wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/asn.c@0:d92f9d21154c, 2015-06-26 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 26 00:39:20 2015 +0000
- Revision:
- 0:d92f9d21154c
- Child:
- 2:28278596c2a2
wolfSSL 3.6.0
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 0:d92f9d21154c | 1 | /* asn.c |
wolfSSL | 0:d92f9d21154c | 2 | * |
wolfSSL | 0:d92f9d21154c | 3 | * Copyright (C) 2006-2015 wolfSSL Inc. |
wolfSSL | 0:d92f9d21154c | 4 | * |
wolfSSL | 0:d92f9d21154c | 5 | * This file is part of wolfSSL. (formerly known as CyaSSL) |
wolfSSL | 0:d92f9d21154c | 6 | * |
wolfSSL | 0:d92f9d21154c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 0:d92f9d21154c | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 0:d92f9d21154c | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 0:d92f9d21154c | 10 | * (at your option) any later version. |
wolfSSL | 0:d92f9d21154c | 11 | * |
wolfSSL | 0:d92f9d21154c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 0:d92f9d21154c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 0:d92f9d21154c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 0:d92f9d21154c | 15 | * GNU General Public License for more details. |
wolfSSL | 0:d92f9d21154c | 16 | * |
wolfSSL | 0:d92f9d21154c | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 0:d92f9d21154c | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 0:d92f9d21154c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
wolfSSL | 0:d92f9d21154c | 20 | */ |
wolfSSL | 0:d92f9d21154c | 21 | |
wolfSSL | 0:d92f9d21154c | 22 | #ifdef HAVE_CONFIG_H |
wolfSSL | 0:d92f9d21154c | 23 | #include <config.h> |
wolfSSL | 0:d92f9d21154c | 24 | #endif |
wolfSSL | 0:d92f9d21154c | 25 | |
wolfSSL | 0:d92f9d21154c | 26 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 0:d92f9d21154c | 27 | |
wolfSSL | 0:d92f9d21154c | 28 | #ifndef NO_ASN |
wolfSSL | 0:d92f9d21154c | 29 | |
wolfSSL | 0:d92f9d21154c | 30 | #ifdef HAVE_RTP_SYS |
wolfSSL | 0:d92f9d21154c | 31 | #include "os.h" /* dc_rtc_api needs */ |
wolfSSL | 0:d92f9d21154c | 32 | #include "dc_rtc_api.h" /* to get current time */ |
wolfSSL | 0:d92f9d21154c | 33 | #endif |
wolfSSL | 0:d92f9d21154c | 34 | |
wolfSSL | 0:d92f9d21154c | 35 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 0:d92f9d21154c | 36 | #include <wolfssl/wolfcrypt/coding.h> |
wolfSSL | 0:d92f9d21154c | 37 | #include <wolfssl/wolfcrypt/md2.h> |
wolfSSL | 0:d92f9d21154c | 38 | #include <wolfssl/wolfcrypt/hmac.h> |
wolfSSL | 0:d92f9d21154c | 39 | #include <wolfssl/wolfcrypt/error-crypt.h> |
wolfSSL | 0:d92f9d21154c | 40 | #include <wolfssl/wolfcrypt/pwdbased.h> |
wolfSSL | 0:d92f9d21154c | 41 | #include <wolfssl/wolfcrypt/des3.h> |
wolfSSL | 0:d92f9d21154c | 42 | #include <wolfssl/wolfcrypt/logging.h> |
wolfSSL | 0:d92f9d21154c | 43 | |
wolfSSL | 0:d92f9d21154c | 44 | #include <wolfssl/wolfcrypt/random.h> |
wolfSSL | 0:d92f9d21154c | 45 | |
wolfSSL | 0:d92f9d21154c | 46 | |
wolfSSL | 0:d92f9d21154c | 47 | #ifndef NO_RC4 |
wolfSSL | 0:d92f9d21154c | 48 | #include <wolfssl/wolfcrypt/arc4.h> |
wolfSSL | 0:d92f9d21154c | 49 | #endif |
wolfSSL | 0:d92f9d21154c | 50 | |
wolfSSL | 0:d92f9d21154c | 51 | #ifdef HAVE_NTRU |
wolfSSL | 0:d92f9d21154c | 52 | #include "ntru_crypto.h" |
wolfSSL | 0:d92f9d21154c | 53 | #endif |
wolfSSL | 0:d92f9d21154c | 54 | |
wolfSSL | 0:d92f9d21154c | 55 | #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) |
wolfSSL | 0:d92f9d21154c | 56 | #include <wolfssl/wolfcrypt/sha512.h> |
wolfSSL | 0:d92f9d21154c | 57 | #endif |
wolfSSL | 0:d92f9d21154c | 58 | |
wolfSSL | 0:d92f9d21154c | 59 | #ifndef NO_SHA256 |
wolfSSL | 0:d92f9d21154c | 60 | #include <wolfssl/wolfcrypt/sha256.h> |
wolfSSL | 0:d92f9d21154c | 61 | #endif |
wolfSSL | 0:d92f9d21154c | 62 | |
wolfSSL | 0:d92f9d21154c | 63 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 64 | #include <wolfssl/wolfcrypt/ecc.h> |
wolfSSL | 0:d92f9d21154c | 65 | #endif |
wolfSSL | 0:d92f9d21154c | 66 | |
wolfSSL | 0:d92f9d21154c | 67 | #ifdef WOLFSSL_DEBUG_ENCODING |
wolfSSL | 0:d92f9d21154c | 68 | #ifdef FREESCALE_MQX |
wolfSSL | 0:d92f9d21154c | 69 | #include <fio.h> |
wolfSSL | 0:d92f9d21154c | 70 | #else |
wolfSSL | 0:d92f9d21154c | 71 | #include <stdio.h> |
wolfSSL | 0:d92f9d21154c | 72 | #endif |
wolfSSL | 0:d92f9d21154c | 73 | #endif |
wolfSSL | 0:d92f9d21154c | 74 | |
wolfSSL | 0:d92f9d21154c | 75 | #ifdef _MSC_VER |
wolfSSL | 0:d92f9d21154c | 76 | /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */ |
wolfSSL | 0:d92f9d21154c | 77 | #pragma warning(disable: 4996) |
wolfSSL | 0:d92f9d21154c | 78 | #endif |
wolfSSL | 0:d92f9d21154c | 79 | |
wolfSSL | 0:d92f9d21154c | 80 | |
wolfSSL | 0:d92f9d21154c | 81 | #ifndef TRUE |
wolfSSL | 0:d92f9d21154c | 82 | #define TRUE 1 |
wolfSSL | 0:d92f9d21154c | 83 | #endif |
wolfSSL | 0:d92f9d21154c | 84 | #ifndef FALSE |
wolfSSL | 0:d92f9d21154c | 85 | #define FALSE 0 |
wolfSSL | 0:d92f9d21154c | 86 | #endif |
wolfSSL | 0:d92f9d21154c | 87 | |
wolfSSL | 0:d92f9d21154c | 88 | |
wolfSSL | 0:d92f9d21154c | 89 | #ifdef HAVE_RTP_SYS |
wolfSSL | 0:d92f9d21154c | 90 | /* uses parital <time.h> structures */ |
wolfSSL | 0:d92f9d21154c | 91 | #define XTIME(tl) (0) |
wolfSSL | 0:d92f9d21154c | 92 | #define XGMTIME(c, t) my_gmtime((c)) |
wolfSSL | 0:d92f9d21154c | 93 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 94 | #elif defined(MICRIUM) |
wolfSSL | 0:d92f9d21154c | 95 | #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) |
wolfSSL | 0:d92f9d21154c | 96 | #define XVALIDATE_DATE(d,f,t) NetSecure_ValidateDateHandler((d),(f),(t)) |
wolfSSL | 0:d92f9d21154c | 97 | #else |
wolfSSL | 0:d92f9d21154c | 98 | #define XVALIDATE_DATE(d, f, t) (0) |
wolfSSL | 0:d92f9d21154c | 99 | #endif |
wolfSSL | 0:d92f9d21154c | 100 | #define NO_TIME_H |
wolfSSL | 0:d92f9d21154c | 101 | /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */ |
wolfSSL | 0:d92f9d21154c | 102 | #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 0:d92f9d21154c | 103 | #include <time.h> |
wolfSSL | 0:d92f9d21154c | 104 | #define XTIME(t1) pic32_time((t1)) |
wolfSSL | 0:d92f9d21154c | 105 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 0:d92f9d21154c | 106 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 107 | #elif defined(FREESCALE_MQX) |
wolfSSL | 0:d92f9d21154c | 108 | #define XTIME(t1) mqx_time((t1)) |
wolfSSL | 0:d92f9d21154c | 109 | #define XGMTIME(c, t) mqx_gmtime((c), (t)) |
wolfSSL | 0:d92f9d21154c | 110 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 111 | #elif defined(WOLFSSL_MDK_ARM) |
wolfSSL | 0:d92f9d21154c | 112 | #if defined(WOLFSSL_MDK5) |
wolfSSL | 0:d92f9d21154c | 113 | #include "cmsis_os.h" |
wolfSSL | 0:d92f9d21154c | 114 | #else |
wolfSSL | 0:d92f9d21154c | 115 | #include <rtl.h> |
wolfSSL | 0:d92f9d21154c | 116 | #endif |
wolfSSL | 0:d92f9d21154c | 117 | #undef RNG |
wolfSSL | 0:d92f9d21154c | 118 | #include "wolfssl_MDK_ARM.h" |
wolfSSL | 0:d92f9d21154c | 119 | #undef RNG |
wolfSSL | 0:d92f9d21154c | 120 | #define RNG wolfSSL_RNG /*for avoiding name conflict in "stm32f2xx.h" */ |
wolfSSL | 0:d92f9d21154c | 121 | #define XTIME(tl) (0) |
wolfSSL | 0:d92f9d21154c | 122 | #define XGMTIME(c, t) wolfssl_MDK_gmtime((c)) |
wolfSSL | 0:d92f9d21154c | 123 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 124 | #elif defined(USER_TIME) |
wolfSSL | 0:d92f9d21154c | 125 | /* user time, and gmtime compatible functions, there is a gmtime |
wolfSSL | 0:d92f9d21154c | 126 | implementation here that WINCE uses, so really just need some ticks |
wolfSSL | 0:d92f9d21154c | 127 | since the EPOCH |
wolfSSL | 0:d92f9d21154c | 128 | */ |
wolfSSL | 0:d92f9d21154c | 129 | |
wolfSSL | 0:d92f9d21154c | 130 | struct tm { |
wolfSSL | 0:d92f9d21154c | 131 | int tm_sec; /* seconds after the minute [0-60] */ |
wolfSSL | 0:d92f9d21154c | 132 | int tm_min; /* minutes after the hour [0-59] */ |
wolfSSL | 0:d92f9d21154c | 133 | int tm_hour; /* hours since midnight [0-23] */ |
wolfSSL | 0:d92f9d21154c | 134 | int tm_mday; /* day of the month [1-31] */ |
wolfSSL | 0:d92f9d21154c | 135 | int tm_mon; /* months since January [0-11] */ |
wolfSSL | 0:d92f9d21154c | 136 | int tm_year; /* years since 1900 */ |
wolfSSL | 0:d92f9d21154c | 137 | int tm_wday; /* days since Sunday [0-6] */ |
wolfSSL | 0:d92f9d21154c | 138 | int tm_yday; /* days since January 1 [0-365] */ |
wolfSSL | 0:d92f9d21154c | 139 | int tm_isdst; /* Daylight Savings Time flag */ |
wolfSSL | 0:d92f9d21154c | 140 | long tm_gmtoff; /* offset from CUT in seconds */ |
wolfSSL | 0:d92f9d21154c | 141 | char *tm_zone; /* timezone abbreviation */ |
wolfSSL | 0:d92f9d21154c | 142 | }; |
wolfSSL | 0:d92f9d21154c | 143 | typedef long time_t; |
wolfSSL | 0:d92f9d21154c | 144 | |
wolfSSL | 0:d92f9d21154c | 145 | /* forward declaration */ |
wolfSSL | 0:d92f9d21154c | 146 | struct tm* gmtime(const time_t* timer); |
wolfSSL | 0:d92f9d21154c | 147 | extern time_t XTIME(time_t * timer); |
wolfSSL | 0:d92f9d21154c | 148 | |
wolfSSL | 0:d92f9d21154c | 149 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 0:d92f9d21154c | 150 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 151 | |
wolfSSL | 0:d92f9d21154c | 152 | #ifdef STACK_TRAP |
wolfSSL | 0:d92f9d21154c | 153 | /* for stack trap tracking, don't call os gmtime on OS X/linux, |
wolfSSL | 0:d92f9d21154c | 154 | uses a lot of stack spce */ |
wolfSSL | 0:d92f9d21154c | 155 | extern time_t time(time_t * timer); |
wolfSSL | 0:d92f9d21154c | 156 | #define XTIME(tl) time((tl)) |
wolfSSL | 0:d92f9d21154c | 157 | #endif /* STACK_TRAP */ |
wolfSSL | 0:d92f9d21154c | 158 | |
wolfSSL | 0:d92f9d21154c | 159 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 0:d92f9d21154c | 160 | /* user would like to override time() and gmtime() functionality */ |
wolfSSL | 0:d92f9d21154c | 161 | |
wolfSSL | 0:d92f9d21154c | 162 | #ifndef HAVE_TIME_T_TYPE |
wolfSSL | 0:d92f9d21154c | 163 | typedef long time_t; |
wolfSSL | 0:d92f9d21154c | 164 | #endif |
wolfSSL | 0:d92f9d21154c | 165 | extern time_t XTIME(time_t * timer); |
wolfSSL | 0:d92f9d21154c | 166 | |
wolfSSL | 0:d92f9d21154c | 167 | #ifndef HAVE_TM_TYPE |
wolfSSL | 0:d92f9d21154c | 168 | struct tm { |
wolfSSL | 0:d92f9d21154c | 169 | int tm_sec; /* seconds after the minute [0-60] */ |
wolfSSL | 0:d92f9d21154c | 170 | int tm_min; /* minutes after the hour [0-59] */ |
wolfSSL | 0:d92f9d21154c | 171 | int tm_hour; /* hours since midnight [0-23] */ |
wolfSSL | 0:d92f9d21154c | 172 | int tm_mday; /* day of the month [1-31] */ |
wolfSSL | 0:d92f9d21154c | 173 | int tm_mon; /* months since January [0-11] */ |
wolfSSL | 0:d92f9d21154c | 174 | int tm_year; /* years since 1900 */ |
wolfSSL | 0:d92f9d21154c | 175 | int tm_wday; /* days since Sunday [0-6] */ |
wolfSSL | 0:d92f9d21154c | 176 | int tm_yday; /* days since January 1 [0-365] */ |
wolfSSL | 0:d92f9d21154c | 177 | int tm_isdst; /* Daylight Savings Time flag */ |
wolfSSL | 0:d92f9d21154c | 178 | long tm_gmtoff; /* offset from CUT in seconds */ |
wolfSSL | 0:d92f9d21154c | 179 | char *tm_zone; /* timezone abbreviation */ |
wolfSSL | 0:d92f9d21154c | 180 | }; |
wolfSSL | 0:d92f9d21154c | 181 | #endif |
wolfSSL | 0:d92f9d21154c | 182 | extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp); |
wolfSSL | 0:d92f9d21154c | 183 | |
wolfSSL | 0:d92f9d21154c | 184 | #ifndef HAVE_VALIDATE_DATE |
wolfSSL | 0:d92f9d21154c | 185 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 186 | #endif |
wolfSSL | 0:d92f9d21154c | 187 | #else |
wolfSSL | 0:d92f9d21154c | 188 | /* default */ |
wolfSSL | 0:d92f9d21154c | 189 | /* uses complete <time.h> facility */ |
wolfSSL | 0:d92f9d21154c | 190 | #include <time.h> |
wolfSSL | 0:d92f9d21154c | 191 | #define XTIME(tl) time((tl)) |
wolfSSL | 0:d92f9d21154c | 192 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 0:d92f9d21154c | 193 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 0:d92f9d21154c | 194 | #endif |
wolfSSL | 0:d92f9d21154c | 195 | |
wolfSSL | 0:d92f9d21154c | 196 | |
wolfSSL | 0:d92f9d21154c | 197 | #ifdef _WIN32_WCE |
wolfSSL | 0:d92f9d21154c | 198 | /* no time() or gmtime() even though in time.h header?? */ |
wolfSSL | 0:d92f9d21154c | 199 | |
wolfSSL | 0:d92f9d21154c | 200 | #include <windows.h> |
wolfSSL | 0:d92f9d21154c | 201 | |
wolfSSL | 0:d92f9d21154c | 202 | |
wolfSSL | 0:d92f9d21154c | 203 | time_t time(time_t* timer) |
wolfSSL | 0:d92f9d21154c | 204 | { |
wolfSSL | 0:d92f9d21154c | 205 | SYSTEMTIME sysTime; |
wolfSSL | 0:d92f9d21154c | 206 | FILETIME fTime; |
wolfSSL | 0:d92f9d21154c | 207 | ULARGE_INTEGER intTime; |
wolfSSL | 0:d92f9d21154c | 208 | time_t localTime; |
wolfSSL | 0:d92f9d21154c | 209 | |
wolfSSL | 0:d92f9d21154c | 210 | if (timer == NULL) |
wolfSSL | 0:d92f9d21154c | 211 | timer = &localTime; |
wolfSSL | 0:d92f9d21154c | 212 | |
wolfSSL | 0:d92f9d21154c | 213 | GetSystemTime(&sysTime); |
wolfSSL | 0:d92f9d21154c | 214 | SystemTimeToFileTime(&sysTime, &fTime); |
wolfSSL | 0:d92f9d21154c | 215 | |
wolfSSL | 0:d92f9d21154c | 216 | XMEMCPY(&intTime, &fTime, sizeof(FILETIME)); |
wolfSSL | 0:d92f9d21154c | 217 | /* subtract EPOCH */ |
wolfSSL | 0:d92f9d21154c | 218 | intTime.QuadPart -= 0x19db1ded53e8000; |
wolfSSL | 0:d92f9d21154c | 219 | /* to secs */ |
wolfSSL | 0:d92f9d21154c | 220 | intTime.QuadPart /= 10000000; |
wolfSSL | 0:d92f9d21154c | 221 | *timer = (time_t)intTime.QuadPart; |
wolfSSL | 0:d92f9d21154c | 222 | |
wolfSSL | 0:d92f9d21154c | 223 | return *timer; |
wolfSSL | 0:d92f9d21154c | 224 | } |
wolfSSL | 0:d92f9d21154c | 225 | |
wolfSSL | 0:d92f9d21154c | 226 | #endif /* _WIN32_WCE */ |
wolfSSL | 0:d92f9d21154c | 227 | #if defined( _WIN32_WCE ) || defined( USER_TIME ) |
wolfSSL | 0:d92f9d21154c | 228 | |
wolfSSL | 0:d92f9d21154c | 229 | struct tm* gmtime(const time_t* timer) |
wolfSSL | 0:d92f9d21154c | 230 | { |
wolfSSL | 0:d92f9d21154c | 231 | #define YEAR0 1900 |
wolfSSL | 0:d92f9d21154c | 232 | #define EPOCH_YEAR 1970 |
wolfSSL | 0:d92f9d21154c | 233 | #define SECS_DAY (24L * 60L * 60L) |
wolfSSL | 0:d92f9d21154c | 234 | #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400))) |
wolfSSL | 0:d92f9d21154c | 235 | #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365) |
wolfSSL | 0:d92f9d21154c | 236 | |
wolfSSL | 0:d92f9d21154c | 237 | static const int _ytab[2][12] = |
wolfSSL | 0:d92f9d21154c | 238 | { |
wolfSSL | 0:d92f9d21154c | 239 | {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}, |
wolfSSL | 0:d92f9d21154c | 240 | {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31} |
wolfSSL | 0:d92f9d21154c | 241 | }; |
wolfSSL | 0:d92f9d21154c | 242 | |
wolfSSL | 0:d92f9d21154c | 243 | static struct tm st_time; |
wolfSSL | 0:d92f9d21154c | 244 | struct tm* ret = &st_time; |
wolfSSL | 0:d92f9d21154c | 245 | time_t secs = *timer; |
wolfSSL | 0:d92f9d21154c | 246 | unsigned long dayclock, dayno; |
wolfSSL | 0:d92f9d21154c | 247 | int year = EPOCH_YEAR; |
wolfSSL | 0:d92f9d21154c | 248 | |
wolfSSL | 0:d92f9d21154c | 249 | dayclock = (unsigned long)secs % SECS_DAY; |
wolfSSL | 0:d92f9d21154c | 250 | dayno = (unsigned long)secs / SECS_DAY; |
wolfSSL | 0:d92f9d21154c | 251 | |
wolfSSL | 0:d92f9d21154c | 252 | ret->tm_sec = (int) dayclock % 60; |
wolfSSL | 0:d92f9d21154c | 253 | ret->tm_min = (int)(dayclock % 3600) / 60; |
wolfSSL | 0:d92f9d21154c | 254 | ret->tm_hour = (int) dayclock / 3600; |
wolfSSL | 0:d92f9d21154c | 255 | ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */ |
wolfSSL | 0:d92f9d21154c | 256 | |
wolfSSL | 0:d92f9d21154c | 257 | while(dayno >= (unsigned long)YEARSIZE(year)) { |
wolfSSL | 0:d92f9d21154c | 258 | dayno -= YEARSIZE(year); |
wolfSSL | 0:d92f9d21154c | 259 | year++; |
wolfSSL | 0:d92f9d21154c | 260 | } |
wolfSSL | 0:d92f9d21154c | 261 | |
wolfSSL | 0:d92f9d21154c | 262 | ret->tm_year = year - YEAR0; |
wolfSSL | 0:d92f9d21154c | 263 | ret->tm_yday = (int)dayno; |
wolfSSL | 0:d92f9d21154c | 264 | ret->tm_mon = 0; |
wolfSSL | 0:d92f9d21154c | 265 | |
wolfSSL | 0:d92f9d21154c | 266 | while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) { |
wolfSSL | 0:d92f9d21154c | 267 | dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon]; |
wolfSSL | 0:d92f9d21154c | 268 | ret->tm_mon++; |
wolfSSL | 0:d92f9d21154c | 269 | } |
wolfSSL | 0:d92f9d21154c | 270 | |
wolfSSL | 0:d92f9d21154c | 271 | ret->tm_mday = (int)++dayno; |
wolfSSL | 0:d92f9d21154c | 272 | ret->tm_isdst = 0; |
wolfSSL | 0:d92f9d21154c | 273 | |
wolfSSL | 0:d92f9d21154c | 274 | return ret; |
wolfSSL | 0:d92f9d21154c | 275 | } |
wolfSSL | 0:d92f9d21154c | 276 | |
wolfSSL | 0:d92f9d21154c | 277 | #endif /* _WIN32_WCE || USER_TIME */ |
wolfSSL | 0:d92f9d21154c | 278 | |
wolfSSL | 0:d92f9d21154c | 279 | |
wolfSSL | 0:d92f9d21154c | 280 | #ifdef HAVE_RTP_SYS |
wolfSSL | 0:d92f9d21154c | 281 | |
wolfSSL | 0:d92f9d21154c | 282 | #define YEAR0 1900 |
wolfSSL | 0:d92f9d21154c | 283 | |
wolfSSL | 0:d92f9d21154c | 284 | struct tm* my_gmtime(const time_t* timer) /* has a gmtime() but hangs */ |
wolfSSL | 0:d92f9d21154c | 285 | { |
wolfSSL | 0:d92f9d21154c | 286 | static struct tm st_time; |
wolfSSL | 0:d92f9d21154c | 287 | struct tm* ret = &st_time; |
wolfSSL | 0:d92f9d21154c | 288 | |
wolfSSL | 0:d92f9d21154c | 289 | DC_RTC_CALENDAR cal; |
wolfSSL | 0:d92f9d21154c | 290 | dc_rtc_time_get(&cal, TRUE); |
wolfSSL | 0:d92f9d21154c | 291 | |
wolfSSL | 0:d92f9d21154c | 292 | ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */ |
wolfSSL | 0:d92f9d21154c | 293 | ret->tm_mon = cal.month - 1; /* gm starts at 0 */ |
wolfSSL | 0:d92f9d21154c | 294 | ret->tm_mday = cal.day; |
wolfSSL | 0:d92f9d21154c | 295 | ret->tm_hour = cal.hour; |
wolfSSL | 0:d92f9d21154c | 296 | ret->tm_min = cal.minute; |
wolfSSL | 0:d92f9d21154c | 297 | ret->tm_sec = cal.second; |
wolfSSL | 0:d92f9d21154c | 298 | |
wolfSSL | 0:d92f9d21154c | 299 | return ret; |
wolfSSL | 0:d92f9d21154c | 300 | } |
wolfSSL | 0:d92f9d21154c | 301 | |
wolfSSL | 0:d92f9d21154c | 302 | #endif /* HAVE_RTP_SYS */ |
wolfSSL | 0:d92f9d21154c | 303 | |
wolfSSL | 0:d92f9d21154c | 304 | |
wolfSSL | 0:d92f9d21154c | 305 | #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 0:d92f9d21154c | 306 | |
wolfSSL | 0:d92f9d21154c | 307 | /* |
wolfSSL | 0:d92f9d21154c | 308 | * time() is just a stub in Microchip libraries. We need our own |
wolfSSL | 0:d92f9d21154c | 309 | * implementation. Use SNTP client to get seconds since epoch. |
wolfSSL | 0:d92f9d21154c | 310 | */ |
wolfSSL | 0:d92f9d21154c | 311 | time_t pic32_time(time_t* timer) |
wolfSSL | 0:d92f9d21154c | 312 | { |
wolfSSL | 0:d92f9d21154c | 313 | #ifdef MICROCHIP_TCPIP_V5 |
wolfSSL | 0:d92f9d21154c | 314 | DWORD sec = 0; |
wolfSSL | 0:d92f9d21154c | 315 | #else |
wolfSSL | 0:d92f9d21154c | 316 | uint32_t sec = 0; |
wolfSSL | 0:d92f9d21154c | 317 | #endif |
wolfSSL | 0:d92f9d21154c | 318 | time_t localTime; |
wolfSSL | 0:d92f9d21154c | 319 | |
wolfSSL | 0:d92f9d21154c | 320 | if (timer == NULL) |
wolfSSL | 0:d92f9d21154c | 321 | timer = &localTime; |
wolfSSL | 0:d92f9d21154c | 322 | |
wolfSSL | 0:d92f9d21154c | 323 | #ifdef MICROCHIP_MPLAB_HARMONY |
wolfSSL | 0:d92f9d21154c | 324 | sec = TCPIP_SNTP_UTCSecondsGet(); |
wolfSSL | 0:d92f9d21154c | 325 | #else |
wolfSSL | 0:d92f9d21154c | 326 | sec = SNTPGetUTCSeconds(); |
wolfSSL | 0:d92f9d21154c | 327 | #endif |
wolfSSL | 0:d92f9d21154c | 328 | *timer = (time_t) sec; |
wolfSSL | 0:d92f9d21154c | 329 | |
wolfSSL | 0:d92f9d21154c | 330 | return *timer; |
wolfSSL | 0:d92f9d21154c | 331 | } |
wolfSSL | 0:d92f9d21154c | 332 | |
wolfSSL | 0:d92f9d21154c | 333 | #endif /* MICROCHIP_TCPIP */ |
wolfSSL | 0:d92f9d21154c | 334 | |
wolfSSL | 0:d92f9d21154c | 335 | |
wolfSSL | 0:d92f9d21154c | 336 | #ifdef FREESCALE_MQX |
wolfSSL | 0:d92f9d21154c | 337 | |
wolfSSL | 0:d92f9d21154c | 338 | time_t mqx_time(time_t* timer) |
wolfSSL | 0:d92f9d21154c | 339 | { |
wolfSSL | 0:d92f9d21154c | 340 | time_t localTime; |
wolfSSL | 0:d92f9d21154c | 341 | TIME_STRUCT time_s; |
wolfSSL | 0:d92f9d21154c | 342 | |
wolfSSL | 0:d92f9d21154c | 343 | if (timer == NULL) |
wolfSSL | 0:d92f9d21154c | 344 | timer = &localTime; |
wolfSSL | 0:d92f9d21154c | 345 | |
wolfSSL | 0:d92f9d21154c | 346 | _time_get(&time_s); |
wolfSSL | 0:d92f9d21154c | 347 | *timer = (time_t) time_s.SECONDS; |
wolfSSL | 0:d92f9d21154c | 348 | |
wolfSSL | 0:d92f9d21154c | 349 | return *timer; |
wolfSSL | 0:d92f9d21154c | 350 | } |
wolfSSL | 0:d92f9d21154c | 351 | |
wolfSSL | 0:d92f9d21154c | 352 | /* CodeWarrior GCC toolchain only has gmtime_r(), no gmtime() */ |
wolfSSL | 0:d92f9d21154c | 353 | struct tm* mqx_gmtime(const time_t* clock, struct tm* tmpTime) |
wolfSSL | 0:d92f9d21154c | 354 | { |
wolfSSL | 0:d92f9d21154c | 355 | return gmtime_r(clock, tmpTime); |
wolfSSL | 0:d92f9d21154c | 356 | } |
wolfSSL | 0:d92f9d21154c | 357 | |
wolfSSL | 0:d92f9d21154c | 358 | #endif /* FREESCALE_MQX */ |
wolfSSL | 0:d92f9d21154c | 359 | |
wolfSSL | 0:d92f9d21154c | 360 | #ifdef WOLFSSL_TIRTOS |
wolfSSL | 0:d92f9d21154c | 361 | |
wolfSSL | 0:d92f9d21154c | 362 | time_t XTIME(time_t * timer) |
wolfSSL | 0:d92f9d21154c | 363 | { |
wolfSSL | 0:d92f9d21154c | 364 | time_t sec = 0; |
wolfSSL | 0:d92f9d21154c | 365 | |
wolfSSL | 0:d92f9d21154c | 366 | sec = (time_t) Seconds_get(); |
wolfSSL | 0:d92f9d21154c | 367 | |
wolfSSL | 0:d92f9d21154c | 368 | if (timer != NULL) |
wolfSSL | 0:d92f9d21154c | 369 | *timer = sec; |
wolfSSL | 0:d92f9d21154c | 370 | |
wolfSSL | 0:d92f9d21154c | 371 | return sec; |
wolfSSL | 0:d92f9d21154c | 372 | } |
wolfSSL | 0:d92f9d21154c | 373 | |
wolfSSL | 0:d92f9d21154c | 374 | #endif /* WOLFSSL_TIRTOS */ |
wolfSSL | 0:d92f9d21154c | 375 | |
wolfSSL | 0:d92f9d21154c | 376 | static INLINE word32 btoi(byte b) |
wolfSSL | 0:d92f9d21154c | 377 | { |
wolfSSL | 0:d92f9d21154c | 378 | return b - 0x30; |
wolfSSL | 0:d92f9d21154c | 379 | } |
wolfSSL | 0:d92f9d21154c | 380 | |
wolfSSL | 0:d92f9d21154c | 381 | |
wolfSSL | 0:d92f9d21154c | 382 | /* two byte date/time, add to value */ |
wolfSSL | 0:d92f9d21154c | 383 | static INLINE void GetTime(int* value, const byte* date, int* idx) |
wolfSSL | 0:d92f9d21154c | 384 | { |
wolfSSL | 0:d92f9d21154c | 385 | int i = *idx; |
wolfSSL | 0:d92f9d21154c | 386 | |
wolfSSL | 0:d92f9d21154c | 387 | *value += btoi(date[i++]) * 10; |
wolfSSL | 0:d92f9d21154c | 388 | *value += btoi(date[i++]); |
wolfSSL | 0:d92f9d21154c | 389 | |
wolfSSL | 0:d92f9d21154c | 390 | *idx = i; |
wolfSSL | 0:d92f9d21154c | 391 | } |
wolfSSL | 0:d92f9d21154c | 392 | |
wolfSSL | 0:d92f9d21154c | 393 | |
wolfSSL | 0:d92f9d21154c | 394 | #if defined(MICRIUM) |
wolfSSL | 0:d92f9d21154c | 395 | |
wolfSSL | 0:d92f9d21154c | 396 | CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format, |
wolfSSL | 0:d92f9d21154c | 397 | CPU_INT08U dateType) |
wolfSSL | 0:d92f9d21154c | 398 | { |
wolfSSL | 0:d92f9d21154c | 399 | CPU_BOOLEAN rtn_code; |
wolfSSL | 0:d92f9d21154c | 400 | CPU_INT32S i; |
wolfSSL | 0:d92f9d21154c | 401 | CPU_INT32S val; |
wolfSSL | 0:d92f9d21154c | 402 | CPU_INT16U year; |
wolfSSL | 0:d92f9d21154c | 403 | CPU_INT08U month; |
wolfSSL | 0:d92f9d21154c | 404 | CPU_INT16U day; |
wolfSSL | 0:d92f9d21154c | 405 | CPU_INT08U hour; |
wolfSSL | 0:d92f9d21154c | 406 | CPU_INT08U min; |
wolfSSL | 0:d92f9d21154c | 407 | CPU_INT08U sec; |
wolfSSL | 0:d92f9d21154c | 408 | |
wolfSSL | 0:d92f9d21154c | 409 | i = 0; |
wolfSSL | 0:d92f9d21154c | 410 | year = 0u; |
wolfSSL | 0:d92f9d21154c | 411 | |
wolfSSL | 0:d92f9d21154c | 412 | if (format == ASN_UTC_TIME) { |
wolfSSL | 0:d92f9d21154c | 413 | if (btoi(date[0]) >= 5) |
wolfSSL | 0:d92f9d21154c | 414 | year = 1900; |
wolfSSL | 0:d92f9d21154c | 415 | else |
wolfSSL | 0:d92f9d21154c | 416 | year = 2000; |
wolfSSL | 0:d92f9d21154c | 417 | } |
wolfSSL | 0:d92f9d21154c | 418 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 0:d92f9d21154c | 419 | year += btoi(date[i++]) * 1000; |
wolfSSL | 0:d92f9d21154c | 420 | year += btoi(date[i++]) * 100; |
wolfSSL | 0:d92f9d21154c | 421 | } |
wolfSSL | 0:d92f9d21154c | 422 | |
wolfSSL | 0:d92f9d21154c | 423 | val = year; |
wolfSSL | 0:d92f9d21154c | 424 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 425 | year = (CPU_INT16U)val; |
wolfSSL | 0:d92f9d21154c | 426 | |
wolfSSL | 0:d92f9d21154c | 427 | val = 0; |
wolfSSL | 0:d92f9d21154c | 428 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 429 | month = (CPU_INT08U)val; |
wolfSSL | 0:d92f9d21154c | 430 | |
wolfSSL | 0:d92f9d21154c | 431 | val = 0; |
wolfSSL | 0:d92f9d21154c | 432 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 433 | day = (CPU_INT16U)val; |
wolfSSL | 0:d92f9d21154c | 434 | |
wolfSSL | 0:d92f9d21154c | 435 | val = 0; |
wolfSSL | 0:d92f9d21154c | 436 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 437 | hour = (CPU_INT08U)val; |
wolfSSL | 0:d92f9d21154c | 438 | |
wolfSSL | 0:d92f9d21154c | 439 | val = 0; |
wolfSSL | 0:d92f9d21154c | 440 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 441 | min = (CPU_INT08U)val; |
wolfSSL | 0:d92f9d21154c | 442 | |
wolfSSL | 0:d92f9d21154c | 443 | val = 0; |
wolfSSL | 0:d92f9d21154c | 444 | GetTime(&val, date, &i); |
wolfSSL | 0:d92f9d21154c | 445 | sec = (CPU_INT08U)val; |
wolfSSL | 0:d92f9d21154c | 446 | |
wolfSSL | 0:d92f9d21154c | 447 | return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType); |
wolfSSL | 0:d92f9d21154c | 448 | } |
wolfSSL | 0:d92f9d21154c | 449 | |
wolfSSL | 0:d92f9d21154c | 450 | #endif /* MICRIUM */ |
wolfSSL | 0:d92f9d21154c | 451 | |
wolfSSL | 0:d92f9d21154c | 452 | |
wolfSSL | 0:d92f9d21154c | 453 | WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 0:d92f9d21154c | 454 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 455 | { |
wolfSSL | 0:d92f9d21154c | 456 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 457 | word32 i = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 458 | byte b; |
wolfSSL | 0:d92f9d21154c | 459 | |
wolfSSL | 0:d92f9d21154c | 460 | *len = 0; /* default length */ |
wolfSSL | 0:d92f9d21154c | 461 | |
wolfSSL | 0:d92f9d21154c | 462 | if ( (i+1) > maxIdx) { /* for first read */ |
wolfSSL | 0:d92f9d21154c | 463 | WOLFSSL_MSG("GetLength bad index on input"); |
wolfSSL | 0:d92f9d21154c | 464 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 465 | } |
wolfSSL | 0:d92f9d21154c | 466 | |
wolfSSL | 0:d92f9d21154c | 467 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 468 | if (b >= ASN_LONG_LENGTH) { |
wolfSSL | 0:d92f9d21154c | 469 | word32 bytes = b & 0x7F; |
wolfSSL | 0:d92f9d21154c | 470 | |
wolfSSL | 0:d92f9d21154c | 471 | if ( (i+bytes) > maxIdx) { /* for reading bytes */ |
wolfSSL | 0:d92f9d21154c | 472 | WOLFSSL_MSG("GetLength bad long length"); |
wolfSSL | 0:d92f9d21154c | 473 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 474 | } |
wolfSSL | 0:d92f9d21154c | 475 | |
wolfSSL | 0:d92f9d21154c | 476 | while (bytes--) { |
wolfSSL | 0:d92f9d21154c | 477 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 478 | length = (length << 8) | b; |
wolfSSL | 0:d92f9d21154c | 479 | } |
wolfSSL | 0:d92f9d21154c | 480 | } |
wolfSSL | 0:d92f9d21154c | 481 | else |
wolfSSL | 0:d92f9d21154c | 482 | length = b; |
wolfSSL | 0:d92f9d21154c | 483 | |
wolfSSL | 0:d92f9d21154c | 484 | if ( (i+length) > maxIdx) { /* for user of length */ |
wolfSSL | 0:d92f9d21154c | 485 | WOLFSSL_MSG("GetLength value exceeds buffer length"); |
wolfSSL | 0:d92f9d21154c | 486 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 487 | } |
wolfSSL | 0:d92f9d21154c | 488 | |
wolfSSL | 0:d92f9d21154c | 489 | *inOutIdx = i; |
wolfSSL | 0:d92f9d21154c | 490 | if (length > 0) |
wolfSSL | 0:d92f9d21154c | 491 | *len = length; |
wolfSSL | 0:d92f9d21154c | 492 | |
wolfSSL | 0:d92f9d21154c | 493 | return length; |
wolfSSL | 0:d92f9d21154c | 494 | } |
wolfSSL | 0:d92f9d21154c | 495 | |
wolfSSL | 0:d92f9d21154c | 496 | |
wolfSSL | 0:d92f9d21154c | 497 | WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 0:d92f9d21154c | 498 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 499 | { |
wolfSSL | 0:d92f9d21154c | 500 | int length = -1; |
wolfSSL | 0:d92f9d21154c | 501 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 502 | |
wolfSSL | 0:d92f9d21154c | 503 | if (input[idx++] != (ASN_SEQUENCE | ASN_CONSTRUCTED) || |
wolfSSL | 0:d92f9d21154c | 504 | GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 505 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 506 | |
wolfSSL | 0:d92f9d21154c | 507 | *len = length; |
wolfSSL | 0:d92f9d21154c | 508 | *inOutIdx = idx; |
wolfSSL | 0:d92f9d21154c | 509 | |
wolfSSL | 0:d92f9d21154c | 510 | return length; |
wolfSSL | 0:d92f9d21154c | 511 | } |
wolfSSL | 0:d92f9d21154c | 512 | |
wolfSSL | 0:d92f9d21154c | 513 | |
wolfSSL | 0:d92f9d21154c | 514 | WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 0:d92f9d21154c | 515 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 516 | { |
wolfSSL | 0:d92f9d21154c | 517 | int length = -1; |
wolfSSL | 0:d92f9d21154c | 518 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 519 | |
wolfSSL | 0:d92f9d21154c | 520 | if (input[idx++] != (ASN_SET | ASN_CONSTRUCTED) || |
wolfSSL | 0:d92f9d21154c | 521 | GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 522 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 523 | |
wolfSSL | 0:d92f9d21154c | 524 | *len = length; |
wolfSSL | 0:d92f9d21154c | 525 | *inOutIdx = idx; |
wolfSSL | 0:d92f9d21154c | 526 | |
wolfSSL | 0:d92f9d21154c | 527 | return length; |
wolfSSL | 0:d92f9d21154c | 528 | } |
wolfSSL | 0:d92f9d21154c | 529 | |
wolfSSL | 0:d92f9d21154c | 530 | |
wolfSSL | 0:d92f9d21154c | 531 | /* winodws header clash for WinCE using GetVersion */ |
wolfSSL | 0:d92f9d21154c | 532 | WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version) |
wolfSSL | 0:d92f9d21154c | 533 | { |
wolfSSL | 0:d92f9d21154c | 534 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 535 | |
wolfSSL | 0:d92f9d21154c | 536 | WOLFSSL_ENTER("GetMyVersion"); |
wolfSSL | 0:d92f9d21154c | 537 | |
wolfSSL | 0:d92f9d21154c | 538 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 539 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 540 | |
wolfSSL | 0:d92f9d21154c | 541 | if (input[idx++] != 0x01) |
wolfSSL | 0:d92f9d21154c | 542 | return ASN_VERSION_E; |
wolfSSL | 0:d92f9d21154c | 543 | |
wolfSSL | 0:d92f9d21154c | 544 | *version = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 545 | *inOutIdx = idx; |
wolfSSL | 0:d92f9d21154c | 546 | |
wolfSSL | 0:d92f9d21154c | 547 | return *version; |
wolfSSL | 0:d92f9d21154c | 548 | } |
wolfSSL | 0:d92f9d21154c | 549 | |
wolfSSL | 0:d92f9d21154c | 550 | |
wolfSSL | 0:d92f9d21154c | 551 | #ifndef NO_PWDBASED |
wolfSSL | 0:d92f9d21154c | 552 | /* Get small count integer, 32 bits or less */ |
wolfSSL | 0:d92f9d21154c | 553 | static int GetShortInt(const byte* input, word32* inOutIdx, int* number) |
wolfSSL | 0:d92f9d21154c | 554 | { |
wolfSSL | 0:d92f9d21154c | 555 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 556 | word32 len; |
wolfSSL | 0:d92f9d21154c | 557 | |
wolfSSL | 0:d92f9d21154c | 558 | *number = 0; |
wolfSSL | 0:d92f9d21154c | 559 | |
wolfSSL | 0:d92f9d21154c | 560 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 561 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 562 | |
wolfSSL | 0:d92f9d21154c | 563 | len = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 564 | if (len > 4) |
wolfSSL | 0:d92f9d21154c | 565 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 566 | |
wolfSSL | 0:d92f9d21154c | 567 | while (len--) { |
wolfSSL | 0:d92f9d21154c | 568 | *number = *number << 8 | input[idx++]; |
wolfSSL | 0:d92f9d21154c | 569 | } |
wolfSSL | 0:d92f9d21154c | 570 | |
wolfSSL | 0:d92f9d21154c | 571 | *inOutIdx = idx; |
wolfSSL | 0:d92f9d21154c | 572 | |
wolfSSL | 0:d92f9d21154c | 573 | return *number; |
wolfSSL | 0:d92f9d21154c | 574 | } |
wolfSSL | 0:d92f9d21154c | 575 | #endif /* !NO_PWDBASED */ |
wolfSSL | 0:d92f9d21154c | 576 | |
wolfSSL | 0:d92f9d21154c | 577 | |
wolfSSL | 0:d92f9d21154c | 578 | /* May not have one, not an error */ |
wolfSSL | 0:d92f9d21154c | 579 | static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version) |
wolfSSL | 0:d92f9d21154c | 580 | { |
wolfSSL | 0:d92f9d21154c | 581 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 582 | |
wolfSSL | 0:d92f9d21154c | 583 | WOLFSSL_ENTER("GetExplicitVersion"); |
wolfSSL | 0:d92f9d21154c | 584 | if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 0:d92f9d21154c | 585 | *inOutIdx = ++idx; /* eat header */ |
wolfSSL | 0:d92f9d21154c | 586 | return GetMyVersion(input, inOutIdx, version); |
wolfSSL | 0:d92f9d21154c | 587 | } |
wolfSSL | 0:d92f9d21154c | 588 | |
wolfSSL | 0:d92f9d21154c | 589 | /* go back as is */ |
wolfSSL | 0:d92f9d21154c | 590 | *version = 0; |
wolfSSL | 0:d92f9d21154c | 591 | |
wolfSSL | 0:d92f9d21154c | 592 | return 0; |
wolfSSL | 0:d92f9d21154c | 593 | } |
wolfSSL | 0:d92f9d21154c | 594 | |
wolfSSL | 0:d92f9d21154c | 595 | |
wolfSSL | 0:d92f9d21154c | 596 | WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, |
wolfSSL | 0:d92f9d21154c | 597 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 598 | { |
wolfSSL | 0:d92f9d21154c | 599 | word32 i = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 600 | byte b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 601 | int length; |
wolfSSL | 0:d92f9d21154c | 602 | |
wolfSSL | 0:d92f9d21154c | 603 | if (b != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 604 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 605 | |
wolfSSL | 0:d92f9d21154c | 606 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 607 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 608 | |
wolfSSL | 0:d92f9d21154c | 609 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 0:d92f9d21154c | 610 | length--; |
wolfSSL | 0:d92f9d21154c | 611 | else |
wolfSSL | 0:d92f9d21154c | 612 | i--; |
wolfSSL | 0:d92f9d21154c | 613 | |
wolfSSL | 0:d92f9d21154c | 614 | if (mp_init(mpi) != MP_OKAY) |
wolfSSL | 0:d92f9d21154c | 615 | return MP_INIT_E; |
wolfSSL | 0:d92f9d21154c | 616 | |
wolfSSL | 0:d92f9d21154c | 617 | if (mp_read_unsigned_bin(mpi, (byte*)input + i, length) != 0) { |
wolfSSL | 0:d92f9d21154c | 618 | mp_clear(mpi); |
wolfSSL | 0:d92f9d21154c | 619 | return ASN_GETINT_E; |
wolfSSL | 0:d92f9d21154c | 620 | } |
wolfSSL | 0:d92f9d21154c | 621 | |
wolfSSL | 0:d92f9d21154c | 622 | *inOutIdx = i + length; |
wolfSSL | 0:d92f9d21154c | 623 | return 0; |
wolfSSL | 0:d92f9d21154c | 624 | } |
wolfSSL | 0:d92f9d21154c | 625 | |
wolfSSL | 0:d92f9d21154c | 626 | |
wolfSSL | 0:d92f9d21154c | 627 | static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 0:d92f9d21154c | 628 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 629 | { |
wolfSSL | 0:d92f9d21154c | 630 | int length; |
wolfSSL | 0:d92f9d21154c | 631 | word32 i = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 632 | byte b; |
wolfSSL | 0:d92f9d21154c | 633 | *oid = 0; |
wolfSSL | 0:d92f9d21154c | 634 | |
wolfSSL | 0:d92f9d21154c | 635 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 636 | if (b != ASN_OBJECT_ID) |
wolfSSL | 0:d92f9d21154c | 637 | return ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 638 | |
wolfSSL | 0:d92f9d21154c | 639 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 640 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 641 | |
wolfSSL | 0:d92f9d21154c | 642 | while(length--) |
wolfSSL | 0:d92f9d21154c | 643 | *oid += input[i++]; |
wolfSSL | 0:d92f9d21154c | 644 | /* just sum it up for now */ |
wolfSSL | 0:d92f9d21154c | 645 | |
wolfSSL | 0:d92f9d21154c | 646 | *inOutIdx = i; |
wolfSSL | 0:d92f9d21154c | 647 | |
wolfSSL | 0:d92f9d21154c | 648 | return 0; |
wolfSSL | 0:d92f9d21154c | 649 | } |
wolfSSL | 0:d92f9d21154c | 650 | |
wolfSSL | 0:d92f9d21154c | 651 | |
wolfSSL | 0:d92f9d21154c | 652 | WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 0:d92f9d21154c | 653 | word32 maxIdx) |
wolfSSL | 0:d92f9d21154c | 654 | { |
wolfSSL | 0:d92f9d21154c | 655 | int length; |
wolfSSL | 0:d92f9d21154c | 656 | word32 i = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 657 | byte b; |
wolfSSL | 0:d92f9d21154c | 658 | *oid = 0; |
wolfSSL | 0:d92f9d21154c | 659 | |
wolfSSL | 0:d92f9d21154c | 660 | WOLFSSL_ENTER("GetAlgoId"); |
wolfSSL | 0:d92f9d21154c | 661 | |
wolfSSL | 0:d92f9d21154c | 662 | if (GetSequence(input, &i, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 663 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 664 | |
wolfSSL | 0:d92f9d21154c | 665 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 666 | if (b != ASN_OBJECT_ID) |
wolfSSL | 0:d92f9d21154c | 667 | return ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 668 | |
wolfSSL | 0:d92f9d21154c | 669 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 670 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 671 | |
wolfSSL | 0:d92f9d21154c | 672 | while(length--) { |
wolfSSL | 0:d92f9d21154c | 673 | /* odd HC08 compiler behavior here when input[i++] */ |
wolfSSL | 0:d92f9d21154c | 674 | *oid += input[i]; |
wolfSSL | 0:d92f9d21154c | 675 | i++; |
wolfSSL | 0:d92f9d21154c | 676 | } |
wolfSSL | 0:d92f9d21154c | 677 | /* just sum it up for now */ |
wolfSSL | 0:d92f9d21154c | 678 | |
wolfSSL | 0:d92f9d21154c | 679 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 0:d92f9d21154c | 680 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 681 | |
wolfSSL | 0:d92f9d21154c | 682 | if (b == ASN_TAG_NULL) { |
wolfSSL | 0:d92f9d21154c | 683 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 684 | if (b != 0) |
wolfSSL | 0:d92f9d21154c | 685 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 686 | } |
wolfSSL | 0:d92f9d21154c | 687 | else |
wolfSSL | 0:d92f9d21154c | 688 | /* go back, didn't have it */ |
wolfSSL | 0:d92f9d21154c | 689 | i--; |
wolfSSL | 0:d92f9d21154c | 690 | |
wolfSSL | 0:d92f9d21154c | 691 | *inOutIdx = i; |
wolfSSL | 0:d92f9d21154c | 692 | |
wolfSSL | 0:d92f9d21154c | 693 | return 0; |
wolfSSL | 0:d92f9d21154c | 694 | } |
wolfSSL | 0:d92f9d21154c | 695 | |
wolfSSL | 0:d92f9d21154c | 696 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 697 | |
wolfSSL | 0:d92f9d21154c | 698 | |
wolfSSL | 0:d92f9d21154c | 699 | #ifdef HAVE_CAVIUM |
wolfSSL | 0:d92f9d21154c | 700 | |
wolfSSL | 0:d92f9d21154c | 701 | static int GetCaviumInt(byte** buff, word16* buffSz, const byte* input, |
wolfSSL | 0:d92f9d21154c | 702 | word32* inOutIdx, word32 maxIdx, void* heap) |
wolfSSL | 0:d92f9d21154c | 703 | { |
wolfSSL | 0:d92f9d21154c | 704 | word32 i = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 705 | byte b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 706 | int length; |
wolfSSL | 0:d92f9d21154c | 707 | |
wolfSSL | 0:d92f9d21154c | 708 | if (b != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 709 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 710 | |
wolfSSL | 0:d92f9d21154c | 711 | if (GetLength(input, &i, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 712 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 713 | |
wolfSSL | 0:d92f9d21154c | 714 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 0:d92f9d21154c | 715 | length--; |
wolfSSL | 0:d92f9d21154c | 716 | else |
wolfSSL | 0:d92f9d21154c | 717 | i--; |
wolfSSL | 0:d92f9d21154c | 718 | |
wolfSSL | 0:d92f9d21154c | 719 | *buffSz = (word16)length; |
wolfSSL | 0:d92f9d21154c | 720 | *buff = XMALLOC(*buffSz, heap, DYNAMIC_TYPE_CAVIUM_RSA); |
wolfSSL | 0:d92f9d21154c | 721 | if (*buff == NULL) |
wolfSSL | 0:d92f9d21154c | 722 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 723 | |
wolfSSL | 0:d92f9d21154c | 724 | XMEMCPY(*buff, input + i, *buffSz); |
wolfSSL | 0:d92f9d21154c | 725 | |
wolfSSL | 0:d92f9d21154c | 726 | *inOutIdx = i + length; |
wolfSSL | 0:d92f9d21154c | 727 | return 0; |
wolfSSL | 0:d92f9d21154c | 728 | } |
wolfSSL | 0:d92f9d21154c | 729 | |
wolfSSL | 0:d92f9d21154c | 730 | static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 0:d92f9d21154c | 731 | RsaKey* key, word32 inSz) |
wolfSSL | 0:d92f9d21154c | 732 | { |
wolfSSL | 0:d92f9d21154c | 733 | int version, length; |
wolfSSL | 0:d92f9d21154c | 734 | void* h = key->heap; |
wolfSSL | 0:d92f9d21154c | 735 | |
wolfSSL | 0:d92f9d21154c | 736 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 737 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 738 | |
wolfSSL | 0:d92f9d21154c | 739 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 740 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 741 | |
wolfSSL | 0:d92f9d21154c | 742 | key->type = RSA_PRIVATE; |
wolfSSL | 0:d92f9d21154c | 743 | |
wolfSSL | 0:d92f9d21154c | 744 | if (GetCaviumInt(&key->c_n, &key->c_nSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 745 | GetCaviumInt(&key->c_e, &key->c_eSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 746 | GetCaviumInt(&key->c_d, &key->c_dSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 747 | GetCaviumInt(&key->c_p, &key->c_pSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 748 | GetCaviumInt(&key->c_q, &key->c_qSz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 749 | GetCaviumInt(&key->c_dP, &key->c_dP_Sz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 750 | GetCaviumInt(&key->c_dQ, &key->c_dQ_Sz, input, inOutIdx, inSz, h) < 0 || |
wolfSSL | 0:d92f9d21154c | 751 | GetCaviumInt(&key->c_u, &key->c_uSz, input, inOutIdx, inSz, h) < 0 ) |
wolfSSL | 0:d92f9d21154c | 752 | return ASN_RSA_KEY_E; |
wolfSSL | 0:d92f9d21154c | 753 | |
wolfSSL | 0:d92f9d21154c | 754 | return 0; |
wolfSSL | 0:d92f9d21154c | 755 | } |
wolfSSL | 0:d92f9d21154c | 756 | |
wolfSSL | 0:d92f9d21154c | 757 | |
wolfSSL | 0:d92f9d21154c | 758 | #endif /* HAVE_CAVIUM */ |
wolfSSL | 0:d92f9d21154c | 759 | |
wolfSSL | 0:d92f9d21154c | 760 | int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 0:d92f9d21154c | 761 | word32 inSz) |
wolfSSL | 0:d92f9d21154c | 762 | { |
wolfSSL | 0:d92f9d21154c | 763 | int version, length; |
wolfSSL | 0:d92f9d21154c | 764 | |
wolfSSL | 0:d92f9d21154c | 765 | #ifdef HAVE_CAVIUM |
wolfSSL | 0:d92f9d21154c | 766 | if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) |
wolfSSL | 0:d92f9d21154c | 767 | return CaviumRsaPrivateKeyDecode(input, inOutIdx, key, inSz); |
wolfSSL | 0:d92f9d21154c | 768 | #endif |
wolfSSL | 0:d92f9d21154c | 769 | |
wolfSSL | 0:d92f9d21154c | 770 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 771 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 772 | |
wolfSSL | 0:d92f9d21154c | 773 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 774 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 775 | |
wolfSSL | 0:d92f9d21154c | 776 | key->type = RSA_PRIVATE; |
wolfSSL | 0:d92f9d21154c | 777 | |
wolfSSL | 0:d92f9d21154c | 778 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 779 | GetInt(&key->e, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 780 | GetInt(&key->d, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 781 | GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 782 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 783 | GetInt(&key->dP, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 784 | GetInt(&key->dQ, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 785 | GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 0:d92f9d21154c | 786 | |
wolfSSL | 0:d92f9d21154c | 787 | return 0; |
wolfSSL | 0:d92f9d21154c | 788 | } |
wolfSSL | 0:d92f9d21154c | 789 | |
wolfSSL | 0:d92f9d21154c | 790 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 791 | |
wolfSSL | 0:d92f9d21154c | 792 | /* Remove PKCS8 header, move beginning of traditional to beginning of input */ |
wolfSSL | 0:d92f9d21154c | 793 | int ToTraditional(byte* input, word32 sz) |
wolfSSL | 0:d92f9d21154c | 794 | { |
wolfSSL | 0:d92f9d21154c | 795 | word32 inOutIdx = 0, oid; |
wolfSSL | 0:d92f9d21154c | 796 | int version, length; |
wolfSSL | 0:d92f9d21154c | 797 | |
wolfSSL | 0:d92f9d21154c | 798 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 799 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 800 | |
wolfSSL | 0:d92f9d21154c | 801 | if (GetMyVersion(input, &inOutIdx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 802 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 803 | |
wolfSSL | 0:d92f9d21154c | 804 | if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 805 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 806 | |
wolfSSL | 0:d92f9d21154c | 807 | if (input[inOutIdx] == ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 808 | /* pkcs8 ecc uses slightly different format */ |
wolfSSL | 0:d92f9d21154c | 809 | inOutIdx++; /* past id */ |
wolfSSL | 0:d92f9d21154c | 810 | if (GetLength(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 811 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 812 | inOutIdx += length; /* over sub id, key input will verify */ |
wolfSSL | 0:d92f9d21154c | 813 | } |
wolfSSL | 0:d92f9d21154c | 814 | |
wolfSSL | 0:d92f9d21154c | 815 | if (input[inOutIdx++] != ASN_OCTET_STRING) |
wolfSSL | 0:d92f9d21154c | 816 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 817 | |
wolfSSL | 0:d92f9d21154c | 818 | if (GetLength(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 819 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 820 | |
wolfSSL | 0:d92f9d21154c | 821 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 0:d92f9d21154c | 822 | |
wolfSSL | 0:d92f9d21154c | 823 | return length; |
wolfSSL | 0:d92f9d21154c | 824 | } |
wolfSSL | 0:d92f9d21154c | 825 | |
wolfSSL | 0:d92f9d21154c | 826 | |
wolfSSL | 0:d92f9d21154c | 827 | #ifndef NO_PWDBASED |
wolfSSL | 0:d92f9d21154c | 828 | |
wolfSSL | 0:d92f9d21154c | 829 | /* Check To see if PKCS version algo is supported, set id if it is return 0 |
wolfSSL | 0:d92f9d21154c | 830 | < 0 on error */ |
wolfSSL | 0:d92f9d21154c | 831 | static int CheckAlgo(int first, int second, int* id, int* version) |
wolfSSL | 0:d92f9d21154c | 832 | { |
wolfSSL | 0:d92f9d21154c | 833 | *id = ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 834 | *version = PKCS5; /* default */ |
wolfSSL | 0:d92f9d21154c | 835 | |
wolfSSL | 0:d92f9d21154c | 836 | if (first == 1) { |
wolfSSL | 0:d92f9d21154c | 837 | switch (second) { |
wolfSSL | 0:d92f9d21154c | 838 | case 1: |
wolfSSL | 0:d92f9d21154c | 839 | *id = PBE_SHA1_RC4_128; |
wolfSSL | 0:d92f9d21154c | 840 | *version = PKCS12; |
wolfSSL | 0:d92f9d21154c | 841 | return 0; |
wolfSSL | 0:d92f9d21154c | 842 | case 3: |
wolfSSL | 0:d92f9d21154c | 843 | *id = PBE_SHA1_DES3; |
wolfSSL | 0:d92f9d21154c | 844 | *version = PKCS12; |
wolfSSL | 0:d92f9d21154c | 845 | return 0; |
wolfSSL | 0:d92f9d21154c | 846 | default: |
wolfSSL | 0:d92f9d21154c | 847 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 848 | } |
wolfSSL | 0:d92f9d21154c | 849 | } |
wolfSSL | 0:d92f9d21154c | 850 | |
wolfSSL | 0:d92f9d21154c | 851 | if (first != PKCS5) |
wolfSSL | 0:d92f9d21154c | 852 | return ASN_INPUT_E; /* VERSION ERROR */ |
wolfSSL | 0:d92f9d21154c | 853 | |
wolfSSL | 0:d92f9d21154c | 854 | if (second == PBES2) { |
wolfSSL | 0:d92f9d21154c | 855 | *version = PKCS5v2; |
wolfSSL | 0:d92f9d21154c | 856 | return 0; |
wolfSSL | 0:d92f9d21154c | 857 | } |
wolfSSL | 0:d92f9d21154c | 858 | |
wolfSSL | 0:d92f9d21154c | 859 | switch (second) { |
wolfSSL | 0:d92f9d21154c | 860 | case 3: /* see RFC 2898 for ids */ |
wolfSSL | 0:d92f9d21154c | 861 | *id = PBE_MD5_DES; |
wolfSSL | 0:d92f9d21154c | 862 | return 0; |
wolfSSL | 0:d92f9d21154c | 863 | case 10: |
wolfSSL | 0:d92f9d21154c | 864 | *id = PBE_SHA1_DES; |
wolfSSL | 0:d92f9d21154c | 865 | return 0; |
wolfSSL | 0:d92f9d21154c | 866 | default: |
wolfSSL | 0:d92f9d21154c | 867 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 868 | |
wolfSSL | 0:d92f9d21154c | 869 | } |
wolfSSL | 0:d92f9d21154c | 870 | } |
wolfSSL | 0:d92f9d21154c | 871 | |
wolfSSL | 0:d92f9d21154c | 872 | |
wolfSSL | 0:d92f9d21154c | 873 | /* Check To see if PKCS v2 algo is supported, set id if it is return 0 |
wolfSSL | 0:d92f9d21154c | 874 | < 0 on error */ |
wolfSSL | 0:d92f9d21154c | 875 | static int CheckAlgoV2(int oid, int* id) |
wolfSSL | 0:d92f9d21154c | 876 | { |
wolfSSL | 0:d92f9d21154c | 877 | switch (oid) { |
wolfSSL | 0:d92f9d21154c | 878 | case 69: |
wolfSSL | 0:d92f9d21154c | 879 | *id = PBE_SHA1_DES; |
wolfSSL | 0:d92f9d21154c | 880 | return 0; |
wolfSSL | 0:d92f9d21154c | 881 | case 652: |
wolfSSL | 0:d92f9d21154c | 882 | *id = PBE_SHA1_DES3; |
wolfSSL | 0:d92f9d21154c | 883 | return 0; |
wolfSSL | 0:d92f9d21154c | 884 | default: |
wolfSSL | 0:d92f9d21154c | 885 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 886 | |
wolfSSL | 0:d92f9d21154c | 887 | } |
wolfSSL | 0:d92f9d21154c | 888 | } |
wolfSSL | 0:d92f9d21154c | 889 | |
wolfSSL | 0:d92f9d21154c | 890 | |
wolfSSL | 0:d92f9d21154c | 891 | /* Decrypt intput in place from parameters based on id */ |
wolfSSL | 0:d92f9d21154c | 892 | static int DecryptKey(const char* password, int passwordSz, byte* salt, |
wolfSSL | 0:d92f9d21154c | 893 | int saltSz, int iterations, int id, byte* input, |
wolfSSL | 0:d92f9d21154c | 894 | int length, int version, byte* cbcIv) |
wolfSSL | 0:d92f9d21154c | 895 | { |
wolfSSL | 0:d92f9d21154c | 896 | int typeH; |
wolfSSL | 0:d92f9d21154c | 897 | int derivedLen; |
wolfSSL | 0:d92f9d21154c | 898 | int decryptionType; |
wolfSSL | 0:d92f9d21154c | 899 | int ret = 0; |
wolfSSL | 0:d92f9d21154c | 900 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 901 | byte* key; |
wolfSSL | 0:d92f9d21154c | 902 | #else |
wolfSSL | 0:d92f9d21154c | 903 | byte key[MAX_KEY_SIZE]; |
wolfSSL | 0:d92f9d21154c | 904 | #endif |
wolfSSL | 0:d92f9d21154c | 905 | |
wolfSSL | 0:d92f9d21154c | 906 | switch (id) { |
wolfSSL | 0:d92f9d21154c | 907 | case PBE_MD5_DES: |
wolfSSL | 0:d92f9d21154c | 908 | typeH = MD5; |
wolfSSL | 0:d92f9d21154c | 909 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 0:d92f9d21154c | 910 | decryptionType = DES_TYPE; |
wolfSSL | 0:d92f9d21154c | 911 | break; |
wolfSSL | 0:d92f9d21154c | 912 | |
wolfSSL | 0:d92f9d21154c | 913 | case PBE_SHA1_DES: |
wolfSSL | 0:d92f9d21154c | 914 | typeH = SHA; |
wolfSSL | 0:d92f9d21154c | 915 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 0:d92f9d21154c | 916 | decryptionType = DES_TYPE; |
wolfSSL | 0:d92f9d21154c | 917 | break; |
wolfSSL | 0:d92f9d21154c | 918 | |
wolfSSL | 0:d92f9d21154c | 919 | case PBE_SHA1_DES3: |
wolfSSL | 0:d92f9d21154c | 920 | typeH = SHA; |
wolfSSL | 0:d92f9d21154c | 921 | derivedLen = 32; /* may need iv for v1.5 */ |
wolfSSL | 0:d92f9d21154c | 922 | decryptionType = DES3_TYPE; |
wolfSSL | 0:d92f9d21154c | 923 | break; |
wolfSSL | 0:d92f9d21154c | 924 | |
wolfSSL | 0:d92f9d21154c | 925 | case PBE_SHA1_RC4_128: |
wolfSSL | 0:d92f9d21154c | 926 | typeH = SHA; |
wolfSSL | 0:d92f9d21154c | 927 | derivedLen = 16; |
wolfSSL | 0:d92f9d21154c | 928 | decryptionType = RC4_TYPE; |
wolfSSL | 0:d92f9d21154c | 929 | break; |
wolfSSL | 0:d92f9d21154c | 930 | |
wolfSSL | 0:d92f9d21154c | 931 | default: |
wolfSSL | 0:d92f9d21154c | 932 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 933 | } |
wolfSSL | 0:d92f9d21154c | 934 | |
wolfSSL | 0:d92f9d21154c | 935 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 936 | key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 937 | if (key == NULL) |
wolfSSL | 0:d92f9d21154c | 938 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 939 | #endif |
wolfSSL | 0:d92f9d21154c | 940 | |
wolfSSL | 0:d92f9d21154c | 941 | if (version == PKCS5v2) |
wolfSSL | 0:d92f9d21154c | 942 | ret = wc_PBKDF2(key, (byte*)password, passwordSz, salt, saltSz, iterations, |
wolfSSL | 0:d92f9d21154c | 943 | derivedLen, typeH); |
wolfSSL | 0:d92f9d21154c | 944 | #ifndef NO_SHA |
wolfSSL | 0:d92f9d21154c | 945 | else if (version == PKCS5) |
wolfSSL | 0:d92f9d21154c | 946 | ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations, |
wolfSSL | 0:d92f9d21154c | 947 | derivedLen, typeH); |
wolfSSL | 0:d92f9d21154c | 948 | #endif |
wolfSSL | 0:d92f9d21154c | 949 | else if (version == PKCS12) { |
wolfSSL | 0:d92f9d21154c | 950 | int i, idx = 0; |
wolfSSL | 0:d92f9d21154c | 951 | byte unicodePasswd[MAX_UNICODE_SZ]; |
wolfSSL | 0:d92f9d21154c | 952 | |
wolfSSL | 0:d92f9d21154c | 953 | if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) { |
wolfSSL | 0:d92f9d21154c | 954 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 955 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 956 | #endif |
wolfSSL | 0:d92f9d21154c | 957 | return UNICODE_SIZE_E; |
wolfSSL | 0:d92f9d21154c | 958 | } |
wolfSSL | 0:d92f9d21154c | 959 | |
wolfSSL | 0:d92f9d21154c | 960 | for (i = 0; i < passwordSz; i++) { |
wolfSSL | 0:d92f9d21154c | 961 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 0:d92f9d21154c | 962 | unicodePasswd[idx++] = (byte)password[i]; |
wolfSSL | 0:d92f9d21154c | 963 | } |
wolfSSL | 0:d92f9d21154c | 964 | /* add trailing NULL */ |
wolfSSL | 0:d92f9d21154c | 965 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 0:d92f9d21154c | 966 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 0:d92f9d21154c | 967 | |
wolfSSL | 0:d92f9d21154c | 968 | ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 0:d92f9d21154c | 969 | iterations, derivedLen, typeH, 1); |
wolfSSL | 0:d92f9d21154c | 970 | if (decryptionType != RC4_TYPE) |
wolfSSL | 0:d92f9d21154c | 971 | ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 0:d92f9d21154c | 972 | iterations, 8, typeH, 2); |
wolfSSL | 0:d92f9d21154c | 973 | } |
wolfSSL | 0:d92f9d21154c | 974 | else { |
wolfSSL | 0:d92f9d21154c | 975 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 976 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 977 | #endif |
wolfSSL | 0:d92f9d21154c | 978 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 979 | } |
wolfSSL | 0:d92f9d21154c | 980 | |
wolfSSL | 0:d92f9d21154c | 981 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 982 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 983 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 984 | #endif |
wolfSSL | 0:d92f9d21154c | 985 | return ret; |
wolfSSL | 0:d92f9d21154c | 986 | } |
wolfSSL | 0:d92f9d21154c | 987 | |
wolfSSL | 0:d92f9d21154c | 988 | switch (decryptionType) { |
wolfSSL | 0:d92f9d21154c | 989 | #ifndef NO_DES3 |
wolfSSL | 0:d92f9d21154c | 990 | case DES_TYPE: |
wolfSSL | 0:d92f9d21154c | 991 | { |
wolfSSL | 0:d92f9d21154c | 992 | Des dec; |
wolfSSL | 0:d92f9d21154c | 993 | byte* desIv = key + 8; |
wolfSSL | 0:d92f9d21154c | 994 | |
wolfSSL | 0:d92f9d21154c | 995 | if (version == PKCS5v2 || version == PKCS12) |
wolfSSL | 0:d92f9d21154c | 996 | desIv = cbcIv; |
wolfSSL | 0:d92f9d21154c | 997 | |
wolfSSL | 0:d92f9d21154c | 998 | ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 0:d92f9d21154c | 999 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 1000 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1001 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1002 | #endif |
wolfSSL | 0:d92f9d21154c | 1003 | return ret; |
wolfSSL | 0:d92f9d21154c | 1004 | } |
wolfSSL | 0:d92f9d21154c | 1005 | |
wolfSSL | 0:d92f9d21154c | 1006 | wc_Des_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 0:d92f9d21154c | 1007 | break; |
wolfSSL | 0:d92f9d21154c | 1008 | } |
wolfSSL | 0:d92f9d21154c | 1009 | |
wolfSSL | 0:d92f9d21154c | 1010 | case DES3_TYPE: |
wolfSSL | 0:d92f9d21154c | 1011 | { |
wolfSSL | 0:d92f9d21154c | 1012 | Des3 dec; |
wolfSSL | 0:d92f9d21154c | 1013 | byte* desIv = key + 24; |
wolfSSL | 0:d92f9d21154c | 1014 | |
wolfSSL | 0:d92f9d21154c | 1015 | if (version == PKCS5v2 || version == PKCS12) |
wolfSSL | 0:d92f9d21154c | 1016 | desIv = cbcIv; |
wolfSSL | 0:d92f9d21154c | 1017 | ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 0:d92f9d21154c | 1018 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 1019 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1020 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1021 | #endif |
wolfSSL | 0:d92f9d21154c | 1022 | return ret; |
wolfSSL | 0:d92f9d21154c | 1023 | } |
wolfSSL | 0:d92f9d21154c | 1024 | ret = wc_Des3_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 0:d92f9d21154c | 1025 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 1026 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1027 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1028 | #endif |
wolfSSL | 0:d92f9d21154c | 1029 | return ret; |
wolfSSL | 0:d92f9d21154c | 1030 | } |
wolfSSL | 0:d92f9d21154c | 1031 | break; |
wolfSSL | 0:d92f9d21154c | 1032 | } |
wolfSSL | 0:d92f9d21154c | 1033 | #endif |
wolfSSL | 0:d92f9d21154c | 1034 | #ifndef NO_RC4 |
wolfSSL | 0:d92f9d21154c | 1035 | case RC4_TYPE: |
wolfSSL | 0:d92f9d21154c | 1036 | { |
wolfSSL | 0:d92f9d21154c | 1037 | Arc4 dec; |
wolfSSL | 0:d92f9d21154c | 1038 | |
wolfSSL | 0:d92f9d21154c | 1039 | wc_Arc4SetKey(&dec, key, derivedLen); |
wolfSSL | 0:d92f9d21154c | 1040 | wc_Arc4Process(&dec, input, input, length); |
wolfSSL | 0:d92f9d21154c | 1041 | break; |
wolfSSL | 0:d92f9d21154c | 1042 | } |
wolfSSL | 0:d92f9d21154c | 1043 | #endif |
wolfSSL | 0:d92f9d21154c | 1044 | |
wolfSSL | 0:d92f9d21154c | 1045 | default: |
wolfSSL | 0:d92f9d21154c | 1046 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1047 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1048 | #endif |
wolfSSL | 0:d92f9d21154c | 1049 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 1050 | } |
wolfSSL | 0:d92f9d21154c | 1051 | |
wolfSSL | 0:d92f9d21154c | 1052 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1053 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1054 | #endif |
wolfSSL | 0:d92f9d21154c | 1055 | |
wolfSSL | 0:d92f9d21154c | 1056 | return 0; |
wolfSSL | 0:d92f9d21154c | 1057 | } |
wolfSSL | 0:d92f9d21154c | 1058 | |
wolfSSL | 0:d92f9d21154c | 1059 | |
wolfSSL | 0:d92f9d21154c | 1060 | /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning |
wolfSSL | 0:d92f9d21154c | 1061 | of input */ |
wolfSSL | 0:d92f9d21154c | 1062 | int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) |
wolfSSL | 0:d92f9d21154c | 1063 | { |
wolfSSL | 0:d92f9d21154c | 1064 | word32 inOutIdx = 0, oid; |
wolfSSL | 0:d92f9d21154c | 1065 | int first, second, length, version, saltSz, id; |
wolfSSL | 0:d92f9d21154c | 1066 | int iterations = 0; |
wolfSSL | 0:d92f9d21154c | 1067 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1068 | byte* salt = NULL; |
wolfSSL | 0:d92f9d21154c | 1069 | byte* cbcIv = NULL; |
wolfSSL | 0:d92f9d21154c | 1070 | #else |
wolfSSL | 0:d92f9d21154c | 1071 | byte salt[MAX_SALT_SIZE]; |
wolfSSL | 0:d92f9d21154c | 1072 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 0:d92f9d21154c | 1073 | #endif |
wolfSSL | 0:d92f9d21154c | 1074 | |
wolfSSL | 0:d92f9d21154c | 1075 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1076 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1077 | |
wolfSSL | 0:d92f9d21154c | 1078 | if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1079 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1080 | |
wolfSSL | 0:d92f9d21154c | 1081 | first = input[inOutIdx - 2]; /* PKCS version alwyas 2nd to last byte */ |
wolfSSL | 0:d92f9d21154c | 1082 | second = input[inOutIdx - 1]; /* version.algo, algo id last byte */ |
wolfSSL | 0:d92f9d21154c | 1083 | |
wolfSSL | 0:d92f9d21154c | 1084 | if (CheckAlgo(first, second, &id, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 1085 | return ASN_INPUT_E; /* Algo ID error */ |
wolfSSL | 0:d92f9d21154c | 1086 | |
wolfSSL | 0:d92f9d21154c | 1087 | if (version == PKCS5v2) { |
wolfSSL | 0:d92f9d21154c | 1088 | |
wolfSSL | 0:d92f9d21154c | 1089 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1090 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1091 | |
wolfSSL | 0:d92f9d21154c | 1092 | if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1093 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1094 | |
wolfSSL | 0:d92f9d21154c | 1095 | if (oid != PBKDF2_OID) |
wolfSSL | 0:d92f9d21154c | 1096 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1097 | } |
wolfSSL | 0:d92f9d21154c | 1098 | |
wolfSSL | 0:d92f9d21154c | 1099 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1100 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1101 | |
wolfSSL | 0:d92f9d21154c | 1102 | if (input[inOutIdx++] != ASN_OCTET_STRING) |
wolfSSL | 0:d92f9d21154c | 1103 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1104 | |
wolfSSL | 0:d92f9d21154c | 1105 | if (GetLength(input, &inOutIdx, &saltSz, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 1106 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1107 | |
wolfSSL | 0:d92f9d21154c | 1108 | if (saltSz > MAX_SALT_SIZE) |
wolfSSL | 0:d92f9d21154c | 1109 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1110 | |
wolfSSL | 0:d92f9d21154c | 1111 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1112 | salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1113 | if (salt == NULL) |
wolfSSL | 0:d92f9d21154c | 1114 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1115 | #endif |
wolfSSL | 0:d92f9d21154c | 1116 | |
wolfSSL | 0:d92f9d21154c | 1117 | XMEMCPY(salt, &input[inOutIdx], saltSz); |
wolfSSL | 0:d92f9d21154c | 1118 | inOutIdx += saltSz; |
wolfSSL | 0:d92f9d21154c | 1119 | |
wolfSSL | 0:d92f9d21154c | 1120 | if (GetShortInt(input, &inOutIdx, &iterations) < 0) { |
wolfSSL | 0:d92f9d21154c | 1121 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1122 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1123 | #endif |
wolfSSL | 0:d92f9d21154c | 1124 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1125 | } |
wolfSSL | 0:d92f9d21154c | 1126 | |
wolfSSL | 0:d92f9d21154c | 1127 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1128 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1129 | if (cbcIv == NULL) { |
wolfSSL | 0:d92f9d21154c | 1130 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1131 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1132 | } |
wolfSSL | 0:d92f9d21154c | 1133 | #endif |
wolfSSL | 0:d92f9d21154c | 1134 | |
wolfSSL | 0:d92f9d21154c | 1135 | if (version == PKCS5v2) { |
wolfSSL | 0:d92f9d21154c | 1136 | /* get encryption algo */ |
wolfSSL | 0:d92f9d21154c | 1137 | if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 1138 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1139 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1140 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1141 | #endif |
wolfSSL | 0:d92f9d21154c | 1142 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1143 | } |
wolfSSL | 0:d92f9d21154c | 1144 | |
wolfSSL | 0:d92f9d21154c | 1145 | if (CheckAlgoV2(oid, &id) < 0) { |
wolfSSL | 0:d92f9d21154c | 1146 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1147 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1148 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1149 | #endif |
wolfSSL | 0:d92f9d21154c | 1150 | return ASN_PARSE_E; /* PKCS v2 algo id error */ |
wolfSSL | 0:d92f9d21154c | 1151 | } |
wolfSSL | 0:d92f9d21154c | 1152 | |
wolfSSL | 0:d92f9d21154c | 1153 | if (input[inOutIdx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 1154 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1155 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1156 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1157 | #endif |
wolfSSL | 0:d92f9d21154c | 1158 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1159 | } |
wolfSSL | 0:d92f9d21154c | 1160 | |
wolfSSL | 0:d92f9d21154c | 1161 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 1162 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1163 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1164 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1165 | #endif |
wolfSSL | 0:d92f9d21154c | 1166 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1167 | } |
wolfSSL | 0:d92f9d21154c | 1168 | |
wolfSSL | 0:d92f9d21154c | 1169 | XMEMCPY(cbcIv, &input[inOutIdx], length); |
wolfSSL | 0:d92f9d21154c | 1170 | inOutIdx += length; |
wolfSSL | 0:d92f9d21154c | 1171 | } |
wolfSSL | 0:d92f9d21154c | 1172 | |
wolfSSL | 0:d92f9d21154c | 1173 | if (input[inOutIdx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 1174 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1175 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1176 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1177 | #endif |
wolfSSL | 0:d92f9d21154c | 1178 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1179 | } |
wolfSSL | 0:d92f9d21154c | 1180 | |
wolfSSL | 0:d92f9d21154c | 1181 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 1182 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1183 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1184 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1185 | #endif |
wolfSSL | 0:d92f9d21154c | 1186 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1187 | } |
wolfSSL | 0:d92f9d21154c | 1188 | |
wolfSSL | 0:d92f9d21154c | 1189 | if (DecryptKey(password, passwordSz, salt, saltSz, iterations, id, |
wolfSSL | 0:d92f9d21154c | 1190 | input + inOutIdx, length, version, cbcIv) < 0) { |
wolfSSL | 0:d92f9d21154c | 1191 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1192 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1193 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1194 | #endif |
wolfSSL | 0:d92f9d21154c | 1195 | return ASN_INPUT_E; /* decrypt failure */ |
wolfSSL | 0:d92f9d21154c | 1196 | } |
wolfSSL | 0:d92f9d21154c | 1197 | |
wolfSSL | 0:d92f9d21154c | 1198 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1199 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1200 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1201 | #endif |
wolfSSL | 0:d92f9d21154c | 1202 | |
wolfSSL | 0:d92f9d21154c | 1203 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 0:d92f9d21154c | 1204 | return ToTraditional(input, length); |
wolfSSL | 0:d92f9d21154c | 1205 | } |
wolfSSL | 0:d92f9d21154c | 1206 | |
wolfSSL | 0:d92f9d21154c | 1207 | #endif /* NO_PWDBASED */ |
wolfSSL | 0:d92f9d21154c | 1208 | |
wolfSSL | 0:d92f9d21154c | 1209 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 1210 | |
wolfSSL | 0:d92f9d21154c | 1211 | int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 0:d92f9d21154c | 1212 | word32 inSz) |
wolfSSL | 0:d92f9d21154c | 1213 | { |
wolfSSL | 0:d92f9d21154c | 1214 | int length; |
wolfSSL | 0:d92f9d21154c | 1215 | |
wolfSSL | 0:d92f9d21154c | 1216 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1217 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1218 | |
wolfSSL | 0:d92f9d21154c | 1219 | key->type = RSA_PUBLIC; |
wolfSSL | 0:d92f9d21154c | 1220 | |
wolfSSL | 0:d92f9d21154c | 1221 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 0:d92f9d21154c | 1222 | { |
wolfSSL | 0:d92f9d21154c | 1223 | byte b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 1224 | if (b != ASN_INTEGER) { |
wolfSSL | 0:d92f9d21154c | 1225 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 0:d92f9d21154c | 1226 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1227 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1228 | |
wolfSSL | 0:d92f9d21154c | 1229 | b = input[(*inOutIdx)++]; |
wolfSSL | 0:d92f9d21154c | 1230 | if (b != ASN_OBJECT_ID) |
wolfSSL | 0:d92f9d21154c | 1231 | return ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 1232 | |
wolfSSL | 0:d92f9d21154c | 1233 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1234 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1235 | |
wolfSSL | 0:d92f9d21154c | 1236 | *inOutIdx += length; /* skip past */ |
wolfSSL | 0:d92f9d21154c | 1237 | |
wolfSSL | 0:d92f9d21154c | 1238 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 0:d92f9d21154c | 1239 | b = input[(*inOutIdx)++]; |
wolfSSL | 0:d92f9d21154c | 1240 | |
wolfSSL | 0:d92f9d21154c | 1241 | if (b == ASN_TAG_NULL) { |
wolfSSL | 0:d92f9d21154c | 1242 | b = input[(*inOutIdx)++]; |
wolfSSL | 0:d92f9d21154c | 1243 | if (b != 0) |
wolfSSL | 0:d92f9d21154c | 1244 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 1245 | } |
wolfSSL | 0:d92f9d21154c | 1246 | else |
wolfSSL | 0:d92f9d21154c | 1247 | /* go back, didn't have it */ |
wolfSSL | 0:d92f9d21154c | 1248 | (*inOutIdx)--; |
wolfSSL | 0:d92f9d21154c | 1249 | |
wolfSSL | 0:d92f9d21154c | 1250 | /* should have bit tag length and seq next */ |
wolfSSL | 0:d92f9d21154c | 1251 | b = input[(*inOutIdx)++]; |
wolfSSL | 0:d92f9d21154c | 1252 | if (b != ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 1253 | return ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 1254 | |
wolfSSL | 0:d92f9d21154c | 1255 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1256 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1257 | |
wolfSSL | 0:d92f9d21154c | 1258 | /* could have 0 */ |
wolfSSL | 0:d92f9d21154c | 1259 | b = input[(*inOutIdx)++]; |
wolfSSL | 0:d92f9d21154c | 1260 | if (b != 0) |
wolfSSL | 0:d92f9d21154c | 1261 | (*inOutIdx)--; |
wolfSSL | 0:d92f9d21154c | 1262 | |
wolfSSL | 0:d92f9d21154c | 1263 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1264 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1265 | } /* end if */ |
wolfSSL | 0:d92f9d21154c | 1266 | } /* openssl var block */ |
wolfSSL | 0:d92f9d21154c | 1267 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1268 | |
wolfSSL | 0:d92f9d21154c | 1269 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1270 | GetInt(&key->e, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1271 | |
wolfSSL | 0:d92f9d21154c | 1272 | return 0; |
wolfSSL | 0:d92f9d21154c | 1273 | } |
wolfSSL | 0:d92f9d21154c | 1274 | |
wolfSSL | 0:d92f9d21154c | 1275 | /* import RSA public key elements (n, e) into RsaKey structure (key) */ |
wolfSSL | 0:d92f9d21154c | 1276 | int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, |
wolfSSL | 0:d92f9d21154c | 1277 | word32 eSz, RsaKey* key) |
wolfSSL | 0:d92f9d21154c | 1278 | { |
wolfSSL | 0:d92f9d21154c | 1279 | if (n == NULL || e == NULL || key == NULL) |
wolfSSL | 0:d92f9d21154c | 1280 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 1281 | |
wolfSSL | 0:d92f9d21154c | 1282 | key->type = RSA_PUBLIC; |
wolfSSL | 0:d92f9d21154c | 1283 | |
wolfSSL | 0:d92f9d21154c | 1284 | if (mp_init(&key->n) != MP_OKAY) |
wolfSSL | 0:d92f9d21154c | 1285 | return MP_INIT_E; |
wolfSSL | 0:d92f9d21154c | 1286 | |
wolfSSL | 0:d92f9d21154c | 1287 | if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) { |
wolfSSL | 0:d92f9d21154c | 1288 | mp_clear(&key->n); |
wolfSSL | 0:d92f9d21154c | 1289 | return ASN_GETINT_E; |
wolfSSL | 0:d92f9d21154c | 1290 | } |
wolfSSL | 0:d92f9d21154c | 1291 | |
wolfSSL | 0:d92f9d21154c | 1292 | if (mp_init(&key->e) != MP_OKAY) { |
wolfSSL | 0:d92f9d21154c | 1293 | mp_clear(&key->n); |
wolfSSL | 0:d92f9d21154c | 1294 | return MP_INIT_E; |
wolfSSL | 0:d92f9d21154c | 1295 | } |
wolfSSL | 0:d92f9d21154c | 1296 | |
wolfSSL | 0:d92f9d21154c | 1297 | if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) { |
wolfSSL | 0:d92f9d21154c | 1298 | mp_clear(&key->n); |
wolfSSL | 0:d92f9d21154c | 1299 | mp_clear(&key->e); |
wolfSSL | 0:d92f9d21154c | 1300 | return ASN_GETINT_E; |
wolfSSL | 0:d92f9d21154c | 1301 | } |
wolfSSL | 0:d92f9d21154c | 1302 | |
wolfSSL | 0:d92f9d21154c | 1303 | return 0; |
wolfSSL | 0:d92f9d21154c | 1304 | } |
wolfSSL | 0:d92f9d21154c | 1305 | |
wolfSSL | 0:d92f9d21154c | 1306 | #endif |
wolfSSL | 0:d92f9d21154c | 1307 | |
wolfSSL | 0:d92f9d21154c | 1308 | #ifndef NO_DH |
wolfSSL | 0:d92f9d21154c | 1309 | |
wolfSSL | 0:d92f9d21154c | 1310 | int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) |
wolfSSL | 0:d92f9d21154c | 1311 | { |
wolfSSL | 0:d92f9d21154c | 1312 | int length; |
wolfSSL | 0:d92f9d21154c | 1313 | |
wolfSSL | 0:d92f9d21154c | 1314 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1315 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1316 | |
wolfSSL | 0:d92f9d21154c | 1317 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1318 | GetInt(&key->g, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1319 | |
wolfSSL | 0:d92f9d21154c | 1320 | return 0; |
wolfSSL | 0:d92f9d21154c | 1321 | } |
wolfSSL | 0:d92f9d21154c | 1322 | |
wolfSSL | 0:d92f9d21154c | 1323 | |
wolfSSL | 0:d92f9d21154c | 1324 | int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, |
wolfSSL | 0:d92f9d21154c | 1325 | byte* g, word32* gInOutSz) |
wolfSSL | 0:d92f9d21154c | 1326 | { |
wolfSSL | 0:d92f9d21154c | 1327 | word32 i = 0; |
wolfSSL | 0:d92f9d21154c | 1328 | byte b; |
wolfSSL | 0:d92f9d21154c | 1329 | int length; |
wolfSSL | 0:d92f9d21154c | 1330 | |
wolfSSL | 0:d92f9d21154c | 1331 | if (GetSequence(input, &i, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1332 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1333 | |
wolfSSL | 0:d92f9d21154c | 1334 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 1335 | if (b != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 1336 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1337 | |
wolfSSL | 0:d92f9d21154c | 1338 | if (GetLength(input, &i, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1339 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1340 | |
wolfSSL | 0:d92f9d21154c | 1341 | if ( (b = input[i++]) == 0x00) |
wolfSSL | 0:d92f9d21154c | 1342 | length--; |
wolfSSL | 0:d92f9d21154c | 1343 | else |
wolfSSL | 0:d92f9d21154c | 1344 | i--; |
wolfSSL | 0:d92f9d21154c | 1345 | |
wolfSSL | 0:d92f9d21154c | 1346 | if (length <= (int)*pInOutSz) { |
wolfSSL | 0:d92f9d21154c | 1347 | XMEMCPY(p, &input[i], length); |
wolfSSL | 0:d92f9d21154c | 1348 | *pInOutSz = length; |
wolfSSL | 0:d92f9d21154c | 1349 | } |
wolfSSL | 0:d92f9d21154c | 1350 | else |
wolfSSL | 0:d92f9d21154c | 1351 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 1352 | |
wolfSSL | 0:d92f9d21154c | 1353 | i += length; |
wolfSSL | 0:d92f9d21154c | 1354 | |
wolfSSL | 0:d92f9d21154c | 1355 | b = input[i++]; |
wolfSSL | 0:d92f9d21154c | 1356 | if (b != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 1357 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1358 | |
wolfSSL | 0:d92f9d21154c | 1359 | if (GetLength(input, &i, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1360 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1361 | |
wolfSSL | 0:d92f9d21154c | 1362 | if (length <= (int)*gInOutSz) { |
wolfSSL | 0:d92f9d21154c | 1363 | XMEMCPY(g, &input[i], length); |
wolfSSL | 0:d92f9d21154c | 1364 | *gInOutSz = length; |
wolfSSL | 0:d92f9d21154c | 1365 | } |
wolfSSL | 0:d92f9d21154c | 1366 | else |
wolfSSL | 0:d92f9d21154c | 1367 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 1368 | |
wolfSSL | 0:d92f9d21154c | 1369 | return 0; |
wolfSSL | 0:d92f9d21154c | 1370 | } |
wolfSSL | 0:d92f9d21154c | 1371 | |
wolfSSL | 0:d92f9d21154c | 1372 | #endif /* NO_DH */ |
wolfSSL | 0:d92f9d21154c | 1373 | |
wolfSSL | 0:d92f9d21154c | 1374 | |
wolfSSL | 0:d92f9d21154c | 1375 | #ifndef NO_DSA |
wolfSSL | 0:d92f9d21154c | 1376 | |
wolfSSL | 0:d92f9d21154c | 1377 | int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 0:d92f9d21154c | 1378 | word32 inSz) |
wolfSSL | 0:d92f9d21154c | 1379 | { |
wolfSSL | 0:d92f9d21154c | 1380 | int length; |
wolfSSL | 0:d92f9d21154c | 1381 | |
wolfSSL | 0:d92f9d21154c | 1382 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1383 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1384 | |
wolfSSL | 0:d92f9d21154c | 1385 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1386 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1387 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1388 | GetInt(&key->y, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1389 | |
wolfSSL | 0:d92f9d21154c | 1390 | key->type = DSA_PUBLIC; |
wolfSSL | 0:d92f9d21154c | 1391 | return 0; |
wolfSSL | 0:d92f9d21154c | 1392 | } |
wolfSSL | 0:d92f9d21154c | 1393 | |
wolfSSL | 0:d92f9d21154c | 1394 | |
wolfSSL | 0:d92f9d21154c | 1395 | int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 0:d92f9d21154c | 1396 | word32 inSz) |
wolfSSL | 0:d92f9d21154c | 1397 | { |
wolfSSL | 0:d92f9d21154c | 1398 | int length, version; |
wolfSSL | 0:d92f9d21154c | 1399 | |
wolfSSL | 0:d92f9d21154c | 1400 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 1401 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1402 | |
wolfSSL | 0:d92f9d21154c | 1403 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 1404 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1405 | |
wolfSSL | 0:d92f9d21154c | 1406 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1407 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1408 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1409 | GetInt(&key->y, input, inOutIdx, inSz) < 0 || |
wolfSSL | 0:d92f9d21154c | 1410 | GetInt(&key->x, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1411 | |
wolfSSL | 0:d92f9d21154c | 1412 | key->type = DSA_PRIVATE; |
wolfSSL | 0:d92f9d21154c | 1413 | return 0; |
wolfSSL | 0:d92f9d21154c | 1414 | } |
wolfSSL | 0:d92f9d21154c | 1415 | |
wolfSSL | 0:d92f9d21154c | 1416 | #endif /* NO_DSA */ |
wolfSSL | 0:d92f9d21154c | 1417 | |
wolfSSL | 0:d92f9d21154c | 1418 | |
wolfSSL | 0:d92f9d21154c | 1419 | void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) |
wolfSSL | 0:d92f9d21154c | 1420 | { |
wolfSSL | 0:d92f9d21154c | 1421 | cert->publicKey = 0; |
wolfSSL | 0:d92f9d21154c | 1422 | cert->pubKeySize = 0; |
wolfSSL | 0:d92f9d21154c | 1423 | cert->pubKeyStored = 0; |
wolfSSL | 0:d92f9d21154c | 1424 | cert->version = 0; |
wolfSSL | 0:d92f9d21154c | 1425 | cert->signature = 0; |
wolfSSL | 0:d92f9d21154c | 1426 | cert->subjectCN = 0; |
wolfSSL | 0:d92f9d21154c | 1427 | cert->subjectCNLen = 0; |
wolfSSL | 0:d92f9d21154c | 1428 | cert->subjectCNEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1429 | cert->subjectCNStored = 0; |
wolfSSL | 0:d92f9d21154c | 1430 | cert->weOwnAltNames = 0; |
wolfSSL | 0:d92f9d21154c | 1431 | cert->altNames = NULL; |
wolfSSL | 0:d92f9d21154c | 1432 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 1433 | cert->altEmailNames = NULL; |
wolfSSL | 0:d92f9d21154c | 1434 | cert->permittedNames = NULL; |
wolfSSL | 0:d92f9d21154c | 1435 | cert->excludedNames = NULL; |
wolfSSL | 0:d92f9d21154c | 1436 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 1437 | cert->issuer[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 1438 | cert->subject[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 1439 | cert->source = source; /* don't own */ |
wolfSSL | 0:d92f9d21154c | 1440 | cert->srcIdx = 0; |
wolfSSL | 0:d92f9d21154c | 1441 | cert->maxIdx = inSz; /* can't go over this index */ |
wolfSSL | 0:d92f9d21154c | 1442 | cert->heap = heap; |
wolfSSL | 0:d92f9d21154c | 1443 | XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE); |
wolfSSL | 0:d92f9d21154c | 1444 | cert->serialSz = 0; |
wolfSSL | 0:d92f9d21154c | 1445 | cert->extensions = 0; |
wolfSSL | 0:d92f9d21154c | 1446 | cert->extensionsSz = 0; |
wolfSSL | 0:d92f9d21154c | 1447 | cert->extensionsIdx = 0; |
wolfSSL | 0:d92f9d21154c | 1448 | cert->extAuthInfo = NULL; |
wolfSSL | 0:d92f9d21154c | 1449 | cert->extAuthInfoSz = 0; |
wolfSSL | 0:d92f9d21154c | 1450 | cert->extCrlInfo = NULL; |
wolfSSL | 0:d92f9d21154c | 1451 | cert->extCrlInfoSz = 0; |
wolfSSL | 0:d92f9d21154c | 1452 | XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE); |
wolfSSL | 0:d92f9d21154c | 1453 | cert->extSubjKeyIdSet = 0; |
wolfSSL | 0:d92f9d21154c | 1454 | XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE); |
wolfSSL | 0:d92f9d21154c | 1455 | cert->extAuthKeyIdSet = 0; |
wolfSSL | 0:d92f9d21154c | 1456 | cert->extKeyUsageSet = 0; |
wolfSSL | 0:d92f9d21154c | 1457 | cert->extKeyUsage = 0; |
wolfSSL | 0:d92f9d21154c | 1458 | cert->extExtKeyUsageSet = 0; |
wolfSSL | 0:d92f9d21154c | 1459 | cert->extExtKeyUsage = 0; |
wolfSSL | 0:d92f9d21154c | 1460 | cert->isCA = 0; |
wolfSSL | 0:d92f9d21154c | 1461 | #ifdef HAVE_PKCS7 |
wolfSSL | 0:d92f9d21154c | 1462 | cert->issuerRaw = NULL; |
wolfSSL | 0:d92f9d21154c | 1463 | cert->issuerRawLen = 0; |
wolfSSL | 0:d92f9d21154c | 1464 | #endif |
wolfSSL | 0:d92f9d21154c | 1465 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 1466 | cert->subjectSN = 0; |
wolfSSL | 0:d92f9d21154c | 1467 | cert->subjectSNLen = 0; |
wolfSSL | 0:d92f9d21154c | 1468 | cert->subjectSNEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1469 | cert->subjectC = 0; |
wolfSSL | 0:d92f9d21154c | 1470 | cert->subjectCLen = 0; |
wolfSSL | 0:d92f9d21154c | 1471 | cert->subjectCEnc = CTC_PRINTABLE; |
wolfSSL | 0:d92f9d21154c | 1472 | cert->subjectL = 0; |
wolfSSL | 0:d92f9d21154c | 1473 | cert->subjectLLen = 0; |
wolfSSL | 0:d92f9d21154c | 1474 | cert->subjectLEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1475 | cert->subjectST = 0; |
wolfSSL | 0:d92f9d21154c | 1476 | cert->subjectSTLen = 0; |
wolfSSL | 0:d92f9d21154c | 1477 | cert->subjectSTEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1478 | cert->subjectO = 0; |
wolfSSL | 0:d92f9d21154c | 1479 | cert->subjectOLen = 0; |
wolfSSL | 0:d92f9d21154c | 1480 | cert->subjectOEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1481 | cert->subjectOU = 0; |
wolfSSL | 0:d92f9d21154c | 1482 | cert->subjectOULen = 0; |
wolfSSL | 0:d92f9d21154c | 1483 | cert->subjectOUEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 1484 | cert->subjectEmail = 0; |
wolfSSL | 0:d92f9d21154c | 1485 | cert->subjectEmailLen = 0; |
wolfSSL | 0:d92f9d21154c | 1486 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 1487 | cert->beforeDate = NULL; |
wolfSSL | 0:d92f9d21154c | 1488 | cert->beforeDateLen = 0; |
wolfSSL | 0:d92f9d21154c | 1489 | cert->afterDate = NULL; |
wolfSSL | 0:d92f9d21154c | 1490 | cert->afterDateLen = 0; |
wolfSSL | 0:d92f9d21154c | 1491 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1492 | XMEMSET(&cert->issuerName, 0, sizeof(DecodedName)); |
wolfSSL | 0:d92f9d21154c | 1493 | XMEMSET(&cert->subjectName, 0, sizeof(DecodedName)); |
wolfSSL | 0:d92f9d21154c | 1494 | cert->extBasicConstSet = 0; |
wolfSSL | 0:d92f9d21154c | 1495 | cert->extBasicConstCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1496 | cert->extBasicConstPlSet = 0; |
wolfSSL | 0:d92f9d21154c | 1497 | cert->pathLength = 0; |
wolfSSL | 0:d92f9d21154c | 1498 | cert->extSubjAltNameSet = 0; |
wolfSSL | 0:d92f9d21154c | 1499 | cert->extSubjAltNameCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1500 | cert->extAuthKeyIdCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1501 | cert->extSubjKeyIdCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1502 | cert->extKeyUsageCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1503 | cert->extExtKeyUsageCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1504 | cert->extExtKeyUsageSrc = NULL; |
wolfSSL | 0:d92f9d21154c | 1505 | cert->extExtKeyUsageSz = 0; |
wolfSSL | 0:d92f9d21154c | 1506 | cert->extExtKeyUsageCount = 0; |
wolfSSL | 0:d92f9d21154c | 1507 | cert->extAuthKeyIdSrc = NULL; |
wolfSSL | 0:d92f9d21154c | 1508 | cert->extAuthKeyIdSz = 0; |
wolfSSL | 0:d92f9d21154c | 1509 | cert->extSubjKeyIdSrc = NULL; |
wolfSSL | 0:d92f9d21154c | 1510 | cert->extSubjKeyIdSz = 0; |
wolfSSL | 0:d92f9d21154c | 1511 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1512 | #if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS) |
wolfSSL | 0:d92f9d21154c | 1513 | cert->extNameConstraintSet = 0; |
wolfSSL | 0:d92f9d21154c | 1514 | #endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 1515 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 1516 | cert->pkCurveOID = 0; |
wolfSSL | 0:d92f9d21154c | 1517 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 1518 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 1519 | cert->deviceTypeSz = 0; |
wolfSSL | 0:d92f9d21154c | 1520 | cert->deviceType = NULL; |
wolfSSL | 0:d92f9d21154c | 1521 | cert->hwTypeSz = 0; |
wolfSSL | 0:d92f9d21154c | 1522 | cert->hwType = NULL; |
wolfSSL | 0:d92f9d21154c | 1523 | cert->hwSerialNumSz = 0; |
wolfSSL | 0:d92f9d21154c | 1524 | cert->hwSerialNum = NULL; |
wolfSSL | 0:d92f9d21154c | 1525 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1526 | cert->extCertPolicySet = 0; |
wolfSSL | 0:d92f9d21154c | 1527 | cert->extCertPolicyCrit = 0; |
wolfSSL | 0:d92f9d21154c | 1528 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1529 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 0:d92f9d21154c | 1530 | } |
wolfSSL | 0:d92f9d21154c | 1531 | |
wolfSSL | 0:d92f9d21154c | 1532 | |
wolfSSL | 0:d92f9d21154c | 1533 | void FreeAltNames(DNS_entry* altNames, void* heap) |
wolfSSL | 0:d92f9d21154c | 1534 | { |
wolfSSL | 0:d92f9d21154c | 1535 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 1536 | |
wolfSSL | 0:d92f9d21154c | 1537 | while (altNames) { |
wolfSSL | 0:d92f9d21154c | 1538 | DNS_entry* tmp = altNames->next; |
wolfSSL | 0:d92f9d21154c | 1539 | |
wolfSSL | 0:d92f9d21154c | 1540 | XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 1541 | XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 1542 | altNames = tmp; |
wolfSSL | 0:d92f9d21154c | 1543 | } |
wolfSSL | 0:d92f9d21154c | 1544 | } |
wolfSSL | 0:d92f9d21154c | 1545 | |
wolfSSL | 0:d92f9d21154c | 1546 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 1547 | |
wolfSSL | 0:d92f9d21154c | 1548 | void FreeNameSubtrees(Base_entry* names, void* heap) |
wolfSSL | 0:d92f9d21154c | 1549 | { |
wolfSSL | 0:d92f9d21154c | 1550 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 1551 | |
wolfSSL | 0:d92f9d21154c | 1552 | while (names) { |
wolfSSL | 0:d92f9d21154c | 1553 | Base_entry* tmp = names->next; |
wolfSSL | 0:d92f9d21154c | 1554 | |
wolfSSL | 0:d92f9d21154c | 1555 | XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 1556 | XFREE(names, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 1557 | names = tmp; |
wolfSSL | 0:d92f9d21154c | 1558 | } |
wolfSSL | 0:d92f9d21154c | 1559 | } |
wolfSSL | 0:d92f9d21154c | 1560 | |
wolfSSL | 0:d92f9d21154c | 1561 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 1562 | |
wolfSSL | 0:d92f9d21154c | 1563 | void FreeDecodedCert(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 1564 | { |
wolfSSL | 0:d92f9d21154c | 1565 | if (cert->subjectCNStored == 1) |
wolfSSL | 0:d92f9d21154c | 1566 | XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 0:d92f9d21154c | 1567 | if (cert->pubKeyStored == 1) |
wolfSSL | 0:d92f9d21154c | 1568 | XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 0:d92f9d21154c | 1569 | if (cert->weOwnAltNames && cert->altNames) |
wolfSSL | 0:d92f9d21154c | 1570 | FreeAltNames(cert->altNames, cert->heap); |
wolfSSL | 0:d92f9d21154c | 1571 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 1572 | if (cert->altEmailNames) |
wolfSSL | 0:d92f9d21154c | 1573 | FreeAltNames(cert->altEmailNames, cert->heap); |
wolfSSL | 0:d92f9d21154c | 1574 | if (cert->permittedNames) |
wolfSSL | 0:d92f9d21154c | 1575 | FreeNameSubtrees(cert->permittedNames, cert->heap); |
wolfSSL | 0:d92f9d21154c | 1576 | if (cert->excludedNames) |
wolfSSL | 0:d92f9d21154c | 1577 | FreeNameSubtrees(cert->excludedNames, cert->heap); |
wolfSSL | 0:d92f9d21154c | 1578 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 1579 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 1580 | XFREE(cert->deviceType, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 1581 | XFREE(cert->hwType, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 1582 | XFREE(cert->hwSerialNum, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 1583 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 0:d92f9d21154c | 1584 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1585 | if (cert->issuerName.fullName != NULL) |
wolfSSL | 0:d92f9d21154c | 1586 | XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 0:d92f9d21154c | 1587 | if (cert->subjectName.fullName != NULL) |
wolfSSL | 0:d92f9d21154c | 1588 | XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 0:d92f9d21154c | 1589 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1590 | } |
wolfSSL | 0:d92f9d21154c | 1591 | |
wolfSSL | 0:d92f9d21154c | 1592 | |
wolfSSL | 0:d92f9d21154c | 1593 | static int GetCertHeader(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 1594 | { |
wolfSSL | 0:d92f9d21154c | 1595 | int ret = 0, len; |
wolfSSL | 0:d92f9d21154c | 1596 | byte serialTmp[EXTERNAL_SERIAL_SIZE]; |
wolfSSL | 0:d92f9d21154c | 1597 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 0:d92f9d21154c | 1598 | mp_int* mpi = NULL; |
wolfSSL | 0:d92f9d21154c | 1599 | #else |
wolfSSL | 0:d92f9d21154c | 1600 | mp_int stack_mpi; |
wolfSSL | 0:d92f9d21154c | 1601 | mp_int* mpi = &stack_mpi; |
wolfSSL | 0:d92f9d21154c | 1602 | #endif |
wolfSSL | 0:d92f9d21154c | 1603 | |
wolfSSL | 0:d92f9d21154c | 1604 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1605 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1606 | |
wolfSSL | 0:d92f9d21154c | 1607 | cert->certBegin = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1608 | |
wolfSSL | 0:d92f9d21154c | 1609 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1610 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1611 | cert->sigIndex = len + cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1612 | |
wolfSSL | 0:d92f9d21154c | 1613 | if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0) |
wolfSSL | 0:d92f9d21154c | 1614 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1615 | |
wolfSSL | 0:d92f9d21154c | 1616 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 0:d92f9d21154c | 1617 | mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1618 | if (mpi == NULL) |
wolfSSL | 0:d92f9d21154c | 1619 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1620 | #endif |
wolfSSL | 0:d92f9d21154c | 1621 | |
wolfSSL | 0:d92f9d21154c | 1622 | if (GetInt(mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 1623 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 0:d92f9d21154c | 1624 | XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1625 | #endif |
wolfSSL | 0:d92f9d21154c | 1626 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1627 | } |
wolfSSL | 0:d92f9d21154c | 1628 | |
wolfSSL | 0:d92f9d21154c | 1629 | len = mp_unsigned_bin_size(mpi); |
wolfSSL | 0:d92f9d21154c | 1630 | if (len < (int)sizeof(serialTmp)) { |
wolfSSL | 0:d92f9d21154c | 1631 | if ( (ret = mp_to_unsigned_bin(mpi, serialTmp)) == MP_OKAY) { |
wolfSSL | 0:d92f9d21154c | 1632 | XMEMCPY(cert->serial, serialTmp, len); |
wolfSSL | 0:d92f9d21154c | 1633 | cert->serialSz = len; |
wolfSSL | 0:d92f9d21154c | 1634 | } |
wolfSSL | 0:d92f9d21154c | 1635 | } |
wolfSSL | 0:d92f9d21154c | 1636 | mp_clear(mpi); |
wolfSSL | 0:d92f9d21154c | 1637 | |
wolfSSL | 0:d92f9d21154c | 1638 | #if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH) |
wolfSSL | 0:d92f9d21154c | 1639 | XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1640 | #endif |
wolfSSL | 0:d92f9d21154c | 1641 | |
wolfSSL | 0:d92f9d21154c | 1642 | return ret; |
wolfSSL | 0:d92f9d21154c | 1643 | } |
wolfSSL | 0:d92f9d21154c | 1644 | |
wolfSSL | 0:d92f9d21154c | 1645 | #if !defined(NO_RSA) |
wolfSSL | 0:d92f9d21154c | 1646 | /* Store Rsa Key, may save later, Dsa could use in future */ |
wolfSSL | 0:d92f9d21154c | 1647 | static int StoreRsaKey(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 1648 | { |
wolfSSL | 0:d92f9d21154c | 1649 | int length; |
wolfSSL | 0:d92f9d21154c | 1650 | word32 recvd = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1651 | |
wolfSSL | 0:d92f9d21154c | 1652 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1653 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1654 | |
wolfSSL | 0:d92f9d21154c | 1655 | recvd = cert->srcIdx - recvd; |
wolfSSL | 0:d92f9d21154c | 1656 | length += recvd; |
wolfSSL | 0:d92f9d21154c | 1657 | |
wolfSSL | 0:d92f9d21154c | 1658 | while (recvd--) |
wolfSSL | 0:d92f9d21154c | 1659 | cert->srcIdx--; |
wolfSSL | 0:d92f9d21154c | 1660 | |
wolfSSL | 0:d92f9d21154c | 1661 | cert->pubKeySize = length; |
wolfSSL | 0:d92f9d21154c | 1662 | cert->publicKey = cert->source + cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1663 | cert->srcIdx += length; |
wolfSSL | 0:d92f9d21154c | 1664 | |
wolfSSL | 0:d92f9d21154c | 1665 | return 0; |
wolfSSL | 0:d92f9d21154c | 1666 | } |
wolfSSL | 0:d92f9d21154c | 1667 | #endif |
wolfSSL | 0:d92f9d21154c | 1668 | |
wolfSSL | 0:d92f9d21154c | 1669 | |
wolfSSL | 0:d92f9d21154c | 1670 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 1671 | |
wolfSSL | 0:d92f9d21154c | 1672 | /* return 0 on sucess if the ECC curve oid sum is supported */ |
wolfSSL | 0:d92f9d21154c | 1673 | static int CheckCurve(word32 oid) |
wolfSSL | 0:d92f9d21154c | 1674 | { |
wolfSSL | 0:d92f9d21154c | 1675 | int ret = 0; |
wolfSSL | 0:d92f9d21154c | 1676 | |
wolfSSL | 0:d92f9d21154c | 1677 | switch (oid) { |
wolfSSL | 0:d92f9d21154c | 1678 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 0:d92f9d21154c | 1679 | case ECC_160R1: |
wolfSSL | 0:d92f9d21154c | 1680 | #endif |
wolfSSL | 0:d92f9d21154c | 1681 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 0:d92f9d21154c | 1682 | case ECC_192R1: |
wolfSSL | 0:d92f9d21154c | 1683 | #endif |
wolfSSL | 0:d92f9d21154c | 1684 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 0:d92f9d21154c | 1685 | case ECC_224R1: |
wolfSSL | 0:d92f9d21154c | 1686 | #endif |
wolfSSL | 0:d92f9d21154c | 1687 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 0:d92f9d21154c | 1688 | case ECC_256R1: |
wolfSSL | 0:d92f9d21154c | 1689 | #endif |
wolfSSL | 0:d92f9d21154c | 1690 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 0:d92f9d21154c | 1691 | case ECC_384R1: |
wolfSSL | 0:d92f9d21154c | 1692 | #endif |
wolfSSL | 0:d92f9d21154c | 1693 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 0:d92f9d21154c | 1694 | case ECC_521R1: |
wolfSSL | 0:d92f9d21154c | 1695 | #endif |
wolfSSL | 0:d92f9d21154c | 1696 | break; |
wolfSSL | 0:d92f9d21154c | 1697 | |
wolfSSL | 0:d92f9d21154c | 1698 | default: |
wolfSSL | 0:d92f9d21154c | 1699 | ret = ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 1700 | } |
wolfSSL | 0:d92f9d21154c | 1701 | |
wolfSSL | 0:d92f9d21154c | 1702 | return ret; |
wolfSSL | 0:d92f9d21154c | 1703 | } |
wolfSSL | 0:d92f9d21154c | 1704 | |
wolfSSL | 0:d92f9d21154c | 1705 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 1706 | |
wolfSSL | 0:d92f9d21154c | 1707 | |
wolfSSL | 0:d92f9d21154c | 1708 | static int GetKey(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 1709 | { |
wolfSSL | 0:d92f9d21154c | 1710 | int length; |
wolfSSL | 0:d92f9d21154c | 1711 | #ifdef HAVE_NTRU |
wolfSSL | 0:d92f9d21154c | 1712 | int tmpIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1713 | #endif |
wolfSSL | 0:d92f9d21154c | 1714 | |
wolfSSL | 0:d92f9d21154c | 1715 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1716 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1717 | |
wolfSSL | 0:d92f9d21154c | 1718 | if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1719 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1720 | |
wolfSSL | 0:d92f9d21154c | 1721 | switch (cert->keyOID) { |
wolfSSL | 0:d92f9d21154c | 1722 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 1723 | case RSAk: |
wolfSSL | 0:d92f9d21154c | 1724 | { |
wolfSSL | 0:d92f9d21154c | 1725 | byte b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1726 | if (b != ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 1727 | return ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 1728 | |
wolfSSL | 0:d92f9d21154c | 1729 | if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1730 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1731 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1732 | if (b != 0x00) |
wolfSSL | 0:d92f9d21154c | 1733 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 1734 | |
wolfSSL | 0:d92f9d21154c | 1735 | return StoreRsaKey(cert); |
wolfSSL | 0:d92f9d21154c | 1736 | } |
wolfSSL | 0:d92f9d21154c | 1737 | |
wolfSSL | 0:d92f9d21154c | 1738 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 1739 | #ifdef HAVE_NTRU |
wolfSSL | 0:d92f9d21154c | 1740 | case NTRUk: |
wolfSSL | 0:d92f9d21154c | 1741 | { |
wolfSSL | 0:d92f9d21154c | 1742 | const byte* key = &cert->source[tmpIdx]; |
wolfSSL | 0:d92f9d21154c | 1743 | byte* next = (byte*)key; |
wolfSSL | 0:d92f9d21154c | 1744 | word16 keyLen; |
wolfSSL | 0:d92f9d21154c | 1745 | word32 rc; |
wolfSSL | 0:d92f9d21154c | 1746 | word32 remaining = cert->maxIdx - cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1747 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1748 | byte* keyBlob = NULL; |
wolfSSL | 0:d92f9d21154c | 1749 | #else |
wolfSSL | 0:d92f9d21154c | 1750 | byte keyBlob[MAX_NTRU_KEY_SZ]; |
wolfSSL | 0:d92f9d21154c | 1751 | #endif |
wolfSSL | 0:d92f9d21154c | 1752 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 0:d92f9d21154c | 1753 | &keyLen, NULL, &next, &remaining); |
wolfSSL | 0:d92f9d21154c | 1754 | if (rc != NTRU_OK) |
wolfSSL | 0:d92f9d21154c | 1755 | return ASN_NTRU_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1756 | if (keyLen > MAX_NTRU_KEY_SZ) |
wolfSSL | 0:d92f9d21154c | 1757 | return ASN_NTRU_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1758 | |
wolfSSL | 0:d92f9d21154c | 1759 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1760 | keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL, |
wolfSSL | 0:d92f9d21154c | 1761 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1762 | if (keyBlob == NULL) |
wolfSSL | 0:d92f9d21154c | 1763 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1764 | #endif |
wolfSSL | 0:d92f9d21154c | 1765 | |
wolfSSL | 0:d92f9d21154c | 1766 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 0:d92f9d21154c | 1767 | &keyLen, keyBlob, &next, &remaining); |
wolfSSL | 0:d92f9d21154c | 1768 | if (rc != NTRU_OK) { |
wolfSSL | 0:d92f9d21154c | 1769 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1770 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1771 | #endif |
wolfSSL | 0:d92f9d21154c | 1772 | return ASN_NTRU_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1773 | } |
wolfSSL | 0:d92f9d21154c | 1774 | |
wolfSSL | 0:d92f9d21154c | 1775 | if ( (next - key) < 0) { |
wolfSSL | 0:d92f9d21154c | 1776 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1777 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1778 | #endif |
wolfSSL | 0:d92f9d21154c | 1779 | return ASN_NTRU_KEY_E; |
wolfSSL | 0:d92f9d21154c | 1780 | } |
wolfSSL | 0:d92f9d21154c | 1781 | |
wolfSSL | 0:d92f9d21154c | 1782 | cert->srcIdx = tmpIdx + (int)(next - key); |
wolfSSL | 0:d92f9d21154c | 1783 | |
wolfSSL | 0:d92f9d21154c | 1784 | cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap, |
wolfSSL | 0:d92f9d21154c | 1785 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 0:d92f9d21154c | 1786 | if (cert->publicKey == NULL) { |
wolfSSL | 0:d92f9d21154c | 1787 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1788 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1789 | #endif |
wolfSSL | 0:d92f9d21154c | 1790 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1791 | } |
wolfSSL | 0:d92f9d21154c | 1792 | XMEMCPY(cert->publicKey, keyBlob, keyLen); |
wolfSSL | 0:d92f9d21154c | 1793 | cert->pubKeyStored = 1; |
wolfSSL | 0:d92f9d21154c | 1794 | cert->pubKeySize = keyLen; |
wolfSSL | 0:d92f9d21154c | 1795 | |
wolfSSL | 0:d92f9d21154c | 1796 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 1797 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 1798 | #endif |
wolfSSL | 0:d92f9d21154c | 1799 | |
wolfSSL | 0:d92f9d21154c | 1800 | return 0; |
wolfSSL | 0:d92f9d21154c | 1801 | } |
wolfSSL | 0:d92f9d21154c | 1802 | #endif /* HAVE_NTRU */ |
wolfSSL | 0:d92f9d21154c | 1803 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 1804 | case ECDSAk: |
wolfSSL | 0:d92f9d21154c | 1805 | { |
wolfSSL | 0:d92f9d21154c | 1806 | int oidSz = 0; |
wolfSSL | 0:d92f9d21154c | 1807 | byte b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1808 | |
wolfSSL | 0:d92f9d21154c | 1809 | if (b != ASN_OBJECT_ID) |
wolfSSL | 0:d92f9d21154c | 1810 | return ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 1811 | |
wolfSSL | 0:d92f9d21154c | 1812 | if (GetLength(cert->source,&cert->srcIdx,&oidSz,cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1813 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1814 | |
wolfSSL | 0:d92f9d21154c | 1815 | while(oidSz--) |
wolfSSL | 0:d92f9d21154c | 1816 | cert->pkCurveOID += cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1817 | |
wolfSSL | 0:d92f9d21154c | 1818 | if (CheckCurve(cert->pkCurveOID) < 0) |
wolfSSL | 0:d92f9d21154c | 1819 | return ECC_CURVE_OID_E; |
wolfSSL | 0:d92f9d21154c | 1820 | |
wolfSSL | 0:d92f9d21154c | 1821 | /* key header */ |
wolfSSL | 0:d92f9d21154c | 1822 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1823 | if (b != ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 1824 | return ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 1825 | |
wolfSSL | 0:d92f9d21154c | 1826 | if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1827 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1828 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1829 | if (b != 0x00) |
wolfSSL | 0:d92f9d21154c | 1830 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 1831 | |
wolfSSL | 0:d92f9d21154c | 1832 | /* actual key, use length - 1 since ate preceding 0 */ |
wolfSSL | 0:d92f9d21154c | 1833 | length -= 1; |
wolfSSL | 0:d92f9d21154c | 1834 | |
wolfSSL | 0:d92f9d21154c | 1835 | cert->publicKey = (byte*) XMALLOC(length, cert->heap, |
wolfSSL | 0:d92f9d21154c | 1836 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 0:d92f9d21154c | 1837 | if (cert->publicKey == NULL) |
wolfSSL | 0:d92f9d21154c | 1838 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 1839 | XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 0:d92f9d21154c | 1840 | cert->pubKeyStored = 1; |
wolfSSL | 0:d92f9d21154c | 1841 | cert->pubKeySize = length; |
wolfSSL | 0:d92f9d21154c | 1842 | |
wolfSSL | 0:d92f9d21154c | 1843 | cert->srcIdx += length; |
wolfSSL | 0:d92f9d21154c | 1844 | |
wolfSSL | 0:d92f9d21154c | 1845 | return 0; |
wolfSSL | 0:d92f9d21154c | 1846 | } |
wolfSSL | 0:d92f9d21154c | 1847 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 1848 | default: |
wolfSSL | 0:d92f9d21154c | 1849 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 0:d92f9d21154c | 1850 | } |
wolfSSL | 0:d92f9d21154c | 1851 | } |
wolfSSL | 0:d92f9d21154c | 1852 | |
wolfSSL | 0:d92f9d21154c | 1853 | |
wolfSSL | 0:d92f9d21154c | 1854 | /* process NAME, either issuer or subject */ |
wolfSSL | 0:d92f9d21154c | 1855 | static int GetName(DecodedCert* cert, int nameType) |
wolfSSL | 0:d92f9d21154c | 1856 | { |
wolfSSL | 0:d92f9d21154c | 1857 | int length; /* length of all distinguished names */ |
wolfSSL | 0:d92f9d21154c | 1858 | int dummy; |
wolfSSL | 0:d92f9d21154c | 1859 | int ret; |
wolfSSL | 0:d92f9d21154c | 1860 | char* full; |
wolfSSL | 0:d92f9d21154c | 1861 | byte* hash; |
wolfSSL | 0:d92f9d21154c | 1862 | word32 idx; |
wolfSSL | 0:d92f9d21154c | 1863 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1864 | DecodedName* dName = |
wolfSSL | 0:d92f9d21154c | 1865 | (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName; |
wolfSSL | 0:d92f9d21154c | 1866 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1867 | |
wolfSSL | 0:d92f9d21154c | 1868 | WOLFSSL_MSG("Getting Cert Name"); |
wolfSSL | 0:d92f9d21154c | 1869 | |
wolfSSL | 0:d92f9d21154c | 1870 | if (nameType == ISSUER) { |
wolfSSL | 0:d92f9d21154c | 1871 | full = cert->issuer; |
wolfSSL | 0:d92f9d21154c | 1872 | hash = cert->issuerHash; |
wolfSSL | 0:d92f9d21154c | 1873 | } |
wolfSSL | 0:d92f9d21154c | 1874 | else { |
wolfSSL | 0:d92f9d21154c | 1875 | full = cert->subject; |
wolfSSL | 0:d92f9d21154c | 1876 | hash = cert->subjectHash; |
wolfSSL | 0:d92f9d21154c | 1877 | } |
wolfSSL | 0:d92f9d21154c | 1878 | |
wolfSSL | 0:d92f9d21154c | 1879 | if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 1880 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 0:d92f9d21154c | 1881 | |
wolfSSL | 0:d92f9d21154c | 1882 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1883 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1884 | |
wolfSSL | 0:d92f9d21154c | 1885 | cert->srcIdx += length; |
wolfSSL | 0:d92f9d21154c | 1886 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 0:d92f9d21154c | 1887 | } |
wolfSSL | 0:d92f9d21154c | 1888 | |
wolfSSL | 0:d92f9d21154c | 1889 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 0:d92f9d21154c | 1890 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 0:d92f9d21154c | 1891 | * the tag and length. */ |
wolfSSL | 0:d92f9d21154c | 1892 | idx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1893 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1894 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1895 | |
wolfSSL | 0:d92f9d21154c | 1896 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 1897 | ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 0:d92f9d21154c | 1898 | #else |
wolfSSL | 0:d92f9d21154c | 1899 | ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 0:d92f9d21154c | 1900 | #endif |
wolfSSL | 0:d92f9d21154c | 1901 | if (ret != 0) |
wolfSSL | 0:d92f9d21154c | 1902 | return ret; |
wolfSSL | 0:d92f9d21154c | 1903 | |
wolfSSL | 0:d92f9d21154c | 1904 | length += cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1905 | idx = 0; |
wolfSSL | 0:d92f9d21154c | 1906 | |
wolfSSL | 0:d92f9d21154c | 1907 | #ifdef HAVE_PKCS7 |
wolfSSL | 0:d92f9d21154c | 1908 | /* store pointer to raw issuer */ |
wolfSSL | 0:d92f9d21154c | 1909 | if (nameType == ISSUER) { |
wolfSSL | 0:d92f9d21154c | 1910 | cert->issuerRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 1911 | cert->issuerRawLen = length - cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1912 | } |
wolfSSL | 0:d92f9d21154c | 1913 | #endif |
wolfSSL | 0:d92f9d21154c | 1914 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 1915 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 1916 | cert->subjectRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 1917 | cert->subjectRawLen = length - cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1918 | } |
wolfSSL | 0:d92f9d21154c | 1919 | #endif |
wolfSSL | 0:d92f9d21154c | 1920 | |
wolfSSL | 0:d92f9d21154c | 1921 | while (cert->srcIdx < (word32)length) { |
wolfSSL | 0:d92f9d21154c | 1922 | byte b; |
wolfSSL | 0:d92f9d21154c | 1923 | byte joint[2]; |
wolfSSL | 0:d92f9d21154c | 1924 | byte tooBig = FALSE; |
wolfSSL | 0:d92f9d21154c | 1925 | int oidSz; |
wolfSSL | 0:d92f9d21154c | 1926 | |
wolfSSL | 0:d92f9d21154c | 1927 | if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 1928 | WOLFSSL_MSG("Cert name lacks set header, trying sequence"); |
wolfSSL | 0:d92f9d21154c | 1929 | } |
wolfSSL | 0:d92f9d21154c | 1930 | |
wolfSSL | 0:d92f9d21154c | 1931 | if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1932 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1933 | |
wolfSSL | 0:d92f9d21154c | 1934 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1935 | if (b != ASN_OBJECT_ID) |
wolfSSL | 0:d92f9d21154c | 1936 | return ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 1937 | |
wolfSSL | 0:d92f9d21154c | 1938 | if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1939 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1940 | |
wolfSSL | 0:d92f9d21154c | 1941 | XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint)); |
wolfSSL | 0:d92f9d21154c | 1942 | |
wolfSSL | 0:d92f9d21154c | 1943 | /* v1 name types */ |
wolfSSL | 0:d92f9d21154c | 1944 | if (joint[0] == 0x55 && joint[1] == 0x04) { |
wolfSSL | 0:d92f9d21154c | 1945 | byte id; |
wolfSSL | 0:d92f9d21154c | 1946 | byte copy = FALSE; |
wolfSSL | 0:d92f9d21154c | 1947 | int strLen; |
wolfSSL | 0:d92f9d21154c | 1948 | |
wolfSSL | 0:d92f9d21154c | 1949 | cert->srcIdx += 2; |
wolfSSL | 0:d92f9d21154c | 1950 | id = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 1951 | b = cert->source[cert->srcIdx++]; /* encoding */ |
wolfSSL | 0:d92f9d21154c | 1952 | |
wolfSSL | 0:d92f9d21154c | 1953 | if (GetLength(cert->source, &cert->srcIdx, &strLen, |
wolfSSL | 0:d92f9d21154c | 1954 | cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 1955 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 1956 | |
wolfSSL | 0:d92f9d21154c | 1957 | if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 0:d92f9d21154c | 1958 | /* include biggest pre fix header too 4 = "/serialNumber=" */ |
wolfSSL | 0:d92f9d21154c | 1959 | WOLFSSL_MSG("ASN Name too big, skipping"); |
wolfSSL | 0:d92f9d21154c | 1960 | tooBig = TRUE; |
wolfSSL | 0:d92f9d21154c | 1961 | } |
wolfSSL | 0:d92f9d21154c | 1962 | |
wolfSSL | 0:d92f9d21154c | 1963 | if (id == ASN_COMMON_NAME) { |
wolfSSL | 0:d92f9d21154c | 1964 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 1965 | cert->subjectCN = (char *)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 1966 | cert->subjectCNLen = strLen; |
wolfSSL | 0:d92f9d21154c | 1967 | cert->subjectCNEnc = b; |
wolfSSL | 0:d92f9d21154c | 1968 | } |
wolfSSL | 0:d92f9d21154c | 1969 | |
wolfSSL | 0:d92f9d21154c | 1970 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 1971 | XMEMCPY(&full[idx], "/CN=", 4); |
wolfSSL | 0:d92f9d21154c | 1972 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 1973 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 1974 | } |
wolfSSL | 0:d92f9d21154c | 1975 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1976 | dName->cnIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1977 | dName->cnLen = strLen; |
wolfSSL | 0:d92f9d21154c | 1978 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1979 | } |
wolfSSL | 0:d92f9d21154c | 1980 | else if (id == ASN_SUR_NAME) { |
wolfSSL | 0:d92f9d21154c | 1981 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 1982 | XMEMCPY(&full[idx], "/SN=", 4); |
wolfSSL | 0:d92f9d21154c | 1983 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 1984 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 1985 | } |
wolfSSL | 0:d92f9d21154c | 1986 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 1987 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 1988 | cert->subjectSN = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 1989 | cert->subjectSNLen = strLen; |
wolfSSL | 0:d92f9d21154c | 1990 | cert->subjectSNEnc = b; |
wolfSSL | 0:d92f9d21154c | 1991 | } |
wolfSSL | 0:d92f9d21154c | 1992 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 1993 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 1994 | dName->snIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 1995 | dName->snLen = strLen; |
wolfSSL | 0:d92f9d21154c | 1996 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 1997 | } |
wolfSSL | 0:d92f9d21154c | 1998 | else if (id == ASN_COUNTRY_NAME) { |
wolfSSL | 0:d92f9d21154c | 1999 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2000 | XMEMCPY(&full[idx], "/C=", 3); |
wolfSSL | 0:d92f9d21154c | 2001 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2002 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2003 | } |
wolfSSL | 0:d92f9d21154c | 2004 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2005 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2006 | cert->subjectC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2007 | cert->subjectCLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2008 | cert->subjectCEnc = b; |
wolfSSL | 0:d92f9d21154c | 2009 | } |
wolfSSL | 0:d92f9d21154c | 2010 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2011 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2012 | dName->cIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2013 | dName->cLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2014 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2015 | } |
wolfSSL | 0:d92f9d21154c | 2016 | else if (id == ASN_LOCALITY_NAME) { |
wolfSSL | 0:d92f9d21154c | 2017 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2018 | XMEMCPY(&full[idx], "/L=", 3); |
wolfSSL | 0:d92f9d21154c | 2019 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2020 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2021 | } |
wolfSSL | 0:d92f9d21154c | 2022 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2023 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2024 | cert->subjectL = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2025 | cert->subjectLLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2026 | cert->subjectLEnc = b; |
wolfSSL | 0:d92f9d21154c | 2027 | } |
wolfSSL | 0:d92f9d21154c | 2028 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2029 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2030 | dName->lIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2031 | dName->lLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2032 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2033 | } |
wolfSSL | 0:d92f9d21154c | 2034 | else if (id == ASN_STATE_NAME) { |
wolfSSL | 0:d92f9d21154c | 2035 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2036 | XMEMCPY(&full[idx], "/ST=", 4); |
wolfSSL | 0:d92f9d21154c | 2037 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2038 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2039 | } |
wolfSSL | 0:d92f9d21154c | 2040 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2041 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2042 | cert->subjectST = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2043 | cert->subjectSTLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2044 | cert->subjectSTEnc = b; |
wolfSSL | 0:d92f9d21154c | 2045 | } |
wolfSSL | 0:d92f9d21154c | 2046 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2047 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2048 | dName->stIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2049 | dName->stLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2050 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2051 | } |
wolfSSL | 0:d92f9d21154c | 2052 | else if (id == ASN_ORG_NAME) { |
wolfSSL | 0:d92f9d21154c | 2053 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2054 | XMEMCPY(&full[idx], "/O=", 3); |
wolfSSL | 0:d92f9d21154c | 2055 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2056 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2057 | } |
wolfSSL | 0:d92f9d21154c | 2058 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2059 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2060 | cert->subjectO = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2061 | cert->subjectOLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2062 | cert->subjectOEnc = b; |
wolfSSL | 0:d92f9d21154c | 2063 | } |
wolfSSL | 0:d92f9d21154c | 2064 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2065 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2066 | dName->oIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2067 | dName->oLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2068 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2069 | } |
wolfSSL | 0:d92f9d21154c | 2070 | else if (id == ASN_ORGUNIT_NAME) { |
wolfSSL | 0:d92f9d21154c | 2071 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2072 | XMEMCPY(&full[idx], "/OU=", 4); |
wolfSSL | 0:d92f9d21154c | 2073 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2074 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2075 | } |
wolfSSL | 0:d92f9d21154c | 2076 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2077 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2078 | cert->subjectOU = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2079 | cert->subjectOULen = strLen; |
wolfSSL | 0:d92f9d21154c | 2080 | cert->subjectOUEnc = b; |
wolfSSL | 0:d92f9d21154c | 2081 | } |
wolfSSL | 0:d92f9d21154c | 2082 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2083 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2084 | dName->ouIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2085 | dName->ouLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2086 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2087 | } |
wolfSSL | 0:d92f9d21154c | 2088 | else if (id == ASN_SERIAL_NUMBER) { |
wolfSSL | 0:d92f9d21154c | 2089 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2090 | XMEMCPY(&full[idx], "/serialNumber=", 14); |
wolfSSL | 0:d92f9d21154c | 2091 | idx += 14; |
wolfSSL | 0:d92f9d21154c | 2092 | copy = TRUE; |
wolfSSL | 0:d92f9d21154c | 2093 | } |
wolfSSL | 0:d92f9d21154c | 2094 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2095 | dName->snIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2096 | dName->snLen = strLen; |
wolfSSL | 0:d92f9d21154c | 2097 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2098 | } |
wolfSSL | 0:d92f9d21154c | 2099 | |
wolfSSL | 0:d92f9d21154c | 2100 | if (copy && !tooBig) { |
wolfSSL | 0:d92f9d21154c | 2101 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); |
wolfSSL | 0:d92f9d21154c | 2102 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 2103 | } |
wolfSSL | 0:d92f9d21154c | 2104 | |
wolfSSL | 0:d92f9d21154c | 2105 | cert->srcIdx += strLen; |
wolfSSL | 0:d92f9d21154c | 2106 | } |
wolfSSL | 0:d92f9d21154c | 2107 | else { |
wolfSSL | 0:d92f9d21154c | 2108 | /* skip */ |
wolfSSL | 0:d92f9d21154c | 2109 | byte email = FALSE; |
wolfSSL | 0:d92f9d21154c | 2110 | byte uid = FALSE; |
wolfSSL | 0:d92f9d21154c | 2111 | int adv; |
wolfSSL | 0:d92f9d21154c | 2112 | |
wolfSSL | 0:d92f9d21154c | 2113 | if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */ |
wolfSSL | 0:d92f9d21154c | 2114 | email = TRUE; |
wolfSSL | 0:d92f9d21154c | 2115 | |
wolfSSL | 0:d92f9d21154c | 2116 | if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */ |
wolfSSL | 0:d92f9d21154c | 2117 | uid = TRUE; |
wolfSSL | 0:d92f9d21154c | 2118 | |
wolfSSL | 0:d92f9d21154c | 2119 | cert->srcIdx += oidSz + 1; |
wolfSSL | 0:d92f9d21154c | 2120 | |
wolfSSL | 0:d92f9d21154c | 2121 | if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 2122 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 2123 | |
wolfSSL | 0:d92f9d21154c | 2124 | if (adv > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 0:d92f9d21154c | 2125 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 0:d92f9d21154c | 2126 | tooBig = TRUE; |
wolfSSL | 0:d92f9d21154c | 2127 | } |
wolfSSL | 0:d92f9d21154c | 2128 | |
wolfSSL | 0:d92f9d21154c | 2129 | if (email) { |
wolfSSL | 0:d92f9d21154c | 2130 | if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 0:d92f9d21154c | 2131 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 0:d92f9d21154c | 2132 | tooBig = TRUE; |
wolfSSL | 0:d92f9d21154c | 2133 | } |
wolfSSL | 0:d92f9d21154c | 2134 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2135 | XMEMCPY(&full[idx], "/emailAddress=", 14); |
wolfSSL | 0:d92f9d21154c | 2136 | idx += 14; |
wolfSSL | 0:d92f9d21154c | 2137 | } |
wolfSSL | 0:d92f9d21154c | 2138 | |
wolfSSL | 0:d92f9d21154c | 2139 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 0:d92f9d21154c | 2140 | if (nameType == SUBJECT) { |
wolfSSL | 0:d92f9d21154c | 2141 | cert->subjectEmail = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2142 | cert->subjectEmailLen = adv; |
wolfSSL | 0:d92f9d21154c | 2143 | } |
wolfSSL | 0:d92f9d21154c | 2144 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2145 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2146 | dName->emailIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2147 | dName->emailLen = adv; |
wolfSSL | 0:d92f9d21154c | 2148 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2149 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 2150 | { |
wolfSSL | 0:d92f9d21154c | 2151 | DNS_entry* emailName = NULL; |
wolfSSL | 0:d92f9d21154c | 2152 | |
wolfSSL | 0:d92f9d21154c | 2153 | emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), |
wolfSSL | 0:d92f9d21154c | 2154 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 2155 | if (emailName == NULL) { |
wolfSSL | 0:d92f9d21154c | 2156 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 2157 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 2158 | } |
wolfSSL | 0:d92f9d21154c | 2159 | emailName->name = (char*)XMALLOC(adv + 1, |
wolfSSL | 0:d92f9d21154c | 2160 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 2161 | if (emailName->name == NULL) { |
wolfSSL | 0:d92f9d21154c | 2162 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 2163 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 2164 | } |
wolfSSL | 0:d92f9d21154c | 2165 | XMEMCPY(emailName->name, |
wolfSSL | 0:d92f9d21154c | 2166 | &cert->source[cert->srcIdx], adv); |
wolfSSL | 0:d92f9d21154c | 2167 | emailName->name[adv] = 0; |
wolfSSL | 0:d92f9d21154c | 2168 | |
wolfSSL | 0:d92f9d21154c | 2169 | emailName->next = cert->altEmailNames; |
wolfSSL | 0:d92f9d21154c | 2170 | cert->altEmailNames = emailName; |
wolfSSL | 0:d92f9d21154c | 2171 | } |
wolfSSL | 0:d92f9d21154c | 2172 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 2173 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2174 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 0:d92f9d21154c | 2175 | idx += adv; |
wolfSSL | 0:d92f9d21154c | 2176 | } |
wolfSSL | 0:d92f9d21154c | 2177 | } |
wolfSSL | 0:d92f9d21154c | 2178 | |
wolfSSL | 0:d92f9d21154c | 2179 | if (uid) { |
wolfSSL | 0:d92f9d21154c | 2180 | if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 0:d92f9d21154c | 2181 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 0:d92f9d21154c | 2182 | tooBig = TRUE; |
wolfSSL | 0:d92f9d21154c | 2183 | } |
wolfSSL | 0:d92f9d21154c | 2184 | if (!tooBig) { |
wolfSSL | 0:d92f9d21154c | 2185 | XMEMCPY(&full[idx], "/UID=", 5); |
wolfSSL | 0:d92f9d21154c | 2186 | idx += 5; |
wolfSSL | 0:d92f9d21154c | 2187 | |
wolfSSL | 0:d92f9d21154c | 2188 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 0:d92f9d21154c | 2189 | idx += adv; |
wolfSSL | 0:d92f9d21154c | 2190 | } |
wolfSSL | 0:d92f9d21154c | 2191 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2192 | dName->uidIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2193 | dName->uidLen = adv; |
wolfSSL | 0:d92f9d21154c | 2194 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2195 | } |
wolfSSL | 0:d92f9d21154c | 2196 | |
wolfSSL | 0:d92f9d21154c | 2197 | cert->srcIdx += adv; |
wolfSSL | 0:d92f9d21154c | 2198 | } |
wolfSSL | 0:d92f9d21154c | 2199 | } |
wolfSSL | 0:d92f9d21154c | 2200 | full[idx++] = 0; |
wolfSSL | 0:d92f9d21154c | 2201 | |
wolfSSL | 0:d92f9d21154c | 2202 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 2203 | { |
wolfSSL | 0:d92f9d21154c | 2204 | int totalLen = 0; |
wolfSSL | 0:d92f9d21154c | 2205 | |
wolfSSL | 0:d92f9d21154c | 2206 | if (dName->cnLen != 0) |
wolfSSL | 0:d92f9d21154c | 2207 | totalLen += dName->cnLen + 4; |
wolfSSL | 0:d92f9d21154c | 2208 | if (dName->snLen != 0) |
wolfSSL | 0:d92f9d21154c | 2209 | totalLen += dName->snLen + 4; |
wolfSSL | 0:d92f9d21154c | 2210 | if (dName->cLen != 0) |
wolfSSL | 0:d92f9d21154c | 2211 | totalLen += dName->cLen + 3; |
wolfSSL | 0:d92f9d21154c | 2212 | if (dName->lLen != 0) |
wolfSSL | 0:d92f9d21154c | 2213 | totalLen += dName->lLen + 3; |
wolfSSL | 0:d92f9d21154c | 2214 | if (dName->stLen != 0) |
wolfSSL | 0:d92f9d21154c | 2215 | totalLen += dName->stLen + 4; |
wolfSSL | 0:d92f9d21154c | 2216 | if (dName->oLen != 0) |
wolfSSL | 0:d92f9d21154c | 2217 | totalLen += dName->oLen + 3; |
wolfSSL | 0:d92f9d21154c | 2218 | if (dName->ouLen != 0) |
wolfSSL | 0:d92f9d21154c | 2219 | totalLen += dName->ouLen + 4; |
wolfSSL | 0:d92f9d21154c | 2220 | if (dName->emailLen != 0) |
wolfSSL | 0:d92f9d21154c | 2221 | totalLen += dName->emailLen + 14; |
wolfSSL | 0:d92f9d21154c | 2222 | if (dName->uidLen != 0) |
wolfSSL | 0:d92f9d21154c | 2223 | totalLen += dName->uidLen + 5; |
wolfSSL | 0:d92f9d21154c | 2224 | if (dName->serialLen != 0) |
wolfSSL | 0:d92f9d21154c | 2225 | totalLen += dName->serialLen + 14; |
wolfSSL | 0:d92f9d21154c | 2226 | |
wolfSSL | 0:d92f9d21154c | 2227 | dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509); |
wolfSSL | 0:d92f9d21154c | 2228 | if (dName->fullName != NULL) { |
wolfSSL | 0:d92f9d21154c | 2229 | idx = 0; |
wolfSSL | 0:d92f9d21154c | 2230 | |
wolfSSL | 0:d92f9d21154c | 2231 | if (dName->cnLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2232 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2233 | XMEMCPY(&dName->fullName[idx], "/CN=", 4); |
wolfSSL | 0:d92f9d21154c | 2234 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2235 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2236 | &cert->source[dName->cnIdx], dName->cnLen); |
wolfSSL | 0:d92f9d21154c | 2237 | dName->cnIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2238 | idx += dName->cnLen; |
wolfSSL | 0:d92f9d21154c | 2239 | } |
wolfSSL | 0:d92f9d21154c | 2240 | if (dName->snLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2241 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2242 | XMEMCPY(&dName->fullName[idx], "/SN=", 4); |
wolfSSL | 0:d92f9d21154c | 2243 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2244 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2245 | &cert->source[dName->snIdx], dName->snLen); |
wolfSSL | 0:d92f9d21154c | 2246 | dName->snIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2247 | idx += dName->snLen; |
wolfSSL | 0:d92f9d21154c | 2248 | } |
wolfSSL | 0:d92f9d21154c | 2249 | if (dName->cLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2250 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2251 | XMEMCPY(&dName->fullName[idx], "/C=", 3); |
wolfSSL | 0:d92f9d21154c | 2252 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2253 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2254 | &cert->source[dName->cIdx], dName->cLen); |
wolfSSL | 0:d92f9d21154c | 2255 | dName->cIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2256 | idx += dName->cLen; |
wolfSSL | 0:d92f9d21154c | 2257 | } |
wolfSSL | 0:d92f9d21154c | 2258 | if (dName->lLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2259 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2260 | XMEMCPY(&dName->fullName[idx], "/L=", 3); |
wolfSSL | 0:d92f9d21154c | 2261 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2262 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2263 | &cert->source[dName->lIdx], dName->lLen); |
wolfSSL | 0:d92f9d21154c | 2264 | dName->lIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2265 | idx += dName->lLen; |
wolfSSL | 0:d92f9d21154c | 2266 | } |
wolfSSL | 0:d92f9d21154c | 2267 | if (dName->stLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2268 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2269 | XMEMCPY(&dName->fullName[idx], "/ST=", 4); |
wolfSSL | 0:d92f9d21154c | 2270 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2271 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2272 | &cert->source[dName->stIdx], dName->stLen); |
wolfSSL | 0:d92f9d21154c | 2273 | dName->stIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2274 | idx += dName->stLen; |
wolfSSL | 0:d92f9d21154c | 2275 | } |
wolfSSL | 0:d92f9d21154c | 2276 | if (dName->oLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2277 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2278 | XMEMCPY(&dName->fullName[idx], "/O=", 3); |
wolfSSL | 0:d92f9d21154c | 2279 | idx += 3; |
wolfSSL | 0:d92f9d21154c | 2280 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2281 | &cert->source[dName->oIdx], dName->oLen); |
wolfSSL | 0:d92f9d21154c | 2282 | dName->oIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2283 | idx += dName->oLen; |
wolfSSL | 0:d92f9d21154c | 2284 | } |
wolfSSL | 0:d92f9d21154c | 2285 | if (dName->ouLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2286 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2287 | XMEMCPY(&dName->fullName[idx], "/OU=", 4); |
wolfSSL | 0:d92f9d21154c | 2288 | idx += 4; |
wolfSSL | 0:d92f9d21154c | 2289 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2290 | &cert->source[dName->ouIdx], dName->ouLen); |
wolfSSL | 0:d92f9d21154c | 2291 | dName->ouIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2292 | idx += dName->ouLen; |
wolfSSL | 0:d92f9d21154c | 2293 | } |
wolfSSL | 0:d92f9d21154c | 2294 | if (dName->emailLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2295 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2296 | XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14); |
wolfSSL | 0:d92f9d21154c | 2297 | idx += 14; |
wolfSSL | 0:d92f9d21154c | 2298 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2299 | &cert->source[dName->emailIdx], dName->emailLen); |
wolfSSL | 0:d92f9d21154c | 2300 | dName->emailIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2301 | idx += dName->emailLen; |
wolfSSL | 0:d92f9d21154c | 2302 | } |
wolfSSL | 0:d92f9d21154c | 2303 | if (dName->uidLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2304 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2305 | XMEMCPY(&dName->fullName[idx], "/UID=", 5); |
wolfSSL | 0:d92f9d21154c | 2306 | idx += 5; |
wolfSSL | 0:d92f9d21154c | 2307 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2308 | &cert->source[dName->uidIdx], dName->uidLen); |
wolfSSL | 0:d92f9d21154c | 2309 | dName->uidIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2310 | idx += dName->uidLen; |
wolfSSL | 0:d92f9d21154c | 2311 | } |
wolfSSL | 0:d92f9d21154c | 2312 | if (dName->serialLen != 0) { |
wolfSSL | 0:d92f9d21154c | 2313 | dName->entryCount++; |
wolfSSL | 0:d92f9d21154c | 2314 | XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14); |
wolfSSL | 0:d92f9d21154c | 2315 | idx += 14; |
wolfSSL | 0:d92f9d21154c | 2316 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 0:d92f9d21154c | 2317 | &cert->source[dName->serialIdx], dName->serialLen); |
wolfSSL | 0:d92f9d21154c | 2318 | dName->serialIdx = idx; |
wolfSSL | 0:d92f9d21154c | 2319 | idx += dName->serialLen; |
wolfSSL | 0:d92f9d21154c | 2320 | } |
wolfSSL | 0:d92f9d21154c | 2321 | dName->fullName[idx] = '\0'; |
wolfSSL | 0:d92f9d21154c | 2322 | dName->fullNameLen = totalLen; |
wolfSSL | 0:d92f9d21154c | 2323 | } |
wolfSSL | 0:d92f9d21154c | 2324 | } |
wolfSSL | 0:d92f9d21154c | 2325 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 2326 | |
wolfSSL | 0:d92f9d21154c | 2327 | return 0; |
wolfSSL | 0:d92f9d21154c | 2328 | } |
wolfSSL | 0:d92f9d21154c | 2329 | |
wolfSSL | 0:d92f9d21154c | 2330 | |
wolfSSL | 0:d92f9d21154c | 2331 | #ifndef NO_TIME_H |
wolfSSL | 0:d92f9d21154c | 2332 | |
wolfSSL | 0:d92f9d21154c | 2333 | /* to the second */ |
wolfSSL | 0:d92f9d21154c | 2334 | static int DateGreaterThan(const struct tm* a, const struct tm* b) |
wolfSSL | 0:d92f9d21154c | 2335 | { |
wolfSSL | 0:d92f9d21154c | 2336 | if (a->tm_year > b->tm_year) |
wolfSSL | 0:d92f9d21154c | 2337 | return 1; |
wolfSSL | 0:d92f9d21154c | 2338 | |
wolfSSL | 0:d92f9d21154c | 2339 | if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon) |
wolfSSL | 0:d92f9d21154c | 2340 | return 1; |
wolfSSL | 0:d92f9d21154c | 2341 | |
wolfSSL | 0:d92f9d21154c | 2342 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 0:d92f9d21154c | 2343 | a->tm_mday > b->tm_mday) |
wolfSSL | 0:d92f9d21154c | 2344 | return 1; |
wolfSSL | 0:d92f9d21154c | 2345 | |
wolfSSL | 0:d92f9d21154c | 2346 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 0:d92f9d21154c | 2347 | a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour) |
wolfSSL | 0:d92f9d21154c | 2348 | return 1; |
wolfSSL | 0:d92f9d21154c | 2349 | |
wolfSSL | 0:d92f9d21154c | 2350 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 0:d92f9d21154c | 2351 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 0:d92f9d21154c | 2352 | a->tm_min > b->tm_min) |
wolfSSL | 0:d92f9d21154c | 2353 | return 1; |
wolfSSL | 0:d92f9d21154c | 2354 | |
wolfSSL | 0:d92f9d21154c | 2355 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 0:d92f9d21154c | 2356 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 0:d92f9d21154c | 2357 | a->tm_min == b->tm_min && a->tm_sec > b->tm_sec) |
wolfSSL | 0:d92f9d21154c | 2358 | return 1; |
wolfSSL | 0:d92f9d21154c | 2359 | |
wolfSSL | 0:d92f9d21154c | 2360 | return 0; /* false */ |
wolfSSL | 0:d92f9d21154c | 2361 | } |
wolfSSL | 0:d92f9d21154c | 2362 | |
wolfSSL | 0:d92f9d21154c | 2363 | |
wolfSSL | 0:d92f9d21154c | 2364 | static INLINE int DateLessThan(const struct tm* a, const struct tm* b) |
wolfSSL | 0:d92f9d21154c | 2365 | { |
wolfSSL | 0:d92f9d21154c | 2366 | return DateGreaterThan(b,a); |
wolfSSL | 0:d92f9d21154c | 2367 | } |
wolfSSL | 0:d92f9d21154c | 2368 | |
wolfSSL | 0:d92f9d21154c | 2369 | |
wolfSSL | 0:d92f9d21154c | 2370 | /* like atoi but only use first byte */ |
wolfSSL | 0:d92f9d21154c | 2371 | /* Make sure before and after dates are valid */ |
wolfSSL | 0:d92f9d21154c | 2372 | int ValidateDate(const byte* date, byte format, int dateType) |
wolfSSL | 0:d92f9d21154c | 2373 | { |
wolfSSL | 0:d92f9d21154c | 2374 | time_t ltime; |
wolfSSL | 0:d92f9d21154c | 2375 | struct tm certTime; |
wolfSSL | 0:d92f9d21154c | 2376 | struct tm* localTime; |
wolfSSL | 0:d92f9d21154c | 2377 | struct tm* tmpTime = NULL; |
wolfSSL | 0:d92f9d21154c | 2378 | int i = 0; |
wolfSSL | 0:d92f9d21154c | 2379 | |
wolfSSL | 0:d92f9d21154c | 2380 | #if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) |
wolfSSL | 0:d92f9d21154c | 2381 | struct tm tmpTimeStorage; |
wolfSSL | 0:d92f9d21154c | 2382 | tmpTime = &tmpTimeStorage; |
wolfSSL | 0:d92f9d21154c | 2383 | #else |
wolfSSL | 0:d92f9d21154c | 2384 | (void)tmpTime; |
wolfSSL | 0:d92f9d21154c | 2385 | #endif |
wolfSSL | 0:d92f9d21154c | 2386 | |
wolfSSL | 0:d92f9d21154c | 2387 | ltime = XTIME(0); |
wolfSSL | 0:d92f9d21154c | 2388 | XMEMSET(&certTime, 0, sizeof(certTime)); |
wolfSSL | 0:d92f9d21154c | 2389 | |
wolfSSL | 0:d92f9d21154c | 2390 | if (format == ASN_UTC_TIME) { |
wolfSSL | 0:d92f9d21154c | 2391 | if (btoi(date[0]) >= 5) |
wolfSSL | 0:d92f9d21154c | 2392 | certTime.tm_year = 1900; |
wolfSSL | 0:d92f9d21154c | 2393 | else |
wolfSSL | 0:d92f9d21154c | 2394 | certTime.tm_year = 2000; |
wolfSSL | 0:d92f9d21154c | 2395 | } |
wolfSSL | 0:d92f9d21154c | 2396 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 0:d92f9d21154c | 2397 | certTime.tm_year += btoi(date[i++]) * 1000; |
wolfSSL | 0:d92f9d21154c | 2398 | certTime.tm_year += btoi(date[i++]) * 100; |
wolfSSL | 0:d92f9d21154c | 2399 | } |
wolfSSL | 0:d92f9d21154c | 2400 | |
wolfSSL | 0:d92f9d21154c | 2401 | /* adjust tm_year, tm_mon */ |
wolfSSL | 0:d92f9d21154c | 2402 | GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900; |
wolfSSL | 0:d92f9d21154c | 2403 | GetTime((int*)&certTime.tm_mon, date, &i); certTime.tm_mon -= 1; |
wolfSSL | 0:d92f9d21154c | 2404 | GetTime((int*)&certTime.tm_mday, date, &i); |
wolfSSL | 0:d92f9d21154c | 2405 | GetTime((int*)&certTime.tm_hour, date, &i); |
wolfSSL | 0:d92f9d21154c | 2406 | GetTime((int*)&certTime.tm_min, date, &i); |
wolfSSL | 0:d92f9d21154c | 2407 | GetTime((int*)&certTime.tm_sec, date, &i); |
wolfSSL | 0:d92f9d21154c | 2408 | |
wolfSSL | 0:d92f9d21154c | 2409 | if (date[i] != 'Z') { /* only Zulu supported for this profile */ |
wolfSSL | 0:d92f9d21154c | 2410 | WOLFSSL_MSG("Only Zulu time supported for this profile"); |
wolfSSL | 0:d92f9d21154c | 2411 | return 0; |
wolfSSL | 0:d92f9d21154c | 2412 | } |
wolfSSL | 0:d92f9d21154c | 2413 | |
wolfSSL | 0:d92f9d21154c | 2414 | localTime = XGMTIME(<ime, tmpTime); |
wolfSSL | 0:d92f9d21154c | 2415 | |
wolfSSL | 0:d92f9d21154c | 2416 | if (dateType == BEFORE) { |
wolfSSL | 0:d92f9d21154c | 2417 | if (DateLessThan(localTime, &certTime)) |
wolfSSL | 0:d92f9d21154c | 2418 | return 0; |
wolfSSL | 0:d92f9d21154c | 2419 | } |
wolfSSL | 0:d92f9d21154c | 2420 | else |
wolfSSL | 0:d92f9d21154c | 2421 | if (DateGreaterThan(localTime, &certTime)) |
wolfSSL | 0:d92f9d21154c | 2422 | return 0; |
wolfSSL | 0:d92f9d21154c | 2423 | |
wolfSSL | 0:d92f9d21154c | 2424 | return 1; |
wolfSSL | 0:d92f9d21154c | 2425 | } |
wolfSSL | 0:d92f9d21154c | 2426 | |
wolfSSL | 0:d92f9d21154c | 2427 | #endif /* NO_TIME_H */ |
wolfSSL | 0:d92f9d21154c | 2428 | |
wolfSSL | 0:d92f9d21154c | 2429 | |
wolfSSL | 0:d92f9d21154c | 2430 | static int GetDate(DecodedCert* cert, int dateType) |
wolfSSL | 0:d92f9d21154c | 2431 | { |
wolfSSL | 0:d92f9d21154c | 2432 | int length; |
wolfSSL | 0:d92f9d21154c | 2433 | byte date[MAX_DATE_SIZE]; |
wolfSSL | 0:d92f9d21154c | 2434 | byte b; |
wolfSSL | 0:d92f9d21154c | 2435 | word32 startIdx = 0; |
wolfSSL | 0:d92f9d21154c | 2436 | |
wolfSSL | 0:d92f9d21154c | 2437 | if (dateType == BEFORE) |
wolfSSL | 0:d92f9d21154c | 2438 | cert->beforeDate = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2439 | else |
wolfSSL | 0:d92f9d21154c | 2440 | cert->afterDate = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2441 | startIdx = cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 2442 | |
wolfSSL | 0:d92f9d21154c | 2443 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 2444 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) |
wolfSSL | 0:d92f9d21154c | 2445 | return ASN_TIME_E; |
wolfSSL | 0:d92f9d21154c | 2446 | |
wolfSSL | 0:d92f9d21154c | 2447 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 2448 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 2449 | |
wolfSSL | 0:d92f9d21154c | 2450 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 0:d92f9d21154c | 2451 | return ASN_DATE_SZ_E; |
wolfSSL | 0:d92f9d21154c | 2452 | |
wolfSSL | 0:d92f9d21154c | 2453 | XMEMCPY(date, &cert->source[cert->srcIdx], length); |
wolfSSL | 0:d92f9d21154c | 2454 | cert->srcIdx += length; |
wolfSSL | 0:d92f9d21154c | 2455 | |
wolfSSL | 0:d92f9d21154c | 2456 | if (dateType == BEFORE) |
wolfSSL | 0:d92f9d21154c | 2457 | cert->beforeDateLen = cert->srcIdx - startIdx; |
wolfSSL | 0:d92f9d21154c | 2458 | else |
wolfSSL | 0:d92f9d21154c | 2459 | cert->afterDateLen = cert->srcIdx - startIdx; |
wolfSSL | 0:d92f9d21154c | 2460 | |
wolfSSL | 0:d92f9d21154c | 2461 | if (!XVALIDATE_DATE(date, b, dateType)) { |
wolfSSL | 0:d92f9d21154c | 2462 | if (dateType == BEFORE) |
wolfSSL | 0:d92f9d21154c | 2463 | return ASN_BEFORE_DATE_E; |
wolfSSL | 0:d92f9d21154c | 2464 | else |
wolfSSL | 0:d92f9d21154c | 2465 | return ASN_AFTER_DATE_E; |
wolfSSL | 0:d92f9d21154c | 2466 | } |
wolfSSL | 0:d92f9d21154c | 2467 | |
wolfSSL | 0:d92f9d21154c | 2468 | return 0; |
wolfSSL | 0:d92f9d21154c | 2469 | } |
wolfSSL | 0:d92f9d21154c | 2470 | |
wolfSSL | 0:d92f9d21154c | 2471 | |
wolfSSL | 0:d92f9d21154c | 2472 | static int GetValidity(DecodedCert* cert, int verify) |
wolfSSL | 0:d92f9d21154c | 2473 | { |
wolfSSL | 0:d92f9d21154c | 2474 | int length; |
wolfSSL | 0:d92f9d21154c | 2475 | int badDate = 0; |
wolfSSL | 0:d92f9d21154c | 2476 | |
wolfSSL | 0:d92f9d21154c | 2477 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 2478 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 2479 | |
wolfSSL | 0:d92f9d21154c | 2480 | if (GetDate(cert, BEFORE) < 0 && verify) |
wolfSSL | 0:d92f9d21154c | 2481 | badDate = ASN_BEFORE_DATE_E; /* continue parsing */ |
wolfSSL | 0:d92f9d21154c | 2482 | |
wolfSSL | 0:d92f9d21154c | 2483 | if (GetDate(cert, AFTER) < 0 && verify) |
wolfSSL | 0:d92f9d21154c | 2484 | return ASN_AFTER_DATE_E; |
wolfSSL | 0:d92f9d21154c | 2485 | |
wolfSSL | 0:d92f9d21154c | 2486 | if (badDate != 0) |
wolfSSL | 0:d92f9d21154c | 2487 | return badDate; |
wolfSSL | 0:d92f9d21154c | 2488 | |
wolfSSL | 0:d92f9d21154c | 2489 | return 0; |
wolfSSL | 0:d92f9d21154c | 2490 | } |
wolfSSL | 0:d92f9d21154c | 2491 | |
wolfSSL | 0:d92f9d21154c | 2492 | |
wolfSSL | 0:d92f9d21154c | 2493 | int DecodeToKey(DecodedCert* cert, int verify) |
wolfSSL | 0:d92f9d21154c | 2494 | { |
wolfSSL | 0:d92f9d21154c | 2495 | int badDate = 0; |
wolfSSL | 0:d92f9d21154c | 2496 | int ret; |
wolfSSL | 0:d92f9d21154c | 2497 | |
wolfSSL | 0:d92f9d21154c | 2498 | if ( (ret = GetCertHeader(cert)) < 0) |
wolfSSL | 0:d92f9d21154c | 2499 | return ret; |
wolfSSL | 0:d92f9d21154c | 2500 | |
wolfSSL | 0:d92f9d21154c | 2501 | WOLFSSL_MSG("Got Cert Header"); |
wolfSSL | 0:d92f9d21154c | 2502 | |
wolfSSL | 0:d92f9d21154c | 2503 | if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, |
wolfSSL | 0:d92f9d21154c | 2504 | cert->maxIdx)) < 0) |
wolfSSL | 0:d92f9d21154c | 2505 | return ret; |
wolfSSL | 0:d92f9d21154c | 2506 | |
wolfSSL | 0:d92f9d21154c | 2507 | WOLFSSL_MSG("Got Algo ID"); |
wolfSSL | 0:d92f9d21154c | 2508 | |
wolfSSL | 0:d92f9d21154c | 2509 | if ( (ret = GetName(cert, ISSUER)) < 0) |
wolfSSL | 0:d92f9d21154c | 2510 | return ret; |
wolfSSL | 0:d92f9d21154c | 2511 | |
wolfSSL | 0:d92f9d21154c | 2512 | if ( (ret = GetValidity(cert, verify)) < 0) |
wolfSSL | 0:d92f9d21154c | 2513 | badDate = ret; |
wolfSSL | 0:d92f9d21154c | 2514 | |
wolfSSL | 0:d92f9d21154c | 2515 | if ( (ret = GetName(cert, SUBJECT)) < 0) |
wolfSSL | 0:d92f9d21154c | 2516 | return ret; |
wolfSSL | 0:d92f9d21154c | 2517 | |
wolfSSL | 0:d92f9d21154c | 2518 | WOLFSSL_MSG("Got Subject Name"); |
wolfSSL | 0:d92f9d21154c | 2519 | |
wolfSSL | 0:d92f9d21154c | 2520 | if ( (ret = GetKey(cert)) < 0) |
wolfSSL | 0:d92f9d21154c | 2521 | return ret; |
wolfSSL | 0:d92f9d21154c | 2522 | |
wolfSSL | 0:d92f9d21154c | 2523 | WOLFSSL_MSG("Got Key"); |
wolfSSL | 0:d92f9d21154c | 2524 | |
wolfSSL | 0:d92f9d21154c | 2525 | if (badDate != 0) |
wolfSSL | 0:d92f9d21154c | 2526 | return badDate; |
wolfSSL | 0:d92f9d21154c | 2527 | |
wolfSSL | 0:d92f9d21154c | 2528 | return ret; |
wolfSSL | 0:d92f9d21154c | 2529 | } |
wolfSSL | 0:d92f9d21154c | 2530 | |
wolfSSL | 0:d92f9d21154c | 2531 | |
wolfSSL | 0:d92f9d21154c | 2532 | static int GetSignature(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 2533 | { |
wolfSSL | 0:d92f9d21154c | 2534 | int length; |
wolfSSL | 0:d92f9d21154c | 2535 | byte b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 2536 | |
wolfSSL | 0:d92f9d21154c | 2537 | if (b != ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 2538 | return ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 2539 | |
wolfSSL | 0:d92f9d21154c | 2540 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 2541 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 2542 | |
wolfSSL | 0:d92f9d21154c | 2543 | cert->sigLength = length; |
wolfSSL | 0:d92f9d21154c | 2544 | |
wolfSSL | 0:d92f9d21154c | 2545 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 2546 | if (b != 0x00) |
wolfSSL | 0:d92f9d21154c | 2547 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 2548 | |
wolfSSL | 0:d92f9d21154c | 2549 | cert->sigLength--; |
wolfSSL | 0:d92f9d21154c | 2550 | cert->signature = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 2551 | cert->srcIdx += cert->sigLength; |
wolfSSL | 0:d92f9d21154c | 2552 | |
wolfSSL | 0:d92f9d21154c | 2553 | return 0; |
wolfSSL | 0:d92f9d21154c | 2554 | } |
wolfSSL | 0:d92f9d21154c | 2555 | |
wolfSSL | 0:d92f9d21154c | 2556 | |
wolfSSL | 0:d92f9d21154c | 2557 | static word32 SetDigest(const byte* digest, word32 digSz, byte* output) |
wolfSSL | 0:d92f9d21154c | 2558 | { |
wolfSSL | 0:d92f9d21154c | 2559 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 0:d92f9d21154c | 2560 | output[1] = (byte)digSz; |
wolfSSL | 0:d92f9d21154c | 2561 | XMEMCPY(&output[2], digest, digSz); |
wolfSSL | 0:d92f9d21154c | 2562 | |
wolfSSL | 0:d92f9d21154c | 2563 | return digSz + 2; |
wolfSSL | 0:d92f9d21154c | 2564 | } |
wolfSSL | 0:d92f9d21154c | 2565 | |
wolfSSL | 0:d92f9d21154c | 2566 | |
wolfSSL | 0:d92f9d21154c | 2567 | static word32 BytePrecision(word32 value) |
wolfSSL | 0:d92f9d21154c | 2568 | { |
wolfSSL | 0:d92f9d21154c | 2569 | word32 i; |
wolfSSL | 0:d92f9d21154c | 2570 | for (i = sizeof(value); i; --i) |
wolfSSL | 0:d92f9d21154c | 2571 | if (value >> ((i - 1) * WOLFSSL_BIT_SIZE)) |
wolfSSL | 0:d92f9d21154c | 2572 | break; |
wolfSSL | 0:d92f9d21154c | 2573 | |
wolfSSL | 0:d92f9d21154c | 2574 | return i; |
wolfSSL | 0:d92f9d21154c | 2575 | } |
wolfSSL | 0:d92f9d21154c | 2576 | |
wolfSSL | 0:d92f9d21154c | 2577 | |
wolfSSL | 0:d92f9d21154c | 2578 | WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output) |
wolfSSL | 0:d92f9d21154c | 2579 | { |
wolfSSL | 0:d92f9d21154c | 2580 | word32 i = 0, j; |
wolfSSL | 0:d92f9d21154c | 2581 | |
wolfSSL | 0:d92f9d21154c | 2582 | if (length < ASN_LONG_LENGTH) |
wolfSSL | 0:d92f9d21154c | 2583 | output[i++] = (byte)length; |
wolfSSL | 0:d92f9d21154c | 2584 | else { |
wolfSSL | 0:d92f9d21154c | 2585 | output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); |
wolfSSL | 0:d92f9d21154c | 2586 | |
wolfSSL | 0:d92f9d21154c | 2587 | for (j = BytePrecision(length); j; --j) { |
wolfSSL | 0:d92f9d21154c | 2588 | output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE)); |
wolfSSL | 0:d92f9d21154c | 2589 | i++; |
wolfSSL | 0:d92f9d21154c | 2590 | } |
wolfSSL | 0:d92f9d21154c | 2591 | } |
wolfSSL | 0:d92f9d21154c | 2592 | |
wolfSSL | 0:d92f9d21154c | 2593 | return i; |
wolfSSL | 0:d92f9d21154c | 2594 | } |
wolfSSL | 0:d92f9d21154c | 2595 | |
wolfSSL | 0:d92f9d21154c | 2596 | |
wolfSSL | 0:d92f9d21154c | 2597 | WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 2598 | { |
wolfSSL | 0:d92f9d21154c | 2599 | output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED; |
wolfSSL | 0:d92f9d21154c | 2600 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 2601 | } |
wolfSSL | 0:d92f9d21154c | 2602 | |
wolfSSL | 0:d92f9d21154c | 2603 | WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 2604 | { |
wolfSSL | 0:d92f9d21154c | 2605 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 0:d92f9d21154c | 2606 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 2607 | } |
wolfSSL | 0:d92f9d21154c | 2608 | |
wolfSSL | 0:d92f9d21154c | 2609 | /* Write a set header to output */ |
wolfSSL | 0:d92f9d21154c | 2610 | WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 2611 | { |
wolfSSL | 0:d92f9d21154c | 2612 | output[0] = ASN_SET | ASN_CONSTRUCTED; |
wolfSSL | 0:d92f9d21154c | 2613 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 2614 | } |
wolfSSL | 0:d92f9d21154c | 2615 | |
wolfSSL | 0:d92f9d21154c | 2616 | WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 2617 | { |
wolfSSL | 0:d92f9d21154c | 2618 | |
wolfSSL | 0:d92f9d21154c | 2619 | output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0) |
wolfSSL | 0:d92f9d21154c | 2620 | | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 0:d92f9d21154c | 2621 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 2622 | } |
wolfSSL | 0:d92f9d21154c | 2623 | |
wolfSSL | 0:d92f9d21154c | 2624 | WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 2625 | { |
wolfSSL | 0:d92f9d21154c | 2626 | output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 0:d92f9d21154c | 2627 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 2628 | } |
wolfSSL | 0:d92f9d21154c | 2629 | |
wolfSSL | 0:d92f9d21154c | 2630 | |
wolfSSL | 0:d92f9d21154c | 2631 | #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 0:d92f9d21154c | 2632 | |
wolfSSL | 0:d92f9d21154c | 2633 | static word32 SetCurve(ecc_key* key, byte* output) |
wolfSSL | 0:d92f9d21154c | 2634 | { |
wolfSSL | 0:d92f9d21154c | 2635 | |
wolfSSL | 0:d92f9d21154c | 2636 | /* curve types */ |
wolfSSL | 0:d92f9d21154c | 2637 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 0:d92f9d21154c | 2638 | static const byte ECC_192v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 0:d92f9d21154c | 2639 | 0x03, 0x01, 0x01}; |
wolfSSL | 0:d92f9d21154c | 2640 | #endif |
wolfSSL | 0:d92f9d21154c | 2641 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 0:d92f9d21154c | 2642 | static const byte ECC_256v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 0:d92f9d21154c | 2643 | 0x03, 0x01, 0x07}; |
wolfSSL | 0:d92f9d21154c | 2644 | #endif |
wolfSSL | 0:d92f9d21154c | 2645 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 0:d92f9d21154c | 2646 | static const byte ECC_160r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 0:d92f9d21154c | 2647 | 0x02}; |
wolfSSL | 0:d92f9d21154c | 2648 | #endif |
wolfSSL | 0:d92f9d21154c | 2649 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 0:d92f9d21154c | 2650 | static const byte ECC_224r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 0:d92f9d21154c | 2651 | 0x21}; |
wolfSSL | 0:d92f9d21154c | 2652 | #endif |
wolfSSL | 0:d92f9d21154c | 2653 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 0:d92f9d21154c | 2654 | static const byte ECC_384r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 0:d92f9d21154c | 2655 | 0x22}; |
wolfSSL | 0:d92f9d21154c | 2656 | #endif |
wolfSSL | 0:d92f9d21154c | 2657 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 0:d92f9d21154c | 2658 | static const byte ECC_521r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00, |
wolfSSL | 0:d92f9d21154c | 2659 | 0x23}; |
wolfSSL | 0:d92f9d21154c | 2660 | #endif |
wolfSSL | 0:d92f9d21154c | 2661 | |
wolfSSL | 0:d92f9d21154c | 2662 | int oidSz = 0; |
wolfSSL | 0:d92f9d21154c | 2663 | int idx = 0; |
wolfSSL | 0:d92f9d21154c | 2664 | int lenSz = 0; |
wolfSSL | 0:d92f9d21154c | 2665 | const byte* oid = 0; |
wolfSSL | 0:d92f9d21154c | 2666 | |
wolfSSL | 0:d92f9d21154c | 2667 | output[0] = ASN_OBJECT_ID; |
wolfSSL | 0:d92f9d21154c | 2668 | idx++; |
wolfSSL | 0:d92f9d21154c | 2669 | |
wolfSSL | 0:d92f9d21154c | 2670 | switch (key->dp->size) { |
wolfSSL | 0:d92f9d21154c | 2671 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) |
wolfSSL | 0:d92f9d21154c | 2672 | case 20: |
wolfSSL | 0:d92f9d21154c | 2673 | oidSz = sizeof(ECC_160r1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2674 | oid = ECC_160r1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2675 | break; |
wolfSSL | 0:d92f9d21154c | 2676 | #endif |
wolfSSL | 0:d92f9d21154c | 2677 | |
wolfSSL | 0:d92f9d21154c | 2678 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) |
wolfSSL | 0:d92f9d21154c | 2679 | case 24: |
wolfSSL | 0:d92f9d21154c | 2680 | oidSz = sizeof(ECC_192v1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2681 | oid = ECC_192v1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2682 | break; |
wolfSSL | 0:d92f9d21154c | 2683 | #endif |
wolfSSL | 0:d92f9d21154c | 2684 | |
wolfSSL | 0:d92f9d21154c | 2685 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) |
wolfSSL | 0:d92f9d21154c | 2686 | case 28: |
wolfSSL | 0:d92f9d21154c | 2687 | oidSz = sizeof(ECC_224r1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2688 | oid = ECC_224r1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2689 | break; |
wolfSSL | 0:d92f9d21154c | 2690 | #endif |
wolfSSL | 0:d92f9d21154c | 2691 | |
wolfSSL | 0:d92f9d21154c | 2692 | #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) |
wolfSSL | 0:d92f9d21154c | 2693 | case 32: |
wolfSSL | 0:d92f9d21154c | 2694 | oidSz = sizeof(ECC_256v1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2695 | oid = ECC_256v1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2696 | break; |
wolfSSL | 0:d92f9d21154c | 2697 | #endif |
wolfSSL | 0:d92f9d21154c | 2698 | |
wolfSSL | 0:d92f9d21154c | 2699 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) |
wolfSSL | 0:d92f9d21154c | 2700 | case 48: |
wolfSSL | 0:d92f9d21154c | 2701 | oidSz = sizeof(ECC_384r1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2702 | oid = ECC_384r1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2703 | break; |
wolfSSL | 0:d92f9d21154c | 2704 | #endif |
wolfSSL | 0:d92f9d21154c | 2705 | |
wolfSSL | 0:d92f9d21154c | 2706 | #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) |
wolfSSL | 0:d92f9d21154c | 2707 | case 66: |
wolfSSL | 0:d92f9d21154c | 2708 | oidSz = sizeof(ECC_521r1_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2709 | oid = ECC_521r1_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2710 | break; |
wolfSSL | 0:d92f9d21154c | 2711 | #endif |
wolfSSL | 0:d92f9d21154c | 2712 | |
wolfSSL | 0:d92f9d21154c | 2713 | default: |
wolfSSL | 0:d92f9d21154c | 2714 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 0:d92f9d21154c | 2715 | } |
wolfSSL | 0:d92f9d21154c | 2716 | lenSz = SetLength(oidSz, output+idx); |
wolfSSL | 0:d92f9d21154c | 2717 | idx += lenSz; |
wolfSSL | 0:d92f9d21154c | 2718 | |
wolfSSL | 0:d92f9d21154c | 2719 | XMEMCPY(output+idx, oid, oidSz); |
wolfSSL | 0:d92f9d21154c | 2720 | idx += oidSz; |
wolfSSL | 0:d92f9d21154c | 2721 | |
wolfSSL | 0:d92f9d21154c | 2722 | return idx; |
wolfSSL | 0:d92f9d21154c | 2723 | } |
wolfSSL | 0:d92f9d21154c | 2724 | |
wolfSSL | 0:d92f9d21154c | 2725 | #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 2726 | |
wolfSSL | 0:d92f9d21154c | 2727 | |
wolfSSL | 0:d92f9d21154c | 2728 | WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) |
wolfSSL | 0:d92f9d21154c | 2729 | { |
wolfSSL | 0:d92f9d21154c | 2730 | /* adding TAG_NULL and 0 to end */ |
wolfSSL | 0:d92f9d21154c | 2731 | |
wolfSSL | 0:d92f9d21154c | 2732 | /* hashTypes */ |
wolfSSL | 0:d92f9d21154c | 2733 | static const byte shaAlgoID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a, |
wolfSSL | 0:d92f9d21154c | 2734 | 0x05, 0x00 }; |
wolfSSL | 0:d92f9d21154c | 2735 | static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
wolfSSL | 0:d92f9d21154c | 2736 | 0x04, 0x02, 0x01, 0x05, 0x00 }; |
wolfSSL | 0:d92f9d21154c | 2737 | static const byte sha384AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
wolfSSL | 0:d92f9d21154c | 2738 | 0x04, 0x02, 0x02, 0x05, 0x00 }; |
wolfSSL | 0:d92f9d21154c | 2739 | static const byte sha512AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, |
wolfSSL | 0:d92f9d21154c | 2740 | 0x04, 0x02, 0x03, 0x05, 0x00 }; |
wolfSSL | 0:d92f9d21154c | 2741 | static const byte md5AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 0:d92f9d21154c | 2742 | 0x02, 0x05, 0x05, 0x00 }; |
wolfSSL | 0:d92f9d21154c | 2743 | static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 0:d92f9d21154c | 2744 | 0x02, 0x02, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2745 | |
wolfSSL | 0:d92f9d21154c | 2746 | /* blkTypes, no NULL tags because IV is there instead */ |
wolfSSL | 0:d92f9d21154c | 2747 | static const byte desCbcAlgoID[] = { 0x2B, 0x0E, 0x03, 0x02, 0x07 }; |
wolfSSL | 0:d92f9d21154c | 2748 | static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, |
wolfSSL | 0:d92f9d21154c | 2749 | 0x0D, 0x03, 0x07 }; |
wolfSSL | 0:d92f9d21154c | 2750 | |
wolfSSL | 0:d92f9d21154c | 2751 | /* RSA sigTypes */ |
wolfSSL | 0:d92f9d21154c | 2752 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 2753 | static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, |
wolfSSL | 0:d92f9d21154c | 2754 | 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2755 | static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, |
wolfSSL | 0:d92f9d21154c | 2756 | 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2757 | static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, |
wolfSSL | 0:d92f9d21154c | 2758 | 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2759 | static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, |
wolfSSL | 0:d92f9d21154c | 2760 | 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2761 | static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, |
wolfSSL | 0:d92f9d21154c | 2762 | 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2763 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 2764 | |
wolfSSL | 0:d92f9d21154c | 2765 | /* ECDSA sigTypes */ |
wolfSSL | 0:d92f9d21154c | 2766 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 2767 | static const byte shawECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 0:d92f9d21154c | 2768 | 0x04, 0x01, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2769 | static const byte sha256wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, |
wolfSSL | 0:d92f9d21154c | 2770 | 0x04, 0x03, 0x02, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2771 | static const byte sha384wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, |
wolfSSL | 0:d92f9d21154c | 2772 | 0x04, 0x03, 0x03, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2773 | static const byte sha512wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, |
wolfSSL | 0:d92f9d21154c | 2774 | 0x04, 0x03, 0x04, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2775 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 2776 | |
wolfSSL | 0:d92f9d21154c | 2777 | /* RSA keyType */ |
wolfSSL | 0:d92f9d21154c | 2778 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 2779 | static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 0:d92f9d21154c | 2780 | 0x01, 0x01, 0x01, 0x05, 0x00}; |
wolfSSL | 0:d92f9d21154c | 2781 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 2782 | |
wolfSSL | 0:d92f9d21154c | 2783 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 2784 | /* ECC keyType */ |
wolfSSL | 0:d92f9d21154c | 2785 | /* no tags, so set tagSz smaller later */ |
wolfSSL | 0:d92f9d21154c | 2786 | static const byte ECC_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, |
wolfSSL | 0:d92f9d21154c | 2787 | 0x02, 0x01}; |
wolfSSL | 0:d92f9d21154c | 2788 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 2789 | |
wolfSSL | 0:d92f9d21154c | 2790 | int algoSz = 0; |
wolfSSL | 0:d92f9d21154c | 2791 | int tagSz = 2; /* tag null and terminator */ |
wolfSSL | 0:d92f9d21154c | 2792 | word32 idSz, seqSz; |
wolfSSL | 0:d92f9d21154c | 2793 | const byte* algoName = 0; |
wolfSSL | 0:d92f9d21154c | 2794 | byte ID_Length[MAX_LENGTH_SZ]; |
wolfSSL | 0:d92f9d21154c | 2795 | byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ |
wolfSSL | 0:d92f9d21154c | 2796 | |
wolfSSL | 0:d92f9d21154c | 2797 | if (type == hashType) { |
wolfSSL | 0:d92f9d21154c | 2798 | switch (algoOID) { |
wolfSSL | 0:d92f9d21154c | 2799 | case SHAh: |
wolfSSL | 0:d92f9d21154c | 2800 | algoSz = sizeof(shaAlgoID); |
wolfSSL | 0:d92f9d21154c | 2801 | algoName = shaAlgoID; |
wolfSSL | 0:d92f9d21154c | 2802 | break; |
wolfSSL | 0:d92f9d21154c | 2803 | |
wolfSSL | 0:d92f9d21154c | 2804 | case SHA256h: |
wolfSSL | 0:d92f9d21154c | 2805 | algoSz = sizeof(sha256AlgoID); |
wolfSSL | 0:d92f9d21154c | 2806 | algoName = sha256AlgoID; |
wolfSSL | 0:d92f9d21154c | 2807 | break; |
wolfSSL | 0:d92f9d21154c | 2808 | |
wolfSSL | 0:d92f9d21154c | 2809 | case SHA384h: |
wolfSSL | 0:d92f9d21154c | 2810 | algoSz = sizeof(sha384AlgoID); |
wolfSSL | 0:d92f9d21154c | 2811 | algoName = sha384AlgoID; |
wolfSSL | 0:d92f9d21154c | 2812 | break; |
wolfSSL | 0:d92f9d21154c | 2813 | |
wolfSSL | 0:d92f9d21154c | 2814 | case SHA512h: |
wolfSSL | 0:d92f9d21154c | 2815 | algoSz = sizeof(sha512AlgoID); |
wolfSSL | 0:d92f9d21154c | 2816 | algoName = sha512AlgoID; |
wolfSSL | 0:d92f9d21154c | 2817 | break; |
wolfSSL | 0:d92f9d21154c | 2818 | |
wolfSSL | 0:d92f9d21154c | 2819 | case MD2h: |
wolfSSL | 0:d92f9d21154c | 2820 | algoSz = sizeof(md2AlgoID); |
wolfSSL | 0:d92f9d21154c | 2821 | algoName = md2AlgoID; |
wolfSSL | 0:d92f9d21154c | 2822 | break; |
wolfSSL | 0:d92f9d21154c | 2823 | |
wolfSSL | 0:d92f9d21154c | 2824 | case MD5h: |
wolfSSL | 0:d92f9d21154c | 2825 | algoSz = sizeof(md5AlgoID); |
wolfSSL | 0:d92f9d21154c | 2826 | algoName = md5AlgoID; |
wolfSSL | 0:d92f9d21154c | 2827 | break; |
wolfSSL | 0:d92f9d21154c | 2828 | |
wolfSSL | 0:d92f9d21154c | 2829 | default: |
wolfSSL | 0:d92f9d21154c | 2830 | WOLFSSL_MSG("Unknown Hash Algo"); |
wolfSSL | 0:d92f9d21154c | 2831 | return 0; /* UNKOWN_HASH_E; */ |
wolfSSL | 0:d92f9d21154c | 2832 | } |
wolfSSL | 0:d92f9d21154c | 2833 | } |
wolfSSL | 0:d92f9d21154c | 2834 | else if (type == blkType) { |
wolfSSL | 0:d92f9d21154c | 2835 | switch (algoOID) { |
wolfSSL | 0:d92f9d21154c | 2836 | case DESb: |
wolfSSL | 0:d92f9d21154c | 2837 | algoSz = sizeof(desCbcAlgoID); |
wolfSSL | 0:d92f9d21154c | 2838 | algoName = desCbcAlgoID; |
wolfSSL | 0:d92f9d21154c | 2839 | tagSz = 0; |
wolfSSL | 0:d92f9d21154c | 2840 | break; |
wolfSSL | 0:d92f9d21154c | 2841 | case DES3b: |
wolfSSL | 0:d92f9d21154c | 2842 | algoSz = sizeof(des3CbcAlgoID); |
wolfSSL | 0:d92f9d21154c | 2843 | algoName = des3CbcAlgoID; |
wolfSSL | 0:d92f9d21154c | 2844 | tagSz = 0; |
wolfSSL | 0:d92f9d21154c | 2845 | break; |
wolfSSL | 0:d92f9d21154c | 2846 | default: |
wolfSSL | 0:d92f9d21154c | 2847 | WOLFSSL_MSG("Unknown Block Algo"); |
wolfSSL | 0:d92f9d21154c | 2848 | return 0; |
wolfSSL | 0:d92f9d21154c | 2849 | } |
wolfSSL | 0:d92f9d21154c | 2850 | } |
wolfSSL | 0:d92f9d21154c | 2851 | else if (type == sigType) { /* sigType */ |
wolfSSL | 0:d92f9d21154c | 2852 | switch (algoOID) { |
wolfSSL | 0:d92f9d21154c | 2853 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 2854 | case CTC_MD5wRSA: |
wolfSSL | 0:d92f9d21154c | 2855 | algoSz = sizeof(md5wRSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2856 | algoName = md5wRSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2857 | break; |
wolfSSL | 0:d92f9d21154c | 2858 | |
wolfSSL | 0:d92f9d21154c | 2859 | case CTC_SHAwRSA: |
wolfSSL | 0:d92f9d21154c | 2860 | algoSz = sizeof(shawRSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2861 | algoName = shawRSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2862 | break; |
wolfSSL | 0:d92f9d21154c | 2863 | |
wolfSSL | 0:d92f9d21154c | 2864 | case CTC_SHA256wRSA: |
wolfSSL | 0:d92f9d21154c | 2865 | algoSz = sizeof(sha256wRSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2866 | algoName = sha256wRSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2867 | break; |
wolfSSL | 0:d92f9d21154c | 2868 | |
wolfSSL | 0:d92f9d21154c | 2869 | case CTC_SHA384wRSA: |
wolfSSL | 0:d92f9d21154c | 2870 | algoSz = sizeof(sha384wRSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2871 | algoName = sha384wRSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2872 | break; |
wolfSSL | 0:d92f9d21154c | 2873 | |
wolfSSL | 0:d92f9d21154c | 2874 | case CTC_SHA512wRSA: |
wolfSSL | 0:d92f9d21154c | 2875 | algoSz = sizeof(sha512wRSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2876 | algoName = sha512wRSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2877 | break; |
wolfSSL | 0:d92f9d21154c | 2878 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 2879 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 2880 | case CTC_SHAwECDSA: |
wolfSSL | 0:d92f9d21154c | 2881 | algoSz = sizeof(shawECDSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2882 | algoName = shawECDSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2883 | break; |
wolfSSL | 0:d92f9d21154c | 2884 | |
wolfSSL | 0:d92f9d21154c | 2885 | case CTC_SHA256wECDSA: |
wolfSSL | 0:d92f9d21154c | 2886 | algoSz = sizeof(sha256wECDSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2887 | algoName = sha256wECDSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2888 | break; |
wolfSSL | 0:d92f9d21154c | 2889 | |
wolfSSL | 0:d92f9d21154c | 2890 | case CTC_SHA384wECDSA: |
wolfSSL | 0:d92f9d21154c | 2891 | algoSz = sizeof(sha384wECDSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2892 | algoName = sha384wECDSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2893 | break; |
wolfSSL | 0:d92f9d21154c | 2894 | |
wolfSSL | 0:d92f9d21154c | 2895 | case CTC_SHA512wECDSA: |
wolfSSL | 0:d92f9d21154c | 2896 | algoSz = sizeof(sha512wECDSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2897 | algoName = sha512wECDSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2898 | break; |
wolfSSL | 0:d92f9d21154c | 2899 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 2900 | default: |
wolfSSL | 0:d92f9d21154c | 2901 | WOLFSSL_MSG("Unknown Signature Algo"); |
wolfSSL | 0:d92f9d21154c | 2902 | return 0; |
wolfSSL | 0:d92f9d21154c | 2903 | } |
wolfSSL | 0:d92f9d21154c | 2904 | } |
wolfSSL | 0:d92f9d21154c | 2905 | else if (type == keyType) { /* keyType */ |
wolfSSL | 0:d92f9d21154c | 2906 | switch (algoOID) { |
wolfSSL | 0:d92f9d21154c | 2907 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 2908 | case RSAk: |
wolfSSL | 0:d92f9d21154c | 2909 | algoSz = sizeof(RSA_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2910 | algoName = RSA_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2911 | break; |
wolfSSL | 0:d92f9d21154c | 2912 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 2913 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 2914 | case ECDSAk: |
wolfSSL | 0:d92f9d21154c | 2915 | algoSz = sizeof(ECC_AlgoID); |
wolfSSL | 0:d92f9d21154c | 2916 | algoName = ECC_AlgoID; |
wolfSSL | 0:d92f9d21154c | 2917 | tagSz = 0; |
wolfSSL | 0:d92f9d21154c | 2918 | break; |
wolfSSL | 0:d92f9d21154c | 2919 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 2920 | default: |
wolfSSL | 0:d92f9d21154c | 2921 | WOLFSSL_MSG("Unknown Key Algo"); |
wolfSSL | 0:d92f9d21154c | 2922 | return 0; |
wolfSSL | 0:d92f9d21154c | 2923 | } |
wolfSSL | 0:d92f9d21154c | 2924 | } |
wolfSSL | 0:d92f9d21154c | 2925 | else { |
wolfSSL | 0:d92f9d21154c | 2926 | WOLFSSL_MSG("Unknown Algo type"); |
wolfSSL | 0:d92f9d21154c | 2927 | return 0; |
wolfSSL | 0:d92f9d21154c | 2928 | } |
wolfSSL | 0:d92f9d21154c | 2929 | |
wolfSSL | 0:d92f9d21154c | 2930 | idSz = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */ |
wolfSSL | 0:d92f9d21154c | 2931 | seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray); |
wolfSSL | 0:d92f9d21154c | 2932 | /* +1 for object id, curveID of curveSz follows for ecc */ |
wolfSSL | 0:d92f9d21154c | 2933 | seqArray[seqSz++] = ASN_OBJECT_ID; |
wolfSSL | 0:d92f9d21154c | 2934 | |
wolfSSL | 0:d92f9d21154c | 2935 | XMEMCPY(output, seqArray, seqSz); |
wolfSSL | 0:d92f9d21154c | 2936 | XMEMCPY(output + seqSz, ID_Length, idSz); |
wolfSSL | 0:d92f9d21154c | 2937 | XMEMCPY(output + seqSz + idSz, algoName, algoSz); |
wolfSSL | 0:d92f9d21154c | 2938 | |
wolfSSL | 0:d92f9d21154c | 2939 | return seqSz + idSz + algoSz; |
wolfSSL | 0:d92f9d21154c | 2940 | |
wolfSSL | 0:d92f9d21154c | 2941 | } |
wolfSSL | 0:d92f9d21154c | 2942 | |
wolfSSL | 0:d92f9d21154c | 2943 | |
wolfSSL | 0:d92f9d21154c | 2944 | word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz, |
wolfSSL | 0:d92f9d21154c | 2945 | int hashOID) |
wolfSSL | 0:d92f9d21154c | 2946 | { |
wolfSSL | 0:d92f9d21154c | 2947 | byte digArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 2948 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 2949 | byte seqArray[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 2950 | word32 encDigSz, algoSz, seqSz; |
wolfSSL | 0:d92f9d21154c | 2951 | |
wolfSSL | 0:d92f9d21154c | 2952 | encDigSz = SetDigest(digest, digSz, digArray); |
wolfSSL | 0:d92f9d21154c | 2953 | algoSz = SetAlgoID(hashOID, algoArray, hashType, 0); |
wolfSSL | 0:d92f9d21154c | 2954 | seqSz = SetSequence(encDigSz + algoSz, seqArray); |
wolfSSL | 0:d92f9d21154c | 2955 | |
wolfSSL | 0:d92f9d21154c | 2956 | XMEMCPY(out, seqArray, seqSz); |
wolfSSL | 0:d92f9d21154c | 2957 | XMEMCPY(out + seqSz, algoArray, algoSz); |
wolfSSL | 0:d92f9d21154c | 2958 | XMEMCPY(out + seqSz + algoSz, digArray, encDigSz); |
wolfSSL | 0:d92f9d21154c | 2959 | |
wolfSSL | 0:d92f9d21154c | 2960 | return encDigSz + algoSz + seqSz; |
wolfSSL | 0:d92f9d21154c | 2961 | } |
wolfSSL | 0:d92f9d21154c | 2962 | |
wolfSSL | 0:d92f9d21154c | 2963 | |
wolfSSL | 0:d92f9d21154c | 2964 | int wc_GetCTC_HashOID(int type) |
wolfSSL | 0:d92f9d21154c | 2965 | { |
wolfSSL | 0:d92f9d21154c | 2966 | switch (type) { |
wolfSSL | 0:d92f9d21154c | 2967 | #ifdef WOLFSSL_MD2 |
wolfSSL | 0:d92f9d21154c | 2968 | case MD2: |
wolfSSL | 0:d92f9d21154c | 2969 | return MD2h; |
wolfSSL | 0:d92f9d21154c | 2970 | #endif |
wolfSSL | 0:d92f9d21154c | 2971 | #ifndef NO_MD5 |
wolfSSL | 0:d92f9d21154c | 2972 | case MD5: |
wolfSSL | 0:d92f9d21154c | 2973 | return MD5h; |
wolfSSL | 0:d92f9d21154c | 2974 | #endif |
wolfSSL | 0:d92f9d21154c | 2975 | #ifndef NO_SHA |
wolfSSL | 0:d92f9d21154c | 2976 | case SHA: |
wolfSSL | 0:d92f9d21154c | 2977 | return SHAh; |
wolfSSL | 0:d92f9d21154c | 2978 | #endif |
wolfSSL | 0:d92f9d21154c | 2979 | #ifndef NO_SHA256 |
wolfSSL | 0:d92f9d21154c | 2980 | case SHA256: |
wolfSSL | 0:d92f9d21154c | 2981 | return SHA256h; |
wolfSSL | 0:d92f9d21154c | 2982 | #endif |
wolfSSL | 0:d92f9d21154c | 2983 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 0:d92f9d21154c | 2984 | case SHA384: |
wolfSSL | 0:d92f9d21154c | 2985 | return SHA384h; |
wolfSSL | 0:d92f9d21154c | 2986 | #endif |
wolfSSL | 0:d92f9d21154c | 2987 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 0:d92f9d21154c | 2988 | case SHA512: |
wolfSSL | 0:d92f9d21154c | 2989 | return SHA512h; |
wolfSSL | 0:d92f9d21154c | 2990 | #endif |
wolfSSL | 0:d92f9d21154c | 2991 | default: |
wolfSSL | 0:d92f9d21154c | 2992 | return 0; |
wolfSSL | 0:d92f9d21154c | 2993 | }; |
wolfSSL | 0:d92f9d21154c | 2994 | } |
wolfSSL | 0:d92f9d21154c | 2995 | |
wolfSSL | 0:d92f9d21154c | 2996 | |
wolfSSL | 0:d92f9d21154c | 2997 | /* return true (1) or false (0) for Confirmation */ |
wolfSSL | 0:d92f9d21154c | 2998 | static int ConfirmSignature(const byte* buf, word32 bufSz, |
wolfSSL | 0:d92f9d21154c | 2999 | const byte* key, word32 keySz, word32 keyOID, |
wolfSSL | 0:d92f9d21154c | 3000 | const byte* sig, word32 sigSz, word32 sigOID, |
wolfSSL | 0:d92f9d21154c | 3001 | void* heap) |
wolfSSL | 0:d92f9d21154c | 3002 | { |
wolfSSL | 0:d92f9d21154c | 3003 | int typeH = 0, digestSz = 0, ret = 0; |
wolfSSL | 0:d92f9d21154c | 3004 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3005 | byte* digest; |
wolfSSL | 0:d92f9d21154c | 3006 | #else |
wolfSSL | 0:d92f9d21154c | 3007 | byte digest[MAX_DIGEST_SIZE]; |
wolfSSL | 0:d92f9d21154c | 3008 | #endif |
wolfSSL | 0:d92f9d21154c | 3009 | |
wolfSSL | 0:d92f9d21154c | 3010 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3011 | digest = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3012 | if (digest == NULL) |
wolfSSL | 0:d92f9d21154c | 3013 | return 0; /* not confirmed */ |
wolfSSL | 0:d92f9d21154c | 3014 | #endif |
wolfSSL | 0:d92f9d21154c | 3015 | |
wolfSSL | 0:d92f9d21154c | 3016 | (void)key; |
wolfSSL | 0:d92f9d21154c | 3017 | (void)keySz; |
wolfSSL | 0:d92f9d21154c | 3018 | (void)sig; |
wolfSSL | 0:d92f9d21154c | 3019 | (void)sigSz; |
wolfSSL | 0:d92f9d21154c | 3020 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 3021 | |
wolfSSL | 0:d92f9d21154c | 3022 | switch (sigOID) { |
wolfSSL | 0:d92f9d21154c | 3023 | #ifndef NO_MD5 |
wolfSSL | 0:d92f9d21154c | 3024 | case CTC_MD5wRSA: |
wolfSSL | 0:d92f9d21154c | 3025 | if (wc_Md5Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3026 | typeH = MD5h; |
wolfSSL | 0:d92f9d21154c | 3027 | digestSz = MD5_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3028 | } |
wolfSSL | 0:d92f9d21154c | 3029 | break; |
wolfSSL | 0:d92f9d21154c | 3030 | #endif |
wolfSSL | 0:d92f9d21154c | 3031 | #if defined(WOLFSSL_MD2) |
wolfSSL | 0:d92f9d21154c | 3032 | case CTC_MD2wRSA: |
wolfSSL | 0:d92f9d21154c | 3033 | if (wc_Md2Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3034 | typeH = MD2h; |
wolfSSL | 0:d92f9d21154c | 3035 | digestSz = MD2_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3036 | } |
wolfSSL | 0:d92f9d21154c | 3037 | break; |
wolfSSL | 0:d92f9d21154c | 3038 | #endif |
wolfSSL | 0:d92f9d21154c | 3039 | #ifndef NO_SHA |
wolfSSL | 0:d92f9d21154c | 3040 | case CTC_SHAwRSA: |
wolfSSL | 0:d92f9d21154c | 3041 | case CTC_SHAwDSA: |
wolfSSL | 0:d92f9d21154c | 3042 | case CTC_SHAwECDSA: |
wolfSSL | 0:d92f9d21154c | 3043 | if (wc_ShaHash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3044 | typeH = SHAh; |
wolfSSL | 0:d92f9d21154c | 3045 | digestSz = SHA_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3046 | } |
wolfSSL | 0:d92f9d21154c | 3047 | break; |
wolfSSL | 0:d92f9d21154c | 3048 | #endif |
wolfSSL | 0:d92f9d21154c | 3049 | #ifndef NO_SHA256 |
wolfSSL | 0:d92f9d21154c | 3050 | case CTC_SHA256wRSA: |
wolfSSL | 0:d92f9d21154c | 3051 | case CTC_SHA256wECDSA: |
wolfSSL | 0:d92f9d21154c | 3052 | if (wc_Sha256Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3053 | typeH = SHA256h; |
wolfSSL | 0:d92f9d21154c | 3054 | digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3055 | } |
wolfSSL | 0:d92f9d21154c | 3056 | break; |
wolfSSL | 0:d92f9d21154c | 3057 | #endif |
wolfSSL | 0:d92f9d21154c | 3058 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 0:d92f9d21154c | 3059 | case CTC_SHA512wRSA: |
wolfSSL | 0:d92f9d21154c | 3060 | case CTC_SHA512wECDSA: |
wolfSSL | 0:d92f9d21154c | 3061 | if (wc_Sha512Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3062 | typeH = SHA512h; |
wolfSSL | 0:d92f9d21154c | 3063 | digestSz = SHA512_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3064 | } |
wolfSSL | 0:d92f9d21154c | 3065 | break; |
wolfSSL | 0:d92f9d21154c | 3066 | #endif |
wolfSSL | 0:d92f9d21154c | 3067 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 0:d92f9d21154c | 3068 | case CTC_SHA384wRSA: |
wolfSSL | 0:d92f9d21154c | 3069 | case CTC_SHA384wECDSA: |
wolfSSL | 0:d92f9d21154c | 3070 | if (wc_Sha384Hash(buf, bufSz, digest) == 0) { |
wolfSSL | 0:d92f9d21154c | 3071 | typeH = SHA384h; |
wolfSSL | 0:d92f9d21154c | 3072 | digestSz = SHA384_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 3073 | } |
wolfSSL | 0:d92f9d21154c | 3074 | break; |
wolfSSL | 0:d92f9d21154c | 3075 | #endif |
wolfSSL | 0:d92f9d21154c | 3076 | default: |
wolfSSL | 0:d92f9d21154c | 3077 | WOLFSSL_MSG("Verify Signautre has unsupported type"); |
wolfSSL | 0:d92f9d21154c | 3078 | } |
wolfSSL | 0:d92f9d21154c | 3079 | |
wolfSSL | 0:d92f9d21154c | 3080 | if (typeH == 0) { |
wolfSSL | 0:d92f9d21154c | 3081 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3082 | XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3083 | #endif |
wolfSSL | 0:d92f9d21154c | 3084 | return 0; /* not confirmed */ |
wolfSSL | 0:d92f9d21154c | 3085 | } |
wolfSSL | 0:d92f9d21154c | 3086 | |
wolfSSL | 0:d92f9d21154c | 3087 | switch (keyOID) { |
wolfSSL | 0:d92f9d21154c | 3088 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 3089 | case RSAk: |
wolfSSL | 0:d92f9d21154c | 3090 | { |
wolfSSL | 0:d92f9d21154c | 3091 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3092 | int encodedSigSz, verifySz; |
wolfSSL | 0:d92f9d21154c | 3093 | byte* out; |
wolfSSL | 0:d92f9d21154c | 3094 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3095 | RsaKey* pubKey; |
wolfSSL | 0:d92f9d21154c | 3096 | byte* plain; |
wolfSSL | 0:d92f9d21154c | 3097 | byte* encodedSig; |
wolfSSL | 0:d92f9d21154c | 3098 | #else |
wolfSSL | 0:d92f9d21154c | 3099 | RsaKey pubKey[1]; |
wolfSSL | 0:d92f9d21154c | 3100 | byte plain[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 3101 | byte encodedSig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 3102 | #endif |
wolfSSL | 0:d92f9d21154c | 3103 | |
wolfSSL | 0:d92f9d21154c | 3104 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3105 | pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, |
wolfSSL | 0:d92f9d21154c | 3106 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3107 | plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, |
wolfSSL | 0:d92f9d21154c | 3108 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3109 | encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, |
wolfSSL | 0:d92f9d21154c | 3110 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3111 | |
wolfSSL | 0:d92f9d21154c | 3112 | if (pubKey == NULL || plain == NULL || encodedSig == NULL) { |
wolfSSL | 0:d92f9d21154c | 3113 | WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature"); |
wolfSSL | 0:d92f9d21154c | 3114 | |
wolfSSL | 0:d92f9d21154c | 3115 | if (pubKey) |
wolfSSL | 0:d92f9d21154c | 3116 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3117 | if (plain) |
wolfSSL | 0:d92f9d21154c | 3118 | XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3119 | if (encodedSig) |
wolfSSL | 0:d92f9d21154c | 3120 | XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3121 | |
wolfSSL | 0:d92f9d21154c | 3122 | break; /* not confirmed */ |
wolfSSL | 0:d92f9d21154c | 3123 | } |
wolfSSL | 0:d92f9d21154c | 3124 | #endif |
wolfSSL | 0:d92f9d21154c | 3125 | |
wolfSSL | 0:d92f9d21154c | 3126 | if (sigSz > MAX_ENCODED_SIG_SZ) { |
wolfSSL | 0:d92f9d21154c | 3127 | WOLFSSL_MSG("Verify Signautre is too big"); |
wolfSSL | 0:d92f9d21154c | 3128 | } |
wolfSSL | 0:d92f9d21154c | 3129 | else if (wc_InitRsaKey(pubKey, heap) != 0) { |
wolfSSL | 0:d92f9d21154c | 3130 | WOLFSSL_MSG("InitRsaKey failed"); |
wolfSSL | 0:d92f9d21154c | 3131 | } |
wolfSSL | 0:d92f9d21154c | 3132 | else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3133 | WOLFSSL_MSG("ASN Key decode error RSA"); |
wolfSSL | 0:d92f9d21154c | 3134 | } |
wolfSSL | 0:d92f9d21154c | 3135 | else { |
wolfSSL | 0:d92f9d21154c | 3136 | XMEMCPY(plain, sig, sigSz); |
wolfSSL | 0:d92f9d21154c | 3137 | |
wolfSSL | 0:d92f9d21154c | 3138 | if ((verifySz = wc_RsaSSL_VerifyInline(plain, sigSz, &out, |
wolfSSL | 0:d92f9d21154c | 3139 | pubKey)) < 0) { |
wolfSSL | 0:d92f9d21154c | 3140 | WOLFSSL_MSG("Rsa SSL verify error"); |
wolfSSL | 0:d92f9d21154c | 3141 | } |
wolfSSL | 0:d92f9d21154c | 3142 | else { |
wolfSSL | 0:d92f9d21154c | 3143 | /* make sure we're right justified */ |
wolfSSL | 0:d92f9d21154c | 3144 | encodedSigSz = |
wolfSSL | 0:d92f9d21154c | 3145 | wc_EncodeSignature(encodedSig, digest, digestSz, typeH); |
wolfSSL | 0:d92f9d21154c | 3146 | if (encodedSigSz != verifySz || |
wolfSSL | 0:d92f9d21154c | 3147 | XMEMCMP(out, encodedSig, encodedSigSz) != 0) { |
wolfSSL | 0:d92f9d21154c | 3148 | WOLFSSL_MSG("Rsa SSL verify match encode error"); |
wolfSSL | 0:d92f9d21154c | 3149 | } |
wolfSSL | 0:d92f9d21154c | 3150 | else |
wolfSSL | 0:d92f9d21154c | 3151 | ret = 1; /* match */ |
wolfSSL | 0:d92f9d21154c | 3152 | |
wolfSSL | 0:d92f9d21154c | 3153 | #ifdef WOLFSSL_DEBUG_ENCODING |
wolfSSL | 0:d92f9d21154c | 3154 | { |
wolfSSL | 0:d92f9d21154c | 3155 | int x; |
wolfSSL | 0:d92f9d21154c | 3156 | |
wolfSSL | 0:d92f9d21154c | 3157 | printf("wolfssl encodedSig:\n"); |
wolfSSL | 0:d92f9d21154c | 3158 | |
wolfSSL | 0:d92f9d21154c | 3159 | for (x = 0; x < encodedSigSz; x++) { |
wolfSSL | 0:d92f9d21154c | 3160 | printf("%02x ", encodedSig[x]); |
wolfSSL | 0:d92f9d21154c | 3161 | if ( (x % 16) == 15) |
wolfSSL | 0:d92f9d21154c | 3162 | printf("\n"); |
wolfSSL | 0:d92f9d21154c | 3163 | } |
wolfSSL | 0:d92f9d21154c | 3164 | |
wolfSSL | 0:d92f9d21154c | 3165 | printf("\n"); |
wolfSSL | 0:d92f9d21154c | 3166 | printf("actual digest:\n"); |
wolfSSL | 0:d92f9d21154c | 3167 | |
wolfSSL | 0:d92f9d21154c | 3168 | for (x = 0; x < verifySz; x++) { |
wolfSSL | 0:d92f9d21154c | 3169 | printf("%02x ", out[x]); |
wolfSSL | 0:d92f9d21154c | 3170 | if ( (x % 16) == 15) |
wolfSSL | 0:d92f9d21154c | 3171 | printf("\n"); |
wolfSSL | 0:d92f9d21154c | 3172 | } |
wolfSSL | 0:d92f9d21154c | 3173 | |
wolfSSL | 0:d92f9d21154c | 3174 | printf("\n"); |
wolfSSL | 0:d92f9d21154c | 3175 | } |
wolfSSL | 0:d92f9d21154c | 3176 | #endif /* WOLFSSL_DEBUG_ENCODING */ |
wolfSSL | 0:d92f9d21154c | 3177 | |
wolfSSL | 0:d92f9d21154c | 3178 | } |
wolfSSL | 0:d92f9d21154c | 3179 | |
wolfSSL | 0:d92f9d21154c | 3180 | } |
wolfSSL | 0:d92f9d21154c | 3181 | |
wolfSSL | 0:d92f9d21154c | 3182 | wc_FreeRsaKey(pubKey); |
wolfSSL | 0:d92f9d21154c | 3183 | |
wolfSSL | 0:d92f9d21154c | 3184 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3185 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3186 | XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3187 | XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3188 | #endif |
wolfSSL | 0:d92f9d21154c | 3189 | break; |
wolfSSL | 0:d92f9d21154c | 3190 | } |
wolfSSL | 0:d92f9d21154c | 3191 | |
wolfSSL | 0:d92f9d21154c | 3192 | #endif /* NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 3193 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 3194 | case ECDSAk: |
wolfSSL | 0:d92f9d21154c | 3195 | { |
wolfSSL | 0:d92f9d21154c | 3196 | int verify = 0; |
wolfSSL | 0:d92f9d21154c | 3197 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3198 | ecc_key* pubKey; |
wolfSSL | 0:d92f9d21154c | 3199 | #else |
wolfSSL | 0:d92f9d21154c | 3200 | ecc_key pubKey[1]; |
wolfSSL | 0:d92f9d21154c | 3201 | #endif |
wolfSSL | 0:d92f9d21154c | 3202 | |
wolfSSL | 0:d92f9d21154c | 3203 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3204 | pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, |
wolfSSL | 0:d92f9d21154c | 3205 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3206 | if (pubKey == NULL) { |
wolfSSL | 0:d92f9d21154c | 3207 | WOLFSSL_MSG("Failed to allocate pubKey"); |
wolfSSL | 0:d92f9d21154c | 3208 | break; /* not confirmed */ |
wolfSSL | 0:d92f9d21154c | 3209 | } |
wolfSSL | 0:d92f9d21154c | 3210 | #endif |
wolfSSL | 0:d92f9d21154c | 3211 | |
wolfSSL | 0:d92f9d21154c | 3212 | if (wc_ecc_init(pubKey) < 0) { |
wolfSSL | 0:d92f9d21154c | 3213 | WOLFSSL_MSG("Failed to initialize key"); |
wolfSSL | 0:d92f9d21154c | 3214 | break; /* not confirmed */ |
wolfSSL | 0:d92f9d21154c | 3215 | } |
wolfSSL | 0:d92f9d21154c | 3216 | if (wc_ecc_import_x963(key, keySz, pubKey) < 0) { |
wolfSSL | 0:d92f9d21154c | 3217 | WOLFSSL_MSG("ASN Key import error ECC"); |
wolfSSL | 0:d92f9d21154c | 3218 | } |
wolfSSL | 0:d92f9d21154c | 3219 | else { |
wolfSSL | 0:d92f9d21154c | 3220 | if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify, |
wolfSSL | 0:d92f9d21154c | 3221 | pubKey) != 0) { |
wolfSSL | 0:d92f9d21154c | 3222 | WOLFSSL_MSG("ECC verify hash error"); |
wolfSSL | 0:d92f9d21154c | 3223 | } |
wolfSSL | 0:d92f9d21154c | 3224 | else if (1 != verify) { |
wolfSSL | 0:d92f9d21154c | 3225 | WOLFSSL_MSG("ECC Verify didn't match"); |
wolfSSL | 0:d92f9d21154c | 3226 | } else |
wolfSSL | 0:d92f9d21154c | 3227 | ret = 1; /* match */ |
wolfSSL | 0:d92f9d21154c | 3228 | |
wolfSSL | 0:d92f9d21154c | 3229 | } |
wolfSSL | 0:d92f9d21154c | 3230 | wc_ecc_free(pubKey); |
wolfSSL | 0:d92f9d21154c | 3231 | |
wolfSSL | 0:d92f9d21154c | 3232 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3233 | XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3234 | #endif |
wolfSSL | 0:d92f9d21154c | 3235 | break; |
wolfSSL | 0:d92f9d21154c | 3236 | } |
wolfSSL | 0:d92f9d21154c | 3237 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 3238 | default: |
wolfSSL | 0:d92f9d21154c | 3239 | WOLFSSL_MSG("Verify Key type unknown"); |
wolfSSL | 0:d92f9d21154c | 3240 | } |
wolfSSL | 0:d92f9d21154c | 3241 | |
wolfSSL | 0:d92f9d21154c | 3242 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 3243 | XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 3244 | #endif |
wolfSSL | 0:d92f9d21154c | 3245 | |
wolfSSL | 0:d92f9d21154c | 3246 | return ret; |
wolfSSL | 0:d92f9d21154c | 3247 | } |
wolfSSL | 0:d92f9d21154c | 3248 | |
wolfSSL | 0:d92f9d21154c | 3249 | |
wolfSSL | 0:d92f9d21154c | 3250 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 3251 | |
wolfSSL | 0:d92f9d21154c | 3252 | static int MatchBaseName(int type, const char* name, int nameSz, |
wolfSSL | 0:d92f9d21154c | 3253 | const char* base, int baseSz) |
wolfSSL | 0:d92f9d21154c | 3254 | { |
wolfSSL | 0:d92f9d21154c | 3255 | if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 || |
wolfSSL | 0:d92f9d21154c | 3256 | name[0] == '.' || nameSz < baseSz || |
wolfSSL | 0:d92f9d21154c | 3257 | (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE)) |
wolfSSL | 0:d92f9d21154c | 3258 | return 0; |
wolfSSL | 0:d92f9d21154c | 3259 | |
wolfSSL | 0:d92f9d21154c | 3260 | /* If an email type, handle special cases where the base is only |
wolfSSL | 0:d92f9d21154c | 3261 | * a domain, or is an email address itself. */ |
wolfSSL | 0:d92f9d21154c | 3262 | if (type == ASN_RFC822_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3263 | const char* p = NULL; |
wolfSSL | 0:d92f9d21154c | 3264 | int count = 0; |
wolfSSL | 0:d92f9d21154c | 3265 | |
wolfSSL | 0:d92f9d21154c | 3266 | if (base[0] != '.') { |
wolfSSL | 0:d92f9d21154c | 3267 | p = base; |
wolfSSL | 0:d92f9d21154c | 3268 | count = 0; |
wolfSSL | 0:d92f9d21154c | 3269 | |
wolfSSL | 0:d92f9d21154c | 3270 | /* find the '@' in the base */ |
wolfSSL | 0:d92f9d21154c | 3271 | while (*p != '@' && count < baseSz) { |
wolfSSL | 0:d92f9d21154c | 3272 | count++; |
wolfSSL | 0:d92f9d21154c | 3273 | p++; |
wolfSSL | 0:d92f9d21154c | 3274 | } |
wolfSSL | 0:d92f9d21154c | 3275 | |
wolfSSL | 0:d92f9d21154c | 3276 | /* No '@' in base, reset p to NULL */ |
wolfSSL | 0:d92f9d21154c | 3277 | if (count >= baseSz) |
wolfSSL | 0:d92f9d21154c | 3278 | p = NULL; |
wolfSSL | 0:d92f9d21154c | 3279 | } |
wolfSSL | 0:d92f9d21154c | 3280 | |
wolfSSL | 0:d92f9d21154c | 3281 | if (p == NULL) { |
wolfSSL | 0:d92f9d21154c | 3282 | /* Base isn't an email address, it is a domain name, |
wolfSSL | 0:d92f9d21154c | 3283 | * wind the name forward one character past its '@'. */ |
wolfSSL | 0:d92f9d21154c | 3284 | p = name; |
wolfSSL | 0:d92f9d21154c | 3285 | count = 0; |
wolfSSL | 0:d92f9d21154c | 3286 | while (*p != '@' && count < baseSz) { |
wolfSSL | 0:d92f9d21154c | 3287 | count++; |
wolfSSL | 0:d92f9d21154c | 3288 | p++; |
wolfSSL | 0:d92f9d21154c | 3289 | } |
wolfSSL | 0:d92f9d21154c | 3290 | |
wolfSSL | 0:d92f9d21154c | 3291 | if (count < baseSz && *p == '@') { |
wolfSSL | 0:d92f9d21154c | 3292 | name = p + 1; |
wolfSSL | 0:d92f9d21154c | 3293 | nameSz -= count + 1; |
wolfSSL | 0:d92f9d21154c | 3294 | } |
wolfSSL | 0:d92f9d21154c | 3295 | } |
wolfSSL | 0:d92f9d21154c | 3296 | } |
wolfSSL | 0:d92f9d21154c | 3297 | |
wolfSSL | 0:d92f9d21154c | 3298 | if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') { |
wolfSSL | 0:d92f9d21154c | 3299 | int szAdjust = nameSz - baseSz; |
wolfSSL | 0:d92f9d21154c | 3300 | name += szAdjust; |
wolfSSL | 0:d92f9d21154c | 3301 | nameSz -= szAdjust; |
wolfSSL | 0:d92f9d21154c | 3302 | } |
wolfSSL | 0:d92f9d21154c | 3303 | |
wolfSSL | 0:d92f9d21154c | 3304 | while (nameSz > 0) { |
wolfSSL | 0:d92f9d21154c | 3305 | if (XTOLOWER((unsigned char)*name++) != |
wolfSSL | 0:d92f9d21154c | 3306 | XTOLOWER((unsigned char)*base++)) |
wolfSSL | 0:d92f9d21154c | 3307 | return 0; |
wolfSSL | 0:d92f9d21154c | 3308 | nameSz--; |
wolfSSL | 0:d92f9d21154c | 3309 | } |
wolfSSL | 0:d92f9d21154c | 3310 | |
wolfSSL | 0:d92f9d21154c | 3311 | return 1; |
wolfSSL | 0:d92f9d21154c | 3312 | } |
wolfSSL | 0:d92f9d21154c | 3313 | |
wolfSSL | 0:d92f9d21154c | 3314 | |
wolfSSL | 0:d92f9d21154c | 3315 | static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3316 | { |
wolfSSL | 0:d92f9d21154c | 3317 | if (signer == NULL || cert == NULL) |
wolfSSL | 0:d92f9d21154c | 3318 | return 0; |
wolfSSL | 0:d92f9d21154c | 3319 | |
wolfSSL | 0:d92f9d21154c | 3320 | /* Check against the excluded list */ |
wolfSSL | 0:d92f9d21154c | 3321 | if (signer->excludedNames) { |
wolfSSL | 0:d92f9d21154c | 3322 | Base_entry* base = signer->excludedNames; |
wolfSSL | 0:d92f9d21154c | 3323 | |
wolfSSL | 0:d92f9d21154c | 3324 | while (base != NULL) { |
wolfSSL | 0:d92f9d21154c | 3325 | if (base->type == ASN_DNS_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3326 | DNS_entry* name = cert->altNames; |
wolfSSL | 0:d92f9d21154c | 3327 | while (name != NULL) { |
wolfSSL | 0:d92f9d21154c | 3328 | if (MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 0:d92f9d21154c | 3329 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 0:d92f9d21154c | 3330 | base->name, base->nameSz)) |
wolfSSL | 0:d92f9d21154c | 3331 | return 0; |
wolfSSL | 0:d92f9d21154c | 3332 | name = name->next; |
wolfSSL | 0:d92f9d21154c | 3333 | } |
wolfSSL | 0:d92f9d21154c | 3334 | } |
wolfSSL | 0:d92f9d21154c | 3335 | else if (base->type == ASN_RFC822_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3336 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 0:d92f9d21154c | 3337 | while (name != NULL) { |
wolfSSL | 0:d92f9d21154c | 3338 | if (MatchBaseName(ASN_RFC822_TYPE, |
wolfSSL | 0:d92f9d21154c | 3339 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 0:d92f9d21154c | 3340 | base->name, base->nameSz)) |
wolfSSL | 0:d92f9d21154c | 3341 | return 0; |
wolfSSL | 0:d92f9d21154c | 3342 | |
wolfSSL | 0:d92f9d21154c | 3343 | name = name->next; |
wolfSSL | 0:d92f9d21154c | 3344 | } |
wolfSSL | 0:d92f9d21154c | 3345 | } |
wolfSSL | 0:d92f9d21154c | 3346 | else if (base->type == ASN_DIR_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3347 | if (cert->subjectRawLen == base->nameSz && |
wolfSSL | 0:d92f9d21154c | 3348 | XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) { |
wolfSSL | 0:d92f9d21154c | 3349 | |
wolfSSL | 0:d92f9d21154c | 3350 | return 0; |
wolfSSL | 0:d92f9d21154c | 3351 | } |
wolfSSL | 0:d92f9d21154c | 3352 | } |
wolfSSL | 0:d92f9d21154c | 3353 | base = base->next; |
wolfSSL | 0:d92f9d21154c | 3354 | } |
wolfSSL | 0:d92f9d21154c | 3355 | } |
wolfSSL | 0:d92f9d21154c | 3356 | |
wolfSSL | 0:d92f9d21154c | 3357 | /* Check against the permitted list */ |
wolfSSL | 0:d92f9d21154c | 3358 | if (signer->permittedNames != NULL) { |
wolfSSL | 0:d92f9d21154c | 3359 | int needDns = 0; |
wolfSSL | 0:d92f9d21154c | 3360 | int matchDns = 0; |
wolfSSL | 0:d92f9d21154c | 3361 | int needEmail = 0; |
wolfSSL | 0:d92f9d21154c | 3362 | int matchEmail = 0; |
wolfSSL | 0:d92f9d21154c | 3363 | int needDir = 0; |
wolfSSL | 0:d92f9d21154c | 3364 | int matchDir = 0; |
wolfSSL | 0:d92f9d21154c | 3365 | Base_entry* base = signer->permittedNames; |
wolfSSL | 0:d92f9d21154c | 3366 | |
wolfSSL | 0:d92f9d21154c | 3367 | while (base != NULL) { |
wolfSSL | 0:d92f9d21154c | 3368 | if (base->type == ASN_DNS_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3369 | DNS_entry* name = cert->altNames; |
wolfSSL | 0:d92f9d21154c | 3370 | |
wolfSSL | 0:d92f9d21154c | 3371 | if (name != NULL) |
wolfSSL | 0:d92f9d21154c | 3372 | needDns = 1; |
wolfSSL | 0:d92f9d21154c | 3373 | |
wolfSSL | 0:d92f9d21154c | 3374 | while (name != NULL) { |
wolfSSL | 0:d92f9d21154c | 3375 | matchDns = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 0:d92f9d21154c | 3376 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 0:d92f9d21154c | 3377 | base->name, base->nameSz); |
wolfSSL | 0:d92f9d21154c | 3378 | name = name->next; |
wolfSSL | 0:d92f9d21154c | 3379 | } |
wolfSSL | 0:d92f9d21154c | 3380 | } |
wolfSSL | 0:d92f9d21154c | 3381 | else if (base->type == ASN_RFC822_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3382 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 0:d92f9d21154c | 3383 | |
wolfSSL | 0:d92f9d21154c | 3384 | if (name != NULL) |
wolfSSL | 0:d92f9d21154c | 3385 | needEmail = 1; |
wolfSSL | 0:d92f9d21154c | 3386 | |
wolfSSL | 0:d92f9d21154c | 3387 | while (name != NULL) { |
wolfSSL | 0:d92f9d21154c | 3388 | matchEmail = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 0:d92f9d21154c | 3389 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 0:d92f9d21154c | 3390 | base->name, base->nameSz); |
wolfSSL | 0:d92f9d21154c | 3391 | name = name->next; |
wolfSSL | 0:d92f9d21154c | 3392 | } |
wolfSSL | 0:d92f9d21154c | 3393 | } |
wolfSSL | 0:d92f9d21154c | 3394 | else if (base->type == ASN_DIR_TYPE) { |
wolfSSL | 0:d92f9d21154c | 3395 | needDir = 1; |
wolfSSL | 0:d92f9d21154c | 3396 | if (cert->subjectRaw != NULL && |
wolfSSL | 0:d92f9d21154c | 3397 | cert->subjectRawLen == base->nameSz && |
wolfSSL | 0:d92f9d21154c | 3398 | XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) { |
wolfSSL | 0:d92f9d21154c | 3399 | |
wolfSSL | 0:d92f9d21154c | 3400 | matchDir = 1; |
wolfSSL | 0:d92f9d21154c | 3401 | } |
wolfSSL | 0:d92f9d21154c | 3402 | } |
wolfSSL | 0:d92f9d21154c | 3403 | base = base->next; |
wolfSSL | 0:d92f9d21154c | 3404 | } |
wolfSSL | 0:d92f9d21154c | 3405 | |
wolfSSL | 0:d92f9d21154c | 3406 | if ((needDns && !matchDns) || (needEmail && !matchEmail) || |
wolfSSL | 0:d92f9d21154c | 3407 | (needDir && !matchDir)) { |
wolfSSL | 0:d92f9d21154c | 3408 | |
wolfSSL | 0:d92f9d21154c | 3409 | return 0; |
wolfSSL | 0:d92f9d21154c | 3410 | } |
wolfSSL | 0:d92f9d21154c | 3411 | } |
wolfSSL | 0:d92f9d21154c | 3412 | |
wolfSSL | 0:d92f9d21154c | 3413 | return 1; |
wolfSSL | 0:d92f9d21154c | 3414 | } |
wolfSSL | 0:d92f9d21154c | 3415 | |
wolfSSL | 0:d92f9d21154c | 3416 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 3417 | |
wolfSSL | 0:d92f9d21154c | 3418 | |
wolfSSL | 0:d92f9d21154c | 3419 | static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3420 | { |
wolfSSL | 0:d92f9d21154c | 3421 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3422 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 3423 | |
wolfSSL | 0:d92f9d21154c | 3424 | WOLFSSL_ENTER("DecodeAltNames"); |
wolfSSL | 0:d92f9d21154c | 3425 | |
wolfSSL | 0:d92f9d21154c | 3426 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3427 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 0:d92f9d21154c | 3428 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3429 | } |
wolfSSL | 0:d92f9d21154c | 3430 | |
wolfSSL | 0:d92f9d21154c | 3431 | cert->weOwnAltNames = 1; |
wolfSSL | 0:d92f9d21154c | 3432 | |
wolfSSL | 0:d92f9d21154c | 3433 | while (length > 0) { |
wolfSSL | 0:d92f9d21154c | 3434 | byte b = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 3435 | |
wolfSSL | 0:d92f9d21154c | 3436 | length--; |
wolfSSL | 0:d92f9d21154c | 3437 | |
wolfSSL | 0:d92f9d21154c | 3438 | /* Save DNS Type names in the altNames list. */ |
wolfSSL | 0:d92f9d21154c | 3439 | /* Save Other Type names in the cert's OidMap */ |
wolfSSL | 0:d92f9d21154c | 3440 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) { |
wolfSSL | 0:d92f9d21154c | 3441 | DNS_entry* dnsEntry; |
wolfSSL | 0:d92f9d21154c | 3442 | int strLen; |
wolfSSL | 0:d92f9d21154c | 3443 | word32 lenStartIdx = idx; |
wolfSSL | 0:d92f9d21154c | 3444 | |
wolfSSL | 0:d92f9d21154c | 3445 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3446 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 0:d92f9d21154c | 3447 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3448 | } |
wolfSSL | 0:d92f9d21154c | 3449 | length -= (idx - lenStartIdx); |
wolfSSL | 0:d92f9d21154c | 3450 | |
wolfSSL | 0:d92f9d21154c | 3451 | dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 0:d92f9d21154c | 3452 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3453 | if (dnsEntry == NULL) { |
wolfSSL | 0:d92f9d21154c | 3454 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3455 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3456 | } |
wolfSSL | 0:d92f9d21154c | 3457 | |
wolfSSL | 0:d92f9d21154c | 3458 | dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 0:d92f9d21154c | 3459 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3460 | if (dnsEntry->name == NULL) { |
wolfSSL | 0:d92f9d21154c | 3461 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3462 | XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3463 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3464 | } |
wolfSSL | 0:d92f9d21154c | 3465 | |
wolfSSL | 0:d92f9d21154c | 3466 | XMEMCPY(dnsEntry->name, &input[idx], strLen); |
wolfSSL | 0:d92f9d21154c | 3467 | dnsEntry->name[strLen] = '\0'; |
wolfSSL | 0:d92f9d21154c | 3468 | |
wolfSSL | 0:d92f9d21154c | 3469 | dnsEntry->next = cert->altNames; |
wolfSSL | 0:d92f9d21154c | 3470 | cert->altNames = dnsEntry; |
wolfSSL | 0:d92f9d21154c | 3471 | |
wolfSSL | 0:d92f9d21154c | 3472 | length -= strLen; |
wolfSSL | 0:d92f9d21154c | 3473 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 3474 | } |
wolfSSL | 0:d92f9d21154c | 3475 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 3476 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) { |
wolfSSL | 0:d92f9d21154c | 3477 | DNS_entry* emailEntry; |
wolfSSL | 0:d92f9d21154c | 3478 | int strLen; |
wolfSSL | 0:d92f9d21154c | 3479 | word32 lenStartIdx = idx; |
wolfSSL | 0:d92f9d21154c | 3480 | |
wolfSSL | 0:d92f9d21154c | 3481 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3482 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 0:d92f9d21154c | 3483 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3484 | } |
wolfSSL | 0:d92f9d21154c | 3485 | length -= (idx - lenStartIdx); |
wolfSSL | 0:d92f9d21154c | 3486 | |
wolfSSL | 0:d92f9d21154c | 3487 | emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 0:d92f9d21154c | 3488 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3489 | if (emailEntry == NULL) { |
wolfSSL | 0:d92f9d21154c | 3490 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3491 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3492 | } |
wolfSSL | 0:d92f9d21154c | 3493 | |
wolfSSL | 0:d92f9d21154c | 3494 | emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 0:d92f9d21154c | 3495 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3496 | if (emailEntry->name == NULL) { |
wolfSSL | 0:d92f9d21154c | 3497 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3498 | XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3499 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3500 | } |
wolfSSL | 0:d92f9d21154c | 3501 | |
wolfSSL | 0:d92f9d21154c | 3502 | XMEMCPY(emailEntry->name, &input[idx], strLen); |
wolfSSL | 0:d92f9d21154c | 3503 | emailEntry->name[strLen] = '\0'; |
wolfSSL | 0:d92f9d21154c | 3504 | |
wolfSSL | 0:d92f9d21154c | 3505 | emailEntry->next = cert->altEmailNames; |
wolfSSL | 0:d92f9d21154c | 3506 | cert->altEmailNames = emailEntry; |
wolfSSL | 0:d92f9d21154c | 3507 | |
wolfSSL | 0:d92f9d21154c | 3508 | length -= strLen; |
wolfSSL | 0:d92f9d21154c | 3509 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 3510 | } |
wolfSSL | 0:d92f9d21154c | 3511 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 3512 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 3513 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) |
wolfSSL | 0:d92f9d21154c | 3514 | { |
wolfSSL | 0:d92f9d21154c | 3515 | int strLen; |
wolfSSL | 0:d92f9d21154c | 3516 | word32 lenStartIdx = idx; |
wolfSSL | 0:d92f9d21154c | 3517 | word32 oid = 0; |
wolfSSL | 0:d92f9d21154c | 3518 | |
wolfSSL | 0:d92f9d21154c | 3519 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3520 | WOLFSSL_MSG("\tfail: other name length"); |
wolfSSL | 0:d92f9d21154c | 3521 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3522 | } |
wolfSSL | 0:d92f9d21154c | 3523 | /* Consume the rest of this sequence. */ |
wolfSSL | 0:d92f9d21154c | 3524 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 0:d92f9d21154c | 3525 | |
wolfSSL | 0:d92f9d21154c | 3526 | if (GetObjectId(input, &idx, &oid, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3527 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 0:d92f9d21154c | 3528 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3529 | } |
wolfSSL | 0:d92f9d21154c | 3530 | |
wolfSSL | 0:d92f9d21154c | 3531 | if (oid != HW_NAME_OID) { |
wolfSSL | 0:d92f9d21154c | 3532 | WOLFSSL_MSG("\tincorrect OID"); |
wolfSSL | 0:d92f9d21154c | 3533 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3534 | } |
wolfSSL | 0:d92f9d21154c | 3535 | |
wolfSSL | 0:d92f9d21154c | 3536 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 0:d92f9d21154c | 3537 | WOLFSSL_MSG("\twrong type"); |
wolfSSL | 0:d92f9d21154c | 3538 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3539 | } |
wolfSSL | 0:d92f9d21154c | 3540 | |
wolfSSL | 0:d92f9d21154c | 3541 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3542 | WOLFSSL_MSG("\tfail: str len"); |
wolfSSL | 0:d92f9d21154c | 3543 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3544 | } |
wolfSSL | 0:d92f9d21154c | 3545 | |
wolfSSL | 0:d92f9d21154c | 3546 | if (GetSequence(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3547 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 0:d92f9d21154c | 3548 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3549 | } |
wolfSSL | 0:d92f9d21154c | 3550 | |
wolfSSL | 0:d92f9d21154c | 3551 | if (input[idx++] != ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 3552 | WOLFSSL_MSG("\texpected OID"); |
wolfSSL | 0:d92f9d21154c | 3553 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3554 | } |
wolfSSL | 0:d92f9d21154c | 3555 | |
wolfSSL | 0:d92f9d21154c | 3556 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3557 | WOLFSSL_MSG("\tfailed: str len"); |
wolfSSL | 0:d92f9d21154c | 3558 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3559 | } |
wolfSSL | 0:d92f9d21154c | 3560 | |
wolfSSL | 0:d92f9d21154c | 3561 | cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 3562 | if (cert->hwType == NULL) { |
wolfSSL | 0:d92f9d21154c | 3563 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3564 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 3565 | } |
wolfSSL | 0:d92f9d21154c | 3566 | |
wolfSSL | 0:d92f9d21154c | 3567 | XMEMCPY(cert->hwType, &input[idx], strLen); |
wolfSSL | 0:d92f9d21154c | 3568 | cert->hwTypeSz = strLen; |
wolfSSL | 0:d92f9d21154c | 3569 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 3570 | |
wolfSSL | 0:d92f9d21154c | 3571 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 3572 | WOLFSSL_MSG("\texpected Octet String"); |
wolfSSL | 0:d92f9d21154c | 3573 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3574 | } |
wolfSSL | 0:d92f9d21154c | 3575 | |
wolfSSL | 0:d92f9d21154c | 3576 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3577 | WOLFSSL_MSG("\tfailed: str len"); |
wolfSSL | 0:d92f9d21154c | 3578 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3579 | } |
wolfSSL | 0:d92f9d21154c | 3580 | |
wolfSSL | 0:d92f9d21154c | 3581 | cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 3582 | if (cert->hwSerialNum == NULL) { |
wolfSSL | 0:d92f9d21154c | 3583 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 0:d92f9d21154c | 3584 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 3585 | } |
wolfSSL | 0:d92f9d21154c | 3586 | |
wolfSSL | 0:d92f9d21154c | 3587 | XMEMCPY(cert->hwSerialNum, &input[idx], strLen); |
wolfSSL | 0:d92f9d21154c | 3588 | cert->hwSerialNum[strLen] = '\0'; |
wolfSSL | 0:d92f9d21154c | 3589 | cert->hwSerialNumSz = strLen; |
wolfSSL | 0:d92f9d21154c | 3590 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 3591 | } |
wolfSSL | 0:d92f9d21154c | 3592 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 0:d92f9d21154c | 3593 | else { |
wolfSSL | 0:d92f9d21154c | 3594 | int strLen; |
wolfSSL | 0:d92f9d21154c | 3595 | word32 lenStartIdx = idx; |
wolfSSL | 0:d92f9d21154c | 3596 | |
wolfSSL | 0:d92f9d21154c | 3597 | WOLFSSL_MSG("\tUnsupported name type, skipping"); |
wolfSSL | 0:d92f9d21154c | 3598 | |
wolfSSL | 0:d92f9d21154c | 3599 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3600 | WOLFSSL_MSG("\tfail: unsupported name length"); |
wolfSSL | 0:d92f9d21154c | 3601 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3602 | } |
wolfSSL | 0:d92f9d21154c | 3603 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 0:d92f9d21154c | 3604 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 3605 | } |
wolfSSL | 0:d92f9d21154c | 3606 | } |
wolfSSL | 0:d92f9d21154c | 3607 | return 0; |
wolfSSL | 0:d92f9d21154c | 3608 | } |
wolfSSL | 0:d92f9d21154c | 3609 | |
wolfSSL | 0:d92f9d21154c | 3610 | |
wolfSSL | 0:d92f9d21154c | 3611 | static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3612 | { |
wolfSSL | 0:d92f9d21154c | 3613 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3614 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 3615 | |
wolfSSL | 0:d92f9d21154c | 3616 | WOLFSSL_ENTER("DecodeBasicCaConstraint"); |
wolfSSL | 0:d92f9d21154c | 3617 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3618 | WOLFSSL_MSG("\tfail: bad SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 3619 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3620 | } |
wolfSSL | 0:d92f9d21154c | 3621 | |
wolfSSL | 0:d92f9d21154c | 3622 | if (length == 0) |
wolfSSL | 0:d92f9d21154c | 3623 | return 0; |
wolfSSL | 0:d92f9d21154c | 3624 | |
wolfSSL | 0:d92f9d21154c | 3625 | /* If the basic ca constraint is false, this extension may be named, but |
wolfSSL | 0:d92f9d21154c | 3626 | * left empty. So, if the length is 0, just return. */ |
wolfSSL | 0:d92f9d21154c | 3627 | |
wolfSSL | 0:d92f9d21154c | 3628 | if (input[idx++] != ASN_BOOLEAN) |
wolfSSL | 0:d92f9d21154c | 3629 | { |
wolfSSL | 0:d92f9d21154c | 3630 | WOLFSSL_MSG("\tfail: constraint not BOOLEAN"); |
wolfSSL | 0:d92f9d21154c | 3631 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3632 | } |
wolfSSL | 0:d92f9d21154c | 3633 | |
wolfSSL | 0:d92f9d21154c | 3634 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3635 | { |
wolfSSL | 0:d92f9d21154c | 3636 | WOLFSSL_MSG("\tfail: length"); |
wolfSSL | 0:d92f9d21154c | 3637 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3638 | } |
wolfSSL | 0:d92f9d21154c | 3639 | |
wolfSSL | 0:d92f9d21154c | 3640 | if (input[idx++]) |
wolfSSL | 0:d92f9d21154c | 3641 | cert->isCA = 1; |
wolfSSL | 0:d92f9d21154c | 3642 | |
wolfSSL | 0:d92f9d21154c | 3643 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 3644 | /* If there isn't any more data, return. */ |
wolfSSL | 0:d92f9d21154c | 3645 | if (idx >= (word32)sz) |
wolfSSL | 0:d92f9d21154c | 3646 | return 0; |
wolfSSL | 0:d92f9d21154c | 3647 | |
wolfSSL | 0:d92f9d21154c | 3648 | /* Anything left should be the optional pathlength */ |
wolfSSL | 0:d92f9d21154c | 3649 | if (input[idx++] != ASN_INTEGER) { |
wolfSSL | 0:d92f9d21154c | 3650 | WOLFSSL_MSG("\tfail: pathlen not INTEGER"); |
wolfSSL | 0:d92f9d21154c | 3651 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3652 | } |
wolfSSL | 0:d92f9d21154c | 3653 | |
wolfSSL | 0:d92f9d21154c | 3654 | if (input[idx++] != 1) { |
wolfSSL | 0:d92f9d21154c | 3655 | WOLFSSL_MSG("\tfail: pathlen too long"); |
wolfSSL | 0:d92f9d21154c | 3656 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3657 | } |
wolfSSL | 0:d92f9d21154c | 3658 | |
wolfSSL | 0:d92f9d21154c | 3659 | cert->pathLength = input[idx]; |
wolfSSL | 0:d92f9d21154c | 3660 | cert->extBasicConstPlSet = 1; |
wolfSSL | 0:d92f9d21154c | 3661 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 3662 | |
wolfSSL | 0:d92f9d21154c | 3663 | return 0; |
wolfSSL | 0:d92f9d21154c | 3664 | } |
wolfSSL | 0:d92f9d21154c | 3665 | |
wolfSSL | 0:d92f9d21154c | 3666 | |
wolfSSL | 0:d92f9d21154c | 3667 | #define CRLDP_FULL_NAME 0 |
wolfSSL | 0:d92f9d21154c | 3668 | /* From RFC3280 SS4.2.1.14, Distribution Point Name*/ |
wolfSSL | 0:d92f9d21154c | 3669 | #define GENERALNAME_URI 6 |
wolfSSL | 0:d92f9d21154c | 3670 | /* From RFC3280 SS4.2.1.7, GeneralName */ |
wolfSSL | 0:d92f9d21154c | 3671 | |
wolfSSL | 0:d92f9d21154c | 3672 | static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3673 | { |
wolfSSL | 0:d92f9d21154c | 3674 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3675 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 3676 | |
wolfSSL | 0:d92f9d21154c | 3677 | WOLFSSL_ENTER("DecodeCrlDist"); |
wolfSSL | 0:d92f9d21154c | 3678 | |
wolfSSL | 0:d92f9d21154c | 3679 | /* Unwrap the list of Distribution Points*/ |
wolfSSL | 0:d92f9d21154c | 3680 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3681 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3682 | |
wolfSSL | 0:d92f9d21154c | 3683 | /* Unwrap a single Distribution Point */ |
wolfSSL | 0:d92f9d21154c | 3684 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3685 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3686 | |
wolfSSL | 0:d92f9d21154c | 3687 | /* The Distribution Point has three explicit optional members |
wolfSSL | 0:d92f9d21154c | 3688 | * First check for a DistributionPointName |
wolfSSL | 0:d92f9d21154c | 3689 | */ |
wolfSSL | 0:d92f9d21154c | 3690 | if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 0:d92f9d21154c | 3691 | { |
wolfSSL | 0:d92f9d21154c | 3692 | idx++; |
wolfSSL | 0:d92f9d21154c | 3693 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3694 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3695 | |
wolfSSL | 0:d92f9d21154c | 3696 | if (input[idx] == |
wolfSSL | 0:d92f9d21154c | 3697 | (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME)) |
wolfSSL | 0:d92f9d21154c | 3698 | { |
wolfSSL | 0:d92f9d21154c | 3699 | idx++; |
wolfSSL | 0:d92f9d21154c | 3700 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3701 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3702 | |
wolfSSL | 0:d92f9d21154c | 3703 | if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) |
wolfSSL | 0:d92f9d21154c | 3704 | { |
wolfSSL | 0:d92f9d21154c | 3705 | idx++; |
wolfSSL | 0:d92f9d21154c | 3706 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3707 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3708 | |
wolfSSL | 0:d92f9d21154c | 3709 | cert->extCrlInfoSz = length; |
wolfSSL | 0:d92f9d21154c | 3710 | cert->extCrlInfo = input + idx; |
wolfSSL | 0:d92f9d21154c | 3711 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3712 | } |
wolfSSL | 0:d92f9d21154c | 3713 | else |
wolfSSL | 0:d92f9d21154c | 3714 | /* This isn't a URI, skip it. */ |
wolfSSL | 0:d92f9d21154c | 3715 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3716 | } |
wolfSSL | 0:d92f9d21154c | 3717 | else |
wolfSSL | 0:d92f9d21154c | 3718 | /* This isn't a FULLNAME, skip it. */ |
wolfSSL | 0:d92f9d21154c | 3719 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3720 | } |
wolfSSL | 0:d92f9d21154c | 3721 | |
wolfSSL | 0:d92f9d21154c | 3722 | /* Check for reasonFlags */ |
wolfSSL | 0:d92f9d21154c | 3723 | if (idx < (word32)sz && |
wolfSSL | 0:d92f9d21154c | 3724 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 0:d92f9d21154c | 3725 | { |
wolfSSL | 0:d92f9d21154c | 3726 | idx++; |
wolfSSL | 0:d92f9d21154c | 3727 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3728 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3729 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3730 | } |
wolfSSL | 0:d92f9d21154c | 3731 | |
wolfSSL | 0:d92f9d21154c | 3732 | /* Check for cRLIssuer */ |
wolfSSL | 0:d92f9d21154c | 3733 | if (idx < (word32)sz && |
wolfSSL | 0:d92f9d21154c | 3734 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2)) |
wolfSSL | 0:d92f9d21154c | 3735 | { |
wolfSSL | 0:d92f9d21154c | 3736 | idx++; |
wolfSSL | 0:d92f9d21154c | 3737 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3738 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3739 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3740 | } |
wolfSSL | 0:d92f9d21154c | 3741 | |
wolfSSL | 0:d92f9d21154c | 3742 | if (idx < (word32)sz) |
wolfSSL | 0:d92f9d21154c | 3743 | { |
wolfSSL | 0:d92f9d21154c | 3744 | WOLFSSL_MSG("\tThere are more CRL Distribution Point records, " |
wolfSSL | 0:d92f9d21154c | 3745 | "but we only use the first one."); |
wolfSSL | 0:d92f9d21154c | 3746 | } |
wolfSSL | 0:d92f9d21154c | 3747 | |
wolfSSL | 0:d92f9d21154c | 3748 | return 0; |
wolfSSL | 0:d92f9d21154c | 3749 | } |
wolfSSL | 0:d92f9d21154c | 3750 | |
wolfSSL | 0:d92f9d21154c | 3751 | |
wolfSSL | 0:d92f9d21154c | 3752 | static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3753 | /* |
wolfSSL | 0:d92f9d21154c | 3754 | * Read the first of the Authority Information Access records. If there are |
wolfSSL | 0:d92f9d21154c | 3755 | * any issues, return without saving the record. |
wolfSSL | 0:d92f9d21154c | 3756 | */ |
wolfSSL | 0:d92f9d21154c | 3757 | { |
wolfSSL | 0:d92f9d21154c | 3758 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3759 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 3760 | byte b; |
wolfSSL | 0:d92f9d21154c | 3761 | word32 oid; |
wolfSSL | 0:d92f9d21154c | 3762 | |
wolfSSL | 0:d92f9d21154c | 3763 | WOLFSSL_ENTER("DecodeAuthInfo"); |
wolfSSL | 0:d92f9d21154c | 3764 | |
wolfSSL | 0:d92f9d21154c | 3765 | /* Unwrap the list of AIAs */ |
wolfSSL | 0:d92f9d21154c | 3766 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3767 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3768 | |
wolfSSL | 0:d92f9d21154c | 3769 | while (idx < (word32)sz) { |
wolfSSL | 0:d92f9d21154c | 3770 | /* Unwrap a single AIA */ |
wolfSSL | 0:d92f9d21154c | 3771 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3772 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3773 | |
wolfSSL | 0:d92f9d21154c | 3774 | oid = 0; |
wolfSSL | 0:d92f9d21154c | 3775 | if (GetObjectId(input, &idx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3776 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3777 | |
wolfSSL | 0:d92f9d21154c | 3778 | /* Only supporting URIs right now. */ |
wolfSSL | 0:d92f9d21154c | 3779 | b = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 3780 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3781 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3782 | |
wolfSSL | 0:d92f9d21154c | 3783 | if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) && |
wolfSSL | 0:d92f9d21154c | 3784 | oid == AIA_OCSP_OID) |
wolfSSL | 0:d92f9d21154c | 3785 | { |
wolfSSL | 0:d92f9d21154c | 3786 | cert->extAuthInfoSz = length; |
wolfSSL | 0:d92f9d21154c | 3787 | cert->extAuthInfo = input + idx; |
wolfSSL | 0:d92f9d21154c | 3788 | break; |
wolfSSL | 0:d92f9d21154c | 3789 | } |
wolfSSL | 0:d92f9d21154c | 3790 | idx += length; |
wolfSSL | 0:d92f9d21154c | 3791 | } |
wolfSSL | 0:d92f9d21154c | 3792 | |
wolfSSL | 0:d92f9d21154c | 3793 | return 0; |
wolfSSL | 0:d92f9d21154c | 3794 | } |
wolfSSL | 0:d92f9d21154c | 3795 | |
wolfSSL | 0:d92f9d21154c | 3796 | |
wolfSSL | 0:d92f9d21154c | 3797 | static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3798 | { |
wolfSSL | 0:d92f9d21154c | 3799 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3800 | int length = 0, ret = 0; |
wolfSSL | 0:d92f9d21154c | 3801 | |
wolfSSL | 0:d92f9d21154c | 3802 | WOLFSSL_ENTER("DecodeAuthKeyId"); |
wolfSSL | 0:d92f9d21154c | 3803 | |
wolfSSL | 0:d92f9d21154c | 3804 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3805 | WOLFSSL_MSG("\tfail: should be a SEQUENCE\n"); |
wolfSSL | 0:d92f9d21154c | 3806 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3807 | } |
wolfSSL | 0:d92f9d21154c | 3808 | |
wolfSSL | 0:d92f9d21154c | 3809 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 0:d92f9d21154c | 3810 | WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n"); |
wolfSSL | 0:d92f9d21154c | 3811 | return 0; |
wolfSSL | 0:d92f9d21154c | 3812 | } |
wolfSSL | 0:d92f9d21154c | 3813 | |
wolfSSL | 0:d92f9d21154c | 3814 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3815 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 0:d92f9d21154c | 3816 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3817 | } |
wolfSSL | 0:d92f9d21154c | 3818 | |
wolfSSL | 0:d92f9d21154c | 3819 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 3820 | cert->extAuthKeyIdSrc = &input[idx]; |
wolfSSL | 0:d92f9d21154c | 3821 | cert->extAuthKeyIdSz = length; |
wolfSSL | 0:d92f9d21154c | 3822 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 3823 | |
wolfSSL | 0:d92f9d21154c | 3824 | if (length == KEYID_SIZE) { |
wolfSSL | 0:d92f9d21154c | 3825 | XMEMCPY(cert->extAuthKeyId, input + idx, length); |
wolfSSL | 0:d92f9d21154c | 3826 | } |
wolfSSL | 0:d92f9d21154c | 3827 | else { |
wolfSSL | 0:d92f9d21154c | 3828 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 3829 | ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 0:d92f9d21154c | 3830 | #else |
wolfSSL | 0:d92f9d21154c | 3831 | ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 0:d92f9d21154c | 3832 | #endif |
wolfSSL | 0:d92f9d21154c | 3833 | } |
wolfSSL | 0:d92f9d21154c | 3834 | |
wolfSSL | 0:d92f9d21154c | 3835 | return ret; |
wolfSSL | 0:d92f9d21154c | 3836 | } |
wolfSSL | 0:d92f9d21154c | 3837 | |
wolfSSL | 0:d92f9d21154c | 3838 | |
wolfSSL | 0:d92f9d21154c | 3839 | static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3840 | { |
wolfSSL | 0:d92f9d21154c | 3841 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3842 | int length = 0, ret = 0; |
wolfSSL | 0:d92f9d21154c | 3843 | |
wolfSSL | 0:d92f9d21154c | 3844 | WOLFSSL_ENTER("DecodeSubjKeyId"); |
wolfSSL | 0:d92f9d21154c | 3845 | |
wolfSSL | 0:d92f9d21154c | 3846 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 3847 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 0:d92f9d21154c | 3848 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3849 | } |
wolfSSL | 0:d92f9d21154c | 3850 | |
wolfSSL | 0:d92f9d21154c | 3851 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3852 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 0:d92f9d21154c | 3853 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3854 | } |
wolfSSL | 0:d92f9d21154c | 3855 | |
wolfSSL | 0:d92f9d21154c | 3856 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 3857 | cert->extSubjKeyIdSrc = &input[idx]; |
wolfSSL | 0:d92f9d21154c | 3858 | cert->extSubjKeyIdSz = length; |
wolfSSL | 0:d92f9d21154c | 3859 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 0:d92f9d21154c | 3860 | |
wolfSSL | 0:d92f9d21154c | 3861 | if (length == SIGNER_DIGEST_SIZE) { |
wolfSSL | 0:d92f9d21154c | 3862 | XMEMCPY(cert->extSubjKeyId, input + idx, length); |
wolfSSL | 0:d92f9d21154c | 3863 | } |
wolfSSL | 0:d92f9d21154c | 3864 | else { |
wolfSSL | 0:d92f9d21154c | 3865 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 3866 | ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 0:d92f9d21154c | 3867 | #else |
wolfSSL | 0:d92f9d21154c | 3868 | ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 0:d92f9d21154c | 3869 | #endif |
wolfSSL | 0:d92f9d21154c | 3870 | } |
wolfSSL | 0:d92f9d21154c | 3871 | |
wolfSSL | 0:d92f9d21154c | 3872 | return ret; |
wolfSSL | 0:d92f9d21154c | 3873 | } |
wolfSSL | 0:d92f9d21154c | 3874 | |
wolfSSL | 0:d92f9d21154c | 3875 | |
wolfSSL | 0:d92f9d21154c | 3876 | static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3877 | { |
wolfSSL | 0:d92f9d21154c | 3878 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3879 | int length; |
wolfSSL | 0:d92f9d21154c | 3880 | byte unusedBits; |
wolfSSL | 0:d92f9d21154c | 3881 | WOLFSSL_ENTER("DecodeKeyUsage"); |
wolfSSL | 0:d92f9d21154c | 3882 | |
wolfSSL | 0:d92f9d21154c | 3883 | if (input[idx++] != ASN_BIT_STRING) { |
wolfSSL | 0:d92f9d21154c | 3884 | WOLFSSL_MSG("\tfail: key usage expected bit string"); |
wolfSSL | 0:d92f9d21154c | 3885 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3886 | } |
wolfSSL | 0:d92f9d21154c | 3887 | |
wolfSSL | 0:d92f9d21154c | 3888 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3889 | WOLFSSL_MSG("\tfail: key usage bad length"); |
wolfSSL | 0:d92f9d21154c | 3890 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3891 | } |
wolfSSL | 0:d92f9d21154c | 3892 | |
wolfSSL | 0:d92f9d21154c | 3893 | unusedBits = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 3894 | length--; |
wolfSSL | 0:d92f9d21154c | 3895 | |
wolfSSL | 0:d92f9d21154c | 3896 | if (length == 2) { |
wolfSSL | 0:d92f9d21154c | 3897 | cert->extKeyUsage = (word16)((input[idx] << 8) | input[idx+1]); |
wolfSSL | 0:d92f9d21154c | 3898 | cert->extKeyUsage >>= unusedBits; |
wolfSSL | 0:d92f9d21154c | 3899 | } |
wolfSSL | 0:d92f9d21154c | 3900 | else if (length == 1) |
wolfSSL | 0:d92f9d21154c | 3901 | cert->extKeyUsage = (word16)(input[idx] << 1); |
wolfSSL | 0:d92f9d21154c | 3902 | |
wolfSSL | 0:d92f9d21154c | 3903 | return 0; |
wolfSSL | 0:d92f9d21154c | 3904 | } |
wolfSSL | 0:d92f9d21154c | 3905 | |
wolfSSL | 0:d92f9d21154c | 3906 | |
wolfSSL | 0:d92f9d21154c | 3907 | static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 3908 | { |
wolfSSL | 0:d92f9d21154c | 3909 | word32 idx = 0, oid; |
wolfSSL | 0:d92f9d21154c | 3910 | int length; |
wolfSSL | 0:d92f9d21154c | 3911 | |
wolfSSL | 0:d92f9d21154c | 3912 | WOLFSSL_ENTER("DecodeExtKeyUsage"); |
wolfSSL | 0:d92f9d21154c | 3913 | |
wolfSSL | 0:d92f9d21154c | 3914 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3915 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 3916 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3917 | } |
wolfSSL | 0:d92f9d21154c | 3918 | |
wolfSSL | 0:d92f9d21154c | 3919 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 3920 | cert->extExtKeyUsageSrc = input + idx; |
wolfSSL | 0:d92f9d21154c | 3921 | cert->extExtKeyUsageSz = length; |
wolfSSL | 0:d92f9d21154c | 3922 | #endif |
wolfSSL | 0:d92f9d21154c | 3923 | |
wolfSSL | 0:d92f9d21154c | 3924 | while (idx < (word32)sz) { |
wolfSSL | 0:d92f9d21154c | 3925 | if (GetObjectId(input, &idx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 3926 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3927 | |
wolfSSL | 0:d92f9d21154c | 3928 | switch (oid) { |
wolfSSL | 0:d92f9d21154c | 3929 | case EKU_ANY_OID: |
wolfSSL | 0:d92f9d21154c | 3930 | cert->extExtKeyUsage |= EXTKEYUSE_ANY; |
wolfSSL | 0:d92f9d21154c | 3931 | break; |
wolfSSL | 0:d92f9d21154c | 3932 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 0:d92f9d21154c | 3933 | cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH; |
wolfSSL | 0:d92f9d21154c | 3934 | break; |
wolfSSL | 0:d92f9d21154c | 3935 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 0:d92f9d21154c | 3936 | cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH; |
wolfSSL | 0:d92f9d21154c | 3937 | break; |
wolfSSL | 0:d92f9d21154c | 3938 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 0:d92f9d21154c | 3939 | cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; |
wolfSSL | 0:d92f9d21154c | 3940 | break; |
wolfSSL | 0:d92f9d21154c | 3941 | } |
wolfSSL | 0:d92f9d21154c | 3942 | |
wolfSSL | 0:d92f9d21154c | 3943 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 3944 | cert->extExtKeyUsageCount++; |
wolfSSL | 0:d92f9d21154c | 3945 | #endif |
wolfSSL | 0:d92f9d21154c | 3946 | } |
wolfSSL | 0:d92f9d21154c | 3947 | |
wolfSSL | 0:d92f9d21154c | 3948 | return 0; |
wolfSSL | 0:d92f9d21154c | 3949 | } |
wolfSSL | 0:d92f9d21154c | 3950 | |
wolfSSL | 0:d92f9d21154c | 3951 | |
wolfSSL | 0:d92f9d21154c | 3952 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 3953 | static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap) |
wolfSSL | 0:d92f9d21154c | 3954 | { |
wolfSSL | 0:d92f9d21154c | 3955 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 3956 | |
wolfSSL | 0:d92f9d21154c | 3957 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 3958 | |
wolfSSL | 0:d92f9d21154c | 3959 | while (idx < (word32)sz) { |
wolfSSL | 0:d92f9d21154c | 3960 | int seqLength, strLength; |
wolfSSL | 0:d92f9d21154c | 3961 | word32 nameIdx; |
wolfSSL | 0:d92f9d21154c | 3962 | byte b; |
wolfSSL | 0:d92f9d21154c | 3963 | |
wolfSSL | 0:d92f9d21154c | 3964 | if (GetSequence(input, &idx, &seqLength, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 3965 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 3966 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3967 | } |
wolfSSL | 0:d92f9d21154c | 3968 | |
wolfSSL | 0:d92f9d21154c | 3969 | nameIdx = idx; |
wolfSSL | 0:d92f9d21154c | 3970 | b = input[nameIdx++]; |
wolfSSL | 0:d92f9d21154c | 3971 | if (GetLength(input, &nameIdx, &strLength, sz) <= 0) { |
wolfSSL | 0:d92f9d21154c | 3972 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 0:d92f9d21154c | 3973 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 3974 | } |
wolfSSL | 0:d92f9d21154c | 3975 | |
wolfSSL | 0:d92f9d21154c | 3976 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) || |
wolfSSL | 0:d92f9d21154c | 3977 | b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) || |
wolfSSL | 0:d92f9d21154c | 3978 | b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) { |
wolfSSL | 0:d92f9d21154c | 3979 | |
wolfSSL | 0:d92f9d21154c | 3980 | Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry), |
wolfSSL | 0:d92f9d21154c | 3981 | heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3982 | |
wolfSSL | 0:d92f9d21154c | 3983 | if (entry == NULL) { |
wolfSSL | 0:d92f9d21154c | 3984 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 0:d92f9d21154c | 3985 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 3986 | } |
wolfSSL | 0:d92f9d21154c | 3987 | |
wolfSSL | 0:d92f9d21154c | 3988 | entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 0:d92f9d21154c | 3989 | if (entry->name == NULL) { |
wolfSSL | 0:d92f9d21154c | 3990 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 0:d92f9d21154c | 3991 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 3992 | } |
wolfSSL | 0:d92f9d21154c | 3993 | |
wolfSSL | 0:d92f9d21154c | 3994 | XMEMCPY(entry->name, &input[nameIdx], strLength); |
wolfSSL | 0:d92f9d21154c | 3995 | entry->nameSz = strLength; |
wolfSSL | 0:d92f9d21154c | 3996 | entry->type = b & 0x0F; |
wolfSSL | 0:d92f9d21154c | 3997 | |
wolfSSL | 0:d92f9d21154c | 3998 | entry->next = *head; |
wolfSSL | 0:d92f9d21154c | 3999 | *head = entry; |
wolfSSL | 0:d92f9d21154c | 4000 | } |
wolfSSL | 0:d92f9d21154c | 4001 | |
wolfSSL | 0:d92f9d21154c | 4002 | idx += seqLength; |
wolfSSL | 0:d92f9d21154c | 4003 | } |
wolfSSL | 0:d92f9d21154c | 4004 | |
wolfSSL | 0:d92f9d21154c | 4005 | return 0; |
wolfSSL | 0:d92f9d21154c | 4006 | } |
wolfSSL | 0:d92f9d21154c | 4007 | |
wolfSSL | 0:d92f9d21154c | 4008 | |
wolfSSL | 0:d92f9d21154c | 4009 | static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 4010 | { |
wolfSSL | 0:d92f9d21154c | 4011 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 4012 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 4013 | |
wolfSSL | 0:d92f9d21154c | 4014 | WOLFSSL_ENTER("DecodeNameConstraints"); |
wolfSSL | 0:d92f9d21154c | 4015 | |
wolfSSL | 0:d92f9d21154c | 4016 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4017 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 4018 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4019 | } |
wolfSSL | 0:d92f9d21154c | 4020 | |
wolfSSL | 0:d92f9d21154c | 4021 | while (idx < (word32)sz) { |
wolfSSL | 0:d92f9d21154c | 4022 | byte b = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 4023 | Base_entry** subtree = NULL; |
wolfSSL | 0:d92f9d21154c | 4024 | |
wolfSSL | 0:d92f9d21154c | 4025 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 0:d92f9d21154c | 4026 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 0:d92f9d21154c | 4027 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4028 | } |
wolfSSL | 0:d92f9d21154c | 4029 | |
wolfSSL | 0:d92f9d21154c | 4030 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) |
wolfSSL | 0:d92f9d21154c | 4031 | subtree = &cert->permittedNames; |
wolfSSL | 0:d92f9d21154c | 4032 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) |
wolfSSL | 0:d92f9d21154c | 4033 | subtree = &cert->excludedNames; |
wolfSSL | 0:d92f9d21154c | 4034 | else { |
wolfSSL | 0:d92f9d21154c | 4035 | WOLFSSL_MSG("\tinvalid subtree"); |
wolfSSL | 0:d92f9d21154c | 4036 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4037 | } |
wolfSSL | 0:d92f9d21154c | 4038 | |
wolfSSL | 0:d92f9d21154c | 4039 | DecodeSubtree(input + idx, length, subtree, cert->heap); |
wolfSSL | 0:d92f9d21154c | 4040 | |
wolfSSL | 0:d92f9d21154c | 4041 | idx += length; |
wolfSSL | 0:d92f9d21154c | 4042 | } |
wolfSSL | 0:d92f9d21154c | 4043 | |
wolfSSL | 0:d92f9d21154c | 4044 | return 0; |
wolfSSL | 0:d92f9d21154c | 4045 | } |
wolfSSL | 0:d92f9d21154c | 4046 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 4047 | |
wolfSSL | 0:d92f9d21154c | 4048 | |
wolfSSL | 0:d92f9d21154c | 4049 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 4050 | static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 4051 | { |
wolfSSL | 0:d92f9d21154c | 4052 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 4053 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 4054 | |
wolfSSL | 0:d92f9d21154c | 4055 | WOLFSSL_ENTER("DecodeCertPolicy"); |
wolfSSL | 0:d92f9d21154c | 4056 | |
wolfSSL | 0:d92f9d21154c | 4057 | /* Unwrap certificatePolicies */ |
wolfSSL | 0:d92f9d21154c | 4058 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4059 | WOLFSSL_MSG("\tdeviceType isn't OID"); |
wolfSSL | 0:d92f9d21154c | 4060 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4061 | } |
wolfSSL | 0:d92f9d21154c | 4062 | |
wolfSSL | 0:d92f9d21154c | 4063 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4064 | WOLFSSL_MSG("\tdeviceType isn't OID"); |
wolfSSL | 0:d92f9d21154c | 4065 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4066 | } |
wolfSSL | 0:d92f9d21154c | 4067 | |
wolfSSL | 0:d92f9d21154c | 4068 | if (input[idx++] != ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 4069 | WOLFSSL_MSG("\tdeviceType isn't OID"); |
wolfSSL | 0:d92f9d21154c | 4070 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4071 | } |
wolfSSL | 0:d92f9d21154c | 4072 | |
wolfSSL | 0:d92f9d21154c | 4073 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4074 | WOLFSSL_MSG("\tCouldn't read length of deviceType"); |
wolfSSL | 0:d92f9d21154c | 4075 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4076 | } |
wolfSSL | 0:d92f9d21154c | 4077 | |
wolfSSL | 0:d92f9d21154c | 4078 | if (length > 0) { |
wolfSSL | 0:d92f9d21154c | 4079 | cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0); |
wolfSSL | 0:d92f9d21154c | 4080 | if (cert->deviceType == NULL) { |
wolfSSL | 0:d92f9d21154c | 4081 | WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); |
wolfSSL | 0:d92f9d21154c | 4082 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4083 | } |
wolfSSL | 0:d92f9d21154c | 4084 | cert->deviceTypeSz = length; |
wolfSSL | 0:d92f9d21154c | 4085 | XMEMCPY(cert->deviceType, input + idx, length); |
wolfSSL | 0:d92f9d21154c | 4086 | } |
wolfSSL | 0:d92f9d21154c | 4087 | |
wolfSSL | 0:d92f9d21154c | 4088 | WOLFSSL_LEAVE("DecodeCertPolicy", 0); |
wolfSSL | 0:d92f9d21154c | 4089 | return 0; |
wolfSSL | 0:d92f9d21154c | 4090 | } |
wolfSSL | 0:d92f9d21154c | 4091 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 0:d92f9d21154c | 4092 | |
wolfSSL | 0:d92f9d21154c | 4093 | |
wolfSSL | 0:d92f9d21154c | 4094 | static int DecodeCertExtensions(DecodedCert* cert) |
wolfSSL | 0:d92f9d21154c | 4095 | /* |
wolfSSL | 0:d92f9d21154c | 4096 | * Processing the Certificate Extensions. This does not modify the current |
wolfSSL | 0:d92f9d21154c | 4097 | * index. It is works starting with the recorded extensions pointer. |
wolfSSL | 0:d92f9d21154c | 4098 | */ |
wolfSSL | 0:d92f9d21154c | 4099 | { |
wolfSSL | 0:d92f9d21154c | 4100 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 4101 | int sz = cert->extensionsSz; |
wolfSSL | 0:d92f9d21154c | 4102 | byte* input = cert->extensions; |
wolfSSL | 0:d92f9d21154c | 4103 | int length; |
wolfSSL | 0:d92f9d21154c | 4104 | word32 oid; |
wolfSSL | 0:d92f9d21154c | 4105 | byte critical = 0; |
wolfSSL | 0:d92f9d21154c | 4106 | byte criticalFail = 0; |
wolfSSL | 0:d92f9d21154c | 4107 | |
wolfSSL | 0:d92f9d21154c | 4108 | WOLFSSL_ENTER("DecodeCertExtensions"); |
wolfSSL | 0:d92f9d21154c | 4109 | |
wolfSSL | 0:d92f9d21154c | 4110 | if (input == NULL || sz == 0) |
wolfSSL | 0:d92f9d21154c | 4111 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4112 | |
wolfSSL | 0:d92f9d21154c | 4113 | if (input[idx++] != ASN_EXTENSIONS) |
wolfSSL | 0:d92f9d21154c | 4114 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4115 | |
wolfSSL | 0:d92f9d21154c | 4116 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 4117 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4118 | |
wolfSSL | 0:d92f9d21154c | 4119 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 4120 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4121 | |
wolfSSL | 0:d92f9d21154c | 4122 | while (idx < (word32)sz) { |
wolfSSL | 0:d92f9d21154c | 4123 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4124 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 4125 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4126 | } |
wolfSSL | 0:d92f9d21154c | 4127 | |
wolfSSL | 0:d92f9d21154c | 4128 | oid = 0; |
wolfSSL | 0:d92f9d21154c | 4129 | if (GetObjectId(input, &idx, &oid, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4130 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 0:d92f9d21154c | 4131 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4132 | } |
wolfSSL | 0:d92f9d21154c | 4133 | |
wolfSSL | 0:d92f9d21154c | 4134 | /* check for critical flag */ |
wolfSSL | 0:d92f9d21154c | 4135 | critical = 0; |
wolfSSL | 0:d92f9d21154c | 4136 | if (input[idx] == ASN_BOOLEAN) { |
wolfSSL | 0:d92f9d21154c | 4137 | int boolLength = 0; |
wolfSSL | 0:d92f9d21154c | 4138 | idx++; |
wolfSSL | 0:d92f9d21154c | 4139 | if (GetLength(input, &idx, &boolLength, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4140 | WOLFSSL_MSG("\tfail: critical boolean length"); |
wolfSSL | 0:d92f9d21154c | 4141 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4142 | } |
wolfSSL | 0:d92f9d21154c | 4143 | if (input[idx++]) |
wolfSSL | 0:d92f9d21154c | 4144 | critical = 1; |
wolfSSL | 0:d92f9d21154c | 4145 | } |
wolfSSL | 0:d92f9d21154c | 4146 | |
wolfSSL | 0:d92f9d21154c | 4147 | /* process the extension based on the OID */ |
wolfSSL | 0:d92f9d21154c | 4148 | if (input[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 4149 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 0:d92f9d21154c | 4150 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4151 | } |
wolfSSL | 0:d92f9d21154c | 4152 | |
wolfSSL | 0:d92f9d21154c | 4153 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 4154 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 0:d92f9d21154c | 4155 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4156 | } |
wolfSSL | 0:d92f9d21154c | 4157 | |
wolfSSL | 0:d92f9d21154c | 4158 | switch (oid) { |
wolfSSL | 0:d92f9d21154c | 4159 | case BASIC_CA_OID: |
wolfSSL | 0:d92f9d21154c | 4160 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4161 | cert->extBasicConstSet = 1; |
wolfSSL | 0:d92f9d21154c | 4162 | cert->extBasicConstCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4163 | #endif |
wolfSSL | 0:d92f9d21154c | 4164 | if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4165 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4166 | break; |
wolfSSL | 0:d92f9d21154c | 4167 | |
wolfSSL | 0:d92f9d21154c | 4168 | case CRL_DIST_OID: |
wolfSSL | 0:d92f9d21154c | 4169 | if (DecodeCrlDist(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4170 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4171 | break; |
wolfSSL | 0:d92f9d21154c | 4172 | |
wolfSSL | 0:d92f9d21154c | 4173 | case AUTH_INFO_OID: |
wolfSSL | 0:d92f9d21154c | 4174 | if (DecodeAuthInfo(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4175 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4176 | break; |
wolfSSL | 0:d92f9d21154c | 4177 | |
wolfSSL | 0:d92f9d21154c | 4178 | case ALT_NAMES_OID: |
wolfSSL | 0:d92f9d21154c | 4179 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4180 | cert->extSubjAltNameSet = 1; |
wolfSSL | 0:d92f9d21154c | 4181 | cert->extSubjAltNameCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4182 | #endif |
wolfSSL | 0:d92f9d21154c | 4183 | if (DecodeAltNames(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4184 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4185 | break; |
wolfSSL | 0:d92f9d21154c | 4186 | |
wolfSSL | 0:d92f9d21154c | 4187 | case AUTH_KEY_OID: |
wolfSSL | 0:d92f9d21154c | 4188 | cert->extAuthKeyIdSet = 1; |
wolfSSL | 0:d92f9d21154c | 4189 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4190 | cert->extAuthKeyIdCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4191 | #endif |
wolfSSL | 0:d92f9d21154c | 4192 | if (DecodeAuthKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4193 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4194 | break; |
wolfSSL | 0:d92f9d21154c | 4195 | |
wolfSSL | 0:d92f9d21154c | 4196 | case SUBJ_KEY_OID: |
wolfSSL | 0:d92f9d21154c | 4197 | cert->extSubjKeyIdSet = 1; |
wolfSSL | 0:d92f9d21154c | 4198 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4199 | cert->extSubjKeyIdCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4200 | #endif |
wolfSSL | 0:d92f9d21154c | 4201 | if (DecodeSubjKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4202 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4203 | break; |
wolfSSL | 0:d92f9d21154c | 4204 | |
wolfSSL | 0:d92f9d21154c | 4205 | case CERT_POLICY_OID: |
wolfSSL | 0:d92f9d21154c | 4206 | WOLFSSL_MSG("Certificate Policy extension not supported yet."); |
wolfSSL | 0:d92f9d21154c | 4207 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 4208 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4209 | cert->extCertPolicySet = 1; |
wolfSSL | 0:d92f9d21154c | 4210 | cert->extCertPolicyCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4211 | #endif |
wolfSSL | 0:d92f9d21154c | 4212 | if (DecodeCertPolicy(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4213 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4214 | #endif |
wolfSSL | 0:d92f9d21154c | 4215 | break; |
wolfSSL | 0:d92f9d21154c | 4216 | |
wolfSSL | 0:d92f9d21154c | 4217 | case KEY_USAGE_OID: |
wolfSSL | 0:d92f9d21154c | 4218 | cert->extKeyUsageSet = 1; |
wolfSSL | 0:d92f9d21154c | 4219 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4220 | cert->extKeyUsageCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4221 | #endif |
wolfSSL | 0:d92f9d21154c | 4222 | if (DecodeKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4223 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4224 | break; |
wolfSSL | 0:d92f9d21154c | 4225 | |
wolfSSL | 0:d92f9d21154c | 4226 | case EXT_KEY_USAGE_OID: |
wolfSSL | 0:d92f9d21154c | 4227 | cert->extExtKeyUsageSet = 1; |
wolfSSL | 0:d92f9d21154c | 4228 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4229 | cert->extExtKeyUsageCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4230 | #endif |
wolfSSL | 0:d92f9d21154c | 4231 | if (DecodeExtKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4232 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4233 | break; |
wolfSSL | 0:d92f9d21154c | 4234 | |
wolfSSL | 0:d92f9d21154c | 4235 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 4236 | case NAME_CONS_OID: |
wolfSSL | 0:d92f9d21154c | 4237 | cert->extNameConstraintSet = 1; |
wolfSSL | 0:d92f9d21154c | 4238 | #ifdef OPENSSL_EXTRA |
wolfSSL | 0:d92f9d21154c | 4239 | cert->extNameConstraintCrit = critical; |
wolfSSL | 0:d92f9d21154c | 4240 | #endif |
wolfSSL | 0:d92f9d21154c | 4241 | if (DecodeNameConstraints(&input[idx], length, cert) < 0) |
wolfSSL | 0:d92f9d21154c | 4242 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 4243 | break; |
wolfSSL | 0:d92f9d21154c | 4244 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 4245 | |
wolfSSL | 0:d92f9d21154c | 4246 | case INHIBIT_ANY_OID: |
wolfSSL | 0:d92f9d21154c | 4247 | WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); |
wolfSSL | 0:d92f9d21154c | 4248 | break; |
wolfSSL | 0:d92f9d21154c | 4249 | |
wolfSSL | 0:d92f9d21154c | 4250 | default: |
wolfSSL | 0:d92f9d21154c | 4251 | /* While it is a failure to not support critical extensions, |
wolfSSL | 0:d92f9d21154c | 4252 | * still parse the certificate ignoring the unsupported |
wolfSSL | 0:d92f9d21154c | 4253 | * extention to allow caller to accept it with the verify |
wolfSSL | 0:d92f9d21154c | 4254 | * callback. */ |
wolfSSL | 0:d92f9d21154c | 4255 | if (critical) |
wolfSSL | 0:d92f9d21154c | 4256 | criticalFail = 1; |
wolfSSL | 0:d92f9d21154c | 4257 | break; |
wolfSSL | 0:d92f9d21154c | 4258 | } |
wolfSSL | 0:d92f9d21154c | 4259 | idx += length; |
wolfSSL | 0:d92f9d21154c | 4260 | } |
wolfSSL | 0:d92f9d21154c | 4261 | |
wolfSSL | 0:d92f9d21154c | 4262 | return criticalFail ? ASN_CRIT_EXT_E : 0; |
wolfSSL | 0:d92f9d21154c | 4263 | } |
wolfSSL | 0:d92f9d21154c | 4264 | |
wolfSSL | 0:d92f9d21154c | 4265 | |
wolfSSL | 0:d92f9d21154c | 4266 | int ParseCert(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 0:d92f9d21154c | 4267 | { |
wolfSSL | 0:d92f9d21154c | 4268 | int ret; |
wolfSSL | 0:d92f9d21154c | 4269 | char* ptr; |
wolfSSL | 0:d92f9d21154c | 4270 | |
wolfSSL | 0:d92f9d21154c | 4271 | ret = ParseCertRelative(cert, type, verify, cm); |
wolfSSL | 0:d92f9d21154c | 4272 | if (ret < 0) |
wolfSSL | 0:d92f9d21154c | 4273 | return ret; |
wolfSSL | 0:d92f9d21154c | 4274 | |
wolfSSL | 0:d92f9d21154c | 4275 | if (cert->subjectCNLen > 0) { |
wolfSSL | 0:d92f9d21154c | 4276 | ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap, |
wolfSSL | 0:d92f9d21154c | 4277 | DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 0:d92f9d21154c | 4278 | if (ptr == NULL) |
wolfSSL | 0:d92f9d21154c | 4279 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4280 | XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen); |
wolfSSL | 0:d92f9d21154c | 4281 | ptr[cert->subjectCNLen] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4282 | cert->subjectCN = ptr; |
wolfSSL | 0:d92f9d21154c | 4283 | cert->subjectCNStored = 1; |
wolfSSL | 0:d92f9d21154c | 4284 | } |
wolfSSL | 0:d92f9d21154c | 4285 | |
wolfSSL | 0:d92f9d21154c | 4286 | if (cert->keyOID == RSAk && |
wolfSSL | 0:d92f9d21154c | 4287 | cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 0:d92f9d21154c | 4288 | ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, |
wolfSSL | 0:d92f9d21154c | 4289 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 0:d92f9d21154c | 4290 | if (ptr == NULL) |
wolfSSL | 0:d92f9d21154c | 4291 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4292 | XMEMCPY(ptr, cert->publicKey, cert->pubKeySize); |
wolfSSL | 0:d92f9d21154c | 4293 | cert->publicKey = (byte *)ptr; |
wolfSSL | 0:d92f9d21154c | 4294 | cert->pubKeyStored = 1; |
wolfSSL | 0:d92f9d21154c | 4295 | } |
wolfSSL | 0:d92f9d21154c | 4296 | |
wolfSSL | 0:d92f9d21154c | 4297 | return ret; |
wolfSSL | 0:d92f9d21154c | 4298 | } |
wolfSSL | 0:d92f9d21154c | 4299 | |
wolfSSL | 0:d92f9d21154c | 4300 | |
wolfSSL | 0:d92f9d21154c | 4301 | /* from SSL proper, for locking can't do find here anymore */ |
wolfSSL | 0:d92f9d21154c | 4302 | #ifdef __cplusplus |
wolfSSL | 0:d92f9d21154c | 4303 | extern "C" { |
wolfSSL | 0:d92f9d21154c | 4304 | #endif |
wolfSSL | 0:d92f9d21154c | 4305 | WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash); |
wolfSSL | 0:d92f9d21154c | 4306 | #ifndef NO_SKID |
wolfSSL | 0:d92f9d21154c | 4307 | WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash); |
wolfSSL | 0:d92f9d21154c | 4308 | #endif |
wolfSSL | 0:d92f9d21154c | 4309 | #ifdef __cplusplus |
wolfSSL | 0:d92f9d21154c | 4310 | } |
wolfSSL | 0:d92f9d21154c | 4311 | #endif |
wolfSSL | 0:d92f9d21154c | 4312 | |
wolfSSL | 0:d92f9d21154c | 4313 | |
wolfSSL | 0:d92f9d21154c | 4314 | int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 0:d92f9d21154c | 4315 | { |
wolfSSL | 0:d92f9d21154c | 4316 | word32 confirmOID; |
wolfSSL | 0:d92f9d21154c | 4317 | int ret; |
wolfSSL | 0:d92f9d21154c | 4318 | int badDate = 0; |
wolfSSL | 0:d92f9d21154c | 4319 | int criticalExt = 0; |
wolfSSL | 0:d92f9d21154c | 4320 | |
wolfSSL | 0:d92f9d21154c | 4321 | if ((ret = DecodeToKey(cert, verify)) < 0) { |
wolfSSL | 0:d92f9d21154c | 4322 | if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) |
wolfSSL | 0:d92f9d21154c | 4323 | badDate = ret; |
wolfSSL | 0:d92f9d21154c | 4324 | else |
wolfSSL | 0:d92f9d21154c | 4325 | return ret; |
wolfSSL | 0:d92f9d21154c | 4326 | } |
wolfSSL | 0:d92f9d21154c | 4327 | |
wolfSSL | 0:d92f9d21154c | 4328 | WOLFSSL_MSG("Parsed Past Key"); |
wolfSSL | 0:d92f9d21154c | 4329 | |
wolfSSL | 0:d92f9d21154c | 4330 | if (cert->srcIdx < cert->sigIndex) { |
wolfSSL | 0:d92f9d21154c | 4331 | #ifndef ALLOW_V1_EXTENSIONS |
wolfSSL | 0:d92f9d21154c | 4332 | if (cert->version < 2) { |
wolfSSL | 0:d92f9d21154c | 4333 | WOLFSSL_MSG(" v1 and v2 certs not allowed extensions"); |
wolfSSL | 0:d92f9d21154c | 4334 | return ASN_VERSION_E; |
wolfSSL | 0:d92f9d21154c | 4335 | } |
wolfSSL | 0:d92f9d21154c | 4336 | #endif |
wolfSSL | 0:d92f9d21154c | 4337 | /* save extensions */ |
wolfSSL | 0:d92f9d21154c | 4338 | cert->extensions = &cert->source[cert->srcIdx]; |
wolfSSL | 0:d92f9d21154c | 4339 | cert->extensionsSz = cert->sigIndex - cert->srcIdx; |
wolfSSL | 0:d92f9d21154c | 4340 | cert->extensionsIdx = cert->srcIdx; /* for potential later use */ |
wolfSSL | 0:d92f9d21154c | 4341 | |
wolfSSL | 0:d92f9d21154c | 4342 | if ((ret = DecodeCertExtensions(cert)) < 0) { |
wolfSSL | 0:d92f9d21154c | 4343 | if (ret == ASN_CRIT_EXT_E) |
wolfSSL | 0:d92f9d21154c | 4344 | criticalExt = ret; |
wolfSSL | 0:d92f9d21154c | 4345 | else |
wolfSSL | 0:d92f9d21154c | 4346 | return ret; |
wolfSSL | 0:d92f9d21154c | 4347 | } |
wolfSSL | 0:d92f9d21154c | 4348 | |
wolfSSL | 0:d92f9d21154c | 4349 | /* advance past extensions */ |
wolfSSL | 0:d92f9d21154c | 4350 | cert->srcIdx = cert->sigIndex; |
wolfSSL | 0:d92f9d21154c | 4351 | } |
wolfSSL | 0:d92f9d21154c | 4352 | |
wolfSSL | 0:d92f9d21154c | 4353 | if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID, |
wolfSSL | 0:d92f9d21154c | 4354 | cert->maxIdx)) < 0) |
wolfSSL | 0:d92f9d21154c | 4355 | return ret; |
wolfSSL | 0:d92f9d21154c | 4356 | |
wolfSSL | 0:d92f9d21154c | 4357 | if ((ret = GetSignature(cert)) < 0) |
wolfSSL | 0:d92f9d21154c | 4358 | return ret; |
wolfSSL | 0:d92f9d21154c | 4359 | |
wolfSSL | 0:d92f9d21154c | 4360 | if (confirmOID != cert->signatureOID) |
wolfSSL | 0:d92f9d21154c | 4361 | return ASN_SIG_OID_E; |
wolfSSL | 0:d92f9d21154c | 4362 | |
wolfSSL | 0:d92f9d21154c | 4363 | #ifndef NO_SKID |
wolfSSL | 0:d92f9d21154c | 4364 | if (cert->extSubjKeyIdSet == 0 |
wolfSSL | 0:d92f9d21154c | 4365 | && cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 0:d92f9d21154c | 4366 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 4367 | ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 0:d92f9d21154c | 4368 | cert->extSubjKeyId); |
wolfSSL | 0:d92f9d21154c | 4369 | #else |
wolfSSL | 0:d92f9d21154c | 4370 | ret = wc_ShaHash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 0:d92f9d21154c | 4371 | cert->extSubjKeyId); |
wolfSSL | 0:d92f9d21154c | 4372 | #endif |
wolfSSL | 0:d92f9d21154c | 4373 | if (ret != 0) |
wolfSSL | 0:d92f9d21154c | 4374 | return ret; |
wolfSSL | 0:d92f9d21154c | 4375 | } |
wolfSSL | 0:d92f9d21154c | 4376 | #endif |
wolfSSL | 0:d92f9d21154c | 4377 | |
wolfSSL | 0:d92f9d21154c | 4378 | if (verify && type != CA_TYPE) { |
wolfSSL | 0:d92f9d21154c | 4379 | Signer* ca = NULL; |
wolfSSL | 0:d92f9d21154c | 4380 | #ifndef NO_SKID |
wolfSSL | 0:d92f9d21154c | 4381 | if (cert->extAuthKeyIdSet) |
wolfSSL | 0:d92f9d21154c | 4382 | ca = GetCA(cm, cert->extAuthKeyId); |
wolfSSL | 0:d92f9d21154c | 4383 | if (ca == NULL) |
wolfSSL | 0:d92f9d21154c | 4384 | ca = GetCAByName(cm, cert->issuerHash); |
wolfSSL | 0:d92f9d21154c | 4385 | #else /* NO_SKID */ |
wolfSSL | 0:d92f9d21154c | 4386 | ca = GetCA(cm, cert->issuerHash); |
wolfSSL | 0:d92f9d21154c | 4387 | #endif /* NO SKID */ |
wolfSSL | 0:d92f9d21154c | 4388 | WOLFSSL_MSG("About to verify certificate signature"); |
wolfSSL | 0:d92f9d21154c | 4389 | |
wolfSSL | 0:d92f9d21154c | 4390 | if (ca) { |
wolfSSL | 0:d92f9d21154c | 4391 | #ifdef HAVE_OCSP |
wolfSSL | 0:d92f9d21154c | 4392 | /* Need the ca's public key hash for OCSP */ |
wolfSSL | 0:d92f9d21154c | 4393 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 4394 | ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize, |
wolfSSL | 0:d92f9d21154c | 4395 | cert->issuerKeyHash); |
wolfSSL | 0:d92f9d21154c | 4396 | #else /* NO_SHA */ |
wolfSSL | 0:d92f9d21154c | 4397 | ret = wc_ShaHash(ca->publicKey, ca->pubKeySize, |
wolfSSL | 0:d92f9d21154c | 4398 | cert->issuerKeyHash); |
wolfSSL | 0:d92f9d21154c | 4399 | #endif /* NO_SHA */ |
wolfSSL | 0:d92f9d21154c | 4400 | if (ret != 0) |
wolfSSL | 0:d92f9d21154c | 4401 | return ret; |
wolfSSL | 0:d92f9d21154c | 4402 | #endif /* HAVE_OCSP */ |
wolfSSL | 0:d92f9d21154c | 4403 | /* try to confirm/verify signature */ |
wolfSSL | 0:d92f9d21154c | 4404 | if (!ConfirmSignature(cert->source + cert->certBegin, |
wolfSSL | 0:d92f9d21154c | 4405 | cert->sigIndex - cert->certBegin, |
wolfSSL | 0:d92f9d21154c | 4406 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 0:d92f9d21154c | 4407 | cert->signature, cert->sigLength, cert->signatureOID, |
wolfSSL | 0:d92f9d21154c | 4408 | cert->heap)) { |
wolfSSL | 0:d92f9d21154c | 4409 | WOLFSSL_MSG("Confirm signature failed"); |
wolfSSL | 0:d92f9d21154c | 4410 | return ASN_SIG_CONFIRM_E; |
wolfSSL | 0:d92f9d21154c | 4411 | } |
wolfSSL | 0:d92f9d21154c | 4412 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 4413 | /* check that this cert's name is permitted by the signer's |
wolfSSL | 0:d92f9d21154c | 4414 | * name constraints */ |
wolfSSL | 0:d92f9d21154c | 4415 | if (!ConfirmNameConstraints(ca, cert)) { |
wolfSSL | 0:d92f9d21154c | 4416 | WOLFSSL_MSG("Confirm name constraint failed"); |
wolfSSL | 0:d92f9d21154c | 4417 | return ASN_NAME_INVALID_E; |
wolfSSL | 0:d92f9d21154c | 4418 | } |
wolfSSL | 0:d92f9d21154c | 4419 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 4420 | } |
wolfSSL | 0:d92f9d21154c | 4421 | else { |
wolfSSL | 0:d92f9d21154c | 4422 | /* no signer */ |
wolfSSL | 0:d92f9d21154c | 4423 | WOLFSSL_MSG("No CA signer to verify with"); |
wolfSSL | 0:d92f9d21154c | 4424 | return ASN_NO_SIGNER_E; |
wolfSSL | 0:d92f9d21154c | 4425 | } |
wolfSSL | 0:d92f9d21154c | 4426 | } |
wolfSSL | 0:d92f9d21154c | 4427 | |
wolfSSL | 0:d92f9d21154c | 4428 | if (badDate != 0) |
wolfSSL | 0:d92f9d21154c | 4429 | return badDate; |
wolfSSL | 0:d92f9d21154c | 4430 | |
wolfSSL | 0:d92f9d21154c | 4431 | if (criticalExt != 0) |
wolfSSL | 0:d92f9d21154c | 4432 | return criticalExt; |
wolfSSL | 0:d92f9d21154c | 4433 | |
wolfSSL | 0:d92f9d21154c | 4434 | return 0; |
wolfSSL | 0:d92f9d21154c | 4435 | } |
wolfSSL | 0:d92f9d21154c | 4436 | |
wolfSSL | 0:d92f9d21154c | 4437 | |
wolfSSL | 0:d92f9d21154c | 4438 | /* Create and init an new signer */ |
wolfSSL | 0:d92f9d21154c | 4439 | Signer* MakeSigner(void* heap) |
wolfSSL | 0:d92f9d21154c | 4440 | { |
wolfSSL | 0:d92f9d21154c | 4441 | Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap, |
wolfSSL | 0:d92f9d21154c | 4442 | DYNAMIC_TYPE_SIGNER); |
wolfSSL | 0:d92f9d21154c | 4443 | if (signer) { |
wolfSSL | 0:d92f9d21154c | 4444 | signer->pubKeySize = 0; |
wolfSSL | 0:d92f9d21154c | 4445 | signer->keyOID = 0; |
wolfSSL | 0:d92f9d21154c | 4446 | signer->publicKey = NULL; |
wolfSSL | 0:d92f9d21154c | 4447 | signer->nameLen = 0; |
wolfSSL | 0:d92f9d21154c | 4448 | signer->name = NULL; |
wolfSSL | 0:d92f9d21154c | 4449 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 4450 | signer->permittedNames = NULL; |
wolfSSL | 0:d92f9d21154c | 4451 | signer->excludedNames = NULL; |
wolfSSL | 0:d92f9d21154c | 4452 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 0:d92f9d21154c | 4453 | signer->next = NULL; |
wolfSSL | 0:d92f9d21154c | 4454 | } |
wolfSSL | 0:d92f9d21154c | 4455 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 4456 | |
wolfSSL | 0:d92f9d21154c | 4457 | return signer; |
wolfSSL | 0:d92f9d21154c | 4458 | } |
wolfSSL | 0:d92f9d21154c | 4459 | |
wolfSSL | 0:d92f9d21154c | 4460 | |
wolfSSL | 0:d92f9d21154c | 4461 | /* Free an individual signer */ |
wolfSSL | 0:d92f9d21154c | 4462 | void FreeSigner(Signer* signer, void* heap) |
wolfSSL | 0:d92f9d21154c | 4463 | { |
wolfSSL | 0:d92f9d21154c | 4464 | XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 0:d92f9d21154c | 4465 | XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 0:d92f9d21154c | 4466 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 0:d92f9d21154c | 4467 | if (signer->permittedNames) |
wolfSSL | 0:d92f9d21154c | 4468 | FreeNameSubtrees(signer->permittedNames, heap); |
wolfSSL | 0:d92f9d21154c | 4469 | if (signer->excludedNames) |
wolfSSL | 0:d92f9d21154c | 4470 | FreeNameSubtrees(signer->excludedNames, heap); |
wolfSSL | 0:d92f9d21154c | 4471 | #endif |
wolfSSL | 0:d92f9d21154c | 4472 | XFREE(signer, heap, DYNAMIC_TYPE_SIGNER); |
wolfSSL | 0:d92f9d21154c | 4473 | |
wolfSSL | 0:d92f9d21154c | 4474 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 4475 | } |
wolfSSL | 0:d92f9d21154c | 4476 | |
wolfSSL | 0:d92f9d21154c | 4477 | |
wolfSSL | 0:d92f9d21154c | 4478 | /* Free the whole singer table with number of rows */ |
wolfSSL | 0:d92f9d21154c | 4479 | void FreeSignerTable(Signer** table, int rows, void* heap) |
wolfSSL | 0:d92f9d21154c | 4480 | { |
wolfSSL | 0:d92f9d21154c | 4481 | int i; |
wolfSSL | 0:d92f9d21154c | 4482 | |
wolfSSL | 0:d92f9d21154c | 4483 | for (i = 0; i < rows; i++) { |
wolfSSL | 0:d92f9d21154c | 4484 | Signer* signer = table[i]; |
wolfSSL | 0:d92f9d21154c | 4485 | while (signer) { |
wolfSSL | 0:d92f9d21154c | 4486 | Signer* next = signer->next; |
wolfSSL | 0:d92f9d21154c | 4487 | FreeSigner(signer, heap); |
wolfSSL | 0:d92f9d21154c | 4488 | signer = next; |
wolfSSL | 0:d92f9d21154c | 4489 | } |
wolfSSL | 0:d92f9d21154c | 4490 | table[i] = NULL; |
wolfSSL | 0:d92f9d21154c | 4491 | } |
wolfSSL | 0:d92f9d21154c | 4492 | } |
wolfSSL | 0:d92f9d21154c | 4493 | |
wolfSSL | 0:d92f9d21154c | 4494 | |
wolfSSL | 0:d92f9d21154c | 4495 | WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header) |
wolfSSL | 0:d92f9d21154c | 4496 | { |
wolfSSL | 0:d92f9d21154c | 4497 | int i = 0; |
wolfSSL | 0:d92f9d21154c | 4498 | |
wolfSSL | 0:d92f9d21154c | 4499 | if (header) { |
wolfSSL | 0:d92f9d21154c | 4500 | output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED; |
wolfSSL | 0:d92f9d21154c | 4501 | output[i++] = ASN_BIT_STRING; |
wolfSSL | 0:d92f9d21154c | 4502 | } |
wolfSSL | 0:d92f9d21154c | 4503 | output[i++] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 4504 | output[i++] = 0x01; |
wolfSSL | 0:d92f9d21154c | 4505 | output[i++] = (byte)version; |
wolfSSL | 0:d92f9d21154c | 4506 | |
wolfSSL | 0:d92f9d21154c | 4507 | return i; |
wolfSSL | 0:d92f9d21154c | 4508 | } |
wolfSSL | 0:d92f9d21154c | 4509 | |
wolfSSL | 0:d92f9d21154c | 4510 | |
wolfSSL | 0:d92f9d21154c | 4511 | WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) |
wolfSSL | 0:d92f9d21154c | 4512 | { |
wolfSSL | 0:d92f9d21154c | 4513 | int result = 0; |
wolfSSL | 0:d92f9d21154c | 4514 | |
wolfSSL | 0:d92f9d21154c | 4515 | WOLFSSL_ENTER("SetSerialNumber"); |
wolfSSL | 0:d92f9d21154c | 4516 | |
wolfSSL | 0:d92f9d21154c | 4517 | if (snSz <= EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 0:d92f9d21154c | 4518 | output[0] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 4519 | /* The serial number is always positive. When encoding the |
wolfSSL | 0:d92f9d21154c | 4520 | * INTEGER, if the MSB is 1, add a padding zero to keep the |
wolfSSL | 0:d92f9d21154c | 4521 | * number positive. */ |
wolfSSL | 0:d92f9d21154c | 4522 | if (sn[0] & 0x80) { |
wolfSSL | 0:d92f9d21154c | 4523 | output[1] = (byte)snSz + 1; |
wolfSSL | 0:d92f9d21154c | 4524 | output[2] = 0; |
wolfSSL | 0:d92f9d21154c | 4525 | XMEMCPY(&output[3], sn, snSz); |
wolfSSL | 0:d92f9d21154c | 4526 | result = snSz + 3; |
wolfSSL | 0:d92f9d21154c | 4527 | } |
wolfSSL | 0:d92f9d21154c | 4528 | else { |
wolfSSL | 0:d92f9d21154c | 4529 | output[1] = (byte)snSz; |
wolfSSL | 0:d92f9d21154c | 4530 | XMEMCPY(&output[2], sn, snSz); |
wolfSSL | 0:d92f9d21154c | 4531 | result = snSz + 2; |
wolfSSL | 0:d92f9d21154c | 4532 | } |
wolfSSL | 0:d92f9d21154c | 4533 | } |
wolfSSL | 0:d92f9d21154c | 4534 | return result; |
wolfSSL | 0:d92f9d21154c | 4535 | } |
wolfSSL | 0:d92f9d21154c | 4536 | |
wolfSSL | 0:d92f9d21154c | 4537 | |
wolfSSL | 0:d92f9d21154c | 4538 | |
wolfSSL | 0:d92f9d21154c | 4539 | |
wolfSSL | 0:d92f9d21154c | 4540 | #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) |
wolfSSL | 0:d92f9d21154c | 4541 | |
wolfSSL | 0:d92f9d21154c | 4542 | /* convert der buffer to pem into output, can't do inplace, der and output |
wolfSSL | 0:d92f9d21154c | 4543 | need to be different */ |
wolfSSL | 0:d92f9d21154c | 4544 | int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, |
wolfSSL | 0:d92f9d21154c | 4545 | int type) |
wolfSSL | 0:d92f9d21154c | 4546 | { |
wolfSSL | 0:d92f9d21154c | 4547 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4548 | char* header = NULL; |
wolfSSL | 0:d92f9d21154c | 4549 | char* footer = NULL; |
wolfSSL | 0:d92f9d21154c | 4550 | #else |
wolfSSL | 0:d92f9d21154c | 4551 | char header[80]; |
wolfSSL | 0:d92f9d21154c | 4552 | char footer[80]; |
wolfSSL | 0:d92f9d21154c | 4553 | #endif |
wolfSSL | 0:d92f9d21154c | 4554 | |
wolfSSL | 0:d92f9d21154c | 4555 | int headerLen = 80; |
wolfSSL | 0:d92f9d21154c | 4556 | int footerLen = 80; |
wolfSSL | 0:d92f9d21154c | 4557 | int i; |
wolfSSL | 0:d92f9d21154c | 4558 | int err; |
wolfSSL | 0:d92f9d21154c | 4559 | int outLen; /* return length or error */ |
wolfSSL | 0:d92f9d21154c | 4560 | |
wolfSSL | 0:d92f9d21154c | 4561 | if (der == output) /* no in place conversion */ |
wolfSSL | 0:d92f9d21154c | 4562 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4563 | |
wolfSSL | 0:d92f9d21154c | 4564 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4565 | header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4566 | if (header == NULL) |
wolfSSL | 0:d92f9d21154c | 4567 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4568 | |
wolfSSL | 0:d92f9d21154c | 4569 | footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4570 | if (footer == NULL) { |
wolfSSL | 0:d92f9d21154c | 4571 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4572 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4573 | } |
wolfSSL | 0:d92f9d21154c | 4574 | #endif |
wolfSSL | 0:d92f9d21154c | 4575 | |
wolfSSL | 0:d92f9d21154c | 4576 | if (type == CERT_TYPE) { |
wolfSSL | 0:d92f9d21154c | 4577 | XSTRNCPY(header, "-----BEGIN CERTIFICATE-----\n", headerLen); |
wolfSSL | 0:d92f9d21154c | 4578 | XSTRNCPY(footer, "-----END CERTIFICATE-----\n", footerLen); |
wolfSSL | 0:d92f9d21154c | 4579 | } |
wolfSSL | 0:d92f9d21154c | 4580 | else if (type == PRIVATEKEY_TYPE) { |
wolfSSL | 0:d92f9d21154c | 4581 | XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----\n", headerLen); |
wolfSSL | 0:d92f9d21154c | 4582 | XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----\n", footerLen); |
wolfSSL | 0:d92f9d21154c | 4583 | } |
wolfSSL | 0:d92f9d21154c | 4584 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 4585 | else if (type == ECC_PRIVATEKEY_TYPE) { |
wolfSSL | 0:d92f9d21154c | 4586 | XSTRNCPY(header, "-----BEGIN EC PRIVATE KEY-----\n", headerLen); |
wolfSSL | 0:d92f9d21154c | 4587 | XSTRNCPY(footer, "-----END EC PRIVATE KEY-----\n", footerLen); |
wolfSSL | 0:d92f9d21154c | 4588 | } |
wolfSSL | 0:d92f9d21154c | 4589 | #endif |
wolfSSL | 0:d92f9d21154c | 4590 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 4591 | else if (type == CERTREQ_TYPE) |
wolfSSL | 0:d92f9d21154c | 4592 | { |
wolfSSL | 0:d92f9d21154c | 4593 | XSTRNCPY(header, |
wolfSSL | 0:d92f9d21154c | 4594 | "-----BEGIN CERTIFICATE REQUEST-----\n", headerLen); |
wolfSSL | 0:d92f9d21154c | 4595 | XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----\n", footerLen); |
wolfSSL | 0:d92f9d21154c | 4596 | } |
wolfSSL | 0:d92f9d21154c | 4597 | #endif |
wolfSSL | 0:d92f9d21154c | 4598 | else { |
wolfSSL | 0:d92f9d21154c | 4599 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4600 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4601 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4602 | #endif |
wolfSSL | 0:d92f9d21154c | 4603 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4604 | } |
wolfSSL | 0:d92f9d21154c | 4605 | |
wolfSSL | 0:d92f9d21154c | 4606 | headerLen = (int)XSTRLEN(header); |
wolfSSL | 0:d92f9d21154c | 4607 | footerLen = (int)XSTRLEN(footer); |
wolfSSL | 0:d92f9d21154c | 4608 | |
wolfSSL | 0:d92f9d21154c | 4609 | if (!der || !output) { |
wolfSSL | 0:d92f9d21154c | 4610 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4611 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4612 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4613 | #endif |
wolfSSL | 0:d92f9d21154c | 4614 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4615 | } |
wolfSSL | 0:d92f9d21154c | 4616 | |
wolfSSL | 0:d92f9d21154c | 4617 | /* don't even try if outSz too short */ |
wolfSSL | 0:d92f9d21154c | 4618 | if (outSz < headerLen + footerLen + derSz) { |
wolfSSL | 0:d92f9d21154c | 4619 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4620 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4621 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4622 | #endif |
wolfSSL | 0:d92f9d21154c | 4623 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4624 | } |
wolfSSL | 0:d92f9d21154c | 4625 | |
wolfSSL | 0:d92f9d21154c | 4626 | /* header */ |
wolfSSL | 0:d92f9d21154c | 4627 | XMEMCPY(output, header, headerLen); |
wolfSSL | 0:d92f9d21154c | 4628 | i = headerLen; |
wolfSSL | 0:d92f9d21154c | 4629 | |
wolfSSL | 0:d92f9d21154c | 4630 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4631 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4632 | #endif |
wolfSSL | 0:d92f9d21154c | 4633 | |
wolfSSL | 0:d92f9d21154c | 4634 | /* body */ |
wolfSSL | 0:d92f9d21154c | 4635 | outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */ |
wolfSSL | 0:d92f9d21154c | 4636 | if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) { |
wolfSSL | 0:d92f9d21154c | 4637 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4638 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4639 | #endif |
wolfSSL | 0:d92f9d21154c | 4640 | return err; |
wolfSSL | 0:d92f9d21154c | 4641 | } |
wolfSSL | 0:d92f9d21154c | 4642 | i += outLen; |
wolfSSL | 0:d92f9d21154c | 4643 | |
wolfSSL | 0:d92f9d21154c | 4644 | /* footer */ |
wolfSSL | 0:d92f9d21154c | 4645 | if ( (i + footerLen) > (int)outSz) { |
wolfSSL | 0:d92f9d21154c | 4646 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4647 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4648 | #endif |
wolfSSL | 0:d92f9d21154c | 4649 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4650 | } |
wolfSSL | 0:d92f9d21154c | 4651 | XMEMCPY(output + i, footer, footerLen); |
wolfSSL | 0:d92f9d21154c | 4652 | |
wolfSSL | 0:d92f9d21154c | 4653 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4654 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4655 | #endif |
wolfSSL | 0:d92f9d21154c | 4656 | |
wolfSSL | 0:d92f9d21154c | 4657 | return outLen + headerLen + footerLen; |
wolfSSL | 0:d92f9d21154c | 4658 | } |
wolfSSL | 0:d92f9d21154c | 4659 | |
wolfSSL | 0:d92f9d21154c | 4660 | |
wolfSSL | 0:d92f9d21154c | 4661 | #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 4662 | |
wolfSSL | 0:d92f9d21154c | 4663 | |
wolfSSL | 0:d92f9d21154c | 4664 | #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) |
wolfSSL | 0:d92f9d21154c | 4665 | |
wolfSSL | 0:d92f9d21154c | 4666 | |
wolfSSL | 0:d92f9d21154c | 4667 | static mp_int* GetRsaInt(RsaKey* key, int idx) |
wolfSSL | 0:d92f9d21154c | 4668 | { |
wolfSSL | 0:d92f9d21154c | 4669 | if (idx == 0) |
wolfSSL | 0:d92f9d21154c | 4670 | return &key->n; |
wolfSSL | 0:d92f9d21154c | 4671 | if (idx == 1) |
wolfSSL | 0:d92f9d21154c | 4672 | return &key->e; |
wolfSSL | 0:d92f9d21154c | 4673 | if (idx == 2) |
wolfSSL | 0:d92f9d21154c | 4674 | return &key->d; |
wolfSSL | 0:d92f9d21154c | 4675 | if (idx == 3) |
wolfSSL | 0:d92f9d21154c | 4676 | return &key->p; |
wolfSSL | 0:d92f9d21154c | 4677 | if (idx == 4) |
wolfSSL | 0:d92f9d21154c | 4678 | return &key->q; |
wolfSSL | 0:d92f9d21154c | 4679 | if (idx == 5) |
wolfSSL | 0:d92f9d21154c | 4680 | return &key->dP; |
wolfSSL | 0:d92f9d21154c | 4681 | if (idx == 6) |
wolfSSL | 0:d92f9d21154c | 4682 | return &key->dQ; |
wolfSSL | 0:d92f9d21154c | 4683 | if (idx == 7) |
wolfSSL | 0:d92f9d21154c | 4684 | return &key->u; |
wolfSSL | 0:d92f9d21154c | 4685 | |
wolfSSL | 0:d92f9d21154c | 4686 | return NULL; |
wolfSSL | 0:d92f9d21154c | 4687 | } |
wolfSSL | 0:d92f9d21154c | 4688 | |
wolfSSL | 0:d92f9d21154c | 4689 | |
wolfSSL | 0:d92f9d21154c | 4690 | /* Release Tmp RSA resources */ |
wolfSSL | 0:d92f9d21154c | 4691 | static INLINE void FreeTmpRsas(byte** tmps, void* heap) |
wolfSSL | 0:d92f9d21154c | 4692 | { |
wolfSSL | 0:d92f9d21154c | 4693 | int i; |
wolfSSL | 0:d92f9d21154c | 4694 | |
wolfSSL | 0:d92f9d21154c | 4695 | (void)heap; |
wolfSSL | 0:d92f9d21154c | 4696 | |
wolfSSL | 0:d92f9d21154c | 4697 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 0:d92f9d21154c | 4698 | XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 0:d92f9d21154c | 4699 | } |
wolfSSL | 0:d92f9d21154c | 4700 | |
wolfSSL | 0:d92f9d21154c | 4701 | |
wolfSSL | 0:d92f9d21154c | 4702 | /* Convert RsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 0:d92f9d21154c | 4703 | written */ |
wolfSSL | 0:d92f9d21154c | 4704 | int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 0:d92f9d21154c | 4705 | { |
wolfSSL | 0:d92f9d21154c | 4706 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 0:d92f9d21154c | 4707 | word32 sizes[RSA_INTS]; |
wolfSSL | 0:d92f9d21154c | 4708 | int i, j, outLen, ret = 0; |
wolfSSL | 0:d92f9d21154c | 4709 | |
wolfSSL | 0:d92f9d21154c | 4710 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 4711 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 0:d92f9d21154c | 4712 | byte* tmps[RSA_INTS]; |
wolfSSL | 0:d92f9d21154c | 4713 | |
wolfSSL | 0:d92f9d21154c | 4714 | if (!key || !output) |
wolfSSL | 0:d92f9d21154c | 4715 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4716 | |
wolfSSL | 0:d92f9d21154c | 4717 | if (key->type != RSA_PRIVATE) |
wolfSSL | 0:d92f9d21154c | 4718 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4719 | |
wolfSSL | 0:d92f9d21154c | 4720 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 0:d92f9d21154c | 4721 | tmps[i] = NULL; |
wolfSSL | 0:d92f9d21154c | 4722 | |
wolfSSL | 0:d92f9d21154c | 4723 | /* write all big ints from key to DER tmps */ |
wolfSSL | 0:d92f9d21154c | 4724 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 0:d92f9d21154c | 4725 | mp_int* keyInt = GetRsaInt(key, i); |
wolfSSL | 0:d92f9d21154c | 4726 | rawLen = mp_unsigned_bin_size(keyInt); |
wolfSSL | 0:d92f9d21154c | 4727 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 0:d92f9d21154c | 4728 | DYNAMIC_TYPE_RSA); |
wolfSSL | 0:d92f9d21154c | 4729 | if (tmps[i] == NULL) { |
wolfSSL | 0:d92f9d21154c | 4730 | ret = MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4731 | break; |
wolfSSL | 0:d92f9d21154c | 4732 | } |
wolfSSL | 0:d92f9d21154c | 4733 | |
wolfSSL | 0:d92f9d21154c | 4734 | tmps[i][0] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 4735 | sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1; /* int tag */ |
wolfSSL | 0:d92f9d21154c | 4736 | |
wolfSSL | 0:d92f9d21154c | 4737 | if (sizes[i] <= MAX_SEQ_SZ) { |
wolfSSL | 0:d92f9d21154c | 4738 | int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); |
wolfSSL | 0:d92f9d21154c | 4739 | if (err == MP_OKAY) { |
wolfSSL | 0:d92f9d21154c | 4740 | sizes[i] += rawLen; |
wolfSSL | 0:d92f9d21154c | 4741 | intTotalLen += sizes[i]; |
wolfSSL | 0:d92f9d21154c | 4742 | } |
wolfSSL | 0:d92f9d21154c | 4743 | else { |
wolfSSL | 0:d92f9d21154c | 4744 | ret = err; |
wolfSSL | 0:d92f9d21154c | 4745 | break; |
wolfSSL | 0:d92f9d21154c | 4746 | } |
wolfSSL | 0:d92f9d21154c | 4747 | } |
wolfSSL | 0:d92f9d21154c | 4748 | else { |
wolfSSL | 0:d92f9d21154c | 4749 | ret = ASN_INPUT_E; |
wolfSSL | 0:d92f9d21154c | 4750 | break; |
wolfSSL | 0:d92f9d21154c | 4751 | } |
wolfSSL | 0:d92f9d21154c | 4752 | } |
wolfSSL | 0:d92f9d21154c | 4753 | |
wolfSSL | 0:d92f9d21154c | 4754 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 4755 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 0:d92f9d21154c | 4756 | return ret; |
wolfSSL | 0:d92f9d21154c | 4757 | } |
wolfSSL | 0:d92f9d21154c | 4758 | |
wolfSSL | 0:d92f9d21154c | 4759 | /* make headers */ |
wolfSSL | 0:d92f9d21154c | 4760 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 0:d92f9d21154c | 4761 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 0:d92f9d21154c | 4762 | |
wolfSSL | 0:d92f9d21154c | 4763 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 0:d92f9d21154c | 4764 | if (outLen > (int)inLen) |
wolfSSL | 0:d92f9d21154c | 4765 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 4766 | |
wolfSSL | 0:d92f9d21154c | 4767 | /* write to output */ |
wolfSSL | 0:d92f9d21154c | 4768 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 0:d92f9d21154c | 4769 | j = seqSz; |
wolfSSL | 0:d92f9d21154c | 4770 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 0:d92f9d21154c | 4771 | j += verSz; |
wolfSSL | 0:d92f9d21154c | 4772 | |
wolfSSL | 0:d92f9d21154c | 4773 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 0:d92f9d21154c | 4774 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 0:d92f9d21154c | 4775 | j += sizes[i]; |
wolfSSL | 0:d92f9d21154c | 4776 | } |
wolfSSL | 0:d92f9d21154c | 4777 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 0:d92f9d21154c | 4778 | |
wolfSSL | 0:d92f9d21154c | 4779 | return outLen; |
wolfSSL | 0:d92f9d21154c | 4780 | } |
wolfSSL | 0:d92f9d21154c | 4781 | |
wolfSSL | 0:d92f9d21154c | 4782 | #endif /* WOLFSSL_KEY_GEN && !NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 4783 | |
wolfSSL | 0:d92f9d21154c | 4784 | |
wolfSSL | 0:d92f9d21154c | 4785 | #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) |
wolfSSL | 0:d92f9d21154c | 4786 | |
wolfSSL | 0:d92f9d21154c | 4787 | |
wolfSSL | 0:d92f9d21154c | 4788 | #ifndef WOLFSSL_HAVE_MIN |
wolfSSL | 0:d92f9d21154c | 4789 | #define WOLFSSL_HAVE_MIN |
wolfSSL | 0:d92f9d21154c | 4790 | |
wolfSSL | 0:d92f9d21154c | 4791 | static INLINE word32 min(word32 a, word32 b) |
wolfSSL | 0:d92f9d21154c | 4792 | { |
wolfSSL | 0:d92f9d21154c | 4793 | return a > b ? b : a; |
wolfSSL | 0:d92f9d21154c | 4794 | } |
wolfSSL | 0:d92f9d21154c | 4795 | |
wolfSSL | 0:d92f9d21154c | 4796 | #endif /* WOLFSSL_HAVE_MIN */ |
wolfSSL | 0:d92f9d21154c | 4797 | |
wolfSSL | 0:d92f9d21154c | 4798 | |
wolfSSL | 0:d92f9d21154c | 4799 | /* Initialize and Set Certficate defaults: |
wolfSSL | 0:d92f9d21154c | 4800 | version = 3 (0x2) |
wolfSSL | 0:d92f9d21154c | 4801 | serial = 0 |
wolfSSL | 0:d92f9d21154c | 4802 | sigType = SHA_WITH_RSA |
wolfSSL | 0:d92f9d21154c | 4803 | issuer = blank |
wolfSSL | 0:d92f9d21154c | 4804 | daysValid = 500 |
wolfSSL | 0:d92f9d21154c | 4805 | selfSigned = 1 (true) use subject as issuer |
wolfSSL | 0:d92f9d21154c | 4806 | subject = blank |
wolfSSL | 0:d92f9d21154c | 4807 | */ |
wolfSSL | 0:d92f9d21154c | 4808 | void wc_InitCert(Cert* cert) |
wolfSSL | 0:d92f9d21154c | 4809 | { |
wolfSSL | 0:d92f9d21154c | 4810 | cert->version = 2; /* version 3 is hex 2 */ |
wolfSSL | 0:d92f9d21154c | 4811 | cert->sigType = CTC_SHAwRSA; |
wolfSSL | 0:d92f9d21154c | 4812 | cert->daysValid = 500; |
wolfSSL | 0:d92f9d21154c | 4813 | cert->selfSigned = 1; |
wolfSSL | 0:d92f9d21154c | 4814 | cert->isCA = 0; |
wolfSSL | 0:d92f9d21154c | 4815 | cert->bodySz = 0; |
wolfSSL | 0:d92f9d21154c | 4816 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 4817 | cert->altNamesSz = 0; |
wolfSSL | 0:d92f9d21154c | 4818 | cert->beforeDateSz = 0; |
wolfSSL | 0:d92f9d21154c | 4819 | cert->afterDateSz = 0; |
wolfSSL | 0:d92f9d21154c | 4820 | #endif |
wolfSSL | 0:d92f9d21154c | 4821 | cert->keyType = RSA_KEY; |
wolfSSL | 0:d92f9d21154c | 4822 | XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE); |
wolfSSL | 0:d92f9d21154c | 4823 | |
wolfSSL | 0:d92f9d21154c | 4824 | cert->issuer.country[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4825 | cert->issuer.countryEnc = CTC_PRINTABLE; |
wolfSSL | 0:d92f9d21154c | 4826 | cert->issuer.state[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4827 | cert->issuer.stateEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4828 | cert->issuer.locality[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4829 | cert->issuer.localityEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4830 | cert->issuer.sur[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4831 | cert->issuer.surEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4832 | cert->issuer.org[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4833 | cert->issuer.orgEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4834 | cert->issuer.unit[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4835 | cert->issuer.unitEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4836 | cert->issuer.commonName[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4837 | cert->issuer.commonNameEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4838 | cert->issuer.email[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4839 | |
wolfSSL | 0:d92f9d21154c | 4840 | cert->subject.country[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4841 | cert->subject.countryEnc = CTC_PRINTABLE; |
wolfSSL | 0:d92f9d21154c | 4842 | cert->subject.state[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4843 | cert->subject.stateEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4844 | cert->subject.locality[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4845 | cert->subject.localityEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4846 | cert->subject.sur[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4847 | cert->subject.surEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4848 | cert->subject.org[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4849 | cert->subject.orgEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4850 | cert->subject.unit[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4851 | cert->subject.unitEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4852 | cert->subject.commonName[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4853 | cert->subject.commonNameEnc = CTC_UTF8; |
wolfSSL | 0:d92f9d21154c | 4854 | cert->subject.email[0] = '\0'; |
wolfSSL | 0:d92f9d21154c | 4855 | |
wolfSSL | 0:d92f9d21154c | 4856 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 4857 | cert->challengePw[0] ='\0'; |
wolfSSL | 0:d92f9d21154c | 4858 | #endif |
wolfSSL | 0:d92f9d21154c | 4859 | } |
wolfSSL | 0:d92f9d21154c | 4860 | |
wolfSSL | 0:d92f9d21154c | 4861 | |
wolfSSL | 0:d92f9d21154c | 4862 | /* DER encoded x509 Certificate */ |
wolfSSL | 0:d92f9d21154c | 4863 | typedef struct DerCert { |
wolfSSL | 0:d92f9d21154c | 4864 | byte size[MAX_LENGTH_SZ]; /* length encoded */ |
wolfSSL | 0:d92f9d21154c | 4865 | byte version[MAX_VERSION_SZ]; /* version encoded */ |
wolfSSL | 0:d92f9d21154c | 4866 | byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */ |
wolfSSL | 0:d92f9d21154c | 4867 | byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */ |
wolfSSL | 0:d92f9d21154c | 4868 | byte issuer[ASN_NAME_MAX]; /* issuer encoded */ |
wolfSSL | 0:d92f9d21154c | 4869 | byte subject[ASN_NAME_MAX]; /* subject encoded */ |
wolfSSL | 0:d92f9d21154c | 4870 | byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */ |
wolfSSL | 0:d92f9d21154c | 4871 | byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */ |
wolfSSL | 0:d92f9d21154c | 4872 | byte ca[MAX_CA_SZ]; /* basic constraint CA true size */ |
wolfSSL | 0:d92f9d21154c | 4873 | byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ |
wolfSSL | 0:d92f9d21154c | 4874 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 4875 | byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ |
wolfSSL | 0:d92f9d21154c | 4876 | #endif |
wolfSSL | 0:d92f9d21154c | 4877 | int sizeSz; /* encoded size length */ |
wolfSSL | 0:d92f9d21154c | 4878 | int versionSz; /* encoded version length */ |
wolfSSL | 0:d92f9d21154c | 4879 | int serialSz; /* encoded serial length */ |
wolfSSL | 0:d92f9d21154c | 4880 | int sigAlgoSz; /* enocded sig alog length */ |
wolfSSL | 0:d92f9d21154c | 4881 | int issuerSz; /* encoded issuer length */ |
wolfSSL | 0:d92f9d21154c | 4882 | int subjectSz; /* encoded subject length */ |
wolfSSL | 0:d92f9d21154c | 4883 | int validitySz; /* encoded validity length */ |
wolfSSL | 0:d92f9d21154c | 4884 | int publicKeySz; /* encoded public key length */ |
wolfSSL | 0:d92f9d21154c | 4885 | int caSz; /* encoded CA extension length */ |
wolfSSL | 0:d92f9d21154c | 4886 | int extensionsSz; /* encoded extensions total length */ |
wolfSSL | 0:d92f9d21154c | 4887 | int total; /* total encoded lengths */ |
wolfSSL | 0:d92f9d21154c | 4888 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 4889 | int attribSz; |
wolfSSL | 0:d92f9d21154c | 4890 | #endif |
wolfSSL | 0:d92f9d21154c | 4891 | } DerCert; |
wolfSSL | 0:d92f9d21154c | 4892 | |
wolfSSL | 0:d92f9d21154c | 4893 | |
wolfSSL | 0:d92f9d21154c | 4894 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 4895 | |
wolfSSL | 0:d92f9d21154c | 4896 | /* Write a set header to output */ |
wolfSSL | 0:d92f9d21154c | 4897 | static word32 SetUTF8String(word32 len, byte* output) |
wolfSSL | 0:d92f9d21154c | 4898 | { |
wolfSSL | 0:d92f9d21154c | 4899 | output[0] = ASN_UTF8STRING; |
wolfSSL | 0:d92f9d21154c | 4900 | return SetLength(len, output + 1) + 1; |
wolfSSL | 0:d92f9d21154c | 4901 | } |
wolfSSL | 0:d92f9d21154c | 4902 | |
wolfSSL | 0:d92f9d21154c | 4903 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 0:d92f9d21154c | 4904 | |
wolfSSL | 0:d92f9d21154c | 4905 | |
wolfSSL | 0:d92f9d21154c | 4906 | /* Write a serial number to output */ |
wolfSSL | 0:d92f9d21154c | 4907 | static int SetSerial(const byte* serial, byte* output) |
wolfSSL | 0:d92f9d21154c | 4908 | { |
wolfSSL | 0:d92f9d21154c | 4909 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 4910 | |
wolfSSL | 0:d92f9d21154c | 4911 | output[length++] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 4912 | length += SetLength(CTC_SERIAL_SIZE, &output[length]); |
wolfSSL | 0:d92f9d21154c | 4913 | XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE); |
wolfSSL | 0:d92f9d21154c | 4914 | |
wolfSSL | 0:d92f9d21154c | 4915 | return length + CTC_SERIAL_SIZE; |
wolfSSL | 0:d92f9d21154c | 4916 | } |
wolfSSL | 0:d92f9d21154c | 4917 | |
wolfSSL | 0:d92f9d21154c | 4918 | |
wolfSSL | 0:d92f9d21154c | 4919 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 4920 | |
wolfSSL | 0:d92f9d21154c | 4921 | |
wolfSSL | 0:d92f9d21154c | 4922 | /* Write a public ECC key to output */ |
wolfSSL | 0:d92f9d21154c | 4923 | static int SetEccPublicKey(byte* output, ecc_key* key) |
wolfSSL | 0:d92f9d21154c | 4924 | { |
wolfSSL | 0:d92f9d21154c | 4925 | byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */ |
wolfSSL | 0:d92f9d21154c | 4926 | int algoSz; |
wolfSSL | 0:d92f9d21154c | 4927 | int curveSz; |
wolfSSL | 0:d92f9d21154c | 4928 | int lenSz; |
wolfSSL | 0:d92f9d21154c | 4929 | int idx; |
wolfSSL | 0:d92f9d21154c | 4930 | word32 pubSz = ECC_BUFSIZE; |
wolfSSL | 0:d92f9d21154c | 4931 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4932 | byte* algo = NULL; |
wolfSSL | 0:d92f9d21154c | 4933 | byte* curve = NULL; |
wolfSSL | 0:d92f9d21154c | 4934 | byte* pub = NULL; |
wolfSSL | 0:d92f9d21154c | 4935 | #else |
wolfSSL | 0:d92f9d21154c | 4936 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 4937 | byte curve[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 4938 | byte pub[ECC_BUFSIZE]; |
wolfSSL | 0:d92f9d21154c | 4939 | #endif |
wolfSSL | 0:d92f9d21154c | 4940 | |
wolfSSL | 0:d92f9d21154c | 4941 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4942 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4943 | if (pub == NULL) |
wolfSSL | 0:d92f9d21154c | 4944 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4945 | #endif |
wolfSSL | 0:d92f9d21154c | 4946 | |
wolfSSL | 0:d92f9d21154c | 4947 | int ret = wc_ecc_export_x963(key, pub, &pubSz); |
wolfSSL | 0:d92f9d21154c | 4948 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 4949 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4950 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4951 | #endif |
wolfSSL | 0:d92f9d21154c | 4952 | return ret; |
wolfSSL | 0:d92f9d21154c | 4953 | } |
wolfSSL | 0:d92f9d21154c | 4954 | |
wolfSSL | 0:d92f9d21154c | 4955 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4956 | curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4957 | if (curve == NULL) { |
wolfSSL | 0:d92f9d21154c | 4958 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4959 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4960 | } |
wolfSSL | 0:d92f9d21154c | 4961 | #endif |
wolfSSL | 0:d92f9d21154c | 4962 | |
wolfSSL | 0:d92f9d21154c | 4963 | /* headers */ |
wolfSSL | 0:d92f9d21154c | 4964 | curveSz = SetCurve(key, curve); |
wolfSSL | 0:d92f9d21154c | 4965 | if (curveSz <= 0) { |
wolfSSL | 0:d92f9d21154c | 4966 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4967 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4968 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4969 | #endif |
wolfSSL | 0:d92f9d21154c | 4970 | return curveSz; |
wolfSSL | 0:d92f9d21154c | 4971 | } |
wolfSSL | 0:d92f9d21154c | 4972 | |
wolfSSL | 0:d92f9d21154c | 4973 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 4974 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4975 | if (algo == NULL) { |
wolfSSL | 0:d92f9d21154c | 4976 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4977 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 4978 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 4979 | } |
wolfSSL | 0:d92f9d21154c | 4980 | #endif |
wolfSSL | 0:d92f9d21154c | 4981 | |
wolfSSL | 0:d92f9d21154c | 4982 | algoSz = SetAlgoID(ECDSAk, algo, keyType, curveSz); |
wolfSSL | 0:d92f9d21154c | 4983 | lenSz = SetLength(pubSz + 1, len); |
wolfSSL | 0:d92f9d21154c | 4984 | len[lenSz++] = 0; /* trailing 0 */ |
wolfSSL | 0:d92f9d21154c | 4985 | |
wolfSSL | 0:d92f9d21154c | 4986 | /* write */ |
wolfSSL | 0:d92f9d21154c | 4987 | idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output); |
wolfSSL | 0:d92f9d21154c | 4988 | /* 1 is for ASN_BIT_STRING */ |
wolfSSL | 0:d92f9d21154c | 4989 | /* algo */ |
wolfSSL | 0:d92f9d21154c | 4990 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 0:d92f9d21154c | 4991 | idx += algoSz; |
wolfSSL | 0:d92f9d21154c | 4992 | /* curve */ |
wolfSSL | 0:d92f9d21154c | 4993 | XMEMCPY(output + idx, curve, curveSz); |
wolfSSL | 0:d92f9d21154c | 4994 | idx += curveSz; |
wolfSSL | 0:d92f9d21154c | 4995 | /* bit string */ |
wolfSSL | 0:d92f9d21154c | 4996 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 0:d92f9d21154c | 4997 | /* length */ |
wolfSSL | 0:d92f9d21154c | 4998 | XMEMCPY(output + idx, len, lenSz); |
wolfSSL | 0:d92f9d21154c | 4999 | idx += lenSz; |
wolfSSL | 0:d92f9d21154c | 5000 | /* pub */ |
wolfSSL | 0:d92f9d21154c | 5001 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 0:d92f9d21154c | 5002 | idx += pubSz; |
wolfSSL | 0:d92f9d21154c | 5003 | |
wolfSSL | 0:d92f9d21154c | 5004 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5005 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5006 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5007 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5008 | #endif |
wolfSSL | 0:d92f9d21154c | 5009 | |
wolfSSL | 0:d92f9d21154c | 5010 | return idx; |
wolfSSL | 0:d92f9d21154c | 5011 | } |
wolfSSL | 0:d92f9d21154c | 5012 | |
wolfSSL | 0:d92f9d21154c | 5013 | |
wolfSSL | 0:d92f9d21154c | 5014 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 5015 | |
wolfSSL | 0:d92f9d21154c | 5016 | |
wolfSSL | 0:d92f9d21154c | 5017 | /* Write a public RSA key to output */ |
wolfSSL | 0:d92f9d21154c | 5018 | static int SetRsaPublicKey(byte* output, RsaKey* key) |
wolfSSL | 0:d92f9d21154c | 5019 | { |
wolfSSL | 0:d92f9d21154c | 5020 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5021 | byte* n = NULL; |
wolfSSL | 0:d92f9d21154c | 5022 | byte* e = NULL; |
wolfSSL | 0:d92f9d21154c | 5023 | byte* algo = NULL; |
wolfSSL | 0:d92f9d21154c | 5024 | #else |
wolfSSL | 0:d92f9d21154c | 5025 | byte n[MAX_RSA_INT_SZ]; |
wolfSSL | 0:d92f9d21154c | 5026 | byte e[MAX_RSA_E_SZ]; |
wolfSSL | 0:d92f9d21154c | 5027 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 5028 | #endif |
wolfSSL | 0:d92f9d21154c | 5029 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5030 | byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */ |
wolfSSL | 0:d92f9d21154c | 5031 | int nSz; |
wolfSSL | 0:d92f9d21154c | 5032 | int eSz; |
wolfSSL | 0:d92f9d21154c | 5033 | int algoSz; |
wolfSSL | 0:d92f9d21154c | 5034 | int seqSz; |
wolfSSL | 0:d92f9d21154c | 5035 | int lenSz; |
wolfSSL | 0:d92f9d21154c | 5036 | int idx; |
wolfSSL | 0:d92f9d21154c | 5037 | int rawLen; |
wolfSSL | 0:d92f9d21154c | 5038 | int leadingBit; |
wolfSSL | 0:d92f9d21154c | 5039 | int err; |
wolfSSL | 0:d92f9d21154c | 5040 | |
wolfSSL | 0:d92f9d21154c | 5041 | /* n */ |
wolfSSL | 0:d92f9d21154c | 5042 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5043 | n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5044 | if (n == NULL) |
wolfSSL | 0:d92f9d21154c | 5045 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5046 | #endif |
wolfSSL | 0:d92f9d21154c | 5047 | |
wolfSSL | 0:d92f9d21154c | 5048 | leadingBit = mp_leading_bit(&key->n); |
wolfSSL | 0:d92f9d21154c | 5049 | rawLen = mp_unsigned_bin_size(&key->n) + leadingBit; |
wolfSSL | 0:d92f9d21154c | 5050 | n[0] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 5051 | nSz = SetLength(rawLen, n + 1) + 1; /* int tag */ |
wolfSSL | 0:d92f9d21154c | 5052 | |
wolfSSL | 0:d92f9d21154c | 5053 | if ( (nSz + rawLen) < MAX_RSA_INT_SZ) { |
wolfSSL | 0:d92f9d21154c | 5054 | if (leadingBit) |
wolfSSL | 0:d92f9d21154c | 5055 | n[nSz] = 0; |
wolfSSL | 0:d92f9d21154c | 5056 | err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit); |
wolfSSL | 0:d92f9d21154c | 5057 | if (err == MP_OKAY) |
wolfSSL | 0:d92f9d21154c | 5058 | nSz += rawLen; |
wolfSSL | 0:d92f9d21154c | 5059 | else { |
wolfSSL | 0:d92f9d21154c | 5060 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5061 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5062 | #endif |
wolfSSL | 0:d92f9d21154c | 5063 | return MP_TO_E; |
wolfSSL | 0:d92f9d21154c | 5064 | } |
wolfSSL | 0:d92f9d21154c | 5065 | } |
wolfSSL | 0:d92f9d21154c | 5066 | else { |
wolfSSL | 0:d92f9d21154c | 5067 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5068 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5069 | #endif |
wolfSSL | 0:d92f9d21154c | 5070 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 5071 | } |
wolfSSL | 0:d92f9d21154c | 5072 | |
wolfSSL | 0:d92f9d21154c | 5073 | /* e */ |
wolfSSL | 0:d92f9d21154c | 5074 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5075 | e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5076 | if (e == NULL) { |
wolfSSL | 0:d92f9d21154c | 5077 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5078 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5079 | #endif |
wolfSSL | 0:d92f9d21154c | 5080 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5081 | } |
wolfSSL | 0:d92f9d21154c | 5082 | #endif |
wolfSSL | 0:d92f9d21154c | 5083 | |
wolfSSL | 0:d92f9d21154c | 5084 | leadingBit = mp_leading_bit(&key->e); |
wolfSSL | 0:d92f9d21154c | 5085 | rawLen = mp_unsigned_bin_size(&key->e) + leadingBit; |
wolfSSL | 0:d92f9d21154c | 5086 | e[0] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 5087 | eSz = SetLength(rawLen, e + 1) + 1; /* int tag */ |
wolfSSL | 0:d92f9d21154c | 5088 | |
wolfSSL | 0:d92f9d21154c | 5089 | if ( (eSz + rawLen) < MAX_RSA_E_SZ) { |
wolfSSL | 0:d92f9d21154c | 5090 | if (leadingBit) |
wolfSSL | 0:d92f9d21154c | 5091 | e[eSz] = 0; |
wolfSSL | 0:d92f9d21154c | 5092 | err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit); |
wolfSSL | 0:d92f9d21154c | 5093 | if (err == MP_OKAY) |
wolfSSL | 0:d92f9d21154c | 5094 | eSz += rawLen; |
wolfSSL | 0:d92f9d21154c | 5095 | else { |
wolfSSL | 0:d92f9d21154c | 5096 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5097 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5098 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5099 | #endif |
wolfSSL | 0:d92f9d21154c | 5100 | return MP_TO_E; |
wolfSSL | 0:d92f9d21154c | 5101 | } |
wolfSSL | 0:d92f9d21154c | 5102 | } |
wolfSSL | 0:d92f9d21154c | 5103 | else { |
wolfSSL | 0:d92f9d21154c | 5104 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5105 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5106 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5107 | #endif |
wolfSSL | 0:d92f9d21154c | 5108 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 5109 | } |
wolfSSL | 0:d92f9d21154c | 5110 | |
wolfSSL | 0:d92f9d21154c | 5111 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5112 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5113 | if (algo == NULL) { |
wolfSSL | 0:d92f9d21154c | 5114 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5115 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5116 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5117 | } |
wolfSSL | 0:d92f9d21154c | 5118 | #endif |
wolfSSL | 0:d92f9d21154c | 5119 | |
wolfSSL | 0:d92f9d21154c | 5120 | /* headers */ |
wolfSSL | 0:d92f9d21154c | 5121 | algoSz = SetAlgoID(RSAk, algo, keyType, 0); |
wolfSSL | 0:d92f9d21154c | 5122 | seqSz = SetSequence(nSz + eSz, seq); |
wolfSSL | 0:d92f9d21154c | 5123 | lenSz = SetLength(seqSz + nSz + eSz + 1, len); |
wolfSSL | 0:d92f9d21154c | 5124 | len[lenSz++] = 0; /* trailing 0 */ |
wolfSSL | 0:d92f9d21154c | 5125 | |
wolfSSL | 0:d92f9d21154c | 5126 | /* write */ |
wolfSSL | 0:d92f9d21154c | 5127 | idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output); |
wolfSSL | 0:d92f9d21154c | 5128 | /* 1 is for ASN_BIT_STRING */ |
wolfSSL | 0:d92f9d21154c | 5129 | /* algo */ |
wolfSSL | 0:d92f9d21154c | 5130 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 0:d92f9d21154c | 5131 | idx += algoSz; |
wolfSSL | 0:d92f9d21154c | 5132 | /* bit string */ |
wolfSSL | 0:d92f9d21154c | 5133 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 0:d92f9d21154c | 5134 | /* length */ |
wolfSSL | 0:d92f9d21154c | 5135 | XMEMCPY(output + idx, len, lenSz); |
wolfSSL | 0:d92f9d21154c | 5136 | idx += lenSz; |
wolfSSL | 0:d92f9d21154c | 5137 | /* seq */ |
wolfSSL | 0:d92f9d21154c | 5138 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 0:d92f9d21154c | 5139 | idx += seqSz; |
wolfSSL | 0:d92f9d21154c | 5140 | /* n */ |
wolfSSL | 0:d92f9d21154c | 5141 | XMEMCPY(output + idx, n, nSz); |
wolfSSL | 0:d92f9d21154c | 5142 | idx += nSz; |
wolfSSL | 0:d92f9d21154c | 5143 | /* e */ |
wolfSSL | 0:d92f9d21154c | 5144 | XMEMCPY(output + idx, e, eSz); |
wolfSSL | 0:d92f9d21154c | 5145 | idx += eSz; |
wolfSSL | 0:d92f9d21154c | 5146 | |
wolfSSL | 0:d92f9d21154c | 5147 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5148 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5149 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5150 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5151 | #endif |
wolfSSL | 0:d92f9d21154c | 5152 | |
wolfSSL | 0:d92f9d21154c | 5153 | return idx; |
wolfSSL | 0:d92f9d21154c | 5154 | } |
wolfSSL | 0:d92f9d21154c | 5155 | |
wolfSSL | 0:d92f9d21154c | 5156 | |
wolfSSL | 0:d92f9d21154c | 5157 | static INLINE byte itob(int number) |
wolfSSL | 0:d92f9d21154c | 5158 | { |
wolfSSL | 0:d92f9d21154c | 5159 | return (byte)number + 0x30; |
wolfSSL | 0:d92f9d21154c | 5160 | } |
wolfSSL | 0:d92f9d21154c | 5161 | |
wolfSSL | 0:d92f9d21154c | 5162 | |
wolfSSL | 0:d92f9d21154c | 5163 | /* write time to output, format */ |
wolfSSL | 0:d92f9d21154c | 5164 | static void SetTime(struct tm* date, byte* output) |
wolfSSL | 0:d92f9d21154c | 5165 | { |
wolfSSL | 0:d92f9d21154c | 5166 | int i = 0; |
wolfSSL | 0:d92f9d21154c | 5167 | |
wolfSSL | 0:d92f9d21154c | 5168 | output[i++] = itob((date->tm_year % 10000) / 1000); |
wolfSSL | 0:d92f9d21154c | 5169 | output[i++] = itob((date->tm_year % 1000) / 100); |
wolfSSL | 0:d92f9d21154c | 5170 | output[i++] = itob((date->tm_year % 100) / 10); |
wolfSSL | 0:d92f9d21154c | 5171 | output[i++] = itob( date->tm_year % 10); |
wolfSSL | 0:d92f9d21154c | 5172 | |
wolfSSL | 0:d92f9d21154c | 5173 | output[i++] = itob(date->tm_mon / 10); |
wolfSSL | 0:d92f9d21154c | 5174 | output[i++] = itob(date->tm_mon % 10); |
wolfSSL | 0:d92f9d21154c | 5175 | |
wolfSSL | 0:d92f9d21154c | 5176 | output[i++] = itob(date->tm_mday / 10); |
wolfSSL | 0:d92f9d21154c | 5177 | output[i++] = itob(date->tm_mday % 10); |
wolfSSL | 0:d92f9d21154c | 5178 | |
wolfSSL | 0:d92f9d21154c | 5179 | output[i++] = itob(date->tm_hour / 10); |
wolfSSL | 0:d92f9d21154c | 5180 | output[i++] = itob(date->tm_hour % 10); |
wolfSSL | 0:d92f9d21154c | 5181 | |
wolfSSL | 0:d92f9d21154c | 5182 | output[i++] = itob(date->tm_min / 10); |
wolfSSL | 0:d92f9d21154c | 5183 | output[i++] = itob(date->tm_min % 10); |
wolfSSL | 0:d92f9d21154c | 5184 | |
wolfSSL | 0:d92f9d21154c | 5185 | output[i++] = itob(date->tm_sec / 10); |
wolfSSL | 0:d92f9d21154c | 5186 | output[i++] = itob(date->tm_sec % 10); |
wolfSSL | 0:d92f9d21154c | 5187 | |
wolfSSL | 0:d92f9d21154c | 5188 | output[i] = 'Z'; /* Zulu profile */ |
wolfSSL | 0:d92f9d21154c | 5189 | } |
wolfSSL | 0:d92f9d21154c | 5190 | |
wolfSSL | 0:d92f9d21154c | 5191 | |
wolfSSL | 0:d92f9d21154c | 5192 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 5193 | |
wolfSSL | 0:d92f9d21154c | 5194 | /* Copy Dates from cert, return bytes written */ |
wolfSSL | 0:d92f9d21154c | 5195 | static int CopyValidity(byte* output, Cert* cert) |
wolfSSL | 0:d92f9d21154c | 5196 | { |
wolfSSL | 0:d92f9d21154c | 5197 | int seqSz; |
wolfSSL | 0:d92f9d21154c | 5198 | |
wolfSSL | 0:d92f9d21154c | 5199 | WOLFSSL_ENTER("CopyValidity"); |
wolfSSL | 0:d92f9d21154c | 5200 | |
wolfSSL | 0:d92f9d21154c | 5201 | /* headers and output */ |
wolfSSL | 0:d92f9d21154c | 5202 | seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output); |
wolfSSL | 0:d92f9d21154c | 5203 | XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz); |
wolfSSL | 0:d92f9d21154c | 5204 | XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate, |
wolfSSL | 0:d92f9d21154c | 5205 | cert->afterDateSz); |
wolfSSL | 0:d92f9d21154c | 5206 | return seqSz + cert->beforeDateSz + cert->afterDateSz; |
wolfSSL | 0:d92f9d21154c | 5207 | } |
wolfSSL | 0:d92f9d21154c | 5208 | |
wolfSSL | 0:d92f9d21154c | 5209 | #endif |
wolfSSL | 0:d92f9d21154c | 5210 | |
wolfSSL | 0:d92f9d21154c | 5211 | |
wolfSSL | 0:d92f9d21154c | 5212 | /* for systems where mktime() doesn't normalize fully */ |
wolfSSL | 0:d92f9d21154c | 5213 | static void RebuildTime(time_t* in, struct tm* out) |
wolfSSL | 0:d92f9d21154c | 5214 | { |
wolfSSL | 0:d92f9d21154c | 5215 | #ifdef FREESCALE_MQX |
wolfSSL | 0:d92f9d21154c | 5216 | out = localtime_r(in, out); |
wolfSSL | 0:d92f9d21154c | 5217 | #else |
wolfSSL | 0:d92f9d21154c | 5218 | (void)in; |
wolfSSL | 0:d92f9d21154c | 5219 | (void)out; |
wolfSSL | 0:d92f9d21154c | 5220 | #endif |
wolfSSL | 0:d92f9d21154c | 5221 | } |
wolfSSL | 0:d92f9d21154c | 5222 | |
wolfSSL | 0:d92f9d21154c | 5223 | |
wolfSSL | 0:d92f9d21154c | 5224 | /* Set Date validity from now until now + daysValid */ |
wolfSSL | 0:d92f9d21154c | 5225 | static int SetValidity(byte* output, int daysValid) |
wolfSSL | 0:d92f9d21154c | 5226 | { |
wolfSSL | 0:d92f9d21154c | 5227 | byte before[MAX_DATE_SIZE]; |
wolfSSL | 0:d92f9d21154c | 5228 | byte after[MAX_DATE_SIZE]; |
wolfSSL | 0:d92f9d21154c | 5229 | |
wolfSSL | 0:d92f9d21154c | 5230 | int beforeSz; |
wolfSSL | 0:d92f9d21154c | 5231 | int afterSz; |
wolfSSL | 0:d92f9d21154c | 5232 | int seqSz; |
wolfSSL | 0:d92f9d21154c | 5233 | |
wolfSSL | 0:d92f9d21154c | 5234 | time_t ticks; |
wolfSSL | 0:d92f9d21154c | 5235 | time_t normalTime; |
wolfSSL | 0:d92f9d21154c | 5236 | struct tm* now; |
wolfSSL | 0:d92f9d21154c | 5237 | struct tm* tmpTime = NULL; |
wolfSSL | 0:d92f9d21154c | 5238 | struct tm local; |
wolfSSL | 0:d92f9d21154c | 5239 | |
wolfSSL | 0:d92f9d21154c | 5240 | #if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) |
wolfSSL | 0:d92f9d21154c | 5241 | /* for use with gmtime_r */ |
wolfSSL | 0:d92f9d21154c | 5242 | struct tm tmpTimeStorage; |
wolfSSL | 0:d92f9d21154c | 5243 | tmpTime = &tmpTimeStorage; |
wolfSSL | 0:d92f9d21154c | 5244 | #else |
wolfSSL | 0:d92f9d21154c | 5245 | (void)tmpTime; |
wolfSSL | 0:d92f9d21154c | 5246 | #endif |
wolfSSL | 0:d92f9d21154c | 5247 | |
wolfSSL | 0:d92f9d21154c | 5248 | ticks = XTIME(0); |
wolfSSL | 0:d92f9d21154c | 5249 | now = XGMTIME(&ticks, tmpTime); |
wolfSSL | 0:d92f9d21154c | 5250 | |
wolfSSL | 0:d92f9d21154c | 5251 | /* before now */ |
wolfSSL | 0:d92f9d21154c | 5252 | local = *now; |
wolfSSL | 0:d92f9d21154c | 5253 | before[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 0:d92f9d21154c | 5254 | beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */ |
wolfSSL | 0:d92f9d21154c | 5255 | |
wolfSSL | 0:d92f9d21154c | 5256 | /* subtract 1 day for more compliance */ |
wolfSSL | 0:d92f9d21154c | 5257 | local.tm_mday -= 1; |
wolfSSL | 0:d92f9d21154c | 5258 | normalTime = mktime(&local); |
wolfSSL | 0:d92f9d21154c | 5259 | RebuildTime(&normalTime, &local); |
wolfSSL | 0:d92f9d21154c | 5260 | |
wolfSSL | 0:d92f9d21154c | 5261 | /* adjust */ |
wolfSSL | 0:d92f9d21154c | 5262 | local.tm_year += 1900; |
wolfSSL | 0:d92f9d21154c | 5263 | local.tm_mon += 1; |
wolfSSL | 0:d92f9d21154c | 5264 | |
wolfSSL | 0:d92f9d21154c | 5265 | SetTime(&local, before + beforeSz); |
wolfSSL | 0:d92f9d21154c | 5266 | beforeSz += ASN_GEN_TIME_SZ; |
wolfSSL | 0:d92f9d21154c | 5267 | |
wolfSSL | 0:d92f9d21154c | 5268 | /* after now + daysValid */ |
wolfSSL | 0:d92f9d21154c | 5269 | local = *now; |
wolfSSL | 0:d92f9d21154c | 5270 | after[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 0:d92f9d21154c | 5271 | afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */ |
wolfSSL | 0:d92f9d21154c | 5272 | |
wolfSSL | 0:d92f9d21154c | 5273 | /* add daysValid */ |
wolfSSL | 0:d92f9d21154c | 5274 | local.tm_mday += daysValid; |
wolfSSL | 0:d92f9d21154c | 5275 | normalTime = mktime(&local); |
wolfSSL | 0:d92f9d21154c | 5276 | RebuildTime(&normalTime, &local); |
wolfSSL | 0:d92f9d21154c | 5277 | |
wolfSSL | 0:d92f9d21154c | 5278 | /* adjust */ |
wolfSSL | 0:d92f9d21154c | 5279 | local.tm_year += 1900; |
wolfSSL | 0:d92f9d21154c | 5280 | local.tm_mon += 1; |
wolfSSL | 0:d92f9d21154c | 5281 | |
wolfSSL | 0:d92f9d21154c | 5282 | SetTime(&local, after + afterSz); |
wolfSSL | 0:d92f9d21154c | 5283 | afterSz += ASN_GEN_TIME_SZ; |
wolfSSL | 0:d92f9d21154c | 5284 | |
wolfSSL | 0:d92f9d21154c | 5285 | /* headers and output */ |
wolfSSL | 0:d92f9d21154c | 5286 | seqSz = SetSequence(beforeSz + afterSz, output); |
wolfSSL | 0:d92f9d21154c | 5287 | XMEMCPY(output + seqSz, before, beforeSz); |
wolfSSL | 0:d92f9d21154c | 5288 | XMEMCPY(output + seqSz + beforeSz, after, afterSz); |
wolfSSL | 0:d92f9d21154c | 5289 | |
wolfSSL | 0:d92f9d21154c | 5290 | return seqSz + beforeSz + afterSz; |
wolfSSL | 0:d92f9d21154c | 5291 | } |
wolfSSL | 0:d92f9d21154c | 5292 | |
wolfSSL | 0:d92f9d21154c | 5293 | |
wolfSSL | 0:d92f9d21154c | 5294 | /* ASN Encoded Name field */ |
wolfSSL | 0:d92f9d21154c | 5295 | typedef struct EncodedName { |
wolfSSL | 0:d92f9d21154c | 5296 | int nameLen; /* actual string value length */ |
wolfSSL | 0:d92f9d21154c | 5297 | int totalLen; /* total encoded length */ |
wolfSSL | 0:d92f9d21154c | 5298 | int type; /* type of name */ |
wolfSSL | 0:d92f9d21154c | 5299 | int used; /* are we actually using this one */ |
wolfSSL | 0:d92f9d21154c | 5300 | byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ |
wolfSSL | 0:d92f9d21154c | 5301 | } EncodedName; |
wolfSSL | 0:d92f9d21154c | 5302 | |
wolfSSL | 0:d92f9d21154c | 5303 | |
wolfSSL | 0:d92f9d21154c | 5304 | /* Get Which Name from index */ |
wolfSSL | 0:d92f9d21154c | 5305 | static const char* GetOneName(CertName* name, int idx) |
wolfSSL | 0:d92f9d21154c | 5306 | { |
wolfSSL | 0:d92f9d21154c | 5307 | switch (idx) { |
wolfSSL | 0:d92f9d21154c | 5308 | case 0: |
wolfSSL | 0:d92f9d21154c | 5309 | return name->country; |
wolfSSL | 0:d92f9d21154c | 5310 | |
wolfSSL | 0:d92f9d21154c | 5311 | case 1: |
wolfSSL | 0:d92f9d21154c | 5312 | return name->state; |
wolfSSL | 0:d92f9d21154c | 5313 | |
wolfSSL | 0:d92f9d21154c | 5314 | case 2: |
wolfSSL | 0:d92f9d21154c | 5315 | return name->locality; |
wolfSSL | 0:d92f9d21154c | 5316 | |
wolfSSL | 0:d92f9d21154c | 5317 | case 3: |
wolfSSL | 0:d92f9d21154c | 5318 | return name->sur; |
wolfSSL | 0:d92f9d21154c | 5319 | |
wolfSSL | 0:d92f9d21154c | 5320 | case 4: |
wolfSSL | 0:d92f9d21154c | 5321 | return name->org; |
wolfSSL | 0:d92f9d21154c | 5322 | |
wolfSSL | 0:d92f9d21154c | 5323 | case 5: |
wolfSSL | 0:d92f9d21154c | 5324 | return name->unit; |
wolfSSL | 0:d92f9d21154c | 5325 | |
wolfSSL | 0:d92f9d21154c | 5326 | case 6: |
wolfSSL | 0:d92f9d21154c | 5327 | return name->commonName; |
wolfSSL | 0:d92f9d21154c | 5328 | |
wolfSSL | 0:d92f9d21154c | 5329 | case 7: |
wolfSSL | 0:d92f9d21154c | 5330 | return name->email; |
wolfSSL | 0:d92f9d21154c | 5331 | |
wolfSSL | 0:d92f9d21154c | 5332 | default: |
wolfSSL | 0:d92f9d21154c | 5333 | return 0; |
wolfSSL | 0:d92f9d21154c | 5334 | } |
wolfSSL | 0:d92f9d21154c | 5335 | } |
wolfSSL | 0:d92f9d21154c | 5336 | |
wolfSSL | 0:d92f9d21154c | 5337 | |
wolfSSL | 0:d92f9d21154c | 5338 | /* Get Which Name Encoding from index */ |
wolfSSL | 0:d92f9d21154c | 5339 | static char GetNameType(CertName* name, int idx) |
wolfSSL | 0:d92f9d21154c | 5340 | { |
wolfSSL | 0:d92f9d21154c | 5341 | switch (idx) { |
wolfSSL | 0:d92f9d21154c | 5342 | case 0: |
wolfSSL | 0:d92f9d21154c | 5343 | return name->countryEnc; |
wolfSSL | 0:d92f9d21154c | 5344 | |
wolfSSL | 0:d92f9d21154c | 5345 | case 1: |
wolfSSL | 0:d92f9d21154c | 5346 | return name->stateEnc; |
wolfSSL | 0:d92f9d21154c | 5347 | |
wolfSSL | 0:d92f9d21154c | 5348 | case 2: |
wolfSSL | 0:d92f9d21154c | 5349 | return name->localityEnc; |
wolfSSL | 0:d92f9d21154c | 5350 | |
wolfSSL | 0:d92f9d21154c | 5351 | case 3: |
wolfSSL | 0:d92f9d21154c | 5352 | return name->surEnc; |
wolfSSL | 0:d92f9d21154c | 5353 | |
wolfSSL | 0:d92f9d21154c | 5354 | case 4: |
wolfSSL | 0:d92f9d21154c | 5355 | return name->orgEnc; |
wolfSSL | 0:d92f9d21154c | 5356 | |
wolfSSL | 0:d92f9d21154c | 5357 | case 5: |
wolfSSL | 0:d92f9d21154c | 5358 | return name->unitEnc; |
wolfSSL | 0:d92f9d21154c | 5359 | |
wolfSSL | 0:d92f9d21154c | 5360 | case 6: |
wolfSSL | 0:d92f9d21154c | 5361 | return name->commonNameEnc; |
wolfSSL | 0:d92f9d21154c | 5362 | |
wolfSSL | 0:d92f9d21154c | 5363 | default: |
wolfSSL | 0:d92f9d21154c | 5364 | return 0; |
wolfSSL | 0:d92f9d21154c | 5365 | } |
wolfSSL | 0:d92f9d21154c | 5366 | } |
wolfSSL | 0:d92f9d21154c | 5367 | |
wolfSSL | 0:d92f9d21154c | 5368 | |
wolfSSL | 0:d92f9d21154c | 5369 | /* Get ASN Name from index */ |
wolfSSL | 0:d92f9d21154c | 5370 | static byte GetNameId(int idx) |
wolfSSL | 0:d92f9d21154c | 5371 | { |
wolfSSL | 0:d92f9d21154c | 5372 | switch (idx) { |
wolfSSL | 0:d92f9d21154c | 5373 | case 0: |
wolfSSL | 0:d92f9d21154c | 5374 | return ASN_COUNTRY_NAME; |
wolfSSL | 0:d92f9d21154c | 5375 | |
wolfSSL | 0:d92f9d21154c | 5376 | case 1: |
wolfSSL | 0:d92f9d21154c | 5377 | return ASN_STATE_NAME; |
wolfSSL | 0:d92f9d21154c | 5378 | |
wolfSSL | 0:d92f9d21154c | 5379 | case 2: |
wolfSSL | 0:d92f9d21154c | 5380 | return ASN_LOCALITY_NAME; |
wolfSSL | 0:d92f9d21154c | 5381 | |
wolfSSL | 0:d92f9d21154c | 5382 | case 3: |
wolfSSL | 0:d92f9d21154c | 5383 | return ASN_SUR_NAME; |
wolfSSL | 0:d92f9d21154c | 5384 | |
wolfSSL | 0:d92f9d21154c | 5385 | case 4: |
wolfSSL | 0:d92f9d21154c | 5386 | return ASN_ORG_NAME; |
wolfSSL | 0:d92f9d21154c | 5387 | |
wolfSSL | 0:d92f9d21154c | 5388 | case 5: |
wolfSSL | 0:d92f9d21154c | 5389 | return ASN_ORGUNIT_NAME; |
wolfSSL | 0:d92f9d21154c | 5390 | |
wolfSSL | 0:d92f9d21154c | 5391 | case 6: |
wolfSSL | 0:d92f9d21154c | 5392 | return ASN_COMMON_NAME; |
wolfSSL | 0:d92f9d21154c | 5393 | |
wolfSSL | 0:d92f9d21154c | 5394 | case 7: |
wolfSSL | 0:d92f9d21154c | 5395 | /* email uses different id type */ |
wolfSSL | 0:d92f9d21154c | 5396 | return 0; |
wolfSSL | 0:d92f9d21154c | 5397 | |
wolfSSL | 0:d92f9d21154c | 5398 | default: |
wolfSSL | 0:d92f9d21154c | 5399 | return 0; |
wolfSSL | 0:d92f9d21154c | 5400 | } |
wolfSSL | 0:d92f9d21154c | 5401 | } |
wolfSSL | 0:d92f9d21154c | 5402 | |
wolfSSL | 0:d92f9d21154c | 5403 | |
wolfSSL | 0:d92f9d21154c | 5404 | /* encode all extensions, return total bytes written */ |
wolfSSL | 0:d92f9d21154c | 5405 | static int SetExtensions(byte* output, const byte* ext, int extSz, int header) |
wolfSSL | 0:d92f9d21154c | 5406 | { |
wolfSSL | 0:d92f9d21154c | 5407 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5408 | byte len[MAX_LENGTH_SZ]; |
wolfSSL | 0:d92f9d21154c | 5409 | |
wolfSSL | 0:d92f9d21154c | 5410 | int sz = 0; |
wolfSSL | 0:d92f9d21154c | 5411 | int seqSz = SetSequence(extSz, sequence); |
wolfSSL | 0:d92f9d21154c | 5412 | |
wolfSSL | 0:d92f9d21154c | 5413 | if (header) { |
wolfSSL | 0:d92f9d21154c | 5414 | int lenSz = SetLength(seqSz + extSz, len); |
wolfSSL | 0:d92f9d21154c | 5415 | output[0] = ASN_EXTENSIONS; /* extensions id */ |
wolfSSL | 0:d92f9d21154c | 5416 | sz++; |
wolfSSL | 0:d92f9d21154c | 5417 | XMEMCPY(&output[sz], len, lenSz); /* length */ |
wolfSSL | 0:d92f9d21154c | 5418 | sz += lenSz; |
wolfSSL | 0:d92f9d21154c | 5419 | } |
wolfSSL | 0:d92f9d21154c | 5420 | XMEMCPY(&output[sz], sequence, seqSz); /* sequence */ |
wolfSSL | 0:d92f9d21154c | 5421 | sz += seqSz; |
wolfSSL | 0:d92f9d21154c | 5422 | XMEMCPY(&output[sz], ext, extSz); /* extensions */ |
wolfSSL | 0:d92f9d21154c | 5423 | sz += extSz; |
wolfSSL | 0:d92f9d21154c | 5424 | |
wolfSSL | 0:d92f9d21154c | 5425 | return sz; |
wolfSSL | 0:d92f9d21154c | 5426 | } |
wolfSSL | 0:d92f9d21154c | 5427 | |
wolfSSL | 0:d92f9d21154c | 5428 | |
wolfSSL | 0:d92f9d21154c | 5429 | /* encode CA basic constraint true, return total bytes written */ |
wolfSSL | 0:d92f9d21154c | 5430 | static int SetCa(byte* output) |
wolfSSL | 0:d92f9d21154c | 5431 | { |
wolfSSL | 0:d92f9d21154c | 5432 | static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, |
wolfSSL | 0:d92f9d21154c | 5433 | 0x05, 0x30, 0x03, 0x01, 0x01, 0xff }; |
wolfSSL | 0:d92f9d21154c | 5434 | |
wolfSSL | 0:d92f9d21154c | 5435 | XMEMCPY(output, ca, sizeof(ca)); |
wolfSSL | 0:d92f9d21154c | 5436 | |
wolfSSL | 0:d92f9d21154c | 5437 | return (int)sizeof(ca); |
wolfSSL | 0:d92f9d21154c | 5438 | } |
wolfSSL | 0:d92f9d21154c | 5439 | |
wolfSSL | 0:d92f9d21154c | 5440 | |
wolfSSL | 0:d92f9d21154c | 5441 | /* encode CertName into output, return total bytes written */ |
wolfSSL | 0:d92f9d21154c | 5442 | static int SetName(byte* output, CertName* name) |
wolfSSL | 0:d92f9d21154c | 5443 | { |
wolfSSL | 0:d92f9d21154c | 5444 | int totalBytes = 0, i, idx; |
wolfSSL | 0:d92f9d21154c | 5445 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5446 | EncodedName* names = NULL; |
wolfSSL | 0:d92f9d21154c | 5447 | #else |
wolfSSL | 0:d92f9d21154c | 5448 | EncodedName names[NAME_ENTRIES]; |
wolfSSL | 0:d92f9d21154c | 5449 | #endif |
wolfSSL | 0:d92f9d21154c | 5450 | |
wolfSSL | 0:d92f9d21154c | 5451 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5452 | names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL, |
wolfSSL | 0:d92f9d21154c | 5453 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5454 | if (names == NULL) |
wolfSSL | 0:d92f9d21154c | 5455 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5456 | #endif |
wolfSSL | 0:d92f9d21154c | 5457 | |
wolfSSL | 0:d92f9d21154c | 5458 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 0:d92f9d21154c | 5459 | const char* nameStr = GetOneName(name, i); |
wolfSSL | 0:d92f9d21154c | 5460 | if (nameStr) { |
wolfSSL | 0:d92f9d21154c | 5461 | /* bottom up */ |
wolfSSL | 0:d92f9d21154c | 5462 | byte firstLen[MAX_LENGTH_SZ]; |
wolfSSL | 0:d92f9d21154c | 5463 | byte secondLen[MAX_LENGTH_SZ]; |
wolfSSL | 0:d92f9d21154c | 5464 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5465 | byte set[MAX_SET_SZ]; |
wolfSSL | 0:d92f9d21154c | 5466 | |
wolfSSL | 0:d92f9d21154c | 5467 | int email = i == (NAME_ENTRIES - 1) ? 1 : 0; |
wolfSSL | 0:d92f9d21154c | 5468 | int strLen = (int)XSTRLEN(nameStr); |
wolfSSL | 0:d92f9d21154c | 5469 | int thisLen = strLen; |
wolfSSL | 0:d92f9d21154c | 5470 | int firstSz, secondSz, seqSz, setSz; |
wolfSSL | 0:d92f9d21154c | 5471 | |
wolfSSL | 0:d92f9d21154c | 5472 | if (strLen == 0) { /* no user data for this item */ |
wolfSSL | 0:d92f9d21154c | 5473 | names[i].used = 0; |
wolfSSL | 0:d92f9d21154c | 5474 | continue; |
wolfSSL | 0:d92f9d21154c | 5475 | } |
wolfSSL | 0:d92f9d21154c | 5476 | |
wolfSSL | 0:d92f9d21154c | 5477 | secondSz = SetLength(strLen, secondLen); |
wolfSSL | 0:d92f9d21154c | 5478 | thisLen += secondSz; |
wolfSSL | 0:d92f9d21154c | 5479 | if (email) { |
wolfSSL | 0:d92f9d21154c | 5480 | thisLen += EMAIL_JOINT_LEN; |
wolfSSL | 0:d92f9d21154c | 5481 | thisLen ++; /* id type */ |
wolfSSL | 0:d92f9d21154c | 5482 | firstSz = SetLength(EMAIL_JOINT_LEN, firstLen); |
wolfSSL | 0:d92f9d21154c | 5483 | } |
wolfSSL | 0:d92f9d21154c | 5484 | else { |
wolfSSL | 0:d92f9d21154c | 5485 | thisLen++; /* str type */ |
wolfSSL | 0:d92f9d21154c | 5486 | thisLen++; /* id type */ |
wolfSSL | 0:d92f9d21154c | 5487 | thisLen += JOINT_LEN; |
wolfSSL | 0:d92f9d21154c | 5488 | firstSz = SetLength(JOINT_LEN + 1, firstLen); |
wolfSSL | 0:d92f9d21154c | 5489 | } |
wolfSSL | 0:d92f9d21154c | 5490 | thisLen += firstSz; |
wolfSSL | 0:d92f9d21154c | 5491 | thisLen++; /* object id */ |
wolfSSL | 0:d92f9d21154c | 5492 | |
wolfSSL | 0:d92f9d21154c | 5493 | seqSz = SetSequence(thisLen, sequence); |
wolfSSL | 0:d92f9d21154c | 5494 | thisLen += seqSz; |
wolfSSL | 0:d92f9d21154c | 5495 | setSz = SetSet(thisLen, set); |
wolfSSL | 0:d92f9d21154c | 5496 | thisLen += setSz; |
wolfSSL | 0:d92f9d21154c | 5497 | |
wolfSSL | 0:d92f9d21154c | 5498 | if (thisLen > (int)sizeof(names[i].encoded)) { |
wolfSSL | 0:d92f9d21154c | 5499 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5500 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5501 | #endif |
wolfSSL | 0:d92f9d21154c | 5502 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 5503 | } |
wolfSSL | 0:d92f9d21154c | 5504 | |
wolfSSL | 0:d92f9d21154c | 5505 | /* store it */ |
wolfSSL | 0:d92f9d21154c | 5506 | idx = 0; |
wolfSSL | 0:d92f9d21154c | 5507 | /* set */ |
wolfSSL | 0:d92f9d21154c | 5508 | XMEMCPY(names[i].encoded, set, setSz); |
wolfSSL | 0:d92f9d21154c | 5509 | idx += setSz; |
wolfSSL | 0:d92f9d21154c | 5510 | /* seq */ |
wolfSSL | 0:d92f9d21154c | 5511 | XMEMCPY(names[i].encoded + idx, sequence, seqSz); |
wolfSSL | 0:d92f9d21154c | 5512 | idx += seqSz; |
wolfSSL | 0:d92f9d21154c | 5513 | /* asn object id */ |
wolfSSL | 0:d92f9d21154c | 5514 | names[i].encoded[idx++] = ASN_OBJECT_ID; |
wolfSSL | 0:d92f9d21154c | 5515 | /* first length */ |
wolfSSL | 0:d92f9d21154c | 5516 | XMEMCPY(names[i].encoded + idx, firstLen, firstSz); |
wolfSSL | 0:d92f9d21154c | 5517 | idx += firstSz; |
wolfSSL | 0:d92f9d21154c | 5518 | if (email) { |
wolfSSL | 0:d92f9d21154c | 5519 | const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 0:d92f9d21154c | 5520 | 0x01, 0x09, 0x01, 0x16 }; |
wolfSSL | 0:d92f9d21154c | 5521 | /* email joint id */ |
wolfSSL | 0:d92f9d21154c | 5522 | XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); |
wolfSSL | 0:d92f9d21154c | 5523 | idx += (int)sizeof(EMAIL_OID); |
wolfSSL | 0:d92f9d21154c | 5524 | } |
wolfSSL | 0:d92f9d21154c | 5525 | else { |
wolfSSL | 0:d92f9d21154c | 5526 | /* joint id */ |
wolfSSL | 0:d92f9d21154c | 5527 | byte bType = GetNameId(i); |
wolfSSL | 0:d92f9d21154c | 5528 | names[i].encoded[idx++] = 0x55; |
wolfSSL | 0:d92f9d21154c | 5529 | names[i].encoded[idx++] = 0x04; |
wolfSSL | 0:d92f9d21154c | 5530 | /* id type */ |
wolfSSL | 0:d92f9d21154c | 5531 | names[i].encoded[idx++] = bType; |
wolfSSL | 0:d92f9d21154c | 5532 | /* str type */ |
wolfSSL | 0:d92f9d21154c | 5533 | names[i].encoded[idx++] = GetNameType(name, i); |
wolfSSL | 0:d92f9d21154c | 5534 | } |
wolfSSL | 0:d92f9d21154c | 5535 | /* second length */ |
wolfSSL | 0:d92f9d21154c | 5536 | XMEMCPY(names[i].encoded + idx, secondLen, secondSz); |
wolfSSL | 0:d92f9d21154c | 5537 | idx += secondSz; |
wolfSSL | 0:d92f9d21154c | 5538 | /* str value */ |
wolfSSL | 0:d92f9d21154c | 5539 | XMEMCPY(names[i].encoded + idx, nameStr, strLen); |
wolfSSL | 0:d92f9d21154c | 5540 | idx += strLen; |
wolfSSL | 0:d92f9d21154c | 5541 | |
wolfSSL | 0:d92f9d21154c | 5542 | totalBytes += idx; |
wolfSSL | 0:d92f9d21154c | 5543 | names[i].totalLen = idx; |
wolfSSL | 0:d92f9d21154c | 5544 | names[i].used = 1; |
wolfSSL | 0:d92f9d21154c | 5545 | } |
wolfSSL | 0:d92f9d21154c | 5546 | else |
wolfSSL | 0:d92f9d21154c | 5547 | names[i].used = 0; |
wolfSSL | 0:d92f9d21154c | 5548 | } |
wolfSSL | 0:d92f9d21154c | 5549 | |
wolfSSL | 0:d92f9d21154c | 5550 | /* header */ |
wolfSSL | 0:d92f9d21154c | 5551 | idx = SetSequence(totalBytes, output); |
wolfSSL | 0:d92f9d21154c | 5552 | totalBytes += idx; |
wolfSSL | 0:d92f9d21154c | 5553 | if (totalBytes > ASN_NAME_MAX) { |
wolfSSL | 0:d92f9d21154c | 5554 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5555 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5556 | #endif |
wolfSSL | 0:d92f9d21154c | 5557 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 5558 | } |
wolfSSL | 0:d92f9d21154c | 5559 | |
wolfSSL | 0:d92f9d21154c | 5560 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 0:d92f9d21154c | 5561 | if (names[i].used) { |
wolfSSL | 0:d92f9d21154c | 5562 | XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); |
wolfSSL | 0:d92f9d21154c | 5563 | idx += names[i].totalLen; |
wolfSSL | 0:d92f9d21154c | 5564 | } |
wolfSSL | 0:d92f9d21154c | 5565 | } |
wolfSSL | 0:d92f9d21154c | 5566 | |
wolfSSL | 0:d92f9d21154c | 5567 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5568 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5569 | #endif |
wolfSSL | 0:d92f9d21154c | 5570 | |
wolfSSL | 0:d92f9d21154c | 5571 | return totalBytes; |
wolfSSL | 0:d92f9d21154c | 5572 | } |
wolfSSL | 0:d92f9d21154c | 5573 | |
wolfSSL | 0:d92f9d21154c | 5574 | /* encode info from cert into DER encoded format */ |
wolfSSL | 0:d92f9d21154c | 5575 | static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 0:d92f9d21154c | 5576 | RNG* rng, const byte* ntruKey, word16 ntruSz) |
wolfSSL | 0:d92f9d21154c | 5577 | { |
wolfSSL | 0:d92f9d21154c | 5578 | int ret; |
wolfSSL | 0:d92f9d21154c | 5579 | |
wolfSSL | 0:d92f9d21154c | 5580 | (void)eccKey; |
wolfSSL | 0:d92f9d21154c | 5581 | (void)ntruKey; |
wolfSSL | 0:d92f9d21154c | 5582 | (void)ntruSz; |
wolfSSL | 0:d92f9d21154c | 5583 | |
wolfSSL | 0:d92f9d21154c | 5584 | /* init */ |
wolfSSL | 0:d92f9d21154c | 5585 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 0:d92f9d21154c | 5586 | |
wolfSSL | 0:d92f9d21154c | 5587 | /* version */ |
wolfSSL | 0:d92f9d21154c | 5588 | der->versionSz = SetMyVersion(cert->version, der->version, TRUE); |
wolfSSL | 0:d92f9d21154c | 5589 | |
wolfSSL | 0:d92f9d21154c | 5590 | /* serial number */ |
wolfSSL | 0:d92f9d21154c | 5591 | ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE); |
wolfSSL | 0:d92f9d21154c | 5592 | if (ret != 0) |
wolfSSL | 0:d92f9d21154c | 5593 | return ret; |
wolfSSL | 0:d92f9d21154c | 5594 | |
wolfSSL | 0:d92f9d21154c | 5595 | cert->serial[0] = 0x01; /* ensure positive */ |
wolfSSL | 0:d92f9d21154c | 5596 | der->serialSz = SetSerial(cert->serial, der->serial); |
wolfSSL | 0:d92f9d21154c | 5597 | |
wolfSSL | 0:d92f9d21154c | 5598 | /* signature algo */ |
wolfSSL | 0:d92f9d21154c | 5599 | der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, sigType, 0); |
wolfSSL | 0:d92f9d21154c | 5600 | if (der->sigAlgoSz == 0) |
wolfSSL | 0:d92f9d21154c | 5601 | return ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 5602 | |
wolfSSL | 0:d92f9d21154c | 5603 | /* public key */ |
wolfSSL | 0:d92f9d21154c | 5604 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 0:d92f9d21154c | 5605 | if (rsaKey == NULL) |
wolfSSL | 0:d92f9d21154c | 5606 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5607 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey); |
wolfSSL | 0:d92f9d21154c | 5608 | if (der->publicKeySz <= 0) |
wolfSSL | 0:d92f9d21154c | 5609 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5610 | } |
wolfSSL | 0:d92f9d21154c | 5611 | |
wolfSSL | 0:d92f9d21154c | 5612 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 5613 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 0:d92f9d21154c | 5614 | if (eccKey == NULL) |
wolfSSL | 0:d92f9d21154c | 5615 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5616 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey); |
wolfSSL | 0:d92f9d21154c | 5617 | if (der->publicKeySz <= 0) |
wolfSSL | 0:d92f9d21154c | 5618 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5619 | } |
wolfSSL | 0:d92f9d21154c | 5620 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 5621 | |
wolfSSL | 0:d92f9d21154c | 5622 | #ifdef HAVE_NTRU |
wolfSSL | 0:d92f9d21154c | 5623 | if (cert->keyType == NTRU_KEY) { |
wolfSSL | 0:d92f9d21154c | 5624 | word32 rc; |
wolfSSL | 0:d92f9d21154c | 5625 | word16 encodedSz; |
wolfSSL | 0:d92f9d21154c | 5626 | |
wolfSSL | 0:d92f9d21154c | 5627 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 0:d92f9d21154c | 5628 | ntruKey, &encodedSz, NULL); |
wolfSSL | 0:d92f9d21154c | 5629 | if (rc != NTRU_OK) |
wolfSSL | 0:d92f9d21154c | 5630 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5631 | if (encodedSz > MAX_PUBLIC_KEY_SZ) |
wolfSSL | 0:d92f9d21154c | 5632 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5633 | |
wolfSSL | 0:d92f9d21154c | 5634 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 0:d92f9d21154c | 5635 | ntruKey, &encodedSz, der->publicKey); |
wolfSSL | 0:d92f9d21154c | 5636 | if (rc != NTRU_OK) |
wolfSSL | 0:d92f9d21154c | 5637 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 5638 | |
wolfSSL | 0:d92f9d21154c | 5639 | der->publicKeySz = encodedSz; |
wolfSSL | 0:d92f9d21154c | 5640 | } |
wolfSSL | 0:d92f9d21154c | 5641 | #endif /* HAVE_NTRU */ |
wolfSSL | 0:d92f9d21154c | 5642 | |
wolfSSL | 0:d92f9d21154c | 5643 | der->validitySz = 0; |
wolfSSL | 0:d92f9d21154c | 5644 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 5645 | /* date validity copy ? */ |
wolfSSL | 0:d92f9d21154c | 5646 | if (cert->beforeDateSz && cert->afterDateSz) { |
wolfSSL | 0:d92f9d21154c | 5647 | der->validitySz = CopyValidity(der->validity, cert); |
wolfSSL | 0:d92f9d21154c | 5648 | if (der->validitySz == 0) |
wolfSSL | 0:d92f9d21154c | 5649 | return DATE_E; |
wolfSSL | 0:d92f9d21154c | 5650 | } |
wolfSSL | 0:d92f9d21154c | 5651 | #endif |
wolfSSL | 0:d92f9d21154c | 5652 | |
wolfSSL | 0:d92f9d21154c | 5653 | /* date validity */ |
wolfSSL | 0:d92f9d21154c | 5654 | if (der->validitySz == 0) { |
wolfSSL | 0:d92f9d21154c | 5655 | der->validitySz = SetValidity(der->validity, cert->daysValid); |
wolfSSL | 0:d92f9d21154c | 5656 | if (der->validitySz == 0) |
wolfSSL | 0:d92f9d21154c | 5657 | return DATE_E; |
wolfSSL | 0:d92f9d21154c | 5658 | } |
wolfSSL | 0:d92f9d21154c | 5659 | |
wolfSSL | 0:d92f9d21154c | 5660 | /* subject name */ |
wolfSSL | 0:d92f9d21154c | 5661 | der->subjectSz = SetName(der->subject, &cert->subject); |
wolfSSL | 0:d92f9d21154c | 5662 | if (der->subjectSz == 0) |
wolfSSL | 0:d92f9d21154c | 5663 | return SUBJECT_E; |
wolfSSL | 0:d92f9d21154c | 5664 | |
wolfSSL | 0:d92f9d21154c | 5665 | /* issuer name */ |
wolfSSL | 0:d92f9d21154c | 5666 | der->issuerSz = SetName(der->issuer, cert->selfSigned ? |
wolfSSL | 0:d92f9d21154c | 5667 | &cert->subject : &cert->issuer); |
wolfSSL | 0:d92f9d21154c | 5668 | if (der->issuerSz == 0) |
wolfSSL | 0:d92f9d21154c | 5669 | return ISSUER_E; |
wolfSSL | 0:d92f9d21154c | 5670 | |
wolfSSL | 0:d92f9d21154c | 5671 | /* CA */ |
wolfSSL | 0:d92f9d21154c | 5672 | if (cert->isCA) { |
wolfSSL | 0:d92f9d21154c | 5673 | der->caSz = SetCa(der->ca); |
wolfSSL | 0:d92f9d21154c | 5674 | if (der->caSz == 0) |
wolfSSL | 0:d92f9d21154c | 5675 | return CA_TRUE_E; |
wolfSSL | 0:d92f9d21154c | 5676 | } |
wolfSSL | 0:d92f9d21154c | 5677 | else |
wolfSSL | 0:d92f9d21154c | 5678 | der->caSz = 0; |
wolfSSL | 0:d92f9d21154c | 5679 | |
wolfSSL | 0:d92f9d21154c | 5680 | /* extensions, just CA now */ |
wolfSSL | 0:d92f9d21154c | 5681 | if (cert->isCA) { |
wolfSSL | 0:d92f9d21154c | 5682 | der->extensionsSz = SetExtensions(der->extensions, |
wolfSSL | 0:d92f9d21154c | 5683 | der->ca, der->caSz, TRUE); |
wolfSSL | 0:d92f9d21154c | 5684 | if (der->extensionsSz == 0) |
wolfSSL | 0:d92f9d21154c | 5685 | return EXTENSIONS_E; |
wolfSSL | 0:d92f9d21154c | 5686 | } |
wolfSSL | 0:d92f9d21154c | 5687 | else |
wolfSSL | 0:d92f9d21154c | 5688 | der->extensionsSz = 0; |
wolfSSL | 0:d92f9d21154c | 5689 | |
wolfSSL | 0:d92f9d21154c | 5690 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 5691 | if (der->extensionsSz == 0 && cert->altNamesSz) { |
wolfSSL | 0:d92f9d21154c | 5692 | der->extensionsSz = SetExtensions(der->extensions, cert->altNames, |
wolfSSL | 0:d92f9d21154c | 5693 | cert->altNamesSz, TRUE); |
wolfSSL | 0:d92f9d21154c | 5694 | if (der->extensionsSz == 0) |
wolfSSL | 0:d92f9d21154c | 5695 | return EXTENSIONS_E; |
wolfSSL | 0:d92f9d21154c | 5696 | } |
wolfSSL | 0:d92f9d21154c | 5697 | #endif |
wolfSSL | 0:d92f9d21154c | 5698 | |
wolfSSL | 0:d92f9d21154c | 5699 | der->total = der->versionSz + der->serialSz + der->sigAlgoSz + |
wolfSSL | 0:d92f9d21154c | 5700 | der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + |
wolfSSL | 0:d92f9d21154c | 5701 | der->extensionsSz; |
wolfSSL | 0:d92f9d21154c | 5702 | |
wolfSSL | 0:d92f9d21154c | 5703 | return 0; |
wolfSSL | 0:d92f9d21154c | 5704 | } |
wolfSSL | 0:d92f9d21154c | 5705 | |
wolfSSL | 0:d92f9d21154c | 5706 | |
wolfSSL | 0:d92f9d21154c | 5707 | /* write DER encoded cert to buffer, size already checked */ |
wolfSSL | 0:d92f9d21154c | 5708 | static int WriteCertBody(DerCert* der, byte* buffer) |
wolfSSL | 0:d92f9d21154c | 5709 | { |
wolfSSL | 0:d92f9d21154c | 5710 | int idx; |
wolfSSL | 0:d92f9d21154c | 5711 | |
wolfSSL | 0:d92f9d21154c | 5712 | /* signed part header */ |
wolfSSL | 0:d92f9d21154c | 5713 | idx = SetSequence(der->total, buffer); |
wolfSSL | 0:d92f9d21154c | 5714 | /* version */ |
wolfSSL | 0:d92f9d21154c | 5715 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 0:d92f9d21154c | 5716 | idx += der->versionSz; |
wolfSSL | 0:d92f9d21154c | 5717 | /* serial */ |
wolfSSL | 0:d92f9d21154c | 5718 | XMEMCPY(buffer + idx, der->serial, der->serialSz); |
wolfSSL | 0:d92f9d21154c | 5719 | idx += der->serialSz; |
wolfSSL | 0:d92f9d21154c | 5720 | /* sig algo */ |
wolfSSL | 0:d92f9d21154c | 5721 | XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz); |
wolfSSL | 0:d92f9d21154c | 5722 | idx += der->sigAlgoSz; |
wolfSSL | 0:d92f9d21154c | 5723 | /* issuer */ |
wolfSSL | 0:d92f9d21154c | 5724 | XMEMCPY(buffer + idx, der->issuer, der->issuerSz); |
wolfSSL | 0:d92f9d21154c | 5725 | idx += der->issuerSz; |
wolfSSL | 0:d92f9d21154c | 5726 | /* validity */ |
wolfSSL | 0:d92f9d21154c | 5727 | XMEMCPY(buffer + idx, der->validity, der->validitySz); |
wolfSSL | 0:d92f9d21154c | 5728 | idx += der->validitySz; |
wolfSSL | 0:d92f9d21154c | 5729 | /* subject */ |
wolfSSL | 0:d92f9d21154c | 5730 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 0:d92f9d21154c | 5731 | idx += der->subjectSz; |
wolfSSL | 0:d92f9d21154c | 5732 | /* public key */ |
wolfSSL | 0:d92f9d21154c | 5733 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 0:d92f9d21154c | 5734 | idx += der->publicKeySz; |
wolfSSL | 0:d92f9d21154c | 5735 | if (der->extensionsSz) { |
wolfSSL | 0:d92f9d21154c | 5736 | /* extensions */ |
wolfSSL | 0:d92f9d21154c | 5737 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 0:d92f9d21154c | 5738 | sizeof(der->extensions))); |
wolfSSL | 0:d92f9d21154c | 5739 | idx += der->extensionsSz; |
wolfSSL | 0:d92f9d21154c | 5740 | } |
wolfSSL | 0:d92f9d21154c | 5741 | |
wolfSSL | 0:d92f9d21154c | 5742 | return idx; |
wolfSSL | 0:d92f9d21154c | 5743 | } |
wolfSSL | 0:d92f9d21154c | 5744 | |
wolfSSL | 0:d92f9d21154c | 5745 | |
wolfSSL | 0:d92f9d21154c | 5746 | /* Make RSA signature from buffer (sz), write to sig (sigSz) */ |
wolfSSL | 0:d92f9d21154c | 5747 | static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz, |
wolfSSL | 0:d92f9d21154c | 5748 | RsaKey* rsaKey, ecc_key* eccKey, RNG* rng, |
wolfSSL | 0:d92f9d21154c | 5749 | int sigAlgoType) |
wolfSSL | 0:d92f9d21154c | 5750 | { |
wolfSSL | 0:d92f9d21154c | 5751 | int encSigSz, digestSz, typeH = 0, ret = 0; |
wolfSSL | 0:d92f9d21154c | 5752 | byte digest[SHA256_DIGEST_SIZE]; /* max size */ |
wolfSSL | 0:d92f9d21154c | 5753 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5754 | byte* encSig; |
wolfSSL | 0:d92f9d21154c | 5755 | #else |
wolfSSL | 0:d92f9d21154c | 5756 | byte encSig[MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5757 | #endif |
wolfSSL | 0:d92f9d21154c | 5758 | |
wolfSSL | 0:d92f9d21154c | 5759 | (void)digest; |
wolfSSL | 0:d92f9d21154c | 5760 | (void)digestSz; |
wolfSSL | 0:d92f9d21154c | 5761 | (void)encSig; |
wolfSSL | 0:d92f9d21154c | 5762 | (void)encSigSz; |
wolfSSL | 0:d92f9d21154c | 5763 | (void)typeH; |
wolfSSL | 0:d92f9d21154c | 5764 | |
wolfSSL | 0:d92f9d21154c | 5765 | (void)buffer; |
wolfSSL | 0:d92f9d21154c | 5766 | (void)sz; |
wolfSSL | 0:d92f9d21154c | 5767 | (void)sig; |
wolfSSL | 0:d92f9d21154c | 5768 | (void)sigSz; |
wolfSSL | 0:d92f9d21154c | 5769 | (void)rsaKey; |
wolfSSL | 0:d92f9d21154c | 5770 | (void)eccKey; |
wolfSSL | 0:d92f9d21154c | 5771 | (void)rng; |
wolfSSL | 0:d92f9d21154c | 5772 | |
wolfSSL | 0:d92f9d21154c | 5773 | switch (sigAlgoType) { |
wolfSSL | 0:d92f9d21154c | 5774 | #ifndef NO_MD5 |
wolfSSL | 0:d92f9d21154c | 5775 | case CTC_MD5wRSA: |
wolfSSL | 0:d92f9d21154c | 5776 | if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) { |
wolfSSL | 0:d92f9d21154c | 5777 | typeH = MD5h; |
wolfSSL | 0:d92f9d21154c | 5778 | digestSz = MD5_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 5779 | } |
wolfSSL | 0:d92f9d21154c | 5780 | break; |
wolfSSL | 0:d92f9d21154c | 5781 | #endif |
wolfSSL | 0:d92f9d21154c | 5782 | #ifndef NO_SHA |
wolfSSL | 0:d92f9d21154c | 5783 | case CTC_SHAwRSA: |
wolfSSL | 0:d92f9d21154c | 5784 | case CTC_SHAwECDSA: |
wolfSSL | 0:d92f9d21154c | 5785 | if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) { |
wolfSSL | 0:d92f9d21154c | 5786 | typeH = SHAh; |
wolfSSL | 0:d92f9d21154c | 5787 | digestSz = SHA_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 5788 | } |
wolfSSL | 0:d92f9d21154c | 5789 | break; |
wolfSSL | 0:d92f9d21154c | 5790 | #endif |
wolfSSL | 0:d92f9d21154c | 5791 | #ifndef NO_SHA256 |
wolfSSL | 0:d92f9d21154c | 5792 | case CTC_SHA256wRSA: |
wolfSSL | 0:d92f9d21154c | 5793 | case CTC_SHA256wECDSA: |
wolfSSL | 0:d92f9d21154c | 5794 | if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) { |
wolfSSL | 0:d92f9d21154c | 5795 | typeH = SHA256h; |
wolfSSL | 0:d92f9d21154c | 5796 | digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 0:d92f9d21154c | 5797 | } |
wolfSSL | 0:d92f9d21154c | 5798 | break; |
wolfSSL | 0:d92f9d21154c | 5799 | #endif |
wolfSSL | 0:d92f9d21154c | 5800 | default: |
wolfSSL | 0:d92f9d21154c | 5801 | WOLFSSL_MSG("MakeSignautre called with unsupported type"); |
wolfSSL | 0:d92f9d21154c | 5802 | ret = ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 5803 | } |
wolfSSL | 0:d92f9d21154c | 5804 | |
wolfSSL | 0:d92f9d21154c | 5805 | if (ret != 0) |
wolfSSL | 0:d92f9d21154c | 5806 | return ret; |
wolfSSL | 0:d92f9d21154c | 5807 | |
wolfSSL | 0:d92f9d21154c | 5808 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5809 | encSig = (byte*)XMALLOC(MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ, |
wolfSSL | 0:d92f9d21154c | 5810 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5811 | if (encSig == NULL) |
wolfSSL | 0:d92f9d21154c | 5812 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5813 | #endif |
wolfSSL | 0:d92f9d21154c | 5814 | |
wolfSSL | 0:d92f9d21154c | 5815 | ret = ALGO_ID_E; |
wolfSSL | 0:d92f9d21154c | 5816 | |
wolfSSL | 0:d92f9d21154c | 5817 | #ifndef NO_RSA |
wolfSSL | 0:d92f9d21154c | 5818 | if (rsaKey) { |
wolfSSL | 0:d92f9d21154c | 5819 | /* signature */ |
wolfSSL | 0:d92f9d21154c | 5820 | encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH); |
wolfSSL | 0:d92f9d21154c | 5821 | ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng); |
wolfSSL | 0:d92f9d21154c | 5822 | } |
wolfSSL | 0:d92f9d21154c | 5823 | #endif |
wolfSSL | 0:d92f9d21154c | 5824 | |
wolfSSL | 0:d92f9d21154c | 5825 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 5826 | if (!rsaKey && eccKey) { |
wolfSSL | 0:d92f9d21154c | 5827 | word32 outSz = sigSz; |
wolfSSL | 0:d92f9d21154c | 5828 | ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey); |
wolfSSL | 0:d92f9d21154c | 5829 | |
wolfSSL | 0:d92f9d21154c | 5830 | if (ret == 0) |
wolfSSL | 0:d92f9d21154c | 5831 | ret = outSz; |
wolfSSL | 0:d92f9d21154c | 5832 | } |
wolfSSL | 0:d92f9d21154c | 5833 | #endif |
wolfSSL | 0:d92f9d21154c | 5834 | |
wolfSSL | 0:d92f9d21154c | 5835 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5836 | XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5837 | #endif |
wolfSSL | 0:d92f9d21154c | 5838 | |
wolfSSL | 0:d92f9d21154c | 5839 | return ret; |
wolfSSL | 0:d92f9d21154c | 5840 | } |
wolfSSL | 0:d92f9d21154c | 5841 | |
wolfSSL | 0:d92f9d21154c | 5842 | |
wolfSSL | 0:d92f9d21154c | 5843 | /* add signature to end of buffer, size of buffer assumed checked, return |
wolfSSL | 0:d92f9d21154c | 5844 | new length */ |
wolfSSL | 0:d92f9d21154c | 5845 | static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz, |
wolfSSL | 0:d92f9d21154c | 5846 | int sigAlgoType) |
wolfSSL | 0:d92f9d21154c | 5847 | { |
wolfSSL | 0:d92f9d21154c | 5848 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5849 | int idx = bodySz, seqSz; |
wolfSSL | 0:d92f9d21154c | 5850 | |
wolfSSL | 0:d92f9d21154c | 5851 | /* algo */ |
wolfSSL | 0:d92f9d21154c | 5852 | idx += SetAlgoID(sigAlgoType, buffer + idx, sigType, 0); |
wolfSSL | 0:d92f9d21154c | 5853 | /* bit string */ |
wolfSSL | 0:d92f9d21154c | 5854 | buffer[idx++] = ASN_BIT_STRING; |
wolfSSL | 0:d92f9d21154c | 5855 | /* length */ |
wolfSSL | 0:d92f9d21154c | 5856 | idx += SetLength(sigSz + 1, buffer + idx); |
wolfSSL | 0:d92f9d21154c | 5857 | buffer[idx++] = 0; /* trailing 0 */ |
wolfSSL | 0:d92f9d21154c | 5858 | /* signature */ |
wolfSSL | 0:d92f9d21154c | 5859 | XMEMCPY(buffer + idx, sig, sigSz); |
wolfSSL | 0:d92f9d21154c | 5860 | idx += sigSz; |
wolfSSL | 0:d92f9d21154c | 5861 | |
wolfSSL | 0:d92f9d21154c | 5862 | /* make room for overall header */ |
wolfSSL | 0:d92f9d21154c | 5863 | seqSz = SetSequence(idx, seq); |
wolfSSL | 0:d92f9d21154c | 5864 | XMEMMOVE(buffer + seqSz, buffer, idx); |
wolfSSL | 0:d92f9d21154c | 5865 | XMEMCPY(buffer, seq, seqSz); |
wolfSSL | 0:d92f9d21154c | 5866 | |
wolfSSL | 0:d92f9d21154c | 5867 | return idx + seqSz; |
wolfSSL | 0:d92f9d21154c | 5868 | } |
wolfSSL | 0:d92f9d21154c | 5869 | |
wolfSSL | 0:d92f9d21154c | 5870 | |
wolfSSL | 0:d92f9d21154c | 5871 | /* Make an x509 Certificate v3 any key type from cert input, write to buffer */ |
wolfSSL | 0:d92f9d21154c | 5872 | static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 0:d92f9d21154c | 5873 | RsaKey* rsaKey, ecc_key* eccKey, RNG* rng, |
wolfSSL | 0:d92f9d21154c | 5874 | const byte* ntruKey, word16 ntruSz) |
wolfSSL | 0:d92f9d21154c | 5875 | { |
wolfSSL | 0:d92f9d21154c | 5876 | int ret; |
wolfSSL | 0:d92f9d21154c | 5877 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5878 | DerCert* der; |
wolfSSL | 0:d92f9d21154c | 5879 | #else |
wolfSSL | 0:d92f9d21154c | 5880 | DerCert der[1]; |
wolfSSL | 0:d92f9d21154c | 5881 | #endif |
wolfSSL | 0:d92f9d21154c | 5882 | |
wolfSSL | 0:d92f9d21154c | 5883 | cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY); |
wolfSSL | 0:d92f9d21154c | 5884 | |
wolfSSL | 0:d92f9d21154c | 5885 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5886 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5887 | if (der == NULL) |
wolfSSL | 0:d92f9d21154c | 5888 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 5889 | #endif |
wolfSSL | 0:d92f9d21154c | 5890 | |
wolfSSL | 0:d92f9d21154c | 5891 | ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz); |
wolfSSL | 0:d92f9d21154c | 5892 | |
wolfSSL | 0:d92f9d21154c | 5893 | if (ret == 0) { |
wolfSSL | 0:d92f9d21154c | 5894 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 0:d92f9d21154c | 5895 | ret = BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 5896 | else |
wolfSSL | 0:d92f9d21154c | 5897 | ret = cert->bodySz = WriteCertBody(der, derBuffer); |
wolfSSL | 0:d92f9d21154c | 5898 | } |
wolfSSL | 0:d92f9d21154c | 5899 | |
wolfSSL | 0:d92f9d21154c | 5900 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 5901 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 5902 | #endif |
wolfSSL | 0:d92f9d21154c | 5903 | |
wolfSSL | 0:d92f9d21154c | 5904 | return ret; |
wolfSSL | 0:d92f9d21154c | 5905 | } |
wolfSSL | 0:d92f9d21154c | 5906 | |
wolfSSL | 0:d92f9d21154c | 5907 | |
wolfSSL | 0:d92f9d21154c | 5908 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 0:d92f9d21154c | 5909 | int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, |
wolfSSL | 0:d92f9d21154c | 5910 | ecc_key* eccKey, RNG* rng) |
wolfSSL | 0:d92f9d21154c | 5911 | { |
wolfSSL | 0:d92f9d21154c | 5912 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0); |
wolfSSL | 0:d92f9d21154c | 5913 | } |
wolfSSL | 0:d92f9d21154c | 5914 | |
wolfSSL | 0:d92f9d21154c | 5915 | |
wolfSSL | 0:d92f9d21154c | 5916 | #ifdef HAVE_NTRU |
wolfSSL | 0:d92f9d21154c | 5917 | |
wolfSSL | 0:d92f9d21154c | 5918 | int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 0:d92f9d21154c | 5919 | const byte* ntruKey, word16 keySz, RNG* rng) |
wolfSSL | 0:d92f9d21154c | 5920 | { |
wolfSSL | 0:d92f9d21154c | 5921 | return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz); |
wolfSSL | 0:d92f9d21154c | 5922 | } |
wolfSSL | 0:d92f9d21154c | 5923 | |
wolfSSL | 0:d92f9d21154c | 5924 | #endif /* HAVE_NTRU */ |
wolfSSL | 0:d92f9d21154c | 5925 | |
wolfSSL | 0:d92f9d21154c | 5926 | |
wolfSSL | 0:d92f9d21154c | 5927 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 0:d92f9d21154c | 5928 | |
wolfSSL | 0:d92f9d21154c | 5929 | static int SetReqAttrib(byte* output, char* pw, int extSz) |
wolfSSL | 0:d92f9d21154c | 5930 | { |
wolfSSL | 0:d92f9d21154c | 5931 | static const byte cpOid[] = |
wolfSSL | 0:d92f9d21154c | 5932 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 0:d92f9d21154c | 5933 | 0x09, 0x07 }; |
wolfSSL | 0:d92f9d21154c | 5934 | static const byte erOid[] = |
wolfSSL | 0:d92f9d21154c | 5935 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 0:d92f9d21154c | 5936 | 0x09, 0x0e }; |
wolfSSL | 0:d92f9d21154c | 5937 | |
wolfSSL | 0:d92f9d21154c | 5938 | int sz = 0; /* overall size */ |
wolfSSL | 0:d92f9d21154c | 5939 | int cpSz = 0; /* Challenge Password section size */ |
wolfSSL | 0:d92f9d21154c | 5940 | int cpSeqSz = 0; |
wolfSSL | 0:d92f9d21154c | 5941 | int cpSetSz = 0; |
wolfSSL | 0:d92f9d21154c | 5942 | int cpStrSz = 0; |
wolfSSL | 0:d92f9d21154c | 5943 | int pwSz = 0; |
wolfSSL | 0:d92f9d21154c | 5944 | int erSz = 0; /* Extension Request section size */ |
wolfSSL | 0:d92f9d21154c | 5945 | int erSeqSz = 0; |
wolfSSL | 0:d92f9d21154c | 5946 | int erSetSz = 0; |
wolfSSL | 0:d92f9d21154c | 5947 | byte cpSeq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5948 | byte cpSet[MAX_SET_SZ]; |
wolfSSL | 0:d92f9d21154c | 5949 | byte cpStr[MAX_PRSTR_SZ]; |
wolfSSL | 0:d92f9d21154c | 5950 | byte erSeq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 5951 | byte erSet[MAX_SET_SZ]; |
wolfSSL | 0:d92f9d21154c | 5952 | |
wolfSSL | 0:d92f9d21154c | 5953 | output[0] = 0xa0; |
wolfSSL | 0:d92f9d21154c | 5954 | sz++; |
wolfSSL | 0:d92f9d21154c | 5955 | |
wolfSSL | 0:d92f9d21154c | 5956 | if (pw && pw[0]) { |
wolfSSL | 0:d92f9d21154c | 5957 | pwSz = (int)XSTRLEN(pw); |
wolfSSL | 0:d92f9d21154c | 5958 | cpStrSz = SetUTF8String(pwSz, cpStr); |
wolfSSL | 0:d92f9d21154c | 5959 | cpSetSz = SetSet(cpStrSz + pwSz, cpSet); |
wolfSSL | 0:d92f9d21154c | 5960 | cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq); |
wolfSSL | 0:d92f9d21154c | 5961 | cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz; |
wolfSSL | 0:d92f9d21154c | 5962 | } |
wolfSSL | 0:d92f9d21154c | 5963 | |
wolfSSL | 0:d92f9d21154c | 5964 | if (extSz) { |
wolfSSL | 0:d92f9d21154c | 5965 | erSetSz = SetSet(extSz, erSet); |
wolfSSL | 0:d92f9d21154c | 5966 | erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq); |
wolfSSL | 0:d92f9d21154c | 5967 | erSz = extSz + erSetSz + erSeqSz + sizeof(erOid); |
wolfSSL | 0:d92f9d21154c | 5968 | } |
wolfSSL | 0:d92f9d21154c | 5969 | |
wolfSSL | 0:d92f9d21154c | 5970 | /* Put the pieces together. */ |
wolfSSL | 0:d92f9d21154c | 5971 | sz += SetLength(cpSz + erSz, &output[sz]); |
wolfSSL | 0:d92f9d21154c | 5972 | |
wolfSSL | 0:d92f9d21154c | 5973 | if (cpSz) { |
wolfSSL | 0:d92f9d21154c | 5974 | XMEMCPY(&output[sz], cpSeq, cpSeqSz); |
wolfSSL | 0:d92f9d21154c | 5975 | sz += cpSeqSz; |
wolfSSL | 0:d92f9d21154c | 5976 | XMEMCPY(&output[sz], cpOid, sizeof(cpOid)); |
wolfSSL | 0:d92f9d21154c | 5977 | sz += sizeof(cpOid); |
wolfSSL | 0:d92f9d21154c | 5978 | XMEMCPY(&output[sz], cpSet, cpSetSz); |
wolfSSL | 0:d92f9d21154c | 5979 | sz += cpSetSz; |
wolfSSL | 0:d92f9d21154c | 5980 | XMEMCPY(&output[sz], cpStr, cpStrSz); |
wolfSSL | 0:d92f9d21154c | 5981 | sz += cpStrSz; |
wolfSSL | 0:d92f9d21154c | 5982 | XMEMCPY(&output[sz], pw, pwSz); |
wolfSSL | 0:d92f9d21154c | 5983 | sz += pwSz; |
wolfSSL | 0:d92f9d21154c | 5984 | } |
wolfSSL | 0:d92f9d21154c | 5985 | |
wolfSSL | 0:d92f9d21154c | 5986 | if (erSz) { |
wolfSSL | 0:d92f9d21154c | 5987 | XMEMCPY(&output[sz], erSeq, erSeqSz); |
wolfSSL | 0:d92f9d21154c | 5988 | sz += erSeqSz; |
wolfSSL | 0:d92f9d21154c | 5989 | XMEMCPY(&output[sz], erOid, sizeof(erOid)); |
wolfSSL | 0:d92f9d21154c | 5990 | sz += sizeof(erOid); |
wolfSSL | 0:d92f9d21154c | 5991 | XMEMCPY(&output[sz], erSet, erSetSz); |
wolfSSL | 0:d92f9d21154c | 5992 | sz += erSetSz; |
wolfSSL | 0:d92f9d21154c | 5993 | /* The actual extension data will be tacked onto the output later. */ |
wolfSSL | 0:d92f9d21154c | 5994 | } |
wolfSSL | 0:d92f9d21154c | 5995 | |
wolfSSL | 0:d92f9d21154c | 5996 | return sz; |
wolfSSL | 0:d92f9d21154c | 5997 | } |
wolfSSL | 0:d92f9d21154c | 5998 | |
wolfSSL | 0:d92f9d21154c | 5999 | |
wolfSSL | 0:d92f9d21154c | 6000 | /* encode info from cert into DER encoded format */ |
wolfSSL | 0:d92f9d21154c | 6001 | static int EncodeCertReq(Cert* cert, DerCert* der, |
wolfSSL | 0:d92f9d21154c | 6002 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 0:d92f9d21154c | 6003 | { |
wolfSSL | 0:d92f9d21154c | 6004 | (void)eccKey; |
wolfSSL | 0:d92f9d21154c | 6005 | |
wolfSSL | 0:d92f9d21154c | 6006 | /* init */ |
wolfSSL | 0:d92f9d21154c | 6007 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 0:d92f9d21154c | 6008 | |
wolfSSL | 0:d92f9d21154c | 6009 | /* version */ |
wolfSSL | 0:d92f9d21154c | 6010 | der->versionSz = SetMyVersion(cert->version, der->version, FALSE); |
wolfSSL | 0:d92f9d21154c | 6011 | |
wolfSSL | 0:d92f9d21154c | 6012 | /* subject name */ |
wolfSSL | 0:d92f9d21154c | 6013 | der->subjectSz = SetName(der->subject, &cert->subject); |
wolfSSL | 0:d92f9d21154c | 6014 | if (der->subjectSz == 0) |
wolfSSL | 0:d92f9d21154c | 6015 | return SUBJECT_E; |
wolfSSL | 0:d92f9d21154c | 6016 | |
wolfSSL | 0:d92f9d21154c | 6017 | /* public key */ |
wolfSSL | 0:d92f9d21154c | 6018 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 0:d92f9d21154c | 6019 | if (rsaKey == NULL) |
wolfSSL | 0:d92f9d21154c | 6020 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6021 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey); |
wolfSSL | 0:d92f9d21154c | 6022 | if (der->publicKeySz <= 0) |
wolfSSL | 0:d92f9d21154c | 6023 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6024 | } |
wolfSSL | 0:d92f9d21154c | 6025 | |
wolfSSL | 0:d92f9d21154c | 6026 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 6027 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 0:d92f9d21154c | 6028 | if (eccKey == NULL) |
wolfSSL | 0:d92f9d21154c | 6029 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6030 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey); |
wolfSSL | 0:d92f9d21154c | 6031 | if (der->publicKeySz <= 0) |
wolfSSL | 0:d92f9d21154c | 6032 | return PUBLIC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6033 | } |
wolfSSL | 0:d92f9d21154c | 6034 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 6035 | |
wolfSSL | 0:d92f9d21154c | 6036 | /* CA */ |
wolfSSL | 0:d92f9d21154c | 6037 | if (cert->isCA) { |
wolfSSL | 0:d92f9d21154c | 6038 | der->caSz = SetCa(der->ca); |
wolfSSL | 0:d92f9d21154c | 6039 | if (der->caSz == 0) |
wolfSSL | 0:d92f9d21154c | 6040 | return CA_TRUE_E; |
wolfSSL | 0:d92f9d21154c | 6041 | } |
wolfSSL | 0:d92f9d21154c | 6042 | else |
wolfSSL | 0:d92f9d21154c | 6043 | der->caSz = 0; |
wolfSSL | 0:d92f9d21154c | 6044 | |
wolfSSL | 0:d92f9d21154c | 6045 | /* extensions, just CA now */ |
wolfSSL | 0:d92f9d21154c | 6046 | if (cert->isCA) { |
wolfSSL | 0:d92f9d21154c | 6047 | der->extensionsSz = SetExtensions(der->extensions, |
wolfSSL | 0:d92f9d21154c | 6048 | der->ca, der->caSz, FALSE); |
wolfSSL | 0:d92f9d21154c | 6049 | if (der->extensionsSz == 0) |
wolfSSL | 0:d92f9d21154c | 6050 | return EXTENSIONS_E; |
wolfSSL | 0:d92f9d21154c | 6051 | } |
wolfSSL | 0:d92f9d21154c | 6052 | else |
wolfSSL | 0:d92f9d21154c | 6053 | der->extensionsSz = 0; |
wolfSSL | 0:d92f9d21154c | 6054 | |
wolfSSL | 0:d92f9d21154c | 6055 | der->attribSz = SetReqAttrib(der->attrib, |
wolfSSL | 0:d92f9d21154c | 6056 | cert->challengePw, der->extensionsSz); |
wolfSSL | 0:d92f9d21154c | 6057 | if (der->attribSz == 0) |
wolfSSL | 0:d92f9d21154c | 6058 | return REQ_ATTRIBUTE_E; |
wolfSSL | 0:d92f9d21154c | 6059 | |
wolfSSL | 0:d92f9d21154c | 6060 | der->total = der->versionSz + der->subjectSz + der->publicKeySz + |
wolfSSL | 0:d92f9d21154c | 6061 | der->extensionsSz + der->attribSz; |
wolfSSL | 0:d92f9d21154c | 6062 | |
wolfSSL | 0:d92f9d21154c | 6063 | return 0; |
wolfSSL | 0:d92f9d21154c | 6064 | } |
wolfSSL | 0:d92f9d21154c | 6065 | |
wolfSSL | 0:d92f9d21154c | 6066 | |
wolfSSL | 0:d92f9d21154c | 6067 | /* write DER encoded cert req to buffer, size already checked */ |
wolfSSL | 0:d92f9d21154c | 6068 | static int WriteCertReqBody(DerCert* der, byte* buffer) |
wolfSSL | 0:d92f9d21154c | 6069 | { |
wolfSSL | 0:d92f9d21154c | 6070 | int idx; |
wolfSSL | 0:d92f9d21154c | 6071 | |
wolfSSL | 0:d92f9d21154c | 6072 | /* signed part header */ |
wolfSSL | 0:d92f9d21154c | 6073 | idx = SetSequence(der->total, buffer); |
wolfSSL | 0:d92f9d21154c | 6074 | /* version */ |
wolfSSL | 0:d92f9d21154c | 6075 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 0:d92f9d21154c | 6076 | idx += der->versionSz; |
wolfSSL | 0:d92f9d21154c | 6077 | /* subject */ |
wolfSSL | 0:d92f9d21154c | 6078 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 0:d92f9d21154c | 6079 | idx += der->subjectSz; |
wolfSSL | 0:d92f9d21154c | 6080 | /* public key */ |
wolfSSL | 0:d92f9d21154c | 6081 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 0:d92f9d21154c | 6082 | idx += der->publicKeySz; |
wolfSSL | 0:d92f9d21154c | 6083 | /* attributes */ |
wolfSSL | 0:d92f9d21154c | 6084 | XMEMCPY(buffer + idx, der->attrib, der->attribSz); |
wolfSSL | 0:d92f9d21154c | 6085 | idx += der->attribSz; |
wolfSSL | 0:d92f9d21154c | 6086 | /* extensions */ |
wolfSSL | 0:d92f9d21154c | 6087 | if (der->extensionsSz) { |
wolfSSL | 0:d92f9d21154c | 6088 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 0:d92f9d21154c | 6089 | sizeof(der->extensions))); |
wolfSSL | 0:d92f9d21154c | 6090 | idx += der->extensionsSz; |
wolfSSL | 0:d92f9d21154c | 6091 | } |
wolfSSL | 0:d92f9d21154c | 6092 | |
wolfSSL | 0:d92f9d21154c | 6093 | return idx; |
wolfSSL | 0:d92f9d21154c | 6094 | } |
wolfSSL | 0:d92f9d21154c | 6095 | |
wolfSSL | 0:d92f9d21154c | 6096 | |
wolfSSL | 0:d92f9d21154c | 6097 | int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 0:d92f9d21154c | 6098 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 0:d92f9d21154c | 6099 | { |
wolfSSL | 0:d92f9d21154c | 6100 | int ret; |
wolfSSL | 0:d92f9d21154c | 6101 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6102 | DerCert* der; |
wolfSSL | 0:d92f9d21154c | 6103 | #else |
wolfSSL | 0:d92f9d21154c | 6104 | DerCert der[1]; |
wolfSSL | 0:d92f9d21154c | 6105 | #endif |
wolfSSL | 0:d92f9d21154c | 6106 | |
wolfSSL | 0:d92f9d21154c | 6107 | cert->keyType = eccKey ? ECC_KEY : RSA_KEY; |
wolfSSL | 0:d92f9d21154c | 6108 | |
wolfSSL | 0:d92f9d21154c | 6109 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6110 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6111 | if (der == NULL) |
wolfSSL | 0:d92f9d21154c | 6112 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6113 | #endif |
wolfSSL | 0:d92f9d21154c | 6114 | |
wolfSSL | 0:d92f9d21154c | 6115 | ret = EncodeCertReq(cert, der, rsaKey, eccKey); |
wolfSSL | 0:d92f9d21154c | 6116 | |
wolfSSL | 0:d92f9d21154c | 6117 | if (ret == 0) { |
wolfSSL | 0:d92f9d21154c | 6118 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 0:d92f9d21154c | 6119 | ret = BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 6120 | else |
wolfSSL | 0:d92f9d21154c | 6121 | ret = cert->bodySz = WriteCertReqBody(der, derBuffer); |
wolfSSL | 0:d92f9d21154c | 6122 | } |
wolfSSL | 0:d92f9d21154c | 6123 | |
wolfSSL | 0:d92f9d21154c | 6124 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6125 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6126 | #endif |
wolfSSL | 0:d92f9d21154c | 6127 | |
wolfSSL | 0:d92f9d21154c | 6128 | return ret; |
wolfSSL | 0:d92f9d21154c | 6129 | } |
wolfSSL | 0:d92f9d21154c | 6130 | |
wolfSSL | 0:d92f9d21154c | 6131 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 0:d92f9d21154c | 6132 | |
wolfSSL | 0:d92f9d21154c | 6133 | |
wolfSSL | 0:d92f9d21154c | 6134 | int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz, |
wolfSSL | 0:d92f9d21154c | 6135 | RsaKey* rsaKey, ecc_key* eccKey, RNG* rng) |
wolfSSL | 0:d92f9d21154c | 6136 | { |
wolfSSL | 0:d92f9d21154c | 6137 | int sigSz; |
wolfSSL | 0:d92f9d21154c | 6138 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6139 | byte* sig; |
wolfSSL | 0:d92f9d21154c | 6140 | #else |
wolfSSL | 0:d92f9d21154c | 6141 | byte sig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 6142 | #endif |
wolfSSL | 0:d92f9d21154c | 6143 | |
wolfSSL | 0:d92f9d21154c | 6144 | if (requestSz < 0) |
wolfSSL | 0:d92f9d21154c | 6145 | return requestSz; |
wolfSSL | 0:d92f9d21154c | 6146 | |
wolfSSL | 0:d92f9d21154c | 6147 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6148 | sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6149 | if (sig == NULL) |
wolfSSL | 0:d92f9d21154c | 6150 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6151 | #endif |
wolfSSL | 0:d92f9d21154c | 6152 | |
wolfSSL | 0:d92f9d21154c | 6153 | sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey, |
wolfSSL | 0:d92f9d21154c | 6154 | eccKey, rng, sType); |
wolfSSL | 0:d92f9d21154c | 6155 | |
wolfSSL | 0:d92f9d21154c | 6156 | if (sigSz >= 0) { |
wolfSSL | 0:d92f9d21154c | 6157 | if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz) |
wolfSSL | 0:d92f9d21154c | 6158 | sigSz = BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 6159 | else |
wolfSSL | 0:d92f9d21154c | 6160 | sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType); |
wolfSSL | 0:d92f9d21154c | 6161 | } |
wolfSSL | 0:d92f9d21154c | 6162 | |
wolfSSL | 0:d92f9d21154c | 6163 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6164 | XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6165 | #endif |
wolfSSL | 0:d92f9d21154c | 6166 | |
wolfSSL | 0:d92f9d21154c | 6167 | return sigSz; |
wolfSSL | 0:d92f9d21154c | 6168 | } |
wolfSSL | 0:d92f9d21154c | 6169 | |
wolfSSL | 0:d92f9d21154c | 6170 | |
wolfSSL | 0:d92f9d21154c | 6171 | int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, RsaKey* key, RNG* rng) |
wolfSSL | 0:d92f9d21154c | 6172 | { |
wolfSSL | 0:d92f9d21154c | 6173 | int ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng); |
wolfSSL | 0:d92f9d21154c | 6174 | |
wolfSSL | 0:d92f9d21154c | 6175 | if (ret < 0) |
wolfSSL | 0:d92f9d21154c | 6176 | return ret; |
wolfSSL | 0:d92f9d21154c | 6177 | |
wolfSSL | 0:d92f9d21154c | 6178 | return wc_SignCert(cert->bodySz, cert->sigType, buffer, buffSz, key, NULL,rng); |
wolfSSL | 0:d92f9d21154c | 6179 | } |
wolfSSL | 0:d92f9d21154c | 6180 | |
wolfSSL | 0:d92f9d21154c | 6181 | |
wolfSSL | 0:d92f9d21154c | 6182 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 6183 | |
wolfSSL | 0:d92f9d21154c | 6184 | /* Set Alt Names from der cert, return 0 on success */ |
wolfSSL | 0:d92f9d21154c | 6185 | static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6186 | { |
wolfSSL | 0:d92f9d21154c | 6187 | int ret; |
wolfSSL | 0:d92f9d21154c | 6188 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6189 | DecodedCert* decoded; |
wolfSSL | 0:d92f9d21154c | 6190 | #else |
wolfSSL | 0:d92f9d21154c | 6191 | DecodedCert decoded[1]; |
wolfSSL | 0:d92f9d21154c | 6192 | #endif |
wolfSSL | 0:d92f9d21154c | 6193 | |
wolfSSL | 0:d92f9d21154c | 6194 | if (derSz < 0) |
wolfSSL | 0:d92f9d21154c | 6195 | return derSz; |
wolfSSL | 0:d92f9d21154c | 6196 | |
wolfSSL | 0:d92f9d21154c | 6197 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6198 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 0:d92f9d21154c | 6199 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6200 | if (decoded == NULL) |
wolfSSL | 0:d92f9d21154c | 6201 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6202 | #endif |
wolfSSL | 0:d92f9d21154c | 6203 | |
wolfSSL | 0:d92f9d21154c | 6204 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 0:d92f9d21154c | 6205 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 0:d92f9d21154c | 6206 | |
wolfSSL | 0:d92f9d21154c | 6207 | if (ret < 0) { |
wolfSSL | 0:d92f9d21154c | 6208 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 0:d92f9d21154c | 6209 | } |
wolfSSL | 0:d92f9d21154c | 6210 | else if (decoded->extensions) { |
wolfSSL | 0:d92f9d21154c | 6211 | byte b; |
wolfSSL | 0:d92f9d21154c | 6212 | int length; |
wolfSSL | 0:d92f9d21154c | 6213 | word32 maxExtensionsIdx; |
wolfSSL | 0:d92f9d21154c | 6214 | |
wolfSSL | 0:d92f9d21154c | 6215 | decoded->srcIdx = decoded->extensionsIdx; |
wolfSSL | 0:d92f9d21154c | 6216 | b = decoded->source[decoded->srcIdx++]; |
wolfSSL | 0:d92f9d21154c | 6217 | |
wolfSSL | 0:d92f9d21154c | 6218 | if (b != ASN_EXTENSIONS) { |
wolfSSL | 0:d92f9d21154c | 6219 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6220 | } |
wolfSSL | 0:d92f9d21154c | 6221 | else if (GetLength(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 0:d92f9d21154c | 6222 | decoded->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 6223 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6224 | } |
wolfSSL | 0:d92f9d21154c | 6225 | else if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 0:d92f9d21154c | 6226 | decoded->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 6227 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6228 | } |
wolfSSL | 0:d92f9d21154c | 6229 | else { |
wolfSSL | 0:d92f9d21154c | 6230 | maxExtensionsIdx = decoded->srcIdx + length; |
wolfSSL | 0:d92f9d21154c | 6231 | |
wolfSSL | 0:d92f9d21154c | 6232 | while (decoded->srcIdx < maxExtensionsIdx) { |
wolfSSL | 0:d92f9d21154c | 6233 | word32 oid; |
wolfSSL | 0:d92f9d21154c | 6234 | word32 startIdx = decoded->srcIdx; |
wolfSSL | 0:d92f9d21154c | 6235 | word32 tmpIdx; |
wolfSSL | 0:d92f9d21154c | 6236 | |
wolfSSL | 0:d92f9d21154c | 6237 | if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 0:d92f9d21154c | 6238 | decoded->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 6239 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6240 | break; |
wolfSSL | 0:d92f9d21154c | 6241 | } |
wolfSSL | 0:d92f9d21154c | 6242 | |
wolfSSL | 0:d92f9d21154c | 6243 | tmpIdx = decoded->srcIdx; |
wolfSSL | 0:d92f9d21154c | 6244 | decoded->srcIdx = startIdx; |
wolfSSL | 0:d92f9d21154c | 6245 | |
wolfSSL | 0:d92f9d21154c | 6246 | if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid, |
wolfSSL | 0:d92f9d21154c | 6247 | decoded->maxIdx) < 0) { |
wolfSSL | 0:d92f9d21154c | 6248 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6249 | break; |
wolfSSL | 0:d92f9d21154c | 6250 | } |
wolfSSL | 0:d92f9d21154c | 6251 | |
wolfSSL | 0:d92f9d21154c | 6252 | if (oid == ALT_NAMES_OID) { |
wolfSSL | 0:d92f9d21154c | 6253 | cert->altNamesSz = length + (tmpIdx - startIdx); |
wolfSSL | 0:d92f9d21154c | 6254 | |
wolfSSL | 0:d92f9d21154c | 6255 | if (cert->altNamesSz < (int)sizeof(cert->altNames)) |
wolfSSL | 0:d92f9d21154c | 6256 | XMEMCPY(cert->altNames, &decoded->source[startIdx], |
wolfSSL | 0:d92f9d21154c | 6257 | cert->altNamesSz); |
wolfSSL | 0:d92f9d21154c | 6258 | else { |
wolfSSL | 0:d92f9d21154c | 6259 | cert->altNamesSz = 0; |
wolfSSL | 0:d92f9d21154c | 6260 | WOLFSSL_MSG("AltNames extensions too big"); |
wolfSSL | 0:d92f9d21154c | 6261 | ret = ALT_NAME_E; |
wolfSSL | 0:d92f9d21154c | 6262 | break; |
wolfSSL | 0:d92f9d21154c | 6263 | } |
wolfSSL | 0:d92f9d21154c | 6264 | } |
wolfSSL | 0:d92f9d21154c | 6265 | decoded->srcIdx = tmpIdx + length; |
wolfSSL | 0:d92f9d21154c | 6266 | } |
wolfSSL | 0:d92f9d21154c | 6267 | } |
wolfSSL | 0:d92f9d21154c | 6268 | } |
wolfSSL | 0:d92f9d21154c | 6269 | |
wolfSSL | 0:d92f9d21154c | 6270 | FreeDecodedCert(decoded); |
wolfSSL | 0:d92f9d21154c | 6271 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6272 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6273 | #endif |
wolfSSL | 0:d92f9d21154c | 6274 | |
wolfSSL | 0:d92f9d21154c | 6275 | return ret < 0 ? ret : 0; |
wolfSSL | 0:d92f9d21154c | 6276 | } |
wolfSSL | 0:d92f9d21154c | 6277 | |
wolfSSL | 0:d92f9d21154c | 6278 | |
wolfSSL | 0:d92f9d21154c | 6279 | /* Set Dates from der cert, return 0 on success */ |
wolfSSL | 0:d92f9d21154c | 6280 | static int SetDatesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6281 | { |
wolfSSL | 0:d92f9d21154c | 6282 | int ret; |
wolfSSL | 0:d92f9d21154c | 6283 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6284 | DecodedCert* decoded; |
wolfSSL | 0:d92f9d21154c | 6285 | #else |
wolfSSL | 0:d92f9d21154c | 6286 | DecodedCert decoded[1]; |
wolfSSL | 0:d92f9d21154c | 6287 | #endif |
wolfSSL | 0:d92f9d21154c | 6288 | |
wolfSSL | 0:d92f9d21154c | 6289 | WOLFSSL_ENTER("SetDatesFromCert"); |
wolfSSL | 0:d92f9d21154c | 6290 | if (derSz < 0) |
wolfSSL | 0:d92f9d21154c | 6291 | return derSz; |
wolfSSL | 0:d92f9d21154c | 6292 | |
wolfSSL | 0:d92f9d21154c | 6293 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6294 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 0:d92f9d21154c | 6295 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6296 | if (decoded == NULL) |
wolfSSL | 0:d92f9d21154c | 6297 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6298 | #endif |
wolfSSL | 0:d92f9d21154c | 6299 | |
wolfSSL | 0:d92f9d21154c | 6300 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 0:d92f9d21154c | 6301 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 0:d92f9d21154c | 6302 | |
wolfSSL | 0:d92f9d21154c | 6303 | if (ret < 0) { |
wolfSSL | 0:d92f9d21154c | 6304 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 0:d92f9d21154c | 6305 | } |
wolfSSL | 0:d92f9d21154c | 6306 | else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) { |
wolfSSL | 0:d92f9d21154c | 6307 | WOLFSSL_MSG("Couldn't extract dates"); |
wolfSSL | 0:d92f9d21154c | 6308 | ret = -1; |
wolfSSL | 0:d92f9d21154c | 6309 | } |
wolfSSL | 0:d92f9d21154c | 6310 | else if (decoded->beforeDateLen > MAX_DATE_SIZE || |
wolfSSL | 0:d92f9d21154c | 6311 | decoded->afterDateLen > MAX_DATE_SIZE) { |
wolfSSL | 0:d92f9d21154c | 6312 | WOLFSSL_MSG("Bad date size"); |
wolfSSL | 0:d92f9d21154c | 6313 | ret = -1; |
wolfSSL | 0:d92f9d21154c | 6314 | } |
wolfSSL | 0:d92f9d21154c | 6315 | else { |
wolfSSL | 0:d92f9d21154c | 6316 | XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen); |
wolfSSL | 0:d92f9d21154c | 6317 | XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen); |
wolfSSL | 0:d92f9d21154c | 6318 | |
wolfSSL | 0:d92f9d21154c | 6319 | cert->beforeDateSz = decoded->beforeDateLen; |
wolfSSL | 0:d92f9d21154c | 6320 | cert->afterDateSz = decoded->afterDateLen; |
wolfSSL | 0:d92f9d21154c | 6321 | } |
wolfSSL | 0:d92f9d21154c | 6322 | |
wolfSSL | 0:d92f9d21154c | 6323 | FreeDecodedCert(decoded); |
wolfSSL | 0:d92f9d21154c | 6324 | |
wolfSSL | 0:d92f9d21154c | 6325 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6326 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6327 | #endif |
wolfSSL | 0:d92f9d21154c | 6328 | |
wolfSSL | 0:d92f9d21154c | 6329 | return ret < 0 ? ret : 0; |
wolfSSL | 0:d92f9d21154c | 6330 | } |
wolfSSL | 0:d92f9d21154c | 6331 | |
wolfSSL | 0:d92f9d21154c | 6332 | |
wolfSSL | 0:d92f9d21154c | 6333 | #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */ |
wolfSSL | 0:d92f9d21154c | 6334 | |
wolfSSL | 0:d92f9d21154c | 6335 | |
wolfSSL | 0:d92f9d21154c | 6336 | /* Set cn name from der buffer, return 0 on success */ |
wolfSSL | 0:d92f9d21154c | 6337 | static int SetNameFromCert(CertName* cn, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6338 | { |
wolfSSL | 0:d92f9d21154c | 6339 | int ret, sz; |
wolfSSL | 0:d92f9d21154c | 6340 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6341 | DecodedCert* decoded; |
wolfSSL | 0:d92f9d21154c | 6342 | #else |
wolfSSL | 0:d92f9d21154c | 6343 | DecodedCert decoded[1]; |
wolfSSL | 0:d92f9d21154c | 6344 | #endif |
wolfSSL | 0:d92f9d21154c | 6345 | |
wolfSSL | 0:d92f9d21154c | 6346 | if (derSz < 0) |
wolfSSL | 0:d92f9d21154c | 6347 | return derSz; |
wolfSSL | 0:d92f9d21154c | 6348 | |
wolfSSL | 0:d92f9d21154c | 6349 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6350 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 0:d92f9d21154c | 6351 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6352 | if (decoded == NULL) |
wolfSSL | 0:d92f9d21154c | 6353 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6354 | #endif |
wolfSSL | 0:d92f9d21154c | 6355 | |
wolfSSL | 0:d92f9d21154c | 6356 | InitDecodedCert(decoded, (byte*)der, derSz, 0); |
wolfSSL | 0:d92f9d21154c | 6357 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 0:d92f9d21154c | 6358 | |
wolfSSL | 0:d92f9d21154c | 6359 | if (ret < 0) { |
wolfSSL | 0:d92f9d21154c | 6360 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 0:d92f9d21154c | 6361 | } |
wolfSSL | 0:d92f9d21154c | 6362 | else { |
wolfSSL | 0:d92f9d21154c | 6363 | if (decoded->subjectCN) { |
wolfSSL | 0:d92f9d21154c | 6364 | sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen |
wolfSSL | 0:d92f9d21154c | 6365 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6366 | strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6367 | cn->commonName[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6368 | cn->commonNameEnc = decoded->subjectCNEnc; |
wolfSSL | 0:d92f9d21154c | 6369 | } |
wolfSSL | 0:d92f9d21154c | 6370 | if (decoded->subjectC) { |
wolfSSL | 0:d92f9d21154c | 6371 | sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen |
wolfSSL | 0:d92f9d21154c | 6372 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6373 | strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6374 | cn->country[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6375 | cn->countryEnc = decoded->subjectCEnc; |
wolfSSL | 0:d92f9d21154c | 6376 | } |
wolfSSL | 0:d92f9d21154c | 6377 | if (decoded->subjectST) { |
wolfSSL | 0:d92f9d21154c | 6378 | sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen |
wolfSSL | 0:d92f9d21154c | 6379 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6380 | strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6381 | cn->state[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6382 | cn->stateEnc = decoded->subjectSTEnc; |
wolfSSL | 0:d92f9d21154c | 6383 | } |
wolfSSL | 0:d92f9d21154c | 6384 | if (decoded->subjectL) { |
wolfSSL | 0:d92f9d21154c | 6385 | sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen |
wolfSSL | 0:d92f9d21154c | 6386 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6387 | strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6388 | cn->locality[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6389 | cn->localityEnc = decoded->subjectLEnc; |
wolfSSL | 0:d92f9d21154c | 6390 | } |
wolfSSL | 0:d92f9d21154c | 6391 | if (decoded->subjectO) { |
wolfSSL | 0:d92f9d21154c | 6392 | sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen |
wolfSSL | 0:d92f9d21154c | 6393 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6394 | strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6395 | cn->org[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6396 | cn->orgEnc = decoded->subjectOEnc; |
wolfSSL | 0:d92f9d21154c | 6397 | } |
wolfSSL | 0:d92f9d21154c | 6398 | if (decoded->subjectOU) { |
wolfSSL | 0:d92f9d21154c | 6399 | sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen |
wolfSSL | 0:d92f9d21154c | 6400 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6401 | strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6402 | cn->unit[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6403 | cn->unitEnc = decoded->subjectOUEnc; |
wolfSSL | 0:d92f9d21154c | 6404 | } |
wolfSSL | 0:d92f9d21154c | 6405 | if (decoded->subjectSN) { |
wolfSSL | 0:d92f9d21154c | 6406 | sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen |
wolfSSL | 0:d92f9d21154c | 6407 | : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6408 | strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6409 | cn->sur[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6410 | cn->surEnc = decoded->subjectSNEnc; |
wolfSSL | 0:d92f9d21154c | 6411 | } |
wolfSSL | 0:d92f9d21154c | 6412 | if (decoded->subjectEmail) { |
wolfSSL | 0:d92f9d21154c | 6413 | sz = (decoded->subjectEmailLen < CTC_NAME_SIZE) |
wolfSSL | 0:d92f9d21154c | 6414 | ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1; |
wolfSSL | 0:d92f9d21154c | 6415 | strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE); |
wolfSSL | 0:d92f9d21154c | 6416 | cn->email[sz] = 0; |
wolfSSL | 0:d92f9d21154c | 6417 | } |
wolfSSL | 0:d92f9d21154c | 6418 | } |
wolfSSL | 0:d92f9d21154c | 6419 | |
wolfSSL | 0:d92f9d21154c | 6420 | FreeDecodedCert(decoded); |
wolfSSL | 0:d92f9d21154c | 6421 | |
wolfSSL | 0:d92f9d21154c | 6422 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6423 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6424 | #endif |
wolfSSL | 0:d92f9d21154c | 6425 | |
wolfSSL | 0:d92f9d21154c | 6426 | return ret < 0 ? ret : 0; |
wolfSSL | 0:d92f9d21154c | 6427 | } |
wolfSSL | 0:d92f9d21154c | 6428 | |
wolfSSL | 0:d92f9d21154c | 6429 | |
wolfSSL | 0:d92f9d21154c | 6430 | #ifndef NO_FILESYSTEM |
wolfSSL | 0:d92f9d21154c | 6431 | |
wolfSSL | 0:d92f9d21154c | 6432 | /* Set cert issuer from issuerFile in PEM */ |
wolfSSL | 0:d92f9d21154c | 6433 | int wc_SetIssuer(Cert* cert, const char* issuerFile) |
wolfSSL | 0:d92f9d21154c | 6434 | { |
wolfSSL | 0:d92f9d21154c | 6435 | int ret; |
wolfSSL | 0:d92f9d21154c | 6436 | int derSz; |
wolfSSL | 0:d92f9d21154c | 6437 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6438 | |
wolfSSL | 0:d92f9d21154c | 6439 | if (der == NULL) { |
wolfSSL | 0:d92f9d21154c | 6440 | WOLFSSL_MSG("wc_SetIssuer OOF Problem"); |
wolfSSL | 0:d92f9d21154c | 6441 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6442 | } |
wolfSSL | 0:d92f9d21154c | 6443 | derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF); |
wolfSSL | 0:d92f9d21154c | 6444 | cert->selfSigned = 0; |
wolfSSL | 0:d92f9d21154c | 6445 | ret = SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6446 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6447 | |
wolfSSL | 0:d92f9d21154c | 6448 | return ret; |
wolfSSL | 0:d92f9d21154c | 6449 | } |
wolfSSL | 0:d92f9d21154c | 6450 | |
wolfSSL | 0:d92f9d21154c | 6451 | |
wolfSSL | 0:d92f9d21154c | 6452 | /* Set cert subject from subjectFile in PEM */ |
wolfSSL | 0:d92f9d21154c | 6453 | int wc_SetSubject(Cert* cert, const char* subjectFile) |
wolfSSL | 0:d92f9d21154c | 6454 | { |
wolfSSL | 0:d92f9d21154c | 6455 | int ret; |
wolfSSL | 0:d92f9d21154c | 6456 | int derSz; |
wolfSSL | 0:d92f9d21154c | 6457 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6458 | |
wolfSSL | 0:d92f9d21154c | 6459 | if (der == NULL) { |
wolfSSL | 0:d92f9d21154c | 6460 | WOLFSSL_MSG("wc_SetSubject OOF Problem"); |
wolfSSL | 0:d92f9d21154c | 6461 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6462 | } |
wolfSSL | 0:d92f9d21154c | 6463 | derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF); |
wolfSSL | 0:d92f9d21154c | 6464 | ret = SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6465 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6466 | |
wolfSSL | 0:d92f9d21154c | 6467 | return ret; |
wolfSSL | 0:d92f9d21154c | 6468 | } |
wolfSSL | 0:d92f9d21154c | 6469 | |
wolfSSL | 0:d92f9d21154c | 6470 | |
wolfSSL | 0:d92f9d21154c | 6471 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 6472 | |
wolfSSL | 0:d92f9d21154c | 6473 | /* Set atl names from file in PEM */ |
wolfSSL | 0:d92f9d21154c | 6474 | int wc_SetAltNames(Cert* cert, const char* file) |
wolfSSL | 0:d92f9d21154c | 6475 | { |
wolfSSL | 0:d92f9d21154c | 6476 | int ret; |
wolfSSL | 0:d92f9d21154c | 6477 | int derSz; |
wolfSSL | 0:d92f9d21154c | 6478 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6479 | |
wolfSSL | 0:d92f9d21154c | 6480 | if (der == NULL) { |
wolfSSL | 0:d92f9d21154c | 6481 | WOLFSSL_MSG("wc_SetAltNames OOF Problem"); |
wolfSSL | 0:d92f9d21154c | 6482 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6483 | } |
wolfSSL | 0:d92f9d21154c | 6484 | derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 0:d92f9d21154c | 6485 | ret = SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6486 | XFREE(der, NULL, DYNAMIC_TYPE_CERT); |
wolfSSL | 0:d92f9d21154c | 6487 | |
wolfSSL | 0:d92f9d21154c | 6488 | return ret; |
wolfSSL | 0:d92f9d21154c | 6489 | } |
wolfSSL | 0:d92f9d21154c | 6490 | |
wolfSSL | 0:d92f9d21154c | 6491 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 0:d92f9d21154c | 6492 | |
wolfSSL | 0:d92f9d21154c | 6493 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 0:d92f9d21154c | 6494 | |
wolfSSL | 0:d92f9d21154c | 6495 | /* Set cert issuer from DER buffer */ |
wolfSSL | 0:d92f9d21154c | 6496 | int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6497 | { |
wolfSSL | 0:d92f9d21154c | 6498 | cert->selfSigned = 0; |
wolfSSL | 0:d92f9d21154c | 6499 | return SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6500 | } |
wolfSSL | 0:d92f9d21154c | 6501 | |
wolfSSL | 0:d92f9d21154c | 6502 | |
wolfSSL | 0:d92f9d21154c | 6503 | /* Set cert subject from DER buffer */ |
wolfSSL | 0:d92f9d21154c | 6504 | int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6505 | { |
wolfSSL | 0:d92f9d21154c | 6506 | return SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6507 | } |
wolfSSL | 0:d92f9d21154c | 6508 | |
wolfSSL | 0:d92f9d21154c | 6509 | |
wolfSSL | 0:d92f9d21154c | 6510 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 0:d92f9d21154c | 6511 | |
wolfSSL | 0:d92f9d21154c | 6512 | /* Set cert alt names from DER buffer */ |
wolfSSL | 0:d92f9d21154c | 6513 | int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6514 | { |
wolfSSL | 0:d92f9d21154c | 6515 | return SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6516 | } |
wolfSSL | 0:d92f9d21154c | 6517 | |
wolfSSL | 0:d92f9d21154c | 6518 | /* Set cert dates from DER buffer */ |
wolfSSL | 0:d92f9d21154c | 6519 | int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 0:d92f9d21154c | 6520 | { |
wolfSSL | 0:d92f9d21154c | 6521 | return SetDatesFromCert(cert, der, derSz); |
wolfSSL | 0:d92f9d21154c | 6522 | } |
wolfSSL | 0:d92f9d21154c | 6523 | |
wolfSSL | 0:d92f9d21154c | 6524 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 0:d92f9d21154c | 6525 | |
wolfSSL | 0:d92f9d21154c | 6526 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 0:d92f9d21154c | 6527 | |
wolfSSL | 0:d92f9d21154c | 6528 | |
wolfSSL | 0:d92f9d21154c | 6529 | #ifdef HAVE_ECC |
wolfSSL | 0:d92f9d21154c | 6530 | |
wolfSSL | 0:d92f9d21154c | 6531 | /* Der Encode r & s ints into out, outLen is (in/out) size */ |
wolfSSL | 0:d92f9d21154c | 6532 | int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) |
wolfSSL | 0:d92f9d21154c | 6533 | { |
wolfSSL | 0:d92f9d21154c | 6534 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 6535 | word32 rSz; /* encoding size */ |
wolfSSL | 0:d92f9d21154c | 6536 | word32 sSz; |
wolfSSL | 0:d92f9d21154c | 6537 | word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ |
wolfSSL | 0:d92f9d21154c | 6538 | |
wolfSSL | 0:d92f9d21154c | 6539 | /* If the leading bit on the INTEGER is a 1, add a leading zero */ |
wolfSSL | 0:d92f9d21154c | 6540 | int rLeadingZero = mp_leading_bit(r); |
wolfSSL | 0:d92f9d21154c | 6541 | int sLeadingZero = mp_leading_bit(s); |
wolfSSL | 0:d92f9d21154c | 6542 | int rLen = mp_unsigned_bin_size(r); /* big int size */ |
wolfSSL | 0:d92f9d21154c | 6543 | int sLen = mp_unsigned_bin_size(s); |
wolfSSL | 0:d92f9d21154c | 6544 | int err; |
wolfSSL | 0:d92f9d21154c | 6545 | |
wolfSSL | 0:d92f9d21154c | 6546 | if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero + |
wolfSSL | 0:d92f9d21154c | 6547 | headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */ |
wolfSSL | 0:d92f9d21154c | 6548 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 6549 | |
wolfSSL | 0:d92f9d21154c | 6550 | idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out); |
wolfSSL | 0:d92f9d21154c | 6551 | |
wolfSSL | 0:d92f9d21154c | 6552 | /* store r */ |
wolfSSL | 0:d92f9d21154c | 6553 | out[idx++] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 6554 | rSz = SetLength(rLen + rLeadingZero, &out[idx]); |
wolfSSL | 0:d92f9d21154c | 6555 | idx += rSz; |
wolfSSL | 0:d92f9d21154c | 6556 | if (rLeadingZero) |
wolfSSL | 0:d92f9d21154c | 6557 | out[idx++] = 0; |
wolfSSL | 0:d92f9d21154c | 6558 | err = mp_to_unsigned_bin(r, &out[idx]); |
wolfSSL | 0:d92f9d21154c | 6559 | if (err != MP_OKAY) return err; |
wolfSSL | 0:d92f9d21154c | 6560 | idx += rLen; |
wolfSSL | 0:d92f9d21154c | 6561 | |
wolfSSL | 0:d92f9d21154c | 6562 | /* store s */ |
wolfSSL | 0:d92f9d21154c | 6563 | out[idx++] = ASN_INTEGER; |
wolfSSL | 0:d92f9d21154c | 6564 | sSz = SetLength(sLen + sLeadingZero, &out[idx]); |
wolfSSL | 0:d92f9d21154c | 6565 | idx += sSz; |
wolfSSL | 0:d92f9d21154c | 6566 | if (sLeadingZero) |
wolfSSL | 0:d92f9d21154c | 6567 | out[idx++] = 0; |
wolfSSL | 0:d92f9d21154c | 6568 | err = mp_to_unsigned_bin(s, &out[idx]); |
wolfSSL | 0:d92f9d21154c | 6569 | if (err != MP_OKAY) return err; |
wolfSSL | 0:d92f9d21154c | 6570 | idx += sLen; |
wolfSSL | 0:d92f9d21154c | 6571 | |
wolfSSL | 0:d92f9d21154c | 6572 | *outLen = idx; |
wolfSSL | 0:d92f9d21154c | 6573 | |
wolfSSL | 0:d92f9d21154c | 6574 | return 0; |
wolfSSL | 0:d92f9d21154c | 6575 | } |
wolfSSL | 0:d92f9d21154c | 6576 | |
wolfSSL | 0:d92f9d21154c | 6577 | |
wolfSSL | 0:d92f9d21154c | 6578 | /* Der Decode ECC-DSA Signautre, r & s stored as big ints */ |
wolfSSL | 0:d92f9d21154c | 6579 | int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s) |
wolfSSL | 0:d92f9d21154c | 6580 | { |
wolfSSL | 0:d92f9d21154c | 6581 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 6582 | int len = 0; |
wolfSSL | 0:d92f9d21154c | 6583 | |
wolfSSL | 0:d92f9d21154c | 6584 | if (GetSequence(sig, &idx, &len, sigLen) < 0) |
wolfSSL | 0:d92f9d21154c | 6585 | return ASN_ECC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6586 | |
wolfSSL | 0:d92f9d21154c | 6587 | if ((word32)len > (sigLen - idx)) |
wolfSSL | 0:d92f9d21154c | 6588 | return ASN_ECC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6589 | |
wolfSSL | 0:d92f9d21154c | 6590 | if (GetInt(r, sig, &idx, sigLen) < 0) |
wolfSSL | 0:d92f9d21154c | 6591 | return ASN_ECC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6592 | |
wolfSSL | 0:d92f9d21154c | 6593 | if (GetInt(s, sig, &idx, sigLen) < 0) |
wolfSSL | 0:d92f9d21154c | 6594 | return ASN_ECC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6595 | |
wolfSSL | 0:d92f9d21154c | 6596 | return 0; |
wolfSSL | 0:d92f9d21154c | 6597 | } |
wolfSSL | 0:d92f9d21154c | 6598 | |
wolfSSL | 0:d92f9d21154c | 6599 | |
wolfSSL | 0:d92f9d21154c | 6600 | int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, |
wolfSSL | 0:d92f9d21154c | 6601 | word32 inSz) |
wolfSSL | 0:d92f9d21154c | 6602 | { |
wolfSSL | 0:d92f9d21154c | 6603 | word32 oid = 0; |
wolfSSL | 0:d92f9d21154c | 6604 | int version, length; |
wolfSSL | 0:d92f9d21154c | 6605 | int privSz, pubSz; |
wolfSSL | 0:d92f9d21154c | 6606 | byte b; |
wolfSSL | 0:d92f9d21154c | 6607 | int ret = 0; |
wolfSSL | 0:d92f9d21154c | 6608 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6609 | byte* priv; |
wolfSSL | 0:d92f9d21154c | 6610 | byte* pub; |
wolfSSL | 0:d92f9d21154c | 6611 | #else |
wolfSSL | 0:d92f9d21154c | 6612 | byte priv[ECC_MAXSIZE]; |
wolfSSL | 0:d92f9d21154c | 6613 | byte pub[ECC_MAXSIZE * 2 + 1]; /* public key has two parts plus header */ |
wolfSSL | 0:d92f9d21154c | 6614 | #endif |
wolfSSL | 0:d92f9d21154c | 6615 | |
wolfSSL | 0:d92f9d21154c | 6616 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 0:d92f9d21154c | 6617 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 6618 | |
wolfSSL | 0:d92f9d21154c | 6619 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 6620 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6621 | |
wolfSSL | 0:d92f9d21154c | 6622 | if (GetMyVersion(input, inOutIdx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 6623 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6624 | |
wolfSSL | 0:d92f9d21154c | 6625 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6626 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6627 | |
wolfSSL | 0:d92f9d21154c | 6628 | /* priv type */ |
wolfSSL | 0:d92f9d21154c | 6629 | if (b != 4 && b != 6 && b != 7) |
wolfSSL | 0:d92f9d21154c | 6630 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6631 | |
wolfSSL | 0:d92f9d21154c | 6632 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 6633 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6634 | |
wolfSSL | 0:d92f9d21154c | 6635 | if (length > ECC_MAXSIZE) |
wolfSSL | 0:d92f9d21154c | 6636 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 6637 | |
wolfSSL | 0:d92f9d21154c | 6638 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6639 | priv = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6640 | if (priv == NULL) |
wolfSSL | 0:d92f9d21154c | 6641 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6642 | |
wolfSSL | 0:d92f9d21154c | 6643 | pub = (byte*)XMALLOC(ECC_MAXSIZE * 2 + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6644 | if (pub == NULL) { |
wolfSSL | 0:d92f9d21154c | 6645 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6646 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 6647 | } |
wolfSSL | 0:d92f9d21154c | 6648 | #endif |
wolfSSL | 0:d92f9d21154c | 6649 | |
wolfSSL | 0:d92f9d21154c | 6650 | /* priv key */ |
wolfSSL | 0:d92f9d21154c | 6651 | privSz = length; |
wolfSSL | 0:d92f9d21154c | 6652 | XMEMCPY(priv, &input[*inOutIdx], privSz); |
wolfSSL | 0:d92f9d21154c | 6653 | *inOutIdx += length; |
wolfSSL | 0:d92f9d21154c | 6654 | |
wolfSSL | 0:d92f9d21154c | 6655 | /* prefix 0, may have */ |
wolfSSL | 0:d92f9d21154c | 6656 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6657 | if (b == ECC_PREFIX_0) { |
wolfSSL | 0:d92f9d21154c | 6658 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6659 | |
wolfSSL | 0:d92f9d21154c | 6660 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 0:d92f9d21154c | 6661 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6662 | else { |
wolfSSL | 0:d92f9d21154c | 6663 | /* object id */ |
wolfSSL | 0:d92f9d21154c | 6664 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6665 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6666 | |
wolfSSL | 0:d92f9d21154c | 6667 | if (b != ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 6668 | ret = ASN_OBJECT_ID_E; |
wolfSSL | 0:d92f9d21154c | 6669 | } |
wolfSSL | 0:d92f9d21154c | 6670 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 0:d92f9d21154c | 6671 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6672 | } |
wolfSSL | 0:d92f9d21154c | 6673 | else { |
wolfSSL | 0:d92f9d21154c | 6674 | while(length--) { |
wolfSSL | 0:d92f9d21154c | 6675 | oid += input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6676 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6677 | } |
wolfSSL | 0:d92f9d21154c | 6678 | if (CheckCurve(oid) < 0) |
wolfSSL | 0:d92f9d21154c | 6679 | ret = ECC_CURVE_OID_E; |
wolfSSL | 0:d92f9d21154c | 6680 | } |
wolfSSL | 0:d92f9d21154c | 6681 | } |
wolfSSL | 0:d92f9d21154c | 6682 | } |
wolfSSL | 0:d92f9d21154c | 6683 | |
wolfSSL | 0:d92f9d21154c | 6684 | if (ret == 0) { |
wolfSSL | 0:d92f9d21154c | 6685 | /* prefix 1 */ |
wolfSSL | 0:d92f9d21154c | 6686 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6687 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6688 | |
wolfSSL | 0:d92f9d21154c | 6689 | if (b != ECC_PREFIX_1) { |
wolfSSL | 0:d92f9d21154c | 6690 | ret = ASN_ECC_KEY_E; |
wolfSSL | 0:d92f9d21154c | 6691 | } |
wolfSSL | 0:d92f9d21154c | 6692 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 0:d92f9d21154c | 6693 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6694 | } |
wolfSSL | 0:d92f9d21154c | 6695 | else { |
wolfSSL | 0:d92f9d21154c | 6696 | /* key header */ |
wolfSSL | 0:d92f9d21154c | 6697 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6698 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6699 | |
wolfSSL | 0:d92f9d21154c | 6700 | if (b != ASN_BIT_STRING) { |
wolfSSL | 0:d92f9d21154c | 6701 | ret = ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 6702 | } |
wolfSSL | 0:d92f9d21154c | 6703 | else if (GetLength(input, inOutIdx, &length, inSz) < 0) { |
wolfSSL | 0:d92f9d21154c | 6704 | ret = ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6705 | } |
wolfSSL | 0:d92f9d21154c | 6706 | else { |
wolfSSL | 0:d92f9d21154c | 6707 | b = input[*inOutIdx]; |
wolfSSL | 0:d92f9d21154c | 6708 | *inOutIdx += 1; |
wolfSSL | 0:d92f9d21154c | 6709 | |
wolfSSL | 0:d92f9d21154c | 6710 | if (b != 0x00) { |
wolfSSL | 0:d92f9d21154c | 6711 | ret = ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 6712 | } |
wolfSSL | 0:d92f9d21154c | 6713 | else { |
wolfSSL | 0:d92f9d21154c | 6714 | /* pub key */ |
wolfSSL | 0:d92f9d21154c | 6715 | pubSz = length - 1; /* null prefix */ |
wolfSSL | 0:d92f9d21154c | 6716 | if (pubSz < (ECC_MAXSIZE*2 + 1)) { |
wolfSSL | 0:d92f9d21154c | 6717 | XMEMCPY(pub, &input[*inOutIdx], pubSz); |
wolfSSL | 0:d92f9d21154c | 6718 | *inOutIdx += length; |
wolfSSL | 0:d92f9d21154c | 6719 | ret = wc_ecc_import_private_key(priv, privSz, pub, pubSz, |
wolfSSL | 0:d92f9d21154c | 6720 | key); |
wolfSSL | 0:d92f9d21154c | 6721 | } else |
wolfSSL | 0:d92f9d21154c | 6722 | ret = BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 6723 | } |
wolfSSL | 0:d92f9d21154c | 6724 | } |
wolfSSL | 0:d92f9d21154c | 6725 | } |
wolfSSL | 0:d92f9d21154c | 6726 | } |
wolfSSL | 0:d92f9d21154c | 6727 | |
wolfSSL | 0:d92f9d21154c | 6728 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 0:d92f9d21154c | 6729 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6730 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 0:d92f9d21154c | 6731 | #endif |
wolfSSL | 0:d92f9d21154c | 6732 | |
wolfSSL | 0:d92f9d21154c | 6733 | return ret; |
wolfSSL | 0:d92f9d21154c | 6734 | } |
wolfSSL | 0:d92f9d21154c | 6735 | |
wolfSSL | 0:d92f9d21154c | 6736 | |
wolfSSL | 0:d92f9d21154c | 6737 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 0:d92f9d21154c | 6738 | |
wolfSSL | 0:d92f9d21154c | 6739 | /* Write a Private ecc key to DER format, length on success else < 0 */ |
wolfSSL | 0:d92f9d21154c | 6740 | int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 0:d92f9d21154c | 6741 | { |
wolfSSL | 0:d92f9d21154c | 6742 | byte curve[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 6743 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 0:d92f9d21154c | 6744 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 6745 | int ret; |
wolfSSL | 0:d92f9d21154c | 6746 | int curveSz; |
wolfSSL | 0:d92f9d21154c | 6747 | int verSz; |
wolfSSL | 0:d92f9d21154c | 6748 | int privHdrSz = ASN_ECC_HEADER_SZ; |
wolfSSL | 0:d92f9d21154c | 6749 | int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ; |
wolfSSL | 0:d92f9d21154c | 6750 | int curveHdrSz = ASN_ECC_CONTEXT_SZ; |
wolfSSL | 0:d92f9d21154c | 6751 | word32 seqSz; |
wolfSSL | 0:d92f9d21154c | 6752 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 6753 | word32 pubSz = ECC_BUFSIZE; |
wolfSSL | 0:d92f9d21154c | 6754 | word32 privSz; |
wolfSSL | 0:d92f9d21154c | 6755 | word32 totalSz; |
wolfSSL | 0:d92f9d21154c | 6756 | |
wolfSSL | 0:d92f9d21154c | 6757 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 0:d92f9d21154c | 6758 | return BAD_FUNC_ARG; |
wolfSSL | 0:d92f9d21154c | 6759 | |
wolfSSL | 0:d92f9d21154c | 6760 | ret = wc_ecc_export_x963(key, NULL, &pubSz); |
wolfSSL | 0:d92f9d21154c | 6761 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 0:d92f9d21154c | 6762 | return ret; |
wolfSSL | 0:d92f9d21154c | 6763 | } |
wolfSSL | 0:d92f9d21154c | 6764 | curveSz = SetCurve(key, curve); |
wolfSSL | 0:d92f9d21154c | 6765 | if (curveSz < 0) { |
wolfSSL | 0:d92f9d21154c | 6766 | return curveSz; |
wolfSSL | 0:d92f9d21154c | 6767 | } |
wolfSSL | 0:d92f9d21154c | 6768 | |
wolfSSL | 0:d92f9d21154c | 6769 | privSz = key->dp->size; |
wolfSSL | 0:d92f9d21154c | 6770 | |
wolfSSL | 0:d92f9d21154c | 6771 | verSz = SetMyVersion(1, ver, FALSE); |
wolfSSL | 0:d92f9d21154c | 6772 | if (verSz < 0) { |
wolfSSL | 0:d92f9d21154c | 6773 | return verSz; |
wolfSSL | 0:d92f9d21154c | 6774 | } |
wolfSSL | 0:d92f9d21154c | 6775 | |
wolfSSL | 0:d92f9d21154c | 6776 | totalSz = verSz + privSz + privHdrSz + curveSz + curveHdrSz + |
wolfSSL | 0:d92f9d21154c | 6777 | pubSz + pubHdrSz + 1; /* plus null byte b4 public */ |
wolfSSL | 0:d92f9d21154c | 6778 | seqSz = SetSequence(totalSz, seq); |
wolfSSL | 0:d92f9d21154c | 6779 | totalSz += seqSz; |
wolfSSL | 0:d92f9d21154c | 6780 | |
wolfSSL | 0:d92f9d21154c | 6781 | if (totalSz > inLen) { |
wolfSSL | 0:d92f9d21154c | 6782 | return BUFFER_E; |
wolfSSL | 0:d92f9d21154c | 6783 | } |
wolfSSL | 0:d92f9d21154c | 6784 | |
wolfSSL | 0:d92f9d21154c | 6785 | /* write it out */ |
wolfSSL | 0:d92f9d21154c | 6786 | /* seq */ |
wolfSSL | 0:d92f9d21154c | 6787 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 0:d92f9d21154c | 6788 | idx += seqSz; |
wolfSSL | 0:d92f9d21154c | 6789 | |
wolfSSL | 0:d92f9d21154c | 6790 | /* ver */ |
wolfSSL | 0:d92f9d21154c | 6791 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 0:d92f9d21154c | 6792 | idx += verSz; |
wolfSSL | 0:d92f9d21154c | 6793 | |
wolfSSL | 0:d92f9d21154c | 6794 | /* private */ |
wolfSSL | 0:d92f9d21154c | 6795 | output[idx++] = ASN_OCTET_STRING; |
wolfSSL | 0:d92f9d21154c | 6796 | output[idx++] = (byte)privSz; |
wolfSSL | 0:d92f9d21154c | 6797 | ret = wc_ecc_export_private_only(key, output + idx, &privSz); |
wolfSSL | 0:d92f9d21154c | 6798 | if (ret < 0) { |
wolfSSL | 0:d92f9d21154c | 6799 | return ret; |
wolfSSL | 0:d92f9d21154c | 6800 | } |
wolfSSL | 0:d92f9d21154c | 6801 | idx += privSz; |
wolfSSL | 0:d92f9d21154c | 6802 | |
wolfSSL | 0:d92f9d21154c | 6803 | /* curve */ |
wolfSSL | 0:d92f9d21154c | 6804 | output[idx++] = ECC_PREFIX_0; |
wolfSSL | 0:d92f9d21154c | 6805 | output[idx++] = (byte)curveSz; |
wolfSSL | 0:d92f9d21154c | 6806 | XMEMCPY(output + idx, curve, curveSz); |
wolfSSL | 0:d92f9d21154c | 6807 | idx += curveSz; |
wolfSSL | 0:d92f9d21154c | 6808 | |
wolfSSL | 0:d92f9d21154c | 6809 | /* public */ |
wolfSSL | 0:d92f9d21154c | 6810 | output[idx++] = ECC_PREFIX_1; |
wolfSSL | 0:d92f9d21154c | 6811 | output[idx++] = (byte)pubSz + ASN_ECC_CONTEXT_SZ + 1; /* plus null byte */ |
wolfSSL | 0:d92f9d21154c | 6812 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 0:d92f9d21154c | 6813 | output[idx++] = (byte)pubSz + 1; /* plus null byte */ |
wolfSSL | 0:d92f9d21154c | 6814 | output[idx++] = (byte)0; /* null byte */ |
wolfSSL | 0:d92f9d21154c | 6815 | ret = wc_ecc_export_x963(key, output + idx, &pubSz); |
wolfSSL | 0:d92f9d21154c | 6816 | if (ret != 0) { |
wolfSSL | 0:d92f9d21154c | 6817 | return ret; |
wolfSSL | 0:d92f9d21154c | 6818 | } |
wolfSSL | 0:d92f9d21154c | 6819 | /* idx += pubSz if do more later */ |
wolfSSL | 0:d92f9d21154c | 6820 | |
wolfSSL | 0:d92f9d21154c | 6821 | return totalSz; |
wolfSSL | 0:d92f9d21154c | 6822 | } |
wolfSSL | 0:d92f9d21154c | 6823 | |
wolfSSL | 0:d92f9d21154c | 6824 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 0:d92f9d21154c | 6825 | |
wolfSSL | 0:d92f9d21154c | 6826 | #endif /* HAVE_ECC */ |
wolfSSL | 0:d92f9d21154c | 6827 | |
wolfSSL | 0:d92f9d21154c | 6828 | |
wolfSSL | 0:d92f9d21154c | 6829 | #if defined(HAVE_OCSP) || defined(HAVE_CRL) |
wolfSSL | 0:d92f9d21154c | 6830 | |
wolfSSL | 0:d92f9d21154c | 6831 | /* Get raw Date only, no processing, 0 on success */ |
wolfSSL | 0:d92f9d21154c | 6832 | static int GetBasicDate(const byte* source, word32* idx, byte* date, |
wolfSSL | 0:d92f9d21154c | 6833 | byte* format, int maxIdx) |
wolfSSL | 0:d92f9d21154c | 6834 | { |
wolfSSL | 0:d92f9d21154c | 6835 | int length; |
wolfSSL | 0:d92f9d21154c | 6836 | |
wolfSSL | 0:d92f9d21154c | 6837 | WOLFSSL_ENTER("GetBasicDate"); |
wolfSSL | 0:d92f9d21154c | 6838 | |
wolfSSL | 0:d92f9d21154c | 6839 | *format = source[*idx]; |
wolfSSL | 0:d92f9d21154c | 6840 | *idx += 1; |
wolfSSL | 0:d92f9d21154c | 6841 | if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME) |
wolfSSL | 0:d92f9d21154c | 6842 | return ASN_TIME_E; |
wolfSSL | 0:d92f9d21154c | 6843 | |
wolfSSL | 0:d92f9d21154c | 6844 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 6845 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6846 | |
wolfSSL | 0:d92f9d21154c | 6847 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 0:d92f9d21154c | 6848 | return ASN_DATE_SZ_E; |
wolfSSL | 0:d92f9d21154c | 6849 | |
wolfSSL | 0:d92f9d21154c | 6850 | XMEMCPY(date, &source[*idx], length); |
wolfSSL | 0:d92f9d21154c | 6851 | *idx += length; |
wolfSSL | 0:d92f9d21154c | 6852 | |
wolfSSL | 0:d92f9d21154c | 6853 | return 0; |
wolfSSL | 0:d92f9d21154c | 6854 | } |
wolfSSL | 0:d92f9d21154c | 6855 | |
wolfSSL | 0:d92f9d21154c | 6856 | #endif |
wolfSSL | 0:d92f9d21154c | 6857 | |
wolfSSL | 0:d92f9d21154c | 6858 | |
wolfSSL | 0:d92f9d21154c | 6859 | #ifdef HAVE_OCSP |
wolfSSL | 0:d92f9d21154c | 6860 | |
wolfSSL | 0:d92f9d21154c | 6861 | static int GetEnumerated(const byte* input, word32* inOutIdx, int *value) |
wolfSSL | 0:d92f9d21154c | 6862 | { |
wolfSSL | 0:d92f9d21154c | 6863 | word32 idx = *inOutIdx; |
wolfSSL | 0:d92f9d21154c | 6864 | word32 len; |
wolfSSL | 0:d92f9d21154c | 6865 | |
wolfSSL | 0:d92f9d21154c | 6866 | WOLFSSL_ENTER("GetEnumerated"); |
wolfSSL | 0:d92f9d21154c | 6867 | |
wolfSSL | 0:d92f9d21154c | 6868 | *value = 0; |
wolfSSL | 0:d92f9d21154c | 6869 | |
wolfSSL | 0:d92f9d21154c | 6870 | if (input[idx++] != ASN_ENUMERATED) |
wolfSSL | 0:d92f9d21154c | 6871 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6872 | |
wolfSSL | 0:d92f9d21154c | 6873 | len = input[idx++]; |
wolfSSL | 0:d92f9d21154c | 6874 | if (len > 4) |
wolfSSL | 0:d92f9d21154c | 6875 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6876 | |
wolfSSL | 0:d92f9d21154c | 6877 | while (len--) { |
wolfSSL | 0:d92f9d21154c | 6878 | *value = *value << 8 | input[idx++]; |
wolfSSL | 0:d92f9d21154c | 6879 | } |
wolfSSL | 0:d92f9d21154c | 6880 | |
wolfSSL | 0:d92f9d21154c | 6881 | *inOutIdx = idx; |
wolfSSL | 0:d92f9d21154c | 6882 | |
wolfSSL | 0:d92f9d21154c | 6883 | return *value; |
wolfSSL | 0:d92f9d21154c | 6884 | } |
wolfSSL | 0:d92f9d21154c | 6885 | |
wolfSSL | 0:d92f9d21154c | 6886 | |
wolfSSL | 0:d92f9d21154c | 6887 | static int DecodeSingleResponse(byte* source, |
wolfSSL | 0:d92f9d21154c | 6888 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 0:d92f9d21154c | 6889 | { |
wolfSSL | 0:d92f9d21154c | 6890 | word32 idx = *ioIndex, prevIndex, oid; |
wolfSSL | 0:d92f9d21154c | 6891 | int length, wrapperSz; |
wolfSSL | 0:d92f9d21154c | 6892 | CertStatus* cs = resp->status; |
wolfSSL | 0:d92f9d21154c | 6893 | |
wolfSSL | 0:d92f9d21154c | 6894 | WOLFSSL_ENTER("DecodeSingleResponse"); |
wolfSSL | 0:d92f9d21154c | 6895 | |
wolfSSL | 0:d92f9d21154c | 6896 | /* Outer wrapper of the SEQUENCE OF Single Responses. */ |
wolfSSL | 0:d92f9d21154c | 6897 | if (GetSequence(source, &idx, &wrapperSz, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6898 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6899 | |
wolfSSL | 0:d92f9d21154c | 6900 | prevIndex = idx; |
wolfSSL | 0:d92f9d21154c | 6901 | |
wolfSSL | 0:d92f9d21154c | 6902 | /* When making a request, we only request one status on one certificate |
wolfSSL | 0:d92f9d21154c | 6903 | * at a time. There should only be one SingleResponse */ |
wolfSSL | 0:d92f9d21154c | 6904 | |
wolfSSL | 0:d92f9d21154c | 6905 | /* Wrapper around the Single Response */ |
wolfSSL | 0:d92f9d21154c | 6906 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6907 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6908 | |
wolfSSL | 0:d92f9d21154c | 6909 | /* Wrapper around the CertID */ |
wolfSSL | 0:d92f9d21154c | 6910 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6911 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6912 | /* Skip the hash algorithm */ |
wolfSSL | 0:d92f9d21154c | 6913 | if (GetAlgoId(source, &idx, &oid, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6914 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6915 | /* Save reference to the hash of CN */ |
wolfSSL | 0:d92f9d21154c | 6916 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 0:d92f9d21154c | 6917 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6918 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6919 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6920 | resp->issuerHash = source + idx; |
wolfSSL | 0:d92f9d21154c | 6921 | idx += length; |
wolfSSL | 0:d92f9d21154c | 6922 | /* Save reference to the hash of the issuer public key */ |
wolfSSL | 0:d92f9d21154c | 6923 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 0:d92f9d21154c | 6924 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6925 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6926 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6927 | resp->issuerKeyHash = source + idx; |
wolfSSL | 0:d92f9d21154c | 6928 | idx += length; |
wolfSSL | 0:d92f9d21154c | 6929 | |
wolfSSL | 0:d92f9d21154c | 6930 | /* Read the serial number, it is handled as a string, not as a |
wolfSSL | 0:d92f9d21154c | 6931 | * proper number. Just XMEMCPY the data over, rather than load it |
wolfSSL | 0:d92f9d21154c | 6932 | * as an mp_int. */ |
wolfSSL | 0:d92f9d21154c | 6933 | if (source[idx++] != ASN_INTEGER) |
wolfSSL | 0:d92f9d21154c | 6934 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6935 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6936 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6937 | if (length <= EXTERNAL_SERIAL_SIZE) |
wolfSSL | 0:d92f9d21154c | 6938 | { |
wolfSSL | 0:d92f9d21154c | 6939 | if (source[idx] == 0) |
wolfSSL | 0:d92f9d21154c | 6940 | { |
wolfSSL | 0:d92f9d21154c | 6941 | idx++; |
wolfSSL | 0:d92f9d21154c | 6942 | length--; |
wolfSSL | 0:d92f9d21154c | 6943 | } |
wolfSSL | 0:d92f9d21154c | 6944 | XMEMCPY(cs->serial, source + idx, length); |
wolfSSL | 0:d92f9d21154c | 6945 | cs->serialSz = length; |
wolfSSL | 0:d92f9d21154c | 6946 | } |
wolfSSL | 0:d92f9d21154c | 6947 | else |
wolfSSL | 0:d92f9d21154c | 6948 | { |
wolfSSL | 0:d92f9d21154c | 6949 | return ASN_GETINT_E; |
wolfSSL | 0:d92f9d21154c | 6950 | } |
wolfSSL | 0:d92f9d21154c | 6951 | idx += length; |
wolfSSL | 0:d92f9d21154c | 6952 | |
wolfSSL | 0:d92f9d21154c | 6953 | /* CertStatus */ |
wolfSSL | 0:d92f9d21154c | 6954 | switch (source[idx++]) |
wolfSSL | 0:d92f9d21154c | 6955 | { |
wolfSSL | 0:d92f9d21154c | 6956 | case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): |
wolfSSL | 0:d92f9d21154c | 6957 | cs->status = CERT_GOOD; |
wolfSSL | 0:d92f9d21154c | 6958 | idx++; |
wolfSSL | 0:d92f9d21154c | 6959 | break; |
wolfSSL | 0:d92f9d21154c | 6960 | case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): |
wolfSSL | 0:d92f9d21154c | 6961 | cs->status = CERT_REVOKED; |
wolfSSL | 0:d92f9d21154c | 6962 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6963 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6964 | idx += length; |
wolfSSL | 0:d92f9d21154c | 6965 | break; |
wolfSSL | 0:d92f9d21154c | 6966 | case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): |
wolfSSL | 0:d92f9d21154c | 6967 | cs->status = CERT_UNKNOWN; |
wolfSSL | 0:d92f9d21154c | 6968 | idx++; |
wolfSSL | 0:d92f9d21154c | 6969 | break; |
wolfSSL | 0:d92f9d21154c | 6970 | default: |
wolfSSL | 0:d92f9d21154c | 6971 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6972 | } |
wolfSSL | 0:d92f9d21154c | 6973 | |
wolfSSL | 0:d92f9d21154c | 6974 | if (GetBasicDate(source, &idx, cs->thisDate, |
wolfSSL | 0:d92f9d21154c | 6975 | &cs->thisDateFormat, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6976 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6977 | if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) |
wolfSSL | 0:d92f9d21154c | 6978 | return ASN_BEFORE_DATE_E; |
wolfSSL | 0:d92f9d21154c | 6979 | |
wolfSSL | 0:d92f9d21154c | 6980 | /* The following items are optional. Only check for them if there is more |
wolfSSL | 0:d92f9d21154c | 6981 | * unprocessed data in the singleResponse wrapper. */ |
wolfSSL | 0:d92f9d21154c | 6982 | |
wolfSSL | 0:d92f9d21154c | 6983 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 0:d92f9d21154c | 6984 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))) |
wolfSSL | 0:d92f9d21154c | 6985 | { |
wolfSSL | 0:d92f9d21154c | 6986 | idx++; |
wolfSSL | 0:d92f9d21154c | 6987 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6988 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6989 | if (GetBasicDate(source, &idx, cs->nextDate, |
wolfSSL | 0:d92f9d21154c | 6990 | &cs->nextDateFormat, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6991 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6992 | } |
wolfSSL | 0:d92f9d21154c | 6993 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 0:d92f9d21154c | 6994 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) |
wolfSSL | 0:d92f9d21154c | 6995 | { |
wolfSSL | 0:d92f9d21154c | 6996 | idx++; |
wolfSSL | 0:d92f9d21154c | 6997 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 6998 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 6999 | idx += length; |
wolfSSL | 0:d92f9d21154c | 7000 | } |
wolfSSL | 0:d92f9d21154c | 7001 | |
wolfSSL | 0:d92f9d21154c | 7002 | *ioIndex = idx; |
wolfSSL | 0:d92f9d21154c | 7003 | |
wolfSSL | 0:d92f9d21154c | 7004 | return 0; |
wolfSSL | 0:d92f9d21154c | 7005 | } |
wolfSSL | 0:d92f9d21154c | 7006 | |
wolfSSL | 0:d92f9d21154c | 7007 | static int DecodeOcspRespExtensions(byte* source, |
wolfSSL | 0:d92f9d21154c | 7008 | word32* ioIndex, OcspResponse* resp, word32 sz) |
wolfSSL | 0:d92f9d21154c | 7009 | { |
wolfSSL | 0:d92f9d21154c | 7010 | word32 idx = *ioIndex; |
wolfSSL | 0:d92f9d21154c | 7011 | int length; |
wolfSSL | 0:d92f9d21154c | 7012 | int ext_bound; /* boundary index for the sequence of extensions */ |
wolfSSL | 0:d92f9d21154c | 7013 | word32 oid; |
wolfSSL | 0:d92f9d21154c | 7014 | |
wolfSSL | 0:d92f9d21154c | 7015 | WOLFSSL_ENTER("DecodeOcspRespExtensions"); |
wolfSSL | 0:d92f9d21154c | 7016 | |
wolfSSL | 0:d92f9d21154c | 7017 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 0:d92f9d21154c | 7018 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7019 | |
wolfSSL | 0:d92f9d21154c | 7020 | if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7021 | |
wolfSSL | 0:d92f9d21154c | 7022 | if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7023 | |
wolfSSL | 0:d92f9d21154c | 7024 | ext_bound = idx + length; |
wolfSSL | 0:d92f9d21154c | 7025 | |
wolfSSL | 0:d92f9d21154c | 7026 | while (idx < (word32)ext_bound) { |
wolfSSL | 0:d92f9d21154c | 7027 | if (GetSequence(source, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 7028 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 0:d92f9d21154c | 7029 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7030 | } |
wolfSSL | 0:d92f9d21154c | 7031 | |
wolfSSL | 0:d92f9d21154c | 7032 | oid = 0; |
wolfSSL | 0:d92f9d21154c | 7033 | if (GetObjectId(source, &idx, &oid, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 7034 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 0:d92f9d21154c | 7035 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7036 | } |
wolfSSL | 0:d92f9d21154c | 7037 | |
wolfSSL | 0:d92f9d21154c | 7038 | /* check for critical flag */ |
wolfSSL | 0:d92f9d21154c | 7039 | if (source[idx] == ASN_BOOLEAN) { |
wolfSSL | 0:d92f9d21154c | 7040 | WOLFSSL_MSG("\tfound optional critical flag, moving past"); |
wolfSSL | 0:d92f9d21154c | 7041 | idx += (ASN_BOOL_SIZE + 1); |
wolfSSL | 0:d92f9d21154c | 7042 | } |
wolfSSL | 0:d92f9d21154c | 7043 | |
wolfSSL | 0:d92f9d21154c | 7044 | /* process the extension based on the OID */ |
wolfSSL | 0:d92f9d21154c | 7045 | if (source[idx++] != ASN_OCTET_STRING) { |
wolfSSL | 0:d92f9d21154c | 7046 | WOLFSSL_MSG("\tfail: should be an OCTET STRING"); |
wolfSSL | 0:d92f9d21154c | 7047 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7048 | } |
wolfSSL | 0:d92f9d21154c | 7049 | |
wolfSSL | 0:d92f9d21154c | 7050 | if (GetLength(source, &idx, &length, sz) < 0) { |
wolfSSL | 0:d92f9d21154c | 7051 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 0:d92f9d21154c | 7052 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7053 | } |
wolfSSL | 0:d92f9d21154c | 7054 | |
wolfSSL | 0:d92f9d21154c | 7055 | if (oid == OCSP_NONCE_OID) { |
wolfSSL | 0:d92f9d21154c | 7056 | resp->nonce = source + idx; |
wolfSSL | 0:d92f9d21154c | 7057 | resp->nonceSz = length; |
wolfSSL | 0:d92f9d21154c | 7058 | } |
wolfSSL | 0:d92f9d21154c | 7059 | |
wolfSSL | 0:d92f9d21154c | 7060 | idx += length; |
wolfSSL | 0:d92f9d21154c | 7061 | } |
wolfSSL | 0:d92f9d21154c | 7062 | |
wolfSSL | 0:d92f9d21154c | 7063 | *ioIndex = idx; |
wolfSSL | 0:d92f9d21154c | 7064 | return 0; |
wolfSSL | 0:d92f9d21154c | 7065 | } |
wolfSSL | 0:d92f9d21154c | 7066 | |
wolfSSL | 0:d92f9d21154c | 7067 | |
wolfSSL | 0:d92f9d21154c | 7068 | static int DecodeResponseData(byte* source, |
wolfSSL | 0:d92f9d21154c | 7069 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 0:d92f9d21154c | 7070 | { |
wolfSSL | 0:d92f9d21154c | 7071 | word32 idx = *ioIndex, prev_idx; |
wolfSSL | 0:d92f9d21154c | 7072 | int length; |
wolfSSL | 0:d92f9d21154c | 7073 | int version; |
wolfSSL | 0:d92f9d21154c | 7074 | word32 responderId = 0; |
wolfSSL | 0:d92f9d21154c | 7075 | |
wolfSSL | 0:d92f9d21154c | 7076 | WOLFSSL_ENTER("DecodeResponseData"); |
wolfSSL | 0:d92f9d21154c | 7077 | |
wolfSSL | 0:d92f9d21154c | 7078 | resp->response = source + idx; |
wolfSSL | 0:d92f9d21154c | 7079 | prev_idx = idx; |
wolfSSL | 0:d92f9d21154c | 7080 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7081 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7082 | resp->responseSz = length + idx - prev_idx; |
wolfSSL | 0:d92f9d21154c | 7083 | |
wolfSSL | 0:d92f9d21154c | 7084 | /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this |
wolfSSL | 0:d92f9d21154c | 7085 | * item isn't an EXPLICIT[0], then set version to zero and move |
wolfSSL | 0:d92f9d21154c | 7086 | * onto the next item. |
wolfSSL | 0:d92f9d21154c | 7087 | */ |
wolfSSL | 0:d92f9d21154c | 7088 | if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) |
wolfSSL | 0:d92f9d21154c | 7089 | { |
wolfSSL | 0:d92f9d21154c | 7090 | idx += 2; /* Eat the value and length */ |
wolfSSL | 0:d92f9d21154c | 7091 | if (GetMyVersion(source, &idx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 7092 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7093 | } else |
wolfSSL | 0:d92f9d21154c | 7094 | version = 0; |
wolfSSL | 0:d92f9d21154c | 7095 | |
wolfSSL | 0:d92f9d21154c | 7096 | responderId = source[idx++]; |
wolfSSL | 0:d92f9d21154c | 7097 | if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) || |
wolfSSL | 0:d92f9d21154c | 7098 | (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2))) |
wolfSSL | 0:d92f9d21154c | 7099 | { |
wolfSSL | 0:d92f9d21154c | 7100 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7101 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7102 | idx += length; |
wolfSSL | 0:d92f9d21154c | 7103 | } |
wolfSSL | 0:d92f9d21154c | 7104 | else |
wolfSSL | 0:d92f9d21154c | 7105 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7106 | |
wolfSSL | 0:d92f9d21154c | 7107 | /* save pointer to the producedAt time */ |
wolfSSL | 0:d92f9d21154c | 7108 | if (GetBasicDate(source, &idx, resp->producedDate, |
wolfSSL | 0:d92f9d21154c | 7109 | &resp->producedDateFormat, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7110 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7111 | |
wolfSSL | 0:d92f9d21154c | 7112 | if (DecodeSingleResponse(source, &idx, resp, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7113 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7114 | |
wolfSSL | 0:d92f9d21154c | 7115 | if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7116 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7117 | |
wolfSSL | 0:d92f9d21154c | 7118 | *ioIndex = idx; |
wolfSSL | 0:d92f9d21154c | 7119 | return 0; |
wolfSSL | 0:d92f9d21154c | 7120 | } |
wolfSSL | 0:d92f9d21154c | 7121 | |
wolfSSL | 0:d92f9d21154c | 7122 | |
wolfSSL | 0:d92f9d21154c | 7123 | static int DecodeCerts(byte* source, |
wolfSSL | 0:d92f9d21154c | 7124 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 0:d92f9d21154c | 7125 | { |
wolfSSL | 0:d92f9d21154c | 7126 | word32 idx = *ioIndex; |
wolfSSL | 0:d92f9d21154c | 7127 | |
wolfSSL | 0:d92f9d21154c | 7128 | WOLFSSL_ENTER("DecodeCerts"); |
wolfSSL | 0:d92f9d21154c | 7129 | |
wolfSSL | 0:d92f9d21154c | 7130 | if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 0:d92f9d21154c | 7131 | { |
wolfSSL | 0:d92f9d21154c | 7132 | int length; |
wolfSSL | 0:d92f9d21154c | 7133 | |
wolfSSL | 0:d92f9d21154c | 7134 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7135 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7136 | |
wolfSSL | 0:d92f9d21154c | 7137 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7138 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7139 | |
wolfSSL | 0:d92f9d21154c | 7140 | resp->cert = source + idx; |
wolfSSL | 0:d92f9d21154c | 7141 | resp->certSz = length; |
wolfSSL | 0:d92f9d21154c | 7142 | |
wolfSSL | 0:d92f9d21154c | 7143 | idx += length; |
wolfSSL | 0:d92f9d21154c | 7144 | } |
wolfSSL | 0:d92f9d21154c | 7145 | *ioIndex = idx; |
wolfSSL | 0:d92f9d21154c | 7146 | return 0; |
wolfSSL | 0:d92f9d21154c | 7147 | } |
wolfSSL | 0:d92f9d21154c | 7148 | |
wolfSSL | 0:d92f9d21154c | 7149 | static int DecodeBasicOcspResponse(byte* source, |
wolfSSL | 0:d92f9d21154c | 7150 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 0:d92f9d21154c | 7151 | { |
wolfSSL | 0:d92f9d21154c | 7152 | int length; |
wolfSSL | 0:d92f9d21154c | 7153 | word32 idx = *ioIndex; |
wolfSSL | 0:d92f9d21154c | 7154 | word32 end_index; |
wolfSSL | 0:d92f9d21154c | 7155 | |
wolfSSL | 0:d92f9d21154c | 7156 | WOLFSSL_ENTER("DecodeBasicOcspResponse"); |
wolfSSL | 0:d92f9d21154c | 7157 | |
wolfSSL | 0:d92f9d21154c | 7158 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7159 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7160 | |
wolfSSL | 0:d92f9d21154c | 7161 | if (idx + length > size) |
wolfSSL | 0:d92f9d21154c | 7162 | return ASN_INPUT_E; |
wolfSSL | 0:d92f9d21154c | 7163 | end_index = idx + length; |
wolfSSL | 0:d92f9d21154c | 7164 | |
wolfSSL | 0:d92f9d21154c | 7165 | if (DecodeResponseData(source, &idx, resp, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7166 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7167 | |
wolfSSL | 0:d92f9d21154c | 7168 | /* Get the signature algorithm */ |
wolfSSL | 0:d92f9d21154c | 7169 | if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7170 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7171 | |
wolfSSL | 0:d92f9d21154c | 7172 | /* Obtain pointer to the start of the signature, and save the size */ |
wolfSSL | 0:d92f9d21154c | 7173 | if (source[idx++] == ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 7174 | { |
wolfSSL | 0:d92f9d21154c | 7175 | int sigLength = 0; |
wolfSSL | 0:d92f9d21154c | 7176 | if (GetLength(source, &idx, &sigLength, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7177 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7178 | resp->sigSz = sigLength; |
wolfSSL | 0:d92f9d21154c | 7179 | resp->sig = source + idx; |
wolfSSL | 0:d92f9d21154c | 7180 | idx += sigLength; |
wolfSSL | 0:d92f9d21154c | 7181 | } |
wolfSSL | 0:d92f9d21154c | 7182 | |
wolfSSL | 0:d92f9d21154c | 7183 | /* |
wolfSSL | 0:d92f9d21154c | 7184 | * Check the length of the BasicOcspResponse against the current index to |
wolfSSL | 0:d92f9d21154c | 7185 | * see if there are certificates, they are optional. |
wolfSSL | 0:d92f9d21154c | 7186 | */ |
wolfSSL | 0:d92f9d21154c | 7187 | if (idx < end_index) |
wolfSSL | 0:d92f9d21154c | 7188 | { |
wolfSSL | 0:d92f9d21154c | 7189 | DecodedCert cert; |
wolfSSL | 0:d92f9d21154c | 7190 | int ret; |
wolfSSL | 0:d92f9d21154c | 7191 | |
wolfSSL | 0:d92f9d21154c | 7192 | if (DecodeCerts(source, &idx, resp, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7193 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7194 | |
wolfSSL | 0:d92f9d21154c | 7195 | InitDecodedCert(&cert, resp->cert, resp->certSz, 0); |
wolfSSL | 0:d92f9d21154c | 7196 | ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 0:d92f9d21154c | 7197 | if (ret < 0) |
wolfSSL | 0:d92f9d21154c | 7198 | return ret; |
wolfSSL | 0:d92f9d21154c | 7199 | |
wolfSSL | 0:d92f9d21154c | 7200 | ret = ConfirmSignature(resp->response, resp->responseSz, |
wolfSSL | 0:d92f9d21154c | 7201 | cert.publicKey, cert.pubKeySize, cert.keyOID, |
wolfSSL | 0:d92f9d21154c | 7202 | resp->sig, resp->sigSz, resp->sigOID, NULL); |
wolfSSL | 0:d92f9d21154c | 7203 | FreeDecodedCert(&cert); |
wolfSSL | 0:d92f9d21154c | 7204 | |
wolfSSL | 0:d92f9d21154c | 7205 | if (ret == 0) |
wolfSSL | 0:d92f9d21154c | 7206 | { |
wolfSSL | 0:d92f9d21154c | 7207 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 0:d92f9d21154c | 7208 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 0:d92f9d21154c | 7209 | } |
wolfSSL | 0:d92f9d21154c | 7210 | } |
wolfSSL | 0:d92f9d21154c | 7211 | |
wolfSSL | 0:d92f9d21154c | 7212 | *ioIndex = idx; |
wolfSSL | 0:d92f9d21154c | 7213 | return 0; |
wolfSSL | 0:d92f9d21154c | 7214 | } |
wolfSSL | 0:d92f9d21154c | 7215 | |
wolfSSL | 0:d92f9d21154c | 7216 | |
wolfSSL | 0:d92f9d21154c | 7217 | void InitOcspResponse(OcspResponse* resp, CertStatus* status, |
wolfSSL | 0:d92f9d21154c | 7218 | byte* source, word32 inSz) |
wolfSSL | 0:d92f9d21154c | 7219 | { |
wolfSSL | 0:d92f9d21154c | 7220 | WOLFSSL_ENTER("InitOcspResponse"); |
wolfSSL | 0:d92f9d21154c | 7221 | |
wolfSSL | 0:d92f9d21154c | 7222 | resp->responseStatus = -1; |
wolfSSL | 0:d92f9d21154c | 7223 | resp->response = NULL; |
wolfSSL | 0:d92f9d21154c | 7224 | resp->responseSz = 0; |
wolfSSL | 0:d92f9d21154c | 7225 | resp->producedDateFormat = 0; |
wolfSSL | 0:d92f9d21154c | 7226 | resp->issuerHash = NULL; |
wolfSSL | 0:d92f9d21154c | 7227 | resp->issuerKeyHash = NULL; |
wolfSSL | 0:d92f9d21154c | 7228 | resp->sig = NULL; |
wolfSSL | 0:d92f9d21154c | 7229 | resp->sigSz = 0; |
wolfSSL | 0:d92f9d21154c | 7230 | resp->sigOID = 0; |
wolfSSL | 0:d92f9d21154c | 7231 | resp->status = status; |
wolfSSL | 0:d92f9d21154c | 7232 | resp->nonce = NULL; |
wolfSSL | 0:d92f9d21154c | 7233 | resp->nonceSz = 0; |
wolfSSL | 0:d92f9d21154c | 7234 | resp->source = source; |
wolfSSL | 0:d92f9d21154c | 7235 | resp->maxIdx = inSz; |
wolfSSL | 0:d92f9d21154c | 7236 | } |
wolfSSL | 0:d92f9d21154c | 7237 | |
wolfSSL | 0:d92f9d21154c | 7238 | |
wolfSSL | 0:d92f9d21154c | 7239 | int OcspResponseDecode(OcspResponse* resp) |
wolfSSL | 0:d92f9d21154c | 7240 | { |
wolfSSL | 0:d92f9d21154c | 7241 | int length = 0; |
wolfSSL | 0:d92f9d21154c | 7242 | word32 idx = 0; |
wolfSSL | 0:d92f9d21154c | 7243 | byte* source = resp->source; |
wolfSSL | 0:d92f9d21154c | 7244 | word32 size = resp->maxIdx; |
wolfSSL | 0:d92f9d21154c | 7245 | word32 oid; |
wolfSSL | 0:d92f9d21154c | 7246 | |
wolfSSL | 0:d92f9d21154c | 7247 | WOLFSSL_ENTER("OcspResponseDecode"); |
wolfSSL | 0:d92f9d21154c | 7248 | |
wolfSSL | 0:d92f9d21154c | 7249 | /* peel the outer SEQUENCE wrapper */ |
wolfSSL | 0:d92f9d21154c | 7250 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7251 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7252 | |
wolfSSL | 0:d92f9d21154c | 7253 | /* First get the responseStatus, an ENUMERATED */ |
wolfSSL | 0:d92f9d21154c | 7254 | if (GetEnumerated(source, &idx, &resp->responseStatus) < 0) |
wolfSSL | 0:d92f9d21154c | 7255 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7256 | |
wolfSSL | 0:d92f9d21154c | 7257 | if (resp->responseStatus != OCSP_SUCCESSFUL) |
wolfSSL | 0:d92f9d21154c | 7258 | return 0; |
wolfSSL | 0:d92f9d21154c | 7259 | |
wolfSSL | 0:d92f9d21154c | 7260 | /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */ |
wolfSSL | 0:d92f9d21154c | 7261 | if (idx >= size) |
wolfSSL | 0:d92f9d21154c | 7262 | return ASN_INPUT_E; |
wolfSSL | 0:d92f9d21154c | 7263 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 0:d92f9d21154c | 7264 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7265 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7266 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7267 | |
wolfSSL | 0:d92f9d21154c | 7268 | /* Get the responseBytes SEQUENCE */ |
wolfSSL | 0:d92f9d21154c | 7269 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7270 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7271 | |
wolfSSL | 0:d92f9d21154c | 7272 | /* Check ObjectID for the resposeBytes */ |
wolfSSL | 0:d92f9d21154c | 7273 | if (GetObjectId(source, &idx, &oid, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7274 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7275 | if (oid != OCSP_BASIC_OID) |
wolfSSL | 0:d92f9d21154c | 7276 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7277 | if (source[idx++] != ASN_OCTET_STRING) |
wolfSSL | 0:d92f9d21154c | 7278 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7279 | |
wolfSSL | 0:d92f9d21154c | 7280 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7281 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7282 | |
wolfSSL | 0:d92f9d21154c | 7283 | if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0) |
wolfSSL | 0:d92f9d21154c | 7284 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7285 | |
wolfSSL | 0:d92f9d21154c | 7286 | return 0; |
wolfSSL | 0:d92f9d21154c | 7287 | } |
wolfSSL | 0:d92f9d21154c | 7288 | |
wolfSSL | 0:d92f9d21154c | 7289 | |
wolfSSL | 0:d92f9d21154c | 7290 | static word32 SetOcspReqExtensions(word32 extSz, byte* output, |
wolfSSL | 0:d92f9d21154c | 7291 | const byte* nonce, word32 nonceSz) |
wolfSSL | 0:d92f9d21154c | 7292 | { |
wolfSSL | 0:d92f9d21154c | 7293 | static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, |
wolfSSL | 0:d92f9d21154c | 7294 | 0x30, 0x01, 0x02 }; |
wolfSSL | 0:d92f9d21154c | 7295 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 7296 | word32 seqSz[5], totalSz; |
wolfSSL | 0:d92f9d21154c | 7297 | |
wolfSSL | 0:d92f9d21154c | 7298 | WOLFSSL_ENTER("SetOcspReqExtensions"); |
wolfSSL | 0:d92f9d21154c | 7299 | |
wolfSSL | 0:d92f9d21154c | 7300 | if (nonce == NULL || nonceSz == 0) return 0; |
wolfSSL | 0:d92f9d21154c | 7301 | |
wolfSSL | 0:d92f9d21154c | 7302 | seqArray[0][0] = ASN_OCTET_STRING; |
wolfSSL | 0:d92f9d21154c | 7303 | seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]); |
wolfSSL | 0:d92f9d21154c | 7304 | |
wolfSSL | 0:d92f9d21154c | 7305 | seqArray[1][0] = ASN_OBJECT_ID; |
wolfSSL | 0:d92f9d21154c | 7306 | seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]); |
wolfSSL | 0:d92f9d21154c | 7307 | |
wolfSSL | 0:d92f9d21154c | 7308 | totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId); |
wolfSSL | 0:d92f9d21154c | 7309 | |
wolfSSL | 0:d92f9d21154c | 7310 | seqSz[2] = SetSequence(totalSz, seqArray[2]); |
wolfSSL | 0:d92f9d21154c | 7311 | totalSz += seqSz[2]; |
wolfSSL | 0:d92f9d21154c | 7312 | |
wolfSSL | 0:d92f9d21154c | 7313 | seqSz[3] = SetSequence(totalSz, seqArray[3]); |
wolfSSL | 0:d92f9d21154c | 7314 | totalSz += seqSz[3]; |
wolfSSL | 0:d92f9d21154c | 7315 | |
wolfSSL | 0:d92f9d21154c | 7316 | seqArray[4][0] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2); |
wolfSSL | 0:d92f9d21154c | 7317 | seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]); |
wolfSSL | 0:d92f9d21154c | 7318 | totalSz += seqSz[4]; |
wolfSSL | 0:d92f9d21154c | 7319 | |
wolfSSL | 0:d92f9d21154c | 7320 | if (totalSz < extSz) |
wolfSSL | 0:d92f9d21154c | 7321 | { |
wolfSSL | 0:d92f9d21154c | 7322 | totalSz = 0; |
wolfSSL | 0:d92f9d21154c | 7323 | XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); |
wolfSSL | 0:d92f9d21154c | 7324 | totalSz += seqSz[4]; |
wolfSSL | 0:d92f9d21154c | 7325 | XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); |
wolfSSL | 0:d92f9d21154c | 7326 | totalSz += seqSz[3]; |
wolfSSL | 0:d92f9d21154c | 7327 | XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); |
wolfSSL | 0:d92f9d21154c | 7328 | totalSz += seqSz[2]; |
wolfSSL | 0:d92f9d21154c | 7329 | XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); |
wolfSSL | 0:d92f9d21154c | 7330 | totalSz += seqSz[1]; |
wolfSSL | 0:d92f9d21154c | 7331 | XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); |
wolfSSL | 0:d92f9d21154c | 7332 | totalSz += (word32)sizeof(NonceObjId); |
wolfSSL | 0:d92f9d21154c | 7333 | XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); |
wolfSSL | 0:d92f9d21154c | 7334 | totalSz += seqSz[0]; |
wolfSSL | 0:d92f9d21154c | 7335 | XMEMCPY(output + totalSz, nonce, nonceSz); |
wolfSSL | 0:d92f9d21154c | 7336 | totalSz += nonceSz; |
wolfSSL | 0:d92f9d21154c | 7337 | } |
wolfSSL | 0:d92f9d21154c | 7338 | |
wolfSSL | 0:d92f9d21154c | 7339 | return totalSz; |
wolfSSL | 0:d92f9d21154c | 7340 | } |
wolfSSL | 0:d92f9d21154c | 7341 | |
wolfSSL | 0:d92f9d21154c | 7342 | |
wolfSSL | 0:d92f9d21154c | 7343 | int EncodeOcspRequest(OcspRequest* req) |
wolfSSL | 0:d92f9d21154c | 7344 | { |
wolfSSL | 0:d92f9d21154c | 7345 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 0:d92f9d21154c | 7346 | /* The ASN.1 of the OCSP Request is an onion of sequences */ |
wolfSSL | 0:d92f9d21154c | 7347 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 0:d92f9d21154c | 7348 | byte issuerArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 7349 | byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 0:d92f9d21154c | 7350 | byte snArray[MAX_SN_SZ]; |
wolfSSL | 0:d92f9d21154c | 7351 | byte extArray[MAX_OCSP_EXT_SZ]; |
wolfSSL | 0:d92f9d21154c | 7352 | byte* output = req->dest; |
wolfSSL | 0:d92f9d21154c | 7353 | word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; |
wolfSSL | 0:d92f9d21154c | 7354 | int i; |
wolfSSL | 0:d92f9d21154c | 7355 | |
wolfSSL | 0:d92f9d21154c | 7356 | WOLFSSL_ENTER("EncodeOcspRequest"); |
wolfSSL | 0:d92f9d21154c | 7357 | |
wolfSSL | 0:d92f9d21154c | 7358 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 7359 | algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0); |
wolfSSL | 0:d92f9d21154c | 7360 | #else |
wolfSSL | 0:d92f9d21154c | 7361 | algoSz = SetAlgoID(SHAh, algoArray, hashType, 0); |
wolfSSL | 0:d92f9d21154c | 7362 | #endif |
wolfSSL | 0:d92f9d21154c | 7363 | |
wolfSSL | 0:d92f9d21154c | 7364 | req->issuerHash = req->cert->issuerHash; |
wolfSSL | 0:d92f9d21154c | 7365 | issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray); |
wolfSSL | 0:d92f9d21154c | 7366 | |
wolfSSL | 0:d92f9d21154c | 7367 | req->issuerKeyHash = req->cert->issuerKeyHash; |
wolfSSL | 0:d92f9d21154c | 7368 | issuerKeySz = SetDigest(req->cert->issuerKeyHash, |
wolfSSL | 0:d92f9d21154c | 7369 | KEYID_SIZE, issuerKeyArray); |
wolfSSL | 0:d92f9d21154c | 7370 | |
wolfSSL | 0:d92f9d21154c | 7371 | req->serial = req->cert->serial; |
wolfSSL | 0:d92f9d21154c | 7372 | req->serialSz = req->cert->serialSz; |
wolfSSL | 0:d92f9d21154c | 7373 | snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray); |
wolfSSL | 0:d92f9d21154c | 7374 | |
wolfSSL | 0:d92f9d21154c | 7375 | extSz = 0; |
wolfSSL | 0:d92f9d21154c | 7376 | if (req->useNonce) { |
wolfSSL | 0:d92f9d21154c | 7377 | RNG rng; |
wolfSSL | 0:d92f9d21154c | 7378 | if (wc_InitRng(&rng) != 0) { |
wolfSSL | 0:d92f9d21154c | 7379 | WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); |
wolfSSL | 0:d92f9d21154c | 7380 | } else { |
wolfSSL | 0:d92f9d21154c | 7381 | if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) |
wolfSSL | 0:d92f9d21154c | 7382 | WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); |
wolfSSL | 0:d92f9d21154c | 7383 | else { |
wolfSSL | 0:d92f9d21154c | 7384 | req->nonceSz = MAX_OCSP_NONCE_SZ; |
wolfSSL | 0:d92f9d21154c | 7385 | extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, |
wolfSSL | 0:d92f9d21154c | 7386 | req->nonce, req->nonceSz); |
wolfSSL | 0:d92f9d21154c | 7387 | } |
wolfSSL | 0:d92f9d21154c | 7388 | wc_FreeRng(&rng); |
wolfSSL | 0:d92f9d21154c | 7389 | } |
wolfSSL | 0:d92f9d21154c | 7390 | } |
wolfSSL | 0:d92f9d21154c | 7391 | |
wolfSSL | 0:d92f9d21154c | 7392 | totalSz = algoSz + issuerSz + issuerKeySz + snSz; |
wolfSSL | 0:d92f9d21154c | 7393 | |
wolfSSL | 0:d92f9d21154c | 7394 | for (i = 4; i >= 0; i--) { |
wolfSSL | 0:d92f9d21154c | 7395 | seqSz[i] = SetSequence(totalSz, seqArray[i]); |
wolfSSL | 0:d92f9d21154c | 7396 | totalSz += seqSz[i]; |
wolfSSL | 0:d92f9d21154c | 7397 | if (i == 2) totalSz += extSz; |
wolfSSL | 0:d92f9d21154c | 7398 | } |
wolfSSL | 0:d92f9d21154c | 7399 | totalSz = 0; |
wolfSSL | 0:d92f9d21154c | 7400 | for (i = 0; i < 5; i++) { |
wolfSSL | 0:d92f9d21154c | 7401 | XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); |
wolfSSL | 0:d92f9d21154c | 7402 | totalSz += seqSz[i]; |
wolfSSL | 0:d92f9d21154c | 7403 | } |
wolfSSL | 0:d92f9d21154c | 7404 | XMEMCPY(output + totalSz, algoArray, algoSz); |
wolfSSL | 0:d92f9d21154c | 7405 | totalSz += algoSz; |
wolfSSL | 0:d92f9d21154c | 7406 | XMEMCPY(output + totalSz, issuerArray, issuerSz); |
wolfSSL | 0:d92f9d21154c | 7407 | totalSz += issuerSz; |
wolfSSL | 0:d92f9d21154c | 7408 | XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); |
wolfSSL | 0:d92f9d21154c | 7409 | totalSz += issuerKeySz; |
wolfSSL | 0:d92f9d21154c | 7410 | XMEMCPY(output + totalSz, snArray, snSz); |
wolfSSL | 0:d92f9d21154c | 7411 | totalSz += snSz; |
wolfSSL | 0:d92f9d21154c | 7412 | if (extSz != 0) { |
wolfSSL | 0:d92f9d21154c | 7413 | XMEMCPY(output + totalSz, extArray, extSz); |
wolfSSL | 0:d92f9d21154c | 7414 | totalSz += extSz; |
wolfSSL | 0:d92f9d21154c | 7415 | } |
wolfSSL | 0:d92f9d21154c | 7416 | |
wolfSSL | 0:d92f9d21154c | 7417 | return totalSz; |
wolfSSL | 0:d92f9d21154c | 7418 | } |
wolfSSL | 0:d92f9d21154c | 7419 | |
wolfSSL | 0:d92f9d21154c | 7420 | |
wolfSSL | 0:d92f9d21154c | 7421 | void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, |
wolfSSL | 0:d92f9d21154c | 7422 | byte* dest, word32 destSz) |
wolfSSL | 0:d92f9d21154c | 7423 | { |
wolfSSL | 0:d92f9d21154c | 7424 | WOLFSSL_ENTER("InitOcspRequest"); |
wolfSSL | 0:d92f9d21154c | 7425 | |
wolfSSL | 0:d92f9d21154c | 7426 | req->cert = cert; |
wolfSSL | 0:d92f9d21154c | 7427 | req->useNonce = useNonce; |
wolfSSL | 0:d92f9d21154c | 7428 | req->nonceSz = 0; |
wolfSSL | 0:d92f9d21154c | 7429 | req->issuerHash = NULL; |
wolfSSL | 0:d92f9d21154c | 7430 | req->issuerKeyHash = NULL; |
wolfSSL | 0:d92f9d21154c | 7431 | req->serial = NULL; |
wolfSSL | 0:d92f9d21154c | 7432 | req->dest = dest; |
wolfSSL | 0:d92f9d21154c | 7433 | req->destSz = destSz; |
wolfSSL | 0:d92f9d21154c | 7434 | } |
wolfSSL | 0:d92f9d21154c | 7435 | |
wolfSSL | 0:d92f9d21154c | 7436 | |
wolfSSL | 0:d92f9d21154c | 7437 | int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) |
wolfSSL | 0:d92f9d21154c | 7438 | { |
wolfSSL | 0:d92f9d21154c | 7439 | int cmp; |
wolfSSL | 0:d92f9d21154c | 7440 | |
wolfSSL | 0:d92f9d21154c | 7441 | WOLFSSL_ENTER("CompareOcspReqResp"); |
wolfSSL | 0:d92f9d21154c | 7442 | |
wolfSSL | 0:d92f9d21154c | 7443 | if (req == NULL) |
wolfSSL | 0:d92f9d21154c | 7444 | { |
wolfSSL | 0:d92f9d21154c | 7445 | WOLFSSL_MSG("\tReq missing"); |
wolfSSL | 0:d92f9d21154c | 7446 | return -1; |
wolfSSL | 0:d92f9d21154c | 7447 | } |
wolfSSL | 0:d92f9d21154c | 7448 | |
wolfSSL | 0:d92f9d21154c | 7449 | if (resp == NULL) |
wolfSSL | 0:d92f9d21154c | 7450 | { |
wolfSSL | 0:d92f9d21154c | 7451 | WOLFSSL_MSG("\tResp missing"); |
wolfSSL | 0:d92f9d21154c | 7452 | return 1; |
wolfSSL | 0:d92f9d21154c | 7453 | } |
wolfSSL | 0:d92f9d21154c | 7454 | |
wolfSSL | 0:d92f9d21154c | 7455 | /* Nonces are not critical. The responder may not necessarily add |
wolfSSL | 0:d92f9d21154c | 7456 | * the nonce to the response. */ |
wolfSSL | 0:d92f9d21154c | 7457 | if (req->useNonce && resp->nonceSz != 0) { |
wolfSSL | 0:d92f9d21154c | 7458 | cmp = req->nonceSz - resp->nonceSz; |
wolfSSL | 0:d92f9d21154c | 7459 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7460 | { |
wolfSSL | 0:d92f9d21154c | 7461 | WOLFSSL_MSG("\tnonceSz mismatch"); |
wolfSSL | 0:d92f9d21154c | 7462 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7463 | } |
wolfSSL | 0:d92f9d21154c | 7464 | |
wolfSSL | 0:d92f9d21154c | 7465 | cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); |
wolfSSL | 0:d92f9d21154c | 7466 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7467 | { |
wolfSSL | 0:d92f9d21154c | 7468 | WOLFSSL_MSG("\tnonce mismatch"); |
wolfSSL | 0:d92f9d21154c | 7469 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7470 | } |
wolfSSL | 0:d92f9d21154c | 7471 | } |
wolfSSL | 0:d92f9d21154c | 7472 | |
wolfSSL | 0:d92f9d21154c | 7473 | cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); |
wolfSSL | 0:d92f9d21154c | 7474 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7475 | { |
wolfSSL | 0:d92f9d21154c | 7476 | WOLFSSL_MSG("\tissuerHash mismatch"); |
wolfSSL | 0:d92f9d21154c | 7477 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7478 | } |
wolfSSL | 0:d92f9d21154c | 7479 | |
wolfSSL | 0:d92f9d21154c | 7480 | cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 0:d92f9d21154c | 7481 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7482 | { |
wolfSSL | 0:d92f9d21154c | 7483 | WOLFSSL_MSG("\tissuerKeyHash mismatch"); |
wolfSSL | 0:d92f9d21154c | 7484 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7485 | } |
wolfSSL | 0:d92f9d21154c | 7486 | |
wolfSSL | 0:d92f9d21154c | 7487 | cmp = req->serialSz - resp->status->serialSz; |
wolfSSL | 0:d92f9d21154c | 7488 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7489 | { |
wolfSSL | 0:d92f9d21154c | 7490 | WOLFSSL_MSG("\tserialSz mismatch"); |
wolfSSL | 0:d92f9d21154c | 7491 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7492 | } |
wolfSSL | 0:d92f9d21154c | 7493 | |
wolfSSL | 0:d92f9d21154c | 7494 | cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz); |
wolfSSL | 0:d92f9d21154c | 7495 | if (cmp != 0) |
wolfSSL | 0:d92f9d21154c | 7496 | { |
wolfSSL | 0:d92f9d21154c | 7497 | WOLFSSL_MSG("\tserial mismatch"); |
wolfSSL | 0:d92f9d21154c | 7498 | return cmp; |
wolfSSL | 0:d92f9d21154c | 7499 | } |
wolfSSL | 0:d92f9d21154c | 7500 | |
wolfSSL | 0:d92f9d21154c | 7501 | return 0; |
wolfSSL | 0:d92f9d21154c | 7502 | } |
wolfSSL | 0:d92f9d21154c | 7503 | |
wolfSSL | 0:d92f9d21154c | 7504 | #endif |
wolfSSL | 0:d92f9d21154c | 7505 | |
wolfSSL | 0:d92f9d21154c | 7506 | |
wolfSSL | 0:d92f9d21154c | 7507 | /* store SHA hash of NAME */ |
wolfSSL | 0:d92f9d21154c | 7508 | WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, |
wolfSSL | 0:d92f9d21154c | 7509 | int maxIdx) |
wolfSSL | 0:d92f9d21154c | 7510 | { |
wolfSSL | 0:d92f9d21154c | 7511 | int length; /* length of all distinguished names */ |
wolfSSL | 0:d92f9d21154c | 7512 | int ret; |
wolfSSL | 0:d92f9d21154c | 7513 | word32 dummy; |
wolfSSL | 0:d92f9d21154c | 7514 | |
wolfSSL | 0:d92f9d21154c | 7515 | WOLFSSL_ENTER("GetNameHash"); |
wolfSSL | 0:d92f9d21154c | 7516 | |
wolfSSL | 0:d92f9d21154c | 7517 | if (source[*idx] == ASN_OBJECT_ID) { |
wolfSSL | 0:d92f9d21154c | 7518 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 0:d92f9d21154c | 7519 | |
wolfSSL | 0:d92f9d21154c | 7520 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7521 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7522 | |
wolfSSL | 0:d92f9d21154c | 7523 | *idx += length; |
wolfSSL | 0:d92f9d21154c | 7524 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 0:d92f9d21154c | 7525 | } |
wolfSSL | 0:d92f9d21154c | 7526 | |
wolfSSL | 0:d92f9d21154c | 7527 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 0:d92f9d21154c | 7528 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 0:d92f9d21154c | 7529 | * the tag and length. */ |
wolfSSL | 0:d92f9d21154c | 7530 | dummy = *idx; |
wolfSSL | 0:d92f9d21154c | 7531 | if (GetSequence(source, idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7532 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7533 | |
wolfSSL | 0:d92f9d21154c | 7534 | #ifdef NO_SHA |
wolfSSL | 0:d92f9d21154c | 7535 | ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 0:d92f9d21154c | 7536 | #else |
wolfSSL | 0:d92f9d21154c | 7537 | ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 0:d92f9d21154c | 7538 | #endif |
wolfSSL | 0:d92f9d21154c | 7539 | |
wolfSSL | 0:d92f9d21154c | 7540 | *idx += length; |
wolfSSL | 0:d92f9d21154c | 7541 | |
wolfSSL | 0:d92f9d21154c | 7542 | return ret; |
wolfSSL | 0:d92f9d21154c | 7543 | } |
wolfSSL | 0:d92f9d21154c | 7544 | |
wolfSSL | 0:d92f9d21154c | 7545 | |
wolfSSL | 0:d92f9d21154c | 7546 | #ifdef HAVE_CRL |
wolfSSL | 0:d92f9d21154c | 7547 | |
wolfSSL | 0:d92f9d21154c | 7548 | /* initialize decoded CRL */ |
wolfSSL | 0:d92f9d21154c | 7549 | void InitDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 0:d92f9d21154c | 7550 | { |
wolfSSL | 0:d92f9d21154c | 7551 | WOLFSSL_MSG("InitDecodedCRL"); |
wolfSSL | 0:d92f9d21154c | 7552 | |
wolfSSL | 0:d92f9d21154c | 7553 | dcrl->certBegin = 0; |
wolfSSL | 0:d92f9d21154c | 7554 | dcrl->sigIndex = 0; |
wolfSSL | 0:d92f9d21154c | 7555 | dcrl->sigLength = 0; |
wolfSSL | 0:d92f9d21154c | 7556 | dcrl->signatureOID = 0; |
wolfSSL | 0:d92f9d21154c | 7557 | dcrl->certs = NULL; |
wolfSSL | 0:d92f9d21154c | 7558 | dcrl->totalCerts = 0; |
wolfSSL | 0:d92f9d21154c | 7559 | } |
wolfSSL | 0:d92f9d21154c | 7560 | |
wolfSSL | 0:d92f9d21154c | 7561 | |
wolfSSL | 0:d92f9d21154c | 7562 | /* free decoded CRL resources */ |
wolfSSL | 0:d92f9d21154c | 7563 | void FreeDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 0:d92f9d21154c | 7564 | { |
wolfSSL | 0:d92f9d21154c | 7565 | RevokedCert* tmp = dcrl->certs; |
wolfSSL | 0:d92f9d21154c | 7566 | |
wolfSSL | 0:d92f9d21154c | 7567 | WOLFSSL_MSG("FreeDecodedCRL"); |
wolfSSL | 0:d92f9d21154c | 7568 | |
wolfSSL | 0:d92f9d21154c | 7569 | while(tmp) { |
wolfSSL | 0:d92f9d21154c | 7570 | RevokedCert* next = tmp->next; |
wolfSSL | 0:d92f9d21154c | 7571 | XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 0:d92f9d21154c | 7572 | tmp = next; |
wolfSSL | 0:d92f9d21154c | 7573 | } |
wolfSSL | 0:d92f9d21154c | 7574 | } |
wolfSSL | 0:d92f9d21154c | 7575 | |
wolfSSL | 0:d92f9d21154c | 7576 | |
wolfSSL | 0:d92f9d21154c | 7577 | /* Get Revoked Cert list, 0 on success */ |
wolfSSL | 0:d92f9d21154c | 7578 | static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 0:d92f9d21154c | 7579 | int maxIdx) |
wolfSSL | 0:d92f9d21154c | 7580 | { |
wolfSSL | 0:d92f9d21154c | 7581 | int len; |
wolfSSL | 0:d92f9d21154c | 7582 | word32 end; |
wolfSSL | 0:d92f9d21154c | 7583 | byte b; |
wolfSSL | 0:d92f9d21154c | 7584 | RevokedCert* rc; |
wolfSSL | 0:d92f9d21154c | 7585 | |
wolfSSL | 0:d92f9d21154c | 7586 | WOLFSSL_ENTER("GetRevoked"); |
wolfSSL | 0:d92f9d21154c | 7587 | |
wolfSSL | 0:d92f9d21154c | 7588 | if (GetSequence(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7589 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7590 | |
wolfSSL | 0:d92f9d21154c | 7591 | end = *idx + len; |
wolfSSL | 0:d92f9d21154c | 7592 | |
wolfSSL | 0:d92f9d21154c | 7593 | /* get serial number */ |
wolfSSL | 0:d92f9d21154c | 7594 | b = buff[*idx]; |
wolfSSL | 0:d92f9d21154c | 7595 | *idx += 1; |
wolfSSL | 0:d92f9d21154c | 7596 | |
wolfSSL | 0:d92f9d21154c | 7597 | if (b != ASN_INTEGER) { |
wolfSSL | 0:d92f9d21154c | 7598 | WOLFSSL_MSG("Expecting Integer"); |
wolfSSL | 0:d92f9d21154c | 7599 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7600 | } |
wolfSSL | 0:d92f9d21154c | 7601 | |
wolfSSL | 0:d92f9d21154c | 7602 | if (GetLength(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7603 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7604 | |
wolfSSL | 0:d92f9d21154c | 7605 | if (len > EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 0:d92f9d21154c | 7606 | WOLFSSL_MSG("Serial Size too big"); |
wolfSSL | 0:d92f9d21154c | 7607 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7608 | } |
wolfSSL | 0:d92f9d21154c | 7609 | |
wolfSSL | 0:d92f9d21154c | 7610 | rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL); |
wolfSSL | 0:d92f9d21154c | 7611 | if (rc == NULL) { |
wolfSSL | 0:d92f9d21154c | 7612 | WOLFSSL_MSG("Alloc Revoked Cert failed"); |
wolfSSL | 0:d92f9d21154c | 7613 | return MEMORY_E; |
wolfSSL | 0:d92f9d21154c | 7614 | } |
wolfSSL | 0:d92f9d21154c | 7615 | |
wolfSSL | 0:d92f9d21154c | 7616 | XMEMCPY(rc->serialNumber, &buff[*idx], len); |
wolfSSL | 0:d92f9d21154c | 7617 | rc->serialSz = len; |
wolfSSL | 0:d92f9d21154c | 7618 | |
wolfSSL | 0:d92f9d21154c | 7619 | /* add to list */ |
wolfSSL | 0:d92f9d21154c | 7620 | rc->next = dcrl->certs; |
wolfSSL | 0:d92f9d21154c | 7621 | dcrl->certs = rc; |
wolfSSL | 0:d92f9d21154c | 7622 | dcrl->totalCerts++; |
wolfSSL | 0:d92f9d21154c | 7623 | |
wolfSSL | 0:d92f9d21154c | 7624 | *idx += len; |
wolfSSL | 0:d92f9d21154c | 7625 | |
wolfSSL | 0:d92f9d21154c | 7626 | /* get date */ |
wolfSSL | 0:d92f9d21154c | 7627 | b = buff[*idx]; |
wolfSSL | 0:d92f9d21154c | 7628 | *idx += 1; |
wolfSSL | 0:d92f9d21154c | 7629 | |
wolfSSL | 0:d92f9d21154c | 7630 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) { |
wolfSSL | 0:d92f9d21154c | 7631 | WOLFSSL_MSG("Expecting Date"); |
wolfSSL | 0:d92f9d21154c | 7632 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7633 | } |
wolfSSL | 0:d92f9d21154c | 7634 | |
wolfSSL | 0:d92f9d21154c | 7635 | if (GetLength(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7636 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7637 | |
wolfSSL | 0:d92f9d21154c | 7638 | /* skip for now */ |
wolfSSL | 0:d92f9d21154c | 7639 | *idx += len; |
wolfSSL | 0:d92f9d21154c | 7640 | |
wolfSSL | 0:d92f9d21154c | 7641 | if (*idx != end) /* skip extensions */ |
wolfSSL | 0:d92f9d21154c | 7642 | *idx = end; |
wolfSSL | 0:d92f9d21154c | 7643 | |
wolfSSL | 0:d92f9d21154c | 7644 | return 0; |
wolfSSL | 0:d92f9d21154c | 7645 | } |
wolfSSL | 0:d92f9d21154c | 7646 | |
wolfSSL | 0:d92f9d21154c | 7647 | |
wolfSSL | 0:d92f9d21154c | 7648 | /* Get CRL Signature, 0 on success */ |
wolfSSL | 0:d92f9d21154c | 7649 | static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 0:d92f9d21154c | 7650 | int maxIdx) |
wolfSSL | 0:d92f9d21154c | 7651 | { |
wolfSSL | 0:d92f9d21154c | 7652 | int length; |
wolfSSL | 0:d92f9d21154c | 7653 | byte b; |
wolfSSL | 0:d92f9d21154c | 7654 | |
wolfSSL | 0:d92f9d21154c | 7655 | WOLFSSL_ENTER("GetCRL_Signature"); |
wolfSSL | 0:d92f9d21154c | 7656 | |
wolfSSL | 0:d92f9d21154c | 7657 | b = source[*idx]; |
wolfSSL | 0:d92f9d21154c | 7658 | *idx += 1; |
wolfSSL | 0:d92f9d21154c | 7659 | if (b != ASN_BIT_STRING) |
wolfSSL | 0:d92f9d21154c | 7660 | return ASN_BITSTR_E; |
wolfSSL | 0:d92f9d21154c | 7661 | |
wolfSSL | 0:d92f9d21154c | 7662 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 0:d92f9d21154c | 7663 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7664 | |
wolfSSL | 0:d92f9d21154c | 7665 | dcrl->sigLength = length; |
wolfSSL | 0:d92f9d21154c | 7666 | |
wolfSSL | 0:d92f9d21154c | 7667 | b = source[*idx]; |
wolfSSL | 0:d92f9d21154c | 7668 | *idx += 1; |
wolfSSL | 0:d92f9d21154c | 7669 | if (b != 0x00) |
wolfSSL | 0:d92f9d21154c | 7670 | return ASN_EXPECT_0_E; |
wolfSSL | 0:d92f9d21154c | 7671 | |
wolfSSL | 0:d92f9d21154c | 7672 | dcrl->sigLength--; |
wolfSSL | 0:d92f9d21154c | 7673 | dcrl->signature = (byte*)&source[*idx]; |
wolfSSL | 0:d92f9d21154c | 7674 | |
wolfSSL | 0:d92f9d21154c | 7675 | *idx += dcrl->sigLength; |
wolfSSL | 0:d92f9d21154c | 7676 | |
wolfSSL | 0:d92f9d21154c | 7677 | return 0; |
wolfSSL | 0:d92f9d21154c | 7678 | } |
wolfSSL | 0:d92f9d21154c | 7679 | |
wolfSSL | 0:d92f9d21154c | 7680 | |
wolfSSL | 0:d92f9d21154c | 7681 | /* prase crl buffer into decoded state, 0 on success */ |
wolfSSL | 0:d92f9d21154c | 7682 | int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) |
wolfSSL | 0:d92f9d21154c | 7683 | { |
wolfSSL | 0:d92f9d21154c | 7684 | int version, len; |
wolfSSL | 0:d92f9d21154c | 7685 | word32 oid, idx = 0; |
wolfSSL | 0:d92f9d21154c | 7686 | Signer* ca = NULL; |
wolfSSL | 0:d92f9d21154c | 7687 | |
wolfSSL | 0:d92f9d21154c | 7688 | WOLFSSL_MSG("ParseCRL"); |
wolfSSL | 0:d92f9d21154c | 7689 | |
wolfSSL | 0:d92f9d21154c | 7690 | /* raw crl hash */ |
wolfSSL | 0:d92f9d21154c | 7691 | /* hash here if needed for optimized comparisons |
wolfSSL | 0:d92f9d21154c | 7692 | * Sha sha; |
wolfSSL | 0:d92f9d21154c | 7693 | * wc_InitSha(&sha); |
wolfSSL | 0:d92f9d21154c | 7694 | * wc_ShaUpdate(&sha, buff, sz); |
wolfSSL | 0:d92f9d21154c | 7695 | * wc_ShaFinal(&sha, dcrl->crlHash); */ |
wolfSSL | 0:d92f9d21154c | 7696 | |
wolfSSL | 0:d92f9d21154c | 7697 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7698 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7699 | |
wolfSSL | 0:d92f9d21154c | 7700 | dcrl->certBegin = idx; |
wolfSSL | 0:d92f9d21154c | 7701 | |
wolfSSL | 0:d92f9d21154c | 7702 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7703 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7704 | dcrl->sigIndex = len + idx; |
wolfSSL | 0:d92f9d21154c | 7705 | |
wolfSSL | 0:d92f9d21154c | 7706 | /* may have version */ |
wolfSSL | 0:d92f9d21154c | 7707 | if (buff[idx] == ASN_INTEGER) { |
wolfSSL | 0:d92f9d21154c | 7708 | if (GetMyVersion(buff, &idx, &version) < 0) |
wolfSSL | 0:d92f9d21154c | 7709 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7710 | } |
wolfSSL | 0:d92f9d21154c | 7711 | |
wolfSSL | 0:d92f9d21154c | 7712 | if (GetAlgoId(buff, &idx, &oid, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7713 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7714 | |
wolfSSL | 0:d92f9d21154c | 7715 | if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7716 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7717 | |
wolfSSL | 0:d92f9d21154c | 7718 | if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7719 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7720 | |
wolfSSL | 0:d92f9d21154c | 7721 | if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7722 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7723 | |
wolfSSL | 0:d92f9d21154c | 7724 | if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { |
wolfSSL | 0:d92f9d21154c | 7725 | WOLFSSL_MSG("CRL after date is no longer valid"); |
wolfSSL | 0:d92f9d21154c | 7726 | return ASN_AFTER_DATE_E; |
wolfSSL | 0:d92f9d21154c | 7727 | } |
wolfSSL | 0:d92f9d21154c | 7728 | |
wolfSSL | 0:d92f9d21154c | 7729 | if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { |
wolfSSL | 0:d92f9d21154c | 7730 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7731 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7732 | |
wolfSSL | 0:d92f9d21154c | 7733 | len += idx; |
wolfSSL | 0:d92f9d21154c | 7734 | |
wolfSSL | 0:d92f9d21154c | 7735 | while (idx < (word32)len) { |
wolfSSL | 0:d92f9d21154c | 7736 | if (GetRevoked(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7737 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7738 | } |
wolfSSL | 0:d92f9d21154c | 7739 | } |
wolfSSL | 0:d92f9d21154c | 7740 | |
wolfSSL | 0:d92f9d21154c | 7741 | if (idx != dcrl->sigIndex) |
wolfSSL | 0:d92f9d21154c | 7742 | idx = dcrl->sigIndex; /* skip extensions */ |
wolfSSL | 0:d92f9d21154c | 7743 | |
wolfSSL | 0:d92f9d21154c | 7744 | if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7745 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7746 | |
wolfSSL | 0:d92f9d21154c | 7747 | if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 0:d92f9d21154c | 7748 | return ASN_PARSE_E; |
wolfSSL | 0:d92f9d21154c | 7749 | |
wolfSSL | 0:d92f9d21154c | 7750 | /* openssl doesn't add skid by default for CRLs cause firefox chokes |
wolfSSL | 0:d92f9d21154c | 7751 | we're not assuming it's available yet */ |
wolfSSL | 0:d92f9d21154c | 7752 | #if !defined(NO_SKID) && defined(CRL_SKID_READY) |
wolfSSL | 0:d92f9d21154c | 7753 | if (dcrl->extAuthKeyIdSet) |
wolfSSL | 0:d92f9d21154c | 7754 | ca = GetCA(cm, dcrl->extAuthKeyId); |
wolfSSL | 0:d92f9d21154c | 7755 | if (ca == NULL) |
wolfSSL | 0:d92f9d21154c | 7756 | ca = GetCAByName(cm, dcrl->issuerHash); |
wolfSSL | 0:d92f9d21154c | 7757 | #else /* NO_SKID */ |
wolfSSL | 0:d92f9d21154c | 7758 | ca = GetCA(cm, dcrl->issuerHash); |
wolfSSL | 0:d92f9d21154c | 7759 | #endif /* NO_SKID */ |
wolfSSL | 0:d92f9d21154c | 7760 | WOLFSSL_MSG("About to verify CRL signature"); |
wolfSSL | 0:d92f9d21154c | 7761 | |
wolfSSL | 0:d92f9d21154c | 7762 | if (ca) { |
wolfSSL | 0:d92f9d21154c | 7763 | WOLFSSL_MSG("Found CRL issuer CA"); |
wolfSSL | 0:d92f9d21154c | 7764 | /* try to confirm/verify signature */ |
wolfSSL | 0:d92f9d21154c | 7765 | #ifndef IGNORE_KEY_EXTENSIONS |
wolfSSL | 0:d92f9d21154c | 7766 | if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) { |
wolfSSL | 0:d92f9d21154c | 7767 | WOLFSSL_MSG("CA cannot sign CRLs"); |
wolfSSL | 0:d92f9d21154c | 7768 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 0:d92f9d21154c | 7769 | } |
wolfSSL | 0:d92f9d21154c | 7770 | #endif /* IGNORE_KEY_EXTENSIONS */ |
wolfSSL | 0:d92f9d21154c | 7771 | if (!ConfirmSignature(buff + dcrl->certBegin, |
wolfSSL | 0:d92f9d21154c | 7772 | dcrl->sigIndex - dcrl->certBegin, |
wolfSSL | 0:d92f9d21154c | 7773 | ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 0:d92f9d21154c | 7774 | dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) { |
wolfSSL | 0:d92f9d21154c | 7775 | WOLFSSL_MSG("CRL Confirm signature failed"); |
wolfSSL | 0:d92f9d21154c | 7776 | return ASN_CRL_CONFIRM_E; |
wolfSSL | 0:d92f9d21154c | 7777 | } |
wolfSSL | 0:d92f9d21154c | 7778 | } |
wolfSSL | 0:d92f9d21154c | 7779 | else { |
wolfSSL | 0:d92f9d21154c | 7780 | WOLFSSL_MSG("Did NOT find CRL issuer CA"); |
wolfSSL | 0:d92f9d21154c | 7781 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 0:d92f9d21154c | 7782 | } |
wolfSSL | 0:d92f9d21154c | 7783 | |
wolfSSL | 0:d92f9d21154c | 7784 | return 0; |
wolfSSL | 0:d92f9d21154c | 7785 | } |
wolfSSL | 0:d92f9d21154c | 7786 | |
wolfSSL | 0:d92f9d21154c | 7787 | #endif /* HAVE_CRL */ |
wolfSSL | 0:d92f9d21154c | 7788 | #endif |
wolfSSL | 0:d92f9d21154c | 7789 | |
wolfSSL | 0:d92f9d21154c | 7790 | #ifdef WOLFSSL_SEP |
wolfSSL | 0:d92f9d21154c | 7791 | |
wolfSSL | 0:d92f9d21154c | 7792 | |
wolfSSL | 0:d92f9d21154c | 7793 | |
wolfSSL | 0:d92f9d21154c | 7794 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 0:d92f9d21154c | 7795 | |
wolfSSL | 0:d92f9d21154c | 7796 |