | 12991 | |
wolfSSL | 15:117db924cf7c | 12992 | der->extensionsSz += der->caSz; |
wolfSSL | 15:117db924cf7c | 12993 | } |
wolfSSL | 15:117db924cf7c | 12994 | else |
wolfSSL | 15:117db924cf7c | 12995 | der->caSz = 0; |
wolfSSL | 15:117db924cf7c | 12996 | |
wolfSSL | 15:117db924cf7c | 12997 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 12998 | /* Alternative Name */ |
wolfSSL | 15:117db924cf7c | 12999 | if (cert->altNamesSz) { |
wolfSSL | 15:117db924cf7c | 13000 | der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames), |
wolfSSL | 15:117db924cf7c | 13001 | cert->altNames, cert->altNamesSz); |
wolfSSL | 15:117db924cf7c | 13002 | if (der->altNamesSz <= 0) |
wolfSSL | 15:117db924cf7c | 13003 | return ALT_NAME_E; |
wolfSSL | 15:117db924cf7c | 13004 | |
wolfSSL | 15:117db924cf7c | 13005 | der->extensionsSz += der->altNamesSz; |
wolfSSL | 15:117db924cf7c | 13006 | } |
wolfSSL | 15:117db924cf7c | 13007 | else |
wolfSSL | 15:117db924cf7c | 13008 | der->altNamesSz = 0; |
wolfSSL | 15:117db924cf7c | 13009 | #endif |
wolfSSL | 15:117db924cf7c | 13010 | |
wolfSSL | 15:117db924cf7c | 13011 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 13012 | /* SKID */ |
wolfSSL | 15:117db924cf7c | 13013 | if (cert->skidSz) { |
wolfSSL | 15:117db924cf7c | 13014 | /* check the provided SKID size */ |
wolfSSL | 15:117db924cf7c | 13015 | if (cert->skidSz > (int)min(CTC_MAX_SKID_SIZE, sizeof(der->skid))) |
wolfSSL | 15:117db924cf7c | 13016 | return SKID_E; |
wolfSSL | 15:117db924cf7c | 13017 | |
wolfSSL | 15:117db924cf7c | 13018 | /* Note: different skid buffers sizes for der (MAX_KID_SZ) and |
wolfSSL | 15:117db924cf7c | 13019 | cert (CTC_MAX_SKID_SIZE). */ |
wolfSSL | 15:117db924cf7c | 13020 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 15:117db924cf7c | 13021 | cert->skid, cert->skidSz); |
wolfSSL | 15:117db924cf7c | 13022 | if (der->skidSz <= 0) |
wolfSSL | 15:117db924cf7c | 13023 | return SKID_E; |
wolfSSL | 15:117db924cf7c | 13024 | |
wolfSSL | 15:117db924cf7c | 13025 | der->extensionsSz += der->skidSz; |
wolfSSL | 15:117db924cf7c | 13026 | } |
wolfSSL | 15:117db924cf7c | 13027 | else |
wolfSSL | 15:117db924cf7c | 13028 | der->skidSz = 0; |
wolfSSL | 15:117db924cf7c | 13029 | |
wolfSSL | 15:117db924cf7c | 13030 | /* AKID */ |
wolfSSL | 15:117db924cf7c | 13031 | if (cert->akidSz) { |
wolfSSL | 15:117db924cf7c | 13032 | /* check the provided AKID size */ |
wolfSSL | 15:117db924cf7c | 13033 | if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) |
wolfSSL | 15:117db924cf7c | 13034 | return AKID_E; |
wolfSSL | 15:117db924cf7c | 13035 | |
wolfSSL | 15:117db924cf7c | 13036 | der->akidSz = SetAKID(der->akid, sizeof(der->akid), |
wolfSSL | 15:117db924cf7c | 13037 | cert->akid, cert->akidSz, cert->heap); |
wolfSSL | 15:117db924cf7c | 13038 | if (der->akidSz <= 0) |
wolfSSL | 15:117db924cf7c | 13039 | return AKID_E; |
wolfSSL | 15:117db924cf7c | 13040 | |
wolfSSL | 15:117db924cf7c | 13041 | der->extensionsSz += der->akidSz; |
wolfSSL | 15:117db924cf7c | 13042 | } |
wolfSSL | 15:117db924cf7c | 13043 | else |
wolfSSL | 15:117db924cf7c | 13044 | der->akidSz = 0; |
wolfSSL | 15:117db924cf7c | 13045 | |
wolfSSL | 15:117db924cf7c | 13046 | /* Key Usage */ |
wolfSSL | 15:117db924cf7c | 13047 | if (cert->keyUsage != 0){ |
wolfSSL | 15:117db924cf7c | 13048 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 15:117db924cf7c | 13049 | cert->keyUsage); |
wolfSSL | 15:117db924cf7c | 13050 | if (der->keyUsageSz <= 0) |
wolfSSL | 15:117db924cf7c | 13051 | return KEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 13052 | |
wolfSSL | 15:117db924cf7c | 13053 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 15:117db924cf7c | 13054 | } |
wolfSSL | 15:117db924cf7c | 13055 | else |
wolfSSL | 15:117db924cf7c | 13056 | der->keyUsageSz = 0; |
wolfSSL | 15:117db924cf7c | 13057 | |
wolfSSL | 15:117db924cf7c | 13058 | /* Extended Key Usage */ |
wolfSSL | 15:117db924cf7c | 13059 | if (cert->extKeyUsage != 0){ |
wolfSSL | 15:117db924cf7c | 13060 | der->extKeyUsageSz = SetExtKeyUsage(cert, der->extKeyUsage, |
wolfSSL | 15:117db924cf7c | 13061 | sizeof(der->extKeyUsage), cert->extKeyUsage); |
wolfSSL | 15:117db924cf7c | 13062 | if (der->extKeyUsageSz <= 0) |
wolfSSL | 15:117db924cf7c | 13063 | return EXTKEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 13064 | |
wolfSSL | 15:117db924cf7c | 13065 | der->extensionsSz += der->extKeyUsageSz; |
wolfSSL | 15:117db924cf7c | 13066 | } |
wolfSSL | 15:117db924cf7c | 13067 | else |
wolfSSL | 15:117db924cf7c | 13068 | der->extKeyUsageSz = 0; |
wolfSSL | 15:117db924cf7c | 13069 | |
wolfSSL | 15:117db924cf7c | 13070 | /* Certificate Policies */ |
wolfSSL | 15:117db924cf7c | 13071 | if (cert->certPoliciesNb != 0) { |
wolfSSL | 15:117db924cf7c | 13072 | der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, |
wolfSSL | 15:117db924cf7c | 13073 | sizeof(der->certPolicies), |
wolfSSL | 15:117db924cf7c | 13074 | cert->certPolicies, |
wolfSSL | 15:117db924cf7c | 13075 | cert->certPoliciesNb, |
wolfSSL | 15:117db924cf7c | 13076 | cert->heap); |
wolfSSL | 15:117db924cf7c | 13077 | if (der->certPoliciesSz <= 0) |
wolfSSL | 15:117db924cf7c | 13078 | return CERTPOLICIES_E; |
wolfSSL | 15:117db924cf7c | 13079 | |
wolfSSL | 15:117db924cf7c | 13080 | der->extensionsSz += der->certPoliciesSz; |
wolfSSL | 15:117db924cf7c | 13081 | } |
wolfSSL | 15:117db924cf7c | 13082 | else |
wolfSSL | 15:117db924cf7c | 13083 | der->certPoliciesSz = 0; |
wolfSSL | 15:117db924cf7c | 13084 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 13085 | |
wolfSSL | 15:117db924cf7c | 13086 | /* put extensions */ |
wolfSSL | 15:117db924cf7c | 13087 | if (der->extensionsSz > 0) { |
wolfSSL | 15:117db924cf7c | 13088 | |
wolfSSL | 15:117db924cf7c | 13089 | /* put the start of extensions sequence (ID, Size) */ |
wolfSSL | 15:117db924cf7c | 13090 | der->extensionsSz = SetExtensionsHeader(der->extensions, |
wolfSSL | 15:117db924cf7c | 13091 | sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13092 | der->extensionsSz); |
wolfSSL | 15:117db924cf7c | 13093 | if (der->extensionsSz <= 0) |
wolfSSL | 15:117db924cf7c | 13094 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13095 | |
wolfSSL | 15:117db924cf7c | 13096 | /* put CA */ |
wolfSSL | 15:117db924cf7c | 13097 | if (der->caSz) { |
wolfSSL | 15:117db924cf7c | 13098 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13099 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13100 | der->ca, der->caSz); |
wolfSSL | 15:117db924cf7c | 13101 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 13102 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13103 | } |
wolfSSL | 15:117db924cf7c | 13104 | |
wolfSSL | 15:117db924cf7c | 13105 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 13106 | /* put Alternative Names */ |
wolfSSL | 15:117db924cf7c | 13107 | if (der->altNamesSz) { |
wolfSSL | 15:117db924cf7c | 13108 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13109 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13110 | der->altNames, der->altNamesSz); |
wolfSSL | 15:117db924cf7c | 13111 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13112 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13113 | } |
wolfSSL | 15:117db924cf7c | 13114 | #endif |
wolfSSL | 15:117db924cf7c | 13115 | |
wolfSSL | 15:117db924cf7c | 13116 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 13117 | /* put SKID */ |
wolfSSL | 15:117db924cf7c | 13118 | if (der->skidSz) { |
wolfSSL | 15:117db924cf7c | 13119 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13120 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13121 | der->skid, der->skidSz); |
wolfSSL | 15:117db924cf7c | 13122 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13123 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13124 | } |
wolfSSL | 15:117db924cf7c | 13125 | |
wolfSSL | 15:117db924cf7c | 13126 | /* put AKID */ |
wolfSSL | 15:117db924cf7c | 13127 | if (der->akidSz) { |
wolfSSL | 15:117db924cf7c | 13128 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13129 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13130 | der->akid, der->akidSz); |
wolfSSL | 15:117db924cf7c | 13131 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13132 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13133 | } |
wolfSSL | 15:117db924cf7c | 13134 | |
wolfSSL | 15:117db924cf7c | 13135 | /* put KeyUsage */ |
wolfSSL | 15:117db924cf7c | 13136 | if (der->keyUsageSz) { |
wolfSSL | 15:117db924cf7c | 13137 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13138 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13139 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 15:117db924cf7c | 13140 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13141 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13142 | } |
wolfSSL | 15:117db924cf7c | 13143 | |
wolfSSL | 15:117db924cf7c | 13144 | /* put ExtendedKeyUsage */ |
wolfSSL | 15:117db924cf7c | 13145 | if (der->extKeyUsageSz) { |
wolfSSL | 15:117db924cf7c | 13146 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13147 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13148 | der->extKeyUsage, der->extKeyUsageSz); |
wolfSSL | 15:117db924cf7c | 13149 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13150 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13151 | } |
wolfSSL | 15:117db924cf7c | 13152 | |
wolfSSL | 15:117db924cf7c | 13153 | /* put Certificate Policies */ |
wolfSSL | 15:117db924cf7c | 13154 | if (der->certPoliciesSz) { |
wolfSSL | 15:117db924cf7c | 13155 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13156 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13157 | der->certPolicies, der->certPoliciesSz); |
wolfSSL | 15:117db924cf7c | 13158 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13159 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13160 | } |
wolfSSL | 15:117db924cf7c | 13161 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 13162 | } |
wolfSSL | 15:117db924cf7c | 13163 | |
wolfSSL | 15:117db924cf7c | 13164 | der->total = der->versionSz + der->serialSz + der->sigAlgoSz + |
wolfSSL | 15:117db924cf7c | 13165 | der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + |
wolfSSL | 15:117db924cf7c | 13166 | der->extensionsSz; |
wolfSSL | 15:117db924cf7c | 13167 | |
wolfSSL | 15:117db924cf7c | 13168 | return 0; |
wolfSSL | 15:117db924cf7c | 13169 | } |
wolfSSL | 15:117db924cf7c | 13170 | |
wolfSSL | 15:117db924cf7c | 13171 | |
wolfSSL | 15:117db924cf7c | 13172 | /* write DER encoded cert to buffer, size already checked */ |
wolfSSL | 16:8e0d178b1d1e | 13173 | static int WriteCertBody(DerCert* der, byte* buf) |
wolfSSL | 15:117db924cf7c | 13174 | { |
wolfSSL | 15:117db924cf7c | 13175 | int idx; |
wolfSSL | 15:117db924cf7c | 13176 | |
wolfSSL | 15:117db924cf7c | 13177 | /* signed part header */ |
wolfSSL | 16:8e0d178b1d1e | 13178 | idx = SetSequence(der->total, buf); |
wolfSSL | 15:117db924cf7c | 13179 | /* version */ |
wolfSSL | 16:8e0d178b1d1e | 13180 | XMEMCPY(buf + idx, der->version, der->versionSz); |
wolfSSL | 15:117db924cf7c | 13181 | idx += der->versionSz; |
wolfSSL | 15:117db924cf7c | 13182 | /* serial */ |
wolfSSL | 16:8e0d178b1d1e | 13183 | XMEMCPY(buf + idx, der->serial, der->serialSz); |
wolfSSL | 15:117db924cf7c | 13184 | idx += der->serialSz; |
wolfSSL | 15:117db924cf7c | 13185 | /* sig algo */ |
wolfSSL | 16:8e0d178b1d1e | 13186 | XMEMCPY(buf + idx, der->sigAlgo, der->sigAlgoSz); |
wolfSSL | 15:117db924cf7c | 13187 | idx += der->sigAlgoSz; |
wolfSSL | 15:117db924cf7c | 13188 | /* issuer */ |
wolfSSL | 16:8e0d178b1d1e | 13189 | XMEMCPY(buf + idx, der->issuer, der->issuerSz); |
wolfSSL | 15:117db924cf7c | 13190 | idx += der->issuerSz; |
wolfSSL | 15:117db924cf7c | 13191 | /* validity */ |
wolfSSL | 16:8e0d178b1d1e | 13192 | XMEMCPY(buf + idx, der->validity, der->validitySz); |
wolfSSL | 15:117db924cf7c | 13193 | idx += der->validitySz; |
wolfSSL | 15:117db924cf7c | 13194 | /* subject */ |
wolfSSL | 16:8e0d178b1d1e | 13195 | XMEMCPY(buf + idx, der->subject, der->subjectSz); |
wolfSSL | 15:117db924cf7c | 13196 | idx += der->subjectSz; |
wolfSSL | 15:117db924cf7c | 13197 | /* public key */ |
wolfSSL | 16:8e0d178b1d1e | 13198 | XMEMCPY(buf + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 15:117db924cf7c | 13199 | idx += der->publicKeySz; |
wolfSSL | 15:117db924cf7c | 13200 | if (der->extensionsSz) { |
wolfSSL | 15:117db924cf7c | 13201 | /* extensions */ |
wolfSSL | 16:8e0d178b1d1e | 13202 | XMEMCPY(buf + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13203 | (int)sizeof(der->extensions))); |
wolfSSL | 15:117db924cf7c | 13204 | idx += der->extensionsSz; |
wolfSSL | 15:117db924cf7c | 13205 | } |
wolfSSL | 15:117db924cf7c | 13206 | |
wolfSSL | 15:117db924cf7c | 13207 | return idx; |
wolfSSL | 15:117db924cf7c | 13208 | } |
wolfSSL | 15:117db924cf7c | 13209 | |
wolfSSL | 15:117db924cf7c | 13210 | |
wolfSSL | 15:117db924cf7c | 13211 | /* Make RSA signature from buffer (sz), write to sig (sigSz) */ |
wolfSSL | 16:8e0d178b1d1e | 13212 | static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz, |
wolfSSL | 15:117db924cf7c | 13213 | byte* sig, int sigSz, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 16:8e0d178b1d1e | 13214 | ed25519_key* ed25519Key, ed448_key* ed448Key, WC_RNG* rng, int sigAlgoType, |
wolfSSL | 16:8e0d178b1d1e | 13215 | void* heap) |
wolfSSL | 15:117db924cf7c | 13216 | { |
wolfSSL | 15:117db924cf7c | 13217 | int digestSz = 0, typeH = 0, ret = 0; |
wolfSSL | 15:117db924cf7c | 13218 | |
wolfSSL | 15:117db924cf7c | 13219 | (void)digestSz; |
wolfSSL | 15:117db924cf7c | 13220 | (void)typeH; |
wolfSSL | 16:8e0d178b1d1e | 13221 | (void)buf; |
wolfSSL | 15:117db924cf7c | 13222 | (void)sz; |
wolfSSL | 15:117db924cf7c | 13223 | (void)sig; |
wolfSSL | 15:117db924cf7c | 13224 | (void)sigSz; |
wolfSSL | 15:117db924cf7c | 13225 | (void)rsaKey; |
wolfSSL | 15:117db924cf7c | 13226 | (void)eccKey; |
wolfSSL | 15:117db924cf7c | 13227 | (void)ed25519Key; |
wolfSSL | 16:8e0d178b1d1e | 13228 | (void)ed448Key; |
wolfSSL | 15:117db924cf7c | 13229 | (void)rng; |
wolfSSL | 16:8e0d178b1d1e | 13230 | (void)heap; |
wolfSSL | 15:117db924cf7c | 13231 | |
wolfSSL | 15:117db924cf7c | 13232 | switch (certSignCtx->state) { |
wolfSSL | 15:117db924cf7c | 13233 | case CERTSIGN_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 13234 | case CERTSIGN_STATE_DIGEST: |
wolfSSL | 15:117db924cf7c | 13235 | |
wolfSSL | 15:117db924cf7c | 13236 | certSignCtx->state = CERTSIGN_STATE_DIGEST; |
wolfSSL | 15:117db924cf7c | 13237 | certSignCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, |
wolfSSL | 15:117db924cf7c | 13238 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13239 | if (certSignCtx->digest == NULL) { |
wolfSSL | 15:117db924cf7c | 13240 | ret = MEMORY_E; goto exit_ms; |
wolfSSL | 15:117db924cf7c | 13241 | } |
wolfSSL | 15:117db924cf7c | 13242 | |
wolfSSL | 16:8e0d178b1d1e | 13243 | ret = HashForSignature(buf, sz, sigAlgoType, certSignCtx->digest, |
wolfSSL | 15:117db924cf7c | 13244 | &typeH, &digestSz, 0); |
wolfSSL | 16:8e0d178b1d1e | 13245 | /* set next state, since WC_PENDING_E rentry for these are not "call again" */ |
wolfSSL | 15:117db924cf7c | 13246 | certSignCtx->state = CERTSIGN_STATE_ENCODE; |
wolfSSL | 15:117db924cf7c | 13247 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 13248 | goto exit_ms; |
wolfSSL | 15:117db924cf7c | 13249 | } |
wolfSSL | 15:117db924cf7c | 13250 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 13251 | |
wolfSSL | 15:117db924cf7c | 13252 | case CERTSIGN_STATE_ENCODE: |
wolfSSL | 15:117db924cf7c | 13253 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13254 | if (rsaKey) { |
wolfSSL | 15:117db924cf7c | 13255 | certSignCtx->encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ, heap, |
wolfSSL | 15:117db924cf7c | 13256 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13257 | if (certSignCtx->encSig == NULL) { |
wolfSSL | 15:117db924cf7c | 13258 | ret = MEMORY_E; goto exit_ms; |
wolfSSL | 15:117db924cf7c | 13259 | } |
wolfSSL | 15:117db924cf7c | 13260 | |
wolfSSL | 15:117db924cf7c | 13261 | /* signature */ |
wolfSSL | 15:117db924cf7c | 13262 | certSignCtx->encSigSz = wc_EncodeSignature(certSignCtx->encSig, |
wolfSSL | 15:117db924cf7c | 13263 | certSignCtx->digest, digestSz, typeH); |
wolfSSL | 15:117db924cf7c | 13264 | } |
wolfSSL | 15:117db924cf7c | 13265 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 13266 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 13267 | |
wolfSSL | 15:117db924cf7c | 13268 | case CERTSIGN_STATE_DO: |
wolfSSL | 15:117db924cf7c | 13269 | certSignCtx->state = CERTSIGN_STATE_DO; |
wolfSSL | 15:117db924cf7c | 13270 | ret = ALGO_ID_E; /* default to error */ |
wolfSSL | 15:117db924cf7c | 13271 | |
wolfSSL | 15:117db924cf7c | 13272 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13273 | if (rsaKey) { |
wolfSSL | 15:117db924cf7c | 13274 | /* signature */ |
wolfSSL | 15:117db924cf7c | 13275 | ret = wc_RsaSSL_Sign(certSignCtx->encSig, certSignCtx->encSigSz, |
wolfSSL | 15:117db924cf7c | 13276 | sig, sigSz, rsaKey, rng); |
wolfSSL | 15:117db924cf7c | 13277 | } |
wolfSSL | 15:117db924cf7c | 13278 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 13279 | |
wolfSSL | 15:117db924cf7c | 13280 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 13281 | if (!rsaKey && eccKey) { |
wolfSSL | 15:117db924cf7c | 13282 | word32 outSz = sigSz; |
wolfSSL | 15:117db924cf7c | 13283 | |
wolfSSL | 15:117db924cf7c | 13284 | ret = wc_ecc_sign_hash(certSignCtx->digest, digestSz, |
wolfSSL | 15:117db924cf7c | 13285 | sig, &outSz, rng, eccKey); |
wolfSSL | 15:117db924cf7c | 13286 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 13287 | ret = outSz; |
wolfSSL | 15:117db924cf7c | 13288 | } |
wolfSSL | 15:117db924cf7c | 13289 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 13290 | |
wolfSSL | 15:117db924cf7c | 13291 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 13292 | if (!rsaKey && !eccKey && ed25519Key) { |
wolfSSL | 15:117db924cf7c | 13293 | word32 outSz = sigSz; |
wolfSSL | 15:117db924cf7c | 13294 | |
wolfSSL | 16:8e0d178b1d1e | 13295 | ret = wc_ed25519_sign_msg(buf, sz, sig, &outSz, ed25519Key); |
wolfSSL | 16:8e0d178b1d1e | 13296 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 13297 | ret = outSz; |
wolfSSL | 16:8e0d178b1d1e | 13298 | } |
wolfSSL | 16:8e0d178b1d1e | 13299 | #endif /* HAVE_ECC */ |
wolfSSL | 16:8e0d178b1d1e | 13300 | |
wolfSSL | 16:8e0d178b1d1e | 13301 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 13302 | if (!rsaKey && !eccKey && !ed25519Key && ed448Key) { |
wolfSSL | 16:8e0d178b1d1e | 13303 | word32 outSz = sigSz; |
wolfSSL | 16:8e0d178b1d1e | 13304 | |
wolfSSL | 16:8e0d178b1d1e | 13305 | ret = wc_ed448_sign_msg(buf, sz, sig, &outSz, ed448Key, NULL, 0); |
wolfSSL | 15:117db924cf7c | 13306 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 13307 | ret = outSz; |
wolfSSL | 15:117db924cf7c | 13308 | } |
wolfSSL | 15:117db924cf7c | 13309 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 13310 | break; |
wolfSSL | 15:117db924cf7c | 13311 | } |
wolfSSL | 15:117db924cf7c | 13312 | |
wolfSSL | 15:117db924cf7c | 13313 | exit_ms: |
wolfSSL | 15:117db924cf7c | 13314 | |
wolfSSL | 16:8e0d178b1d1e | 13315 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13316 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 13317 | return ret; |
wolfSSL | 15:117db924cf7c | 13318 | } |
wolfSSL | 16:8e0d178b1d1e | 13319 | #endif |
wolfSSL | 15:117db924cf7c | 13320 | |
wolfSSL | 15:117db924cf7c | 13321 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13322 | if (rsaKey) { |
wolfSSL | 15:117db924cf7c | 13323 | XFREE(certSignCtx->encSig, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13324 | } |
wolfSSL | 15:117db924cf7c | 13325 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 13326 | |
wolfSSL | 15:117db924cf7c | 13327 | XFREE(certSignCtx->digest, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13328 | certSignCtx->digest = NULL; |
wolfSSL | 15:117db924cf7c | 13329 | |
wolfSSL | 15:117db924cf7c | 13330 | /* reset state */ |
wolfSSL | 15:117db924cf7c | 13331 | certSignCtx->state = CERTSIGN_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 13332 | |
wolfSSL | 15:117db924cf7c | 13333 | return ret; |
wolfSSL | 15:117db924cf7c | 13334 | } |
wolfSSL | 15:117db924cf7c | 13335 | |
wolfSSL | 15:117db924cf7c | 13336 | |
wolfSSL | 15:117db924cf7c | 13337 | /* add signature to end of buffer, size of buffer assumed checked, return |
wolfSSL | 15:117db924cf7c | 13338 | new length */ |
wolfSSL | 16:8e0d178b1d1e | 13339 | static int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz, |
wolfSSL | 15:117db924cf7c | 13340 | int sigAlgoType) |
wolfSSL | 15:117db924cf7c | 13341 | { |
wolfSSL | 15:117db924cf7c | 13342 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 13343 | int idx = bodySz, seqSz; |
wolfSSL | 15:117db924cf7c | 13344 | |
wolfSSL | 15:117db924cf7c | 13345 | /* algo */ |
wolfSSL | 16:8e0d178b1d1e | 13346 | idx += SetAlgoID(sigAlgoType, buf ? buf + idx : NULL, oidSigType, 0); |
wolfSSL | 15:117db924cf7c | 13347 | /* bit string */ |
wolfSSL | 16:8e0d178b1d1e | 13348 | idx += SetBitString(sigSz, 0, buf ? buf + idx : NULL); |
wolfSSL | 15:117db924cf7c | 13349 | /* signature */ |
wolfSSL | 16:8e0d178b1d1e | 13350 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13351 | XMEMCPY(buf + idx, sig, sigSz); |
wolfSSL | 15:117db924cf7c | 13352 | idx += sigSz; |
wolfSSL | 15:117db924cf7c | 13353 | |
wolfSSL | 15:117db924cf7c | 13354 | /* make room for overall header */ |
wolfSSL | 15:117db924cf7c | 13355 | seqSz = SetSequence(idx, seq); |
wolfSSL | 16:8e0d178b1d1e | 13356 | if (buf) { |
wolfSSL | 16:8e0d178b1d1e | 13357 | XMEMMOVE(buf + seqSz, buf, idx); |
wolfSSL | 16:8e0d178b1d1e | 13358 | XMEMCPY(buf, seq, seqSz); |
wolfSSL | 16:8e0d178b1d1e | 13359 | } |
wolfSSL | 15:117db924cf7c | 13360 | |
wolfSSL | 15:117db924cf7c | 13361 | return idx + seqSz; |
wolfSSL | 15:117db924cf7c | 13362 | } |
wolfSSL | 15:117db924cf7c | 13363 | |
wolfSSL | 15:117db924cf7c | 13364 | |
wolfSSL | 15:117db924cf7c | 13365 | /* Make an x509 Certificate v3 any key type from cert input, write to buffer */ |
wolfSSL | 15:117db924cf7c | 13366 | static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 15:117db924cf7c | 13367 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng, |
wolfSSL | 15:117db924cf7c | 13368 | const byte* ntruKey, word16 ntruSz, |
wolfSSL | 16:8e0d178b1d1e | 13369 | ed25519_key* ed25519Key, ed448_key* ed448Key) |
wolfSSL | 15:117db924cf7c | 13370 | { |
wolfSSL | 15:117db924cf7c | 13371 | int ret; |
wolfSSL | 15:117db924cf7c | 13372 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13373 | DerCert* der; |
wolfSSL | 15:117db924cf7c | 13374 | #else |
wolfSSL | 15:117db924cf7c | 13375 | DerCert der[1]; |
wolfSSL | 15:117db924cf7c | 13376 | #endif |
wolfSSL | 15:117db924cf7c | 13377 | |
wolfSSL | 16:8e0d178b1d1e | 13378 | if (derBuffer == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 13379 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 13380 | } |
wolfSSL | 16:8e0d178b1d1e | 13381 | |
wolfSSL | 15:117db924cf7c | 13382 | cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : |
wolfSSL | 16:8e0d178b1d1e | 13383 | (ed25519Key ? ED25519_KEY : (ed448Key ? ED448_KEY : NTRU_KEY))); |
wolfSSL | 15:117db924cf7c | 13384 | |
wolfSSL | 15:117db924cf7c | 13385 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13386 | der = (DerCert*)XMALLOC(sizeof(DerCert), cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13387 | if (der == NULL) |
wolfSSL | 15:117db924cf7c | 13388 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 13389 | #endif |
wolfSSL | 15:117db924cf7c | 13390 | |
wolfSSL | 15:117db924cf7c | 13391 | ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz, |
wolfSSL | 16:8e0d178b1d1e | 13392 | ed25519Key, ed448Key); |
wolfSSL | 15:117db924cf7c | 13393 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 13394 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 15:117db924cf7c | 13395 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 13396 | else |
wolfSSL | 15:117db924cf7c | 13397 | ret = cert->bodySz = WriteCertBody(der, derBuffer); |
wolfSSL | 15:117db924cf7c | 13398 | } |
wolfSSL | 15:117db924cf7c | 13399 | |
wolfSSL | 15:117db924cf7c | 13400 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13401 | XFREE(der, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13402 | #endif |
wolfSSL | 15:117db924cf7c | 13403 | |
wolfSSL | 15:117db924cf7c | 13404 | return ret; |
wolfSSL | 15:117db924cf7c | 13405 | } |
wolfSSL | 15:117db924cf7c | 13406 | |
wolfSSL | 15:117db924cf7c | 13407 | |
wolfSSL | 15:117db924cf7c | 13408 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 15:117db924cf7c | 13409 | int wc_MakeCert_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType, |
wolfSSL | 15:117db924cf7c | 13410 | void* key, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13411 | { |
wolfSSL | 16:8e0d178b1d1e | 13412 | RsaKey* rsaKey = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13413 | ecc_key* eccKey = NULL; |
wolfSSL | 15:117db924cf7c | 13414 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13415 | ed448_key* ed448Key = NULL; |
wolfSSL | 15:117db924cf7c | 13416 | |
wolfSSL | 15:117db924cf7c | 13417 | if (keyType == RSA_TYPE) |
wolfSSL | 15:117db924cf7c | 13418 | rsaKey = (RsaKey*)key; |
wolfSSL | 15:117db924cf7c | 13419 | else if (keyType == ECC_TYPE) |
wolfSSL | 15:117db924cf7c | 13420 | eccKey = (ecc_key*)key; |
wolfSSL | 15:117db924cf7c | 13421 | else if (keyType == ED25519_TYPE) |
wolfSSL | 15:117db924cf7c | 13422 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 13423 | else if (keyType == ED448_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 13424 | ed448Key = (ed448_key*)key; |
wolfSSL | 15:117db924cf7c | 13425 | |
wolfSSL | 15:117db924cf7c | 13426 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0, |
wolfSSL | 16:8e0d178b1d1e | 13427 | ed25519Key, ed448Key); |
wolfSSL | 15:117db924cf7c | 13428 | } |
wolfSSL | 15:117db924cf7c | 13429 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 15:117db924cf7c | 13430 | int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, |
wolfSSL | 15:117db924cf7c | 13431 | ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13432 | { |
wolfSSL | 15:117db924cf7c | 13433 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0, |
wolfSSL | 16:8e0d178b1d1e | 13434 | NULL, NULL); |
wolfSSL | 15:117db924cf7c | 13435 | } |
wolfSSL | 15:117db924cf7c | 13436 | |
wolfSSL | 15:117db924cf7c | 13437 | |
wolfSSL | 15:117db924cf7c | 13438 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 13439 | |
wolfSSL | 15:117db924cf7c | 13440 | int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 15:117db924cf7c | 13441 | const byte* ntruKey, word16 keySz, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13442 | { |
wolfSSL | 15:117db924cf7c | 13443 | return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz, NULL); |
wolfSSL | 15:117db924cf7c | 13444 | } |
wolfSSL | 15:117db924cf7c | 13445 | |
wolfSSL | 15:117db924cf7c | 13446 | #endif /* HAVE_NTRU */ |
wolfSSL | 15:117db924cf7c | 13447 | |
wolfSSL | 15:117db924cf7c | 13448 | |
wolfSSL | 15:117db924cf7c | 13449 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 15:117db924cf7c | 13450 | |
wolfSSL | 16:8e0d178b1d1e | 13451 | static int SetReqAttrib(byte* output, char* pw, int pwPrintableString, |
wolfSSL | 16:8e0d178b1d1e | 13452 | int extSz) |
wolfSSL | 16:8e0d178b1d1e | 13453 | { |
wolfSSL | 16:8e0d178b1d1e | 13454 | const byte cpOid[] = |
wolfSSL | 15:117db924cf7c | 13455 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 15:117db924cf7c | 13456 | 0x09, 0x07 }; |
wolfSSL | 16:8e0d178b1d1e | 13457 | const byte erOid[] = |
wolfSSL | 15:117db924cf7c | 13458 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 15:117db924cf7c | 13459 | 0x09, 0x0e }; |
wolfSSL | 15:117db924cf7c | 13460 | |
wolfSSL | 15:117db924cf7c | 13461 | int sz = 0; /* overall size */ |
wolfSSL | 15:117db924cf7c | 13462 | int cpSz = 0; /* Challenge Password section size */ |
wolfSSL | 15:117db924cf7c | 13463 | int cpSeqSz = 0; |
wolfSSL | 15:117db924cf7c | 13464 | int cpSetSz = 0; |
wolfSSL | 15:117db924cf7c | 13465 | int cpStrSz = 0; |
wolfSSL | 15:117db924cf7c | 13466 | int pwSz = 0; |
wolfSSL | 15:117db924cf7c | 13467 | int erSz = 0; /* Extension Request section size */ |
wolfSSL | 15:117db924cf7c | 13468 | int erSeqSz = 0; |
wolfSSL | 15:117db924cf7c | 13469 | int erSetSz = 0; |
wolfSSL | 15:117db924cf7c | 13470 | byte cpSeq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 13471 | byte cpSet[MAX_SET_SZ]; |
wolfSSL | 15:117db924cf7c | 13472 | byte cpStr[MAX_PRSTR_SZ]; |
wolfSSL | 15:117db924cf7c | 13473 | byte erSeq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 13474 | byte erSet[MAX_SET_SZ]; |
wolfSSL | 15:117db924cf7c | 13475 | |
wolfSSL | 15:117db924cf7c | 13476 | output[0] = 0xa0; |
wolfSSL | 15:117db924cf7c | 13477 | sz++; |
wolfSSL | 15:117db924cf7c | 13478 | |
wolfSSL | 15:117db924cf7c | 13479 | if (pw && pw[0]) { |
wolfSSL | 15:117db924cf7c | 13480 | pwSz = (int)XSTRLEN(pw); |
wolfSSL | 16:8e0d178b1d1e | 13481 | if (pwPrintableString) { |
wolfSSL | 16:8e0d178b1d1e | 13482 | cpStrSz = SetPrintableString(pwSz, cpStr); |
wolfSSL | 16:8e0d178b1d1e | 13483 | } else { |
wolfSSL | 16:8e0d178b1d1e | 13484 | cpStrSz = SetUTF8String(pwSz, cpStr); |
wolfSSL | 16:8e0d178b1d1e | 13485 | } |
wolfSSL | 15:117db924cf7c | 13486 | cpSetSz = SetSet(cpStrSz + pwSz, cpSet); |
wolfSSL | 15:117db924cf7c | 13487 | cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq); |
wolfSSL | 15:117db924cf7c | 13488 | cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz; |
wolfSSL | 15:117db924cf7c | 13489 | } |
wolfSSL | 15:117db924cf7c | 13490 | |
wolfSSL | 15:117db924cf7c | 13491 | if (extSz) { |
wolfSSL | 15:117db924cf7c | 13492 | erSetSz = SetSet(extSz, erSet); |
wolfSSL | 15:117db924cf7c | 13493 | erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq); |
wolfSSL | 15:117db924cf7c | 13494 | erSz = extSz + erSetSz + erSeqSz + sizeof(erOid); |
wolfSSL | 15:117db924cf7c | 13495 | } |
wolfSSL | 15:117db924cf7c | 13496 | |
wolfSSL | 15:117db924cf7c | 13497 | /* Put the pieces together. */ |
wolfSSL | 15:117db924cf7c | 13498 | sz += SetLength(cpSz + erSz, &output[sz]); |
wolfSSL | 15:117db924cf7c | 13499 | |
wolfSSL | 15:117db924cf7c | 13500 | if (cpSz) { |
wolfSSL | 15:117db924cf7c | 13501 | XMEMCPY(&output[sz], cpSeq, cpSeqSz); |
wolfSSL | 15:117db924cf7c | 13502 | sz += cpSeqSz; |
wolfSSL | 15:117db924cf7c | 13503 | XMEMCPY(&output[sz], cpOid, sizeof(cpOid)); |
wolfSSL | 15:117db924cf7c | 13504 | sz += sizeof(cpOid); |
wolfSSL | 15:117db924cf7c | 13505 | XMEMCPY(&output[sz], cpSet, cpSetSz); |
wolfSSL | 15:117db924cf7c | 13506 | sz += cpSetSz; |
wolfSSL | 15:117db924cf7c | 13507 | XMEMCPY(&output[sz], cpStr, cpStrSz); |
wolfSSL | 15:117db924cf7c | 13508 | sz += cpStrSz; |
wolfSSL | 15:117db924cf7c | 13509 | XMEMCPY(&output[sz], pw, pwSz); |
wolfSSL | 15:117db924cf7c | 13510 | sz += pwSz; |
wolfSSL | 15:117db924cf7c | 13511 | } |
wolfSSL | 15:117db924cf7c | 13512 | |
wolfSSL | 15:117db924cf7c | 13513 | if (erSz) { |
wolfSSL | 15:117db924cf7c | 13514 | XMEMCPY(&output[sz], erSeq, erSeqSz); |
wolfSSL | 15:117db924cf7c | 13515 | sz += erSeqSz; |
wolfSSL | 15:117db924cf7c | 13516 | XMEMCPY(&output[sz], erOid, sizeof(erOid)); |
wolfSSL | 15:117db924cf7c | 13517 | sz += sizeof(erOid); |
wolfSSL | 15:117db924cf7c | 13518 | XMEMCPY(&output[sz], erSet, erSetSz); |
wolfSSL | 15:117db924cf7c | 13519 | sz += erSetSz; |
wolfSSL | 15:117db924cf7c | 13520 | /* The actual extension data will be tacked onto the output later. */ |
wolfSSL | 15:117db924cf7c | 13521 | } |
wolfSSL | 15:117db924cf7c | 13522 | |
wolfSSL | 15:117db924cf7c | 13523 | return sz; |
wolfSSL | 15:117db924cf7c | 13524 | } |
wolfSSL | 15:117db924cf7c | 13525 | |
wolfSSL | 15:117db924cf7c | 13526 | |
wolfSSL | 15:117db924cf7c | 13527 | /* encode info from cert into DER encoded format */ |
wolfSSL | 15:117db924cf7c | 13528 | static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey, |
wolfSSL | 16:8e0d178b1d1e | 13529 | ecc_key* eccKey, ed25519_key* ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 13530 | ed448_key* ed448Key) |
wolfSSL | 15:117db924cf7c | 13531 | { |
wolfSSL | 15:117db924cf7c | 13532 | (void)eccKey; |
wolfSSL | 15:117db924cf7c | 13533 | (void)ed25519Key; |
wolfSSL | 16:8e0d178b1d1e | 13534 | (void)ed448Key; |
wolfSSL | 15:117db924cf7c | 13535 | |
wolfSSL | 15:117db924cf7c | 13536 | if (cert == NULL || der == NULL) |
wolfSSL | 15:117db924cf7c | 13537 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 13538 | |
wolfSSL | 16:8e0d178b1d1e | 13539 | if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && |
wolfSSL | 16:8e0d178b1d1e | 13540 | ed448Key == NULL) { |
wolfSSL | 15:117db924cf7c | 13541 | return PUBLIC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 13542 | } |
wolfSSL | 15:117db924cf7c | 13543 | |
wolfSSL | 15:117db924cf7c | 13544 | /* init */ |
wolfSSL | 15:117db924cf7c | 13545 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 15:117db924cf7c | 13546 | |
wolfSSL | 15:117db924cf7c | 13547 | /* version */ |
wolfSSL | 15:117db924cf7c | 13548 | der->versionSz = SetMyVersion(cert->version, der->version, FALSE); |
wolfSSL | 15:117db924cf7c | 13549 | |
wolfSSL | 15:117db924cf7c | 13550 | /* subject name */ |
wolfSSL | 15:117db924cf7c | 13551 | der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject); |
wolfSSL | 15:117db924cf7c | 13552 | if (der->subjectSz <= 0) |
wolfSSL | 15:117db924cf7c | 13553 | return SUBJECT_E; |
wolfSSL | 15:117db924cf7c | 13554 | |
wolfSSL | 15:117db924cf7c | 13555 | /* public key */ |
wolfSSL | 15:117db924cf7c | 13556 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13557 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 15:117db924cf7c | 13558 | if (rsaKey == NULL) |
wolfSSL | 15:117db924cf7c | 13559 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 13560 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 15:117db924cf7c | 13561 | sizeof(der->publicKey), 1); |
wolfSSL | 15:117db924cf7c | 13562 | } |
wolfSSL | 15:117db924cf7c | 13563 | #endif |
wolfSSL | 15:117db924cf7c | 13564 | |
wolfSSL | 15:117db924cf7c | 13565 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 13566 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 15:117db924cf7c | 13567 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 15:117db924cf7c | 13568 | } |
wolfSSL | 15:117db924cf7c | 13569 | #endif |
wolfSSL | 15:117db924cf7c | 13570 | |
wolfSSL | 15:117db924cf7c | 13571 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 13572 | if (cert->keyType == ED25519_KEY) { |
wolfSSL | 15:117db924cf7c | 13573 | if (ed25519Key == NULL) |
wolfSSL | 15:117db924cf7c | 13574 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 13575 | der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); |
wolfSSL | 15:117db924cf7c | 13576 | } |
wolfSSL | 15:117db924cf7c | 13577 | #endif |
wolfSSL | 15:117db924cf7c | 13578 | |
wolfSSL | 16:8e0d178b1d1e | 13579 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 13580 | if (cert->keyType == ED448_KEY) { |
wolfSSL | 16:8e0d178b1d1e | 13581 | if (ed448Key == NULL) |
wolfSSL | 16:8e0d178b1d1e | 13582 | return PUBLIC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 13583 | der->publicKeySz = SetEd448PublicKey(der->publicKey, ed448Key, 1); |
wolfSSL | 16:8e0d178b1d1e | 13584 | } |
wolfSSL | 16:8e0d178b1d1e | 13585 | #endif |
wolfSSL | 15:117db924cf7c | 13586 | if (der->publicKeySz <= 0) |
wolfSSL | 15:117db924cf7c | 13587 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 13588 | |
wolfSSL | 15:117db924cf7c | 13589 | /* set the extensions */ |
wolfSSL | 15:117db924cf7c | 13590 | der->extensionsSz = 0; |
wolfSSL | 15:117db924cf7c | 13591 | |
wolfSSL | 15:117db924cf7c | 13592 | /* CA */ |
wolfSSL | 15:117db924cf7c | 13593 | if (cert->isCA) { |
wolfSSL | 15:117db924cf7c | 13594 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 15:117db924cf7c | 13595 | if (der->caSz <= 0) |
wolfSSL | 15:117db924cf7c | 13596 | return CA_TRUE_E; |
wolfSSL | 15:117db924cf7c | 13597 | |
wolfSSL | 15:117db924cf7c | 13598 | der->extensionsSz += der->caSz; |
wolfSSL | 15:117db924cf7c | 13599 | } |
wolfSSL | 15:117db924cf7c | 13600 | else |
wolfSSL | 15:117db924cf7c | 13601 | der->caSz = 0; |
wolfSSL | 15:117db924cf7c | 13602 | |
wolfSSL | 15:117db924cf7c | 13603 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 13604 | /* SKID */ |
wolfSSL | 15:117db924cf7c | 13605 | if (cert->skidSz) { |
wolfSSL | 15:117db924cf7c | 13606 | /* check the provided SKID size */ |
wolfSSL | 15:117db924cf7c | 13607 | if (cert->skidSz > (int)min(CTC_MAX_SKID_SIZE, sizeof(der->skid))) |
wolfSSL | 15:117db924cf7c | 13608 | return SKID_E; |
wolfSSL | 15:117db924cf7c | 13609 | |
wolfSSL | 15:117db924cf7c | 13610 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 15:117db924cf7c | 13611 | cert->skid, cert->skidSz); |
wolfSSL | 15:117db924cf7c | 13612 | if (der->skidSz <= 0) |
wolfSSL | 15:117db924cf7c | 13613 | return SKID_E; |
wolfSSL | 15:117db924cf7c | 13614 | |
wolfSSL | 15:117db924cf7c | 13615 | der->extensionsSz += der->skidSz; |
wolfSSL | 15:117db924cf7c | 13616 | } |
wolfSSL | 15:117db924cf7c | 13617 | else |
wolfSSL | 15:117db924cf7c | 13618 | der->skidSz = 0; |
wolfSSL | 15:117db924cf7c | 13619 | |
wolfSSL | 15:117db924cf7c | 13620 | /* Key Usage */ |
wolfSSL | 15:117db924cf7c | 13621 | if (cert->keyUsage != 0){ |
wolfSSL | 15:117db924cf7c | 13622 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 15:117db924cf7c | 13623 | cert->keyUsage); |
wolfSSL | 15:117db924cf7c | 13624 | if (der->keyUsageSz <= 0) |
wolfSSL | 15:117db924cf7c | 13625 | return KEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 13626 | |
wolfSSL | 15:117db924cf7c | 13627 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 15:117db924cf7c | 13628 | } |
wolfSSL | 15:117db924cf7c | 13629 | else |
wolfSSL | 15:117db924cf7c | 13630 | der->keyUsageSz = 0; |
wolfSSL | 15:117db924cf7c | 13631 | |
wolfSSL | 15:117db924cf7c | 13632 | /* Extended Key Usage */ |
wolfSSL | 15:117db924cf7c | 13633 | if (cert->extKeyUsage != 0){ |
wolfSSL | 15:117db924cf7c | 13634 | der->extKeyUsageSz = SetExtKeyUsage(cert, der->extKeyUsage, |
wolfSSL | 15:117db924cf7c | 13635 | sizeof(der->extKeyUsage), cert->extKeyUsage); |
wolfSSL | 15:117db924cf7c | 13636 | if (der->extKeyUsageSz <= 0) |
wolfSSL | 15:117db924cf7c | 13637 | return EXTKEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 13638 | |
wolfSSL | 15:117db924cf7c | 13639 | der->extensionsSz += der->extKeyUsageSz; |
wolfSSL | 15:117db924cf7c | 13640 | } |
wolfSSL | 15:117db924cf7c | 13641 | else |
wolfSSL | 15:117db924cf7c | 13642 | der->extKeyUsageSz = 0; |
wolfSSL | 15:117db924cf7c | 13643 | |
wolfSSL | 15:117db924cf7c | 13644 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 13645 | |
wolfSSL | 15:117db924cf7c | 13646 | /* put extensions */ |
wolfSSL | 15:117db924cf7c | 13647 | if (der->extensionsSz > 0) { |
wolfSSL | 15:117db924cf7c | 13648 | int ret; |
wolfSSL | 15:117db924cf7c | 13649 | |
wolfSSL | 15:117db924cf7c | 13650 | /* put the start of sequence (ID, Size) */ |
wolfSSL | 15:117db924cf7c | 13651 | der->extensionsSz = SetSequence(der->extensionsSz, der->extensions); |
wolfSSL | 15:117db924cf7c | 13652 | if (der->extensionsSz <= 0) |
wolfSSL | 15:117db924cf7c | 13653 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13654 | |
wolfSSL | 15:117db924cf7c | 13655 | /* put CA */ |
wolfSSL | 15:117db924cf7c | 13656 | if (der->caSz) { |
wolfSSL | 15:117db924cf7c | 13657 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13658 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13659 | der->ca, der->caSz); |
wolfSSL | 15:117db924cf7c | 13660 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13661 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13662 | } |
wolfSSL | 15:117db924cf7c | 13663 | |
wolfSSL | 15:117db924cf7c | 13664 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 13665 | /* put SKID */ |
wolfSSL | 15:117db924cf7c | 13666 | if (der->skidSz) { |
wolfSSL | 15:117db924cf7c | 13667 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13668 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13669 | der->skid, der->skidSz); |
wolfSSL | 15:117db924cf7c | 13670 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13671 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13672 | } |
wolfSSL | 15:117db924cf7c | 13673 | |
wolfSSL | 15:117db924cf7c | 13674 | /* put AKID */ |
wolfSSL | 15:117db924cf7c | 13675 | if (der->akidSz) { |
wolfSSL | 15:117db924cf7c | 13676 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13677 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13678 | der->akid, der->akidSz); |
wolfSSL | 15:117db924cf7c | 13679 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13680 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13681 | } |
wolfSSL | 15:117db924cf7c | 13682 | |
wolfSSL | 15:117db924cf7c | 13683 | /* put KeyUsage */ |
wolfSSL | 15:117db924cf7c | 13684 | if (der->keyUsageSz) { |
wolfSSL | 15:117db924cf7c | 13685 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13686 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13687 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 15:117db924cf7c | 13688 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13689 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13690 | } |
wolfSSL | 15:117db924cf7c | 13691 | |
wolfSSL | 15:117db924cf7c | 13692 | /* put ExtendedKeyUsage */ |
wolfSSL | 15:117db924cf7c | 13693 | if (der->extKeyUsageSz) { |
wolfSSL | 15:117db924cf7c | 13694 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 15:117db924cf7c | 13695 | &der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13696 | der->extKeyUsage, der->extKeyUsageSz); |
wolfSSL | 15:117db924cf7c | 13697 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 13698 | return EXTENSIONS_E; |
wolfSSL | 15:117db924cf7c | 13699 | } |
wolfSSL | 15:117db924cf7c | 13700 | |
wolfSSL | 15:117db924cf7c | 13701 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 13702 | } |
wolfSSL | 15:117db924cf7c | 13703 | |
wolfSSL | 16:8e0d178b1d1e | 13704 | der->attribSz = SetReqAttrib(der->attrib, cert->challengePw, |
wolfSSL | 16:8e0d178b1d1e | 13705 | cert->challengePwPrintableString, |
wolfSSL | 16:8e0d178b1d1e | 13706 | der->extensionsSz); |
wolfSSL | 15:117db924cf7c | 13707 | if (der->attribSz <= 0) |
wolfSSL | 15:117db924cf7c | 13708 | return REQ_ATTRIBUTE_E; |
wolfSSL | 15:117db924cf7c | 13709 | |
wolfSSL | 15:117db924cf7c | 13710 | der->total = der->versionSz + der->subjectSz + der->publicKeySz + |
wolfSSL | 15:117db924cf7c | 13711 | der->extensionsSz + der->attribSz; |
wolfSSL | 15:117db924cf7c | 13712 | |
wolfSSL | 15:117db924cf7c | 13713 | return 0; |
wolfSSL | 15:117db924cf7c | 13714 | } |
wolfSSL | 15:117db924cf7c | 13715 | |
wolfSSL | 15:117db924cf7c | 13716 | |
wolfSSL | 15:117db924cf7c | 13717 | /* write DER encoded cert req to buffer, size already checked */ |
wolfSSL | 16:8e0d178b1d1e | 13718 | static int WriteCertReqBody(DerCert* der, byte* buf) |
wolfSSL | 15:117db924cf7c | 13719 | { |
wolfSSL | 15:117db924cf7c | 13720 | int idx; |
wolfSSL | 15:117db924cf7c | 13721 | |
wolfSSL | 15:117db924cf7c | 13722 | /* signed part header */ |
wolfSSL | 16:8e0d178b1d1e | 13723 | idx = SetSequence(der->total, buf); |
wolfSSL | 15:117db924cf7c | 13724 | /* version */ |
wolfSSL | 16:8e0d178b1d1e | 13725 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13726 | XMEMCPY(buf + idx, der->version, der->versionSz); |
wolfSSL | 15:117db924cf7c | 13727 | idx += der->versionSz; |
wolfSSL | 15:117db924cf7c | 13728 | /* subject */ |
wolfSSL | 16:8e0d178b1d1e | 13729 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13730 | XMEMCPY(buf + idx, der->subject, der->subjectSz); |
wolfSSL | 15:117db924cf7c | 13731 | idx += der->subjectSz; |
wolfSSL | 15:117db924cf7c | 13732 | /* public key */ |
wolfSSL | 16:8e0d178b1d1e | 13733 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13734 | XMEMCPY(buf + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 15:117db924cf7c | 13735 | idx += der->publicKeySz; |
wolfSSL | 15:117db924cf7c | 13736 | /* attributes */ |
wolfSSL | 16:8e0d178b1d1e | 13737 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13738 | XMEMCPY(buf + idx, der->attrib, der->attribSz); |
wolfSSL | 15:117db924cf7c | 13739 | idx += der->attribSz; |
wolfSSL | 15:117db924cf7c | 13740 | /* extensions */ |
wolfSSL | 15:117db924cf7c | 13741 | if (der->extensionsSz) { |
wolfSSL | 16:8e0d178b1d1e | 13742 | if (buf) |
wolfSSL | 16:8e0d178b1d1e | 13743 | XMEMCPY(buf + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 15:117db924cf7c | 13744 | (int)sizeof(der->extensions))); |
wolfSSL | 15:117db924cf7c | 13745 | idx += der->extensionsSz; |
wolfSSL | 15:117db924cf7c | 13746 | } |
wolfSSL | 15:117db924cf7c | 13747 | |
wolfSSL | 15:117db924cf7c | 13748 | return idx; |
wolfSSL | 15:117db924cf7c | 13749 | } |
wolfSSL | 15:117db924cf7c | 13750 | |
wolfSSL | 15:117db924cf7c | 13751 | |
wolfSSL | 15:117db924cf7c | 13752 | static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 16:8e0d178b1d1e | 13753 | RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 13754 | ed448_key* ed448Key) |
wolfSSL | 15:117db924cf7c | 13755 | { |
wolfSSL | 15:117db924cf7c | 13756 | int ret; |
wolfSSL | 15:117db924cf7c | 13757 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13758 | DerCert* der; |
wolfSSL | 15:117db924cf7c | 13759 | #else |
wolfSSL | 15:117db924cf7c | 13760 | DerCert der[1]; |
wolfSSL | 15:117db924cf7c | 13761 | #endif |
wolfSSL | 15:117db924cf7c | 13762 | |
wolfSSL | 16:8e0d178b1d1e | 13763 | cert->keyType = eccKey ? ECC_KEY : (ed25519Key ? ED25519_KEY : |
wolfSSL | 16:8e0d178b1d1e | 13764 | (ed448Key ? ED448_KEY: RSA_KEY)); |
wolfSSL | 15:117db924cf7c | 13765 | |
wolfSSL | 15:117db924cf7c | 13766 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13767 | der = (DerCert*)XMALLOC(sizeof(DerCert), cert->heap, |
wolfSSL | 15:117db924cf7c | 13768 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13769 | if (der == NULL) |
wolfSSL | 15:117db924cf7c | 13770 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 13771 | #endif |
wolfSSL | 15:117db924cf7c | 13772 | |
wolfSSL | 16:8e0d178b1d1e | 13773 | ret = EncodeCertReq(cert, der, rsaKey, eccKey, ed25519Key, ed448Key); |
wolfSSL | 15:117db924cf7c | 13774 | |
wolfSSL | 15:117db924cf7c | 13775 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 13776 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 15:117db924cf7c | 13777 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 13778 | else |
wolfSSL | 15:117db924cf7c | 13779 | ret = cert->bodySz = WriteCertReqBody(der, derBuffer); |
wolfSSL | 15:117db924cf7c | 13780 | } |
wolfSSL | 15:117db924cf7c | 13781 | |
wolfSSL | 15:117db924cf7c | 13782 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 13783 | XFREE(der, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13784 | #endif |
wolfSSL | 15:117db924cf7c | 13785 | |
wolfSSL | 15:117db924cf7c | 13786 | return ret; |
wolfSSL | 15:117db924cf7c | 13787 | } |
wolfSSL | 15:117db924cf7c | 13788 | |
wolfSSL | 15:117db924cf7c | 13789 | int wc_MakeCertReq_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType, |
wolfSSL | 15:117db924cf7c | 13790 | void* key) |
wolfSSL | 15:117db924cf7c | 13791 | { |
wolfSSL | 16:8e0d178b1d1e | 13792 | RsaKey* rsaKey = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13793 | ecc_key* eccKey = NULL; |
wolfSSL | 15:117db924cf7c | 13794 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13795 | ed448_key* ed448Key = NULL; |
wolfSSL | 15:117db924cf7c | 13796 | |
wolfSSL | 15:117db924cf7c | 13797 | if (keyType == RSA_TYPE) |
wolfSSL | 15:117db924cf7c | 13798 | rsaKey = (RsaKey*)key; |
wolfSSL | 15:117db924cf7c | 13799 | else if (keyType == ECC_TYPE) |
wolfSSL | 15:117db924cf7c | 13800 | eccKey = (ecc_key*)key; |
wolfSSL | 15:117db924cf7c | 13801 | else if (keyType == ED25519_TYPE) |
wolfSSL | 15:117db924cf7c | 13802 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 13803 | else if (keyType == ED448_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 13804 | ed448Key = (ed448_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 13805 | |
wolfSSL | 16:8e0d178b1d1e | 13806 | return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 13807 | ed448Key); |
wolfSSL | 15:117db924cf7c | 13808 | } |
wolfSSL | 15:117db924cf7c | 13809 | |
wolfSSL | 15:117db924cf7c | 13810 | int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 15:117db924cf7c | 13811 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 15:117db924cf7c | 13812 | { |
wolfSSL | 16:8e0d178b1d1e | 13813 | return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, NULL, NULL); |
wolfSSL | 15:117db924cf7c | 13814 | } |
wolfSSL | 15:117db924cf7c | 13815 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 15:117db924cf7c | 13816 | |
wolfSSL | 15:117db924cf7c | 13817 | |
wolfSSL | 16:8e0d178b1d1e | 13818 | static int SignCert(int requestSz, int sType, byte* buf, word32 buffSz, |
wolfSSL | 15:117db924cf7c | 13819 | RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 13820 | ed448_key* ed448Key, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13821 | { |
wolfSSL | 15:117db924cf7c | 13822 | int sigSz = 0; |
wolfSSL | 15:117db924cf7c | 13823 | void* heap = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13824 | CertSignCtx* certSignCtx; |
wolfSSL | 15:117db924cf7c | 13825 | #ifndef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13826 | CertSignCtx certSignCtx_lcl; |
wolfSSL | 16:8e0d178b1d1e | 13827 | |
wolfSSL | 15:117db924cf7c | 13828 | certSignCtx = &certSignCtx_lcl; |
wolfSSL | 15:117db924cf7c | 13829 | XMEMSET(certSignCtx, 0, sizeof(CertSignCtx)); |
wolfSSL | 16:8e0d178b1d1e | 13830 | #else |
wolfSSL | 16:8e0d178b1d1e | 13831 | certSignCtx = NULL; |
wolfSSL | 15:117db924cf7c | 13832 | #endif |
wolfSSL | 15:117db924cf7c | 13833 | |
wolfSSL | 15:117db924cf7c | 13834 | if (requestSz < 0) |
wolfSSL | 15:117db924cf7c | 13835 | return requestSz; |
wolfSSL | 15:117db924cf7c | 13836 | |
wolfSSL | 15:117db924cf7c | 13837 | /* locate ctx */ |
wolfSSL | 15:117db924cf7c | 13838 | if (rsaKey) { |
wolfSSL | 15:117db924cf7c | 13839 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13840 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13841 | certSignCtx = &rsaKey->certSignCtx; |
wolfSSL | 15:117db924cf7c | 13842 | #endif |
wolfSSL | 15:117db924cf7c | 13843 | heap = rsaKey->heap; |
wolfSSL | 15:117db924cf7c | 13844 | #else |
wolfSSL | 15:117db924cf7c | 13845 | return NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 13846 | #endif /* NO_RSA */ |
wolfSSL | 15:117db924cf7c | 13847 | } |
wolfSSL | 15:117db924cf7c | 13848 | else if (eccKey) { |
wolfSSL | 15:117db924cf7c | 13849 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 13850 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13851 | certSignCtx = &eccKey->certSignCtx; |
wolfSSL | 15:117db924cf7c | 13852 | #endif |
wolfSSL | 15:117db924cf7c | 13853 | heap = eccKey->heap; |
wolfSSL | 15:117db924cf7c | 13854 | #else |
wolfSSL | 15:117db924cf7c | 13855 | return NOT_COMPILED_IN; |
wolfSSL | 15:117db924cf7c | 13856 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 13857 | } |
wolfSSL | 15:117db924cf7c | 13858 | |
wolfSSL | 15:117db924cf7c | 13859 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13860 | if (certSignCtx == NULL) { |
wolfSSL | 15:117db924cf7c | 13861 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 13862 | } |
wolfSSL | 15:117db924cf7c | 13863 | #endif |
wolfSSL | 15:117db924cf7c | 13864 | |
wolfSSL | 15:117db924cf7c | 13865 | if (certSignCtx->sig == NULL) { |
wolfSSL | 15:117db924cf7c | 13866 | certSignCtx->sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, heap, |
wolfSSL | 15:117db924cf7c | 13867 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13868 | if (certSignCtx->sig == NULL) |
wolfSSL | 15:117db924cf7c | 13869 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 13870 | } |
wolfSSL | 15:117db924cf7c | 13871 | |
wolfSSL | 16:8e0d178b1d1e | 13872 | sigSz = MakeSignature(certSignCtx, buf, requestSz, certSignCtx->sig, |
wolfSSL | 16:8e0d178b1d1e | 13873 | MAX_ENCODED_SIG_SZ, rsaKey, eccKey, ed25519Key, ed448Key, rng, sType, |
wolfSSL | 16:8e0d178b1d1e | 13874 | heap); |
wolfSSL | 16:8e0d178b1d1e | 13875 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 13876 | if (sigSz == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 13877 | /* Not free'ing certSignCtx->sig here because it could still be in use |
wolfSSL | 15:117db924cf7c | 13878 | * with async operations. */ |
wolfSSL | 15:117db924cf7c | 13879 | return sigSz; |
wolfSSL | 15:117db924cf7c | 13880 | } |
wolfSSL | 16:8e0d178b1d1e | 13881 | #endif |
wolfSSL | 15:117db924cf7c | 13882 | |
wolfSSL | 15:117db924cf7c | 13883 | if (sigSz >= 0) { |
wolfSSL | 15:117db924cf7c | 13884 | if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz) |
wolfSSL | 15:117db924cf7c | 13885 | sigSz = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 13886 | else |
wolfSSL | 16:8e0d178b1d1e | 13887 | sigSz = AddSignature(buf, requestSz, certSignCtx->sig, sigSz, |
wolfSSL | 15:117db924cf7c | 13888 | sType); |
wolfSSL | 15:117db924cf7c | 13889 | } |
wolfSSL | 15:117db924cf7c | 13890 | |
wolfSSL | 15:117db924cf7c | 13891 | XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 13892 | certSignCtx->sig = NULL; |
wolfSSL | 15:117db924cf7c | 13893 | |
wolfSSL | 15:117db924cf7c | 13894 | return sigSz; |
wolfSSL | 15:117db924cf7c | 13895 | } |
wolfSSL | 15:117db924cf7c | 13896 | |
wolfSSL | 16:8e0d178b1d1e | 13897 | int wc_SignCert_ex(int requestSz, int sType, byte* buf, word32 buffSz, |
wolfSSL | 15:117db924cf7c | 13898 | int keyType, void* key, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13899 | { |
wolfSSL | 16:8e0d178b1d1e | 13900 | RsaKey* rsaKey = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13901 | ecc_key* eccKey = NULL; |
wolfSSL | 15:117db924cf7c | 13902 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 13903 | ed448_key* ed448Key = NULL; |
wolfSSL | 15:117db924cf7c | 13904 | |
wolfSSL | 15:117db924cf7c | 13905 | if (keyType == RSA_TYPE) |
wolfSSL | 15:117db924cf7c | 13906 | rsaKey = (RsaKey*)key; |
wolfSSL | 15:117db924cf7c | 13907 | else if (keyType == ECC_TYPE) |
wolfSSL | 15:117db924cf7c | 13908 | eccKey = (ecc_key*)key; |
wolfSSL | 15:117db924cf7c | 13909 | else if (keyType == ED25519_TYPE) |
wolfSSL | 15:117db924cf7c | 13910 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 13911 | else if (keyType == ED448_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 13912 | ed448Key = (ed448_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 13913 | |
wolfSSL | 16:8e0d178b1d1e | 13914 | return SignCert(requestSz, sType, buf, buffSz, rsaKey, eccKey, ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 13915 | ed448Key, rng); |
wolfSSL | 16:8e0d178b1d1e | 13916 | } |
wolfSSL | 16:8e0d178b1d1e | 13917 | |
wolfSSL | 16:8e0d178b1d1e | 13918 | int wc_SignCert(int requestSz, int sType, byte* buf, word32 buffSz, |
wolfSSL | 15:117db924cf7c | 13919 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13920 | { |
wolfSSL | 16:8e0d178b1d1e | 13921 | return SignCert(requestSz, sType, buf, buffSz, rsaKey, eccKey, NULL, NULL, |
wolfSSL | 15:117db924cf7c | 13922 | rng); |
wolfSSL | 15:117db924cf7c | 13923 | } |
wolfSSL | 15:117db924cf7c | 13924 | |
wolfSSL | 16:8e0d178b1d1e | 13925 | int wc_MakeSelfCert(Cert* cert, byte* buf, word32 buffSz, |
wolfSSL | 15:117db924cf7c | 13926 | RsaKey* key, WC_RNG* rng) |
wolfSSL | 15:117db924cf7c | 13927 | { |
wolfSSL | 15:117db924cf7c | 13928 | int ret; |
wolfSSL | 15:117db924cf7c | 13929 | |
wolfSSL | 16:8e0d178b1d1e | 13930 | ret = wc_MakeCert(cert, buf, buffSz, key, NULL, rng); |
wolfSSL | 15:117db924cf7c | 13931 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 13932 | return ret; |
wolfSSL | 15:117db924cf7c | 13933 | |
wolfSSL | 15:117db924cf7c | 13934 | return wc_SignCert(cert->bodySz, cert->sigType, |
wolfSSL | 16:8e0d178b1d1e | 13935 | buf, buffSz, key, NULL, rng); |
wolfSSL | 15:117db924cf7c | 13936 | } |
wolfSSL | 15:117db924cf7c | 13937 | |
wolfSSL | 15:117db924cf7c | 13938 | |
wolfSSL | 15:117db924cf7c | 13939 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 15:117db924cf7c | 13940 | |
wolfSSL | 16:8e0d178b1d1e | 13941 | /* Get raw subject from cert, which may contain OIDs not parsed by Decode. |
wolfSSL | 16:8e0d178b1d1e | 13942 | The raw subject pointer will only be valid while "cert" is valid. */ |
wolfSSL | 16:8e0d178b1d1e | 13943 | int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert) |
wolfSSL | 16:8e0d178b1d1e | 13944 | { |
wolfSSL | 16:8e0d178b1d1e | 13945 | int rc = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 13946 | if ((subjectRaw != NULL) && (cert != NULL)) { |
wolfSSL | 16:8e0d178b1d1e | 13947 | *subjectRaw = cert->sbjRaw; |
wolfSSL | 16:8e0d178b1d1e | 13948 | rc = 0; |
wolfSSL | 16:8e0d178b1d1e | 13949 | } |
wolfSSL | 16:8e0d178b1d1e | 13950 | return rc; |
wolfSSL | 16:8e0d178b1d1e | 13951 | } |
wolfSSL | 16:8e0d178b1d1e | 13952 | |
wolfSSL | 15:117db924cf7c | 13953 | /* Set KID from public key */ |
wolfSSL | 15:117db924cf7c | 13954 | static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, |
wolfSSL | 15:117db924cf7c | 13955 | byte *ntruKey, word16 ntruKeySz, |
wolfSSL | 16:8e0d178b1d1e | 13956 | ed25519_key* ed25519Key, ed448_key* ed448Key, |
wolfSSL | 16:8e0d178b1d1e | 13957 | int kid_type) |
wolfSSL | 16:8e0d178b1d1e | 13958 | { |
wolfSSL | 16:8e0d178b1d1e | 13959 | byte *buf; |
wolfSSL | 15:117db924cf7c | 13960 | int bufferSz, ret; |
wolfSSL | 15:117db924cf7c | 13961 | |
wolfSSL | 15:117db924cf7c | 13962 | if (cert == NULL || |
wolfSSL | 15:117db924cf7c | 13963 | (rsakey == NULL && eckey == NULL && ntruKey == NULL && |
wolfSSL | 16:8e0d178b1d1e | 13964 | ed25519Key == NULL && ed448Key == NULL) || |
wolfSSL | 15:117db924cf7c | 13965 | (kid_type != SKID_TYPE && kid_type != AKID_TYPE)) |
wolfSSL | 15:117db924cf7c | 13966 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 13967 | |
wolfSSL | 16:8e0d178b1d1e | 13968 | buf = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, |
wolfSSL | 15:117db924cf7c | 13969 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 13970 | if (buf == NULL) |
wolfSSL | 15:117db924cf7c | 13971 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 13972 | |
wolfSSL | 15:117db924cf7c | 13973 | /* Public Key */ |
wolfSSL | 15:117db924cf7c | 13974 | bufferSz = -1; |
wolfSSL | 15:117db924cf7c | 13975 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 13976 | /* RSA public key */ |
wolfSSL | 15:117db924cf7c | 13977 | if (rsakey != NULL) |
wolfSSL | 16:8e0d178b1d1e | 13978 | bufferSz = SetRsaPublicKey(buf, rsakey, MAX_PUBLIC_KEY_SZ, 0); |
wolfSSL | 15:117db924cf7c | 13979 | #endif |
wolfSSL | 15:117db924cf7c | 13980 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 13981 | /* ECC public key */ |
wolfSSL | 15:117db924cf7c | 13982 | if (eckey != NULL) |
wolfSSL | 16:8e0d178b1d1e | 13983 | bufferSz = SetEccPublicKey(buf, eckey, 0); |
wolfSSL | 15:117db924cf7c | 13984 | #endif |
wolfSSL | 15:117db924cf7c | 13985 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 13986 | /* NTRU public key */ |
wolfSSL | 15:117db924cf7c | 13987 | if (ntruKey != NULL) { |
wolfSSL | 15:117db924cf7c | 13988 | bufferSz = MAX_PUBLIC_KEY_SZ; |
wolfSSL | 15:117db924cf7c | 13989 | ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( |
wolfSSL | 16:8e0d178b1d1e | 13990 | ntruKeySz, ntruKey, (word16 *)(&bufferSz), buf); |
wolfSSL | 15:117db924cf7c | 13991 | if (ret != NTRU_OK) |
wolfSSL | 15:117db924cf7c | 13992 | bufferSz = -1; |
wolfSSL | 15:117db924cf7c | 13993 | } |
wolfSSL | 15:117db924cf7c | 13994 | #else |
wolfSSL | 15:117db924cf7c | 13995 | (void)ntruKeySz; |
wolfSSL | 15:117db924cf7c | 13996 | #endif |
wolfSSL | 15:117db924cf7c | 13997 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 13998 | /* ED25519 public key */ |
wolfSSL | 15:117db924cf7c | 13999 | if (ed25519Key != NULL) |
wolfSSL | 16:8e0d178b1d1e | 14000 | bufferSz = SetEd25519PublicKey(buf, ed25519Key, 0); |
wolfSSL | 16:8e0d178b1d1e | 14001 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14002 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 14003 | /* ED448 public key */ |
wolfSSL | 16:8e0d178b1d1e | 14004 | if (ed448Key != NULL) |
wolfSSL | 16:8e0d178b1d1e | 14005 | bufferSz = SetEd448PublicKey(buffer, ed448Key, 0); |
wolfSSL | 15:117db924cf7c | 14006 | #endif |
wolfSSL | 15:117db924cf7c | 14007 | |
wolfSSL | 15:117db924cf7c | 14008 | if (bufferSz <= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14009 | XFREE(buf, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14010 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 14011 | } |
wolfSSL | 15:117db924cf7c | 14012 | |
wolfSSL | 15:117db924cf7c | 14013 | /* Compute SKID by hashing public key */ |
wolfSSL | 15:117db924cf7c | 14014 | if (kid_type == SKID_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 14015 | ret = CalcHashId(buf, bufferSz, cert->skid); |
wolfSSL | 16:8e0d178b1d1e | 14016 | cert->skidSz = KEYID_SIZE; |
wolfSSL | 15:117db924cf7c | 14017 | } |
wolfSSL | 15:117db924cf7c | 14018 | else if (kid_type == AKID_TYPE) { |
wolfSSL | 16:8e0d178b1d1e | 14019 | ret = CalcHashId(buf, bufferSz, cert->akid); |
wolfSSL | 16:8e0d178b1d1e | 14020 | cert->akidSz = KEYID_SIZE; |
wolfSSL | 15:117db924cf7c | 14021 | } |
wolfSSL | 15:117db924cf7c | 14022 | else |
wolfSSL | 15:117db924cf7c | 14023 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14024 | |
wolfSSL | 16:8e0d178b1d1e | 14025 | XFREE(buf, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14026 | return ret; |
wolfSSL | 15:117db924cf7c | 14027 | } |
wolfSSL | 15:117db924cf7c | 14028 | |
wolfSSL | 15:117db924cf7c | 14029 | int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) |
wolfSSL | 15:117db924cf7c | 14030 | { |
wolfSSL | 16:8e0d178b1d1e | 14031 | RsaKey* rsaKey = NULL; |
wolfSSL | 16:8e0d178b1d1e | 14032 | ecc_key* eccKey = NULL; |
wolfSSL | 15:117db924cf7c | 14033 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 14034 | ed448_key* ed448Key = NULL; |
wolfSSL | 15:117db924cf7c | 14035 | |
wolfSSL | 15:117db924cf7c | 14036 | if (keyType == RSA_TYPE) |
wolfSSL | 15:117db924cf7c | 14037 | rsaKey = (RsaKey*)key; |
wolfSSL | 15:117db924cf7c | 14038 | else if (keyType == ECC_TYPE) |
wolfSSL | 15:117db924cf7c | 14039 | eccKey = (ecc_key*)key; |
wolfSSL | 15:117db924cf7c | 14040 | else if (keyType == ED25519_TYPE) |
wolfSSL | 15:117db924cf7c | 14041 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 14042 | else if (keyType == ED448_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 14043 | ed448Key = (ed448_key*)key; |
wolfSSL | 15:117db924cf7c | 14044 | |
wolfSSL | 15:117db924cf7c | 14045 | return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 14046 | ed448Key, SKID_TYPE); |
wolfSSL | 15:117db924cf7c | 14047 | } |
wolfSSL | 15:117db924cf7c | 14048 | |
wolfSSL | 15:117db924cf7c | 14049 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 15:117db924cf7c | 14050 | int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 15:117db924cf7c | 14051 | { |
wolfSSL | 16:8e0d178b1d1e | 14052 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL, |
wolfSSL | 16:8e0d178b1d1e | 14053 | SKID_TYPE); |
wolfSSL | 15:117db924cf7c | 14054 | } |
wolfSSL | 15:117db924cf7c | 14055 | |
wolfSSL | 15:117db924cf7c | 14056 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 14057 | /* Set SKID from NTRU public key */ |
wolfSSL | 15:117db924cf7c | 14058 | int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, |
wolfSSL | 15:117db924cf7c | 14059 | byte *ntruKey, word16 ntruKeySz) |
wolfSSL | 15:117db924cf7c | 14060 | { |
wolfSSL | 16:8e0d178b1d1e | 14061 | return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, NULL, NULL, |
wolfSSL | 15:117db924cf7c | 14062 | SKID_TYPE); |
wolfSSL | 15:117db924cf7c | 14063 | } |
wolfSSL | 15:117db924cf7c | 14064 | #endif |
wolfSSL | 15:117db924cf7c | 14065 | |
wolfSSL | 15:117db924cf7c | 14066 | int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) |
wolfSSL | 15:117db924cf7c | 14067 | { |
wolfSSL | 16:8e0d178b1d1e | 14068 | RsaKey* rsaKey = NULL; |
wolfSSL | 16:8e0d178b1d1e | 14069 | ecc_key* eccKey = NULL; |
wolfSSL | 15:117db924cf7c | 14070 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 16:8e0d178b1d1e | 14071 | ed448_key* ed448Key = NULL; |
wolfSSL | 15:117db924cf7c | 14072 | |
wolfSSL | 15:117db924cf7c | 14073 | if (keyType == RSA_TYPE) |
wolfSSL | 15:117db924cf7c | 14074 | rsaKey = (RsaKey*)key; |
wolfSSL | 15:117db924cf7c | 14075 | else if (keyType == ECC_TYPE) |
wolfSSL | 15:117db924cf7c | 14076 | eccKey = (ecc_key*)key; |
wolfSSL | 15:117db924cf7c | 14077 | else if (keyType == ED25519_TYPE) |
wolfSSL | 15:117db924cf7c | 14078 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 16:8e0d178b1d1e | 14079 | else if (keyType == ED448_TYPE) |
wolfSSL | 16:8e0d178b1d1e | 14080 | ed448Key = (ed448_key*)key; |
wolfSSL | 15:117db924cf7c | 14081 | |
wolfSSL | 15:117db924cf7c | 14082 | return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, |
wolfSSL | 16:8e0d178b1d1e | 14083 | ed448Key, AKID_TYPE); |
wolfSSL | 15:117db924cf7c | 14084 | } |
wolfSSL | 15:117db924cf7c | 14085 | |
wolfSSL | 15:117db924cf7c | 14086 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 15:117db924cf7c | 14087 | int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 15:117db924cf7c | 14088 | { |
wolfSSL | 16:8e0d178b1d1e | 14089 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL, |
wolfSSL | 16:8e0d178b1d1e | 14090 | AKID_TYPE); |
wolfSSL | 16:8e0d178b1d1e | 14091 | } |
wolfSSL | 16:8e0d178b1d1e | 14092 | |
wolfSSL | 16:8e0d178b1d1e | 14093 | |
wolfSSL | 16:8e0d178b1d1e | 14094 | #if !defined(NO_FILESYSTEM) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 14095 | |
wolfSSL | 15:117db924cf7c | 14096 | /* Set SKID from public key file in PEM */ |
wolfSSL | 15:117db924cf7c | 14097 | int wc_SetSubjectKeyId(Cert *cert, const char* file) |
wolfSSL | 15:117db924cf7c | 14098 | { |
wolfSSL | 15:117db924cf7c | 14099 | int ret, derSz; |
wolfSSL | 15:117db924cf7c | 14100 | byte* der; |
wolfSSL | 15:117db924cf7c | 14101 | word32 idx; |
wolfSSL | 15:117db924cf7c | 14102 | RsaKey *rsakey = NULL; |
wolfSSL | 15:117db924cf7c | 14103 | ecc_key *eckey = NULL; |
wolfSSL | 15:117db924cf7c | 14104 | |
wolfSSL | 15:117db924cf7c | 14105 | if (cert == NULL || file == NULL) |
wolfSSL | 15:117db924cf7c | 14106 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 14107 | |
wolfSSL | 15:117db924cf7c | 14108 | der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14109 | if (der == NULL) { |
wolfSSL | 15:117db924cf7c | 14110 | WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem"); |
wolfSSL | 15:117db924cf7c | 14111 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14112 | } |
wolfSSL | 16:8e0d178b1d1e | 14113 | derSz = MAX_PUBLIC_KEY_SZ; |
wolfSSL | 16:8e0d178b1d1e | 14114 | |
wolfSSL | 16:8e0d178b1d1e | 14115 | XMEMSET(der, 0, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14116 | derSz = wc_PemPubKeyToDer(file, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14117 | if (derSz <= 0) { |
wolfSSL | 15:117db924cf7c | 14118 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14119 | return derSz; |
wolfSSL | 15:117db924cf7c | 14120 | } |
wolfSSL | 15:117db924cf7c | 14121 | |
wolfSSL | 15:117db924cf7c | 14122 | /* Load PubKey in internal structure */ |
wolfSSL | 15:117db924cf7c | 14123 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 14124 | rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 14125 | if (rsakey == NULL) { |
wolfSSL | 15:117db924cf7c | 14126 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14127 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14128 | } |
wolfSSL | 15:117db924cf7c | 14129 | |
wolfSSL | 15:117db924cf7c | 14130 | if (wc_InitRsaKey(rsakey, cert->heap) != 0) { |
wolfSSL | 15:117db924cf7c | 14131 | WOLFSSL_MSG("wc_InitRsaKey failure"); |
wolfSSL | 15:117db924cf7c | 14132 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 14133 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14134 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14135 | } |
wolfSSL | 15:117db924cf7c | 14136 | |
wolfSSL | 15:117db924cf7c | 14137 | idx = 0; |
wolfSSL | 15:117db924cf7c | 14138 | ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz); |
wolfSSL | 15:117db924cf7c | 14139 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 14140 | #endif |
wolfSSL | 15:117db924cf7c | 14141 | { |
wolfSSL | 15:117db924cf7c | 14142 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 14143 | WOLFSSL_MSG("wc_RsaPublicKeyDecode failed"); |
wolfSSL | 15:117db924cf7c | 14144 | wc_FreeRsaKey(rsakey); |
wolfSSL | 15:117db924cf7c | 14145 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 14146 | rsakey = NULL; |
wolfSSL | 15:117db924cf7c | 14147 | #endif |
wolfSSL | 15:117db924cf7c | 14148 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 14149 | /* Check to load ecc public key */ |
wolfSSL | 15:117db924cf7c | 14150 | eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap, |
wolfSSL | 15:117db924cf7c | 14151 | DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 14152 | if (eckey == NULL) { |
wolfSSL | 15:117db924cf7c | 14153 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14154 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14155 | } |
wolfSSL | 15:117db924cf7c | 14156 | |
wolfSSL | 15:117db924cf7c | 14157 | if (wc_ecc_init(eckey) != 0) { |
wolfSSL | 15:117db924cf7c | 14158 | WOLFSSL_MSG("wc_ecc_init failure"); |
wolfSSL | 15:117db924cf7c | 14159 | wc_ecc_free(eckey); |
wolfSSL | 15:117db924cf7c | 14160 | XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 14161 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14162 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14163 | } |
wolfSSL | 15:117db924cf7c | 14164 | |
wolfSSL | 15:117db924cf7c | 14165 | idx = 0; |
wolfSSL | 15:117db924cf7c | 14166 | ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz); |
wolfSSL | 15:117db924cf7c | 14167 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 14168 | WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); |
wolfSSL | 15:117db924cf7c | 14169 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14170 | wc_ecc_free(eckey); |
wolfSSL | 15:117db924cf7c | 14171 | XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 14172 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 14173 | } |
wolfSSL | 15:117db924cf7c | 14174 | #else |
wolfSSL | 15:117db924cf7c | 14175 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14176 | return PUBLIC_KEY_E; |
wolfSSL | 15:117db924cf7c | 14177 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 14178 | } |
wolfSSL | 15:117db924cf7c | 14179 | |
wolfSSL | 15:117db924cf7c | 14180 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14181 | |
wolfSSL | 15:117db924cf7c | 14182 | ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey); |
wolfSSL | 15:117db924cf7c | 14183 | |
wolfSSL | 15:117db924cf7c | 14184 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 14185 | wc_FreeRsaKey(rsakey); |
wolfSSL | 15:117db924cf7c | 14186 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 15:117db924cf7c | 14187 | #endif |
wolfSSL | 15:117db924cf7c | 14188 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 14189 | wc_ecc_free(eckey); |
wolfSSL | 15:117db924cf7c | 14190 | XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 15:117db924cf7c | 14191 | #endif |
wolfSSL | 15:117db924cf7c | 14192 | return ret; |
wolfSSL | 15:117db924cf7c | 14193 | } |
wolfSSL | 15:117db924cf7c | 14194 | |
wolfSSL | 16:8e0d178b1d1e | 14195 | #endif /* !NO_FILESYSTEM && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 14196 | |
wolfSSL | 16:8e0d178b1d1e | 14197 | static int SetAuthKeyIdFromDcert(Cert* cert, DecodedCert* decoded) |
wolfSSL | 16:8e0d178b1d1e | 14198 | { |
wolfSSL | 16:8e0d178b1d1e | 14199 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14200 | |
wolfSSL | 16:8e0d178b1d1e | 14201 | /* Subject Key Id not found !! */ |
wolfSSL | 16:8e0d178b1d1e | 14202 | if (decoded->extSubjKeyIdSet == 0) { |
wolfSSL | 16:8e0d178b1d1e | 14203 | ret = ASN_NO_SKID; |
wolfSSL | 16:8e0d178b1d1e | 14204 | } |
wolfSSL | 16:8e0d178b1d1e | 14205 | |
wolfSSL | 16:8e0d178b1d1e | 14206 | /* SKID invalid size */ |
wolfSSL | 16:8e0d178b1d1e | 14207 | else if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) { |
wolfSSL | 16:8e0d178b1d1e | 14208 | ret = MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 14209 | } |
wolfSSL | 16:8e0d178b1d1e | 14210 | |
wolfSSL | 16:8e0d178b1d1e | 14211 | else { |
wolfSSL | 16:8e0d178b1d1e | 14212 | /* Put the SKID of CA to AKID of certificate */ |
wolfSSL | 16:8e0d178b1d1e | 14213 | XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE); |
wolfSSL | 16:8e0d178b1d1e | 14214 | cert->akidSz = KEYID_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 14215 | } |
wolfSSL | 16:8e0d178b1d1e | 14216 | |
wolfSSL | 16:8e0d178b1d1e | 14217 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14218 | } |
wolfSSL | 15:117db924cf7c | 14219 | |
wolfSSL | 15:117db924cf7c | 14220 | /* Set AKID from certificate contains in buffer (DER encoded) */ |
wolfSSL | 15:117db924cf7c | 14221 | int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) |
wolfSSL | 15:117db924cf7c | 14222 | { |
wolfSSL | 16:8e0d178b1d1e | 14223 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14224 | |
wolfSSL | 16:8e0d178b1d1e | 14225 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14226 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14227 | } |
wolfSSL | 16:8e0d178b1d1e | 14228 | else { |
wolfSSL | 16:8e0d178b1d1e | 14229 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14230 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14231 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14232 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14233 | } |
wolfSSL | 16:8e0d178b1d1e | 14234 | |
wolfSSL | 16:8e0d178b1d1e | 14235 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14236 | ret = SetAuthKeyIdFromDcert(cert, (DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 14237 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14238 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14239 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14240 | } |
wolfSSL | 16:8e0d178b1d1e | 14241 | } |
wolfSSL | 16:8e0d178b1d1e | 14242 | |
wolfSSL | 16:8e0d178b1d1e | 14243 | return ret; |
wolfSSL | 15:117db924cf7c | 14244 | } |
wolfSSL | 15:117db924cf7c | 14245 | |
wolfSSL | 15:117db924cf7c | 14246 | |
wolfSSL | 15:117db924cf7c | 14247 | #ifndef NO_FILESYSTEM |
wolfSSL | 15:117db924cf7c | 14248 | |
wolfSSL | 15:117db924cf7c | 14249 | /* Set AKID from certificate file in PEM */ |
wolfSSL | 15:117db924cf7c | 14250 | int wc_SetAuthKeyId(Cert *cert, const char* file) |
wolfSSL | 15:117db924cf7c | 14251 | { |
wolfSSL | 15:117db924cf7c | 14252 | int ret; |
wolfSSL | 15:117db924cf7c | 14253 | int derSz; |
wolfSSL | 15:117db924cf7c | 14254 | byte* der; |
wolfSSL | 15:117db924cf7c | 14255 | |
wolfSSL | 15:117db924cf7c | 14256 | if (cert == NULL || file == NULL) |
wolfSSL | 15:117db924cf7c | 14257 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 14258 | |
wolfSSL | 15:117db924cf7c | 14259 | der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14260 | if (der == NULL) { |
wolfSSL | 15:117db924cf7c | 14261 | WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem"); |
wolfSSL | 15:117db924cf7c | 14262 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14263 | } |
wolfSSL | 15:117db924cf7c | 14264 | |
wolfSSL | 15:117db924cf7c | 14265 | derSz = wc_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 15:117db924cf7c | 14266 | if (derSz <= 0) |
wolfSSL | 15:117db924cf7c | 14267 | { |
wolfSSL | 15:117db924cf7c | 14268 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14269 | return derSz; |
wolfSSL | 15:117db924cf7c | 14270 | } |
wolfSSL | 15:117db924cf7c | 14271 | |
wolfSSL | 15:117db924cf7c | 14272 | ret = wc_SetAuthKeyIdFromCert(cert, der, derSz); |
wolfSSL | 15:117db924cf7c | 14273 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14274 | |
wolfSSL | 15:117db924cf7c | 14275 | return ret; |
wolfSSL | 15:117db924cf7c | 14276 | } |
wolfSSL | 15:117db924cf7c | 14277 | |
wolfSSL | 16:8e0d178b1d1e | 14278 | #endif /* !NO_FILESYSTEM */ |
wolfSSL | 15:117db924cf7c | 14279 | |
wolfSSL | 15:117db924cf7c | 14280 | /* Set KeyUsage from human readable string */ |
wolfSSL | 15:117db924cf7c | 14281 | int wc_SetKeyUsage(Cert *cert, const char *value) |
wolfSSL | 15:117db924cf7c | 14282 | { |
wolfSSL | 15:117db924cf7c | 14283 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 14284 | char *token, *str, *ptr; |
wolfSSL | 15:117db924cf7c | 14285 | word32 len; |
wolfSSL | 15:117db924cf7c | 14286 | |
wolfSSL | 15:117db924cf7c | 14287 | if (cert == NULL || value == NULL) |
wolfSSL | 15:117db924cf7c | 14288 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 14289 | |
wolfSSL | 15:117db924cf7c | 14290 | cert->keyUsage = 0; |
wolfSSL | 15:117db924cf7c | 14291 | |
wolfSSL | 16:8e0d178b1d1e | 14292 | /* duplicate string (including terminator) */ |
wolfSSL | 15:117db924cf7c | 14293 | len = (word32)XSTRLEN(value); |
wolfSSL | 15:117db924cf7c | 14294 | str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14295 | if (str == NULL) |
wolfSSL | 15:117db924cf7c | 14296 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 14297 | XMEMCPY(str, value, len+1); |
wolfSSL | 15:117db924cf7c | 14298 | |
wolfSSL | 15:117db924cf7c | 14299 | /* parse value, and set corresponding Key Usage value */ |
wolfSSL | 15:117db924cf7c | 14300 | if ((token = XSTRTOK(str, ",", &ptr)) == NULL) { |
wolfSSL | 15:117db924cf7c | 14301 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14302 | return KEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 14303 | } |
wolfSSL | 15:117db924cf7c | 14304 | while (token != NULL) |
wolfSSL | 15:117db924cf7c | 14305 | { |
wolfSSL | 15:117db924cf7c | 14306 | len = (word32)XSTRLEN(token); |
wolfSSL | 15:117db924cf7c | 14307 | |
wolfSSL | 15:117db924cf7c | 14308 | if (!XSTRNCASECMP(token, "digitalSignature", len)) |
wolfSSL | 15:117db924cf7c | 14309 | cert->keyUsage |= KEYUSE_DIGITAL_SIG; |
wolfSSL | 15:117db924cf7c | 14310 | else if (!XSTRNCASECMP(token, "nonRepudiation", len) || |
wolfSSL | 15:117db924cf7c | 14311 | !XSTRNCASECMP(token, "contentCommitment", len)) |
wolfSSL | 15:117db924cf7c | 14312 | cert->keyUsage |= KEYUSE_CONTENT_COMMIT; |
wolfSSL | 15:117db924cf7c | 14313 | else if (!XSTRNCASECMP(token, "keyEncipherment", len)) |
wolfSSL | 15:117db924cf7c | 14314 | cert->keyUsage |= KEYUSE_KEY_ENCIPHER; |
wolfSSL | 15:117db924cf7c | 14315 | else if (!XSTRNCASECMP(token, "dataEncipherment", len)) |
wolfSSL | 15:117db924cf7c | 14316 | cert->keyUsage |= KEYUSE_DATA_ENCIPHER; |
wolfSSL | 15:117db924cf7c | 14317 | else if (!XSTRNCASECMP(token, "keyAgreement", len)) |
wolfSSL | 15:117db924cf7c | 14318 | cert->keyUsage |= KEYUSE_KEY_AGREE; |
wolfSSL | 15:117db924cf7c | 14319 | else if (!XSTRNCASECMP(token, "keyCertSign", len)) |
wolfSSL | 15:117db924cf7c | 14320 | cert->keyUsage |= KEYUSE_KEY_CERT_SIGN; |
wolfSSL | 15:117db924cf7c | 14321 | else if (!XSTRNCASECMP(token, "cRLSign", len)) |
wolfSSL | 15:117db924cf7c | 14322 | cert->keyUsage |= KEYUSE_CRL_SIGN; |
wolfSSL | 15:117db924cf7c | 14323 | else if (!XSTRNCASECMP(token, "encipherOnly", len)) |
wolfSSL | 15:117db924cf7c | 14324 | cert->keyUsage |= KEYUSE_ENCIPHER_ONLY; |
wolfSSL | 15:117db924cf7c | 14325 | else if (!XSTRNCASECMP(token, "decipherOnly", len)) |
wolfSSL | 15:117db924cf7c | 14326 | cert->keyUsage |= KEYUSE_DECIPHER_ONLY; |
wolfSSL | 15:117db924cf7c | 14327 | else { |
wolfSSL | 15:117db924cf7c | 14328 | ret = KEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 14329 | break; |
wolfSSL | 15:117db924cf7c | 14330 | } |
wolfSSL | 15:117db924cf7c | 14331 | |
wolfSSL | 15:117db924cf7c | 14332 | token = XSTRTOK(NULL, ",", &ptr); |
wolfSSL | 15:117db924cf7c | 14333 | } |
wolfSSL | 15:117db924cf7c | 14334 | |
wolfSSL | 15:117db924cf7c | 14335 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14336 | return ret; |
wolfSSL | 15:117db924cf7c | 14337 | } |
wolfSSL | 15:117db924cf7c | 14338 | |
wolfSSL | 15:117db924cf7c | 14339 | /* Set ExtendedKeyUsage from human readable string */ |
wolfSSL | 15:117db924cf7c | 14340 | int wc_SetExtKeyUsage(Cert *cert, const char *value) |
wolfSSL | 15:117db924cf7c | 14341 | { |
wolfSSL | 15:117db924cf7c | 14342 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 14343 | char *token, *str, *ptr; |
wolfSSL | 15:117db924cf7c | 14344 | word32 len; |
wolfSSL | 15:117db924cf7c | 14345 | |
wolfSSL | 15:117db924cf7c | 14346 | if (cert == NULL || value == NULL) |
wolfSSL | 15:117db924cf7c | 14347 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 14348 | |
wolfSSL | 15:117db924cf7c | 14349 | cert->extKeyUsage = 0; |
wolfSSL | 15:117db924cf7c | 14350 | |
wolfSSL | 16:8e0d178b1d1e | 14351 | /* duplicate string (including terminator) */ |
wolfSSL | 15:117db924cf7c | 14352 | len = (word32)XSTRLEN(value); |
wolfSSL | 15:117db924cf7c | 14353 | str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14354 | if (str == NULL) |
wolfSSL | 15:117db924cf7c | 14355 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 14356 | XMEMCPY(str, value, len+1); |
wolfSSL | 15:117db924cf7c | 14357 | |
wolfSSL | 15:117db924cf7c | 14358 | /* parse value, and set corresponding Key Usage value */ |
wolfSSL | 15:117db924cf7c | 14359 | if ((token = XSTRTOK(str, ",", &ptr)) == NULL) { |
wolfSSL | 15:117db924cf7c | 14360 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14361 | return EXTKEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 14362 | } |
wolfSSL | 15:117db924cf7c | 14363 | |
wolfSSL | 15:117db924cf7c | 14364 | while (token != NULL) |
wolfSSL | 15:117db924cf7c | 14365 | { |
wolfSSL | 15:117db924cf7c | 14366 | len = (word32)XSTRLEN(token); |
wolfSSL | 15:117db924cf7c | 14367 | |
wolfSSL | 15:117db924cf7c | 14368 | if (!XSTRNCASECMP(token, "any", len)) |
wolfSSL | 15:117db924cf7c | 14369 | cert->extKeyUsage |= EXTKEYUSE_ANY; |
wolfSSL | 15:117db924cf7c | 14370 | else if (!XSTRNCASECMP(token, "serverAuth", len)) |
wolfSSL | 15:117db924cf7c | 14371 | cert->extKeyUsage |= EXTKEYUSE_SERVER_AUTH; |
wolfSSL | 15:117db924cf7c | 14372 | else if (!XSTRNCASECMP(token, "clientAuth", len)) |
wolfSSL | 15:117db924cf7c | 14373 | cert->extKeyUsage |= EXTKEYUSE_CLIENT_AUTH; |
wolfSSL | 15:117db924cf7c | 14374 | else if (!XSTRNCASECMP(token, "codeSigning", len)) |
wolfSSL | 15:117db924cf7c | 14375 | cert->extKeyUsage |= EXTKEYUSE_CODESIGN; |
wolfSSL | 15:117db924cf7c | 14376 | else if (!XSTRNCASECMP(token, "emailProtection", len)) |
wolfSSL | 15:117db924cf7c | 14377 | cert->extKeyUsage |= EXTKEYUSE_EMAILPROT; |
wolfSSL | 15:117db924cf7c | 14378 | else if (!XSTRNCASECMP(token, "timeStamping", len)) |
wolfSSL | 15:117db924cf7c | 14379 | cert->extKeyUsage |= EXTKEYUSE_TIMESTAMP; |
wolfSSL | 15:117db924cf7c | 14380 | else if (!XSTRNCASECMP(token, "OCSPSigning", len)) |
wolfSSL | 15:117db924cf7c | 14381 | cert->extKeyUsage |= EXTKEYUSE_OCSP_SIGN; |
wolfSSL | 15:117db924cf7c | 14382 | else { |
wolfSSL | 15:117db924cf7c | 14383 | ret = EXTKEYUSAGE_E; |
wolfSSL | 15:117db924cf7c | 14384 | break; |
wolfSSL | 15:117db924cf7c | 14385 | } |
wolfSSL | 15:117db924cf7c | 14386 | |
wolfSSL | 15:117db924cf7c | 14387 | token = XSTRTOK(NULL, ",", &ptr); |
wolfSSL | 15:117db924cf7c | 14388 | } |
wolfSSL | 15:117db924cf7c | 14389 | |
wolfSSL | 15:117db924cf7c | 14390 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14391 | return ret; |
wolfSSL | 15:117db924cf7c | 14392 | } |
wolfSSL | 15:117db924cf7c | 14393 | |
wolfSSL | 15:117db924cf7c | 14394 | #ifdef WOLFSSL_EKU_OID |
wolfSSL | 15:117db924cf7c | 14395 | /* |
wolfSSL | 15:117db924cf7c | 14396 | * cert structure to set EKU oid in |
wolfSSL | 15:117db924cf7c | 14397 | * oid the oid in byte representation |
wolfSSL | 15:117db924cf7c | 14398 | * sz size of oid buffer |
wolfSSL | 15:117db924cf7c | 14399 | * idx index of array to place oid |
wolfSSL | 15:117db924cf7c | 14400 | * |
wolfSSL | 15:117db924cf7c | 14401 | * returns 0 on success |
wolfSSL | 15:117db924cf7c | 14402 | */ |
wolfSSL | 15:117db924cf7c | 14403 | int wc_SetExtKeyUsageOID(Cert *cert, const char *in, word32 sz, byte idx, |
wolfSSL | 15:117db924cf7c | 14404 | void* heap) |
wolfSSL | 15:117db924cf7c | 14405 | { |
wolfSSL | 15:117db924cf7c | 14406 | byte oid[MAX_OID_SZ]; |
wolfSSL | 15:117db924cf7c | 14407 | word32 oidSz = MAX_OID_SZ; |
wolfSSL | 15:117db924cf7c | 14408 | |
wolfSSL | 15:117db924cf7c | 14409 | if (idx >= CTC_MAX_EKU_NB || sz >= CTC_MAX_EKU_OID_SZ) { |
wolfSSL | 15:117db924cf7c | 14410 | WOLFSSL_MSG("Either idx or sz was too large"); |
wolfSSL | 15:117db924cf7c | 14411 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 14412 | } |
wolfSSL | 15:117db924cf7c | 14413 | |
wolfSSL | 15:117db924cf7c | 14414 | if (EncodePolicyOID(oid, &oidSz, in, heap) != 0) { |
wolfSSL | 15:117db924cf7c | 14415 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 14416 | } |
wolfSSL | 15:117db924cf7c | 14417 | |
wolfSSL | 15:117db924cf7c | 14418 | XMEMCPY(cert->extKeyUsageOID[idx], oid, oidSz); |
wolfSSL | 15:117db924cf7c | 14419 | cert->extKeyUsageOIDSz[idx] = oidSz; |
wolfSSL | 15:117db924cf7c | 14420 | cert->extKeyUsage |= EXTKEYUSE_USER; |
wolfSSL | 15:117db924cf7c | 14421 | |
wolfSSL | 15:117db924cf7c | 14422 | return 0; |
wolfSSL | 15:117db924cf7c | 14423 | } |
wolfSSL | 15:117db924cf7c | 14424 | #endif /* WOLFSSL_EKU_OID */ |
wolfSSL | 15:117db924cf7c | 14425 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 15:117db924cf7c | 14426 | |
wolfSSL | 15:117db924cf7c | 14427 | |
wolfSSL | 15:117db924cf7c | 14428 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 14429 | |
wolfSSL | 16:8e0d178b1d1e | 14430 | static int SetAltNamesFromDcert(Cert* cert, DecodedCert* decoded) |
wolfSSL | 16:8e0d178b1d1e | 14431 | { |
wolfSSL | 16:8e0d178b1d1e | 14432 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14433 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 14434 | |
wolfSSL | 16:8e0d178b1d1e | 14435 | if (decoded->extensions) { |
wolfSSL | 15:117db924cf7c | 14436 | int length; |
wolfSSL | 15:117db924cf7c | 14437 | word32 maxExtensionsIdx; |
wolfSSL | 15:117db924cf7c | 14438 | |
wolfSSL | 15:117db924cf7c | 14439 | decoded->srcIdx = decoded->extensionsIdx; |
wolfSSL | 16:8e0d178b1d1e | 14440 | if (GetASNTag(decoded->source, &decoded->srcIdx, &tag, decoded->maxIdx) |
wolfSSL | 16:8e0d178b1d1e | 14441 | != 0) { |
wolfSSL | 16:8e0d178b1d1e | 14442 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 14443 | } |
wolfSSL | 16:8e0d178b1d1e | 14444 | |
wolfSSL | 16:8e0d178b1d1e | 14445 | if (tag != ASN_EXTENSIONS) { |
wolfSSL | 15:117db924cf7c | 14446 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 14447 | } |
wolfSSL | 15:117db924cf7c | 14448 | else if (GetLength(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 14449 | decoded->maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 14450 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 14451 | } |
wolfSSL | 15:117db924cf7c | 14452 | else if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 14453 | decoded->maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 14454 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 14455 | } |
wolfSSL | 15:117db924cf7c | 14456 | else { |
wolfSSL | 15:117db924cf7c | 14457 | maxExtensionsIdx = decoded->srcIdx + length; |
wolfSSL | 15:117db924cf7c | 14458 | |
wolfSSL | 15:117db924cf7c | 14459 | while (decoded->srcIdx < maxExtensionsIdx) { |
wolfSSL | 15:117db924cf7c | 14460 | word32 oid; |
wolfSSL | 15:117db924cf7c | 14461 | word32 startIdx = decoded->srcIdx; |
wolfSSL | 15:117db924cf7c | 14462 | word32 tmpIdx; |
wolfSSL | 15:117db924cf7c | 14463 | |
wolfSSL | 15:117db924cf7c | 14464 | if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 15:117db924cf7c | 14465 | decoded->maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 14466 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 14467 | break; |
wolfSSL | 15:117db924cf7c | 14468 | } |
wolfSSL | 15:117db924cf7c | 14469 | |
wolfSSL | 15:117db924cf7c | 14470 | tmpIdx = decoded->srcIdx; |
wolfSSL | 15:117db924cf7c | 14471 | decoded->srcIdx = startIdx; |
wolfSSL | 15:117db924cf7c | 14472 | |
wolfSSL | 15:117db924cf7c | 14473 | if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid, |
wolfSSL | 15:117db924cf7c | 14474 | oidCertExtType, decoded->maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 14475 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 14476 | break; |
wolfSSL | 15:117db924cf7c | 14477 | } |
wolfSSL | 15:117db924cf7c | 14478 | |
wolfSSL | 15:117db924cf7c | 14479 | if (oid == ALT_NAMES_OID) { |
wolfSSL | 15:117db924cf7c | 14480 | cert->altNamesSz = length + (tmpIdx - startIdx); |
wolfSSL | 15:117db924cf7c | 14481 | |
wolfSSL | 15:117db924cf7c | 14482 | if (cert->altNamesSz < (int)sizeof(cert->altNames)) |
wolfSSL | 15:117db924cf7c | 14483 | XMEMCPY(cert->altNames, &decoded->source[startIdx], |
wolfSSL | 15:117db924cf7c | 14484 | cert->altNamesSz); |
wolfSSL | 15:117db924cf7c | 14485 | else { |
wolfSSL | 15:117db924cf7c | 14486 | cert->altNamesSz = 0; |
wolfSSL | 15:117db924cf7c | 14487 | WOLFSSL_MSG("AltNames extensions too big"); |
wolfSSL | 15:117db924cf7c | 14488 | ret = ALT_NAME_E; |
wolfSSL | 15:117db924cf7c | 14489 | break; |
wolfSSL | 15:117db924cf7c | 14490 | } |
wolfSSL | 15:117db924cf7c | 14491 | } |
wolfSSL | 15:117db924cf7c | 14492 | decoded->srcIdx = tmpIdx + length; |
wolfSSL | 15:117db924cf7c | 14493 | } |
wolfSSL | 15:117db924cf7c | 14494 | } |
wolfSSL | 15:117db924cf7c | 14495 | } |
wolfSSL | 15:117db924cf7c | 14496 | |
wolfSSL | 16:8e0d178b1d1e | 14497 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14498 | } |
wolfSSL | 16:8e0d178b1d1e | 14499 | |
wolfSSL | 16:8e0d178b1d1e | 14500 | #ifndef NO_FILESYSTEM |
wolfSSL | 16:8e0d178b1d1e | 14501 | |
wolfSSL | 16:8e0d178b1d1e | 14502 | /* Set Alt Names from der cert, return 0 on success */ |
wolfSSL | 16:8e0d178b1d1e | 14503 | static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14504 | { |
wolfSSL | 15:117db924cf7c | 14505 | int ret; |
wolfSSL | 15:117db924cf7c | 14506 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 14507 | DecodedCert* decoded; |
wolfSSL | 15:117db924cf7c | 14508 | #else |
wolfSSL | 15:117db924cf7c | 14509 | DecodedCert decoded[1]; |
wolfSSL | 15:117db924cf7c | 14510 | #endif |
wolfSSL | 15:117db924cf7c | 14511 | |
wolfSSL | 15:117db924cf7c | 14512 | if (derSz < 0) |
wolfSSL | 15:117db924cf7c | 14513 | return derSz; |
wolfSSL | 15:117db924cf7c | 14514 | |
wolfSSL | 15:117db924cf7c | 14515 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 14516 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cert->heap, |
wolfSSL | 15:117db924cf7c | 14517 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14518 | if (decoded == NULL) |
wolfSSL | 15:117db924cf7c | 14519 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14520 | #endif |
wolfSSL | 15:117db924cf7c | 14521 | |
wolfSSL | 16:8e0d178b1d1e | 14522 | InitDecodedCert(decoded, der, derSz, NULL); |
wolfSSL | 15:117db924cf7c | 14523 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 15:117db924cf7c | 14524 | |
wolfSSL | 15:117db924cf7c | 14525 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 14526 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 15:117db924cf7c | 14527 | } |
wolfSSL | 16:8e0d178b1d1e | 14528 | else { |
wolfSSL | 16:8e0d178b1d1e | 14529 | ret = SetAltNamesFromDcert(cert, decoded); |
wolfSSL | 16:8e0d178b1d1e | 14530 | } |
wolfSSL | 16:8e0d178b1d1e | 14531 | |
wolfSSL | 16:8e0d178b1d1e | 14532 | FreeDecodedCert(decoded); |
wolfSSL | 16:8e0d178b1d1e | 14533 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 16:8e0d178b1d1e | 14534 | XFREE(decoded, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 14535 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14536 | |
wolfSSL | 16:8e0d178b1d1e | 14537 | return ret < 0 ? ret : 0; |
wolfSSL | 16:8e0d178b1d1e | 14538 | } |
wolfSSL | 16:8e0d178b1d1e | 14539 | |
wolfSSL | 16:8e0d178b1d1e | 14540 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14541 | |
wolfSSL | 16:8e0d178b1d1e | 14542 | static int SetDatesFromDcert(Cert* cert, DecodedCert* decoded) |
wolfSSL | 16:8e0d178b1d1e | 14543 | { |
wolfSSL | 16:8e0d178b1d1e | 14544 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14545 | |
wolfSSL | 16:8e0d178b1d1e | 14546 | if (decoded->beforeDate == NULL || decoded->afterDate == NULL) { |
wolfSSL | 15:117db924cf7c | 14547 | WOLFSSL_MSG("Couldn't extract dates"); |
wolfSSL | 15:117db924cf7c | 14548 | ret = -1; |
wolfSSL | 15:117db924cf7c | 14549 | } |
wolfSSL | 15:117db924cf7c | 14550 | else if (decoded->beforeDateLen > MAX_DATE_SIZE || |
wolfSSL | 15:117db924cf7c | 14551 | decoded->afterDateLen > MAX_DATE_SIZE) { |
wolfSSL | 15:117db924cf7c | 14552 | WOLFSSL_MSG("Bad date size"); |
wolfSSL | 15:117db924cf7c | 14553 | ret = -1; |
wolfSSL | 15:117db924cf7c | 14554 | } |
wolfSSL | 15:117db924cf7c | 14555 | else { |
wolfSSL | 15:117db924cf7c | 14556 | XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen); |
wolfSSL | 15:117db924cf7c | 14557 | XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen); |
wolfSSL | 15:117db924cf7c | 14558 | |
wolfSSL | 15:117db924cf7c | 14559 | cert->beforeDateSz = decoded->beforeDateLen; |
wolfSSL | 15:117db924cf7c | 14560 | cert->afterDateSz = decoded->afterDateLen; |
wolfSSL | 15:117db924cf7c | 14561 | } |
wolfSSL | 15:117db924cf7c | 14562 | |
wolfSSL | 16:8e0d178b1d1e | 14563 | return ret; |
wolfSSL | 15:117db924cf7c | 14564 | } |
wolfSSL | 15:117db924cf7c | 14565 | |
wolfSSL | 15:117db924cf7c | 14566 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 15:117db924cf7c | 14567 | |
wolfSSL | 16:8e0d178b1d1e | 14568 | static void SetNameFromDcert(CertName* cn, DecodedCert* decoded) |
wolfSSL | 16:8e0d178b1d1e | 14569 | { |
wolfSSL | 16:8e0d178b1d1e | 14570 | int sz; |
wolfSSL | 16:8e0d178b1d1e | 14571 | |
wolfSSL | 16:8e0d178b1d1e | 14572 | if (decoded->subjectCN) { |
wolfSSL | 16:8e0d178b1d1e | 14573 | sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen |
wolfSSL | 16:8e0d178b1d1e | 14574 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14575 | XSTRNCPY(cn->commonName, decoded->subjectCN, sz); |
wolfSSL | 16:8e0d178b1d1e | 14576 | cn->commonName[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14577 | cn->commonNameEnc = decoded->subjectCNEnc; |
wolfSSL | 16:8e0d178b1d1e | 14578 | } |
wolfSSL | 16:8e0d178b1d1e | 14579 | if (decoded->subjectC) { |
wolfSSL | 16:8e0d178b1d1e | 14580 | sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen |
wolfSSL | 16:8e0d178b1d1e | 14581 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14582 | XSTRNCPY(cn->country, decoded->subjectC, sz); |
wolfSSL | 16:8e0d178b1d1e | 14583 | cn->country[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14584 | cn->countryEnc = decoded->subjectCEnc; |
wolfSSL | 16:8e0d178b1d1e | 14585 | } |
wolfSSL | 16:8e0d178b1d1e | 14586 | if (decoded->subjectST) { |
wolfSSL | 16:8e0d178b1d1e | 14587 | sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen |
wolfSSL | 16:8e0d178b1d1e | 14588 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14589 | XSTRNCPY(cn->state, decoded->subjectST, sz); |
wolfSSL | 16:8e0d178b1d1e | 14590 | cn->state[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14591 | cn->stateEnc = decoded->subjectSTEnc; |
wolfSSL | 16:8e0d178b1d1e | 14592 | } |
wolfSSL | 16:8e0d178b1d1e | 14593 | if (decoded->subjectL) { |
wolfSSL | 16:8e0d178b1d1e | 14594 | sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen |
wolfSSL | 16:8e0d178b1d1e | 14595 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14596 | XSTRNCPY(cn->locality, decoded->subjectL, sz); |
wolfSSL | 16:8e0d178b1d1e | 14597 | cn->locality[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14598 | cn->localityEnc = decoded->subjectLEnc; |
wolfSSL | 16:8e0d178b1d1e | 14599 | } |
wolfSSL | 16:8e0d178b1d1e | 14600 | if (decoded->subjectO) { |
wolfSSL | 16:8e0d178b1d1e | 14601 | sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen |
wolfSSL | 16:8e0d178b1d1e | 14602 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14603 | XSTRNCPY(cn->org, decoded->subjectO, sz); |
wolfSSL | 16:8e0d178b1d1e | 14604 | cn->org[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14605 | cn->orgEnc = decoded->subjectOEnc; |
wolfSSL | 16:8e0d178b1d1e | 14606 | } |
wolfSSL | 16:8e0d178b1d1e | 14607 | if (decoded->subjectOU) { |
wolfSSL | 16:8e0d178b1d1e | 14608 | sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen |
wolfSSL | 16:8e0d178b1d1e | 14609 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14610 | XSTRNCPY(cn->unit, decoded->subjectOU, sz); |
wolfSSL | 16:8e0d178b1d1e | 14611 | cn->unit[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14612 | cn->unitEnc = decoded->subjectOUEnc; |
wolfSSL | 16:8e0d178b1d1e | 14613 | } |
wolfSSL | 16:8e0d178b1d1e | 14614 | if (decoded->subjectSN) { |
wolfSSL | 16:8e0d178b1d1e | 14615 | sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen |
wolfSSL | 16:8e0d178b1d1e | 14616 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14617 | XSTRNCPY(cn->sur, decoded->subjectSN, sz); |
wolfSSL | 16:8e0d178b1d1e | 14618 | cn->sur[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14619 | cn->surEnc = decoded->subjectSNEnc; |
wolfSSL | 16:8e0d178b1d1e | 14620 | } |
wolfSSL | 16:8e0d178b1d1e | 14621 | if (decoded->subjectSND) { |
wolfSSL | 16:8e0d178b1d1e | 14622 | sz = (decoded->subjectSNDLen < CTC_NAME_SIZE) ? decoded->subjectSNDLen |
wolfSSL | 16:8e0d178b1d1e | 14623 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14624 | XSTRNCPY(cn->serialDev, decoded->subjectSND, sz); |
wolfSSL | 16:8e0d178b1d1e | 14625 | cn->serialDev[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14626 | cn->serialDevEnc = decoded->subjectSNDEnc; |
wolfSSL | 16:8e0d178b1d1e | 14627 | } |
wolfSSL | 16:8e0d178b1d1e | 14628 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 14629 | if (decoded->subjectBC) { |
wolfSSL | 16:8e0d178b1d1e | 14630 | sz = (decoded->subjectBCLen < CTC_NAME_SIZE) ? decoded->subjectBCLen |
wolfSSL | 16:8e0d178b1d1e | 14631 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14632 | XSTRNCPY(cn->busCat, decoded->subjectBC, sz); |
wolfSSL | 16:8e0d178b1d1e | 14633 | cn->busCat[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14634 | cn->busCatEnc = decoded->subjectBCEnc; |
wolfSSL | 16:8e0d178b1d1e | 14635 | } |
wolfSSL | 16:8e0d178b1d1e | 14636 | if (decoded->subjectJC) { |
wolfSSL | 16:8e0d178b1d1e | 14637 | sz = (decoded->subjectJCLen < CTC_NAME_SIZE) ? decoded->subjectJCLen |
wolfSSL | 16:8e0d178b1d1e | 14638 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14639 | XSTRNCPY(cn->joiC, decoded->subjectJC, sz); |
wolfSSL | 16:8e0d178b1d1e | 14640 | cn->joiC[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14641 | cn->joiCEnc = decoded->subjectJCEnc; |
wolfSSL | 16:8e0d178b1d1e | 14642 | } |
wolfSSL | 16:8e0d178b1d1e | 14643 | if (decoded->subjectJS) { |
wolfSSL | 16:8e0d178b1d1e | 14644 | sz = (decoded->subjectJSLen < CTC_NAME_SIZE) ? decoded->subjectJSLen |
wolfSSL | 16:8e0d178b1d1e | 14645 | : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14646 | XSTRNCPY(cn->joiSt, decoded->subjectJS, sz); |
wolfSSL | 16:8e0d178b1d1e | 14647 | cn->joiSt[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14648 | cn->joiStEnc = decoded->subjectJSEnc; |
wolfSSL | 16:8e0d178b1d1e | 14649 | } |
wolfSSL | 16:8e0d178b1d1e | 14650 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14651 | if (decoded->subjectEmail) { |
wolfSSL | 16:8e0d178b1d1e | 14652 | sz = (decoded->subjectEmailLen < CTC_NAME_SIZE) |
wolfSSL | 16:8e0d178b1d1e | 14653 | ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1; |
wolfSSL | 16:8e0d178b1d1e | 14654 | XSTRNCPY(cn->email, decoded->subjectEmail, sz); |
wolfSSL | 16:8e0d178b1d1e | 14655 | cn->email[sz] = '\0'; |
wolfSSL | 16:8e0d178b1d1e | 14656 | } |
wolfSSL | 16:8e0d178b1d1e | 14657 | } |
wolfSSL | 16:8e0d178b1d1e | 14658 | |
wolfSSL | 16:8e0d178b1d1e | 14659 | #ifndef NO_FILESYSTEM |
wolfSSL | 16:8e0d178b1d1e | 14660 | |
wolfSSL | 15:117db924cf7c | 14661 | /* Set cn name from der buffer, return 0 on success */ |
wolfSSL | 15:117db924cf7c | 14662 | static int SetNameFromCert(CertName* cn, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14663 | { |
wolfSSL | 16:8e0d178b1d1e | 14664 | int ret; |
wolfSSL | 15:117db924cf7c | 14665 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 14666 | DecodedCert* decoded; |
wolfSSL | 15:117db924cf7c | 14667 | #else |
wolfSSL | 15:117db924cf7c | 14668 | DecodedCert decoded[1]; |
wolfSSL | 15:117db924cf7c | 14669 | #endif |
wolfSSL | 15:117db924cf7c | 14670 | |
wolfSSL | 15:117db924cf7c | 14671 | if (derSz < 0) |
wolfSSL | 15:117db924cf7c | 14672 | return derSz; |
wolfSSL | 15:117db924cf7c | 14673 | |
wolfSSL | 15:117db924cf7c | 14674 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 14675 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 15:117db924cf7c | 14676 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14677 | if (decoded == NULL) |
wolfSSL | 15:117db924cf7c | 14678 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14679 | #endif |
wolfSSL | 15:117db924cf7c | 14680 | |
wolfSSL | 16:8e0d178b1d1e | 14681 | InitDecodedCert(decoded, der, derSz, NULL); |
wolfSSL | 15:117db924cf7c | 14682 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 15:117db924cf7c | 14683 | |
wolfSSL | 15:117db924cf7c | 14684 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 14685 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 15:117db924cf7c | 14686 | } |
wolfSSL | 15:117db924cf7c | 14687 | else { |
wolfSSL | 16:8e0d178b1d1e | 14688 | SetNameFromDcert(cn, decoded); |
wolfSSL | 15:117db924cf7c | 14689 | } |
wolfSSL | 15:117db924cf7c | 14690 | |
wolfSSL | 15:117db924cf7c | 14691 | FreeDecodedCert(decoded); |
wolfSSL | 15:117db924cf7c | 14692 | |
wolfSSL | 15:117db924cf7c | 14693 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 14694 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 14695 | #endif |
wolfSSL | 15:117db924cf7c | 14696 | |
wolfSSL | 15:117db924cf7c | 14697 | return ret < 0 ? ret : 0; |
wolfSSL | 15:117db924cf7c | 14698 | } |
wolfSSL | 15:117db924cf7c | 14699 | |
wolfSSL | 15:117db924cf7c | 14700 | /* Set cert issuer from issuerFile in PEM */ |
wolfSSL | 15:117db924cf7c | 14701 | int wc_SetIssuer(Cert* cert, const char* issuerFile) |
wolfSSL | 15:117db924cf7c | 14702 | { |
wolfSSL | 15:117db924cf7c | 14703 | int ret; |
wolfSSL | 15:117db924cf7c | 14704 | int derSz; |
wolfSSL | 16:8e0d178b1d1e | 14705 | byte* der; |
wolfSSL | 16:8e0d178b1d1e | 14706 | |
wolfSSL | 16:8e0d178b1d1e | 14707 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14708 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14709 | } |
wolfSSL | 16:8e0d178b1d1e | 14710 | |
wolfSSL | 16:8e0d178b1d1e | 14711 | der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14712 | if (der == NULL) { |
wolfSSL | 15:117db924cf7c | 14713 | WOLFSSL_MSG("wc_SetIssuer OOF Problem"); |
wolfSSL | 15:117db924cf7c | 14714 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14715 | } |
wolfSSL | 15:117db924cf7c | 14716 | derSz = wc_PemCertToDer(issuerFile, der, EIGHTK_BUF); |
wolfSSL | 15:117db924cf7c | 14717 | cert->selfSigned = 0; |
wolfSSL | 15:117db924cf7c | 14718 | ret = SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 15:117db924cf7c | 14719 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14720 | |
wolfSSL | 15:117db924cf7c | 14721 | return ret; |
wolfSSL | 15:117db924cf7c | 14722 | } |
wolfSSL | 15:117db924cf7c | 14723 | |
wolfSSL | 15:117db924cf7c | 14724 | |
wolfSSL | 15:117db924cf7c | 14725 | /* Set cert subject from subjectFile in PEM */ |
wolfSSL | 15:117db924cf7c | 14726 | int wc_SetSubject(Cert* cert, const char* subjectFile) |
wolfSSL | 15:117db924cf7c | 14727 | { |
wolfSSL | 15:117db924cf7c | 14728 | int ret; |
wolfSSL | 15:117db924cf7c | 14729 | int derSz; |
wolfSSL | 16:8e0d178b1d1e | 14730 | byte* der; |
wolfSSL | 16:8e0d178b1d1e | 14731 | |
wolfSSL | 16:8e0d178b1d1e | 14732 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14733 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14734 | } |
wolfSSL | 16:8e0d178b1d1e | 14735 | |
wolfSSL | 16:8e0d178b1d1e | 14736 | der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14737 | if (der == NULL) { |
wolfSSL | 15:117db924cf7c | 14738 | WOLFSSL_MSG("wc_SetSubject OOF Problem"); |
wolfSSL | 15:117db924cf7c | 14739 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14740 | } |
wolfSSL | 16:8e0d178b1d1e | 14741 | |
wolfSSL | 15:117db924cf7c | 14742 | derSz = wc_PemCertToDer(subjectFile, der, EIGHTK_BUF); |
wolfSSL | 15:117db924cf7c | 14743 | ret = SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 15:117db924cf7c | 14744 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14745 | |
wolfSSL | 15:117db924cf7c | 14746 | return ret; |
wolfSSL | 15:117db924cf7c | 14747 | } |
wolfSSL | 15:117db924cf7c | 14748 | |
wolfSSL | 15:117db924cf7c | 14749 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 14750 | |
wolfSSL | 15:117db924cf7c | 14751 | /* Set alt names from file in PEM */ |
wolfSSL | 15:117db924cf7c | 14752 | int wc_SetAltNames(Cert* cert, const char* file) |
wolfSSL | 15:117db924cf7c | 14753 | { |
wolfSSL | 15:117db924cf7c | 14754 | int ret; |
wolfSSL | 15:117db924cf7c | 14755 | int derSz; |
wolfSSL | 16:8e0d178b1d1e | 14756 | byte* der; |
wolfSSL | 16:8e0d178b1d1e | 14757 | |
wolfSSL | 16:8e0d178b1d1e | 14758 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14759 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14760 | } |
wolfSSL | 16:8e0d178b1d1e | 14761 | |
wolfSSL | 16:8e0d178b1d1e | 14762 | der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14763 | if (der == NULL) { |
wolfSSL | 15:117db924cf7c | 14764 | WOLFSSL_MSG("wc_SetAltNames OOF Problem"); |
wolfSSL | 15:117db924cf7c | 14765 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 14766 | } |
wolfSSL | 15:117db924cf7c | 14767 | derSz = wc_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 15:117db924cf7c | 14768 | ret = SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 15:117db924cf7c | 14769 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 15:117db924cf7c | 14770 | |
wolfSSL | 15:117db924cf7c | 14771 | return ret; |
wolfSSL | 15:117db924cf7c | 14772 | } |
wolfSSL | 15:117db924cf7c | 14773 | |
wolfSSL | 15:117db924cf7c | 14774 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 15:117db924cf7c | 14775 | |
wolfSSL | 16:8e0d178b1d1e | 14776 | #endif /* !NO_FILESYSTEM */ |
wolfSSL | 15:117db924cf7c | 14777 | |
wolfSSL | 15:117db924cf7c | 14778 | /* Set cert issuer from DER buffer */ |
wolfSSL | 15:117db924cf7c | 14779 | int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14780 | { |
wolfSSL | 16:8e0d178b1d1e | 14781 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14782 | |
wolfSSL | 16:8e0d178b1d1e | 14783 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14784 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14785 | } |
wolfSSL | 16:8e0d178b1d1e | 14786 | else { |
wolfSSL | 16:8e0d178b1d1e | 14787 | cert->selfSigned = 0; |
wolfSSL | 16:8e0d178b1d1e | 14788 | |
wolfSSL | 16:8e0d178b1d1e | 14789 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14790 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14791 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14792 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14793 | } |
wolfSSL | 16:8e0d178b1d1e | 14794 | |
wolfSSL | 16:8e0d178b1d1e | 14795 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14796 | SetNameFromDcert(&cert->issuer, (DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 14797 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14798 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14799 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14800 | } |
wolfSSL | 16:8e0d178b1d1e | 14801 | } |
wolfSSL | 16:8e0d178b1d1e | 14802 | |
wolfSSL | 16:8e0d178b1d1e | 14803 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14804 | } |
wolfSSL | 15:117db924cf7c | 14805 | |
wolfSSL | 15:117db924cf7c | 14806 | /* Set cert subject from DER buffer */ |
wolfSSL | 15:117db924cf7c | 14807 | int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14808 | { |
wolfSSL | 16:8e0d178b1d1e | 14809 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14810 | |
wolfSSL | 16:8e0d178b1d1e | 14811 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14812 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14813 | } |
wolfSSL | 16:8e0d178b1d1e | 14814 | else { |
wolfSSL | 16:8e0d178b1d1e | 14815 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14816 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14817 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14818 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14819 | } |
wolfSSL | 16:8e0d178b1d1e | 14820 | |
wolfSSL | 16:8e0d178b1d1e | 14821 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14822 | SetNameFromDcert(&cert->subject, (DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 14823 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14824 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14825 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14826 | } |
wolfSSL | 16:8e0d178b1d1e | 14827 | } |
wolfSSL | 16:8e0d178b1d1e | 14828 | |
wolfSSL | 16:8e0d178b1d1e | 14829 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14830 | } |
wolfSSL | 16:8e0d178b1d1e | 14831 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 16:8e0d178b1d1e | 14832 | /* Set cert raw subject from DER buffer */ |
wolfSSL | 16:8e0d178b1d1e | 14833 | int wc_SetSubjectRaw(Cert* cert, const byte* der, int derSz) |
wolfSSL | 16:8e0d178b1d1e | 14834 | { |
wolfSSL | 16:8e0d178b1d1e | 14835 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14836 | |
wolfSSL | 16:8e0d178b1d1e | 14837 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14838 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14839 | } |
wolfSSL | 16:8e0d178b1d1e | 14840 | else { |
wolfSSL | 16:8e0d178b1d1e | 14841 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14842 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14843 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14844 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14845 | } |
wolfSSL | 16:8e0d178b1d1e | 14846 | |
wolfSSL | 16:8e0d178b1d1e | 14847 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14848 | if ((((DecodedCert*)cert->decodedCert)->subjectRaw) && |
wolfSSL | 16:8e0d178b1d1e | 14849 | (((DecodedCert*)cert->decodedCert)->subjectRawLen <= |
wolfSSL | 16:8e0d178b1d1e | 14850 | (int)sizeof(CertName))) { |
wolfSSL | 16:8e0d178b1d1e | 14851 | XMEMCPY(cert->sbjRaw, |
wolfSSL | 16:8e0d178b1d1e | 14852 | ((DecodedCert*)cert->decodedCert)->subjectRaw, |
wolfSSL | 16:8e0d178b1d1e | 14853 | ((DecodedCert*)cert->decodedCert)->subjectRawLen); |
wolfSSL | 16:8e0d178b1d1e | 14854 | } |
wolfSSL | 16:8e0d178b1d1e | 14855 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14856 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14857 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14858 | } |
wolfSSL | 16:8e0d178b1d1e | 14859 | } |
wolfSSL | 16:8e0d178b1d1e | 14860 | |
wolfSSL | 16:8e0d178b1d1e | 14861 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14862 | } |
wolfSSL | 16:8e0d178b1d1e | 14863 | |
wolfSSL | 16:8e0d178b1d1e | 14864 | /* Set cert raw issuer from DER buffer */ |
wolfSSL | 16:8e0d178b1d1e | 14865 | int wc_SetIssuerRaw(Cert* cert, const byte* der, int derSz) |
wolfSSL | 16:8e0d178b1d1e | 14866 | { |
wolfSSL | 16:8e0d178b1d1e | 14867 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14868 | |
wolfSSL | 16:8e0d178b1d1e | 14869 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14870 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14871 | } |
wolfSSL | 16:8e0d178b1d1e | 14872 | else { |
wolfSSL | 16:8e0d178b1d1e | 14873 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14874 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14875 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14876 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14877 | } |
wolfSSL | 16:8e0d178b1d1e | 14878 | |
wolfSSL | 16:8e0d178b1d1e | 14879 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14880 | if ((((DecodedCert*)cert->decodedCert)->issuerRaw) && |
wolfSSL | 16:8e0d178b1d1e | 14881 | (((DecodedCert*)cert->decodedCert)->issuerRawLen <= |
wolfSSL | 16:8e0d178b1d1e | 14882 | (int)sizeof(CertName))) { |
wolfSSL | 16:8e0d178b1d1e | 14883 | XMEMCPY(cert->issRaw, |
wolfSSL | 16:8e0d178b1d1e | 14884 | ((DecodedCert*)cert->decodedCert)->issuerRaw, |
wolfSSL | 16:8e0d178b1d1e | 14885 | ((DecodedCert*)cert->decodedCert)->issuerRawLen); |
wolfSSL | 16:8e0d178b1d1e | 14886 | } |
wolfSSL | 16:8e0d178b1d1e | 14887 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14888 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14889 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14890 | } |
wolfSSL | 16:8e0d178b1d1e | 14891 | } |
wolfSSL | 16:8e0d178b1d1e | 14892 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 14893 | } |
wolfSSL | 16:8e0d178b1d1e | 14894 | #endif |
wolfSSL | 15:117db924cf7c | 14895 | |
wolfSSL | 15:117db924cf7c | 14896 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 15:117db924cf7c | 14897 | |
wolfSSL | 15:117db924cf7c | 14898 | /* Set cert alt names from DER buffer */ |
wolfSSL | 15:117db924cf7c | 14899 | int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14900 | { |
wolfSSL | 16:8e0d178b1d1e | 14901 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14902 | |
wolfSSL | 16:8e0d178b1d1e | 14903 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14904 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14905 | } |
wolfSSL | 16:8e0d178b1d1e | 14906 | else { |
wolfSSL | 16:8e0d178b1d1e | 14907 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14908 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14909 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14910 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14911 | } |
wolfSSL | 16:8e0d178b1d1e | 14912 | |
wolfSSL | 16:8e0d178b1d1e | 14913 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14914 | ret = SetAltNamesFromDcert(cert, (DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 14915 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14916 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14917 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14918 | } |
wolfSSL | 16:8e0d178b1d1e | 14919 | } |
wolfSSL | 16:8e0d178b1d1e | 14920 | |
wolfSSL | 16:8e0d178b1d1e | 14921 | return(ret); |
wolfSSL | 15:117db924cf7c | 14922 | } |
wolfSSL | 15:117db924cf7c | 14923 | |
wolfSSL | 15:117db924cf7c | 14924 | /* Set cert dates from DER buffer */ |
wolfSSL | 15:117db924cf7c | 14925 | int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 15:117db924cf7c | 14926 | { |
wolfSSL | 16:8e0d178b1d1e | 14927 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 14928 | |
wolfSSL | 16:8e0d178b1d1e | 14929 | if (cert == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 14930 | ret = BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14931 | } |
wolfSSL | 16:8e0d178b1d1e | 14932 | else { |
wolfSSL | 16:8e0d178b1d1e | 14933 | /* Check if decodedCert is cached */ |
wolfSSL | 16:8e0d178b1d1e | 14934 | if (cert->der != der) { |
wolfSSL | 16:8e0d178b1d1e | 14935 | /* Allocate cache for the decoded cert */ |
wolfSSL | 16:8e0d178b1d1e | 14936 | ret = wc_SetCert_LoadDer(cert, der, derSz); |
wolfSSL | 16:8e0d178b1d1e | 14937 | } |
wolfSSL | 16:8e0d178b1d1e | 14938 | |
wolfSSL | 16:8e0d178b1d1e | 14939 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 14940 | ret = SetDatesFromDcert(cert, (DecodedCert*)cert->decodedCert); |
wolfSSL | 16:8e0d178b1d1e | 14941 | #ifndef WOLFSSL_CERT_GEN_CACHE |
wolfSSL | 16:8e0d178b1d1e | 14942 | wc_SetCert_Free(cert); |
wolfSSL | 16:8e0d178b1d1e | 14943 | #endif |
wolfSSL | 16:8e0d178b1d1e | 14944 | } |
wolfSSL | 16:8e0d178b1d1e | 14945 | } |
wolfSSL | 16:8e0d178b1d1e | 14946 | |
wolfSSL | 16:8e0d178b1d1e | 14947 | return(ret); |
wolfSSL | 15:117db924cf7c | 14948 | } |
wolfSSL | 15:117db924cf7c | 14949 | |
wolfSSL | 15:117db924cf7c | 14950 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 15:117db924cf7c | 14951 | |
wolfSSL | 15:117db924cf7c | 14952 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 15:117db924cf7c | 14953 | |
wolfSSL | 16:8e0d178b1d1e | 14954 | #if (defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)) \ |
wolfSSL | 16:8e0d178b1d1e | 14955 | || defined(OPENSSL_EXTRA) |
wolfSSL | 16:8e0d178b1d1e | 14956 | /* Encode OID string representation to ITU-T X.690 format */ |
wolfSSL | 16:8e0d178b1d1e | 14957 | int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap) |
wolfSSL | 16:8e0d178b1d1e | 14958 | { |
wolfSSL | 16:8e0d178b1d1e | 14959 | word32 val, idx = 0, nb_val; |
wolfSSL | 16:8e0d178b1d1e | 14960 | char *token, *str, *ptr; |
wolfSSL | 16:8e0d178b1d1e | 14961 | word32 len; |
wolfSSL | 16:8e0d178b1d1e | 14962 | |
wolfSSL | 16:8e0d178b1d1e | 14963 | (void)heap; |
wolfSSL | 16:8e0d178b1d1e | 14964 | |
wolfSSL | 16:8e0d178b1d1e | 14965 | if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL) |
wolfSSL | 16:8e0d178b1d1e | 14966 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 14967 | |
wolfSSL | 16:8e0d178b1d1e | 14968 | /* duplicate string (including terminator) */ |
wolfSSL | 16:8e0d178b1d1e | 14969 | len = (word32)XSTRLEN(in); |
wolfSSL | 16:8e0d178b1d1e | 14970 | str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 14971 | if (str == NULL) |
wolfSSL | 16:8e0d178b1d1e | 14972 | return MEMORY_E; |
wolfSSL | 16:8e0d178b1d1e | 14973 | XMEMCPY(str, in, len+1); |
wolfSSL | 16:8e0d178b1d1e | 14974 | |
wolfSSL | 16:8e0d178b1d1e | 14975 | nb_val = 0; |
wolfSSL | 16:8e0d178b1d1e | 14976 | |
wolfSSL | 16:8e0d178b1d1e | 14977 | /* parse value, and set corresponding Policy OID value */ |
wolfSSL | 16:8e0d178b1d1e | 14978 | token = XSTRTOK(str, ".", &ptr); |
wolfSSL | 16:8e0d178b1d1e | 14979 | while (token != NULL) |
wolfSSL | 16:8e0d178b1d1e | 14980 | { |
wolfSSL | 16:8e0d178b1d1e | 14981 | val = (word32)XATOI(token); |
wolfSSL | 16:8e0d178b1d1e | 14982 | |
wolfSSL | 16:8e0d178b1d1e | 14983 | if (nb_val == 0) { |
wolfSSL | 16:8e0d178b1d1e | 14984 | if (val > 2) { |
wolfSSL | 16:8e0d178b1d1e | 14985 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 14986 | return ASN_OBJECT_ID_E; |
wolfSSL | 16:8e0d178b1d1e | 14987 | } |
wolfSSL | 16:8e0d178b1d1e | 14988 | |
wolfSSL | 16:8e0d178b1d1e | 14989 | out[idx] = (byte)(40 * val); |
wolfSSL | 16:8e0d178b1d1e | 14990 | } |
wolfSSL | 16:8e0d178b1d1e | 14991 | else if (nb_val == 1) { |
wolfSSL | 16:8e0d178b1d1e | 14992 | if (val > 127) { |
wolfSSL | 16:8e0d178b1d1e | 14993 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 14994 | return ASN_OBJECT_ID_E; |
wolfSSL | 16:8e0d178b1d1e | 14995 | } |
wolfSSL | 16:8e0d178b1d1e | 14996 | |
wolfSSL | 16:8e0d178b1d1e | 14997 | if (idx > *outSz) { |
wolfSSL | 16:8e0d178b1d1e | 14998 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 14999 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15000 | } |
wolfSSL | 16:8e0d178b1d1e | 15001 | |
wolfSSL | 16:8e0d178b1d1e | 15002 | out[idx++] += (byte)val; |
wolfSSL | 16:8e0d178b1d1e | 15003 | } |
wolfSSL | 16:8e0d178b1d1e | 15004 | else { |
wolfSSL | 16:8e0d178b1d1e | 15005 | word32 tb = 0, x; |
wolfSSL | 16:8e0d178b1d1e | 15006 | int i = 0; |
wolfSSL | 16:8e0d178b1d1e | 15007 | byte oid[MAX_OID_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 15008 | |
wolfSSL | 16:8e0d178b1d1e | 15009 | while (val >= 128) { |
wolfSSL | 16:8e0d178b1d1e | 15010 | x = val % 128; |
wolfSSL | 16:8e0d178b1d1e | 15011 | val /= 128; |
wolfSSL | 16:8e0d178b1d1e | 15012 | oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x); |
wolfSSL | 16:8e0d178b1d1e | 15013 | } |
wolfSSL | 16:8e0d178b1d1e | 15014 | |
wolfSSL | 16:8e0d178b1d1e | 15015 | if ((idx+(word32)i) > *outSz) { |
wolfSSL | 16:8e0d178b1d1e | 15016 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15017 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15018 | } |
wolfSSL | 16:8e0d178b1d1e | 15019 | |
wolfSSL | 16:8e0d178b1d1e | 15020 | oid[i] = (byte) (((tb++) ? 0x80 : 0) | val); |
wolfSSL | 16:8e0d178b1d1e | 15021 | |
wolfSSL | 16:8e0d178b1d1e | 15022 | /* push value in the right order */ |
wolfSSL | 16:8e0d178b1d1e | 15023 | while (i >= 0) |
wolfSSL | 16:8e0d178b1d1e | 15024 | out[idx++] = oid[i--]; |
wolfSSL | 16:8e0d178b1d1e | 15025 | } |
wolfSSL | 16:8e0d178b1d1e | 15026 | |
wolfSSL | 16:8e0d178b1d1e | 15027 | token = XSTRTOK(NULL, ".", &ptr); |
wolfSSL | 16:8e0d178b1d1e | 15028 | nb_val++; |
wolfSSL | 16:8e0d178b1d1e | 15029 | } |
wolfSSL | 16:8e0d178b1d1e | 15030 | |
wolfSSL | 16:8e0d178b1d1e | 15031 | *outSz = idx; |
wolfSSL | 16:8e0d178b1d1e | 15032 | |
wolfSSL | 16:8e0d178b1d1e | 15033 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15034 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 15035 | } |
wolfSSL | 16:8e0d178b1d1e | 15036 | #endif /* WOLFSSL_CERT_EXT || OPENSSL_EXTRA */ |
wolfSSL | 16:8e0d178b1d1e | 15037 | |
wolfSSL | 16:8e0d178b1d1e | 15038 | #endif /* !NO_CERTS */ |
wolfSSL | 16:8e0d178b1d1e | 15039 | |
wolfSSL | 16:8e0d178b1d1e | 15040 | #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) |
wolfSSL | 16:8e0d178b1d1e | 15041 | /* Helper function for wolfSSL_i2d_DHparams */ |
wolfSSL | 16:8e0d178b1d1e | 15042 | int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g) |
wolfSSL | 16:8e0d178b1d1e | 15043 | { |
wolfSSL | 16:8e0d178b1d1e | 15044 | word32 idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 15045 | int pSz; |
wolfSSL | 16:8e0d178b1d1e | 15046 | int gSz; |
wolfSSL | 16:8e0d178b1d1e | 15047 | unsigned int tmp; |
wolfSSL | 16:8e0d178b1d1e | 15048 | word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ |
wolfSSL | 16:8e0d178b1d1e | 15049 | |
wolfSSL | 16:8e0d178b1d1e | 15050 | /* If the leading bit on the INTEGER is a 1, add a leading zero */ |
wolfSSL | 16:8e0d178b1d1e | 15051 | int pLeadingZero = mp_leading_bit(p); |
wolfSSL | 16:8e0d178b1d1e | 15052 | int gLeadingZero = mp_leading_bit(g); |
wolfSSL | 16:8e0d178b1d1e | 15053 | int pLen = mp_unsigned_bin_size(p); |
wolfSSL | 16:8e0d178b1d1e | 15054 | int gLen = mp_unsigned_bin_size(g); |
wolfSSL | 16:8e0d178b1d1e | 15055 | |
wolfSSL | 16:8e0d178b1d1e | 15056 | WOLFSSL_ENTER("StoreDHparams"); |
wolfSSL | 16:8e0d178b1d1e | 15057 | if (out == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 15058 | WOLFSSL_MSG("Null buffer error"); |
wolfSSL | 16:8e0d178b1d1e | 15059 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15060 | } |
wolfSSL | 16:8e0d178b1d1e | 15061 | |
wolfSSL | 16:8e0d178b1d1e | 15062 | tmp = pLeadingZero + gLeadingZero + pLen + gLen; |
wolfSSL | 16:8e0d178b1d1e | 15063 | if (*outLen < (tmp + headerSz)) { |
wolfSSL | 16:8e0d178b1d1e | 15064 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15065 | } |
wolfSSL | 16:8e0d178b1d1e | 15066 | |
wolfSSL | 16:8e0d178b1d1e | 15067 | /* Set sequence */ |
wolfSSL | 16:8e0d178b1d1e | 15068 | idx = SetSequence(tmp + headerSz + 2, out); |
wolfSSL | 16:8e0d178b1d1e | 15069 | |
wolfSSL | 16:8e0d178b1d1e | 15070 | /* Encode p */ |
wolfSSL | 16:8e0d178b1d1e | 15071 | pSz = SetASNIntMP(p, -1, &out[idx]); |
wolfSSL | 16:8e0d178b1d1e | 15072 | if (pSz < 0) { |
wolfSSL | 16:8e0d178b1d1e | 15073 | WOLFSSL_MSG("SetASNIntMP failed"); |
wolfSSL | 16:8e0d178b1d1e | 15074 | return pSz; |
wolfSSL | 16:8e0d178b1d1e | 15075 | } |
wolfSSL | 16:8e0d178b1d1e | 15076 | idx += pSz; |
wolfSSL | 16:8e0d178b1d1e | 15077 | |
wolfSSL | 16:8e0d178b1d1e | 15078 | /* Encode g */ |
wolfSSL | 16:8e0d178b1d1e | 15079 | gSz = SetASNIntMP(g, -1, &out[idx]); |
wolfSSL | 16:8e0d178b1d1e | 15080 | if (gSz < 0) { |
wolfSSL | 16:8e0d178b1d1e | 15081 | WOLFSSL_MSG("SetASNIntMP failed"); |
wolfSSL | 16:8e0d178b1d1e | 15082 | return gSz; |
wolfSSL | 16:8e0d178b1d1e | 15083 | } |
wolfSSL | 16:8e0d178b1d1e | 15084 | idx += gSz; |
wolfSSL | 16:8e0d178b1d1e | 15085 | |
wolfSSL | 16:8e0d178b1d1e | 15086 | *outLen = idx; |
wolfSSL | 16:8e0d178b1d1e | 15087 | |
wolfSSL | 16:8e0d178b1d1e | 15088 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 15089 | } |
wolfSSL | 16:8e0d178b1d1e | 15090 | #endif /* !NO_DH && WOLFSSL_QT || OPENSSL_ALL */ |
wolfSSL | 15:117db924cf7c | 15091 | |
wolfSSL | 15:117db924cf7c | 15092 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 15093 | |
wolfSSL | 15:117db924cf7c | 15094 | /* Der Encode r & s ints into out, outLen is (in/out) size */ |
wolfSSL | 15:117db924cf7c | 15095 | int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) |
wolfSSL | 15:117db924cf7c | 15096 | { |
wolfSSL | 15:117db924cf7c | 15097 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 15098 | int rSz; /* encoding size */ |
wolfSSL | 15:117db924cf7c | 15099 | int sSz; |
wolfSSL | 15:117db924cf7c | 15100 | word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ |
wolfSSL | 15:117db924cf7c | 15101 | |
wolfSSL | 15:117db924cf7c | 15102 | /* If the leading bit on the INTEGER is a 1, add a leading zero */ |
wolfSSL | 15:117db924cf7c | 15103 | int rLeadingZero = mp_leading_bit(r); |
wolfSSL | 15:117db924cf7c | 15104 | int sLeadingZero = mp_leading_bit(s); |
wolfSSL | 15:117db924cf7c | 15105 | int rLen = mp_unsigned_bin_size(r); /* big int size */ |
wolfSSL | 15:117db924cf7c | 15106 | int sLen = mp_unsigned_bin_size(s); |
wolfSSL | 15:117db924cf7c | 15107 | |
wolfSSL | 15:117db924cf7c | 15108 | if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero + |
wolfSSL | 15:117db924cf7c | 15109 | headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */ |
wolfSSL | 15:117db924cf7c | 15110 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15111 | |
wolfSSL | 15:117db924cf7c | 15112 | idx = SetSequence(rLen + rLeadingZero + sLen+sLeadingZero + headerSz, out); |
wolfSSL | 15:117db924cf7c | 15113 | |
wolfSSL | 15:117db924cf7c | 15114 | /* store r */ |
wolfSSL | 15:117db924cf7c | 15115 | rSz = SetASNIntMP(r, -1, &out[idx]); |
wolfSSL | 15:117db924cf7c | 15116 | if (rSz < 0) |
wolfSSL | 15:117db924cf7c | 15117 | return rSz; |
wolfSSL | 15:117db924cf7c | 15118 | idx += rSz; |
wolfSSL | 15:117db924cf7c | 15119 | |
wolfSSL | 15:117db924cf7c | 15120 | /* store s */ |
wolfSSL | 15:117db924cf7c | 15121 | sSz = SetASNIntMP(s, -1, &out[idx]); |
wolfSSL | 15:117db924cf7c | 15122 | if (sSz < 0) |
wolfSSL | 15:117db924cf7c | 15123 | return sSz; |
wolfSSL | 15:117db924cf7c | 15124 | idx += sSz; |
wolfSSL | 15:117db924cf7c | 15125 | |
wolfSSL | 15:117db924cf7c | 15126 | *outLen = idx; |
wolfSSL | 15:117db924cf7c | 15127 | |
wolfSSL | 15:117db924cf7c | 15128 | return 0; |
wolfSSL | 15:117db924cf7c | 15129 | } |
wolfSSL | 15:117db924cf7c | 15130 | |
wolfSSL | 15:117db924cf7c | 15131 | |
wolfSSL | 15:117db924cf7c | 15132 | /* Der Decode ECC-DSA Signature, r & s stored as big ints */ |
wolfSSL | 15:117db924cf7c | 15133 | int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s) |
wolfSSL | 15:117db924cf7c | 15134 | { |
wolfSSL | 15:117db924cf7c | 15135 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 15136 | int len = 0; |
wolfSSL | 15:117db924cf7c | 15137 | |
wolfSSL | 15:117db924cf7c | 15138 | if (GetSequence(sig, &idx, &len, sigLen) < 0) { |
wolfSSL | 15:117db924cf7c | 15139 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15140 | } |
wolfSSL | 15:117db924cf7c | 15141 | |
wolfSSL | 16:8e0d178b1d1e | 15142 | #ifndef NO_STRICT_ECDSA_LEN |
wolfSSL | 16:8e0d178b1d1e | 15143 | /* enable strict length checking for signature */ |
wolfSSL | 16:8e0d178b1d1e | 15144 | if (sigLen != idx + (word32)len) { |
wolfSSL | 16:8e0d178b1d1e | 15145 | return ASN_ECC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 15146 | } |
wolfSSL | 16:8e0d178b1d1e | 15147 | #else |
wolfSSL | 16:8e0d178b1d1e | 15148 | /* allow extra signature bytes at end */ |
wolfSSL | 15:117db924cf7c | 15149 | if ((word32)len > (sigLen - idx)) { |
wolfSSL | 15:117db924cf7c | 15150 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15151 | } |
wolfSSL | 16:8e0d178b1d1e | 15152 | #endif |
wolfSSL | 15:117db924cf7c | 15153 | |
wolfSSL | 15:117db924cf7c | 15154 | if (GetInt(r, sig, &idx, sigLen) < 0) { |
wolfSSL | 15:117db924cf7c | 15155 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15156 | } |
wolfSSL | 15:117db924cf7c | 15157 | |
wolfSSL | 15:117db924cf7c | 15158 | if (GetInt(s, sig, &idx, sigLen) < 0) { |
wolfSSL | 15:117db924cf7c | 15159 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15160 | } |
wolfSSL | 15:117db924cf7c | 15161 | |
wolfSSL | 15:117db924cf7c | 15162 | return 0; |
wolfSSL | 15:117db924cf7c | 15163 | } |
wolfSSL | 15:117db924cf7c | 15164 | |
wolfSSL | 15:117db924cf7c | 15165 | |
wolfSSL | 15:117db924cf7c | 15166 | int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, |
wolfSSL | 15:117db924cf7c | 15167 | word32 inSz) |
wolfSSL | 15:117db924cf7c | 15168 | { |
wolfSSL | 15:117db924cf7c | 15169 | word32 oidSum; |
wolfSSL | 15:117db924cf7c | 15170 | int version, length; |
wolfSSL | 15:117db924cf7c | 15171 | int privSz, pubSz = 0; |
wolfSSL | 15:117db924cf7c | 15172 | byte b; |
wolfSSL | 15:117db924cf7c | 15173 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 15174 | int curve_id = ECC_CURVE_DEF; |
wolfSSL | 15:117db924cf7c | 15175 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 15176 | byte* priv; |
wolfSSL | 15:117db924cf7c | 15177 | byte* pub; |
wolfSSL | 15:117db924cf7c | 15178 | #else |
wolfSSL | 15:117db924cf7c | 15179 | byte priv[ECC_MAXSIZE+1]; |
wolfSSL | 15:117db924cf7c | 15180 | byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */ |
wolfSSL | 15:117db924cf7c | 15181 | #endif |
wolfSSL | 15:117db924cf7c | 15182 | byte* pubData = NULL; |
wolfSSL | 15:117db924cf7c | 15183 | |
wolfSSL | 15:117db924cf7c | 15184 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 15:117db924cf7c | 15185 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15186 | |
wolfSSL | 15:117db924cf7c | 15187 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15188 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15189 | |
wolfSSL | 15:117db924cf7c | 15190 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15191 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15192 | |
wolfSSL | 15:117db924cf7c | 15193 | if (*inOutIdx >= inSz) |
wolfSSL | 15:117db924cf7c | 15194 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15195 | |
wolfSSL | 15:117db924cf7c | 15196 | b = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 15197 | *inOutIdx += 1; |
wolfSSL | 15:117db924cf7c | 15198 | |
wolfSSL | 15:117db924cf7c | 15199 | /* priv type */ |
wolfSSL | 15:117db924cf7c | 15200 | if (b != 4 && b != 6 && b != 7) |
wolfSSL | 15:117db924cf7c | 15201 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15202 | |
wolfSSL | 15:117db924cf7c | 15203 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15204 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15205 | |
wolfSSL | 15:117db924cf7c | 15206 | if (length > ECC_MAXSIZE) |
wolfSSL | 15:117db924cf7c | 15207 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15208 | |
wolfSSL | 15:117db924cf7c | 15209 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 15210 | priv = (byte*)XMALLOC(ECC_MAXSIZE+1, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15211 | if (priv == NULL) |
wolfSSL | 15:117db924cf7c | 15212 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15213 | |
wolfSSL | 15:117db924cf7c | 15214 | pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15215 | if (pub == NULL) { |
wolfSSL | 15:117db924cf7c | 15216 | XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15217 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15218 | } |
wolfSSL | 15:117db924cf7c | 15219 | #endif |
wolfSSL | 15:117db924cf7c | 15220 | |
wolfSSL | 15:117db924cf7c | 15221 | /* priv key */ |
wolfSSL | 15:117db924cf7c | 15222 | privSz = length; |
wolfSSL | 15:117db924cf7c | 15223 | XMEMCPY(priv, &input[*inOutIdx], privSz); |
wolfSSL | 15:117db924cf7c | 15224 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 15225 | |
wolfSSL | 16:8e0d178b1d1e | 15226 | if ((*inOutIdx + 1) < inSz) { |
wolfSSL | 15:117db924cf7c | 15227 | /* prefix 0, may have */ |
wolfSSL | 15:117db924cf7c | 15228 | b = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 15229 | if (b == ECC_PREFIX_0) { |
wolfSSL | 15:117db924cf7c | 15230 | *inOutIdx += 1; |
wolfSSL | 15:117db924cf7c | 15231 | |
wolfSSL | 15:117db924cf7c | 15232 | if (GetLength(input, inOutIdx, &length, inSz) <= 0) |
wolfSSL | 15:117db924cf7c | 15233 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15234 | else { |
wolfSSL | 15:117db924cf7c | 15235 | ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, |
wolfSSL | 15:117db924cf7c | 15236 | inSz); |
wolfSSL | 15:117db924cf7c | 15237 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15238 | if ((ret = CheckCurve(oidSum)) < 0) |
wolfSSL | 15:117db924cf7c | 15239 | ret = ECC_CURVE_OID_E; |
wolfSSL | 15:117db924cf7c | 15240 | else { |
wolfSSL | 15:117db924cf7c | 15241 | curve_id = ret; |
wolfSSL | 15:117db924cf7c | 15242 | ret = 0; |
wolfSSL | 15:117db924cf7c | 15243 | } |
wolfSSL | 15:117db924cf7c | 15244 | } |
wolfSSL | 15:117db924cf7c | 15245 | } |
wolfSSL | 15:117db924cf7c | 15246 | } |
wolfSSL | 15:117db924cf7c | 15247 | } |
wolfSSL | 15:117db924cf7c | 15248 | |
wolfSSL | 15:117db924cf7c | 15249 | if (ret == 0 && (*inOutIdx + 1) < inSz) { |
wolfSSL | 15:117db924cf7c | 15250 | /* prefix 1 */ |
wolfSSL | 15:117db924cf7c | 15251 | b = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 15252 | *inOutIdx += 1; |
wolfSSL | 15:117db924cf7c | 15253 | |
wolfSSL | 15:117db924cf7c | 15254 | if (b != ECC_PREFIX_1) { |
wolfSSL | 15:117db924cf7c | 15255 | ret = ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15256 | } |
wolfSSL | 15:117db924cf7c | 15257 | else if (GetLength(input, inOutIdx, &length, inSz) <= 0) { |
wolfSSL | 15:117db924cf7c | 15258 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15259 | } |
wolfSSL | 15:117db924cf7c | 15260 | else { |
wolfSSL | 15:117db924cf7c | 15261 | /* key header */ |
wolfSSL | 15:117db924cf7c | 15262 | ret = CheckBitString(input, inOutIdx, &length, inSz, 0, NULL); |
wolfSSL | 15:117db924cf7c | 15263 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15264 | /* pub key */ |
wolfSSL | 15:117db924cf7c | 15265 | pubSz = length; |
wolfSSL | 15:117db924cf7c | 15266 | if (pubSz < 2*(ECC_MAXSIZE+1)) { |
wolfSSL | 15:117db924cf7c | 15267 | XMEMCPY(pub, &input[*inOutIdx], pubSz); |
wolfSSL | 15:117db924cf7c | 15268 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 15269 | pubData = pub; |
wolfSSL | 15:117db924cf7c | 15270 | } |
wolfSSL | 15:117db924cf7c | 15271 | else |
wolfSSL | 15:117db924cf7c | 15272 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15273 | } |
wolfSSL | 15:117db924cf7c | 15274 | } |
wolfSSL | 15:117db924cf7c | 15275 | } |
wolfSSL | 15:117db924cf7c | 15276 | |
wolfSSL | 15:117db924cf7c | 15277 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15278 | ret = wc_ecc_import_private_key_ex(priv, privSz, pubData, pubSz, key, |
wolfSSL | 15:117db924cf7c | 15279 | curve_id); |
wolfSSL | 15:117db924cf7c | 15280 | } |
wolfSSL | 15:117db924cf7c | 15281 | |
wolfSSL | 15:117db924cf7c | 15282 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 15283 | XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15284 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15285 | #endif |
wolfSSL | 15:117db924cf7c | 15286 | |
wolfSSL | 15:117db924cf7c | 15287 | return ret; |
wolfSSL | 15:117db924cf7c | 15288 | } |
wolfSSL | 15:117db924cf7c | 15289 | |
wolfSSL | 15:117db924cf7c | 15290 | |
wolfSSL | 15:117db924cf7c | 15291 | #ifdef WOLFSSL_CUSTOM_CURVES |
wolfSSL | 15:117db924cf7c | 15292 | static void ByteToHex(byte n, char* str) |
wolfSSL | 15:117db924cf7c | 15293 | { |
wolfSSL | 16:8e0d178b1d1e | 15294 | const char hexChar[] = { '0', '1', '2', '3', '4', '5', '6', '7', |
wolfSSL | 15:117db924cf7c | 15295 | '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; |
wolfSSL | 15:117db924cf7c | 15296 | |
wolfSSL | 15:117db924cf7c | 15297 | str[0] = hexChar[n >> 4]; |
wolfSSL | 15:117db924cf7c | 15298 | str[1] = hexChar[n & 0xf]; |
wolfSSL | 15:117db924cf7c | 15299 | } |
wolfSSL | 15:117db924cf7c | 15300 | |
wolfSSL | 15:117db924cf7c | 15301 | /* returns 0 on success */ |
wolfSSL | 15:117db924cf7c | 15302 | static int ASNToHexString(const byte* input, word32* inOutIdx, char** out, |
wolfSSL | 15:117db924cf7c | 15303 | word32 inSz, void* heap, int heapType) |
wolfSSL | 15:117db924cf7c | 15304 | { |
wolfSSL | 15:117db924cf7c | 15305 | int len; |
wolfSSL | 15:117db924cf7c | 15306 | int i; |
wolfSSL | 15:117db924cf7c | 15307 | char* str; |
wolfSSL | 16:8e0d178b1d1e | 15308 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 15309 | byte tag; |
wolfSSL | 15:117db924cf7c | 15310 | |
wolfSSL | 15:117db924cf7c | 15311 | if (*inOutIdx >= inSz) { |
wolfSSL | 15:117db924cf7c | 15312 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15313 | } |
wolfSSL | 15:117db924cf7c | 15314 | |
wolfSSL | 16:8e0d178b1d1e | 15315 | localIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15316 | if (GetASNTag(input, &localIdx, &tag, inSz) == 0 && tag == ASN_INTEGER) { |
wolfSSL | 15:117db924cf7c | 15317 | if (GetASNInt(input, inOutIdx, &len, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15318 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15319 | } |
wolfSSL | 15:117db924cf7c | 15320 | else { |
wolfSSL | 15:117db924cf7c | 15321 | if (GetOctetString(input, inOutIdx, &len, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15322 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15323 | } |
wolfSSL | 15:117db924cf7c | 15324 | |
wolfSSL | 15:117db924cf7c | 15325 | str = (char*)XMALLOC(len * 2 + 1, heap, heapType); |
wolfSSL | 15:117db924cf7c | 15326 | for (i=0; i<len; i++) |
wolfSSL | 15:117db924cf7c | 15327 | ByteToHex(input[*inOutIdx + i], str + i*2); |
wolfSSL | 15:117db924cf7c | 15328 | str[len*2] = '\0'; |
wolfSSL | 15:117db924cf7c | 15329 | |
wolfSSL | 15:117db924cf7c | 15330 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 15331 | *out = str; |
wolfSSL | 15:117db924cf7c | 15332 | |
wolfSSL | 16:8e0d178b1d1e | 15333 | (void)heap; |
wolfSSL | 16:8e0d178b1d1e | 15334 | (void)heapType; |
wolfSSL | 16:8e0d178b1d1e | 15335 | |
wolfSSL | 16:8e0d178b1d1e | 15336 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 15337 | } |
wolfSSL | 16:8e0d178b1d1e | 15338 | #endif /* WOLFSSL_CUSTOM_CURVES */ |
wolfSSL | 16:8e0d178b1d1e | 15339 | |
wolfSSL | 16:8e0d178b1d1e | 15340 | #ifdef WOLFSSL_CUSTOM_CURVES |
wolfSSL | 16:8e0d178b1d1e | 15341 | static int EccKeyParamCopy(char** dst, char* src) |
wolfSSL | 16:8e0d178b1d1e | 15342 | { |
wolfSSL | 16:8e0d178b1d1e | 15343 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 15344 | #ifdef WOLFSSL_ECC_CURVE_STATIC |
wolfSSL | 16:8e0d178b1d1e | 15345 | word32 length; |
wolfSSL | 16:8e0d178b1d1e | 15346 | #endif |
wolfSSL | 16:8e0d178b1d1e | 15347 | |
wolfSSL | 16:8e0d178b1d1e | 15348 | if (dst == NULL || src == NULL) |
wolfSSL | 16:8e0d178b1d1e | 15349 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 15350 | |
wolfSSL | 16:8e0d178b1d1e | 15351 | #ifndef WOLFSSL_ECC_CURVE_STATIC |
wolfSSL | 16:8e0d178b1d1e | 15352 | *dst = src; |
wolfSSL | 16:8e0d178b1d1e | 15353 | #else |
wolfSSL | 16:8e0d178b1d1e | 15354 | length = (int)XSTRLEN(src) + 1; |
wolfSSL | 16:8e0d178b1d1e | 15355 | if (length > MAX_ECC_STRING) { |
wolfSSL | 16:8e0d178b1d1e | 15356 | WOLFSSL_MSG("ECC Param too large for buffer"); |
wolfSSL | 16:8e0d178b1d1e | 15357 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15358 | } |
wolfSSL | 16:8e0d178b1d1e | 15359 | else { |
wolfSSL | 16:8e0d178b1d1e | 15360 | XSTRNCPY(*dst, src, length); |
wolfSSL | 16:8e0d178b1d1e | 15361 | } |
wolfSSL | 16:8e0d178b1d1e | 15362 | XFREE(src, key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15363 | #endif |
wolfSSL | 16:8e0d178b1d1e | 15364 | |
wolfSSL | 16:8e0d178b1d1e | 15365 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 15366 | } |
wolfSSL | 16:8e0d178b1d1e | 15367 | #endif /* WOLFSSL_CUSTOM_CURVES */ |
wolfSSL | 15:117db924cf7c | 15368 | |
wolfSSL | 15:117db924cf7c | 15369 | int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 15370 | ecc_key* key, word32 inSz) |
wolfSSL | 15:117db924cf7c | 15371 | { |
wolfSSL | 15:117db924cf7c | 15372 | int length; |
wolfSSL | 15:117db924cf7c | 15373 | int ret; |
wolfSSL | 15:117db924cf7c | 15374 | int curve_id = ECC_CURVE_DEF; |
wolfSSL | 16:8e0d178b1d1e | 15375 | word32 oidSum, localIdx; |
wolfSSL | 16:8e0d178b1d1e | 15376 | byte tag; |
wolfSSL | 15:117db924cf7c | 15377 | |
wolfSSL | 15:117db924cf7c | 15378 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 15:117db924cf7c | 15379 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15380 | |
wolfSSL | 15:117db924cf7c | 15381 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15382 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15383 | |
wolfSSL | 15:117db924cf7c | 15384 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15385 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15386 | |
wolfSSL | 15:117db924cf7c | 15387 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 15:117db924cf7c | 15388 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15389 | return ret; |
wolfSSL | 15:117db924cf7c | 15390 | |
wolfSSL | 15:117db924cf7c | 15391 | if (*inOutIdx >= inSz) { |
wolfSSL | 15:117db924cf7c | 15392 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15393 | } |
wolfSSL | 15:117db924cf7c | 15394 | |
wolfSSL | 16:8e0d178b1d1e | 15395 | localIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15396 | if (GetASNTag(input, &localIdx, &tag, inSz) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 15397 | tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { |
wolfSSL | 15:117db924cf7c | 15398 | #ifdef WOLFSSL_CUSTOM_CURVES |
wolfSSL | 15:117db924cf7c | 15399 | ecc_set_type* curve; |
wolfSSL | 15:117db924cf7c | 15400 | int len; |
wolfSSL | 16:8e0d178b1d1e | 15401 | char* point = NULL; |
wolfSSL | 15:117db924cf7c | 15402 | |
wolfSSL | 15:117db924cf7c | 15403 | ret = 0; |
wolfSSL | 15:117db924cf7c | 15404 | |
wolfSSL | 15:117db924cf7c | 15405 | curve = (ecc_set_type*)XMALLOC(sizeof(*curve), key->heap, |
wolfSSL | 15:117db924cf7c | 15406 | DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15407 | if (curve == NULL) |
wolfSSL | 15:117db924cf7c | 15408 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15409 | |
wolfSSL | 15:117db924cf7c | 15410 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15411 | static const char customName[] = "Custom"; |
wolfSSL | 15:117db924cf7c | 15412 | XMEMSET(curve, 0, sizeof(*curve)); |
wolfSSL | 16:8e0d178b1d1e | 15413 | #ifndef WOLFSSL_ECC_CURVE_STATIC |
wolfSSL | 16:8e0d178b1d1e | 15414 | curve->name = customName; |
wolfSSL | 16:8e0d178b1d1e | 15415 | #else |
wolfSSL | 16:8e0d178b1d1e | 15416 | XMEMCPY((void*)curve->name, customName, sizeof(customName)); |
wolfSSL | 16:8e0d178b1d1e | 15417 | #endif |
wolfSSL | 15:117db924cf7c | 15418 | curve->id = ECC_CURVE_CUSTOM; |
wolfSSL | 15:117db924cf7c | 15419 | |
wolfSSL | 15:117db924cf7c | 15420 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15421 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15422 | } |
wolfSSL | 15:117db924cf7c | 15423 | |
wolfSSL | 15:117db924cf7c | 15424 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15425 | GetInteger7Bit(input, inOutIdx, inSz); |
wolfSSL | 15:117db924cf7c | 15426 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15427 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15428 | } |
wolfSSL | 15:117db924cf7c | 15429 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15430 | char* p = NULL; |
wolfSSL | 15:117db924cf7c | 15431 | SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 15432 | ret = ASNToHexString(input, inOutIdx, &p, inSz, |
wolfSSL | 15:117db924cf7c | 15433 | key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15434 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 15435 | ret = EccKeyParamCopy((char**)&curve->prime, p); |
wolfSSL | 15:117db924cf7c | 15436 | } |
wolfSSL | 15:117db924cf7c | 15437 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15438 | curve->size = (int)XSTRLEN(curve->prime) / 2; |
wolfSSL | 15:117db924cf7c | 15439 | |
wolfSSL | 15:117db924cf7c | 15440 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15441 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15442 | } |
wolfSSL | 15:117db924cf7c | 15443 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15444 | char* af = NULL; |
wolfSSL | 16:8e0d178b1d1e | 15445 | ret = ASNToHexString(input, inOutIdx, &af, inSz, |
wolfSSL | 15:117db924cf7c | 15446 | key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15447 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 15448 | ret = EccKeyParamCopy((char**)&curve->Af, af); |
wolfSSL | 15:117db924cf7c | 15449 | } |
wolfSSL | 15:117db924cf7c | 15450 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15451 | char* bf = NULL; |
wolfSSL | 16:8e0d178b1d1e | 15452 | ret = ASNToHexString(input, inOutIdx, &bf, inSz, |
wolfSSL | 15:117db924cf7c | 15453 | key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15454 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 15455 | ret = EccKeyParamCopy((char**)&curve->Bf, bf); |
wolfSSL | 15:117db924cf7c | 15456 | } |
wolfSSL | 15:117db924cf7c | 15457 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15458 | localIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15459 | if (*inOutIdx < inSz && GetASNTag(input, &localIdx, &tag, inSz) |
wolfSSL | 16:8e0d178b1d1e | 15460 | == 0 && tag == ASN_BIT_STRING) { |
wolfSSL | 15:117db924cf7c | 15461 | len = 0; |
wolfSSL | 15:117db924cf7c | 15462 | ret = GetASNHeader(input, ASN_BIT_STRING, inOutIdx, &len, inSz); |
wolfSSL | 15:117db924cf7c | 15463 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 15464 | } |
wolfSSL | 15:117db924cf7c | 15465 | } |
wolfSSL | 15:117db924cf7c | 15466 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15467 | ret = ASNToHexString(input, inOutIdx, (char**)&point, inSz, |
wolfSSL | 15:117db924cf7c | 15468 | key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15469 | |
wolfSSL | 15:117db924cf7c | 15470 | /* sanity check that point buffer is not smaller than the expected |
wolfSSL | 15:117db924cf7c | 15471 | * size to hold ( 0 4 || Gx || Gy ) |
wolfSSL | 15:117db924cf7c | 15472 | * where Gx and Gy are each the size of curve->size * 2 */ |
wolfSSL | 15:117db924cf7c | 15473 | if (ret == 0 && (int)XSTRLEN(point) < (curve->size * 4) + 2) { |
wolfSSL | 15:117db924cf7c | 15474 | XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15475 | ret = BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15476 | } |
wolfSSL | 15:117db924cf7c | 15477 | } |
wolfSSL | 15:117db924cf7c | 15478 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15479 | #ifndef WOLFSSL_ECC_CURVE_STATIC |
wolfSSL | 15:117db924cf7c | 15480 | curve->Gx = (const char*)XMALLOC(curve->size * 2 + 2, key->heap, |
wolfSSL | 15:117db924cf7c | 15481 | DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15482 | curve->Gy = (const char*)XMALLOC(curve->size * 2 + 2, key->heap, |
wolfSSL | 15:117db924cf7c | 15483 | DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15484 | if (curve->Gx == NULL || curve->Gy == NULL) { |
wolfSSL | 15:117db924cf7c | 15485 | XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 15:117db924cf7c | 15486 | ret = MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15487 | } |
wolfSSL | 16:8e0d178b1d1e | 15488 | #else |
wolfSSL | 16:8e0d178b1d1e | 15489 | if (curve->size * 2 + 2 > MAX_ECC_STRING) { |
wolfSSL | 16:8e0d178b1d1e | 15490 | WOLFSSL_MSG("curve size is too large to fit in buffer"); |
wolfSSL | 16:8e0d178b1d1e | 15491 | ret = BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 15492 | } |
wolfSSL | 16:8e0d178b1d1e | 15493 | #endif |
wolfSSL | 15:117db924cf7c | 15494 | } |
wolfSSL | 15:117db924cf7c | 15495 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 15496 | char* o = NULL; |
wolfSSL | 16:8e0d178b1d1e | 15497 | |
wolfSSL | 15:117db924cf7c | 15498 | XMEMCPY((char*)curve->Gx, point + 2, curve->size * 2); |
wolfSSL | 15:117db924cf7c | 15499 | XMEMCPY((char*)curve->Gy, point + curve->size * 2 + 2, |
wolfSSL | 15:117db924cf7c | 15500 | curve->size * 2); |
wolfSSL | 15:117db924cf7c | 15501 | ((char*)curve->Gx)[curve->size * 2] = '\0'; |
wolfSSL | 15:117db924cf7c | 15502 | ((char*)curve->Gy)[curve->size * 2] = '\0'; |
wolfSSL | 15:117db924cf7c | 15503 | XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15504 | ret = ASNToHexString(input, inOutIdx, &o, inSz, |
wolfSSL | 15:117db924cf7c | 15505 | key->heap, DYNAMIC_TYPE_ECC_BUFFER); |
wolfSSL | 16:8e0d178b1d1e | 15506 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 15507 | ret = EccKeyParamCopy((char**)&curve->order, o); |
wolfSSL | 15:117db924cf7c | 15508 | } |
wolfSSL | 15:117db924cf7c | 15509 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 15510 | curve->cofactor = GetInteger7Bit(input, inOutIdx, inSz); |
wolfSSL | 15:117db924cf7c | 15511 | |
wolfSSL | 16:8e0d178b1d1e | 15512 | #ifndef WOLFSSL_ECC_CURVE_STATIC |
wolfSSL | 15:117db924cf7c | 15513 | curve->oid = NULL; |
wolfSSL | 16:8e0d178b1d1e | 15514 | #else |
wolfSSL | 16:8e0d178b1d1e | 15515 | XMEMSET((void*)curve->oid, 0, sizeof(curve->oid)); |
wolfSSL | 16:8e0d178b1d1e | 15516 | #endif |
wolfSSL | 15:117db924cf7c | 15517 | curve->oidSz = 0; |
wolfSSL | 15:117db924cf7c | 15518 | curve->oidSum = 0; |
wolfSSL | 15:117db924cf7c | 15519 | |
wolfSSL | 15:117db924cf7c | 15520 | if (wc_ecc_set_custom_curve(key, curve) < 0) { |
wolfSSL | 15:117db924cf7c | 15521 | ret = ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15522 | } |
wolfSSL | 16:8e0d178b1d1e | 15523 | #ifdef WOLFSSL_CUSTOM_CURVES |
wolfSSL | 15:117db924cf7c | 15524 | key->deallocSet = 1; |
wolfSSL | 16:8e0d178b1d1e | 15525 | #endif |
wolfSSL | 15:117db924cf7c | 15526 | curve = NULL; |
wolfSSL | 15:117db924cf7c | 15527 | } |
wolfSSL | 15:117db924cf7c | 15528 | if (curve != NULL) |
wolfSSL | 15:117db924cf7c | 15529 | wc_ecc_free_curve(curve, key->heap); |
wolfSSL | 15:117db924cf7c | 15530 | |
wolfSSL | 15:117db924cf7c | 15531 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 15532 | return ret; |
wolfSSL | 15:117db924cf7c | 15533 | #else |
wolfSSL | 15:117db924cf7c | 15534 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15535 | #endif /* WOLFSSL_CUSTOM_CURVES */ |
wolfSSL | 15:117db924cf7c | 15536 | } |
wolfSSL | 15:117db924cf7c | 15537 | else { |
wolfSSL | 15:117db924cf7c | 15538 | /* ecc params information */ |
wolfSSL | 15:117db924cf7c | 15539 | ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, inSz); |
wolfSSL | 15:117db924cf7c | 15540 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15541 | return ret; |
wolfSSL | 15:117db924cf7c | 15542 | |
wolfSSL | 15:117db924cf7c | 15543 | /* get curve id */ |
wolfSSL | 15:117db924cf7c | 15544 | curve_id = wc_ecc_get_oid(oidSum, NULL, 0); |
wolfSSL | 15:117db924cf7c | 15545 | if (curve_id < 0) |
wolfSSL | 15:117db924cf7c | 15546 | return ECC_CURVE_OID_E; |
wolfSSL | 15:117db924cf7c | 15547 | } |
wolfSSL | 15:117db924cf7c | 15548 | |
wolfSSL | 15:117db924cf7c | 15549 | /* key header */ |
wolfSSL | 16:8e0d178b1d1e | 15550 | ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL); |
wolfSSL | 15:117db924cf7c | 15551 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15552 | return ret; |
wolfSSL | 15:117db924cf7c | 15553 | |
wolfSSL | 15:117db924cf7c | 15554 | /* This is the raw point data compressed or uncompressed. */ |
wolfSSL | 16:8e0d178b1d1e | 15555 | if (wc_ecc_import_x963_ex(input + *inOutIdx, length, key, |
wolfSSL | 15:117db924cf7c | 15556 | curve_id) != 0) { |
wolfSSL | 15:117db924cf7c | 15557 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15558 | } |
wolfSSL | 15:117db924cf7c | 15559 | |
wolfSSL | 16:8e0d178b1d1e | 15560 | *inOutIdx += length; |
wolfSSL | 16:8e0d178b1d1e | 15561 | |
wolfSSL | 16:8e0d178b1d1e | 15562 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 15563 | } |
wolfSSL | 16:8e0d178b1d1e | 15564 | |
wolfSSL | 16:8e0d178b1d1e | 15565 | #if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) |
wolfSSL | 15:117db924cf7c | 15566 | /* build DER formatted ECC key, include optional public key if requested, |
wolfSSL | 15:117db924cf7c | 15567 | * return length on success, negative on error */ |
wolfSSL | 15:117db924cf7c | 15568 | static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen, |
wolfSSL | 15:117db924cf7c | 15569 | int pubIn) |
wolfSSL | 15:117db924cf7c | 15570 | { |
wolfSSL | 15:117db924cf7c | 15571 | byte curve[MAX_ALGO_SZ+2]; |
wolfSSL | 15:117db924cf7c | 15572 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 15:117db924cf7c | 15573 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 15574 | byte *prv = NULL, *pub = NULL; |
wolfSSL | 15:117db924cf7c | 15575 | int ret, totalSz, curveSz, verSz; |
wolfSSL | 15:117db924cf7c | 15576 | int privHdrSz = ASN_ECC_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 15577 | int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 15578 | |
wolfSSL | 15:117db924cf7c | 15579 | word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0; |
wolfSSL | 15:117db924cf7c | 15580 | word32 seqSz, privSz, pubSz = ECC_BUFSIZE; |
wolfSSL | 15:117db924cf7c | 15581 | |
wolfSSL | 15:117db924cf7c | 15582 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 15:117db924cf7c | 15583 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15584 | |
wolfSSL | 15:117db924cf7c | 15585 | /* curve */ |
wolfSSL | 15:117db924cf7c | 15586 | curve[curveidx++] = ECC_PREFIX_0; |
wolfSSL | 15:117db924cf7c | 15587 | curveidx++ /* to put the size after computation */; |
wolfSSL | 15:117db924cf7c | 15588 | curveSz = SetCurve(key, curve+curveidx); |
wolfSSL | 15:117db924cf7c | 15589 | if (curveSz < 0) |
wolfSSL | 15:117db924cf7c | 15590 | return curveSz; |
wolfSSL | 15:117db924cf7c | 15591 | /* set computed size */ |
wolfSSL | 15:117db924cf7c | 15592 | curve[1] = (byte)curveSz; |
wolfSSL | 15:117db924cf7c | 15593 | curveidx += curveSz; |
wolfSSL | 15:117db924cf7c | 15594 | |
wolfSSL | 15:117db924cf7c | 15595 | /* private */ |
wolfSSL | 15:117db924cf7c | 15596 | privSz = key->dp->size; |
wolfSSL | 15:117db924cf7c | 15597 | prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ, |
wolfSSL | 15:117db924cf7c | 15598 | key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15599 | if (prv == NULL) { |
wolfSSL | 15:117db924cf7c | 15600 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15601 | } |
wolfSSL | 15:117db924cf7c | 15602 | prvidx += SetOctetString8Bit(key->dp->size, &prv[prvidx]); |
wolfSSL | 15:117db924cf7c | 15603 | ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz); |
wolfSSL | 15:117db924cf7c | 15604 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 15605 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15606 | return ret; |
wolfSSL | 15:117db924cf7c | 15607 | } |
wolfSSL | 15:117db924cf7c | 15608 | prvidx += privSz; |
wolfSSL | 15:117db924cf7c | 15609 | |
wolfSSL | 15:117db924cf7c | 15610 | /* pubIn */ |
wolfSSL | 15:117db924cf7c | 15611 | if (pubIn) { |
wolfSSL | 15:117db924cf7c | 15612 | ret = wc_ecc_export_x963(key, NULL, &pubSz); |
wolfSSL | 15:117db924cf7c | 15613 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 15:117db924cf7c | 15614 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15615 | return ret; |
wolfSSL | 15:117db924cf7c | 15616 | } |
wolfSSL | 15:117db924cf7c | 15617 | |
wolfSSL | 15:117db924cf7c | 15618 | pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ, |
wolfSSL | 15:117db924cf7c | 15619 | key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15620 | if (pub == NULL) { |
wolfSSL | 15:117db924cf7c | 15621 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15622 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15623 | } |
wolfSSL | 15:117db924cf7c | 15624 | |
wolfSSL | 15:117db924cf7c | 15625 | pub[pubidx++] = ECC_PREFIX_1; |
wolfSSL | 15:117db924cf7c | 15626 | if (pubSz > 128) /* leading zero + extra size byte */ |
wolfSSL | 15:117db924cf7c | 15627 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx); |
wolfSSL | 15:117db924cf7c | 15628 | else /* leading zero */ |
wolfSSL | 15:117db924cf7c | 15629 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx); |
wolfSSL | 15:117db924cf7c | 15630 | |
wolfSSL | 15:117db924cf7c | 15631 | /* SetBitString adds leading zero */ |
wolfSSL | 15:117db924cf7c | 15632 | pubidx += SetBitString(pubSz, 0, pub + pubidx); |
wolfSSL | 15:117db924cf7c | 15633 | ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz); |
wolfSSL | 15:117db924cf7c | 15634 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 15635 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15636 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15637 | return ret; |
wolfSSL | 15:117db924cf7c | 15638 | } |
wolfSSL | 15:117db924cf7c | 15639 | pubidx += pubSz; |
wolfSSL | 15:117db924cf7c | 15640 | } |
wolfSSL | 15:117db924cf7c | 15641 | |
wolfSSL | 15:117db924cf7c | 15642 | /* make headers */ |
wolfSSL | 15:117db924cf7c | 15643 | verSz = SetMyVersion(1, ver, FALSE); |
wolfSSL | 15:117db924cf7c | 15644 | seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq); |
wolfSSL | 15:117db924cf7c | 15645 | |
wolfSSL | 15:117db924cf7c | 15646 | totalSz = prvidx + pubidx + curveidx + verSz + seqSz; |
wolfSSL | 15:117db924cf7c | 15647 | if (totalSz > (int)inLen) { |
wolfSSL | 15:117db924cf7c | 15648 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15649 | if (pubIn) { |
wolfSSL | 15:117db924cf7c | 15650 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15651 | } |
wolfSSL | 15:117db924cf7c | 15652 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15653 | } |
wolfSSL | 15:117db924cf7c | 15654 | |
wolfSSL | 15:117db924cf7c | 15655 | /* write out */ |
wolfSSL | 15:117db924cf7c | 15656 | /* seq */ |
wolfSSL | 15:117db924cf7c | 15657 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 15:117db924cf7c | 15658 | idx = seqSz; |
wolfSSL | 15:117db924cf7c | 15659 | |
wolfSSL | 15:117db924cf7c | 15660 | /* ver */ |
wolfSSL | 15:117db924cf7c | 15661 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 15:117db924cf7c | 15662 | idx += verSz; |
wolfSSL | 15:117db924cf7c | 15663 | |
wolfSSL | 15:117db924cf7c | 15664 | /* private */ |
wolfSSL | 15:117db924cf7c | 15665 | XMEMCPY(output + idx, prv, prvidx); |
wolfSSL | 15:117db924cf7c | 15666 | idx += prvidx; |
wolfSSL | 15:117db924cf7c | 15667 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15668 | |
wolfSSL | 15:117db924cf7c | 15669 | /* curve */ |
wolfSSL | 15:117db924cf7c | 15670 | XMEMCPY(output + idx, curve, curveidx); |
wolfSSL | 15:117db924cf7c | 15671 | idx += curveidx; |
wolfSSL | 15:117db924cf7c | 15672 | |
wolfSSL | 15:117db924cf7c | 15673 | /* pubIn */ |
wolfSSL | 15:117db924cf7c | 15674 | if (pubIn) { |
wolfSSL | 15:117db924cf7c | 15675 | XMEMCPY(output + idx, pub, pubidx); |
wolfSSL | 15:117db924cf7c | 15676 | /* idx += pubidx; not used after write, if more data remove comment */ |
wolfSSL | 15:117db924cf7c | 15677 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15678 | } |
wolfSSL | 15:117db924cf7c | 15679 | |
wolfSSL | 15:117db924cf7c | 15680 | return totalSz; |
wolfSSL | 15:117db924cf7c | 15681 | } |
wolfSSL | 15:117db924cf7c | 15682 | |
wolfSSL | 15:117db924cf7c | 15683 | /* Write a Private ecc key, including public to DER format, |
wolfSSL | 15:117db924cf7c | 15684 | * length on success else < 0 */ |
wolfSSL | 15:117db924cf7c | 15685 | int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 15686 | { |
wolfSSL | 15:117db924cf7c | 15687 | return wc_BuildEccKeyDer(key, output, inLen, 1); |
wolfSSL | 15:117db924cf7c | 15688 | } |
wolfSSL | 15:117db924cf7c | 15689 | |
wolfSSL | 15:117db924cf7c | 15690 | |
wolfSSL | 15:117db924cf7c | 15691 | /* Write only private ecc key to DER format, |
wolfSSL | 15:117db924cf7c | 15692 | * length on success else < 0 */ |
wolfSSL | 15:117db924cf7c | 15693 | int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 15694 | { |
wolfSSL | 15:117db924cf7c | 15695 | return wc_BuildEccKeyDer(key, output, inLen, 0); |
wolfSSL | 15:117db924cf7c | 15696 | } |
wolfSSL | 15:117db924cf7c | 15697 | |
wolfSSL | 16:8e0d178b1d1e | 15698 | #ifdef HAVE_PKCS8 |
wolfSSL | 15:117db924cf7c | 15699 | /* Write only private ecc key to unencrypted PKCS#8 format. |
wolfSSL | 15:117db924cf7c | 15700 | * |
wolfSSL | 15:117db924cf7c | 15701 | * If output is NULL, places required PKCS#8 buffer size in outLen and |
wolfSSL | 15:117db924cf7c | 15702 | * returns LENGTH_ONLY_E. |
wolfSSL | 15:117db924cf7c | 15703 | * |
wolfSSL | 15:117db924cf7c | 15704 | * return length on success else < 0 */ |
wolfSSL | 15:117db924cf7c | 15705 | int wc_EccPrivateKeyToPKCS8(ecc_key* key, byte* output, word32* outLen) |
wolfSSL | 15:117db924cf7c | 15706 | { |
wolfSSL | 15:117db924cf7c | 15707 | int ret, tmpDerSz; |
wolfSSL | 15:117db924cf7c | 15708 | int algoID = 0; |
wolfSSL | 15:117db924cf7c | 15709 | word32 oidSz = 0; |
wolfSSL | 15:117db924cf7c | 15710 | word32 pkcs8Sz = 0; |
wolfSSL | 15:117db924cf7c | 15711 | const byte* curveOID = NULL; |
wolfSSL | 15:117db924cf7c | 15712 | byte* tmpDer = NULL; |
wolfSSL | 15:117db924cf7c | 15713 | |
wolfSSL | 15:117db924cf7c | 15714 | if (key == NULL || outLen == NULL) |
wolfSSL | 15:117db924cf7c | 15715 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15716 | |
wolfSSL | 15:117db924cf7c | 15717 | /* set algoID, get curve OID */ |
wolfSSL | 15:117db924cf7c | 15718 | algoID = ECDSAk; |
wolfSSL | 15:117db924cf7c | 15719 | ret = wc_ecc_get_oid(key->dp->oidSum, &curveOID, &oidSz); |
wolfSSL | 15:117db924cf7c | 15720 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 15721 | return ret; |
wolfSSL | 15:117db924cf7c | 15722 | |
wolfSSL | 15:117db924cf7c | 15723 | /* temp buffer for plain DER key */ |
wolfSSL | 15:117db924cf7c | 15724 | tmpDer = (byte*)XMALLOC(ECC_BUFSIZE, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15725 | if (tmpDer == NULL) |
wolfSSL | 15:117db924cf7c | 15726 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 15727 | |
wolfSSL | 15:117db924cf7c | 15728 | XMEMSET(tmpDer, 0, ECC_BUFSIZE); |
wolfSSL | 15:117db924cf7c | 15729 | |
wolfSSL | 15:117db924cf7c | 15730 | tmpDerSz = wc_BuildEccKeyDer(key, tmpDer, ECC_BUFSIZE, 0); |
wolfSSL | 15:117db924cf7c | 15731 | if (tmpDerSz < 0) { |
wolfSSL | 15:117db924cf7c | 15732 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15733 | return tmpDerSz; |
wolfSSL | 15:117db924cf7c | 15734 | } |
wolfSSL | 15:117db924cf7c | 15735 | |
wolfSSL | 15:117db924cf7c | 15736 | /* get pkcs8 expected output size */ |
wolfSSL | 15:117db924cf7c | 15737 | ret = wc_CreatePKCS8Key(NULL, &pkcs8Sz, tmpDer, tmpDerSz, algoID, |
wolfSSL | 15:117db924cf7c | 15738 | curveOID, oidSz); |
wolfSSL | 15:117db924cf7c | 15739 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 15:117db924cf7c | 15740 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15741 | return ret; |
wolfSSL | 15:117db924cf7c | 15742 | } |
wolfSSL | 15:117db924cf7c | 15743 | |
wolfSSL | 15:117db924cf7c | 15744 | if (output == NULL) { |
wolfSSL | 15:117db924cf7c | 15745 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15746 | *outLen = pkcs8Sz; |
wolfSSL | 15:117db924cf7c | 15747 | return LENGTH_ONLY_E; |
wolfSSL | 15:117db924cf7c | 15748 | |
wolfSSL | 15:117db924cf7c | 15749 | } else if (*outLen < pkcs8Sz) { |
wolfSSL | 15:117db924cf7c | 15750 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15751 | WOLFSSL_MSG("Input buffer too small for ECC PKCS#8 key"); |
wolfSSL | 15:117db924cf7c | 15752 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 15753 | } |
wolfSSL | 15:117db924cf7c | 15754 | |
wolfSSL | 15:117db924cf7c | 15755 | ret = wc_CreatePKCS8Key(output, &pkcs8Sz, tmpDer, tmpDerSz, |
wolfSSL | 15:117db924cf7c | 15756 | algoID, curveOID, oidSz); |
wolfSSL | 15:117db924cf7c | 15757 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 15758 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15759 | return ret; |
wolfSSL | 15:117db924cf7c | 15760 | } |
wolfSSL | 15:117db924cf7c | 15761 | |
wolfSSL | 15:117db924cf7c | 15762 | XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 15763 | |
wolfSSL | 15:117db924cf7c | 15764 | *outLen = ret; |
wolfSSL | 15:117db924cf7c | 15765 | return ret; |
wolfSSL | 15:117db924cf7c | 15766 | } |
wolfSSL | 16:8e0d178b1d1e | 15767 | #endif /* HAVE_PKCS8 */ |
wolfSSL | 16:8e0d178b1d1e | 15768 | #endif /* HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 15769 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 15770 | |
wolfSSL | 15:117db924cf7c | 15771 | |
wolfSSL | 15:117db924cf7c | 15772 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 15773 | |
wolfSSL | 15:117db924cf7c | 15774 | int wc_Ed25519PrivateKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 15775 | ed25519_key* key, word32 inSz) |
wolfSSL | 15:117db924cf7c | 15776 | { |
wolfSSL | 15:117db924cf7c | 15777 | word32 oid; |
wolfSSL | 15:117db924cf7c | 15778 | int ret, version, length, endKeyIdx, privSz, pubSz; |
wolfSSL | 15:117db924cf7c | 15779 | const byte* priv; |
wolfSSL | 15:117db924cf7c | 15780 | const byte* pub; |
wolfSSL | 15:117db924cf7c | 15781 | |
wolfSSL | 15:117db924cf7c | 15782 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 15:117db924cf7c | 15783 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15784 | |
wolfSSL | 15:117db924cf7c | 15785 | if (GetSequence(input, inOutIdx, &length, inSz) >= 0) { |
wolfSSL | 15:117db924cf7c | 15786 | endKeyIdx = *inOutIdx + length; |
wolfSSL | 15:117db924cf7c | 15787 | |
wolfSSL | 15:117db924cf7c | 15788 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15789 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15790 | if (version != 0) { |
wolfSSL | 15:117db924cf7c | 15791 | WOLFSSL_MSG("Unrecognized version of ED25519 private key"); |
wolfSSL | 15:117db924cf7c | 15792 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15793 | } |
wolfSSL | 15:117db924cf7c | 15794 | |
wolfSSL | 15:117db924cf7c | 15795 | if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15796 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15797 | if (oid != ED25519k) |
wolfSSL | 15:117db924cf7c | 15798 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15799 | |
wolfSSL | 15:117db924cf7c | 15800 | if (GetOctetString(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15801 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15802 | |
wolfSSL | 15:117db924cf7c | 15803 | if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15804 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15805 | |
wolfSSL | 15:117db924cf7c | 15806 | priv = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 15807 | *inOutIdx += privSz; |
wolfSSL | 15:117db924cf7c | 15808 | } |
wolfSSL | 15:117db924cf7c | 15809 | else { |
wolfSSL | 15:117db924cf7c | 15810 | if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15811 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15812 | |
wolfSSL | 16:8e0d178b1d1e | 15813 | if (privSz != 32) |
wolfSSL | 16:8e0d178b1d1e | 15814 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15815 | |
wolfSSL | 15:117db924cf7c | 15816 | priv = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 15817 | *inOutIdx += privSz; |
wolfSSL | 15:117db924cf7c | 15818 | endKeyIdx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 15819 | } |
wolfSSL | 15:117db924cf7c | 15820 | |
wolfSSL | 15:117db924cf7c | 15821 | if (endKeyIdx == (int)*inOutIdx) { |
wolfSSL | 15:117db924cf7c | 15822 | ret = wc_ed25519_import_private_only(priv, privSz, key); |
wolfSSL | 15:117db924cf7c | 15823 | } |
wolfSSL | 15:117db924cf7c | 15824 | else { |
wolfSSL | 15:117db924cf7c | 15825 | if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1, |
wolfSSL | 15:117db924cf7c | 15826 | inOutIdx, &length, inSz) < 0) { |
wolfSSL | 15:117db924cf7c | 15827 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15828 | } |
wolfSSL | 15:117db924cf7c | 15829 | if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15830 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15831 | pub = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 15832 | *inOutIdx += pubSz; |
wolfSSL | 15:117db924cf7c | 15833 | |
wolfSSL | 15:117db924cf7c | 15834 | ret = wc_ed25519_import_private_key(priv, privSz, pub, pubSz, key); |
wolfSSL | 15:117db924cf7c | 15835 | } |
wolfSSL | 15:117db924cf7c | 15836 | if (ret == 0 && endKeyIdx != (int)*inOutIdx) |
wolfSSL | 15:117db924cf7c | 15837 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15838 | |
wolfSSL | 15:117db924cf7c | 15839 | return ret; |
wolfSSL | 15:117db924cf7c | 15840 | } |
wolfSSL | 15:117db924cf7c | 15841 | |
wolfSSL | 15:117db924cf7c | 15842 | |
wolfSSL | 15:117db924cf7c | 15843 | int wc_Ed25519PublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 15844 | ed25519_key* key, word32 inSz) |
wolfSSL | 15:117db924cf7c | 15845 | { |
wolfSSL | 15:117db924cf7c | 15846 | int length; |
wolfSSL | 15:117db924cf7c | 15847 | int ret; |
wolfSSL | 15:117db924cf7c | 15848 | |
wolfSSL | 15:117db924cf7c | 15849 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 15:117db924cf7c | 15850 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15851 | |
wolfSSL | 15:117db924cf7c | 15852 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15853 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15854 | |
wolfSSL | 15:117db924cf7c | 15855 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 15:117db924cf7c | 15856 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 15857 | |
wolfSSL | 15:117db924cf7c | 15858 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 15:117db924cf7c | 15859 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15860 | return ret; |
wolfSSL | 15:117db924cf7c | 15861 | |
wolfSSL | 15:117db924cf7c | 15862 | /* key header */ |
wolfSSL | 15:117db924cf7c | 15863 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 15:117db924cf7c | 15864 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15865 | return ret; |
wolfSSL | 15:117db924cf7c | 15866 | |
wolfSSL | 15:117db924cf7c | 15867 | /* This is the raw point data compressed or uncompressed. */ |
wolfSSL | 15:117db924cf7c | 15868 | if (wc_ed25519_import_public(input + *inOutIdx, inSz - *inOutIdx, key) != 0) |
wolfSSL | 15:117db924cf7c | 15869 | return ASN_ECC_KEY_E; |
wolfSSL | 15:117db924cf7c | 15870 | |
wolfSSL | 15:117db924cf7c | 15871 | return 0; |
wolfSSL | 15:117db924cf7c | 15872 | } |
wolfSSL | 15:117db924cf7c | 15873 | |
wolfSSL | 15:117db924cf7c | 15874 | |
wolfSSL | 15:117db924cf7c | 15875 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 15:117db924cf7c | 15876 | |
wolfSSL | 15:117db924cf7c | 15877 | /* build DER formatted ED25519 key, |
wolfSSL | 15:117db924cf7c | 15878 | * return length on success, negative on error */ |
wolfSSL | 15:117db924cf7c | 15879 | static int wc_BuildEd25519KeyDer(ed25519_key* key, byte* output, word32 inLen, |
wolfSSL | 15:117db924cf7c | 15880 | int pubOut) |
wolfSSL | 15:117db924cf7c | 15881 | { |
wolfSSL | 15:117db924cf7c | 15882 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 15883 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 15:117db924cf7c | 15884 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 15885 | int ret; |
wolfSSL | 15:117db924cf7c | 15886 | word32 idx = 0, seqSz, verSz, algoSz, privSz, pubSz = 0; |
wolfSSL | 15:117db924cf7c | 15887 | |
wolfSSL | 15:117db924cf7c | 15888 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 15:117db924cf7c | 15889 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15890 | |
wolfSSL | 15:117db924cf7c | 15891 | if (pubOut) |
wolfSSL | 15:117db924cf7c | 15892 | pubSz = 2 + 2 + ED25519_PUB_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 15893 | privSz = 2 + 2 + ED25519_KEY_SIZE; |
wolfSSL | 15:117db924cf7c | 15894 | algoSz = SetAlgoID(ED25519k, algoArray, oidKeyType, 0); |
wolfSSL | 15:117db924cf7c | 15895 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 15:117db924cf7c | 15896 | seqSz = SetSequence(verSz + algoSz + privSz + pubSz, seq); |
wolfSSL | 15:117db924cf7c | 15897 | |
wolfSSL | 15:117db924cf7c | 15898 | if (seqSz + verSz + algoSz + privSz + pubSz > inLen) |
wolfSSL | 15:117db924cf7c | 15899 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 15900 | |
wolfSSL | 15:117db924cf7c | 15901 | /* write out */ |
wolfSSL | 15:117db924cf7c | 15902 | /* seq */ |
wolfSSL | 15:117db924cf7c | 15903 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 15:117db924cf7c | 15904 | idx = seqSz; |
wolfSSL | 15:117db924cf7c | 15905 | /* ver */ |
wolfSSL | 15:117db924cf7c | 15906 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 15:117db924cf7c | 15907 | idx += verSz; |
wolfSSL | 15:117db924cf7c | 15908 | /* algo */ |
wolfSSL | 15:117db924cf7c | 15909 | XMEMCPY(output + idx, algoArray, algoSz); |
wolfSSL | 15:117db924cf7c | 15910 | idx += algoSz; |
wolfSSL | 15:117db924cf7c | 15911 | /* privKey */ |
wolfSSL | 15:117db924cf7c | 15912 | idx += SetOctetString(2 + ED25519_KEY_SIZE, output + idx); |
wolfSSL | 15:117db924cf7c | 15913 | idx += SetOctetString(ED25519_KEY_SIZE, output + idx); |
wolfSSL | 15:117db924cf7c | 15914 | ret = wc_ed25519_export_private_only(key, output + idx, &privSz); |
wolfSSL | 15:117db924cf7c | 15915 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15916 | return ret; |
wolfSSL | 15:117db924cf7c | 15917 | idx += privSz; |
wolfSSL | 15:117db924cf7c | 15918 | /* pubKey */ |
wolfSSL | 15:117db924cf7c | 15919 | if (pubOut) { |
wolfSSL | 15:117db924cf7c | 15920 | idx += SetExplicit(1, 2 + ED25519_PUB_KEY_SIZE, output + idx); |
wolfSSL | 15:117db924cf7c | 15921 | idx += SetOctetString(ED25519_KEY_SIZE, output + idx); |
wolfSSL | 15:117db924cf7c | 15922 | ret = wc_ed25519_export_public(key, output + idx, &pubSz); |
wolfSSL | 15:117db924cf7c | 15923 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 15924 | return ret; |
wolfSSL | 15:117db924cf7c | 15925 | idx += pubSz; |
wolfSSL | 15:117db924cf7c | 15926 | } |
wolfSSL | 15:117db924cf7c | 15927 | |
wolfSSL | 15:117db924cf7c | 15928 | return idx; |
wolfSSL | 15:117db924cf7c | 15929 | } |
wolfSSL | 15:117db924cf7c | 15930 | |
wolfSSL | 15:117db924cf7c | 15931 | /* Write a Private ecc key, including public to DER format, |
wolfSSL | 15:117db924cf7c | 15932 | * length on success else < 0 */ |
wolfSSL | 15:117db924cf7c | 15933 | int wc_Ed25519KeyToDer(ed25519_key* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 15934 | { |
wolfSSL | 15:117db924cf7c | 15935 | return wc_BuildEd25519KeyDer(key, output, inLen, 1); |
wolfSSL | 15:117db924cf7c | 15936 | } |
wolfSSL | 15:117db924cf7c | 15937 | |
wolfSSL | 15:117db924cf7c | 15938 | |
wolfSSL | 15:117db924cf7c | 15939 | |
wolfSSL | 15:117db924cf7c | 15940 | /* Write only private ecc key to DER format, |
wolfSSL | 15:117db924cf7c | 15941 | * length on success else < 0 */ |
wolfSSL | 15:117db924cf7c | 15942 | int wc_Ed25519PrivateKeyToDer(ed25519_key* key, byte* output, word32 inLen) |
wolfSSL | 15:117db924cf7c | 15943 | { |
wolfSSL | 15:117db924cf7c | 15944 | return wc_BuildEd25519KeyDer(key, output, inLen, 0); |
wolfSSL | 15:117db924cf7c | 15945 | } |
wolfSSL | 15:117db924cf7c | 15946 | |
wolfSSL | 15:117db924cf7c | 15947 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 15:117db924cf7c | 15948 | |
wolfSSL | 16:8e0d178b1d1e | 15949 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 15950 | |
wolfSSL | 16:8e0d178b1d1e | 15951 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 15952 | |
wolfSSL | 16:8e0d178b1d1e | 15953 | int wc_Ed448PrivateKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 16:8e0d178b1d1e | 15954 | ed448_key* key, word32 inSz) |
wolfSSL | 16:8e0d178b1d1e | 15955 | { |
wolfSSL | 16:8e0d178b1d1e | 15956 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 15957 | int ret, version, length, endKeyIdx, privSz, pubSz; |
wolfSSL | 16:8e0d178b1d1e | 15958 | const byte* priv; |
wolfSSL | 16:8e0d178b1d1e | 15959 | const byte* pub; |
wolfSSL | 16:8e0d178b1d1e | 15960 | |
wolfSSL | 16:8e0d178b1d1e | 15961 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 16:8e0d178b1d1e | 15962 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 15963 | |
wolfSSL | 16:8e0d178b1d1e | 15964 | if (GetSequence(input, inOutIdx, &length, inSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 15965 | endKeyIdx = *inOutIdx + length; |
wolfSSL | 16:8e0d178b1d1e | 15966 | |
wolfSSL | 16:8e0d178b1d1e | 15967 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 15968 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15969 | if (version != 0) { |
wolfSSL | 16:8e0d178b1d1e | 15970 | WOLFSSL_MSG("Unrecognized version of ED448 private key"); |
wolfSSL | 16:8e0d178b1d1e | 15971 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15972 | } |
wolfSSL | 16:8e0d178b1d1e | 15973 | |
wolfSSL | 16:8e0d178b1d1e | 15974 | if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 15975 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15976 | if (oid != ED448k) |
wolfSSL | 16:8e0d178b1d1e | 15977 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15978 | |
wolfSSL | 16:8e0d178b1d1e | 15979 | if (GetOctetString(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 15980 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15981 | |
wolfSSL | 16:8e0d178b1d1e | 15982 | if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 15983 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15984 | |
wolfSSL | 16:8e0d178b1d1e | 15985 | priv = input + *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15986 | *inOutIdx += privSz; |
wolfSSL | 16:8e0d178b1d1e | 15987 | } |
wolfSSL | 16:8e0d178b1d1e | 15988 | else { |
wolfSSL | 16:8e0d178b1d1e | 15989 | if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 15990 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15991 | |
wolfSSL | 16:8e0d178b1d1e | 15992 | if (privSz != 57) |
wolfSSL | 16:8e0d178b1d1e | 15993 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 15994 | |
wolfSSL | 16:8e0d178b1d1e | 15995 | priv = input + *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15996 | *inOutIdx += privSz; |
wolfSSL | 16:8e0d178b1d1e | 15997 | endKeyIdx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 15998 | } |
wolfSSL | 16:8e0d178b1d1e | 15999 | |
wolfSSL | 16:8e0d178b1d1e | 16000 | if (endKeyIdx == (int)*inOutIdx) { |
wolfSSL | 16:8e0d178b1d1e | 16001 | ret = wc_ed448_import_private_only(priv, privSz, key); |
wolfSSL | 16:8e0d178b1d1e | 16002 | } |
wolfSSL | 16:8e0d178b1d1e | 16003 | else { |
wolfSSL | 16:8e0d178b1d1e | 16004 | if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1, |
wolfSSL | 16:8e0d178b1d1e | 16005 | inOutIdx, &length, inSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 16006 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16007 | } |
wolfSSL | 16:8e0d178b1d1e | 16008 | if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16009 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16010 | pub = input + *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 16011 | *inOutIdx += pubSz; |
wolfSSL | 16:8e0d178b1d1e | 16012 | |
wolfSSL | 16:8e0d178b1d1e | 16013 | ret = wc_ed448_import_private_key(priv, privSz, pub, pubSz, key); |
wolfSSL | 16:8e0d178b1d1e | 16014 | } |
wolfSSL | 16:8e0d178b1d1e | 16015 | if (ret == 0 && endKeyIdx != (int)*inOutIdx) |
wolfSSL | 16:8e0d178b1d1e | 16016 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16017 | |
wolfSSL | 16:8e0d178b1d1e | 16018 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 16019 | } |
wolfSSL | 16:8e0d178b1d1e | 16020 | |
wolfSSL | 16:8e0d178b1d1e | 16021 | |
wolfSSL | 16:8e0d178b1d1e | 16022 | int wc_Ed448PublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 16:8e0d178b1d1e | 16023 | ed448_key* key, word32 inSz) |
wolfSSL | 16:8e0d178b1d1e | 16024 | { |
wolfSSL | 16:8e0d178b1d1e | 16025 | int length; |
wolfSSL | 16:8e0d178b1d1e | 16026 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 16027 | |
wolfSSL | 16:8e0d178b1d1e | 16028 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 16:8e0d178b1d1e | 16029 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 16030 | |
wolfSSL | 16:8e0d178b1d1e | 16031 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16032 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16033 | |
wolfSSL | 16:8e0d178b1d1e | 16034 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16035 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16036 | |
wolfSSL | 16:8e0d178b1d1e | 16037 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 16:8e0d178b1d1e | 16038 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 16039 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 16040 | |
wolfSSL | 16:8e0d178b1d1e | 16041 | /* key header */ |
wolfSSL | 16:8e0d178b1d1e | 16042 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 16:8e0d178b1d1e | 16043 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 16044 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 16045 | |
wolfSSL | 16:8e0d178b1d1e | 16046 | /* This is the raw point data compressed or uncompressed. */ |
wolfSSL | 16:8e0d178b1d1e | 16047 | if (wc_ed448_import_public(input + *inOutIdx, inSz - *inOutIdx, key) != 0) |
wolfSSL | 16:8e0d178b1d1e | 16048 | return ASN_ECC_KEY_E; |
wolfSSL | 16:8e0d178b1d1e | 16049 | |
wolfSSL | 16:8e0d178b1d1e | 16050 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 16051 | } |
wolfSSL | 16:8e0d178b1d1e | 16052 | |
wolfSSL | 16:8e0d178b1d1e | 16053 | |
wolfSSL | 16:8e0d178b1d1e | 16054 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 16:8e0d178b1d1e | 16055 | |
wolfSSL | 16:8e0d178b1d1e | 16056 | /* build DER formatted ED448 key, |
wolfSSL | 16:8e0d178b1d1e | 16057 | * return length on success, negative on error */ |
wolfSSL | 16:8e0d178b1d1e | 16058 | static int wc_BuildEd448KeyDer(ed448_key* key, byte* output, word32 inLen, |
wolfSSL | 16:8e0d178b1d1e | 16059 | int pubOut) |
wolfSSL | 16:8e0d178b1d1e | 16060 | { |
wolfSSL | 16:8e0d178b1d1e | 16061 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 16062 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 16063 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 16:8e0d178b1d1e | 16064 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 16065 | word32 idx = 0, seqSz, verSz, algoSz, privSz, pubSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 16066 | |
wolfSSL | 16:8e0d178b1d1e | 16067 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 16:8e0d178b1d1e | 16068 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 16069 | |
wolfSSL | 16:8e0d178b1d1e | 16070 | if (pubOut) { |
wolfSSL | 16:8e0d178b1d1e | 16071 | pubSz = 2 + 2 + ED448_PUB_KEY_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 16072 | } |
wolfSSL | 16:8e0d178b1d1e | 16073 | privSz = 2 + 2 + ED448_KEY_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 16074 | algoSz = SetAlgoID(ED448k, algoArray, oidKeyType, 0); |
wolfSSL | 16:8e0d178b1d1e | 16075 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 16:8e0d178b1d1e | 16076 | seqSz = SetSequence(verSz + algoSz + privSz + pubSz, seq); |
wolfSSL | 16:8e0d178b1d1e | 16077 | |
wolfSSL | 16:8e0d178b1d1e | 16078 | if (seqSz + verSz + algoSz + privSz + pubSz > inLen) |
wolfSSL | 16:8e0d178b1d1e | 16079 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 16080 | |
wolfSSL | 16:8e0d178b1d1e | 16081 | /* write out */ |
wolfSSL | 16:8e0d178b1d1e | 16082 | /* seq */ |
wolfSSL | 16:8e0d178b1d1e | 16083 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 16:8e0d178b1d1e | 16084 | idx = seqSz; |
wolfSSL | 16:8e0d178b1d1e | 16085 | /* ver */ |
wolfSSL | 16:8e0d178b1d1e | 16086 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 16:8e0d178b1d1e | 16087 | idx += verSz; |
wolfSSL | 16:8e0d178b1d1e | 16088 | /* algo */ |
wolfSSL | 16:8e0d178b1d1e | 16089 | XMEMCPY(output + idx, algoArray, algoSz); |
wolfSSL | 16:8e0d178b1d1e | 16090 | idx += algoSz; |
wolfSSL | 16:8e0d178b1d1e | 16091 | /* privKey */ |
wolfSSL | 16:8e0d178b1d1e | 16092 | idx += SetOctetString(2 + ED448_KEY_SIZE, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 16093 | idx += SetOctetString(ED448_KEY_SIZE, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 16094 | ret = wc_ed448_export_private_only(key, output + idx, &privSz); |
wolfSSL | 16:8e0d178b1d1e | 16095 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 16096 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 16097 | idx += privSz; |
wolfSSL | 16:8e0d178b1d1e | 16098 | /* pubKey */ |
wolfSSL | 16:8e0d178b1d1e | 16099 | if (pubOut) { |
wolfSSL | 16:8e0d178b1d1e | 16100 | idx += SetExplicit(1, 2 + ED448_PUB_KEY_SIZE, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 16101 | idx += SetOctetString(ED448_KEY_SIZE, output + idx); |
wolfSSL | 16:8e0d178b1d1e | 16102 | ret = wc_ed448_export_public(key, output + idx, &pubSz); |
wolfSSL | 16:8e0d178b1d1e | 16103 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 16104 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 16105 | idx += pubSz; |
wolfSSL | 16:8e0d178b1d1e | 16106 | } |
wolfSSL | 16:8e0d178b1d1e | 16107 | |
wolfSSL | 16:8e0d178b1d1e | 16108 | return idx; |
wolfSSL | 16:8e0d178b1d1e | 16109 | } |
wolfSSL | 16:8e0d178b1d1e | 16110 | |
wolfSSL | 16:8e0d178b1d1e | 16111 | /* Write a Private ecc key, including public to DER format, |
wolfSSL | 16:8e0d178b1d1e | 16112 | * length on success else < 0 */ |
wolfSSL | 16:8e0d178b1d1e | 16113 | int wc_Ed448KeyToDer(ed448_key* key, byte* output, word32 inLen) |
wolfSSL | 16:8e0d178b1d1e | 16114 | { |
wolfSSL | 16:8e0d178b1d1e | 16115 | return wc_BuildEd448KeyDer(key, output, inLen, 1); |
wolfSSL | 16:8e0d178b1d1e | 16116 | } |
wolfSSL | 16:8e0d178b1d1e | 16117 | |
wolfSSL | 16:8e0d178b1d1e | 16118 | |
wolfSSL | 16:8e0d178b1d1e | 16119 | |
wolfSSL | 16:8e0d178b1d1e | 16120 | /* Write only private ecc key to DER format, |
wolfSSL | 16:8e0d178b1d1e | 16121 | * length on success else < 0 */ |
wolfSSL | 16:8e0d178b1d1e | 16122 | int wc_Ed448PrivateKeyToDer(ed448_key* key, byte* output, word32 inLen) |
wolfSSL | 16:8e0d178b1d1e | 16123 | { |
wolfSSL | 16:8e0d178b1d1e | 16124 | return wc_BuildEd448KeyDer(key, output, inLen, 0); |
wolfSSL | 16:8e0d178b1d1e | 16125 | } |
wolfSSL | 16:8e0d178b1d1e | 16126 | |
wolfSSL | 16:8e0d178b1d1e | 16127 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 16:8e0d178b1d1e | 16128 | |
wolfSSL | 16:8e0d178b1d1e | 16129 | #endif /* HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 16130 | |
wolfSSL | 15:117db924cf7c | 16131 | #if defined(HAVE_OCSP) || defined(HAVE_CRL) |
wolfSSL | 15:117db924cf7c | 16132 | |
wolfSSL | 15:117db924cf7c | 16133 | /* Get raw Date only, no processing, 0 on success */ |
wolfSSL | 15:117db924cf7c | 16134 | static int GetBasicDate(const byte* source, word32* idx, byte* date, |
wolfSSL | 15:117db924cf7c | 16135 | byte* format, int maxIdx) |
wolfSSL | 15:117db924cf7c | 16136 | { |
wolfSSL | 15:117db924cf7c | 16137 | int ret, length; |
wolfSSL | 15:117db924cf7c | 16138 | const byte *datePtr = NULL; |
wolfSSL | 15:117db924cf7c | 16139 | |
wolfSSL | 15:117db924cf7c | 16140 | WOLFSSL_ENTER("GetBasicDate"); |
wolfSSL | 15:117db924cf7c | 16141 | |
wolfSSL | 15:117db924cf7c | 16142 | ret = GetDateInfo(source, idx, &datePtr, format, &length, maxIdx); |
wolfSSL | 15:117db924cf7c | 16143 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16144 | return ret; |
wolfSSL | 15:117db924cf7c | 16145 | |
wolfSSL | 15:117db924cf7c | 16146 | XMEMCPY(date, datePtr, length); |
wolfSSL | 15:117db924cf7c | 16147 | |
wolfSSL | 15:117db924cf7c | 16148 | return 0; |
wolfSSL | 15:117db924cf7c | 16149 | } |
wolfSSL | 15:117db924cf7c | 16150 | |
wolfSSL | 16:8e0d178b1d1e | 16151 | #endif /* HAVE_OCSP || HAVE_CRL */ |
wolfSSL | 15:117db924cf7c | 16152 | |
wolfSSL | 15:117db924cf7c | 16153 | |
wolfSSL | 15:117db924cf7c | 16154 | #ifdef HAVE_OCSP |
wolfSSL | 15:117db924cf7c | 16155 | |
wolfSSL | 16:8e0d178b1d1e | 16156 | static int GetEnumerated(const byte* input, word32* inOutIdx, int *value, |
wolfSSL | 16:8e0d178b1d1e | 16157 | int sz) |
wolfSSL | 15:117db924cf7c | 16158 | { |
wolfSSL | 15:117db924cf7c | 16159 | word32 idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 16160 | word32 len; |
wolfSSL | 16:8e0d178b1d1e | 16161 | byte tag; |
wolfSSL | 15:117db924cf7c | 16162 | |
wolfSSL | 15:117db924cf7c | 16163 | WOLFSSL_ENTER("GetEnumerated"); |
wolfSSL | 15:117db924cf7c | 16164 | |
wolfSSL | 15:117db924cf7c | 16165 | *value = 0; |
wolfSSL | 15:117db924cf7c | 16166 | |
wolfSSL | 16:8e0d178b1d1e | 16167 | if (GetASNTag(input, &idx, &tag, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16168 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16169 | |
wolfSSL | 16:8e0d178b1d1e | 16170 | if (tag != ASN_ENUMERATED) |
wolfSSL | 16:8e0d178b1d1e | 16171 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16172 | |
wolfSSL | 16:8e0d178b1d1e | 16173 | if ((int)idx >= sz) |
wolfSSL | 16:8e0d178b1d1e | 16174 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 16175 | |
wolfSSL | 15:117db924cf7c | 16176 | len = input[idx++]; |
wolfSSL | 16:8e0d178b1d1e | 16177 | if (len > 4 || (int)(len + idx) > sz) |
wolfSSL | 15:117db924cf7c | 16178 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16179 | |
wolfSSL | 15:117db924cf7c | 16180 | while (len--) { |
wolfSSL | 15:117db924cf7c | 16181 | *value = *value << 8 | input[idx++]; |
wolfSSL | 15:117db924cf7c | 16182 | } |
wolfSSL | 15:117db924cf7c | 16183 | |
wolfSSL | 15:117db924cf7c | 16184 | *inOutIdx = idx; |
wolfSSL | 15:117db924cf7c | 16185 | |
wolfSSL | 15:117db924cf7c | 16186 | return *value; |
wolfSSL | 15:117db924cf7c | 16187 | } |
wolfSSL | 15:117db924cf7c | 16188 | |
wolfSSL | 15:117db924cf7c | 16189 | |
wolfSSL | 15:117db924cf7c | 16190 | static int DecodeSingleResponse(byte* source, |
wolfSSL | 15:117db924cf7c | 16191 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 15:117db924cf7c | 16192 | { |
wolfSSL | 16:8e0d178b1d1e | 16193 | word32 idx = *ioIndex, prevIndex, oid, localIdx; |
wolfSSL | 15:117db924cf7c | 16194 | int length, wrapperSz; |
wolfSSL | 15:117db924cf7c | 16195 | CertStatus* cs = resp->status; |
wolfSSL | 15:117db924cf7c | 16196 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 16197 | byte tag; |
wolfSSL | 15:117db924cf7c | 16198 | |
wolfSSL | 15:117db924cf7c | 16199 | WOLFSSL_ENTER("DecodeSingleResponse"); |
wolfSSL | 15:117db924cf7c | 16200 | |
wolfSSL | 15:117db924cf7c | 16201 | /* Outer wrapper of the SEQUENCE OF Single Responses. */ |
wolfSSL | 15:117db924cf7c | 16202 | if (GetSequence(source, &idx, &wrapperSz, size) < 0) |
wolfSSL | 15:117db924cf7c | 16203 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16204 | |
wolfSSL | 15:117db924cf7c | 16205 | prevIndex = idx; |
wolfSSL | 15:117db924cf7c | 16206 | |
wolfSSL | 15:117db924cf7c | 16207 | /* When making a request, we only request one status on one certificate |
wolfSSL | 15:117db924cf7c | 16208 | * at a time. There should only be one SingleResponse */ |
wolfSSL | 15:117db924cf7c | 16209 | |
wolfSSL | 15:117db924cf7c | 16210 | /* Wrapper around the Single Response */ |
wolfSSL | 15:117db924cf7c | 16211 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16212 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16213 | |
wolfSSL | 15:117db924cf7c | 16214 | /* Wrapper around the CertID */ |
wolfSSL | 15:117db924cf7c | 16215 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16216 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16217 | /* Skip the hash algorithm */ |
wolfSSL | 15:117db924cf7c | 16218 | if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0) |
wolfSSL | 15:117db924cf7c | 16219 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16220 | /* Save reference to the hash of CN */ |
wolfSSL | 15:117db924cf7c | 16221 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 15:117db924cf7c | 16222 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16223 | return ret; |
wolfSSL | 15:117db924cf7c | 16224 | resp->issuerHash = source + idx; |
wolfSSL | 15:117db924cf7c | 16225 | idx += length; |
wolfSSL | 15:117db924cf7c | 16226 | /* Save reference to the hash of the issuer public key */ |
wolfSSL | 15:117db924cf7c | 16227 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 15:117db924cf7c | 16228 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16229 | return ret; |
wolfSSL | 15:117db924cf7c | 16230 | resp->issuerKeyHash = source + idx; |
wolfSSL | 15:117db924cf7c | 16231 | idx += length; |
wolfSSL | 15:117db924cf7c | 16232 | |
wolfSSL | 15:117db924cf7c | 16233 | /* Get serial number */ |
wolfSSL | 15:117db924cf7c | 16234 | if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0) |
wolfSSL | 15:117db924cf7c | 16235 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16236 | |
wolfSSL | 16:8e0d178b1d1e | 16237 | if ( idx >= size ) |
wolfSSL | 16:8e0d178b1d1e | 16238 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 16239 | |
wolfSSL | 15:117db924cf7c | 16240 | /* CertStatus */ |
wolfSSL | 15:117db924cf7c | 16241 | switch (source[idx++]) |
wolfSSL | 15:117db924cf7c | 16242 | { |
wolfSSL | 15:117db924cf7c | 16243 | case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): |
wolfSSL | 15:117db924cf7c | 16244 | cs->status = CERT_GOOD; |
wolfSSL | 15:117db924cf7c | 16245 | idx++; |
wolfSSL | 15:117db924cf7c | 16246 | break; |
wolfSSL | 15:117db924cf7c | 16247 | case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): |
wolfSSL | 15:117db924cf7c | 16248 | cs->status = CERT_REVOKED; |
wolfSSL | 15:117db924cf7c | 16249 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16250 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16251 | idx += length; |
wolfSSL | 15:117db924cf7c | 16252 | break; |
wolfSSL | 15:117db924cf7c | 16253 | case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): |
wolfSSL | 15:117db924cf7c | 16254 | cs->status = CERT_UNKNOWN; |
wolfSSL | 15:117db924cf7c | 16255 | idx++; |
wolfSSL | 15:117db924cf7c | 16256 | break; |
wolfSSL | 15:117db924cf7c | 16257 | default: |
wolfSSL | 15:117db924cf7c | 16258 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16259 | } |
wolfSSL | 15:117db924cf7c | 16260 | |
wolfSSL | 15:117db924cf7c | 16261 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 15:117db924cf7c | 16262 | cs->thisDateAsn = source + idx; |
wolfSSL | 16:8e0d178b1d1e | 16263 | localIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 16264 | if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL, |
wolfSSL | 16:8e0d178b1d1e | 16265 | (byte*)&cs->thisDateParsed.type, |
wolfSSL | 16:8e0d178b1d1e | 16266 | &cs->thisDateParsed.length, size) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16267 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16268 | XMEMCPY(cs->thisDateParsed.data, |
wolfSSL | 16:8e0d178b1d1e | 16269 | cs->thisDateAsn + localIdx - cs->thisDateParsed.length, |
wolfSSL | 16:8e0d178b1d1e | 16270 | cs->thisDateParsed.length); |
wolfSSL | 15:117db924cf7c | 16271 | #endif |
wolfSSL | 15:117db924cf7c | 16272 | if (GetBasicDate(source, &idx, cs->thisDate, |
wolfSSL | 15:117db924cf7c | 16273 | &cs->thisDateFormat, size) < 0) |
wolfSSL | 15:117db924cf7c | 16274 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16275 | |
wolfSSL | 15:117db924cf7c | 16276 | #ifndef NO_ASN_TIME |
wolfSSL | 16:8e0d178b1d1e | 16277 | #ifndef WOLFSSL_NO_OCSP_DATE_CHECK |
wolfSSL | 15:117db924cf7c | 16278 | if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) |
wolfSSL | 15:117db924cf7c | 16279 | return ASN_BEFORE_DATE_E; |
wolfSSL | 15:117db924cf7c | 16280 | #endif |
wolfSSL | 16:8e0d178b1d1e | 16281 | #endif |
wolfSSL | 15:117db924cf7c | 16282 | |
wolfSSL | 15:117db924cf7c | 16283 | /* The following items are optional. Only check for them if there is more |
wolfSSL | 15:117db924cf7c | 16284 | * unprocessed data in the singleResponse wrapper. */ |
wolfSSL | 15:117db924cf7c | 16285 | |
wolfSSL | 16:8e0d178b1d1e | 16286 | localIdx = idx; |
wolfSSL | 15:117db924cf7c | 16287 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 16:8e0d178b1d1e | 16288 | GetASNTag(source, &localIdx, &tag, size) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 16289 | tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 15:117db924cf7c | 16290 | { |
wolfSSL | 15:117db924cf7c | 16291 | idx++; |
wolfSSL | 15:117db924cf7c | 16292 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16293 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16294 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 15:117db924cf7c | 16295 | cs->nextDateAsn = source + idx; |
wolfSSL | 16:8e0d178b1d1e | 16296 | localIdx = 0; |
wolfSSL | 16:8e0d178b1d1e | 16297 | if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL, |
wolfSSL | 16:8e0d178b1d1e | 16298 | (byte*)&cs->nextDateParsed.type, |
wolfSSL | 16:8e0d178b1d1e | 16299 | &cs->nextDateParsed.length, size) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16300 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16301 | XMEMCPY(cs->nextDateParsed.data, |
wolfSSL | 16:8e0d178b1d1e | 16302 | cs->nextDateAsn + localIdx - cs->nextDateParsed.length, |
wolfSSL | 16:8e0d178b1d1e | 16303 | cs->nextDateParsed.length); |
wolfSSL | 15:117db924cf7c | 16304 | #endif |
wolfSSL | 15:117db924cf7c | 16305 | if (GetBasicDate(source, &idx, cs->nextDate, |
wolfSSL | 15:117db924cf7c | 16306 | &cs->nextDateFormat, size) < 0) |
wolfSSL | 15:117db924cf7c | 16307 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16308 | |
wolfSSL | 15:117db924cf7c | 16309 | #ifndef NO_ASN_TIME |
wolfSSL | 16:8e0d178b1d1e | 16310 | #ifndef WOLFSSL_NO_OCSP_DATE_CHECK |
wolfSSL | 15:117db924cf7c | 16311 | if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) |
wolfSSL | 15:117db924cf7c | 16312 | return ASN_AFTER_DATE_E; |
wolfSSL | 15:117db924cf7c | 16313 | #endif |
wolfSSL | 16:8e0d178b1d1e | 16314 | #endif |
wolfSSL | 16:8e0d178b1d1e | 16315 | } |
wolfSSL | 16:8e0d178b1d1e | 16316 | |
wolfSSL | 16:8e0d178b1d1e | 16317 | localIdx = idx; |
wolfSSL | 15:117db924cf7c | 16318 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 16:8e0d178b1d1e | 16319 | GetASNTag(source, &localIdx, &tag, size) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 16320 | tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 15:117db924cf7c | 16321 | { |
wolfSSL | 15:117db924cf7c | 16322 | idx++; |
wolfSSL | 15:117db924cf7c | 16323 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16324 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16325 | idx += length; |
wolfSSL | 15:117db924cf7c | 16326 | } |
wolfSSL | 15:117db924cf7c | 16327 | |
wolfSSL | 15:117db924cf7c | 16328 | *ioIndex = idx; |
wolfSSL | 15:117db924cf7c | 16329 | |
wolfSSL | 15:117db924cf7c | 16330 | return 0; |
wolfSSL | 15:117db924cf7c | 16331 | } |
wolfSSL | 15:117db924cf7c | 16332 | |
wolfSSL | 15:117db924cf7c | 16333 | static int DecodeOcspRespExtensions(byte* source, |
wolfSSL | 15:117db924cf7c | 16334 | word32* ioIndex, OcspResponse* resp, word32 sz) |
wolfSSL | 15:117db924cf7c | 16335 | { |
wolfSSL | 15:117db924cf7c | 16336 | word32 idx = *ioIndex; |
wolfSSL | 15:117db924cf7c | 16337 | int length; |
wolfSSL | 15:117db924cf7c | 16338 | int ext_bound; /* boundary index for the sequence of extensions */ |
wolfSSL | 15:117db924cf7c | 16339 | word32 oid; |
wolfSSL | 15:117db924cf7c | 16340 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 16341 | byte tag; |
wolfSSL | 15:117db924cf7c | 16342 | |
wolfSSL | 15:117db924cf7c | 16343 | WOLFSSL_ENTER("DecodeOcspRespExtensions"); |
wolfSSL | 15:117db924cf7c | 16344 | |
wolfSSL | 15:117db924cf7c | 16345 | if ((idx + 1) > sz) |
wolfSSL | 15:117db924cf7c | 16346 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 16347 | |
wolfSSL | 16:8e0d178b1d1e | 16348 | if (GetASNTag(source, &idx, &tag, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16349 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16350 | |
wolfSSL | 16:8e0d178b1d1e | 16351 | if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 15:117db924cf7c | 16352 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16353 | |
wolfSSL | 15:117db924cf7c | 16354 | if (GetLength(source, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 16355 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16356 | |
wolfSSL | 15:117db924cf7c | 16357 | if (GetSequence(source, &idx, &length, sz) < 0) |
wolfSSL | 15:117db924cf7c | 16358 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16359 | |
wolfSSL | 15:117db924cf7c | 16360 | ext_bound = idx + length; |
wolfSSL | 15:117db924cf7c | 16361 | |
wolfSSL | 15:117db924cf7c | 16362 | while (idx < (word32)ext_bound) { |
wolfSSL | 16:8e0d178b1d1e | 16363 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 16364 | |
wolfSSL | 15:117db924cf7c | 16365 | if (GetSequence(source, &idx, &length, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 16366 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 15:117db924cf7c | 16367 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16368 | } |
wolfSSL | 15:117db924cf7c | 16369 | |
wolfSSL | 15:117db924cf7c | 16370 | oid = 0; |
wolfSSL | 15:117db924cf7c | 16371 | if (GetObjectId(source, &idx, &oid, oidOcspType, sz) < 0) { |
wolfSSL | 15:117db924cf7c | 16372 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 15:117db924cf7c | 16373 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16374 | } |
wolfSSL | 15:117db924cf7c | 16375 | |
wolfSSL | 15:117db924cf7c | 16376 | /* check for critical flag */ |
wolfSSL | 16:8e0d178b1d1e | 16377 | if ((idx + 1) > (word32)sz) { |
wolfSSL | 16:8e0d178b1d1e | 16378 | WOLFSSL_MSG("\tfail: malformed buffer"); |
wolfSSL | 16:8e0d178b1d1e | 16379 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 16380 | } |
wolfSSL | 16:8e0d178b1d1e | 16381 | |
wolfSSL | 16:8e0d178b1d1e | 16382 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 16383 | if (GetASNTag(source, &localIdx, &tag, sz) == 0 && tag == ASN_BOOLEAN) { |
wolfSSL | 15:117db924cf7c | 16384 | WOLFSSL_MSG("\tfound optional critical flag, moving past"); |
wolfSSL | 15:117db924cf7c | 16385 | ret = GetBoolean(source, &idx, sz); |
wolfSSL | 15:117db924cf7c | 16386 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16387 | return ret; |
wolfSSL | 15:117db924cf7c | 16388 | } |
wolfSSL | 15:117db924cf7c | 16389 | |
wolfSSL | 15:117db924cf7c | 16390 | ret = GetOctetString(source, &idx, &length, sz); |
wolfSSL | 15:117db924cf7c | 16391 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16392 | return ret; |
wolfSSL | 15:117db924cf7c | 16393 | |
wolfSSL | 15:117db924cf7c | 16394 | if (oid == OCSP_NONCE_OID) { |
wolfSSL | 15:117db924cf7c | 16395 | /* get data inside extra OCTET_STRING */ |
wolfSSL | 15:117db924cf7c | 16396 | ret = GetOctetString(source, &idx, &length, sz); |
wolfSSL | 15:117db924cf7c | 16397 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16398 | return ret; |
wolfSSL | 15:117db924cf7c | 16399 | |
wolfSSL | 15:117db924cf7c | 16400 | resp->nonce = source + idx; |
wolfSSL | 15:117db924cf7c | 16401 | resp->nonceSz = length; |
wolfSSL | 15:117db924cf7c | 16402 | } |
wolfSSL | 15:117db924cf7c | 16403 | |
wolfSSL | 15:117db924cf7c | 16404 | idx += length; |
wolfSSL | 15:117db924cf7c | 16405 | } |
wolfSSL | 15:117db924cf7c | 16406 | |
wolfSSL | 15:117db924cf7c | 16407 | *ioIndex = idx; |
wolfSSL | 15:117db924cf7c | 16408 | return 0; |
wolfSSL | 15:117db924cf7c | 16409 | } |
wolfSSL | 15:117db924cf7c | 16410 | |
wolfSSL | 15:117db924cf7c | 16411 | |
wolfSSL | 15:117db924cf7c | 16412 | static int DecodeResponseData(byte* source, |
wolfSSL | 15:117db924cf7c | 16413 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 15:117db924cf7c | 16414 | { |
wolfSSL | 16:8e0d178b1d1e | 16415 | word32 idx = *ioIndex, prev_idx, localIdx; |
wolfSSL | 15:117db924cf7c | 16416 | int length; |
wolfSSL | 15:117db924cf7c | 16417 | int version; |
wolfSSL | 16:8e0d178b1d1e | 16418 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 16419 | byte tag; |
wolfSSL | 15:117db924cf7c | 16420 | |
wolfSSL | 15:117db924cf7c | 16421 | WOLFSSL_ENTER("DecodeResponseData"); |
wolfSSL | 15:117db924cf7c | 16422 | |
wolfSSL | 15:117db924cf7c | 16423 | resp->response = source + idx; |
wolfSSL | 15:117db924cf7c | 16424 | prev_idx = idx; |
wolfSSL | 15:117db924cf7c | 16425 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16426 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16427 | resp->responseSz = length + idx - prev_idx; |
wolfSSL | 15:117db924cf7c | 16428 | |
wolfSSL | 15:117db924cf7c | 16429 | /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this |
wolfSSL | 15:117db924cf7c | 16430 | * item isn't an EXPLICIT[0], then set version to zero and move |
wolfSSL | 15:117db924cf7c | 16431 | * onto the next item. |
wolfSSL | 15:117db924cf7c | 16432 | */ |
wolfSSL | 16:8e0d178b1d1e | 16433 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 16434 | if (GetASNTag(source, &localIdx, &tag, size) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 16435 | tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) |
wolfSSL | 15:117db924cf7c | 16436 | { |
wolfSSL | 15:117db924cf7c | 16437 | idx += 2; /* Eat the value and length */ |
wolfSSL | 15:117db924cf7c | 16438 | if (GetMyVersion(source, &idx, &version, size) < 0) |
wolfSSL | 15:117db924cf7c | 16439 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16440 | } else |
wolfSSL | 15:117db924cf7c | 16441 | version = 0; |
wolfSSL | 15:117db924cf7c | 16442 | |
wolfSSL | 16:8e0d178b1d1e | 16443 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 16444 | if (GetASNTag(source, &localIdx, &tag, size) == 0 && |
wolfSSL | 16:8e0d178b1d1e | 16445 | ( tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1) || |
wolfSSL | 16:8e0d178b1d1e | 16446 | tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2) )) |
wolfSSL | 15:117db924cf7c | 16447 | { |
wolfSSL | 16:8e0d178b1d1e | 16448 | idx++; /* advance past ASN tag */ |
wolfSSL | 15:117db924cf7c | 16449 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16450 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16451 | idx += length; |
wolfSSL | 15:117db924cf7c | 16452 | } |
wolfSSL | 15:117db924cf7c | 16453 | else |
wolfSSL | 15:117db924cf7c | 16454 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16455 | |
wolfSSL | 15:117db924cf7c | 16456 | /* save pointer to the producedAt time */ |
wolfSSL | 15:117db924cf7c | 16457 | if (GetBasicDate(source, &idx, resp->producedDate, |
wolfSSL | 15:117db924cf7c | 16458 | &resp->producedDateFormat, size) < 0) |
wolfSSL | 15:117db924cf7c | 16459 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16460 | |
wolfSSL | 16:8e0d178b1d1e | 16461 | if ((ret = DecodeSingleResponse(source, &idx, resp, size)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16462 | return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ |
wolfSSL | 15:117db924cf7c | 16463 | |
wolfSSL | 15:117db924cf7c | 16464 | /* |
wolfSSL | 15:117db924cf7c | 16465 | * Check the length of the ResponseData against the current index to |
wolfSSL | 15:117db924cf7c | 16466 | * see if there are extensions, they are optional. |
wolfSSL | 15:117db924cf7c | 16467 | */ |
wolfSSL | 15:117db924cf7c | 16468 | if (idx - prev_idx < resp->responseSz) |
wolfSSL | 15:117db924cf7c | 16469 | if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) |
wolfSSL | 15:117db924cf7c | 16470 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16471 | |
wolfSSL | 15:117db924cf7c | 16472 | *ioIndex = idx; |
wolfSSL | 15:117db924cf7c | 16473 | return 0; |
wolfSSL | 15:117db924cf7c | 16474 | } |
wolfSSL | 15:117db924cf7c | 16475 | |
wolfSSL | 15:117db924cf7c | 16476 | |
wolfSSL | 15:117db924cf7c | 16477 | #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS |
wolfSSL | 15:117db924cf7c | 16478 | |
wolfSSL | 15:117db924cf7c | 16479 | static int DecodeCerts(byte* source, |
wolfSSL | 15:117db924cf7c | 16480 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 15:117db924cf7c | 16481 | { |
wolfSSL | 15:117db924cf7c | 16482 | word32 idx = *ioIndex; |
wolfSSL | 16:8e0d178b1d1e | 16483 | byte tag; |
wolfSSL | 15:117db924cf7c | 16484 | |
wolfSSL | 15:117db924cf7c | 16485 | WOLFSSL_ENTER("DecodeCerts"); |
wolfSSL | 15:117db924cf7c | 16486 | |
wolfSSL | 16:8e0d178b1d1e | 16487 | if (GetASNTag(source, &idx, &tag, size) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16488 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16489 | |
wolfSSL | 16:8e0d178b1d1e | 16490 | if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 15:117db924cf7c | 16491 | { |
wolfSSL | 15:117db924cf7c | 16492 | int length; |
wolfSSL | 15:117db924cf7c | 16493 | |
wolfSSL | 15:117db924cf7c | 16494 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16495 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16496 | |
wolfSSL | 15:117db924cf7c | 16497 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16498 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16499 | |
wolfSSL | 15:117db924cf7c | 16500 | resp->cert = source + idx; |
wolfSSL | 15:117db924cf7c | 16501 | resp->certSz = length; |
wolfSSL | 15:117db924cf7c | 16502 | |
wolfSSL | 15:117db924cf7c | 16503 | idx += length; |
wolfSSL | 15:117db924cf7c | 16504 | } |
wolfSSL | 15:117db924cf7c | 16505 | *ioIndex = idx; |
wolfSSL | 15:117db924cf7c | 16506 | return 0; |
wolfSSL | 15:117db924cf7c | 16507 | } |
wolfSSL | 15:117db924cf7c | 16508 | |
wolfSSL | 15:117db924cf7c | 16509 | #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ |
wolfSSL | 15:117db924cf7c | 16510 | |
wolfSSL | 15:117db924cf7c | 16511 | |
wolfSSL | 15:117db924cf7c | 16512 | static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, |
wolfSSL | 15:117db924cf7c | 16513 | OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify) |
wolfSSL | 15:117db924cf7c | 16514 | { |
wolfSSL | 15:117db924cf7c | 16515 | int length; |
wolfSSL | 15:117db924cf7c | 16516 | word32 idx = *ioIndex; |
wolfSSL | 15:117db924cf7c | 16517 | word32 end_index; |
wolfSSL | 15:117db924cf7c | 16518 | int ret; |
wolfSSL | 15:117db924cf7c | 16519 | int sigLength; |
wolfSSL | 15:117db924cf7c | 16520 | |
wolfSSL | 15:117db924cf7c | 16521 | WOLFSSL_ENTER("DecodeBasicOcspResponse"); |
wolfSSL | 15:117db924cf7c | 16522 | (void)heap; |
wolfSSL | 15:117db924cf7c | 16523 | |
wolfSSL | 15:117db924cf7c | 16524 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16525 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16526 | |
wolfSSL | 15:117db924cf7c | 16527 | if (idx + length > size) |
wolfSSL | 15:117db924cf7c | 16528 | return ASN_INPUT_E; |
wolfSSL | 15:117db924cf7c | 16529 | end_index = idx + length; |
wolfSSL | 15:117db924cf7c | 16530 | |
wolfSSL | 16:8e0d178b1d1e | 16531 | if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16532 | return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ |
wolfSSL | 15:117db924cf7c | 16533 | |
wolfSSL | 15:117db924cf7c | 16534 | /* Get the signature algorithm */ |
wolfSSL | 15:117db924cf7c | 16535 | if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) |
wolfSSL | 15:117db924cf7c | 16536 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16537 | |
wolfSSL | 15:117db924cf7c | 16538 | ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); |
wolfSSL | 15:117db924cf7c | 16539 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 16540 | return ret; |
wolfSSL | 15:117db924cf7c | 16541 | |
wolfSSL | 15:117db924cf7c | 16542 | resp->sigSz = sigLength; |
wolfSSL | 15:117db924cf7c | 16543 | resp->sig = source + idx; |
wolfSSL | 15:117db924cf7c | 16544 | idx += sigLength; |
wolfSSL | 15:117db924cf7c | 16545 | |
wolfSSL | 15:117db924cf7c | 16546 | /* |
wolfSSL | 15:117db924cf7c | 16547 | * Check the length of the BasicOcspResponse against the current index to |
wolfSSL | 15:117db924cf7c | 16548 | * see if there are certificates, they are optional. |
wolfSSL | 15:117db924cf7c | 16549 | */ |
wolfSSL | 15:117db924cf7c | 16550 | #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS |
wolfSSL | 15:117db924cf7c | 16551 | if (idx < end_index) |
wolfSSL | 15:117db924cf7c | 16552 | { |
wolfSSL | 15:117db924cf7c | 16553 | DecodedCert cert; |
wolfSSL | 15:117db924cf7c | 16554 | |
wolfSSL | 15:117db924cf7c | 16555 | if (DecodeCerts(source, &idx, resp, size) < 0) |
wolfSSL | 15:117db924cf7c | 16556 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16557 | |
wolfSSL | 15:117db924cf7c | 16558 | InitDecodedCert(&cert, resp->cert, resp->certSz, heap); |
wolfSSL | 15:117db924cf7c | 16559 | |
wolfSSL | 15:117db924cf7c | 16560 | /* Don't verify if we don't have access to Cert Manager. */ |
wolfSSL | 15:117db924cf7c | 16561 | ret = ParseCertRelative(&cert, CERT_TYPE, |
wolfSSL | 15:117db924cf7c | 16562 | noVerify ? NO_VERIFY : VERIFY_OCSP, cm); |
wolfSSL | 15:117db924cf7c | 16563 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 16564 | WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); |
wolfSSL | 15:117db924cf7c | 16565 | FreeDecodedCert(&cert); |
wolfSSL | 15:117db924cf7c | 16566 | return ret; |
wolfSSL | 15:117db924cf7c | 16567 | } |
wolfSSL | 15:117db924cf7c | 16568 | |
wolfSSL | 15:117db924cf7c | 16569 | #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK |
wolfSSL | 15:117db924cf7c | 16570 | if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { |
wolfSSL | 15:117db924cf7c | 16571 | if (XMEMCMP(cert.subjectHash, |
wolfSSL | 15:117db924cf7c | 16572 | resp->issuerHash, KEYID_SIZE) == 0) { |
wolfSSL | 15:117db924cf7c | 16573 | WOLFSSL_MSG("\tOCSP Response signed by issuer"); |
wolfSSL | 15:117db924cf7c | 16574 | } |
wolfSSL | 15:117db924cf7c | 16575 | else { |
wolfSSL | 15:117db924cf7c | 16576 | WOLFSSL_MSG("\tOCSP Responder key usage check failed"); |
wolfSSL | 15:117db924cf7c | 16577 | #ifdef OPENSSL_EXTRA |
wolfSSL | 15:117db924cf7c | 16578 | resp->verifyError = OCSP_BAD_ISSUER; |
wolfSSL | 15:117db924cf7c | 16579 | #else |
wolfSSL | 15:117db924cf7c | 16580 | FreeDecodedCert(&cert); |
wolfSSL | 15:117db924cf7c | 16581 | return BAD_OCSP_RESPONDER; |
wolfSSL | 15:117db924cf7c | 16582 | #endif |
wolfSSL | 15:117db924cf7c | 16583 | } |
wolfSSL | 15:117db924cf7c | 16584 | } |
wolfSSL | 15:117db924cf7c | 16585 | #endif |
wolfSSL | 15:117db924cf7c | 16586 | |
wolfSSL | 15:117db924cf7c | 16587 | /* ConfirmSignature is blocking here */ |
wolfSSL | 15:117db924cf7c | 16588 | ret = ConfirmSignature(&cert.sigCtx, |
wolfSSL | 15:117db924cf7c | 16589 | resp->response, resp->responseSz, |
wolfSSL | 15:117db924cf7c | 16590 | cert.publicKey, cert.pubKeySize, cert.keyOID, |
wolfSSL | 16:8e0d178b1d1e | 16591 | resp->sig, resp->sigSz, resp->sigOID, NULL); |
wolfSSL | 16:8e0d178b1d1e | 16592 | |
wolfSSL | 15:117db924cf7c | 16593 | FreeDecodedCert(&cert); |
wolfSSL | 15:117db924cf7c | 16594 | |
wolfSSL | 15:117db924cf7c | 16595 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 16596 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 15:117db924cf7c | 16597 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 16598 | } |
wolfSSL | 15:117db924cf7c | 16599 | } |
wolfSSL | 15:117db924cf7c | 16600 | else |
wolfSSL | 15:117db924cf7c | 16601 | #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ |
wolfSSL | 15:117db924cf7c | 16602 | { |
wolfSSL | 16:8e0d178b1d1e | 16603 | Signer* ca; |
wolfSSL | 15:117db924cf7c | 16604 | int sigValid = -1; |
wolfSSL | 15:117db924cf7c | 16605 | |
wolfSSL | 15:117db924cf7c | 16606 | #ifndef NO_SKID |
wolfSSL | 15:117db924cf7c | 16607 | ca = GetCA(cm, resp->issuerKeyHash); |
wolfSSL | 15:117db924cf7c | 16608 | #else |
wolfSSL | 15:117db924cf7c | 16609 | ca = GetCA(cm, resp->issuerHash); |
wolfSSL | 15:117db924cf7c | 16610 | #endif |
wolfSSL | 15:117db924cf7c | 16611 | |
wolfSSL | 15:117db924cf7c | 16612 | if (ca) { |
wolfSSL | 15:117db924cf7c | 16613 | SignatureCtx sigCtx; |
wolfSSL | 15:117db924cf7c | 16614 | InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 16615 | |
wolfSSL | 15:117db924cf7c | 16616 | /* ConfirmSignature is blocking here */ |
wolfSSL | 15:117db924cf7c | 16617 | sigValid = ConfirmSignature(&sigCtx, resp->response, |
wolfSSL | 15:117db924cf7c | 16618 | resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 16:8e0d178b1d1e | 16619 | resp->sig, resp->sigSz, resp->sigOID, NULL); |
wolfSSL | 15:117db924cf7c | 16620 | } |
wolfSSL | 15:117db924cf7c | 16621 | if (ca == NULL || sigValid != 0) { |
wolfSSL | 15:117db924cf7c | 16622 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 15:117db924cf7c | 16623 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 16624 | } |
wolfSSL | 15:117db924cf7c | 16625 | |
wolfSSL | 15:117db924cf7c | 16626 | (void)noVerify; |
wolfSSL | 15:117db924cf7c | 16627 | } |
wolfSSL | 15:117db924cf7c | 16628 | |
wolfSSL | 15:117db924cf7c | 16629 | *ioIndex = idx; |
wolfSSL | 15:117db924cf7c | 16630 | return 0; |
wolfSSL | 15:117db924cf7c | 16631 | } |
wolfSSL | 15:117db924cf7c | 16632 | |
wolfSSL | 15:117db924cf7c | 16633 | |
wolfSSL | 15:117db924cf7c | 16634 | void InitOcspResponse(OcspResponse* resp, CertStatus* status, |
wolfSSL | 15:117db924cf7c | 16635 | byte* source, word32 inSz) |
wolfSSL | 15:117db924cf7c | 16636 | { |
wolfSSL | 15:117db924cf7c | 16637 | WOLFSSL_ENTER("InitOcspResponse"); |
wolfSSL | 15:117db924cf7c | 16638 | |
wolfSSL | 15:117db924cf7c | 16639 | XMEMSET(status, 0, sizeof(CertStatus)); |
wolfSSL | 15:117db924cf7c | 16640 | XMEMSET(resp, 0, sizeof(OcspResponse)); |
wolfSSL | 15:117db924cf7c | 16641 | |
wolfSSL | 15:117db924cf7c | 16642 | resp->responseStatus = -1; |
wolfSSL | 15:117db924cf7c | 16643 | resp->status = status; |
wolfSSL | 15:117db924cf7c | 16644 | resp->source = source; |
wolfSSL | 15:117db924cf7c | 16645 | resp->maxIdx = inSz; |
wolfSSL | 15:117db924cf7c | 16646 | } |
wolfSSL | 15:117db924cf7c | 16647 | |
wolfSSL | 15:117db924cf7c | 16648 | |
wolfSSL | 15:117db924cf7c | 16649 | int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) |
wolfSSL | 15:117db924cf7c | 16650 | { |
wolfSSL | 15:117db924cf7c | 16651 | int ret; |
wolfSSL | 15:117db924cf7c | 16652 | int length = 0; |
wolfSSL | 15:117db924cf7c | 16653 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 16654 | byte* source = resp->source; |
wolfSSL | 15:117db924cf7c | 16655 | word32 size = resp->maxIdx; |
wolfSSL | 15:117db924cf7c | 16656 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 16657 | byte tag; |
wolfSSL | 15:117db924cf7c | 16658 | |
wolfSSL | 15:117db924cf7c | 16659 | WOLFSSL_ENTER("OcspResponseDecode"); |
wolfSSL | 15:117db924cf7c | 16660 | |
wolfSSL | 15:117db924cf7c | 16661 | /* peel the outer SEQUENCE wrapper */ |
wolfSSL | 15:117db924cf7c | 16662 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16663 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16664 | |
wolfSSL | 15:117db924cf7c | 16665 | /* First get the responseStatus, an ENUMERATED */ |
wolfSSL | 16:8e0d178b1d1e | 16666 | if (GetEnumerated(source, &idx, &resp->responseStatus, size) < 0) |
wolfSSL | 15:117db924cf7c | 16667 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16668 | |
wolfSSL | 15:117db924cf7c | 16669 | if (resp->responseStatus != OCSP_SUCCESSFUL) |
wolfSSL | 15:117db924cf7c | 16670 | return 0; |
wolfSSL | 15:117db924cf7c | 16671 | |
wolfSSL | 15:117db924cf7c | 16672 | /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */ |
wolfSSL | 15:117db924cf7c | 16673 | if (idx >= size) |
wolfSSL | 15:117db924cf7c | 16674 | return ASN_INPUT_E; |
wolfSSL | 16:8e0d178b1d1e | 16675 | if (GetASNTag(source, &idx, &tag, size) < 0) |
wolfSSL | 16:8e0d178b1d1e | 16676 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 16677 | if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 15:117db924cf7c | 16678 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16679 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16680 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16681 | |
wolfSSL | 15:117db924cf7c | 16682 | /* Get the responseBytes SEQUENCE */ |
wolfSSL | 15:117db924cf7c | 16683 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 15:117db924cf7c | 16684 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16685 | |
wolfSSL | 15:117db924cf7c | 16686 | /* Check ObjectID for the resposeBytes */ |
wolfSSL | 15:117db924cf7c | 16687 | if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0) |
wolfSSL | 15:117db924cf7c | 16688 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16689 | if (oid != OCSP_BASIC_OID) |
wolfSSL | 15:117db924cf7c | 16690 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 16691 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 15:117db924cf7c | 16692 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16693 | return ret; |
wolfSSL | 15:117db924cf7c | 16694 | |
wolfSSL | 15:117db924cf7c | 16695 | ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify); |
wolfSSL | 15:117db924cf7c | 16696 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 16697 | return ret; |
wolfSSL | 15:117db924cf7c | 16698 | |
wolfSSL | 15:117db924cf7c | 16699 | return 0; |
wolfSSL | 15:117db924cf7c | 16700 | } |
wolfSSL | 15:117db924cf7c | 16701 | |
wolfSSL | 15:117db924cf7c | 16702 | |
wolfSSL | 15:117db924cf7c | 16703 | word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 15:117db924cf7c | 16704 | { |
wolfSSL | 16:8e0d178b1d1e | 16705 | const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, |
wolfSSL | 15:117db924cf7c | 16706 | 0x30, 0x01, 0x02 }; |
wolfSSL | 15:117db924cf7c | 16707 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 16708 | word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId); |
wolfSSL | 15:117db924cf7c | 16709 | |
wolfSSL | 15:117db924cf7c | 16710 | WOLFSSL_ENTER("SetOcspReqExtensions"); |
wolfSSL | 15:117db924cf7c | 16711 | |
wolfSSL | 15:117db924cf7c | 16712 | if (!req || !output || !req->nonceSz) |
wolfSSL | 15:117db924cf7c | 16713 | return 0; |
wolfSSL | 15:117db924cf7c | 16714 | |
wolfSSL | 15:117db924cf7c | 16715 | totalSz += req->nonceSz; |
wolfSSL | 15:117db924cf7c | 16716 | totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]); |
wolfSSL | 15:117db924cf7c | 16717 | totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]); |
wolfSSL | 15:117db924cf7c | 16718 | totalSz += seqSz[2] = SetObjectId(sizeof(NonceObjId), seqArray[2]); |
wolfSSL | 15:117db924cf7c | 16719 | totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); |
wolfSSL | 15:117db924cf7c | 16720 | totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); |
wolfSSL | 15:117db924cf7c | 16721 | |
wolfSSL | 15:117db924cf7c | 16722 | if (totalSz > size) |
wolfSSL | 15:117db924cf7c | 16723 | return 0; |
wolfSSL | 15:117db924cf7c | 16724 | |
wolfSSL | 15:117db924cf7c | 16725 | totalSz = 0; |
wolfSSL | 15:117db924cf7c | 16726 | |
wolfSSL | 15:117db924cf7c | 16727 | XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); |
wolfSSL | 15:117db924cf7c | 16728 | totalSz += seqSz[4]; |
wolfSSL | 15:117db924cf7c | 16729 | |
wolfSSL | 15:117db924cf7c | 16730 | XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); |
wolfSSL | 15:117db924cf7c | 16731 | totalSz += seqSz[3]; |
wolfSSL | 15:117db924cf7c | 16732 | |
wolfSSL | 15:117db924cf7c | 16733 | XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); |
wolfSSL | 15:117db924cf7c | 16734 | totalSz += seqSz[2]; |
wolfSSL | 15:117db924cf7c | 16735 | |
wolfSSL | 15:117db924cf7c | 16736 | XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); |
wolfSSL | 15:117db924cf7c | 16737 | totalSz += (word32)sizeof(NonceObjId); |
wolfSSL | 15:117db924cf7c | 16738 | |
wolfSSL | 15:117db924cf7c | 16739 | XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); |
wolfSSL | 15:117db924cf7c | 16740 | totalSz += seqSz[1]; |
wolfSSL | 15:117db924cf7c | 16741 | |
wolfSSL | 15:117db924cf7c | 16742 | XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); |
wolfSSL | 15:117db924cf7c | 16743 | totalSz += seqSz[0]; |
wolfSSL | 15:117db924cf7c | 16744 | |
wolfSSL | 15:117db924cf7c | 16745 | XMEMCPY(output + totalSz, req->nonce, req->nonceSz); |
wolfSSL | 15:117db924cf7c | 16746 | totalSz += req->nonceSz; |
wolfSSL | 15:117db924cf7c | 16747 | |
wolfSSL | 15:117db924cf7c | 16748 | return totalSz; |
wolfSSL | 15:117db924cf7c | 16749 | } |
wolfSSL | 15:117db924cf7c | 16750 | |
wolfSSL | 15:117db924cf7c | 16751 | |
wolfSSL | 15:117db924cf7c | 16752 | int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 15:117db924cf7c | 16753 | { |
wolfSSL | 15:117db924cf7c | 16754 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 15:117db924cf7c | 16755 | /* The ASN.1 of the OCSP Request is an onion of sequences */ |
wolfSSL | 15:117db924cf7c | 16756 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 15:117db924cf7c | 16757 | byte issuerArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 15:117db924cf7c | 16758 | byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 15:117db924cf7c | 16759 | byte snArray[MAX_SN_SZ]; |
wolfSSL | 15:117db924cf7c | 16760 | byte extArray[MAX_OCSP_EXT_SZ]; |
wolfSSL | 15:117db924cf7c | 16761 | word32 seqSz[5], algoSz, issuerSz, issuerKeySz, extSz, totalSz; |
wolfSSL | 15:117db924cf7c | 16762 | int i, snSz; |
wolfSSL | 15:117db924cf7c | 16763 | |
wolfSSL | 15:117db924cf7c | 16764 | WOLFSSL_ENTER("EncodeOcspRequest"); |
wolfSSL | 15:117db924cf7c | 16765 | |
wolfSSL | 15:117db924cf7c | 16766 | #ifdef NO_SHA |
wolfSSL | 15:117db924cf7c | 16767 | algoSz = SetAlgoID(SHA256h, algoArray, oidHashType, 0); |
wolfSSL | 15:117db924cf7c | 16768 | #else |
wolfSSL | 15:117db924cf7c | 16769 | algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0); |
wolfSSL | 15:117db924cf7c | 16770 | #endif |
wolfSSL | 15:117db924cf7c | 16771 | |
wolfSSL | 15:117db924cf7c | 16772 | issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); |
wolfSSL | 15:117db924cf7c | 16773 | issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); |
wolfSSL | 16:8e0d178b1d1e | 16774 | snSz = SetSerialNumber(req->serial, req->serialSz, snArray, |
wolfSSL | 16:8e0d178b1d1e | 16775 | MAX_SN_SZ, MAX_SN_SZ); |
wolfSSL | 15:117db924cf7c | 16776 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 16777 | |
wolfSSL | 15:117db924cf7c | 16778 | if (snSz < 0) |
wolfSSL | 15:117db924cf7c | 16779 | return snSz; |
wolfSSL | 15:117db924cf7c | 16780 | |
wolfSSL | 15:117db924cf7c | 16781 | if (req->nonceSz) { |
wolfSSL | 15:117db924cf7c | 16782 | /* TLS Extensions use this function too - put extensions after |
wolfSSL | 15:117db924cf7c | 16783 | * ASN.1: Context Specific [2]. |
wolfSSL | 15:117db924cf7c | 16784 | */ |
wolfSSL | 15:117db924cf7c | 16785 | extSz = EncodeOcspRequestExtensions(req, extArray + 2, |
wolfSSL | 15:117db924cf7c | 16786 | OCSP_NONCE_EXT_SZ); |
wolfSSL | 15:117db924cf7c | 16787 | extSz += SetExplicit(2, extSz, extArray); |
wolfSSL | 15:117db924cf7c | 16788 | } |
wolfSSL | 15:117db924cf7c | 16789 | |
wolfSSL | 15:117db924cf7c | 16790 | totalSz = algoSz + issuerSz + issuerKeySz + snSz; |
wolfSSL | 15:117db924cf7c | 16791 | for (i = 4; i >= 0; i--) { |
wolfSSL | 15:117db924cf7c | 16792 | seqSz[i] = SetSequence(totalSz, seqArray[i]); |
wolfSSL | 15:117db924cf7c | 16793 | totalSz += seqSz[i]; |
wolfSSL | 15:117db924cf7c | 16794 | if (i == 2) totalSz += extSz; |
wolfSSL | 15:117db924cf7c | 16795 | } |
wolfSSL | 15:117db924cf7c | 16796 | |
wolfSSL | 15:117db924cf7c | 16797 | if (output == NULL) |
wolfSSL | 15:117db924cf7c | 16798 | return totalSz; |
wolfSSL | 15:117db924cf7c | 16799 | if (totalSz > size) |
wolfSSL | 15:117db924cf7c | 16800 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 16801 | |
wolfSSL | 15:117db924cf7c | 16802 | totalSz = 0; |
wolfSSL | 15:117db924cf7c | 16803 | for (i = 0; i < 5; i++) { |
wolfSSL | 15:117db924cf7c | 16804 | XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); |
wolfSSL | 15:117db924cf7c | 16805 | totalSz += seqSz[i]; |
wolfSSL | 15:117db924cf7c | 16806 | } |
wolfSSL | 15:117db924cf7c | 16807 | |
wolfSSL | 15:117db924cf7c | 16808 | XMEMCPY(output + totalSz, algoArray, algoSz); |
wolfSSL | 15:117db924cf7c | 16809 | totalSz += algoSz; |
wolfSSL | 15:117db924cf7c | 16810 | |
wolfSSL | 15:117db924cf7c | 16811 | XMEMCPY(output + totalSz, issuerArray, issuerSz); |
wolfSSL | 15:117db924cf7c | 16812 | totalSz += issuerSz; |
wolfSSL | 15:117db924cf7c | 16813 | |
wolfSSL | 15:117db924cf7c | 16814 | XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); |
wolfSSL | 15:117db924cf7c | 16815 | totalSz += issuerKeySz; |
wolfSSL | 15:117db924cf7c | 16816 | |
wolfSSL | 15:117db924cf7c | 16817 | XMEMCPY(output + totalSz, snArray, snSz); |
wolfSSL | 15:117db924cf7c | 16818 | totalSz += snSz; |
wolfSSL | 15:117db924cf7c | 16819 | |
wolfSSL | 15:117db924cf7c | 16820 | if (extSz != 0) { |
wolfSSL | 15:117db924cf7c | 16821 | XMEMCPY(output + totalSz, extArray, extSz); |
wolfSSL | 15:117db924cf7c | 16822 | totalSz += extSz; |
wolfSSL | 15:117db924cf7c | 16823 | } |
wolfSSL | 15:117db924cf7c | 16824 | |
wolfSSL | 15:117db924cf7c | 16825 | return totalSz; |
wolfSSL | 15:117db924cf7c | 16826 | } |
wolfSSL | 15:117db924cf7c | 16827 | |
wolfSSL | 15:117db924cf7c | 16828 | |
wolfSSL | 15:117db924cf7c | 16829 | int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, |
wolfSSL | 15:117db924cf7c | 16830 | void* heap) |
wolfSSL | 15:117db924cf7c | 16831 | { |
wolfSSL | 15:117db924cf7c | 16832 | int ret; |
wolfSSL | 15:117db924cf7c | 16833 | |
wolfSSL | 15:117db924cf7c | 16834 | WOLFSSL_ENTER("InitOcspRequest"); |
wolfSSL | 15:117db924cf7c | 16835 | |
wolfSSL | 15:117db924cf7c | 16836 | if (req == NULL) |
wolfSSL | 15:117db924cf7c | 16837 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 16838 | |
wolfSSL | 15:117db924cf7c | 16839 | ForceZero(req, sizeof(OcspRequest)); |
wolfSSL | 15:117db924cf7c | 16840 | req->heap = heap; |
wolfSSL | 15:117db924cf7c | 16841 | |
wolfSSL | 15:117db924cf7c | 16842 | if (cert) { |
wolfSSL | 15:117db924cf7c | 16843 | XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); |
wolfSSL | 15:117db924cf7c | 16844 | XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 15:117db924cf7c | 16845 | |
wolfSSL | 15:117db924cf7c | 16846 | req->serial = (byte*)XMALLOC(cert->serialSz, req->heap, |
wolfSSL | 15:117db924cf7c | 16847 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 15:117db924cf7c | 16848 | if (req->serial == NULL) |
wolfSSL | 15:117db924cf7c | 16849 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 16850 | |
wolfSSL | 15:117db924cf7c | 16851 | XMEMCPY(req->serial, cert->serial, cert->serialSz); |
wolfSSL | 15:117db924cf7c | 16852 | req->serialSz = cert->serialSz; |
wolfSSL | 15:117db924cf7c | 16853 | |
wolfSSL | 15:117db924cf7c | 16854 | if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 16855 | req->url = (byte*)XMALLOC(cert->extAuthInfoSz + 1, req->heap, |
wolfSSL | 15:117db924cf7c | 16856 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 15:117db924cf7c | 16857 | if (req->url == NULL) { |
wolfSSL | 15:117db924cf7c | 16858 | XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP); |
wolfSSL | 15:117db924cf7c | 16859 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 16860 | } |
wolfSSL | 15:117db924cf7c | 16861 | |
wolfSSL | 15:117db924cf7c | 16862 | XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); |
wolfSSL | 15:117db924cf7c | 16863 | req->urlSz = cert->extAuthInfoSz; |
wolfSSL | 16:8e0d178b1d1e | 16864 | req->url[req->urlSz] = 0; |
wolfSSL | 15:117db924cf7c | 16865 | } |
wolfSSL | 15:117db924cf7c | 16866 | } |
wolfSSL | 15:117db924cf7c | 16867 | |
wolfSSL | 15:117db924cf7c | 16868 | if (useNonce) { |
wolfSSL | 15:117db924cf7c | 16869 | WC_RNG rng; |
wolfSSL | 15:117db924cf7c | 16870 | |
wolfSSL | 15:117db924cf7c | 16871 | #ifndef HAVE_FIPS |
wolfSSL | 15:117db924cf7c | 16872 | ret = wc_InitRng_ex(&rng, req->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 16873 | #else |
wolfSSL | 15:117db924cf7c | 16874 | ret = wc_InitRng(&rng); |
wolfSSL | 15:117db924cf7c | 16875 | #endif |
wolfSSL | 15:117db924cf7c | 16876 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 16877 | WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); |
wolfSSL | 15:117db924cf7c | 16878 | } else { |
wolfSSL | 15:117db924cf7c | 16879 | if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) |
wolfSSL | 15:117db924cf7c | 16880 | WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); |
wolfSSL | 15:117db924cf7c | 16881 | else |
wolfSSL | 15:117db924cf7c | 16882 | req->nonceSz = MAX_OCSP_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 16883 | |
wolfSSL | 15:117db924cf7c | 16884 | wc_FreeRng(&rng); |
wolfSSL | 15:117db924cf7c | 16885 | } |
wolfSSL | 15:117db924cf7c | 16886 | } |
wolfSSL | 15:117db924cf7c | 16887 | |
wolfSSL | 15:117db924cf7c | 16888 | return 0; |
wolfSSL | 15:117db924cf7c | 16889 | } |
wolfSSL | 15:117db924cf7c | 16890 | |
wolfSSL | 15:117db924cf7c | 16891 | void FreeOcspRequest(OcspRequest* req) |
wolfSSL | 15:117db924cf7c | 16892 | { |
wolfSSL | 15:117db924cf7c | 16893 | WOLFSSL_ENTER("FreeOcspRequest"); |
wolfSSL | 15:117db924cf7c | 16894 | |
wolfSSL | 15:117db924cf7c | 16895 | if (req) { |
wolfSSL | 15:117db924cf7c | 16896 | if (req->serial) |
wolfSSL | 15:117db924cf7c | 16897 | XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 16:8e0d178b1d1e | 16898 | req->serial = NULL; |
wolfSSL | 16:8e0d178b1d1e | 16899 | |
wolfSSL | 16:8e0d178b1d1e | 16900 | #ifdef OPENSSL_EXTRA |
wolfSSL | 16:8e0d178b1d1e | 16901 | if (req->serialInt) { |
wolfSSL | 16:8e0d178b1d1e | 16902 | if (req->serialInt->isDynamic) { |
wolfSSL | 16:8e0d178b1d1e | 16903 | XFREE(req->serialInt->data, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 16:8e0d178b1d1e | 16904 | } |
wolfSSL | 16:8e0d178b1d1e | 16905 | XFREE(req->serialInt, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 16:8e0d178b1d1e | 16906 | } |
wolfSSL | 16:8e0d178b1d1e | 16907 | req->serialInt = NULL; |
wolfSSL | 16:8e0d178b1d1e | 16908 | #endif |
wolfSSL | 15:117db924cf7c | 16909 | |
wolfSSL | 15:117db924cf7c | 16910 | if (req->url) |
wolfSSL | 15:117db924cf7c | 16911 | XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 16:8e0d178b1d1e | 16912 | req->url = NULL; |
wolfSSL | 15:117db924cf7c | 16913 | } |
wolfSSL | 15:117db924cf7c | 16914 | } |
wolfSSL | 15:117db924cf7c | 16915 | |
wolfSSL | 15:117db924cf7c | 16916 | |
wolfSSL | 15:117db924cf7c | 16917 | int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) |
wolfSSL | 15:117db924cf7c | 16918 | { |
wolfSSL | 15:117db924cf7c | 16919 | int cmp; |
wolfSSL | 15:117db924cf7c | 16920 | |
wolfSSL | 15:117db924cf7c | 16921 | WOLFSSL_ENTER("CompareOcspReqResp"); |
wolfSSL | 15:117db924cf7c | 16922 | |
wolfSSL | 15:117db924cf7c | 16923 | if (req == NULL) |
wolfSSL | 15:117db924cf7c | 16924 | { |
wolfSSL | 15:117db924cf7c | 16925 | WOLFSSL_MSG("\tReq missing"); |
wolfSSL | 15:117db924cf7c | 16926 | return -1; |
wolfSSL | 15:117db924cf7c | 16927 | } |
wolfSSL | 15:117db924cf7c | 16928 | |
wolfSSL | 15:117db924cf7c | 16929 | if (resp == NULL) |
wolfSSL | 15:117db924cf7c | 16930 | { |
wolfSSL | 15:117db924cf7c | 16931 | WOLFSSL_MSG("\tResp missing"); |
wolfSSL | 15:117db924cf7c | 16932 | return 1; |
wolfSSL | 15:117db924cf7c | 16933 | } |
wolfSSL | 15:117db924cf7c | 16934 | |
wolfSSL | 15:117db924cf7c | 16935 | /* Nonces are not critical. The responder may not necessarily add |
wolfSSL | 15:117db924cf7c | 16936 | * the nonce to the response. */ |
wolfSSL | 16:8e0d178b1d1e | 16937 | if (req->nonceSz |
wolfSSL | 16:8e0d178b1d1e | 16938 | #ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK |
wolfSSL | 16:8e0d178b1d1e | 16939 | && resp->nonceSz != 0 |
wolfSSL | 16:8e0d178b1d1e | 16940 | #endif |
wolfSSL | 16:8e0d178b1d1e | 16941 | ) { |
wolfSSL | 15:117db924cf7c | 16942 | cmp = req->nonceSz - resp->nonceSz; |
wolfSSL | 15:117db924cf7c | 16943 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16944 | { |
wolfSSL | 15:117db924cf7c | 16945 | WOLFSSL_MSG("\tnonceSz mismatch"); |
wolfSSL | 15:117db924cf7c | 16946 | return cmp; |
wolfSSL | 15:117db924cf7c | 16947 | } |
wolfSSL | 15:117db924cf7c | 16948 | |
wolfSSL | 15:117db924cf7c | 16949 | cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); |
wolfSSL | 15:117db924cf7c | 16950 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16951 | { |
wolfSSL | 15:117db924cf7c | 16952 | WOLFSSL_MSG("\tnonce mismatch"); |
wolfSSL | 15:117db924cf7c | 16953 | return cmp; |
wolfSSL | 15:117db924cf7c | 16954 | } |
wolfSSL | 15:117db924cf7c | 16955 | } |
wolfSSL | 15:117db924cf7c | 16956 | |
wolfSSL | 15:117db924cf7c | 16957 | cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); |
wolfSSL | 15:117db924cf7c | 16958 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16959 | { |
wolfSSL | 15:117db924cf7c | 16960 | WOLFSSL_MSG("\tissuerHash mismatch"); |
wolfSSL | 15:117db924cf7c | 16961 | return cmp; |
wolfSSL | 15:117db924cf7c | 16962 | } |
wolfSSL | 15:117db924cf7c | 16963 | |
wolfSSL | 15:117db924cf7c | 16964 | cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 15:117db924cf7c | 16965 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16966 | { |
wolfSSL | 15:117db924cf7c | 16967 | WOLFSSL_MSG("\tissuerKeyHash mismatch"); |
wolfSSL | 15:117db924cf7c | 16968 | return cmp; |
wolfSSL | 15:117db924cf7c | 16969 | } |
wolfSSL | 15:117db924cf7c | 16970 | |
wolfSSL | 15:117db924cf7c | 16971 | cmp = req->serialSz - resp->status->serialSz; |
wolfSSL | 15:117db924cf7c | 16972 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16973 | { |
wolfSSL | 15:117db924cf7c | 16974 | WOLFSSL_MSG("\tserialSz mismatch"); |
wolfSSL | 15:117db924cf7c | 16975 | return cmp; |
wolfSSL | 15:117db924cf7c | 16976 | } |
wolfSSL | 15:117db924cf7c | 16977 | |
wolfSSL | 15:117db924cf7c | 16978 | cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz); |
wolfSSL | 15:117db924cf7c | 16979 | if (cmp != 0) |
wolfSSL | 15:117db924cf7c | 16980 | { |
wolfSSL | 15:117db924cf7c | 16981 | WOLFSSL_MSG("\tserial mismatch"); |
wolfSSL | 15:117db924cf7c | 16982 | return cmp; |
wolfSSL | 15:117db924cf7c | 16983 | } |
wolfSSL | 15:117db924cf7c | 16984 | |
wolfSSL | 15:117db924cf7c | 16985 | return 0; |
wolfSSL | 15:117db924cf7c | 16986 | } |
wolfSSL | 15:117db924cf7c | 16987 | |
wolfSSL | 16:8e0d178b1d1e | 16988 | #endif /* HAVE_OCSP */ |
wolfSSL | 15:117db924cf7c | 16989 | |
wolfSSL | 15:117db924cf7c | 16990 | |
wolfSSL | 15:117db924cf7c | 16991 | /* store WC_SHA hash of NAME */ |
wolfSSL | 16:8e0d178b1d1e | 16992 | int GetNameHash(const byte* source, word32* idx, byte* hash, |
wolfSSL | 15:117db924cf7c | 16993 | int maxIdx) |
wolfSSL | 15:117db924cf7c | 16994 | { |
wolfSSL | 15:117db924cf7c | 16995 | int length; /* length of all distinguished names */ |
wolfSSL | 15:117db924cf7c | 16996 | int ret; |
wolfSSL | 15:117db924cf7c | 16997 | word32 dummy; |
wolfSSL | 16:8e0d178b1d1e | 16998 | byte tag; |
wolfSSL | 15:117db924cf7c | 16999 | |
wolfSSL | 15:117db924cf7c | 17000 | WOLFSSL_ENTER("GetNameHash"); |
wolfSSL | 15:117db924cf7c | 17001 | |
wolfSSL | 16:8e0d178b1d1e | 17002 | dummy = *idx; |
wolfSSL | 16:8e0d178b1d1e | 17003 | if (GetASNTag(source, &dummy, &tag, maxIdx) == 0 && tag == ASN_OBJECT_ID) { |
wolfSSL | 15:117db924cf7c | 17004 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 15:117db924cf7c | 17005 | |
wolfSSL | 15:117db924cf7c | 17006 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 17007 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17008 | |
wolfSSL | 15:117db924cf7c | 17009 | *idx += length; |
wolfSSL | 15:117db924cf7c | 17010 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 15:117db924cf7c | 17011 | } |
wolfSSL | 15:117db924cf7c | 17012 | |
wolfSSL | 15:117db924cf7c | 17013 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 15:117db924cf7c | 17014 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 15:117db924cf7c | 17015 | * the tag and length. */ |
wolfSSL | 15:117db924cf7c | 17016 | dummy = *idx; |
wolfSSL | 15:117db924cf7c | 17017 | if (GetSequence(source, idx, &length, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 17018 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17019 | |
wolfSSL | 16:8e0d178b1d1e | 17020 | ret = CalcHashId(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 15:117db924cf7c | 17021 | |
wolfSSL | 15:117db924cf7c | 17022 | *idx += length; |
wolfSSL | 15:117db924cf7c | 17023 | |
wolfSSL | 15:117db924cf7c | 17024 | return ret; |
wolfSSL | 15:117db924cf7c | 17025 | } |
wolfSSL | 15:117db924cf7c | 17026 | |
wolfSSL | 15:117db924cf7c | 17027 | |
wolfSSL | 15:117db924cf7c | 17028 | #ifdef HAVE_CRL |
wolfSSL | 15:117db924cf7c | 17029 | |
wolfSSL | 15:117db924cf7c | 17030 | /* initialize decoded CRL */ |
wolfSSL | 15:117db924cf7c | 17031 | void InitDecodedCRL(DecodedCRL* dcrl, void* heap) |
wolfSSL | 15:117db924cf7c | 17032 | { |
wolfSSL | 15:117db924cf7c | 17033 | WOLFSSL_MSG("InitDecodedCRL"); |
wolfSSL | 15:117db924cf7c | 17034 | |
wolfSSL | 16:8e0d178b1d1e | 17035 | XMEMSET(dcrl, 0, sizeof(DecodedCRL)); |
wolfSSL | 16:8e0d178b1d1e | 17036 | dcrl->heap = heap; |
wolfSSL | 15:117db924cf7c | 17037 | #ifdef WOLFSSL_HEAP_TEST |
wolfSSL | 15:117db924cf7c | 17038 | dcrl->heap = (void*)WOLFSSL_HEAP_TEST; |
wolfSSL | 15:117db924cf7c | 17039 | #endif |
wolfSSL | 15:117db924cf7c | 17040 | } |
wolfSSL | 15:117db924cf7c | 17041 | |
wolfSSL | 15:117db924cf7c | 17042 | |
wolfSSL | 15:117db924cf7c | 17043 | /* free decoded CRL resources */ |
wolfSSL | 15:117db924cf7c | 17044 | void FreeDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 15:117db924cf7c | 17045 | { |
wolfSSL | 15:117db924cf7c | 17046 | RevokedCert* tmp = dcrl->certs; |
wolfSSL | 15:117db924cf7c | 17047 | |
wolfSSL | 15:117db924cf7c | 17048 | WOLFSSL_MSG("FreeDecodedCRL"); |
wolfSSL | 15:117db924cf7c | 17049 | |
wolfSSL | 15:117db924cf7c | 17050 | while(tmp) { |
wolfSSL | 15:117db924cf7c | 17051 | RevokedCert* next = tmp->next; |
wolfSSL | 15:117db924cf7c | 17052 | XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 17053 | tmp = next; |
wolfSSL | 15:117db924cf7c | 17054 | } |
wolfSSL | 15:117db924cf7c | 17055 | } |
wolfSSL | 15:117db924cf7c | 17056 | |
wolfSSL | 15:117db924cf7c | 17057 | |
wolfSSL | 15:117db924cf7c | 17058 | /* Get Revoked Cert list, 0 on success */ |
wolfSSL | 15:117db924cf7c | 17059 | static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 15:117db924cf7c | 17060 | int maxIdx) |
wolfSSL | 15:117db924cf7c | 17061 | { |
wolfSSL | 15:117db924cf7c | 17062 | int ret, len; |
wolfSSL | 15:117db924cf7c | 17063 | word32 end; |
wolfSSL | 15:117db924cf7c | 17064 | byte b; |
wolfSSL | 15:117db924cf7c | 17065 | RevokedCert* rc; |
wolfSSL | 15:117db924cf7c | 17066 | |
wolfSSL | 15:117db924cf7c | 17067 | WOLFSSL_ENTER("GetRevoked"); |
wolfSSL | 15:117db924cf7c | 17068 | |
wolfSSL | 15:117db924cf7c | 17069 | if (GetSequence(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 15:117db924cf7c | 17070 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17071 | |
wolfSSL | 15:117db924cf7c | 17072 | end = *idx + len; |
wolfSSL | 15:117db924cf7c | 17073 | |
wolfSSL | 15:117db924cf7c | 17074 | rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap, |
wolfSSL | 15:117db924cf7c | 17075 | DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 17076 | if (rc == NULL) { |
wolfSSL | 15:117db924cf7c | 17077 | WOLFSSL_MSG("Alloc Revoked Cert failed"); |
wolfSSL | 15:117db924cf7c | 17078 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 17079 | } |
wolfSSL | 15:117db924cf7c | 17080 | |
wolfSSL | 15:117db924cf7c | 17081 | if (GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz, |
wolfSSL | 15:117db924cf7c | 17082 | maxIdx) < 0) { |
wolfSSL | 15:117db924cf7c | 17083 | XFREE(rc, dcrl->heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 15:117db924cf7c | 17084 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17085 | } |
wolfSSL | 15:117db924cf7c | 17086 | |
wolfSSL | 15:117db924cf7c | 17087 | /* add to list */ |
wolfSSL | 15:117db924cf7c | 17088 | rc->next = dcrl->certs; |
wolfSSL | 15:117db924cf7c | 17089 | dcrl->certs = rc; |
wolfSSL | 15:117db924cf7c | 17090 | dcrl->totalCerts++; |
wolfSSL | 15:117db924cf7c | 17091 | |
wolfSSL | 15:117db924cf7c | 17092 | /* get date */ |
wolfSSL | 15:117db924cf7c | 17093 | ret = GetDateInfo(buff, idx, NULL, &b, NULL, maxIdx); |
wolfSSL | 15:117db924cf7c | 17094 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 17095 | WOLFSSL_MSG("Expecting Date"); |
wolfSSL | 15:117db924cf7c | 17096 | return ret; |
wolfSSL | 15:117db924cf7c | 17097 | } |
wolfSSL | 15:117db924cf7c | 17098 | |
wolfSSL | 16:8e0d178b1d1e | 17099 | /* skip extensions */ |
wolfSSL | 16:8e0d178b1d1e | 17100 | *idx = end; |
wolfSSL | 15:117db924cf7c | 17101 | |
wolfSSL | 15:117db924cf7c | 17102 | return 0; |
wolfSSL | 15:117db924cf7c | 17103 | } |
wolfSSL | 15:117db924cf7c | 17104 | |
wolfSSL | 15:117db924cf7c | 17105 | |
wolfSSL | 15:117db924cf7c | 17106 | /* Get CRL Signature, 0 on success */ |
wolfSSL | 15:117db924cf7c | 17107 | static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 15:117db924cf7c | 17108 | int maxIdx) |
wolfSSL | 15:117db924cf7c | 17109 | { |
wolfSSL | 15:117db924cf7c | 17110 | int length; |
wolfSSL | 15:117db924cf7c | 17111 | int ret; |
wolfSSL | 15:117db924cf7c | 17112 | |
wolfSSL | 15:117db924cf7c | 17113 | WOLFSSL_ENTER("GetCRL_Signature"); |
wolfSSL | 15:117db924cf7c | 17114 | |
wolfSSL | 15:117db924cf7c | 17115 | ret = CheckBitString(source, idx, &length, maxIdx, 1, NULL); |
wolfSSL | 15:117db924cf7c | 17116 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 17117 | return ret; |
wolfSSL | 15:117db924cf7c | 17118 | dcrl->sigLength = length; |
wolfSSL | 15:117db924cf7c | 17119 | |
wolfSSL | 15:117db924cf7c | 17120 | dcrl->signature = (byte*)&source[*idx]; |
wolfSSL | 15:117db924cf7c | 17121 | *idx += dcrl->sigLength; |
wolfSSL | 15:117db924cf7c | 17122 | |
wolfSSL | 15:117db924cf7c | 17123 | return 0; |
wolfSSL | 15:117db924cf7c | 17124 | } |
wolfSSL | 15:117db924cf7c | 17125 | |
wolfSSL | 15:117db924cf7c | 17126 | int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, |
wolfSSL | 15:117db924cf7c | 17127 | word32 tbsSz, const byte* signature, word32 sigSz, |
wolfSSL | 15:117db924cf7c | 17128 | word32 signatureOID, Signer *ca, void* heap) |
wolfSSL | 15:117db924cf7c | 17129 | { |
wolfSSL | 15:117db924cf7c | 17130 | /* try to confirm/verify signature */ |
wolfSSL | 15:117db924cf7c | 17131 | #ifndef IGNORE_KEY_EXTENSIONS |
wolfSSL | 15:117db924cf7c | 17132 | if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) { |
wolfSSL | 15:117db924cf7c | 17133 | WOLFSSL_MSG("CA cannot sign CRLs"); |
wolfSSL | 15:117db924cf7c | 17134 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 15:117db924cf7c | 17135 | } |
wolfSSL | 15:117db924cf7c | 17136 | #endif /* IGNORE_KEY_EXTENSIONS */ |
wolfSSL | 15:117db924cf7c | 17137 | |
wolfSSL | 15:117db924cf7c | 17138 | InitSignatureCtx(sigCtx, heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 17139 | if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, |
wolfSSL | 15:117db924cf7c | 17140 | ca->pubKeySize, ca->keyOID, signature, sigSz, |
wolfSSL | 16:8e0d178b1d1e | 17141 | signatureOID, NULL) != 0) { |
wolfSSL | 15:117db924cf7c | 17142 | WOLFSSL_MSG("CRL Confirm signature failed"); |
wolfSSL | 15:117db924cf7c | 17143 | return ASN_CRL_CONFIRM_E; |
wolfSSL | 15:117db924cf7c | 17144 | } |
wolfSSL | 15:117db924cf7c | 17145 | |
wolfSSL | 15:117db924cf7c | 17146 | return 0; |
wolfSSL | 15:117db924cf7c | 17147 | } |
wolfSSL | 15:117db924cf7c | 17148 | |
wolfSSL | 16:8e0d178b1d1e | 17149 | |
wolfSSL | 16:8e0d178b1d1e | 17150 | static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf, |
wolfSSL | 16:8e0d178b1d1e | 17151 | word32* inOutIdx, int sz) |
wolfSSL | 16:8e0d178b1d1e | 17152 | { |
wolfSSL | 16:8e0d178b1d1e | 17153 | word32 oid, dateIdx, idx, checkIdx; |
wolfSSL | 16:8e0d178b1d1e | 17154 | int version, doNextDate = 1; |
wolfSSL | 16:8e0d178b1d1e | 17155 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 17156 | |
wolfSSL | 16:8e0d178b1d1e | 17157 | if (dcrl == NULL || inOutIdx == NULL || buf == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 17158 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 17159 | } |
wolfSSL | 16:8e0d178b1d1e | 17160 | |
wolfSSL | 16:8e0d178b1d1e | 17161 | /* may have version */ |
wolfSSL | 16:8e0d178b1d1e | 17162 | idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 17163 | |
wolfSSL | 16:8e0d178b1d1e | 17164 | checkIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17165 | if (GetASNTag(buf, &checkIdx, &tag, sz) == 0 && tag == ASN_INTEGER) { |
wolfSSL | 16:8e0d178b1d1e | 17166 | if (GetMyVersion(buf, &idx, &version, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17167 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17168 | } |
wolfSSL | 16:8e0d178b1d1e | 17169 | |
wolfSSL | 16:8e0d178b1d1e | 17170 | if (GetAlgoId(buf, &idx, &oid, oidIgnoreType, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17171 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17172 | |
wolfSSL | 16:8e0d178b1d1e | 17173 | if (GetNameHash(buf, &idx, dcrl->issuerHash, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17174 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17175 | |
wolfSSL | 16:8e0d178b1d1e | 17176 | if (GetBasicDate(buf, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17177 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17178 | |
wolfSSL | 16:8e0d178b1d1e | 17179 | dateIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17180 | |
wolfSSL | 16:8e0d178b1d1e | 17181 | if (GetBasicDate(buf, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17182 | { |
wolfSSL | 16:8e0d178b1d1e | 17183 | #ifndef WOLFSSL_NO_CRL_NEXT_DATE |
wolfSSL | 16:8e0d178b1d1e | 17184 | (void)dateIdx; |
wolfSSL | 16:8e0d178b1d1e | 17185 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17186 | #else |
wolfSSL | 16:8e0d178b1d1e | 17187 | dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */ |
wolfSSL | 16:8e0d178b1d1e | 17188 | doNextDate = 0; |
wolfSSL | 16:8e0d178b1d1e | 17189 | idx = dateIdx; |
wolfSSL | 16:8e0d178b1d1e | 17190 | #endif |
wolfSSL | 16:8e0d178b1d1e | 17191 | } |
wolfSSL | 16:8e0d178b1d1e | 17192 | |
wolfSSL | 16:8e0d178b1d1e | 17193 | if (doNextDate) { |
wolfSSL | 16:8e0d178b1d1e | 17194 | #ifndef NO_ASN_TIME |
wolfSSL | 16:8e0d178b1d1e | 17195 | if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { |
wolfSSL | 16:8e0d178b1d1e | 17196 | WOLFSSL_MSG("CRL after date is no longer valid"); |
wolfSSL | 16:8e0d178b1d1e | 17197 | return ASN_AFTER_DATE_E; |
wolfSSL | 16:8e0d178b1d1e | 17198 | } |
wolfSSL | 16:8e0d178b1d1e | 17199 | #endif |
wolfSSL | 16:8e0d178b1d1e | 17200 | } |
wolfSSL | 16:8e0d178b1d1e | 17201 | |
wolfSSL | 16:8e0d178b1d1e | 17202 | checkIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17203 | if (idx != dcrl->sigIndex && |
wolfSSL | 16:8e0d178b1d1e | 17204 | GetASNTag(buf, &checkIdx, &tag, sz) == 0 && tag != CRL_EXTENSIONS) { |
wolfSSL | 16:8e0d178b1d1e | 17205 | |
wolfSSL | 16:8e0d178b1d1e | 17206 | int len; |
wolfSSL | 16:8e0d178b1d1e | 17207 | |
wolfSSL | 16:8e0d178b1d1e | 17208 | if (GetSequence(buf, &idx, &len, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17209 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17210 | len += idx; |
wolfSSL | 16:8e0d178b1d1e | 17211 | |
wolfSSL | 16:8e0d178b1d1e | 17212 | while (idx < (word32)len) { |
wolfSSL | 16:8e0d178b1d1e | 17213 | if (GetRevoked(buf, &idx, dcrl, len) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17214 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17215 | } |
wolfSSL | 16:8e0d178b1d1e | 17216 | } |
wolfSSL | 16:8e0d178b1d1e | 17217 | |
wolfSSL | 16:8e0d178b1d1e | 17218 | *inOutIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17219 | |
wolfSSL | 16:8e0d178b1d1e | 17220 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17221 | } |
wolfSSL | 16:8e0d178b1d1e | 17222 | |
wolfSSL | 16:8e0d178b1d1e | 17223 | |
wolfSSL | 16:8e0d178b1d1e | 17224 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 17225 | static int ParseCRL_AuthKeyIdExt(const byte* input, int sz, DecodedCRL* dcrl) |
wolfSSL | 16:8e0d178b1d1e | 17226 | { |
wolfSSL | 16:8e0d178b1d1e | 17227 | word32 idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 17228 | int length = 0, ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 17229 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 17230 | |
wolfSSL | 16:8e0d178b1d1e | 17231 | WOLFSSL_ENTER("ParseCRL_AuthKeyIdExt"); |
wolfSSL | 16:8e0d178b1d1e | 17232 | |
wolfSSL | 16:8e0d178b1d1e | 17233 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17234 | WOLFSSL_MSG("\tfail: should be a SEQUENCE\n"); |
wolfSSL | 16:8e0d178b1d1e | 17235 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17236 | } |
wolfSSL | 16:8e0d178b1d1e | 17237 | |
wolfSSL | 16:8e0d178b1d1e | 17238 | if (GetASNTag(input, &idx, &tag, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17239 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17240 | } |
wolfSSL | 16:8e0d178b1d1e | 17241 | |
wolfSSL | 16:8e0d178b1d1e | 17242 | if (tag != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 16:8e0d178b1d1e | 17243 | WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n"); |
wolfSSL | 16:8e0d178b1d1e | 17244 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17245 | } |
wolfSSL | 16:8e0d178b1d1e | 17246 | |
wolfSSL | 16:8e0d178b1d1e | 17247 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17248 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 16:8e0d178b1d1e | 17249 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17250 | } |
wolfSSL | 16:8e0d178b1d1e | 17251 | |
wolfSSL | 16:8e0d178b1d1e | 17252 | dcrl->extAuthKeyIdSet = 1; |
wolfSSL | 16:8e0d178b1d1e | 17253 | if (length == KEYID_SIZE) { |
wolfSSL | 16:8e0d178b1d1e | 17254 | XMEMCPY(dcrl->extAuthKeyId, input + idx, length); |
wolfSSL | 16:8e0d178b1d1e | 17255 | } |
wolfSSL | 16:8e0d178b1d1e | 17256 | else { |
wolfSSL | 16:8e0d178b1d1e | 17257 | ret = CalcHashId(input + idx, length, dcrl->extAuthKeyId); |
wolfSSL | 16:8e0d178b1d1e | 17258 | } |
wolfSSL | 16:8e0d178b1d1e | 17259 | |
wolfSSL | 16:8e0d178b1d1e | 17260 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 17261 | } |
wolfSSL | 16:8e0d178b1d1e | 17262 | #endif |
wolfSSL | 16:8e0d178b1d1e | 17263 | |
wolfSSL | 16:8e0d178b1d1e | 17264 | |
wolfSSL | 16:8e0d178b1d1e | 17265 | static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, |
wolfSSL | 16:8e0d178b1d1e | 17266 | word32* inOutIdx, word32 sz) |
wolfSSL | 16:8e0d178b1d1e | 17267 | { |
wolfSSL | 16:8e0d178b1d1e | 17268 | int length; |
wolfSSL | 16:8e0d178b1d1e | 17269 | word32 idx; |
wolfSSL | 16:8e0d178b1d1e | 17270 | word32 ext_bound; /* boundary index for the sequence of extensions */ |
wolfSSL | 16:8e0d178b1d1e | 17271 | word32 oid; |
wolfSSL | 16:8e0d178b1d1e | 17272 | byte tag; |
wolfSSL | 16:8e0d178b1d1e | 17273 | |
wolfSSL | 16:8e0d178b1d1e | 17274 | WOLFSSL_ENTER("ParseCRL_Extensions"); |
wolfSSL | 16:8e0d178b1d1e | 17275 | (void)dcrl; |
wolfSSL | 16:8e0d178b1d1e | 17276 | |
wolfSSL | 16:8e0d178b1d1e | 17277 | if (inOutIdx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 17278 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 17279 | |
wolfSSL | 16:8e0d178b1d1e | 17280 | idx = *inOutIdx; |
wolfSSL | 16:8e0d178b1d1e | 17281 | |
wolfSSL | 16:8e0d178b1d1e | 17282 | /* CRL Extensions are optional */ |
wolfSSL | 16:8e0d178b1d1e | 17283 | if ((idx + 1) > sz) |
wolfSSL | 16:8e0d178b1d1e | 17284 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17285 | |
wolfSSL | 16:8e0d178b1d1e | 17286 | /* CRL Extensions are optional */ |
wolfSSL | 16:8e0d178b1d1e | 17287 | if (GetASNTag(buf, &idx, &tag, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17288 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17289 | |
wolfSSL | 16:8e0d178b1d1e | 17290 | /* CRL Extensions are optional */ |
wolfSSL | 16:8e0d178b1d1e | 17291 | if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 16:8e0d178b1d1e | 17292 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17293 | |
wolfSSL | 16:8e0d178b1d1e | 17294 | if (GetLength(buf, &idx, &length, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17295 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17296 | |
wolfSSL | 16:8e0d178b1d1e | 17297 | if (GetSequence(buf, &idx, &length, sz) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17298 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17299 | |
wolfSSL | 16:8e0d178b1d1e | 17300 | ext_bound = idx + length; |
wolfSSL | 16:8e0d178b1d1e | 17301 | |
wolfSSL | 16:8e0d178b1d1e | 17302 | while (idx < (word32)ext_bound) { |
wolfSSL | 16:8e0d178b1d1e | 17303 | word32 localIdx; |
wolfSSL | 16:8e0d178b1d1e | 17304 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 17305 | |
wolfSSL | 16:8e0d178b1d1e | 17306 | if (GetSequence(buf, &idx, &length, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17307 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 16:8e0d178b1d1e | 17308 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17309 | } |
wolfSSL | 16:8e0d178b1d1e | 17310 | |
wolfSSL | 16:8e0d178b1d1e | 17311 | oid = 0; |
wolfSSL | 16:8e0d178b1d1e | 17312 | if (GetObjectId(buf, &idx, &oid, oidCrlExtType, sz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17313 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 16:8e0d178b1d1e | 17314 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17315 | } |
wolfSSL | 16:8e0d178b1d1e | 17316 | |
wolfSSL | 16:8e0d178b1d1e | 17317 | /* check for critical flag */ |
wolfSSL | 16:8e0d178b1d1e | 17318 | if ((idx + 1) > (word32)sz) { |
wolfSSL | 16:8e0d178b1d1e | 17319 | WOLFSSL_MSG("\tfail: malformed buffer"); |
wolfSSL | 16:8e0d178b1d1e | 17320 | return BUFFER_E; |
wolfSSL | 16:8e0d178b1d1e | 17321 | } |
wolfSSL | 16:8e0d178b1d1e | 17322 | |
wolfSSL | 16:8e0d178b1d1e | 17323 | localIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17324 | if (GetASNTag(buf, &localIdx, &tag, sz) == 0 && tag == ASN_BOOLEAN) { |
wolfSSL | 16:8e0d178b1d1e | 17325 | WOLFSSL_MSG("\tfound optional critical flag, moving past"); |
wolfSSL | 16:8e0d178b1d1e | 17326 | ret = GetBoolean(buf, &idx, sz); |
wolfSSL | 16:8e0d178b1d1e | 17327 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 17328 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 17329 | } |
wolfSSL | 16:8e0d178b1d1e | 17330 | |
wolfSSL | 16:8e0d178b1d1e | 17331 | ret = GetOctetString(buf, &idx, &length, sz); |
wolfSSL | 16:8e0d178b1d1e | 17332 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 17333 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 17334 | |
wolfSSL | 16:8e0d178b1d1e | 17335 | if (oid == AUTH_KEY_OID) { |
wolfSSL | 16:8e0d178b1d1e | 17336 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 17337 | ret = ParseCRL_AuthKeyIdExt(buf + idx, length, dcrl); |
wolfSSL | 16:8e0d178b1d1e | 17338 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17339 | WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension"); |
wolfSSL | 16:8e0d178b1d1e | 17340 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 17341 | } |
wolfSSL | 16:8e0d178b1d1e | 17342 | #endif |
wolfSSL | 16:8e0d178b1d1e | 17343 | } |
wolfSSL | 16:8e0d178b1d1e | 17344 | |
wolfSSL | 16:8e0d178b1d1e | 17345 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17346 | } |
wolfSSL | 16:8e0d178b1d1e | 17347 | |
wolfSSL | 16:8e0d178b1d1e | 17348 | *inOutIdx = idx; |
wolfSSL | 16:8e0d178b1d1e | 17349 | |
wolfSSL | 16:8e0d178b1d1e | 17350 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17351 | } |
wolfSSL | 16:8e0d178b1d1e | 17352 | |
wolfSSL | 16:8e0d178b1d1e | 17353 | |
wolfSSL | 15:117db924cf7c | 17354 | /* prase crl buffer into decoded state, 0 on success */ |
wolfSSL | 15:117db924cf7c | 17355 | int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) |
wolfSSL | 15:117db924cf7c | 17356 | { |
wolfSSL | 16:8e0d178b1d1e | 17357 | int len; |
wolfSSL | 16:8e0d178b1d1e | 17358 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 17359 | Signer* ca = NULL; |
wolfSSL | 15:117db924cf7c | 17360 | SignatureCtx sigCtx; |
wolfSSL | 15:117db924cf7c | 17361 | |
wolfSSL | 15:117db924cf7c | 17362 | WOLFSSL_MSG("ParseCRL"); |
wolfSSL | 15:117db924cf7c | 17363 | |
wolfSSL | 15:117db924cf7c | 17364 | /* raw crl hash */ |
wolfSSL | 15:117db924cf7c | 17365 | /* hash here if needed for optimized comparisons |
wolfSSL | 15:117db924cf7c | 17366 | * wc_Sha sha; |
wolfSSL | 15:117db924cf7c | 17367 | * wc_InitSha(&sha); |
wolfSSL | 15:117db924cf7c | 17368 | * wc_ShaUpdate(&sha, buff, sz); |
wolfSSL | 15:117db924cf7c | 17369 | * wc_ShaFinal(&sha, dcrl->crlHash); */ |
wolfSSL | 15:117db924cf7c | 17370 | |
wolfSSL | 15:117db924cf7c | 17371 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 15:117db924cf7c | 17372 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17373 | |
wolfSSL | 15:117db924cf7c | 17374 | dcrl->certBegin = idx; |
wolfSSL | 16:8e0d178b1d1e | 17375 | /* Normalize sz for the length inside the outer sequence. */ |
wolfSSL | 16:8e0d178b1d1e | 17376 | sz = len + idx; |
wolfSSL | 15:117db924cf7c | 17377 | |
wolfSSL | 15:117db924cf7c | 17378 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 15:117db924cf7c | 17379 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17380 | dcrl->sigIndex = len + idx; |
wolfSSL | 15:117db924cf7c | 17381 | |
wolfSSL | 16:8e0d178b1d1e | 17382 | if (ParseCRL_CertList(dcrl, buff, &idx, idx + len) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17383 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17384 | |
wolfSSL | 16:8e0d178b1d1e | 17385 | if (ParseCRL_Extensions(dcrl, buff, &idx, idx + len) < 0) |
wolfSSL | 16:8e0d178b1d1e | 17386 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17387 | |
wolfSSL | 16:8e0d178b1d1e | 17388 | idx = dcrl->sigIndex; |
wolfSSL | 15:117db924cf7c | 17389 | |
wolfSSL | 15:117db924cf7c | 17390 | if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0) |
wolfSSL | 15:117db924cf7c | 17391 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17392 | |
wolfSSL | 15:117db924cf7c | 17393 | if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 15:117db924cf7c | 17394 | return ASN_PARSE_E; |
wolfSSL | 15:117db924cf7c | 17395 | |
wolfSSL | 15:117db924cf7c | 17396 | /* openssl doesn't add skid by default for CRLs cause firefox chokes |
wolfSSL | 16:8e0d178b1d1e | 17397 | if experiencing issues uncomment NO_SKID define in CRL section of |
wolfSSL | 16:8e0d178b1d1e | 17398 | wolfssl/wolfcrypt/settings.h */ |
wolfSSL | 16:8e0d178b1d1e | 17399 | #ifndef NO_SKID |
wolfSSL | 16:8e0d178b1d1e | 17400 | if (dcrl->extAuthKeyIdSet) { |
wolfSSL | 16:8e0d178b1d1e | 17401 | ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */ |
wolfSSL | 16:8e0d178b1d1e | 17402 | } |
wolfSSL | 16:8e0d178b1d1e | 17403 | if (ca != NULL && XMEMCMP(dcrl->issuerHash, ca->subjectNameHash, |
wolfSSL | 16:8e0d178b1d1e | 17404 | KEYID_SIZE) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 17405 | ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 17406 | } |
wolfSSL | 16:8e0d178b1d1e | 17407 | if (ca == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 17408 | ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */ |
wolfSSL | 16:8e0d178b1d1e | 17409 | /* If AKID is available then this CA doesn't have the public |
wolfSSL | 16:8e0d178b1d1e | 17410 | * key required */ |
wolfSSL | 16:8e0d178b1d1e | 17411 | if (ca && dcrl->extAuthKeyIdSet) { |
wolfSSL | 16:8e0d178b1d1e | 17412 | WOLFSSL_MSG("CA SKID doesn't match AKID"); |
wolfSSL | 16:8e0d178b1d1e | 17413 | ca = NULL; |
wolfSSL | 16:8e0d178b1d1e | 17414 | } |
wolfSSL | 16:8e0d178b1d1e | 17415 | } |
wolfSSL | 15:117db924cf7c | 17416 | #else |
wolfSSL | 15:117db924cf7c | 17417 | ca = GetCA(cm, dcrl->issuerHash); |
wolfSSL | 16:8e0d178b1d1e | 17418 | #endif /* !NO_SKID */ |
wolfSSL | 15:117db924cf7c | 17419 | WOLFSSL_MSG("About to verify CRL signature"); |
wolfSSL | 15:117db924cf7c | 17420 | |
wolfSSL | 15:117db924cf7c | 17421 | if (ca == NULL) { |
wolfSSL | 15:117db924cf7c | 17422 | WOLFSSL_MSG("Did NOT find CRL issuer CA"); |
wolfSSL | 15:117db924cf7c | 17423 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 15:117db924cf7c | 17424 | } |
wolfSSL | 15:117db924cf7c | 17425 | |
wolfSSL | 15:117db924cf7c | 17426 | WOLFSSL_MSG("Found CRL issuer CA"); |
wolfSSL | 15:117db924cf7c | 17427 | return VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, |
wolfSSL | 15:117db924cf7c | 17428 | dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, |
wolfSSL | 15:117db924cf7c | 17429 | dcrl->signatureOID, ca, dcrl->heap); |
wolfSSL | 15:117db924cf7c | 17430 | } |
wolfSSL | 15:117db924cf7c | 17431 | |
wolfSSL | 15:117db924cf7c | 17432 | #endif /* HAVE_CRL */ |
wolfSSL | 15:117db924cf7c | 17433 | |
wolfSSL | 16:8e0d178b1d1e | 17434 | |
wolfSSL | 16:8e0d178b1d1e | 17435 | |
wolfSSL | 16:8e0d178b1d1e | 17436 | #ifdef WOLFSSL_CERT_PIV |
wolfSSL | 16:8e0d178b1d1e | 17437 | |
wolfSSL | 16:8e0d178b1d1e | 17438 | int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz) |
wolfSSL | 16:8e0d178b1d1e | 17439 | { |
wolfSSL | 16:8e0d178b1d1e | 17440 | int length = 0; |
wolfSSL | 16:8e0d178b1d1e | 17441 | word32 idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 17442 | |
wolfSSL | 16:8e0d178b1d1e | 17443 | WOLFSSL_ENTER("wc_ParseCertPIV"); |
wolfSSL | 16:8e0d178b1d1e | 17444 | |
wolfSSL | 16:8e0d178b1d1e | 17445 | if (piv == NULL || buf == NULL || totalSz == 0) |
wolfSSL | 16:8e0d178b1d1e | 17446 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 17447 | |
wolfSSL | 16:8e0d178b1d1e | 17448 | XMEMSET(piv, 0, sizeof(wc_CertPIV)); |
wolfSSL | 16:8e0d178b1d1e | 17449 | |
wolfSSL | 16:8e0d178b1d1e | 17450 | /* Detect Identiv PIV (with 0x0A, 0x0B and 0x0C sections) */ |
wolfSSL | 16:8e0d178b1d1e | 17451 | /* Certificate (0A 82 05FA) */ |
wolfSSL | 16:8e0d178b1d1e | 17452 | if (GetASNHeader(buf, ASN_PIV_CERT, &idx, &length, totalSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17453 | /* Identiv Type PIV card */ |
wolfSSL | 16:8e0d178b1d1e | 17454 | piv->isIdentiv = 1; |
wolfSSL | 16:8e0d178b1d1e | 17455 | |
wolfSSL | 16:8e0d178b1d1e | 17456 | piv->cert = &buf[idx]; |
wolfSSL | 16:8e0d178b1d1e | 17457 | piv->certSz = length; |
wolfSSL | 16:8e0d178b1d1e | 17458 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17459 | |
wolfSSL | 16:8e0d178b1d1e | 17460 | /* Nonce (0B 14) */ |
wolfSSL | 16:8e0d178b1d1e | 17461 | if (GetASNHeader(buf, ASN_PIV_NONCE, &idx, &length, totalSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17462 | piv->nonce = &buf[idx]; |
wolfSSL | 16:8e0d178b1d1e | 17463 | piv->nonceSz = length; |
wolfSSL | 16:8e0d178b1d1e | 17464 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17465 | } |
wolfSSL | 16:8e0d178b1d1e | 17466 | |
wolfSSL | 16:8e0d178b1d1e | 17467 | /* Signed Nonce (0C 82 0100) */ |
wolfSSL | 16:8e0d178b1d1e | 17468 | if (GetASNHeader(buf, ASN_PIV_SIGNED_NONCE, &idx, &length, totalSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17469 | piv->signedNonce = &buf[idx]; |
wolfSSL | 16:8e0d178b1d1e | 17470 | piv->signedNonceSz = length; |
wolfSSL | 16:8e0d178b1d1e | 17471 | } |
wolfSSL | 16:8e0d178b1d1e | 17472 | |
wolfSSL | 16:8e0d178b1d1e | 17473 | idx = 0; |
wolfSSL | 16:8e0d178b1d1e | 17474 | buf = piv->cert; |
wolfSSL | 16:8e0d178b1d1e | 17475 | totalSz = piv->certSz; |
wolfSSL | 16:8e0d178b1d1e | 17476 | } |
wolfSSL | 16:8e0d178b1d1e | 17477 | |
wolfSSL | 16:8e0d178b1d1e | 17478 | /* Certificate Buffer Total Size (53 82 05F6) */ |
wolfSSL | 16:8e0d178b1d1e | 17479 | if (GetASNHeader(buf, ASN_APPLICATION | ASN_PRINTABLE_STRING, &idx, |
wolfSSL | 16:8e0d178b1d1e | 17480 | &length, totalSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17481 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17482 | } |
wolfSSL | 16:8e0d178b1d1e | 17483 | /* PIV Certificate (70 82 05ED) */ |
wolfSSL | 16:8e0d178b1d1e | 17484 | if (GetASNHeader(buf, ASN_PIV_TAG_CERT, &idx, &length, |
wolfSSL | 16:8e0d178b1d1e | 17485 | totalSz) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 17486 | return ASN_PARSE_E; |
wolfSSL | 16:8e0d178b1d1e | 17487 | } |
wolfSSL | 16:8e0d178b1d1e | 17488 | |
wolfSSL | 16:8e0d178b1d1e | 17489 | /* Capture certificate buffer pointer and length */ |
wolfSSL | 16:8e0d178b1d1e | 17490 | piv->cert = &buf[idx]; |
wolfSSL | 16:8e0d178b1d1e | 17491 | piv->certSz = length; |
wolfSSL | 16:8e0d178b1d1e | 17492 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17493 | |
wolfSSL | 16:8e0d178b1d1e | 17494 | /* PIV Certificate Info (71 01 00) */ |
wolfSSL | 16:8e0d178b1d1e | 17495 | if (GetASNHeader(buf, ASN_PIV_TAG_CERT_INFO, &idx, &length, |
wolfSSL | 16:8e0d178b1d1e | 17496 | totalSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17497 | if (length >= 1) { |
wolfSSL | 16:8e0d178b1d1e | 17498 | piv->compression = (buf[idx] & ASN_PIV_CERT_INFO_COMPRESSED); |
wolfSSL | 16:8e0d178b1d1e | 17499 | piv->isX509 = (buf[idx] & ASN_PIV_CERT_INFO_ISX509); |
wolfSSL | 16:8e0d178b1d1e | 17500 | } |
wolfSSL | 16:8e0d178b1d1e | 17501 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17502 | } |
wolfSSL | 16:8e0d178b1d1e | 17503 | |
wolfSSL | 16:8e0d178b1d1e | 17504 | /* PIV Error Detection (FE 00) */ |
wolfSSL | 16:8e0d178b1d1e | 17505 | if (GetASNHeader(buf, ASN_PIV_TAG_ERR_DET, &idx, &length, |
wolfSSL | 16:8e0d178b1d1e | 17506 | totalSz) >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 17507 | piv->certErrDet = &buf[idx]; |
wolfSSL | 16:8e0d178b1d1e | 17508 | piv->certErrDetSz = length; |
wolfSSL | 16:8e0d178b1d1e | 17509 | idx += length; |
wolfSSL | 16:8e0d178b1d1e | 17510 | } |
wolfSSL | 16:8e0d178b1d1e | 17511 | |
wolfSSL | 16:8e0d178b1d1e | 17512 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 17513 | } |
wolfSSL | 16:8e0d178b1d1e | 17514 | |
wolfSSL | 16:8e0d178b1d1e | 17515 | #endif /* WOLFSSL_CERT_PIV */ |
wolfSSL | 16:8e0d178b1d1e | 17516 | |
wolfSSL | 16:8e0d178b1d1e | 17517 | |
wolfSSL | 15:117db924cf7c | 17518 | #undef ERROR_OUT |
wolfSSL | 15:117db924cf7c | 17519 | |
wolfSSL | 15:117db924cf7c | 17520 | #endif /* !NO_ASN */ |
wolfSSL | 15:117db924cf7c | 17521 | |
wolfSSL | 15:117db924cf7c | 17522 | #ifdef WOLFSSL_SEP |
wolfSSL | 15:117db924cf7c | 17523 | |
wolfSSL | 15:117db924cf7c | 17524 | |
wolfSSL | 15:117db924cf7c | 17525 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 15:117db924cf7c | 17526 |