wolfSSL - wolfSSL SSL/TLS library, support up to TLS1.3

Users » wolfSSL » Code » wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/asn.c@0:d92f9d21154c, 2015-06-26 (annotated)

Committer:: wolfSSL
Date:: Fri Jun 26 00:39:20 2015 +0000
Revision:: 0:d92f9d21154c
Child:: 2:28278596c2a2

wolfSSL 3.6.0

Who changed what in which revision?

User	Revision	Line number	New contents of line
wolfSSL	0:d92f9d21154c	1	/* asn.c
wolfSSL	0:d92f9d21154c	2	*
wolfSSL	0:d92f9d21154c	3	* Copyright (C) 2006-2015 wolfSSL Inc.
wolfSSL	0:d92f9d21154c	4	*
wolfSSL	0:d92f9d21154c	5	* This file is part of wolfSSL. (formerly known as CyaSSL)
wolfSSL	0:d92f9d21154c	6	*
wolfSSL	0:d92f9d21154c	7	* wolfSSL is free software; you can redistribute it and/or modify
wolfSSL	0:d92f9d21154c	8	* it under the terms of the GNU General Public License as published by
wolfSSL	0:d92f9d21154c	9	* the Free Software Foundation; either version 2 of the License, or
wolfSSL	0:d92f9d21154c	10	* (at your option) any later version.
wolfSSL	0:d92f9d21154c	11	*
wolfSSL	0:d92f9d21154c	12	* wolfSSL is distributed in the hope that it will be useful,
wolfSSL	0:d92f9d21154c	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL	0:d92f9d21154c	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL	0:d92f9d21154c	15	* GNU General Public License for more details.
wolfSSL	0:d92f9d21154c	16	*
wolfSSL	0:d92f9d21154c	17	* You should have received a copy of the GNU General Public License
wolfSSL	0:d92f9d21154c	18	* along with this program; if not, write to the Free Software
wolfSSL	0:d92f9d21154c	19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
wolfSSL	0:d92f9d21154c	20	*/
wolfSSL	0:d92f9d21154c	21
wolfSSL	0:d92f9d21154c	22	#ifdef HAVE_CONFIG_H
wolfSSL	0:d92f9d21154c	23	#include <config.h>
wolfSSL	0:d92f9d21154c	24	#endif
wolfSSL	0:d92f9d21154c	25
wolfSSL	0:d92f9d21154c	26	#include <wolfssl/wolfcrypt/settings.h>
wolfSSL	0:d92f9d21154c	27
wolfSSL	0:d92f9d21154c	28	#ifndef NO_ASN
wolfSSL	0:d92f9d21154c	29
wolfSSL	0:d92f9d21154c	30	#ifdef HAVE_RTP_SYS
wolfSSL	0:d92f9d21154c	31	#include "os.h" /* dc_rtc_api needs */
wolfSSL	0:d92f9d21154c	32	#include "dc_rtc_api.h" /* to get current time */
wolfSSL	0:d92f9d21154c	33	#endif
wolfSSL	0:d92f9d21154c	34
wolfSSL	0:d92f9d21154c	35	#include <wolfssl/wolfcrypt/asn.h>
wolfSSL	0:d92f9d21154c	36	#include <wolfssl/wolfcrypt/coding.h>
wolfSSL	0:d92f9d21154c	37	#include <wolfssl/wolfcrypt/md2.h>
wolfSSL	0:d92f9d21154c	38	#include <wolfssl/wolfcrypt/hmac.h>
wolfSSL	0:d92f9d21154c	39	#include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL	0:d92f9d21154c	40	#include <wolfssl/wolfcrypt/pwdbased.h>
wolfSSL	0:d92f9d21154c	41	#include <wolfssl/wolfcrypt/des3.h>
wolfSSL	0:d92f9d21154c	42	#include <wolfssl/wolfcrypt/logging.h>
wolfSSL	0:d92f9d21154c	43
wolfSSL	0:d92f9d21154c	44	#include <wolfssl/wolfcrypt/random.h>
wolfSSL	0:d92f9d21154c	45
wolfSSL	0:d92f9d21154c	46
wolfSSL	0:d92f9d21154c	47	#ifndef NO_RC4
wolfSSL	0:d92f9d21154c	48	#include <wolfssl/wolfcrypt/arc4.h>
wolfSSL	0:d92f9d21154c	49	#endif
wolfSSL	0:d92f9d21154c	50
wolfSSL	0:d92f9d21154c	51	#ifdef HAVE_NTRU
wolfSSL	0:d92f9d21154c	52	#include "ntru_crypto.h"
wolfSSL	0:d92f9d21154c	53	#endif
wolfSSL	0:d92f9d21154c	54
wolfSSL	0:d92f9d21154c	55	#if defined(WOLFSSL_SHA512) \|\| defined(WOLFSSL_SHA384)
wolfSSL	0:d92f9d21154c	56	#include <wolfssl/wolfcrypt/sha512.h>
wolfSSL	0:d92f9d21154c	57	#endif
wolfSSL	0:d92f9d21154c	58
wolfSSL	0:d92f9d21154c	59	#ifndef NO_SHA256
wolfSSL	0:d92f9d21154c	60	#include <wolfssl/wolfcrypt/sha256.h>
wolfSSL	0:d92f9d21154c	61	#endif
wolfSSL	0:d92f9d21154c	62
wolfSSL	0:d92f9d21154c	63	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	64	#include <wolfssl/wolfcrypt/ecc.h>
wolfSSL	0:d92f9d21154c	65	#endif
wolfSSL	0:d92f9d21154c	66
wolfSSL	0:d92f9d21154c	67	#ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL	0:d92f9d21154c	68	#ifdef FREESCALE_MQX
wolfSSL	0:d92f9d21154c	69	#include <fio.h>
wolfSSL	0:d92f9d21154c	70	#else
wolfSSL	0:d92f9d21154c	71	#include <stdio.h>
wolfSSL	0:d92f9d21154c	72	#endif
wolfSSL	0:d92f9d21154c	73	#endif
wolfSSL	0:d92f9d21154c	74
wolfSSL	0:d92f9d21154c	75	#ifdef _MSC_VER
wolfSSL	0:d92f9d21154c	76	/* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
wolfSSL	0:d92f9d21154c	77	#pragma warning(disable: 4996)
wolfSSL	0:d92f9d21154c	78	#endif
wolfSSL	0:d92f9d21154c	79
wolfSSL	0:d92f9d21154c	80
wolfSSL	0:d92f9d21154c	81	#ifndef TRUE
wolfSSL	0:d92f9d21154c	82	#define TRUE 1
wolfSSL	0:d92f9d21154c	83	#endif
wolfSSL	0:d92f9d21154c	84	#ifndef FALSE
wolfSSL	0:d92f9d21154c	85	#define FALSE 0
wolfSSL	0:d92f9d21154c	86	#endif
wolfSSL	0:d92f9d21154c	87
wolfSSL	0:d92f9d21154c	88
wolfSSL	0:d92f9d21154c	89	#ifdef HAVE_RTP_SYS
wolfSSL	0:d92f9d21154c	90	/* uses parital <time.h> structures */
wolfSSL	0:d92f9d21154c	91	#define XTIME(tl) (0)
wolfSSL	0:d92f9d21154c	92	#define XGMTIME(c, t) my_gmtime((c))
wolfSSL	0:d92f9d21154c	93	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	94	#elif defined(MICRIUM)
wolfSSL	0:d92f9d21154c	95	#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
wolfSSL	0:d92f9d21154c	96	#define XVALIDATE_DATE(d,f,t) NetSecure_ValidateDateHandler((d),(f),(t))
wolfSSL	0:d92f9d21154c	97	#else
wolfSSL	0:d92f9d21154c	98	#define XVALIDATE_DATE(d, f, t) (0)
wolfSSL	0:d92f9d21154c	99	#endif
wolfSSL	0:d92f9d21154c	100	#define NO_TIME_H
wolfSSL	0:d92f9d21154c	101	/* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
wolfSSL	0:d92f9d21154c	102	#elif defined(MICROCHIP_TCPIP_V5) \|\| defined(MICROCHIP_TCPIP)
wolfSSL	0:d92f9d21154c	103	#include <time.h>
wolfSSL	0:d92f9d21154c	104	#define XTIME(t1) pic32_time((t1))
wolfSSL	0:d92f9d21154c	105	#define XGMTIME(c, t) gmtime((c))
wolfSSL	0:d92f9d21154c	106	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	107	#elif defined(FREESCALE_MQX)
wolfSSL	0:d92f9d21154c	108	#define XTIME(t1) mqx_time((t1))
wolfSSL	0:d92f9d21154c	109	#define XGMTIME(c, t) mqx_gmtime((c), (t))
wolfSSL	0:d92f9d21154c	110	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	111	#elif defined(WOLFSSL_MDK_ARM)
wolfSSL	0:d92f9d21154c	112	#if defined(WOLFSSL_MDK5)
wolfSSL	0:d92f9d21154c	113	#include "cmsis_os.h"
wolfSSL	0:d92f9d21154c	114	#else
wolfSSL	0:d92f9d21154c	115	#include <rtl.h>
wolfSSL	0:d92f9d21154c	116	#endif
wolfSSL	0:d92f9d21154c	117	#undef RNG
wolfSSL	0:d92f9d21154c	118	#include "wolfssl_MDK_ARM.h"
wolfSSL	0:d92f9d21154c	119	#undef RNG
wolfSSL	0:d92f9d21154c	120	#define RNG wolfSSL_RNG /for avoiding name conflict in "stm32f2xx.h" /
wolfSSL	0:d92f9d21154c	121	#define XTIME(tl) (0)
wolfSSL	0:d92f9d21154c	122	#define XGMTIME(c, t) wolfssl_MDK_gmtime((c))
wolfSSL	0:d92f9d21154c	123	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	124	#elif defined(USER_TIME)
wolfSSL	0:d92f9d21154c	125	/* user time, and gmtime compatible functions, there is a gmtime
wolfSSL	0:d92f9d21154c	126	implementation here that WINCE uses, so really just need some ticks
wolfSSL	0:d92f9d21154c	127	since the EPOCH
wolfSSL	0:d92f9d21154c	128	*/
wolfSSL	0:d92f9d21154c	129
wolfSSL	0:d92f9d21154c	130	struct tm {
wolfSSL	0:d92f9d21154c	131	int tm_sec; /* seconds after the minute [0-60] */
wolfSSL	0:d92f9d21154c	132	int tm_min; /* minutes after the hour [0-59] */
wolfSSL	0:d92f9d21154c	133	int tm_hour; /* hours since midnight [0-23] */
wolfSSL	0:d92f9d21154c	134	int tm_mday; /* day of the month [1-31] */
wolfSSL	0:d92f9d21154c	135	int tm_mon; /* months since January [0-11] */
wolfSSL	0:d92f9d21154c	136	int tm_year; /* years since 1900 */
wolfSSL	0:d92f9d21154c	137	int tm_wday; /* days since Sunday [0-6] */
wolfSSL	0:d92f9d21154c	138	int tm_yday; /* days since January 1 [0-365] */
wolfSSL	0:d92f9d21154c	139	int tm_isdst; /* Daylight Savings Time flag */
wolfSSL	0:d92f9d21154c	140	long tm_gmtoff; /* offset from CUT in seconds */
wolfSSL	0:d92f9d21154c	141	char tm_zone; / timezone abbreviation */
wolfSSL	0:d92f9d21154c	142	};
wolfSSL	0:d92f9d21154c	143	typedef long time_t;
wolfSSL	0:d92f9d21154c	144
wolfSSL	0:d92f9d21154c	145	/* forward declaration */
wolfSSL	0:d92f9d21154c	146	struct tm* gmtime(const time_t* timer);
wolfSSL	0:d92f9d21154c	147	extern time_t XTIME(time_t * timer);
wolfSSL	0:d92f9d21154c	148
wolfSSL	0:d92f9d21154c	149	#define XGMTIME(c, t) gmtime((c))
wolfSSL	0:d92f9d21154c	150	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	151
wolfSSL	0:d92f9d21154c	152	#ifdef STACK_TRAP
wolfSSL	0:d92f9d21154c	153	/* for stack trap tracking, don't call os gmtime on OS X/linux,
wolfSSL	0:d92f9d21154c	154	uses a lot of stack spce */
wolfSSL	0:d92f9d21154c	155	extern time_t time(time_t * timer);
wolfSSL	0:d92f9d21154c	156	#define XTIME(tl) time((tl))
wolfSSL	0:d92f9d21154c	157	#endif /* STACK_TRAP */
wolfSSL	0:d92f9d21154c	158
wolfSSL	0:d92f9d21154c	159	#elif defined(TIME_OVERRIDES)
wolfSSL	0:d92f9d21154c	160	/* user would like to override time() and gmtime() functionality */
wolfSSL	0:d92f9d21154c	161
wolfSSL	0:d92f9d21154c	162	#ifndef HAVE_TIME_T_TYPE
wolfSSL	0:d92f9d21154c	163	typedef long time_t;
wolfSSL	0:d92f9d21154c	164	#endif
wolfSSL	0:d92f9d21154c	165	extern time_t XTIME(time_t * timer);
wolfSSL	0:d92f9d21154c	166
wolfSSL	0:d92f9d21154c	167	#ifndef HAVE_TM_TYPE
wolfSSL	0:d92f9d21154c	168	struct tm {
wolfSSL	0:d92f9d21154c	169	int tm_sec; /* seconds after the minute [0-60] */
wolfSSL	0:d92f9d21154c	170	int tm_min; /* minutes after the hour [0-59] */
wolfSSL	0:d92f9d21154c	171	int tm_hour; /* hours since midnight [0-23] */
wolfSSL	0:d92f9d21154c	172	int tm_mday; /* day of the month [1-31] */
wolfSSL	0:d92f9d21154c	173	int tm_mon; /* months since January [0-11] */
wolfSSL	0:d92f9d21154c	174	int tm_year; /* years since 1900 */
wolfSSL	0:d92f9d21154c	175	int tm_wday; /* days since Sunday [0-6] */
wolfSSL	0:d92f9d21154c	176	int tm_yday; /* days since January 1 [0-365] */
wolfSSL	0:d92f9d21154c	177	int tm_isdst; /* Daylight Savings Time flag */
wolfSSL	0:d92f9d21154c	178	long tm_gmtoff; /* offset from CUT in seconds */
wolfSSL	0:d92f9d21154c	179	char tm_zone; / timezone abbreviation */
wolfSSL	0:d92f9d21154c	180	};
wolfSSL	0:d92f9d21154c	181	#endif
wolfSSL	0:d92f9d21154c	182	extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp);
wolfSSL	0:d92f9d21154c	183
wolfSSL	0:d92f9d21154c	184	#ifndef HAVE_VALIDATE_DATE
wolfSSL	0:d92f9d21154c	185	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	186	#endif
wolfSSL	0:d92f9d21154c	187	#else
wolfSSL	0:d92f9d21154c	188	/* default */
wolfSSL	0:d92f9d21154c	189	/* uses complete <time.h> facility */
wolfSSL	0:d92f9d21154c	190	#include <time.h>
wolfSSL	0:d92f9d21154c	191	#define XTIME(tl) time((tl))
wolfSSL	0:d92f9d21154c	192	#define XGMTIME(c, t) gmtime((c))
wolfSSL	0:d92f9d21154c	193	#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
wolfSSL	0:d92f9d21154c	194	#endif
wolfSSL	0:d92f9d21154c	195
wolfSSL	0:d92f9d21154c	196
wolfSSL	0:d92f9d21154c	197	#ifdef _WIN32_WCE
wolfSSL	0:d92f9d21154c	198	/* no time() or gmtime() even though in time.h header?? */
wolfSSL	0:d92f9d21154c	199
wolfSSL	0:d92f9d21154c	200	#include <windows.h>
wolfSSL	0:d92f9d21154c	201
wolfSSL	0:d92f9d21154c	202
wolfSSL	0:d92f9d21154c	203	time_t time(time_t* timer)
wolfSSL	0:d92f9d21154c	204	{
wolfSSL	0:d92f9d21154c	205	SYSTEMTIME sysTime;
wolfSSL	0:d92f9d21154c	206	FILETIME fTime;
wolfSSL	0:d92f9d21154c	207	ULARGE_INTEGER intTime;
wolfSSL	0:d92f9d21154c	208	time_t localTime;
wolfSSL	0:d92f9d21154c	209
wolfSSL	0:d92f9d21154c	210	if (timer == NULL)
wolfSSL	0:d92f9d21154c	211	timer = &localTime;
wolfSSL	0:d92f9d21154c	212
wolfSSL	0:d92f9d21154c	213	GetSystemTime(&sysTime);
wolfSSL	0:d92f9d21154c	214	SystemTimeToFileTime(&sysTime, &fTime);
wolfSSL	0:d92f9d21154c	215
wolfSSL	0:d92f9d21154c	216	XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
wolfSSL	0:d92f9d21154c	217	/* subtract EPOCH */
wolfSSL	0:d92f9d21154c	218	intTime.QuadPart -= 0x19db1ded53e8000;
wolfSSL	0:d92f9d21154c	219	/* to secs */
wolfSSL	0:d92f9d21154c	220	intTime.QuadPart /= 10000000;
wolfSSL	0:d92f9d21154c	221	*timer = (time_t)intTime.QuadPart;
wolfSSL	0:d92f9d21154c	222
wolfSSL	0:d92f9d21154c	223	return *timer;
wolfSSL	0:d92f9d21154c	224	}
wolfSSL	0:d92f9d21154c	225
wolfSSL	0:d92f9d21154c	226	#endif /* _WIN32_WCE */
wolfSSL	0:d92f9d21154c	227	#if defined( _WIN32_WCE ) \|\| defined( USER_TIME )
wolfSSL	0:d92f9d21154c	228
wolfSSL	0:d92f9d21154c	229	struct tm* gmtime(const time_t* timer)
wolfSSL	0:d92f9d21154c	230	{
wolfSSL	0:d92f9d21154c	231	#define YEAR0 1900
wolfSSL	0:d92f9d21154c	232	#define EPOCH_YEAR 1970
wolfSSL	0:d92f9d21154c	233	#define SECS_DAY (24L * 60L * 60L)
wolfSSL	0:d92f9d21154c	234	#define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) \|\| !((year) %400)))
wolfSSL	0:d92f9d21154c	235	#define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
wolfSSL	0:d92f9d21154c	236
wolfSSL	0:d92f9d21154c	237	static const int _ytab[2][12] =
wolfSSL	0:d92f9d21154c	238	{
wolfSSL	0:d92f9d21154c	239	{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
wolfSSL	0:d92f9d21154c	240	{31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
wolfSSL	0:d92f9d21154c	241	};
wolfSSL	0:d92f9d21154c	242
wolfSSL	0:d92f9d21154c	243	static struct tm st_time;
wolfSSL	0:d92f9d21154c	244	struct tm* ret = &st_time;
wolfSSL	0:d92f9d21154c	245	time_t secs = *timer;
wolfSSL	0:d92f9d21154c	246	unsigned long dayclock, dayno;
wolfSSL	0:d92f9d21154c	247	int year = EPOCH_YEAR;
wolfSSL	0:d92f9d21154c	248
wolfSSL	0:d92f9d21154c	249	dayclock = (unsigned long)secs % SECS_DAY;
wolfSSL	0:d92f9d21154c	250	dayno = (unsigned long)secs / SECS_DAY;
wolfSSL	0:d92f9d21154c	251
wolfSSL	0:d92f9d21154c	252	ret->tm_sec = (int) dayclock % 60;
wolfSSL	0:d92f9d21154c	253	ret->tm_min = (int)(dayclock % 3600) / 60;
wolfSSL	0:d92f9d21154c	254	ret->tm_hour = (int) dayclock / 3600;
wolfSSL	0:d92f9d21154c	255	ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */
wolfSSL	0:d92f9d21154c	256
wolfSSL	0:d92f9d21154c	257	while(dayno >= (unsigned long)YEARSIZE(year)) {
wolfSSL	0:d92f9d21154c	258	dayno -= YEARSIZE(year);
wolfSSL	0:d92f9d21154c	259	year++;
wolfSSL	0:d92f9d21154c	260	}
wolfSSL	0:d92f9d21154c	261
wolfSSL	0:d92f9d21154c	262	ret->tm_year = year - YEAR0;
wolfSSL	0:d92f9d21154c	263	ret->tm_yday = (int)dayno;
wolfSSL	0:d92f9d21154c	264	ret->tm_mon = 0;
wolfSSL	0:d92f9d21154c	265
wolfSSL	0:d92f9d21154c	266	while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
wolfSSL	0:d92f9d21154c	267	dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
wolfSSL	0:d92f9d21154c	268	ret->tm_mon++;
wolfSSL	0:d92f9d21154c	269	}
wolfSSL	0:d92f9d21154c	270
wolfSSL	0:d92f9d21154c	271	ret->tm_mday = (int)++dayno;
wolfSSL	0:d92f9d21154c	272	ret->tm_isdst = 0;
wolfSSL	0:d92f9d21154c	273
wolfSSL	0:d92f9d21154c	274	return ret;
wolfSSL	0:d92f9d21154c	275	}
wolfSSL	0:d92f9d21154c	276
wolfSSL	0:d92f9d21154c	277	#endif /* _WIN32_WCE \|\| USER_TIME */
wolfSSL	0:d92f9d21154c	278
wolfSSL	0:d92f9d21154c	279
wolfSSL	0:d92f9d21154c	280	#ifdef HAVE_RTP_SYS
wolfSSL	0:d92f9d21154c	281
wolfSSL	0:d92f9d21154c	282	#define YEAR0 1900
wolfSSL	0:d92f9d21154c	283
wolfSSL	0:d92f9d21154c	284	struct tm* my_gmtime(const time_t* timer) /* has a gmtime() but hangs */
wolfSSL	0:d92f9d21154c	285	{
wolfSSL	0:d92f9d21154c	286	static struct tm st_time;
wolfSSL	0:d92f9d21154c	287	struct tm* ret = &st_time;
wolfSSL	0:d92f9d21154c	288
wolfSSL	0:d92f9d21154c	289	DC_RTC_CALENDAR cal;
wolfSSL	0:d92f9d21154c	290	dc_rtc_time_get(&cal, TRUE);
wolfSSL	0:d92f9d21154c	291
wolfSSL	0:d92f9d21154c	292	ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */
wolfSSL	0:d92f9d21154c	293	ret->tm_mon = cal.month - 1; /* gm starts at 0 */
wolfSSL	0:d92f9d21154c	294	ret->tm_mday = cal.day;
wolfSSL	0:d92f9d21154c	295	ret->tm_hour = cal.hour;
wolfSSL	0:d92f9d21154c	296	ret->tm_min = cal.minute;
wolfSSL	0:d92f9d21154c	297	ret->tm_sec = cal.second;
wolfSSL	0:d92f9d21154c	298
wolfSSL	0:d92f9d21154c	299	return ret;
wolfSSL	0:d92f9d21154c	300	}
wolfSSL	0:d92f9d21154c	301
wolfSSL	0:d92f9d21154c	302	#endif /* HAVE_RTP_SYS */
wolfSSL	0:d92f9d21154c	303
wolfSSL	0:d92f9d21154c	304
wolfSSL	0:d92f9d21154c	305	#if defined(MICROCHIP_TCPIP_V5) \|\| defined(MICROCHIP_TCPIP)
wolfSSL	0:d92f9d21154c	306
wolfSSL	0:d92f9d21154c	307	/*
wolfSSL	0:d92f9d21154c	308	* time() is just a stub in Microchip libraries. We need our own
wolfSSL	0:d92f9d21154c	309	* implementation. Use SNTP client to get seconds since epoch.
wolfSSL	0:d92f9d21154c	310	*/
wolfSSL	0:d92f9d21154c	311	time_t pic32_time(time_t* timer)
wolfSSL	0:d92f9d21154c	312	{
wolfSSL	0:d92f9d21154c	313	#ifdef MICROCHIP_TCPIP_V5
wolfSSL	0:d92f9d21154c	314	DWORD sec = 0;
wolfSSL	0:d92f9d21154c	315	#else
wolfSSL	0:d92f9d21154c	316	uint32_t sec = 0;
wolfSSL	0:d92f9d21154c	317	#endif
wolfSSL	0:d92f9d21154c	318	time_t localTime;
wolfSSL	0:d92f9d21154c	319
wolfSSL	0:d92f9d21154c	320	if (timer == NULL)
wolfSSL	0:d92f9d21154c	321	timer = &localTime;
wolfSSL	0:d92f9d21154c	322
wolfSSL	0:d92f9d21154c	323	#ifdef MICROCHIP_MPLAB_HARMONY
wolfSSL	0:d92f9d21154c	324	sec = TCPIP_SNTP_UTCSecondsGet();
wolfSSL	0:d92f9d21154c	325	#else
wolfSSL	0:d92f9d21154c	326	sec = SNTPGetUTCSeconds();
wolfSSL	0:d92f9d21154c	327	#endif
wolfSSL	0:d92f9d21154c	328	*timer = (time_t) sec;
wolfSSL	0:d92f9d21154c	329
wolfSSL	0:d92f9d21154c	330	return *timer;
wolfSSL	0:d92f9d21154c	331	}
wolfSSL	0:d92f9d21154c	332
wolfSSL	0:d92f9d21154c	333	#endif /* MICROCHIP_TCPIP */
wolfSSL	0:d92f9d21154c	334
wolfSSL	0:d92f9d21154c	335
wolfSSL	0:d92f9d21154c	336	#ifdef FREESCALE_MQX
wolfSSL	0:d92f9d21154c	337
wolfSSL	0:d92f9d21154c	338	time_t mqx_time(time_t* timer)
wolfSSL	0:d92f9d21154c	339	{
wolfSSL	0:d92f9d21154c	340	time_t localTime;
wolfSSL	0:d92f9d21154c	341	TIME_STRUCT time_s;
wolfSSL	0:d92f9d21154c	342
wolfSSL	0:d92f9d21154c	343	if (timer == NULL)
wolfSSL	0:d92f9d21154c	344	timer = &localTime;
wolfSSL	0:d92f9d21154c	345
wolfSSL	0:d92f9d21154c	346	_time_get(&time_s);
wolfSSL	0:d92f9d21154c	347	*timer = (time_t) time_s.SECONDS;
wolfSSL	0:d92f9d21154c	348
wolfSSL	0:d92f9d21154c	349	return *timer;
wolfSSL	0:d92f9d21154c	350	}
wolfSSL	0:d92f9d21154c	351
wolfSSL	0:d92f9d21154c	352	/* CodeWarrior GCC toolchain only has gmtime_r(), no gmtime() */
wolfSSL	0:d92f9d21154c	353	struct tm* mqx_gmtime(const time_t* clock, struct tm* tmpTime)
wolfSSL	0:d92f9d21154c	354	{
wolfSSL	0:d92f9d21154c	355	return gmtime_r(clock, tmpTime);
wolfSSL	0:d92f9d21154c	356	}
wolfSSL	0:d92f9d21154c	357
wolfSSL	0:d92f9d21154c	358	#endif /* FREESCALE_MQX */
wolfSSL	0:d92f9d21154c	359
wolfSSL	0:d92f9d21154c	360	#ifdef WOLFSSL_TIRTOS
wolfSSL	0:d92f9d21154c	361
wolfSSL	0:d92f9d21154c	362	time_t XTIME(time_t * timer)
wolfSSL	0:d92f9d21154c	363	{
wolfSSL	0:d92f9d21154c	364	time_t sec = 0;
wolfSSL	0:d92f9d21154c	365
wolfSSL	0:d92f9d21154c	366	sec = (time_t) Seconds_get();
wolfSSL	0:d92f9d21154c	367
wolfSSL	0:d92f9d21154c	368	if (timer != NULL)
wolfSSL	0:d92f9d21154c	369	*timer = sec;
wolfSSL	0:d92f9d21154c	370
wolfSSL	0:d92f9d21154c	371	return sec;
wolfSSL	0:d92f9d21154c	372	}
wolfSSL	0:d92f9d21154c	373
wolfSSL	0:d92f9d21154c	374	#endif /* WOLFSSL_TIRTOS */
wolfSSL	0:d92f9d21154c	375
wolfSSL	0:d92f9d21154c	376	static INLINE word32 btoi(byte b)
wolfSSL	0:d92f9d21154c	377	{
wolfSSL	0:d92f9d21154c	378	return b - 0x30;
wolfSSL	0:d92f9d21154c	379	}
wolfSSL	0:d92f9d21154c	380
wolfSSL	0:d92f9d21154c	381
wolfSSL	0:d92f9d21154c	382	/* two byte date/time, add to value */
wolfSSL	0:d92f9d21154c	383	static INLINE void GetTime(int* value, const byte* date, int* idx)
wolfSSL	0:d92f9d21154c	384	{
wolfSSL	0:d92f9d21154c	385	int i = *idx;
wolfSSL	0:d92f9d21154c	386
wolfSSL	0:d92f9d21154c	387	value += btoi(date[i++]) 10;
wolfSSL	0:d92f9d21154c	388	*value += btoi(date[i++]);
wolfSSL	0:d92f9d21154c	389
wolfSSL	0:d92f9d21154c	390	*idx = i;
wolfSSL	0:d92f9d21154c	391	}
wolfSSL	0:d92f9d21154c	392
wolfSSL	0:d92f9d21154c	393
wolfSSL	0:d92f9d21154c	394	#if defined(MICRIUM)
wolfSSL	0:d92f9d21154c	395
wolfSSL	0:d92f9d21154c	396	CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
wolfSSL	0:d92f9d21154c	397	CPU_INT08U dateType)
wolfSSL	0:d92f9d21154c	398	{
wolfSSL	0:d92f9d21154c	399	CPU_BOOLEAN rtn_code;
wolfSSL	0:d92f9d21154c	400	CPU_INT32S i;
wolfSSL	0:d92f9d21154c	401	CPU_INT32S val;
wolfSSL	0:d92f9d21154c	402	CPU_INT16U year;
wolfSSL	0:d92f9d21154c	403	CPU_INT08U month;
wolfSSL	0:d92f9d21154c	404	CPU_INT16U day;
wolfSSL	0:d92f9d21154c	405	CPU_INT08U hour;
wolfSSL	0:d92f9d21154c	406	CPU_INT08U min;
wolfSSL	0:d92f9d21154c	407	CPU_INT08U sec;
wolfSSL	0:d92f9d21154c	408
wolfSSL	0:d92f9d21154c	409	i = 0;
wolfSSL	0:d92f9d21154c	410	year = 0u;
wolfSSL	0:d92f9d21154c	411
wolfSSL	0:d92f9d21154c	412	if (format == ASN_UTC_TIME) {
wolfSSL	0:d92f9d21154c	413	if (btoi(date[0]) >= 5)
wolfSSL	0:d92f9d21154c	414	year = 1900;
wolfSSL	0:d92f9d21154c	415	else
wolfSSL	0:d92f9d21154c	416	year = 2000;
wolfSSL	0:d92f9d21154c	417	}
wolfSSL	0:d92f9d21154c	418	else { /* format == GENERALIZED_TIME */
wolfSSL	0:d92f9d21154c	419	year += btoi(date[i++]) * 1000;
wolfSSL	0:d92f9d21154c	420	year += btoi(date[i++]) * 100;
wolfSSL	0:d92f9d21154c	421	}
wolfSSL	0:d92f9d21154c	422
wolfSSL	0:d92f9d21154c	423	val = year;
wolfSSL	0:d92f9d21154c	424	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	425	year = (CPU_INT16U)val;
wolfSSL	0:d92f9d21154c	426
wolfSSL	0:d92f9d21154c	427	val = 0;
wolfSSL	0:d92f9d21154c	428	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	429	month = (CPU_INT08U)val;
wolfSSL	0:d92f9d21154c	430
wolfSSL	0:d92f9d21154c	431	val = 0;
wolfSSL	0:d92f9d21154c	432	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	433	day = (CPU_INT16U)val;
wolfSSL	0:d92f9d21154c	434
wolfSSL	0:d92f9d21154c	435	val = 0;
wolfSSL	0:d92f9d21154c	436	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	437	hour = (CPU_INT08U)val;
wolfSSL	0:d92f9d21154c	438
wolfSSL	0:d92f9d21154c	439	val = 0;
wolfSSL	0:d92f9d21154c	440	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	441	min = (CPU_INT08U)val;
wolfSSL	0:d92f9d21154c	442
wolfSSL	0:d92f9d21154c	443	val = 0;
wolfSSL	0:d92f9d21154c	444	GetTime(&val, date, &i);
wolfSSL	0:d92f9d21154c	445	sec = (CPU_INT08U)val;
wolfSSL	0:d92f9d21154c	446
wolfSSL	0:d92f9d21154c	447	return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType);
wolfSSL	0:d92f9d21154c	448	}
wolfSSL	0:d92f9d21154c	449
wolfSSL	0:d92f9d21154c	450	#endif /* MICRIUM */
wolfSSL	0:d92f9d21154c	451
wolfSSL	0:d92f9d21154c	452
wolfSSL	0:d92f9d21154c	453	WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
wolfSSL	0:d92f9d21154c	454	word32 maxIdx)
wolfSSL	0:d92f9d21154c	455	{
wolfSSL	0:d92f9d21154c	456	int length = 0;
wolfSSL	0:d92f9d21154c	457	word32 i = *inOutIdx;
wolfSSL	0:d92f9d21154c	458	byte b;
wolfSSL	0:d92f9d21154c	459
wolfSSL	0:d92f9d21154c	460	len = 0; / default length */
wolfSSL	0:d92f9d21154c	461
wolfSSL	0:d92f9d21154c	462	if ( (i+1) > maxIdx) { /* for first read */
wolfSSL	0:d92f9d21154c	463	WOLFSSL_MSG("GetLength bad index on input");
wolfSSL	0:d92f9d21154c	464	return BUFFER_E;
wolfSSL	0:d92f9d21154c	465	}
wolfSSL	0:d92f9d21154c	466
wolfSSL	0:d92f9d21154c	467	b = input[i++];
wolfSSL	0:d92f9d21154c	468	if (b >= ASN_LONG_LENGTH) {
wolfSSL	0:d92f9d21154c	469	word32 bytes = b & 0x7F;
wolfSSL	0:d92f9d21154c	470
wolfSSL	0:d92f9d21154c	471	if ( (i+bytes) > maxIdx) { /* for reading bytes */
wolfSSL	0:d92f9d21154c	472	WOLFSSL_MSG("GetLength bad long length");
wolfSSL	0:d92f9d21154c	473	return BUFFER_E;
wolfSSL	0:d92f9d21154c	474	}
wolfSSL	0:d92f9d21154c	475
wolfSSL	0:d92f9d21154c	476	while (bytes--) {
wolfSSL	0:d92f9d21154c	477	b = input[i++];
wolfSSL	0:d92f9d21154c	478	length = (length << 8) \| b;
wolfSSL	0:d92f9d21154c	479	}
wolfSSL	0:d92f9d21154c	480	}
wolfSSL	0:d92f9d21154c	481	else
wolfSSL	0:d92f9d21154c	482	length = b;
wolfSSL	0:d92f9d21154c	483
wolfSSL	0:d92f9d21154c	484	if ( (i+length) > maxIdx) { /* for user of length */
wolfSSL	0:d92f9d21154c	485	WOLFSSL_MSG("GetLength value exceeds buffer length");
wolfSSL	0:d92f9d21154c	486	return BUFFER_E;
wolfSSL	0:d92f9d21154c	487	}
wolfSSL	0:d92f9d21154c	488
wolfSSL	0:d92f9d21154c	489	*inOutIdx = i;
wolfSSL	0:d92f9d21154c	490	if (length > 0)
wolfSSL	0:d92f9d21154c	491	*len = length;
wolfSSL	0:d92f9d21154c	492
wolfSSL	0:d92f9d21154c	493	return length;
wolfSSL	0:d92f9d21154c	494	}
wolfSSL	0:d92f9d21154c	495
wolfSSL	0:d92f9d21154c	496
wolfSSL	0:d92f9d21154c	497	WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
wolfSSL	0:d92f9d21154c	498	word32 maxIdx)
wolfSSL	0:d92f9d21154c	499	{
wolfSSL	0:d92f9d21154c	500	int length = -1;
wolfSSL	0:d92f9d21154c	501	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	502
wolfSSL	0:d92f9d21154c	503	if (input[idx++] != (ASN_SEQUENCE \| ASN_CONSTRUCTED) \|\|
wolfSSL	0:d92f9d21154c	504	GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	505	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	506
wolfSSL	0:d92f9d21154c	507	*len = length;
wolfSSL	0:d92f9d21154c	508	*inOutIdx = idx;
wolfSSL	0:d92f9d21154c	509
wolfSSL	0:d92f9d21154c	510	return length;
wolfSSL	0:d92f9d21154c	511	}
wolfSSL	0:d92f9d21154c	512
wolfSSL	0:d92f9d21154c	513
wolfSSL	0:d92f9d21154c	514	WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
wolfSSL	0:d92f9d21154c	515	word32 maxIdx)
wolfSSL	0:d92f9d21154c	516	{
wolfSSL	0:d92f9d21154c	517	int length = -1;
wolfSSL	0:d92f9d21154c	518	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	519
wolfSSL	0:d92f9d21154c	520	if (input[idx++] != (ASN_SET \| ASN_CONSTRUCTED) \|\|
wolfSSL	0:d92f9d21154c	521	GetLength(input, &idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	522	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	523
wolfSSL	0:d92f9d21154c	524	*len = length;
wolfSSL	0:d92f9d21154c	525	*inOutIdx = idx;
wolfSSL	0:d92f9d21154c	526
wolfSSL	0:d92f9d21154c	527	return length;
wolfSSL	0:d92f9d21154c	528	}
wolfSSL	0:d92f9d21154c	529
wolfSSL	0:d92f9d21154c	530
wolfSSL	0:d92f9d21154c	531	/* winodws header clash for WinCE using GetVersion */
wolfSSL	0:d92f9d21154c	532	WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
wolfSSL	0:d92f9d21154c	533	{
wolfSSL	0:d92f9d21154c	534	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	535
wolfSSL	0:d92f9d21154c	536	WOLFSSL_ENTER("GetMyVersion");
wolfSSL	0:d92f9d21154c	537
wolfSSL	0:d92f9d21154c	538	if (input[idx++] != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	539	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	540
wolfSSL	0:d92f9d21154c	541	if (input[idx++] != 0x01)
wolfSSL	0:d92f9d21154c	542	return ASN_VERSION_E;
wolfSSL	0:d92f9d21154c	543
wolfSSL	0:d92f9d21154c	544	*version = input[idx++];
wolfSSL	0:d92f9d21154c	545	*inOutIdx = idx;
wolfSSL	0:d92f9d21154c	546
wolfSSL	0:d92f9d21154c	547	return *version;
wolfSSL	0:d92f9d21154c	548	}
wolfSSL	0:d92f9d21154c	549
wolfSSL	0:d92f9d21154c	550
wolfSSL	0:d92f9d21154c	551	#ifndef NO_PWDBASED
wolfSSL	0:d92f9d21154c	552	/* Get small count integer, 32 bits or less */
wolfSSL	0:d92f9d21154c	553	static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
wolfSSL	0:d92f9d21154c	554	{
wolfSSL	0:d92f9d21154c	555	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	556	word32 len;
wolfSSL	0:d92f9d21154c	557
wolfSSL	0:d92f9d21154c	558	*number = 0;
wolfSSL	0:d92f9d21154c	559
wolfSSL	0:d92f9d21154c	560	if (input[idx++] != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	561	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	562
wolfSSL	0:d92f9d21154c	563	len = input[idx++];
wolfSSL	0:d92f9d21154c	564	if (len > 4)
wolfSSL	0:d92f9d21154c	565	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	566
wolfSSL	0:d92f9d21154c	567	while (len--) {
wolfSSL	0:d92f9d21154c	568	number = number << 8 \| input[idx++];
wolfSSL	0:d92f9d21154c	569	}
wolfSSL	0:d92f9d21154c	570
wolfSSL	0:d92f9d21154c	571	*inOutIdx = idx;
wolfSSL	0:d92f9d21154c	572
wolfSSL	0:d92f9d21154c	573	return *number;
wolfSSL	0:d92f9d21154c	574	}
wolfSSL	0:d92f9d21154c	575	#endif /* !NO_PWDBASED */
wolfSSL	0:d92f9d21154c	576
wolfSSL	0:d92f9d21154c	577
wolfSSL	0:d92f9d21154c	578	/* May not have one, not an error */
wolfSSL	0:d92f9d21154c	579	static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
wolfSSL	0:d92f9d21154c	580	{
wolfSSL	0:d92f9d21154c	581	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	582
wolfSSL	0:d92f9d21154c	583	WOLFSSL_ENTER("GetExplicitVersion");
wolfSSL	0:d92f9d21154c	584	if (input[idx++] == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED)) {
wolfSSL	0:d92f9d21154c	585	inOutIdx = ++idx; / eat header */
wolfSSL	0:d92f9d21154c	586	return GetMyVersion(input, inOutIdx, version);
wolfSSL	0:d92f9d21154c	587	}
wolfSSL	0:d92f9d21154c	588
wolfSSL	0:d92f9d21154c	589	/* go back as is */
wolfSSL	0:d92f9d21154c	590	*version = 0;
wolfSSL	0:d92f9d21154c	591
wolfSSL	0:d92f9d21154c	592	return 0;
wolfSSL	0:d92f9d21154c	593	}
wolfSSL	0:d92f9d21154c	594
wolfSSL	0:d92f9d21154c	595
wolfSSL	0:d92f9d21154c	596	WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
wolfSSL	0:d92f9d21154c	597	word32 maxIdx)
wolfSSL	0:d92f9d21154c	598	{
wolfSSL	0:d92f9d21154c	599	word32 i = *inOutIdx;
wolfSSL	0:d92f9d21154c	600	byte b = input[i++];
wolfSSL	0:d92f9d21154c	601	int length;
wolfSSL	0:d92f9d21154c	602
wolfSSL	0:d92f9d21154c	603	if (b != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	604	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	605
wolfSSL	0:d92f9d21154c	606	if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	607	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	608
wolfSSL	0:d92f9d21154c	609	if ( (b = input[i++]) == 0x00)
wolfSSL	0:d92f9d21154c	610	length--;
wolfSSL	0:d92f9d21154c	611	else
wolfSSL	0:d92f9d21154c	612	i--;
wolfSSL	0:d92f9d21154c	613
wolfSSL	0:d92f9d21154c	614	if (mp_init(mpi) != MP_OKAY)
wolfSSL	0:d92f9d21154c	615	return MP_INIT_E;
wolfSSL	0:d92f9d21154c	616
wolfSSL	0:d92f9d21154c	617	if (mp_read_unsigned_bin(mpi, (byte*)input + i, length) != 0) {
wolfSSL	0:d92f9d21154c	618	mp_clear(mpi);
wolfSSL	0:d92f9d21154c	619	return ASN_GETINT_E;
wolfSSL	0:d92f9d21154c	620	}
wolfSSL	0:d92f9d21154c	621
wolfSSL	0:d92f9d21154c	622	*inOutIdx = i + length;
wolfSSL	0:d92f9d21154c	623	return 0;
wolfSSL	0:d92f9d21154c	624	}
wolfSSL	0:d92f9d21154c	625
wolfSSL	0:d92f9d21154c	626
wolfSSL	0:d92f9d21154c	627	static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL	0:d92f9d21154c	628	word32 maxIdx)
wolfSSL	0:d92f9d21154c	629	{
wolfSSL	0:d92f9d21154c	630	int length;
wolfSSL	0:d92f9d21154c	631	word32 i = *inOutIdx;
wolfSSL	0:d92f9d21154c	632	byte b;
wolfSSL	0:d92f9d21154c	633	*oid = 0;
wolfSSL	0:d92f9d21154c	634
wolfSSL	0:d92f9d21154c	635	b = input[i++];
wolfSSL	0:d92f9d21154c	636	if (b != ASN_OBJECT_ID)
wolfSSL	0:d92f9d21154c	637	return ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	638
wolfSSL	0:d92f9d21154c	639	if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	640	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	641
wolfSSL	0:d92f9d21154c	642	while(length--)
wolfSSL	0:d92f9d21154c	643	*oid += input[i++];
wolfSSL	0:d92f9d21154c	644	/* just sum it up for now */
wolfSSL	0:d92f9d21154c	645
wolfSSL	0:d92f9d21154c	646	*inOutIdx = i;
wolfSSL	0:d92f9d21154c	647
wolfSSL	0:d92f9d21154c	648	return 0;
wolfSSL	0:d92f9d21154c	649	}
wolfSSL	0:d92f9d21154c	650
wolfSSL	0:d92f9d21154c	651
wolfSSL	0:d92f9d21154c	652	WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
wolfSSL	0:d92f9d21154c	653	word32 maxIdx)
wolfSSL	0:d92f9d21154c	654	{
wolfSSL	0:d92f9d21154c	655	int length;
wolfSSL	0:d92f9d21154c	656	word32 i = *inOutIdx;
wolfSSL	0:d92f9d21154c	657	byte b;
wolfSSL	0:d92f9d21154c	658	*oid = 0;
wolfSSL	0:d92f9d21154c	659
wolfSSL	0:d92f9d21154c	660	WOLFSSL_ENTER("GetAlgoId");
wolfSSL	0:d92f9d21154c	661
wolfSSL	0:d92f9d21154c	662	if (GetSequence(input, &i, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	663	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	664
wolfSSL	0:d92f9d21154c	665	b = input[i++];
wolfSSL	0:d92f9d21154c	666	if (b != ASN_OBJECT_ID)
wolfSSL	0:d92f9d21154c	667	return ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	668
wolfSSL	0:d92f9d21154c	669	if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	670	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	671
wolfSSL	0:d92f9d21154c	672	while(length--) {
wolfSSL	0:d92f9d21154c	673	/* odd HC08 compiler behavior here when input[i++] */
wolfSSL	0:d92f9d21154c	674	*oid += input[i];
wolfSSL	0:d92f9d21154c	675	i++;
wolfSSL	0:d92f9d21154c	676	}
wolfSSL	0:d92f9d21154c	677	/* just sum it up for now */
wolfSSL	0:d92f9d21154c	678
wolfSSL	0:d92f9d21154c	679	/* could have NULL tag and 0 terminator, but may not */
wolfSSL	0:d92f9d21154c	680	b = input[i++];
wolfSSL	0:d92f9d21154c	681
wolfSSL	0:d92f9d21154c	682	if (b == ASN_TAG_NULL) {
wolfSSL	0:d92f9d21154c	683	b = input[i++];
wolfSSL	0:d92f9d21154c	684	if (b != 0)
wolfSSL	0:d92f9d21154c	685	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	686	}
wolfSSL	0:d92f9d21154c	687	else
wolfSSL	0:d92f9d21154c	688	/* go back, didn't have it */
wolfSSL	0:d92f9d21154c	689	i--;
wolfSSL	0:d92f9d21154c	690
wolfSSL	0:d92f9d21154c	691	*inOutIdx = i;
wolfSSL	0:d92f9d21154c	692
wolfSSL	0:d92f9d21154c	693	return 0;
wolfSSL	0:d92f9d21154c	694	}
wolfSSL	0:d92f9d21154c	695
wolfSSL	0:d92f9d21154c	696	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	697
wolfSSL	0:d92f9d21154c	698
wolfSSL	0:d92f9d21154c	699	#ifdef HAVE_CAVIUM
wolfSSL	0:d92f9d21154c	700
wolfSSL	0:d92f9d21154c	701	static int GetCaviumInt(byte** buff, word16* buffSz, const byte* input,
wolfSSL	0:d92f9d21154c	702	word32* inOutIdx, word32 maxIdx, void* heap)
wolfSSL	0:d92f9d21154c	703	{
wolfSSL	0:d92f9d21154c	704	word32 i = *inOutIdx;
wolfSSL	0:d92f9d21154c	705	byte b = input[i++];
wolfSSL	0:d92f9d21154c	706	int length;
wolfSSL	0:d92f9d21154c	707
wolfSSL	0:d92f9d21154c	708	if (b != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	709	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	710
wolfSSL	0:d92f9d21154c	711	if (GetLength(input, &i, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	712	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	713
wolfSSL	0:d92f9d21154c	714	if ( (b = input[i++]) == 0x00)
wolfSSL	0:d92f9d21154c	715	length--;
wolfSSL	0:d92f9d21154c	716	else
wolfSSL	0:d92f9d21154c	717	i--;
wolfSSL	0:d92f9d21154c	718
wolfSSL	0:d92f9d21154c	719	*buffSz = (word16)length;
wolfSSL	0:d92f9d21154c	720	buff = XMALLOC(buffSz, heap, DYNAMIC_TYPE_CAVIUM_RSA);
wolfSSL	0:d92f9d21154c	721	if (*buff == NULL)
wolfSSL	0:d92f9d21154c	722	return MEMORY_E;
wolfSSL	0:d92f9d21154c	723
wolfSSL	0:d92f9d21154c	724	XMEMCPY(buff, input + i, buffSz);
wolfSSL	0:d92f9d21154c	725
wolfSSL	0:d92f9d21154c	726	*inOutIdx = i + length;
wolfSSL	0:d92f9d21154c	727	return 0;
wolfSSL	0:d92f9d21154c	728	}
wolfSSL	0:d92f9d21154c	729
wolfSSL	0:d92f9d21154c	730	static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx,
wolfSSL	0:d92f9d21154c	731	RsaKey* key, word32 inSz)
wolfSSL	0:d92f9d21154c	732	{
wolfSSL	0:d92f9d21154c	733	int version, length;
wolfSSL	0:d92f9d21154c	734	void* h = key->heap;
wolfSSL	0:d92f9d21154c	735
wolfSSL	0:d92f9d21154c	736	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	737	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	738
wolfSSL	0:d92f9d21154c	739	if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL	0:d92f9d21154c	740	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	741
wolfSSL	0:d92f9d21154c	742	key->type = RSA_PRIVATE;
wolfSSL	0:d92f9d21154c	743
wolfSSL	0:d92f9d21154c	744	if (GetCaviumInt(&key->c_n, &key->c_nSz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	745	GetCaviumInt(&key->c_e, &key->c_eSz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	746	GetCaviumInt(&key->c_d, &key->c_dSz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	747	GetCaviumInt(&key->c_p, &key->c_pSz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	748	GetCaviumInt(&key->c_q, &key->c_qSz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	749	GetCaviumInt(&key->c_dP, &key->c_dP_Sz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	750	GetCaviumInt(&key->c_dQ, &key->c_dQ_Sz, input, inOutIdx, inSz, h) < 0 \|\|
wolfSSL	0:d92f9d21154c	751	GetCaviumInt(&key->c_u, &key->c_uSz, input, inOutIdx, inSz, h) < 0 )
wolfSSL	0:d92f9d21154c	752	return ASN_RSA_KEY_E;
wolfSSL	0:d92f9d21154c	753
wolfSSL	0:d92f9d21154c	754	return 0;
wolfSSL	0:d92f9d21154c	755	}
wolfSSL	0:d92f9d21154c	756
wolfSSL	0:d92f9d21154c	757
wolfSSL	0:d92f9d21154c	758	#endif /* HAVE_CAVIUM */
wolfSSL	0:d92f9d21154c	759
wolfSSL	0:d92f9d21154c	760	int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL	0:d92f9d21154c	761	word32 inSz)
wolfSSL	0:d92f9d21154c	762	{
wolfSSL	0:d92f9d21154c	763	int version, length;
wolfSSL	0:d92f9d21154c	764
wolfSSL	0:d92f9d21154c	765	#ifdef HAVE_CAVIUM
wolfSSL	0:d92f9d21154c	766	if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
wolfSSL	0:d92f9d21154c	767	return CaviumRsaPrivateKeyDecode(input, inOutIdx, key, inSz);
wolfSSL	0:d92f9d21154c	768	#endif
wolfSSL	0:d92f9d21154c	769
wolfSSL	0:d92f9d21154c	770	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	771	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	772
wolfSSL	0:d92f9d21154c	773	if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL	0:d92f9d21154c	774	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	775
wolfSSL	0:d92f9d21154c	776	key->type = RSA_PRIVATE;
wolfSSL	0:d92f9d21154c	777
wolfSSL	0:d92f9d21154c	778	if (GetInt(&key->n, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	779	GetInt(&key->e, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	780	GetInt(&key->d, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	781	GetInt(&key->p, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	782	GetInt(&key->q, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	783	GetInt(&key->dP, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	784	GetInt(&key->dQ, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	785	GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL	0:d92f9d21154c	786
wolfSSL	0:d92f9d21154c	787	return 0;
wolfSSL	0:d92f9d21154c	788	}
wolfSSL	0:d92f9d21154c	789
wolfSSL	0:d92f9d21154c	790	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	791
wolfSSL	0:d92f9d21154c	792	/* Remove PKCS8 header, move beginning of traditional to beginning of input */
wolfSSL	0:d92f9d21154c	793	int ToTraditional(byte* input, word32 sz)
wolfSSL	0:d92f9d21154c	794	{
wolfSSL	0:d92f9d21154c	795	word32 inOutIdx = 0, oid;
wolfSSL	0:d92f9d21154c	796	int version, length;
wolfSSL	0:d92f9d21154c	797
wolfSSL	0:d92f9d21154c	798	if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	799	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	800
wolfSSL	0:d92f9d21154c	801	if (GetMyVersion(input, &inOutIdx, &version) < 0)
wolfSSL	0:d92f9d21154c	802	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	803
wolfSSL	0:d92f9d21154c	804	if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	805	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	806
wolfSSL	0:d92f9d21154c	807	if (input[inOutIdx] == ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	808	/* pkcs8 ecc uses slightly different format */
wolfSSL	0:d92f9d21154c	809	inOutIdx++; /* past id */
wolfSSL	0:d92f9d21154c	810	if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	811	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	812	inOutIdx += length; /* over sub id, key input will verify */
wolfSSL	0:d92f9d21154c	813	}
wolfSSL	0:d92f9d21154c	814
wolfSSL	0:d92f9d21154c	815	if (input[inOutIdx++] != ASN_OCTET_STRING)
wolfSSL	0:d92f9d21154c	816	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	817
wolfSSL	0:d92f9d21154c	818	if (GetLength(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	819	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	820
wolfSSL	0:d92f9d21154c	821	XMEMMOVE(input, input + inOutIdx, length);
wolfSSL	0:d92f9d21154c	822
wolfSSL	0:d92f9d21154c	823	return length;
wolfSSL	0:d92f9d21154c	824	}
wolfSSL	0:d92f9d21154c	825
wolfSSL	0:d92f9d21154c	826
wolfSSL	0:d92f9d21154c	827	#ifndef NO_PWDBASED
wolfSSL	0:d92f9d21154c	828
wolfSSL	0:d92f9d21154c	829	/* Check To see if PKCS version algo is supported, set id if it is return 0
wolfSSL	0:d92f9d21154c	830	< 0 on error */
wolfSSL	0:d92f9d21154c	831	static int CheckAlgo(int first, int second, int* id, int* version)
wolfSSL	0:d92f9d21154c	832	{
wolfSSL	0:d92f9d21154c	833	*id = ALGO_ID_E;
wolfSSL	0:d92f9d21154c	834	version = PKCS5; / default */
wolfSSL	0:d92f9d21154c	835
wolfSSL	0:d92f9d21154c	836	if (first == 1) {
wolfSSL	0:d92f9d21154c	837	switch (second) {
wolfSSL	0:d92f9d21154c	838	case 1:
wolfSSL	0:d92f9d21154c	839	*id = PBE_SHA1_RC4_128;
wolfSSL	0:d92f9d21154c	840	*version = PKCS12;
wolfSSL	0:d92f9d21154c	841	return 0;
wolfSSL	0:d92f9d21154c	842	case 3:
wolfSSL	0:d92f9d21154c	843	*id = PBE_SHA1_DES3;
wolfSSL	0:d92f9d21154c	844	*version = PKCS12;
wolfSSL	0:d92f9d21154c	845	return 0;
wolfSSL	0:d92f9d21154c	846	default:
wolfSSL	0:d92f9d21154c	847	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	848	}
wolfSSL	0:d92f9d21154c	849	}
wolfSSL	0:d92f9d21154c	850
wolfSSL	0:d92f9d21154c	851	if (first != PKCS5)
wolfSSL	0:d92f9d21154c	852	return ASN_INPUT_E; /* VERSION ERROR */
wolfSSL	0:d92f9d21154c	853
wolfSSL	0:d92f9d21154c	854	if (second == PBES2) {
wolfSSL	0:d92f9d21154c	855	*version = PKCS5v2;
wolfSSL	0:d92f9d21154c	856	return 0;
wolfSSL	0:d92f9d21154c	857	}
wolfSSL	0:d92f9d21154c	858
wolfSSL	0:d92f9d21154c	859	switch (second) {
wolfSSL	0:d92f9d21154c	860	case 3: /* see RFC 2898 for ids */
wolfSSL	0:d92f9d21154c	861	*id = PBE_MD5_DES;
wolfSSL	0:d92f9d21154c	862	return 0;
wolfSSL	0:d92f9d21154c	863	case 10:
wolfSSL	0:d92f9d21154c	864	*id = PBE_SHA1_DES;
wolfSSL	0:d92f9d21154c	865	return 0;
wolfSSL	0:d92f9d21154c	866	default:
wolfSSL	0:d92f9d21154c	867	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	868
wolfSSL	0:d92f9d21154c	869	}
wolfSSL	0:d92f9d21154c	870	}
wolfSSL	0:d92f9d21154c	871
wolfSSL	0:d92f9d21154c	872
wolfSSL	0:d92f9d21154c	873	/* Check To see if PKCS v2 algo is supported, set id if it is return 0
wolfSSL	0:d92f9d21154c	874	< 0 on error */
wolfSSL	0:d92f9d21154c	875	static int CheckAlgoV2(int oid, int* id)
wolfSSL	0:d92f9d21154c	876	{
wolfSSL	0:d92f9d21154c	877	switch (oid) {
wolfSSL	0:d92f9d21154c	878	case 69:
wolfSSL	0:d92f9d21154c	879	*id = PBE_SHA1_DES;
wolfSSL	0:d92f9d21154c	880	return 0;
wolfSSL	0:d92f9d21154c	881	case 652:
wolfSSL	0:d92f9d21154c	882	*id = PBE_SHA1_DES3;
wolfSSL	0:d92f9d21154c	883	return 0;
wolfSSL	0:d92f9d21154c	884	default:
wolfSSL	0:d92f9d21154c	885	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	886
wolfSSL	0:d92f9d21154c	887	}
wolfSSL	0:d92f9d21154c	888	}
wolfSSL	0:d92f9d21154c	889
wolfSSL	0:d92f9d21154c	890
wolfSSL	0:d92f9d21154c	891	/* Decrypt intput in place from parameters based on id */
wolfSSL	0:d92f9d21154c	892	static int DecryptKey(const char* password, int passwordSz, byte* salt,
wolfSSL	0:d92f9d21154c	893	int saltSz, int iterations, int id, byte* input,
wolfSSL	0:d92f9d21154c	894	int length, int version, byte* cbcIv)
wolfSSL	0:d92f9d21154c	895	{
wolfSSL	0:d92f9d21154c	896	int typeH;
wolfSSL	0:d92f9d21154c	897	int derivedLen;
wolfSSL	0:d92f9d21154c	898	int decryptionType;
wolfSSL	0:d92f9d21154c	899	int ret = 0;
wolfSSL	0:d92f9d21154c	900	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	901	byte* key;
wolfSSL	0:d92f9d21154c	902	#else
wolfSSL	0:d92f9d21154c	903	byte key[MAX_KEY_SIZE];
wolfSSL	0:d92f9d21154c	904	#endif
wolfSSL	0:d92f9d21154c	905
wolfSSL	0:d92f9d21154c	906	switch (id) {
wolfSSL	0:d92f9d21154c	907	case PBE_MD5_DES:
wolfSSL	0:d92f9d21154c	908	typeH = MD5;
wolfSSL	0:d92f9d21154c	909	derivedLen = 16; /* may need iv for v1.5 */
wolfSSL	0:d92f9d21154c	910	decryptionType = DES_TYPE;
wolfSSL	0:d92f9d21154c	911	break;
wolfSSL	0:d92f9d21154c	912
wolfSSL	0:d92f9d21154c	913	case PBE_SHA1_DES:
wolfSSL	0:d92f9d21154c	914	typeH = SHA;
wolfSSL	0:d92f9d21154c	915	derivedLen = 16; /* may need iv for v1.5 */
wolfSSL	0:d92f9d21154c	916	decryptionType = DES_TYPE;
wolfSSL	0:d92f9d21154c	917	break;
wolfSSL	0:d92f9d21154c	918
wolfSSL	0:d92f9d21154c	919	case PBE_SHA1_DES3:
wolfSSL	0:d92f9d21154c	920	typeH = SHA;
wolfSSL	0:d92f9d21154c	921	derivedLen = 32; /* may need iv for v1.5 */
wolfSSL	0:d92f9d21154c	922	decryptionType = DES3_TYPE;
wolfSSL	0:d92f9d21154c	923	break;
wolfSSL	0:d92f9d21154c	924
wolfSSL	0:d92f9d21154c	925	case PBE_SHA1_RC4_128:
wolfSSL	0:d92f9d21154c	926	typeH = SHA;
wolfSSL	0:d92f9d21154c	927	derivedLen = 16;
wolfSSL	0:d92f9d21154c	928	decryptionType = RC4_TYPE;
wolfSSL	0:d92f9d21154c	929	break;
wolfSSL	0:d92f9d21154c	930
wolfSSL	0:d92f9d21154c	931	default:
wolfSSL	0:d92f9d21154c	932	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	933	}
wolfSSL	0:d92f9d21154c	934
wolfSSL	0:d92f9d21154c	935	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	936	key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	937	if (key == NULL)
wolfSSL	0:d92f9d21154c	938	return MEMORY_E;
wolfSSL	0:d92f9d21154c	939	#endif
wolfSSL	0:d92f9d21154c	940
wolfSSL	0:d92f9d21154c	941	if (version == PKCS5v2)
wolfSSL	0:d92f9d21154c	942	ret = wc_PBKDF2(key, (byte*)password, passwordSz, salt, saltSz, iterations,
wolfSSL	0:d92f9d21154c	943	derivedLen, typeH);
wolfSSL	0:d92f9d21154c	944	#ifndef NO_SHA
wolfSSL	0:d92f9d21154c	945	else if (version == PKCS5)
wolfSSL	0:d92f9d21154c	946	ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations,
wolfSSL	0:d92f9d21154c	947	derivedLen, typeH);
wolfSSL	0:d92f9d21154c	948	#endif
wolfSSL	0:d92f9d21154c	949	else if (version == PKCS12) {
wolfSSL	0:d92f9d21154c	950	int i, idx = 0;
wolfSSL	0:d92f9d21154c	951	byte unicodePasswd[MAX_UNICODE_SZ];
wolfSSL	0:d92f9d21154c	952
wolfSSL	0:d92f9d21154c	953	if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
wolfSSL	0:d92f9d21154c	954	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	955	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	956	#endif
wolfSSL	0:d92f9d21154c	957	return UNICODE_SIZE_E;
wolfSSL	0:d92f9d21154c	958	}
wolfSSL	0:d92f9d21154c	959
wolfSSL	0:d92f9d21154c	960	for (i = 0; i < passwordSz; i++) {
wolfSSL	0:d92f9d21154c	961	unicodePasswd[idx++] = 0x00;
wolfSSL	0:d92f9d21154c	962	unicodePasswd[idx++] = (byte)password[i];
wolfSSL	0:d92f9d21154c	963	}
wolfSSL	0:d92f9d21154c	964	/* add trailing NULL */
wolfSSL	0:d92f9d21154c	965	unicodePasswd[idx++] = 0x00;
wolfSSL	0:d92f9d21154c	966	unicodePasswd[idx++] = 0x00;
wolfSSL	0:d92f9d21154c	967
wolfSSL	0:d92f9d21154c	968	ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
wolfSSL	0:d92f9d21154c	969	iterations, derivedLen, typeH, 1);
wolfSSL	0:d92f9d21154c	970	if (decryptionType != RC4_TYPE)
wolfSSL	0:d92f9d21154c	971	ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
wolfSSL	0:d92f9d21154c	972	iterations, 8, typeH, 2);
wolfSSL	0:d92f9d21154c	973	}
wolfSSL	0:d92f9d21154c	974	else {
wolfSSL	0:d92f9d21154c	975	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	976	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	977	#endif
wolfSSL	0:d92f9d21154c	978	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	979	}
wolfSSL	0:d92f9d21154c	980
wolfSSL	0:d92f9d21154c	981	if (ret != 0) {
wolfSSL	0:d92f9d21154c	982	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	983	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	984	#endif
wolfSSL	0:d92f9d21154c	985	return ret;
wolfSSL	0:d92f9d21154c	986	}
wolfSSL	0:d92f9d21154c	987
wolfSSL	0:d92f9d21154c	988	switch (decryptionType) {
wolfSSL	0:d92f9d21154c	989	#ifndef NO_DES3
wolfSSL	0:d92f9d21154c	990	case DES_TYPE:
wolfSSL	0:d92f9d21154c	991	{
wolfSSL	0:d92f9d21154c	992	Des dec;
wolfSSL	0:d92f9d21154c	993	byte* desIv = key + 8;
wolfSSL	0:d92f9d21154c	994
wolfSSL	0:d92f9d21154c	995	if (version == PKCS5v2 \|\| version == PKCS12)
wolfSSL	0:d92f9d21154c	996	desIv = cbcIv;
wolfSSL	0:d92f9d21154c	997
wolfSSL	0:d92f9d21154c	998	ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL	0:d92f9d21154c	999	if (ret != 0) {
wolfSSL	0:d92f9d21154c	1000	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1001	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1002	#endif
wolfSSL	0:d92f9d21154c	1003	return ret;
wolfSSL	0:d92f9d21154c	1004	}
wolfSSL	0:d92f9d21154c	1005
wolfSSL	0:d92f9d21154c	1006	wc_Des_CbcDecrypt(&dec, input, input, length);
wolfSSL	0:d92f9d21154c	1007	break;
wolfSSL	0:d92f9d21154c	1008	}
wolfSSL	0:d92f9d21154c	1009
wolfSSL	0:d92f9d21154c	1010	case DES3_TYPE:
wolfSSL	0:d92f9d21154c	1011	{
wolfSSL	0:d92f9d21154c	1012	Des3 dec;
wolfSSL	0:d92f9d21154c	1013	byte* desIv = key + 24;
wolfSSL	0:d92f9d21154c	1014
wolfSSL	0:d92f9d21154c	1015	if (version == PKCS5v2 \|\| version == PKCS12)
wolfSSL	0:d92f9d21154c	1016	desIv = cbcIv;
wolfSSL	0:d92f9d21154c	1017	ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION);
wolfSSL	0:d92f9d21154c	1018	if (ret != 0) {
wolfSSL	0:d92f9d21154c	1019	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1020	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1021	#endif
wolfSSL	0:d92f9d21154c	1022	return ret;
wolfSSL	0:d92f9d21154c	1023	}
wolfSSL	0:d92f9d21154c	1024	ret = wc_Des3_CbcDecrypt(&dec, input, input, length);
wolfSSL	0:d92f9d21154c	1025	if (ret != 0) {
wolfSSL	0:d92f9d21154c	1026	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1027	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1028	#endif
wolfSSL	0:d92f9d21154c	1029	return ret;
wolfSSL	0:d92f9d21154c	1030	}
wolfSSL	0:d92f9d21154c	1031	break;
wolfSSL	0:d92f9d21154c	1032	}
wolfSSL	0:d92f9d21154c	1033	#endif
wolfSSL	0:d92f9d21154c	1034	#ifndef NO_RC4
wolfSSL	0:d92f9d21154c	1035	case RC4_TYPE:
wolfSSL	0:d92f9d21154c	1036	{
wolfSSL	0:d92f9d21154c	1037	Arc4 dec;
wolfSSL	0:d92f9d21154c	1038
wolfSSL	0:d92f9d21154c	1039	wc_Arc4SetKey(&dec, key, derivedLen);
wolfSSL	0:d92f9d21154c	1040	wc_Arc4Process(&dec, input, input, length);
wolfSSL	0:d92f9d21154c	1041	break;
wolfSSL	0:d92f9d21154c	1042	}
wolfSSL	0:d92f9d21154c	1043	#endif
wolfSSL	0:d92f9d21154c	1044
wolfSSL	0:d92f9d21154c	1045	default:
wolfSSL	0:d92f9d21154c	1046	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1047	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1048	#endif
wolfSSL	0:d92f9d21154c	1049	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	1050	}
wolfSSL	0:d92f9d21154c	1051
wolfSSL	0:d92f9d21154c	1052	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1053	XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1054	#endif
wolfSSL	0:d92f9d21154c	1055
wolfSSL	0:d92f9d21154c	1056	return 0;
wolfSSL	0:d92f9d21154c	1057	}
wolfSSL	0:d92f9d21154c	1058
wolfSSL	0:d92f9d21154c	1059
wolfSSL	0:d92f9d21154c	1060	/* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
wolfSSL	0:d92f9d21154c	1061	of input */
wolfSSL	0:d92f9d21154c	1062	int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
wolfSSL	0:d92f9d21154c	1063	{
wolfSSL	0:d92f9d21154c	1064	word32 inOutIdx = 0, oid;
wolfSSL	0:d92f9d21154c	1065	int first, second, length, version, saltSz, id;
wolfSSL	0:d92f9d21154c	1066	int iterations = 0;
wolfSSL	0:d92f9d21154c	1067	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1068	byte* salt = NULL;
wolfSSL	0:d92f9d21154c	1069	byte* cbcIv = NULL;
wolfSSL	0:d92f9d21154c	1070	#else
wolfSSL	0:d92f9d21154c	1071	byte salt[MAX_SALT_SIZE];
wolfSSL	0:d92f9d21154c	1072	byte cbcIv[MAX_IV_SIZE];
wolfSSL	0:d92f9d21154c	1073	#endif
wolfSSL	0:d92f9d21154c	1074
wolfSSL	0:d92f9d21154c	1075	if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	1076	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1077
wolfSSL	0:d92f9d21154c	1078	if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	1079	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1080
wolfSSL	0:d92f9d21154c	1081	first = input[inOutIdx - 2]; /* PKCS version alwyas 2nd to last byte */
wolfSSL	0:d92f9d21154c	1082	second = input[inOutIdx - 1]; /* version.algo, algo id last byte */
wolfSSL	0:d92f9d21154c	1083
wolfSSL	0:d92f9d21154c	1084	if (CheckAlgo(first, second, &id, &version) < 0)
wolfSSL	0:d92f9d21154c	1085	return ASN_INPUT_E; /* Algo ID error */
wolfSSL	0:d92f9d21154c	1086
wolfSSL	0:d92f9d21154c	1087	if (version == PKCS5v2) {
wolfSSL	0:d92f9d21154c	1088
wolfSSL	0:d92f9d21154c	1089	if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	1090	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1091
wolfSSL	0:d92f9d21154c	1092	if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	1093	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1094
wolfSSL	0:d92f9d21154c	1095	if (oid != PBKDF2_OID)
wolfSSL	0:d92f9d21154c	1096	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1097	}
wolfSSL	0:d92f9d21154c	1098
wolfSSL	0:d92f9d21154c	1099	if (GetSequence(input, &inOutIdx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	1100	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1101
wolfSSL	0:d92f9d21154c	1102	if (input[inOutIdx++] != ASN_OCTET_STRING)
wolfSSL	0:d92f9d21154c	1103	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1104
wolfSSL	0:d92f9d21154c	1105	if (GetLength(input, &inOutIdx, &saltSz, sz) < 0)
wolfSSL	0:d92f9d21154c	1106	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1107
wolfSSL	0:d92f9d21154c	1108	if (saltSz > MAX_SALT_SIZE)
wolfSSL	0:d92f9d21154c	1109	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1110
wolfSSL	0:d92f9d21154c	1111	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1112	salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1113	if (salt == NULL)
wolfSSL	0:d92f9d21154c	1114	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1115	#endif
wolfSSL	0:d92f9d21154c	1116
wolfSSL	0:d92f9d21154c	1117	XMEMCPY(salt, &input[inOutIdx], saltSz);
wolfSSL	0:d92f9d21154c	1118	inOutIdx += saltSz;
wolfSSL	0:d92f9d21154c	1119
wolfSSL	0:d92f9d21154c	1120	if (GetShortInt(input, &inOutIdx, &iterations) < 0) {
wolfSSL	0:d92f9d21154c	1121	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1122	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1123	#endif
wolfSSL	0:d92f9d21154c	1124	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1125	}
wolfSSL	0:d92f9d21154c	1126
wolfSSL	0:d92f9d21154c	1127	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1128	cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1129	if (cbcIv == NULL) {
wolfSSL	0:d92f9d21154c	1130	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1131	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1132	}
wolfSSL	0:d92f9d21154c	1133	#endif
wolfSSL	0:d92f9d21154c	1134
wolfSSL	0:d92f9d21154c	1135	if (version == PKCS5v2) {
wolfSSL	0:d92f9d21154c	1136	/* get encryption algo */
wolfSSL	0:d92f9d21154c	1137	if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) {
wolfSSL	0:d92f9d21154c	1138	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1139	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1140	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1141	#endif
wolfSSL	0:d92f9d21154c	1142	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1143	}
wolfSSL	0:d92f9d21154c	1144
wolfSSL	0:d92f9d21154c	1145	if (CheckAlgoV2(oid, &id) < 0) {
wolfSSL	0:d92f9d21154c	1146	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1147	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1148	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1149	#endif
wolfSSL	0:d92f9d21154c	1150	return ASN_PARSE_E; /* PKCS v2 algo id error */
wolfSSL	0:d92f9d21154c	1151	}
wolfSSL	0:d92f9d21154c	1152
wolfSSL	0:d92f9d21154c	1153	if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	1154	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1155	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1156	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1157	#endif
wolfSSL	0:d92f9d21154c	1158	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1159	}
wolfSSL	0:d92f9d21154c	1160
wolfSSL	0:d92f9d21154c	1161	if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	1162	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1163	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1164	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1165	#endif
wolfSSL	0:d92f9d21154c	1166	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1167	}
wolfSSL	0:d92f9d21154c	1168
wolfSSL	0:d92f9d21154c	1169	XMEMCPY(cbcIv, &input[inOutIdx], length);
wolfSSL	0:d92f9d21154c	1170	inOutIdx += length;
wolfSSL	0:d92f9d21154c	1171	}
wolfSSL	0:d92f9d21154c	1172
wolfSSL	0:d92f9d21154c	1173	if (input[inOutIdx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	1174	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1175	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1176	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1177	#endif
wolfSSL	0:d92f9d21154c	1178	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1179	}
wolfSSL	0:d92f9d21154c	1180
wolfSSL	0:d92f9d21154c	1181	if (GetLength(input, &inOutIdx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	1182	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1183	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1184	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1185	#endif
wolfSSL	0:d92f9d21154c	1186	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1187	}
wolfSSL	0:d92f9d21154c	1188
wolfSSL	0:d92f9d21154c	1189	if (DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
wolfSSL	0:d92f9d21154c	1190	input + inOutIdx, length, version, cbcIv) < 0) {
wolfSSL	0:d92f9d21154c	1191	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1192	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1193	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1194	#endif
wolfSSL	0:d92f9d21154c	1195	return ASN_INPUT_E; /* decrypt failure */
wolfSSL	0:d92f9d21154c	1196	}
wolfSSL	0:d92f9d21154c	1197
wolfSSL	0:d92f9d21154c	1198	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1199	XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1200	XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1201	#endif
wolfSSL	0:d92f9d21154c	1202
wolfSSL	0:d92f9d21154c	1203	XMEMMOVE(input, input + inOutIdx, length);
wolfSSL	0:d92f9d21154c	1204	return ToTraditional(input, length);
wolfSSL	0:d92f9d21154c	1205	}
wolfSSL	0:d92f9d21154c	1206
wolfSSL	0:d92f9d21154c	1207	#endif /* NO_PWDBASED */
wolfSSL	0:d92f9d21154c	1208
wolfSSL	0:d92f9d21154c	1209	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	1210
wolfSSL	0:d92f9d21154c	1211	int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
wolfSSL	0:d92f9d21154c	1212	word32 inSz)
wolfSSL	0:d92f9d21154c	1213	{
wolfSSL	0:d92f9d21154c	1214	int length;
wolfSSL	0:d92f9d21154c	1215
wolfSSL	0:d92f9d21154c	1216	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1217	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1218
wolfSSL	0:d92f9d21154c	1219	key->type = RSA_PUBLIC;
wolfSSL	0:d92f9d21154c	1220
wolfSSL	0:d92f9d21154c	1221	#if defined(OPENSSL_EXTRA) \|\| defined(RSA_DECODE_EXTRA)
wolfSSL	0:d92f9d21154c	1222	{
wolfSSL	0:d92f9d21154c	1223	byte b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	1224	if (b != ASN_INTEGER) {
wolfSSL	0:d92f9d21154c	1225	/* not from decoded cert, will have algo id, skip past */
wolfSSL	0:d92f9d21154c	1226	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1227	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1228
wolfSSL	0:d92f9d21154c	1229	b = input[(*inOutIdx)++];
wolfSSL	0:d92f9d21154c	1230	if (b != ASN_OBJECT_ID)
wolfSSL	0:d92f9d21154c	1231	return ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	1232
wolfSSL	0:d92f9d21154c	1233	if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1234	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1235
wolfSSL	0:d92f9d21154c	1236	inOutIdx += length; / skip past */
wolfSSL	0:d92f9d21154c	1237
wolfSSL	0:d92f9d21154c	1238	/* could have NULL tag and 0 terminator, but may not */
wolfSSL	0:d92f9d21154c	1239	b = input[(*inOutIdx)++];
wolfSSL	0:d92f9d21154c	1240
wolfSSL	0:d92f9d21154c	1241	if (b == ASN_TAG_NULL) {
wolfSSL	0:d92f9d21154c	1242	b = input[(*inOutIdx)++];
wolfSSL	0:d92f9d21154c	1243	if (b != 0)
wolfSSL	0:d92f9d21154c	1244	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	1245	}
wolfSSL	0:d92f9d21154c	1246	else
wolfSSL	0:d92f9d21154c	1247	/* go back, didn't have it */
wolfSSL	0:d92f9d21154c	1248	(*inOutIdx)--;
wolfSSL	0:d92f9d21154c	1249
wolfSSL	0:d92f9d21154c	1250	/* should have bit tag length and seq next */
wolfSSL	0:d92f9d21154c	1251	b = input[(*inOutIdx)++];
wolfSSL	0:d92f9d21154c	1252	if (b != ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	1253	return ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	1254
wolfSSL	0:d92f9d21154c	1255	if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1256	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1257
wolfSSL	0:d92f9d21154c	1258	/* could have 0 */
wolfSSL	0:d92f9d21154c	1259	b = input[(*inOutIdx)++];
wolfSSL	0:d92f9d21154c	1260	if (b != 0)
wolfSSL	0:d92f9d21154c	1261	(*inOutIdx)--;
wolfSSL	0:d92f9d21154c	1262
wolfSSL	0:d92f9d21154c	1263	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1264	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1265	} /* end if */
wolfSSL	0:d92f9d21154c	1266	} /* openssl var block */
wolfSSL	0:d92f9d21154c	1267	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1268
wolfSSL	0:d92f9d21154c	1269	if (GetInt(&key->n, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1270	GetInt(&key->e, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E;
wolfSSL	0:d92f9d21154c	1271
wolfSSL	0:d92f9d21154c	1272	return 0;
wolfSSL	0:d92f9d21154c	1273	}
wolfSSL	0:d92f9d21154c	1274
wolfSSL	0:d92f9d21154c	1275	/* import RSA public key elements (n, e) into RsaKey structure (key) */
wolfSSL	0:d92f9d21154c	1276	int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
wolfSSL	0:d92f9d21154c	1277	word32 eSz, RsaKey* key)
wolfSSL	0:d92f9d21154c	1278	{
wolfSSL	0:d92f9d21154c	1279	if (n == NULL \|\| e == NULL \|\| key == NULL)
wolfSSL	0:d92f9d21154c	1280	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	1281
wolfSSL	0:d92f9d21154c	1282	key->type = RSA_PUBLIC;
wolfSSL	0:d92f9d21154c	1283
wolfSSL	0:d92f9d21154c	1284	if (mp_init(&key->n) != MP_OKAY)
wolfSSL	0:d92f9d21154c	1285	return MP_INIT_E;
wolfSSL	0:d92f9d21154c	1286
wolfSSL	0:d92f9d21154c	1287	if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) {
wolfSSL	0:d92f9d21154c	1288	mp_clear(&key->n);
wolfSSL	0:d92f9d21154c	1289	return ASN_GETINT_E;
wolfSSL	0:d92f9d21154c	1290	}
wolfSSL	0:d92f9d21154c	1291
wolfSSL	0:d92f9d21154c	1292	if (mp_init(&key->e) != MP_OKAY) {
wolfSSL	0:d92f9d21154c	1293	mp_clear(&key->n);
wolfSSL	0:d92f9d21154c	1294	return MP_INIT_E;
wolfSSL	0:d92f9d21154c	1295	}
wolfSSL	0:d92f9d21154c	1296
wolfSSL	0:d92f9d21154c	1297	if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) {
wolfSSL	0:d92f9d21154c	1298	mp_clear(&key->n);
wolfSSL	0:d92f9d21154c	1299	mp_clear(&key->e);
wolfSSL	0:d92f9d21154c	1300	return ASN_GETINT_E;
wolfSSL	0:d92f9d21154c	1301	}
wolfSSL	0:d92f9d21154c	1302
wolfSSL	0:d92f9d21154c	1303	return 0;
wolfSSL	0:d92f9d21154c	1304	}
wolfSSL	0:d92f9d21154c	1305
wolfSSL	0:d92f9d21154c	1306	#endif
wolfSSL	0:d92f9d21154c	1307
wolfSSL	0:d92f9d21154c	1308	#ifndef NO_DH
wolfSSL	0:d92f9d21154c	1309
wolfSSL	0:d92f9d21154c	1310	int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
wolfSSL	0:d92f9d21154c	1311	{
wolfSSL	0:d92f9d21154c	1312	int length;
wolfSSL	0:d92f9d21154c	1313
wolfSSL	0:d92f9d21154c	1314	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1315	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1316
wolfSSL	0:d92f9d21154c	1317	if (GetInt(&key->p, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1318	GetInt(&key->g, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E;
wolfSSL	0:d92f9d21154c	1319
wolfSSL	0:d92f9d21154c	1320	return 0;
wolfSSL	0:d92f9d21154c	1321	}
wolfSSL	0:d92f9d21154c	1322
wolfSSL	0:d92f9d21154c	1323
wolfSSL	0:d92f9d21154c	1324	int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
wolfSSL	0:d92f9d21154c	1325	byte* g, word32* gInOutSz)
wolfSSL	0:d92f9d21154c	1326	{
wolfSSL	0:d92f9d21154c	1327	word32 i = 0;
wolfSSL	0:d92f9d21154c	1328	byte b;
wolfSSL	0:d92f9d21154c	1329	int length;
wolfSSL	0:d92f9d21154c	1330
wolfSSL	0:d92f9d21154c	1331	if (GetSequence(input, &i, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1332	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1333
wolfSSL	0:d92f9d21154c	1334	b = input[i++];
wolfSSL	0:d92f9d21154c	1335	if (b != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	1336	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1337
wolfSSL	0:d92f9d21154c	1338	if (GetLength(input, &i, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1339	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1340
wolfSSL	0:d92f9d21154c	1341	if ( (b = input[i++]) == 0x00)
wolfSSL	0:d92f9d21154c	1342	length--;
wolfSSL	0:d92f9d21154c	1343	else
wolfSSL	0:d92f9d21154c	1344	i--;
wolfSSL	0:d92f9d21154c	1345
wolfSSL	0:d92f9d21154c	1346	if (length <= (int)*pInOutSz) {
wolfSSL	0:d92f9d21154c	1347	XMEMCPY(p, &input[i], length);
wolfSSL	0:d92f9d21154c	1348	*pInOutSz = length;
wolfSSL	0:d92f9d21154c	1349	}
wolfSSL	0:d92f9d21154c	1350	else
wolfSSL	0:d92f9d21154c	1351	return BUFFER_E;
wolfSSL	0:d92f9d21154c	1352
wolfSSL	0:d92f9d21154c	1353	i += length;
wolfSSL	0:d92f9d21154c	1354
wolfSSL	0:d92f9d21154c	1355	b = input[i++];
wolfSSL	0:d92f9d21154c	1356	if (b != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	1357	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1358
wolfSSL	0:d92f9d21154c	1359	if (GetLength(input, &i, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1360	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1361
wolfSSL	0:d92f9d21154c	1362	if (length <= (int)*gInOutSz) {
wolfSSL	0:d92f9d21154c	1363	XMEMCPY(g, &input[i], length);
wolfSSL	0:d92f9d21154c	1364	*gInOutSz = length;
wolfSSL	0:d92f9d21154c	1365	}
wolfSSL	0:d92f9d21154c	1366	else
wolfSSL	0:d92f9d21154c	1367	return BUFFER_E;
wolfSSL	0:d92f9d21154c	1368
wolfSSL	0:d92f9d21154c	1369	return 0;
wolfSSL	0:d92f9d21154c	1370	}
wolfSSL	0:d92f9d21154c	1371
wolfSSL	0:d92f9d21154c	1372	#endif /* NO_DH */
wolfSSL	0:d92f9d21154c	1373
wolfSSL	0:d92f9d21154c	1374
wolfSSL	0:d92f9d21154c	1375	#ifndef NO_DSA
wolfSSL	0:d92f9d21154c	1376
wolfSSL	0:d92f9d21154c	1377	int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL	0:d92f9d21154c	1378	word32 inSz)
wolfSSL	0:d92f9d21154c	1379	{
wolfSSL	0:d92f9d21154c	1380	int length;
wolfSSL	0:d92f9d21154c	1381
wolfSSL	0:d92f9d21154c	1382	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1383	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1384
wolfSSL	0:d92f9d21154c	1385	if (GetInt(&key->p, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1386	GetInt(&key->q, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1387	GetInt(&key->g, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1388	GetInt(&key->y, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E;
wolfSSL	0:d92f9d21154c	1389
wolfSSL	0:d92f9d21154c	1390	key->type = DSA_PUBLIC;
wolfSSL	0:d92f9d21154c	1391	return 0;
wolfSSL	0:d92f9d21154c	1392	}
wolfSSL	0:d92f9d21154c	1393
wolfSSL	0:d92f9d21154c	1394
wolfSSL	0:d92f9d21154c	1395	int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
wolfSSL	0:d92f9d21154c	1396	word32 inSz)
wolfSSL	0:d92f9d21154c	1397	{
wolfSSL	0:d92f9d21154c	1398	int length, version;
wolfSSL	0:d92f9d21154c	1399
wolfSSL	0:d92f9d21154c	1400	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	1401	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1402
wolfSSL	0:d92f9d21154c	1403	if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL	0:d92f9d21154c	1404	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1405
wolfSSL	0:d92f9d21154c	1406	if (GetInt(&key->p, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1407	GetInt(&key->q, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1408	GetInt(&key->g, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1409	GetInt(&key->y, input, inOutIdx, inSz) < 0 \|\|
wolfSSL	0:d92f9d21154c	1410	GetInt(&key->x, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E;
wolfSSL	0:d92f9d21154c	1411
wolfSSL	0:d92f9d21154c	1412	key->type = DSA_PRIVATE;
wolfSSL	0:d92f9d21154c	1413	return 0;
wolfSSL	0:d92f9d21154c	1414	}
wolfSSL	0:d92f9d21154c	1415
wolfSSL	0:d92f9d21154c	1416	#endif /* NO_DSA */
wolfSSL	0:d92f9d21154c	1417
wolfSSL	0:d92f9d21154c	1418
wolfSSL	0:d92f9d21154c	1419	void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
wolfSSL	0:d92f9d21154c	1420	{
wolfSSL	0:d92f9d21154c	1421	cert->publicKey = 0;
wolfSSL	0:d92f9d21154c	1422	cert->pubKeySize = 0;
wolfSSL	0:d92f9d21154c	1423	cert->pubKeyStored = 0;
wolfSSL	0:d92f9d21154c	1424	cert->version = 0;
wolfSSL	0:d92f9d21154c	1425	cert->signature = 0;
wolfSSL	0:d92f9d21154c	1426	cert->subjectCN = 0;
wolfSSL	0:d92f9d21154c	1427	cert->subjectCNLen = 0;
wolfSSL	0:d92f9d21154c	1428	cert->subjectCNEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1429	cert->subjectCNStored = 0;
wolfSSL	0:d92f9d21154c	1430	cert->weOwnAltNames = 0;
wolfSSL	0:d92f9d21154c	1431	cert->altNames = NULL;
wolfSSL	0:d92f9d21154c	1432	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	1433	cert->altEmailNames = NULL;
wolfSSL	0:d92f9d21154c	1434	cert->permittedNames = NULL;
wolfSSL	0:d92f9d21154c	1435	cert->excludedNames = NULL;
wolfSSL	0:d92f9d21154c	1436	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	1437	cert->issuer[0] = '\0';
wolfSSL	0:d92f9d21154c	1438	cert->subject[0] = '\0';
wolfSSL	0:d92f9d21154c	1439	cert->source = source; /* don't own */
wolfSSL	0:d92f9d21154c	1440	cert->srcIdx = 0;
wolfSSL	0:d92f9d21154c	1441	cert->maxIdx = inSz; /* can't go over this index */
wolfSSL	0:d92f9d21154c	1442	cert->heap = heap;
wolfSSL	0:d92f9d21154c	1443	XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE);
wolfSSL	0:d92f9d21154c	1444	cert->serialSz = 0;
wolfSSL	0:d92f9d21154c	1445	cert->extensions = 0;
wolfSSL	0:d92f9d21154c	1446	cert->extensionsSz = 0;
wolfSSL	0:d92f9d21154c	1447	cert->extensionsIdx = 0;
wolfSSL	0:d92f9d21154c	1448	cert->extAuthInfo = NULL;
wolfSSL	0:d92f9d21154c	1449	cert->extAuthInfoSz = 0;
wolfSSL	0:d92f9d21154c	1450	cert->extCrlInfo = NULL;
wolfSSL	0:d92f9d21154c	1451	cert->extCrlInfoSz = 0;
wolfSSL	0:d92f9d21154c	1452	XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE);
wolfSSL	0:d92f9d21154c	1453	cert->extSubjKeyIdSet = 0;
wolfSSL	0:d92f9d21154c	1454	XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE);
wolfSSL	0:d92f9d21154c	1455	cert->extAuthKeyIdSet = 0;
wolfSSL	0:d92f9d21154c	1456	cert->extKeyUsageSet = 0;
wolfSSL	0:d92f9d21154c	1457	cert->extKeyUsage = 0;
wolfSSL	0:d92f9d21154c	1458	cert->extExtKeyUsageSet = 0;
wolfSSL	0:d92f9d21154c	1459	cert->extExtKeyUsage = 0;
wolfSSL	0:d92f9d21154c	1460	cert->isCA = 0;
wolfSSL	0:d92f9d21154c	1461	#ifdef HAVE_PKCS7
wolfSSL	0:d92f9d21154c	1462	cert->issuerRaw = NULL;
wolfSSL	0:d92f9d21154c	1463	cert->issuerRawLen = 0;
wolfSSL	0:d92f9d21154c	1464	#endif
wolfSSL	0:d92f9d21154c	1465	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	1466	cert->subjectSN = 0;
wolfSSL	0:d92f9d21154c	1467	cert->subjectSNLen = 0;
wolfSSL	0:d92f9d21154c	1468	cert->subjectSNEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1469	cert->subjectC = 0;
wolfSSL	0:d92f9d21154c	1470	cert->subjectCLen = 0;
wolfSSL	0:d92f9d21154c	1471	cert->subjectCEnc = CTC_PRINTABLE;
wolfSSL	0:d92f9d21154c	1472	cert->subjectL = 0;
wolfSSL	0:d92f9d21154c	1473	cert->subjectLLen = 0;
wolfSSL	0:d92f9d21154c	1474	cert->subjectLEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1475	cert->subjectST = 0;
wolfSSL	0:d92f9d21154c	1476	cert->subjectSTLen = 0;
wolfSSL	0:d92f9d21154c	1477	cert->subjectSTEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1478	cert->subjectO = 0;
wolfSSL	0:d92f9d21154c	1479	cert->subjectOLen = 0;
wolfSSL	0:d92f9d21154c	1480	cert->subjectOEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1481	cert->subjectOU = 0;
wolfSSL	0:d92f9d21154c	1482	cert->subjectOULen = 0;
wolfSSL	0:d92f9d21154c	1483	cert->subjectOUEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	1484	cert->subjectEmail = 0;
wolfSSL	0:d92f9d21154c	1485	cert->subjectEmailLen = 0;
wolfSSL	0:d92f9d21154c	1486	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	1487	cert->beforeDate = NULL;
wolfSSL	0:d92f9d21154c	1488	cert->beforeDateLen = 0;
wolfSSL	0:d92f9d21154c	1489	cert->afterDate = NULL;
wolfSSL	0:d92f9d21154c	1490	cert->afterDateLen = 0;
wolfSSL	0:d92f9d21154c	1491	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1492	XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
wolfSSL	0:d92f9d21154c	1493	XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
wolfSSL	0:d92f9d21154c	1494	cert->extBasicConstSet = 0;
wolfSSL	0:d92f9d21154c	1495	cert->extBasicConstCrit = 0;
wolfSSL	0:d92f9d21154c	1496	cert->extBasicConstPlSet = 0;
wolfSSL	0:d92f9d21154c	1497	cert->pathLength = 0;
wolfSSL	0:d92f9d21154c	1498	cert->extSubjAltNameSet = 0;
wolfSSL	0:d92f9d21154c	1499	cert->extSubjAltNameCrit = 0;
wolfSSL	0:d92f9d21154c	1500	cert->extAuthKeyIdCrit = 0;
wolfSSL	0:d92f9d21154c	1501	cert->extSubjKeyIdCrit = 0;
wolfSSL	0:d92f9d21154c	1502	cert->extKeyUsageCrit = 0;
wolfSSL	0:d92f9d21154c	1503	cert->extExtKeyUsageCrit = 0;
wolfSSL	0:d92f9d21154c	1504	cert->extExtKeyUsageSrc = NULL;
wolfSSL	0:d92f9d21154c	1505	cert->extExtKeyUsageSz = 0;
wolfSSL	0:d92f9d21154c	1506	cert->extExtKeyUsageCount = 0;
wolfSSL	0:d92f9d21154c	1507	cert->extAuthKeyIdSrc = NULL;
wolfSSL	0:d92f9d21154c	1508	cert->extAuthKeyIdSz = 0;
wolfSSL	0:d92f9d21154c	1509	cert->extSubjKeyIdSrc = NULL;
wolfSSL	0:d92f9d21154c	1510	cert->extSubjKeyIdSz = 0;
wolfSSL	0:d92f9d21154c	1511	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1512	#if defined(OPENSSL_EXTRA) \|\| !defined(IGNORE_NAME_CONSTRAINTS)
wolfSSL	0:d92f9d21154c	1513	cert->extNameConstraintSet = 0;
wolfSSL	0:d92f9d21154c	1514	#endif /* OPENSSL_EXTRA \|\| !IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	1515	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	1516	cert->pkCurveOID = 0;
wolfSSL	0:d92f9d21154c	1517	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	1518	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	1519	cert->deviceTypeSz = 0;
wolfSSL	0:d92f9d21154c	1520	cert->deviceType = NULL;
wolfSSL	0:d92f9d21154c	1521	cert->hwTypeSz = 0;
wolfSSL	0:d92f9d21154c	1522	cert->hwType = NULL;
wolfSSL	0:d92f9d21154c	1523	cert->hwSerialNumSz = 0;
wolfSSL	0:d92f9d21154c	1524	cert->hwSerialNum = NULL;
wolfSSL	0:d92f9d21154c	1525	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1526	cert->extCertPolicySet = 0;
wolfSSL	0:d92f9d21154c	1527	cert->extCertPolicyCrit = 0;
wolfSSL	0:d92f9d21154c	1528	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1529	#endif /* WOLFSSL_SEP */
wolfSSL	0:d92f9d21154c	1530	}
wolfSSL	0:d92f9d21154c	1531
wolfSSL	0:d92f9d21154c	1532
wolfSSL	0:d92f9d21154c	1533	void FreeAltNames(DNS_entry* altNames, void* heap)
wolfSSL	0:d92f9d21154c	1534	{
wolfSSL	0:d92f9d21154c	1535	(void)heap;
wolfSSL	0:d92f9d21154c	1536
wolfSSL	0:d92f9d21154c	1537	while (altNames) {
wolfSSL	0:d92f9d21154c	1538	DNS_entry* tmp = altNames->next;
wolfSSL	0:d92f9d21154c	1539
wolfSSL	0:d92f9d21154c	1540	XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	1541	XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	1542	altNames = tmp;
wolfSSL	0:d92f9d21154c	1543	}
wolfSSL	0:d92f9d21154c	1544	}
wolfSSL	0:d92f9d21154c	1545
wolfSSL	0:d92f9d21154c	1546	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	1547
wolfSSL	0:d92f9d21154c	1548	void FreeNameSubtrees(Base_entry* names, void* heap)
wolfSSL	0:d92f9d21154c	1549	{
wolfSSL	0:d92f9d21154c	1550	(void)heap;
wolfSSL	0:d92f9d21154c	1551
wolfSSL	0:d92f9d21154c	1552	while (names) {
wolfSSL	0:d92f9d21154c	1553	Base_entry* tmp = names->next;
wolfSSL	0:d92f9d21154c	1554
wolfSSL	0:d92f9d21154c	1555	XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	1556	XFREE(names, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	1557	names = tmp;
wolfSSL	0:d92f9d21154c	1558	}
wolfSSL	0:d92f9d21154c	1559	}
wolfSSL	0:d92f9d21154c	1560
wolfSSL	0:d92f9d21154c	1561	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	1562
wolfSSL	0:d92f9d21154c	1563	void FreeDecodedCert(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	1564	{
wolfSSL	0:d92f9d21154c	1565	if (cert->subjectCNStored == 1)
wolfSSL	0:d92f9d21154c	1566	XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL	0:d92f9d21154c	1567	if (cert->pubKeyStored == 1)
wolfSSL	0:d92f9d21154c	1568	XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL	0:d92f9d21154c	1569	if (cert->weOwnAltNames && cert->altNames)
wolfSSL	0:d92f9d21154c	1570	FreeAltNames(cert->altNames, cert->heap);
wolfSSL	0:d92f9d21154c	1571	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	1572	if (cert->altEmailNames)
wolfSSL	0:d92f9d21154c	1573	FreeAltNames(cert->altEmailNames, cert->heap);
wolfSSL	0:d92f9d21154c	1574	if (cert->permittedNames)
wolfSSL	0:d92f9d21154c	1575	FreeNameSubtrees(cert->permittedNames, cert->heap);
wolfSSL	0:d92f9d21154c	1576	if (cert->excludedNames)
wolfSSL	0:d92f9d21154c	1577	FreeNameSubtrees(cert->excludedNames, cert->heap);
wolfSSL	0:d92f9d21154c	1578	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	1579	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	1580	XFREE(cert->deviceType, cert->heap, 0);
wolfSSL	0:d92f9d21154c	1581	XFREE(cert->hwType, cert->heap, 0);
wolfSSL	0:d92f9d21154c	1582	XFREE(cert->hwSerialNum, cert->heap, 0);
wolfSSL	0:d92f9d21154c	1583	#endif /* WOLFSSL_SEP */
wolfSSL	0:d92f9d21154c	1584	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1585	if (cert->issuerName.fullName != NULL)
wolfSSL	0:d92f9d21154c	1586	XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509);
wolfSSL	0:d92f9d21154c	1587	if (cert->subjectName.fullName != NULL)
wolfSSL	0:d92f9d21154c	1588	XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509);
wolfSSL	0:d92f9d21154c	1589	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1590	}
wolfSSL	0:d92f9d21154c	1591
wolfSSL	0:d92f9d21154c	1592
wolfSSL	0:d92f9d21154c	1593	static int GetCertHeader(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	1594	{
wolfSSL	0:d92f9d21154c	1595	int ret = 0, len;
wolfSSL	0:d92f9d21154c	1596	byte serialTmp[EXTERNAL_SERIAL_SIZE];
wolfSSL	0:d92f9d21154c	1597	#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL	0:d92f9d21154c	1598	mp_int* mpi = NULL;
wolfSSL	0:d92f9d21154c	1599	#else
wolfSSL	0:d92f9d21154c	1600	mp_int stack_mpi;
wolfSSL	0:d92f9d21154c	1601	mp_int* mpi = &stack_mpi;
wolfSSL	0:d92f9d21154c	1602	#endif
wolfSSL	0:d92f9d21154c	1603
wolfSSL	0:d92f9d21154c	1604	if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1605	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1606
wolfSSL	0:d92f9d21154c	1607	cert->certBegin = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1608
wolfSSL	0:d92f9d21154c	1609	if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1610	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1611	cert->sigIndex = len + cert->srcIdx;
wolfSSL	0:d92f9d21154c	1612
wolfSSL	0:d92f9d21154c	1613	if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0)
wolfSSL	0:d92f9d21154c	1614	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1615
wolfSSL	0:d92f9d21154c	1616	#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL	0:d92f9d21154c	1617	mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1618	if (mpi == NULL)
wolfSSL	0:d92f9d21154c	1619	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1620	#endif
wolfSSL	0:d92f9d21154c	1621
wolfSSL	0:d92f9d21154c	1622	if (GetInt(mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	1623	#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL	0:d92f9d21154c	1624	XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1625	#endif
wolfSSL	0:d92f9d21154c	1626	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1627	}
wolfSSL	0:d92f9d21154c	1628
wolfSSL	0:d92f9d21154c	1629	len = mp_unsigned_bin_size(mpi);
wolfSSL	0:d92f9d21154c	1630	if (len < (int)sizeof(serialTmp)) {
wolfSSL	0:d92f9d21154c	1631	if ( (ret = mp_to_unsigned_bin(mpi, serialTmp)) == MP_OKAY) {
wolfSSL	0:d92f9d21154c	1632	XMEMCPY(cert->serial, serialTmp, len);
wolfSSL	0:d92f9d21154c	1633	cert->serialSz = len;
wolfSSL	0:d92f9d21154c	1634	}
wolfSSL	0:d92f9d21154c	1635	}
wolfSSL	0:d92f9d21154c	1636	mp_clear(mpi);
wolfSSL	0:d92f9d21154c	1637
wolfSSL	0:d92f9d21154c	1638	#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
wolfSSL	0:d92f9d21154c	1639	XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1640	#endif
wolfSSL	0:d92f9d21154c	1641
wolfSSL	0:d92f9d21154c	1642	return ret;
wolfSSL	0:d92f9d21154c	1643	}
wolfSSL	0:d92f9d21154c	1644
wolfSSL	0:d92f9d21154c	1645	#if !defined(NO_RSA)
wolfSSL	0:d92f9d21154c	1646	/* Store Rsa Key, may save later, Dsa could use in future */
wolfSSL	0:d92f9d21154c	1647	static int StoreRsaKey(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	1648	{
wolfSSL	0:d92f9d21154c	1649	int length;
wolfSSL	0:d92f9d21154c	1650	word32 recvd = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1651
wolfSSL	0:d92f9d21154c	1652	if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1653	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1654
wolfSSL	0:d92f9d21154c	1655	recvd = cert->srcIdx - recvd;
wolfSSL	0:d92f9d21154c	1656	length += recvd;
wolfSSL	0:d92f9d21154c	1657
wolfSSL	0:d92f9d21154c	1658	while (recvd--)
wolfSSL	0:d92f9d21154c	1659	cert->srcIdx--;
wolfSSL	0:d92f9d21154c	1660
wolfSSL	0:d92f9d21154c	1661	cert->pubKeySize = length;
wolfSSL	0:d92f9d21154c	1662	cert->publicKey = cert->source + cert->srcIdx;
wolfSSL	0:d92f9d21154c	1663	cert->srcIdx += length;
wolfSSL	0:d92f9d21154c	1664
wolfSSL	0:d92f9d21154c	1665	return 0;
wolfSSL	0:d92f9d21154c	1666	}
wolfSSL	0:d92f9d21154c	1667	#endif
wolfSSL	0:d92f9d21154c	1668
wolfSSL	0:d92f9d21154c	1669
wolfSSL	0:d92f9d21154c	1670	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	1671
wolfSSL	0:d92f9d21154c	1672	/* return 0 on sucess if the ECC curve oid sum is supported */
wolfSSL	0:d92f9d21154c	1673	static int CheckCurve(word32 oid)
wolfSSL	0:d92f9d21154c	1674	{
wolfSSL	0:d92f9d21154c	1675	int ret = 0;
wolfSSL	0:d92f9d21154c	1676
wolfSSL	0:d92f9d21154c	1677	switch (oid) {
wolfSSL	0:d92f9d21154c	1678	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC160)
wolfSSL	0:d92f9d21154c	1679	case ECC_160R1:
wolfSSL	0:d92f9d21154c	1680	#endif
wolfSSL	0:d92f9d21154c	1681	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC192)
wolfSSL	0:d92f9d21154c	1682	case ECC_192R1:
wolfSSL	0:d92f9d21154c	1683	#endif
wolfSSL	0:d92f9d21154c	1684	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC224)
wolfSSL	0:d92f9d21154c	1685	case ECC_224R1:
wolfSSL	0:d92f9d21154c	1686	#endif
wolfSSL	0:d92f9d21154c	1687	#if defined(HAVE_ALL_CURVES) \|\| !defined(NO_ECC256)
wolfSSL	0:d92f9d21154c	1688	case ECC_256R1:
wolfSSL	0:d92f9d21154c	1689	#endif
wolfSSL	0:d92f9d21154c	1690	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC384)
wolfSSL	0:d92f9d21154c	1691	case ECC_384R1:
wolfSSL	0:d92f9d21154c	1692	#endif
wolfSSL	0:d92f9d21154c	1693	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC521)
wolfSSL	0:d92f9d21154c	1694	case ECC_521R1:
wolfSSL	0:d92f9d21154c	1695	#endif
wolfSSL	0:d92f9d21154c	1696	break;
wolfSSL	0:d92f9d21154c	1697
wolfSSL	0:d92f9d21154c	1698	default:
wolfSSL	0:d92f9d21154c	1699	ret = ALGO_ID_E;
wolfSSL	0:d92f9d21154c	1700	}
wolfSSL	0:d92f9d21154c	1701
wolfSSL	0:d92f9d21154c	1702	return ret;
wolfSSL	0:d92f9d21154c	1703	}
wolfSSL	0:d92f9d21154c	1704
wolfSSL	0:d92f9d21154c	1705	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	1706
wolfSSL	0:d92f9d21154c	1707
wolfSSL	0:d92f9d21154c	1708	static int GetKey(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	1709	{
wolfSSL	0:d92f9d21154c	1710	int length;
wolfSSL	0:d92f9d21154c	1711	#ifdef HAVE_NTRU
wolfSSL	0:d92f9d21154c	1712	int tmpIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1713	#endif
wolfSSL	0:d92f9d21154c	1714
wolfSSL	0:d92f9d21154c	1715	if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1716	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1717
wolfSSL	0:d92f9d21154c	1718	if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1719	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1720
wolfSSL	0:d92f9d21154c	1721	switch (cert->keyOID) {
wolfSSL	0:d92f9d21154c	1722	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	1723	case RSAk:
wolfSSL	0:d92f9d21154c	1724	{
wolfSSL	0:d92f9d21154c	1725	byte b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1726	if (b != ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	1727	return ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	1728
wolfSSL	0:d92f9d21154c	1729	if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1730	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1731	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1732	if (b != 0x00)
wolfSSL	0:d92f9d21154c	1733	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	1734
wolfSSL	0:d92f9d21154c	1735	return StoreRsaKey(cert);
wolfSSL	0:d92f9d21154c	1736	}
wolfSSL	0:d92f9d21154c	1737
wolfSSL	0:d92f9d21154c	1738	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	1739	#ifdef HAVE_NTRU
wolfSSL	0:d92f9d21154c	1740	case NTRUk:
wolfSSL	0:d92f9d21154c	1741	{
wolfSSL	0:d92f9d21154c	1742	const byte* key = &cert->source[tmpIdx];
wolfSSL	0:d92f9d21154c	1743	byte* next = (byte*)key;
wolfSSL	0:d92f9d21154c	1744	word16 keyLen;
wolfSSL	0:d92f9d21154c	1745	word32 rc;
wolfSSL	0:d92f9d21154c	1746	word32 remaining = cert->maxIdx - cert->srcIdx;
wolfSSL	0:d92f9d21154c	1747	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1748	byte* keyBlob = NULL;
wolfSSL	0:d92f9d21154c	1749	#else
wolfSSL	0:d92f9d21154c	1750	byte keyBlob[MAX_NTRU_KEY_SZ];
wolfSSL	0:d92f9d21154c	1751	#endif
wolfSSL	0:d92f9d21154c	1752	rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL	0:d92f9d21154c	1753	&keyLen, NULL, &next, &remaining);
wolfSSL	0:d92f9d21154c	1754	if (rc != NTRU_OK)
wolfSSL	0:d92f9d21154c	1755	return ASN_NTRU_KEY_E;
wolfSSL	0:d92f9d21154c	1756	if (keyLen > MAX_NTRU_KEY_SZ)
wolfSSL	0:d92f9d21154c	1757	return ASN_NTRU_KEY_E;
wolfSSL	0:d92f9d21154c	1758
wolfSSL	0:d92f9d21154c	1759	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1760	keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL,
wolfSSL	0:d92f9d21154c	1761	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1762	if (keyBlob == NULL)
wolfSSL	0:d92f9d21154c	1763	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1764	#endif
wolfSSL	0:d92f9d21154c	1765
wolfSSL	0:d92f9d21154c	1766	rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key,
wolfSSL	0:d92f9d21154c	1767	&keyLen, keyBlob, &next, &remaining);
wolfSSL	0:d92f9d21154c	1768	if (rc != NTRU_OK) {
wolfSSL	0:d92f9d21154c	1769	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1770	XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1771	#endif
wolfSSL	0:d92f9d21154c	1772	return ASN_NTRU_KEY_E;
wolfSSL	0:d92f9d21154c	1773	}
wolfSSL	0:d92f9d21154c	1774
wolfSSL	0:d92f9d21154c	1775	if ( (next - key) < 0) {
wolfSSL	0:d92f9d21154c	1776	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1777	XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1778	#endif
wolfSSL	0:d92f9d21154c	1779	return ASN_NTRU_KEY_E;
wolfSSL	0:d92f9d21154c	1780	}
wolfSSL	0:d92f9d21154c	1781
wolfSSL	0:d92f9d21154c	1782	cert->srcIdx = tmpIdx + (int)(next - key);
wolfSSL	0:d92f9d21154c	1783
wolfSSL	0:d92f9d21154c	1784	cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap,
wolfSSL	0:d92f9d21154c	1785	DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL	0:d92f9d21154c	1786	if (cert->publicKey == NULL) {
wolfSSL	0:d92f9d21154c	1787	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1788	XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1789	#endif
wolfSSL	0:d92f9d21154c	1790	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1791	}
wolfSSL	0:d92f9d21154c	1792	XMEMCPY(cert->publicKey, keyBlob, keyLen);
wolfSSL	0:d92f9d21154c	1793	cert->pubKeyStored = 1;
wolfSSL	0:d92f9d21154c	1794	cert->pubKeySize = keyLen;
wolfSSL	0:d92f9d21154c	1795
wolfSSL	0:d92f9d21154c	1796	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	1797	XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	1798	#endif
wolfSSL	0:d92f9d21154c	1799
wolfSSL	0:d92f9d21154c	1800	return 0;
wolfSSL	0:d92f9d21154c	1801	}
wolfSSL	0:d92f9d21154c	1802	#endif /* HAVE_NTRU */
wolfSSL	0:d92f9d21154c	1803	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	1804	case ECDSAk:
wolfSSL	0:d92f9d21154c	1805	{
wolfSSL	0:d92f9d21154c	1806	int oidSz = 0;
wolfSSL	0:d92f9d21154c	1807	byte b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1808
wolfSSL	0:d92f9d21154c	1809	if (b != ASN_OBJECT_ID)
wolfSSL	0:d92f9d21154c	1810	return ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	1811
wolfSSL	0:d92f9d21154c	1812	if (GetLength(cert->source,&cert->srcIdx,&oidSz,cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1813	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1814
wolfSSL	0:d92f9d21154c	1815	while(oidSz--)
wolfSSL	0:d92f9d21154c	1816	cert->pkCurveOID += cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1817
wolfSSL	0:d92f9d21154c	1818	if (CheckCurve(cert->pkCurveOID) < 0)
wolfSSL	0:d92f9d21154c	1819	return ECC_CURVE_OID_E;
wolfSSL	0:d92f9d21154c	1820
wolfSSL	0:d92f9d21154c	1821	/* key header */
wolfSSL	0:d92f9d21154c	1822	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1823	if (b != ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	1824	return ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	1825
wolfSSL	0:d92f9d21154c	1826	if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1827	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1828	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1829	if (b != 0x00)
wolfSSL	0:d92f9d21154c	1830	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	1831
wolfSSL	0:d92f9d21154c	1832	/* actual key, use length - 1 since ate preceding 0 */
wolfSSL	0:d92f9d21154c	1833	length -= 1;
wolfSSL	0:d92f9d21154c	1834
wolfSSL	0:d92f9d21154c	1835	cert->publicKey = (byte*) XMALLOC(length, cert->heap,
wolfSSL	0:d92f9d21154c	1836	DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL	0:d92f9d21154c	1837	if (cert->publicKey == NULL)
wolfSSL	0:d92f9d21154c	1838	return MEMORY_E;
wolfSSL	0:d92f9d21154c	1839	XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
wolfSSL	0:d92f9d21154c	1840	cert->pubKeyStored = 1;
wolfSSL	0:d92f9d21154c	1841	cert->pubKeySize = length;
wolfSSL	0:d92f9d21154c	1842
wolfSSL	0:d92f9d21154c	1843	cert->srcIdx += length;
wolfSSL	0:d92f9d21154c	1844
wolfSSL	0:d92f9d21154c	1845	return 0;
wolfSSL	0:d92f9d21154c	1846	}
wolfSSL	0:d92f9d21154c	1847	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	1848	default:
wolfSSL	0:d92f9d21154c	1849	return ASN_UNKNOWN_OID_E;
wolfSSL	0:d92f9d21154c	1850	}
wolfSSL	0:d92f9d21154c	1851	}
wolfSSL	0:d92f9d21154c	1852
wolfSSL	0:d92f9d21154c	1853
wolfSSL	0:d92f9d21154c	1854	/* process NAME, either issuer or subject */
wolfSSL	0:d92f9d21154c	1855	static int GetName(DecodedCert* cert, int nameType)
wolfSSL	0:d92f9d21154c	1856	{
wolfSSL	0:d92f9d21154c	1857	int length; /* length of all distinguished names */
wolfSSL	0:d92f9d21154c	1858	int dummy;
wolfSSL	0:d92f9d21154c	1859	int ret;
wolfSSL	0:d92f9d21154c	1860	char* full;
wolfSSL	0:d92f9d21154c	1861	byte* hash;
wolfSSL	0:d92f9d21154c	1862	word32 idx;
wolfSSL	0:d92f9d21154c	1863	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1864	DecodedName* dName =
wolfSSL	0:d92f9d21154c	1865	(nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
wolfSSL	0:d92f9d21154c	1866	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1867
wolfSSL	0:d92f9d21154c	1868	WOLFSSL_MSG("Getting Cert Name");
wolfSSL	0:d92f9d21154c	1869
wolfSSL	0:d92f9d21154c	1870	if (nameType == ISSUER) {
wolfSSL	0:d92f9d21154c	1871	full = cert->issuer;
wolfSSL	0:d92f9d21154c	1872	hash = cert->issuerHash;
wolfSSL	0:d92f9d21154c	1873	}
wolfSSL	0:d92f9d21154c	1874	else {
wolfSSL	0:d92f9d21154c	1875	full = cert->subject;
wolfSSL	0:d92f9d21154c	1876	hash = cert->subjectHash;
wolfSSL	0:d92f9d21154c	1877	}
wolfSSL	0:d92f9d21154c	1878
wolfSSL	0:d92f9d21154c	1879	if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	1880	WOLFSSL_MSG("Trying optional prefix...");
wolfSSL	0:d92f9d21154c	1881
wolfSSL	0:d92f9d21154c	1882	if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1883	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1884
wolfSSL	0:d92f9d21154c	1885	cert->srcIdx += length;
wolfSSL	0:d92f9d21154c	1886	WOLFSSL_MSG("Got optional prefix");
wolfSSL	0:d92f9d21154c	1887	}
wolfSSL	0:d92f9d21154c	1888
wolfSSL	0:d92f9d21154c	1889	/* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL	0:d92f9d21154c	1890	* calculated over the entire DER encoding of the Name field, including
wolfSSL	0:d92f9d21154c	1891	* the tag and length. */
wolfSSL	0:d92f9d21154c	1892	idx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1893	if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1894	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1895
wolfSSL	0:d92f9d21154c	1896	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	1897	ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL	0:d92f9d21154c	1898	#else
wolfSSL	0:d92f9d21154c	1899	ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
wolfSSL	0:d92f9d21154c	1900	#endif
wolfSSL	0:d92f9d21154c	1901	if (ret != 0)
wolfSSL	0:d92f9d21154c	1902	return ret;
wolfSSL	0:d92f9d21154c	1903
wolfSSL	0:d92f9d21154c	1904	length += cert->srcIdx;
wolfSSL	0:d92f9d21154c	1905	idx = 0;
wolfSSL	0:d92f9d21154c	1906
wolfSSL	0:d92f9d21154c	1907	#ifdef HAVE_PKCS7
wolfSSL	0:d92f9d21154c	1908	/* store pointer to raw issuer */
wolfSSL	0:d92f9d21154c	1909	if (nameType == ISSUER) {
wolfSSL	0:d92f9d21154c	1910	cert->issuerRaw = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	1911	cert->issuerRawLen = length - cert->srcIdx;
wolfSSL	0:d92f9d21154c	1912	}
wolfSSL	0:d92f9d21154c	1913	#endif
wolfSSL	0:d92f9d21154c	1914	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	1915	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	1916	cert->subjectRaw = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	1917	cert->subjectRawLen = length - cert->srcIdx;
wolfSSL	0:d92f9d21154c	1918	}
wolfSSL	0:d92f9d21154c	1919	#endif
wolfSSL	0:d92f9d21154c	1920
wolfSSL	0:d92f9d21154c	1921	while (cert->srcIdx < (word32)length) {
wolfSSL	0:d92f9d21154c	1922	byte b;
wolfSSL	0:d92f9d21154c	1923	byte joint[2];
wolfSSL	0:d92f9d21154c	1924	byte tooBig = FALSE;
wolfSSL	0:d92f9d21154c	1925	int oidSz;
wolfSSL	0:d92f9d21154c	1926
wolfSSL	0:d92f9d21154c	1927	if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	1928	WOLFSSL_MSG("Cert name lacks set header, trying sequence");
wolfSSL	0:d92f9d21154c	1929	}
wolfSSL	0:d92f9d21154c	1930
wolfSSL	0:d92f9d21154c	1931	if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1932	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1933
wolfSSL	0:d92f9d21154c	1934	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1935	if (b != ASN_OBJECT_ID)
wolfSSL	0:d92f9d21154c	1936	return ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	1937
wolfSSL	0:d92f9d21154c	1938	if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1939	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1940
wolfSSL	0:d92f9d21154c	1941	XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint));
wolfSSL	0:d92f9d21154c	1942
wolfSSL	0:d92f9d21154c	1943	/* v1 name types */
wolfSSL	0:d92f9d21154c	1944	if (joint[0] == 0x55 && joint[1] == 0x04) {
wolfSSL	0:d92f9d21154c	1945	byte id;
wolfSSL	0:d92f9d21154c	1946	byte copy = FALSE;
wolfSSL	0:d92f9d21154c	1947	int strLen;
wolfSSL	0:d92f9d21154c	1948
wolfSSL	0:d92f9d21154c	1949	cert->srcIdx += 2;
wolfSSL	0:d92f9d21154c	1950	id = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	1951	b = cert->source[cert->srcIdx++]; /* encoding */
wolfSSL	0:d92f9d21154c	1952
wolfSSL	0:d92f9d21154c	1953	if (GetLength(cert->source, &cert->srcIdx, &strLen,
wolfSSL	0:d92f9d21154c	1954	cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	1955	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	1956
wolfSSL	0:d92f9d21154c	1957	if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL	0:d92f9d21154c	1958	/* include biggest pre fix header too 4 = "/serialNumber=" */
wolfSSL	0:d92f9d21154c	1959	WOLFSSL_MSG("ASN Name too big, skipping");
wolfSSL	0:d92f9d21154c	1960	tooBig = TRUE;
wolfSSL	0:d92f9d21154c	1961	}
wolfSSL	0:d92f9d21154c	1962
wolfSSL	0:d92f9d21154c	1963	if (id == ASN_COMMON_NAME) {
wolfSSL	0:d92f9d21154c	1964	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	1965	cert->subjectCN = (char *)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	1966	cert->subjectCNLen = strLen;
wolfSSL	0:d92f9d21154c	1967	cert->subjectCNEnc = b;
wolfSSL	0:d92f9d21154c	1968	}
wolfSSL	0:d92f9d21154c	1969
wolfSSL	0:d92f9d21154c	1970	if (!tooBig) {
wolfSSL	0:d92f9d21154c	1971	XMEMCPY(&full[idx], "/CN=", 4);
wolfSSL	0:d92f9d21154c	1972	idx += 4;
wolfSSL	0:d92f9d21154c	1973	copy = TRUE;
wolfSSL	0:d92f9d21154c	1974	}
wolfSSL	0:d92f9d21154c	1975	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1976	dName->cnIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1977	dName->cnLen = strLen;
wolfSSL	0:d92f9d21154c	1978	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1979	}
wolfSSL	0:d92f9d21154c	1980	else if (id == ASN_SUR_NAME) {
wolfSSL	0:d92f9d21154c	1981	if (!tooBig) {
wolfSSL	0:d92f9d21154c	1982	XMEMCPY(&full[idx], "/SN=", 4);
wolfSSL	0:d92f9d21154c	1983	idx += 4;
wolfSSL	0:d92f9d21154c	1984	copy = TRUE;
wolfSSL	0:d92f9d21154c	1985	}
wolfSSL	0:d92f9d21154c	1986	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	1987	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	1988	cert->subjectSN = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	1989	cert->subjectSNLen = strLen;
wolfSSL	0:d92f9d21154c	1990	cert->subjectSNEnc = b;
wolfSSL	0:d92f9d21154c	1991	}
wolfSSL	0:d92f9d21154c	1992	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	1993	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	1994	dName->snIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	1995	dName->snLen = strLen;
wolfSSL	0:d92f9d21154c	1996	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	1997	}
wolfSSL	0:d92f9d21154c	1998	else if (id == ASN_COUNTRY_NAME) {
wolfSSL	0:d92f9d21154c	1999	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2000	XMEMCPY(&full[idx], "/C=", 3);
wolfSSL	0:d92f9d21154c	2001	idx += 3;
wolfSSL	0:d92f9d21154c	2002	copy = TRUE;
wolfSSL	0:d92f9d21154c	2003	}
wolfSSL	0:d92f9d21154c	2004	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2005	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2006	cert->subjectC = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2007	cert->subjectCLen = strLen;
wolfSSL	0:d92f9d21154c	2008	cert->subjectCEnc = b;
wolfSSL	0:d92f9d21154c	2009	}
wolfSSL	0:d92f9d21154c	2010	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2011	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2012	dName->cIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2013	dName->cLen = strLen;
wolfSSL	0:d92f9d21154c	2014	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2015	}
wolfSSL	0:d92f9d21154c	2016	else if (id == ASN_LOCALITY_NAME) {
wolfSSL	0:d92f9d21154c	2017	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2018	XMEMCPY(&full[idx], "/L=", 3);
wolfSSL	0:d92f9d21154c	2019	idx += 3;
wolfSSL	0:d92f9d21154c	2020	copy = TRUE;
wolfSSL	0:d92f9d21154c	2021	}
wolfSSL	0:d92f9d21154c	2022	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2023	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2024	cert->subjectL = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2025	cert->subjectLLen = strLen;
wolfSSL	0:d92f9d21154c	2026	cert->subjectLEnc = b;
wolfSSL	0:d92f9d21154c	2027	}
wolfSSL	0:d92f9d21154c	2028	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2029	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2030	dName->lIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2031	dName->lLen = strLen;
wolfSSL	0:d92f9d21154c	2032	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2033	}
wolfSSL	0:d92f9d21154c	2034	else if (id == ASN_STATE_NAME) {
wolfSSL	0:d92f9d21154c	2035	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2036	XMEMCPY(&full[idx], "/ST=", 4);
wolfSSL	0:d92f9d21154c	2037	idx += 4;
wolfSSL	0:d92f9d21154c	2038	copy = TRUE;
wolfSSL	0:d92f9d21154c	2039	}
wolfSSL	0:d92f9d21154c	2040	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2041	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2042	cert->subjectST = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2043	cert->subjectSTLen = strLen;
wolfSSL	0:d92f9d21154c	2044	cert->subjectSTEnc = b;
wolfSSL	0:d92f9d21154c	2045	}
wolfSSL	0:d92f9d21154c	2046	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2047	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2048	dName->stIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2049	dName->stLen = strLen;
wolfSSL	0:d92f9d21154c	2050	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2051	}
wolfSSL	0:d92f9d21154c	2052	else if (id == ASN_ORG_NAME) {
wolfSSL	0:d92f9d21154c	2053	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2054	XMEMCPY(&full[idx], "/O=", 3);
wolfSSL	0:d92f9d21154c	2055	idx += 3;
wolfSSL	0:d92f9d21154c	2056	copy = TRUE;
wolfSSL	0:d92f9d21154c	2057	}
wolfSSL	0:d92f9d21154c	2058	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2059	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2060	cert->subjectO = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2061	cert->subjectOLen = strLen;
wolfSSL	0:d92f9d21154c	2062	cert->subjectOEnc = b;
wolfSSL	0:d92f9d21154c	2063	}
wolfSSL	0:d92f9d21154c	2064	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2065	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2066	dName->oIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2067	dName->oLen = strLen;
wolfSSL	0:d92f9d21154c	2068	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2069	}
wolfSSL	0:d92f9d21154c	2070	else if (id == ASN_ORGUNIT_NAME) {
wolfSSL	0:d92f9d21154c	2071	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2072	XMEMCPY(&full[idx], "/OU=", 4);
wolfSSL	0:d92f9d21154c	2073	idx += 4;
wolfSSL	0:d92f9d21154c	2074	copy = TRUE;
wolfSSL	0:d92f9d21154c	2075	}
wolfSSL	0:d92f9d21154c	2076	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2077	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2078	cert->subjectOU = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2079	cert->subjectOULen = strLen;
wolfSSL	0:d92f9d21154c	2080	cert->subjectOUEnc = b;
wolfSSL	0:d92f9d21154c	2081	}
wolfSSL	0:d92f9d21154c	2082	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2083	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2084	dName->ouIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2085	dName->ouLen = strLen;
wolfSSL	0:d92f9d21154c	2086	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2087	}
wolfSSL	0:d92f9d21154c	2088	else if (id == ASN_SERIAL_NUMBER) {
wolfSSL	0:d92f9d21154c	2089	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2090	XMEMCPY(&full[idx], "/serialNumber=", 14);
wolfSSL	0:d92f9d21154c	2091	idx += 14;
wolfSSL	0:d92f9d21154c	2092	copy = TRUE;
wolfSSL	0:d92f9d21154c	2093	}
wolfSSL	0:d92f9d21154c	2094	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2095	dName->snIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2096	dName->snLen = strLen;
wolfSSL	0:d92f9d21154c	2097	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2098	}
wolfSSL	0:d92f9d21154c	2099
wolfSSL	0:d92f9d21154c	2100	if (copy && !tooBig) {
wolfSSL	0:d92f9d21154c	2101	XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
wolfSSL	0:d92f9d21154c	2102	idx += strLen;
wolfSSL	0:d92f9d21154c	2103	}
wolfSSL	0:d92f9d21154c	2104
wolfSSL	0:d92f9d21154c	2105	cert->srcIdx += strLen;
wolfSSL	0:d92f9d21154c	2106	}
wolfSSL	0:d92f9d21154c	2107	else {
wolfSSL	0:d92f9d21154c	2108	/* skip */
wolfSSL	0:d92f9d21154c	2109	byte email = FALSE;
wolfSSL	0:d92f9d21154c	2110	byte uid = FALSE;
wolfSSL	0:d92f9d21154c	2111	int adv;
wolfSSL	0:d92f9d21154c	2112
wolfSSL	0:d92f9d21154c	2113	if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
wolfSSL	0:d92f9d21154c	2114	email = TRUE;
wolfSSL	0:d92f9d21154c	2115
wolfSSL	0:d92f9d21154c	2116	if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
wolfSSL	0:d92f9d21154c	2117	uid = TRUE;
wolfSSL	0:d92f9d21154c	2118
wolfSSL	0:d92f9d21154c	2119	cert->srcIdx += oidSz + 1;
wolfSSL	0:d92f9d21154c	2120
wolfSSL	0:d92f9d21154c	2121	if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	2122	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	2123
wolfSSL	0:d92f9d21154c	2124	if (adv > (int)(ASN_NAME_MAX - idx)) {
wolfSSL	0:d92f9d21154c	2125	WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL	0:d92f9d21154c	2126	tooBig = TRUE;
wolfSSL	0:d92f9d21154c	2127	}
wolfSSL	0:d92f9d21154c	2128
wolfSSL	0:d92f9d21154c	2129	if (email) {
wolfSSL	0:d92f9d21154c	2130	if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL	0:d92f9d21154c	2131	WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL	0:d92f9d21154c	2132	tooBig = TRUE;
wolfSSL	0:d92f9d21154c	2133	}
wolfSSL	0:d92f9d21154c	2134	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2135	XMEMCPY(&full[idx], "/emailAddress=", 14);
wolfSSL	0:d92f9d21154c	2136	idx += 14;
wolfSSL	0:d92f9d21154c	2137	}
wolfSSL	0:d92f9d21154c	2138
wolfSSL	0:d92f9d21154c	2139	#ifdef WOLFSSL_CERT_GEN
wolfSSL	0:d92f9d21154c	2140	if (nameType == SUBJECT) {
wolfSSL	0:d92f9d21154c	2141	cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2142	cert->subjectEmailLen = adv;
wolfSSL	0:d92f9d21154c	2143	}
wolfSSL	0:d92f9d21154c	2144	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2145	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2146	dName->emailIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2147	dName->emailLen = adv;
wolfSSL	0:d92f9d21154c	2148	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2149	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	2150	{
wolfSSL	0:d92f9d21154c	2151	DNS_entry* emailName = NULL;
wolfSSL	0:d92f9d21154c	2152
wolfSSL	0:d92f9d21154c	2153	emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
wolfSSL	0:d92f9d21154c	2154	cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	2155	if (emailName == NULL) {
wolfSSL	0:d92f9d21154c	2156	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	2157	return MEMORY_E;
wolfSSL	0:d92f9d21154c	2158	}
wolfSSL	0:d92f9d21154c	2159	emailName->name = (char*)XMALLOC(adv + 1,
wolfSSL	0:d92f9d21154c	2160	cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	2161	if (emailName->name == NULL) {
wolfSSL	0:d92f9d21154c	2162	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	2163	return MEMORY_E;
wolfSSL	0:d92f9d21154c	2164	}
wolfSSL	0:d92f9d21154c	2165	XMEMCPY(emailName->name,
wolfSSL	0:d92f9d21154c	2166	&cert->source[cert->srcIdx], adv);
wolfSSL	0:d92f9d21154c	2167	emailName->name[adv] = 0;
wolfSSL	0:d92f9d21154c	2168
wolfSSL	0:d92f9d21154c	2169	emailName->next = cert->altEmailNames;
wolfSSL	0:d92f9d21154c	2170	cert->altEmailNames = emailName;
wolfSSL	0:d92f9d21154c	2171	}
wolfSSL	0:d92f9d21154c	2172	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	2173	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2174	XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL	0:d92f9d21154c	2175	idx += adv;
wolfSSL	0:d92f9d21154c	2176	}
wolfSSL	0:d92f9d21154c	2177	}
wolfSSL	0:d92f9d21154c	2178
wolfSSL	0:d92f9d21154c	2179	if (uid) {
wolfSSL	0:d92f9d21154c	2180	if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
wolfSSL	0:d92f9d21154c	2181	WOLFSSL_MSG("ASN name too big, skipping");
wolfSSL	0:d92f9d21154c	2182	tooBig = TRUE;
wolfSSL	0:d92f9d21154c	2183	}
wolfSSL	0:d92f9d21154c	2184	if (!tooBig) {
wolfSSL	0:d92f9d21154c	2185	XMEMCPY(&full[idx], "/UID=", 5);
wolfSSL	0:d92f9d21154c	2186	idx += 5;
wolfSSL	0:d92f9d21154c	2187
wolfSSL	0:d92f9d21154c	2188	XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
wolfSSL	0:d92f9d21154c	2189	idx += adv;
wolfSSL	0:d92f9d21154c	2190	}
wolfSSL	0:d92f9d21154c	2191	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2192	dName->uidIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2193	dName->uidLen = adv;
wolfSSL	0:d92f9d21154c	2194	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2195	}
wolfSSL	0:d92f9d21154c	2196
wolfSSL	0:d92f9d21154c	2197	cert->srcIdx += adv;
wolfSSL	0:d92f9d21154c	2198	}
wolfSSL	0:d92f9d21154c	2199	}
wolfSSL	0:d92f9d21154c	2200	full[idx++] = 0;
wolfSSL	0:d92f9d21154c	2201
wolfSSL	0:d92f9d21154c	2202	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	2203	{
wolfSSL	0:d92f9d21154c	2204	int totalLen = 0;
wolfSSL	0:d92f9d21154c	2205
wolfSSL	0:d92f9d21154c	2206	if (dName->cnLen != 0)
wolfSSL	0:d92f9d21154c	2207	totalLen += dName->cnLen + 4;
wolfSSL	0:d92f9d21154c	2208	if (dName->snLen != 0)
wolfSSL	0:d92f9d21154c	2209	totalLen += dName->snLen + 4;
wolfSSL	0:d92f9d21154c	2210	if (dName->cLen != 0)
wolfSSL	0:d92f9d21154c	2211	totalLen += dName->cLen + 3;
wolfSSL	0:d92f9d21154c	2212	if (dName->lLen != 0)
wolfSSL	0:d92f9d21154c	2213	totalLen += dName->lLen + 3;
wolfSSL	0:d92f9d21154c	2214	if (dName->stLen != 0)
wolfSSL	0:d92f9d21154c	2215	totalLen += dName->stLen + 4;
wolfSSL	0:d92f9d21154c	2216	if (dName->oLen != 0)
wolfSSL	0:d92f9d21154c	2217	totalLen += dName->oLen + 3;
wolfSSL	0:d92f9d21154c	2218	if (dName->ouLen != 0)
wolfSSL	0:d92f9d21154c	2219	totalLen += dName->ouLen + 4;
wolfSSL	0:d92f9d21154c	2220	if (dName->emailLen != 0)
wolfSSL	0:d92f9d21154c	2221	totalLen += dName->emailLen + 14;
wolfSSL	0:d92f9d21154c	2222	if (dName->uidLen != 0)
wolfSSL	0:d92f9d21154c	2223	totalLen += dName->uidLen + 5;
wolfSSL	0:d92f9d21154c	2224	if (dName->serialLen != 0)
wolfSSL	0:d92f9d21154c	2225	totalLen += dName->serialLen + 14;
wolfSSL	0:d92f9d21154c	2226
wolfSSL	0:d92f9d21154c	2227	dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509);
wolfSSL	0:d92f9d21154c	2228	if (dName->fullName != NULL) {
wolfSSL	0:d92f9d21154c	2229	idx = 0;
wolfSSL	0:d92f9d21154c	2230
wolfSSL	0:d92f9d21154c	2231	if (dName->cnLen != 0) {
wolfSSL	0:d92f9d21154c	2232	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2233	XMEMCPY(&dName->fullName[idx], "/CN=", 4);
wolfSSL	0:d92f9d21154c	2234	idx += 4;
wolfSSL	0:d92f9d21154c	2235	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2236	&cert->source[dName->cnIdx], dName->cnLen);
wolfSSL	0:d92f9d21154c	2237	dName->cnIdx = idx;
wolfSSL	0:d92f9d21154c	2238	idx += dName->cnLen;
wolfSSL	0:d92f9d21154c	2239	}
wolfSSL	0:d92f9d21154c	2240	if (dName->snLen != 0) {
wolfSSL	0:d92f9d21154c	2241	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2242	XMEMCPY(&dName->fullName[idx], "/SN=", 4);
wolfSSL	0:d92f9d21154c	2243	idx += 4;
wolfSSL	0:d92f9d21154c	2244	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2245	&cert->source[dName->snIdx], dName->snLen);
wolfSSL	0:d92f9d21154c	2246	dName->snIdx = idx;
wolfSSL	0:d92f9d21154c	2247	idx += dName->snLen;
wolfSSL	0:d92f9d21154c	2248	}
wolfSSL	0:d92f9d21154c	2249	if (dName->cLen != 0) {
wolfSSL	0:d92f9d21154c	2250	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2251	XMEMCPY(&dName->fullName[idx], "/C=", 3);
wolfSSL	0:d92f9d21154c	2252	idx += 3;
wolfSSL	0:d92f9d21154c	2253	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2254	&cert->source[dName->cIdx], dName->cLen);
wolfSSL	0:d92f9d21154c	2255	dName->cIdx = idx;
wolfSSL	0:d92f9d21154c	2256	idx += dName->cLen;
wolfSSL	0:d92f9d21154c	2257	}
wolfSSL	0:d92f9d21154c	2258	if (dName->lLen != 0) {
wolfSSL	0:d92f9d21154c	2259	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2260	XMEMCPY(&dName->fullName[idx], "/L=", 3);
wolfSSL	0:d92f9d21154c	2261	idx += 3;
wolfSSL	0:d92f9d21154c	2262	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2263	&cert->source[dName->lIdx], dName->lLen);
wolfSSL	0:d92f9d21154c	2264	dName->lIdx = idx;
wolfSSL	0:d92f9d21154c	2265	idx += dName->lLen;
wolfSSL	0:d92f9d21154c	2266	}
wolfSSL	0:d92f9d21154c	2267	if (dName->stLen != 0) {
wolfSSL	0:d92f9d21154c	2268	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2269	XMEMCPY(&dName->fullName[idx], "/ST=", 4);
wolfSSL	0:d92f9d21154c	2270	idx += 4;
wolfSSL	0:d92f9d21154c	2271	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2272	&cert->source[dName->stIdx], dName->stLen);
wolfSSL	0:d92f9d21154c	2273	dName->stIdx = idx;
wolfSSL	0:d92f9d21154c	2274	idx += dName->stLen;
wolfSSL	0:d92f9d21154c	2275	}
wolfSSL	0:d92f9d21154c	2276	if (dName->oLen != 0) {
wolfSSL	0:d92f9d21154c	2277	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2278	XMEMCPY(&dName->fullName[idx], "/O=", 3);
wolfSSL	0:d92f9d21154c	2279	idx += 3;
wolfSSL	0:d92f9d21154c	2280	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2281	&cert->source[dName->oIdx], dName->oLen);
wolfSSL	0:d92f9d21154c	2282	dName->oIdx = idx;
wolfSSL	0:d92f9d21154c	2283	idx += dName->oLen;
wolfSSL	0:d92f9d21154c	2284	}
wolfSSL	0:d92f9d21154c	2285	if (dName->ouLen != 0) {
wolfSSL	0:d92f9d21154c	2286	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2287	XMEMCPY(&dName->fullName[idx], "/OU=", 4);
wolfSSL	0:d92f9d21154c	2288	idx += 4;
wolfSSL	0:d92f9d21154c	2289	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2290	&cert->source[dName->ouIdx], dName->ouLen);
wolfSSL	0:d92f9d21154c	2291	dName->ouIdx = idx;
wolfSSL	0:d92f9d21154c	2292	idx += dName->ouLen;
wolfSSL	0:d92f9d21154c	2293	}
wolfSSL	0:d92f9d21154c	2294	if (dName->emailLen != 0) {
wolfSSL	0:d92f9d21154c	2295	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2296	XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
wolfSSL	0:d92f9d21154c	2297	idx += 14;
wolfSSL	0:d92f9d21154c	2298	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2299	&cert->source[dName->emailIdx], dName->emailLen);
wolfSSL	0:d92f9d21154c	2300	dName->emailIdx = idx;
wolfSSL	0:d92f9d21154c	2301	idx += dName->emailLen;
wolfSSL	0:d92f9d21154c	2302	}
wolfSSL	0:d92f9d21154c	2303	if (dName->uidLen != 0) {
wolfSSL	0:d92f9d21154c	2304	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2305	XMEMCPY(&dName->fullName[idx], "/UID=", 5);
wolfSSL	0:d92f9d21154c	2306	idx += 5;
wolfSSL	0:d92f9d21154c	2307	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2308	&cert->source[dName->uidIdx], dName->uidLen);
wolfSSL	0:d92f9d21154c	2309	dName->uidIdx = idx;
wolfSSL	0:d92f9d21154c	2310	idx += dName->uidLen;
wolfSSL	0:d92f9d21154c	2311	}
wolfSSL	0:d92f9d21154c	2312	if (dName->serialLen != 0) {
wolfSSL	0:d92f9d21154c	2313	dName->entryCount++;
wolfSSL	0:d92f9d21154c	2314	XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
wolfSSL	0:d92f9d21154c	2315	idx += 14;
wolfSSL	0:d92f9d21154c	2316	XMEMCPY(&dName->fullName[idx],
wolfSSL	0:d92f9d21154c	2317	&cert->source[dName->serialIdx], dName->serialLen);
wolfSSL	0:d92f9d21154c	2318	dName->serialIdx = idx;
wolfSSL	0:d92f9d21154c	2319	idx += dName->serialLen;
wolfSSL	0:d92f9d21154c	2320	}
wolfSSL	0:d92f9d21154c	2321	dName->fullName[idx] = '\0';
wolfSSL	0:d92f9d21154c	2322	dName->fullNameLen = totalLen;
wolfSSL	0:d92f9d21154c	2323	}
wolfSSL	0:d92f9d21154c	2324	}
wolfSSL	0:d92f9d21154c	2325	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	2326
wolfSSL	0:d92f9d21154c	2327	return 0;
wolfSSL	0:d92f9d21154c	2328	}
wolfSSL	0:d92f9d21154c	2329
wolfSSL	0:d92f9d21154c	2330
wolfSSL	0:d92f9d21154c	2331	#ifndef NO_TIME_H
wolfSSL	0:d92f9d21154c	2332
wolfSSL	0:d92f9d21154c	2333	/* to the second */
wolfSSL	0:d92f9d21154c	2334	static int DateGreaterThan(const struct tm* a, const struct tm* b)
wolfSSL	0:d92f9d21154c	2335	{
wolfSSL	0:d92f9d21154c	2336	if (a->tm_year > b->tm_year)
wolfSSL	0:d92f9d21154c	2337	return 1;
wolfSSL	0:d92f9d21154c	2338
wolfSSL	0:d92f9d21154c	2339	if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon)
wolfSSL	0:d92f9d21154c	2340	return 1;
wolfSSL	0:d92f9d21154c	2341
wolfSSL	0:d92f9d21154c	2342	if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL	0:d92f9d21154c	2343	a->tm_mday > b->tm_mday)
wolfSSL	0:d92f9d21154c	2344	return 1;
wolfSSL	0:d92f9d21154c	2345
wolfSSL	0:d92f9d21154c	2346	if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL	0:d92f9d21154c	2347	a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour)
wolfSSL	0:d92f9d21154c	2348	return 1;
wolfSSL	0:d92f9d21154c	2349
wolfSSL	0:d92f9d21154c	2350	if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL	0:d92f9d21154c	2351	a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL	0:d92f9d21154c	2352	a->tm_min > b->tm_min)
wolfSSL	0:d92f9d21154c	2353	return 1;
wolfSSL	0:d92f9d21154c	2354
wolfSSL	0:d92f9d21154c	2355	if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
wolfSSL	0:d92f9d21154c	2356	a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour &&
wolfSSL	0:d92f9d21154c	2357	a->tm_min == b->tm_min && a->tm_sec > b->tm_sec)
wolfSSL	0:d92f9d21154c	2358	return 1;
wolfSSL	0:d92f9d21154c	2359
wolfSSL	0:d92f9d21154c	2360	return 0; /* false */
wolfSSL	0:d92f9d21154c	2361	}
wolfSSL	0:d92f9d21154c	2362
wolfSSL	0:d92f9d21154c	2363
wolfSSL	0:d92f9d21154c	2364	static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
wolfSSL	0:d92f9d21154c	2365	{
wolfSSL	0:d92f9d21154c	2366	return DateGreaterThan(b,a);
wolfSSL	0:d92f9d21154c	2367	}
wolfSSL	0:d92f9d21154c	2368
wolfSSL	0:d92f9d21154c	2369
wolfSSL	0:d92f9d21154c	2370	/* like atoi but only use first byte */
wolfSSL	0:d92f9d21154c	2371	/* Make sure before and after dates are valid */
wolfSSL	0:d92f9d21154c	2372	int ValidateDate(const byte* date, byte format, int dateType)
wolfSSL	0:d92f9d21154c	2373	{
wolfSSL	0:d92f9d21154c	2374	time_t ltime;
wolfSSL	0:d92f9d21154c	2375	struct tm certTime;
wolfSSL	0:d92f9d21154c	2376	struct tm* localTime;
wolfSSL	0:d92f9d21154c	2377	struct tm* tmpTime = NULL;
wolfSSL	0:d92f9d21154c	2378	int i = 0;
wolfSSL	0:d92f9d21154c	2379
wolfSSL	0:d92f9d21154c	2380	#if defined(FREESCALE_MQX) \|\| defined(TIME_OVERRIDES)
wolfSSL	0:d92f9d21154c	2381	struct tm tmpTimeStorage;
wolfSSL	0:d92f9d21154c	2382	tmpTime = &tmpTimeStorage;
wolfSSL	0:d92f9d21154c	2383	#else
wolfSSL	0:d92f9d21154c	2384	(void)tmpTime;
wolfSSL	0:d92f9d21154c	2385	#endif
wolfSSL	0:d92f9d21154c	2386
wolfSSL	0:d92f9d21154c	2387	ltime = XTIME(0);
wolfSSL	0:d92f9d21154c	2388	XMEMSET(&certTime, 0, sizeof(certTime));
wolfSSL	0:d92f9d21154c	2389
wolfSSL	0:d92f9d21154c	2390	if (format == ASN_UTC_TIME) {
wolfSSL	0:d92f9d21154c	2391	if (btoi(date[0]) >= 5)
wolfSSL	0:d92f9d21154c	2392	certTime.tm_year = 1900;
wolfSSL	0:d92f9d21154c	2393	else
wolfSSL	0:d92f9d21154c	2394	certTime.tm_year = 2000;
wolfSSL	0:d92f9d21154c	2395	}
wolfSSL	0:d92f9d21154c	2396	else { /* format == GENERALIZED_TIME */
wolfSSL	0:d92f9d21154c	2397	certTime.tm_year += btoi(date[i++]) * 1000;
wolfSSL	0:d92f9d21154c	2398	certTime.tm_year += btoi(date[i++]) * 100;
wolfSSL	0:d92f9d21154c	2399	}
wolfSSL	0:d92f9d21154c	2400
wolfSSL	0:d92f9d21154c	2401	/* adjust tm_year, tm_mon */
wolfSSL	0:d92f9d21154c	2402	GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900;
wolfSSL	0:d92f9d21154c	2403	GetTime((int*)&certTime.tm_mon, date, &i); certTime.tm_mon -= 1;
wolfSSL	0:d92f9d21154c	2404	GetTime((int*)&certTime.tm_mday, date, &i);
wolfSSL	0:d92f9d21154c	2405	GetTime((int*)&certTime.tm_hour, date, &i);
wolfSSL	0:d92f9d21154c	2406	GetTime((int*)&certTime.tm_min, date, &i);
wolfSSL	0:d92f9d21154c	2407	GetTime((int*)&certTime.tm_sec, date, &i);
wolfSSL	0:d92f9d21154c	2408
wolfSSL	0:d92f9d21154c	2409	if (date[i] != 'Z') { /* only Zulu supported for this profile */
wolfSSL	0:d92f9d21154c	2410	WOLFSSL_MSG("Only Zulu time supported for this profile");
wolfSSL	0:d92f9d21154c	2411	return 0;
wolfSSL	0:d92f9d21154c	2412	}
wolfSSL	0:d92f9d21154c	2413
wolfSSL	0:d92f9d21154c	2414	localTime = XGMTIME(&ltime, tmpTime);
wolfSSL	0:d92f9d21154c	2415
wolfSSL	0:d92f9d21154c	2416	if (dateType == BEFORE) {
wolfSSL	0:d92f9d21154c	2417	if (DateLessThan(localTime, &certTime))
wolfSSL	0:d92f9d21154c	2418	return 0;
wolfSSL	0:d92f9d21154c	2419	}
wolfSSL	0:d92f9d21154c	2420	else
wolfSSL	0:d92f9d21154c	2421	if (DateGreaterThan(localTime, &certTime))
wolfSSL	0:d92f9d21154c	2422	return 0;
wolfSSL	0:d92f9d21154c	2423
wolfSSL	0:d92f9d21154c	2424	return 1;
wolfSSL	0:d92f9d21154c	2425	}
wolfSSL	0:d92f9d21154c	2426
wolfSSL	0:d92f9d21154c	2427	#endif /* NO_TIME_H */
wolfSSL	0:d92f9d21154c	2428
wolfSSL	0:d92f9d21154c	2429
wolfSSL	0:d92f9d21154c	2430	static int GetDate(DecodedCert* cert, int dateType)
wolfSSL	0:d92f9d21154c	2431	{
wolfSSL	0:d92f9d21154c	2432	int length;
wolfSSL	0:d92f9d21154c	2433	byte date[MAX_DATE_SIZE];
wolfSSL	0:d92f9d21154c	2434	byte b;
wolfSSL	0:d92f9d21154c	2435	word32 startIdx = 0;
wolfSSL	0:d92f9d21154c	2436
wolfSSL	0:d92f9d21154c	2437	if (dateType == BEFORE)
wolfSSL	0:d92f9d21154c	2438	cert->beforeDate = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2439	else
wolfSSL	0:d92f9d21154c	2440	cert->afterDate = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2441	startIdx = cert->srcIdx;
wolfSSL	0:d92f9d21154c	2442
wolfSSL	0:d92f9d21154c	2443	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	2444	if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
wolfSSL	0:d92f9d21154c	2445	return ASN_TIME_E;
wolfSSL	0:d92f9d21154c	2446
wolfSSL	0:d92f9d21154c	2447	if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	2448	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	2449
wolfSSL	0:d92f9d21154c	2450	if (length > MAX_DATE_SIZE \|\| length < MIN_DATE_SIZE)
wolfSSL	0:d92f9d21154c	2451	return ASN_DATE_SZ_E;
wolfSSL	0:d92f9d21154c	2452
wolfSSL	0:d92f9d21154c	2453	XMEMCPY(date, &cert->source[cert->srcIdx], length);
wolfSSL	0:d92f9d21154c	2454	cert->srcIdx += length;
wolfSSL	0:d92f9d21154c	2455
wolfSSL	0:d92f9d21154c	2456	if (dateType == BEFORE)
wolfSSL	0:d92f9d21154c	2457	cert->beforeDateLen = cert->srcIdx - startIdx;
wolfSSL	0:d92f9d21154c	2458	else
wolfSSL	0:d92f9d21154c	2459	cert->afterDateLen = cert->srcIdx - startIdx;
wolfSSL	0:d92f9d21154c	2460
wolfSSL	0:d92f9d21154c	2461	if (!XVALIDATE_DATE(date, b, dateType)) {
wolfSSL	0:d92f9d21154c	2462	if (dateType == BEFORE)
wolfSSL	0:d92f9d21154c	2463	return ASN_BEFORE_DATE_E;
wolfSSL	0:d92f9d21154c	2464	else
wolfSSL	0:d92f9d21154c	2465	return ASN_AFTER_DATE_E;
wolfSSL	0:d92f9d21154c	2466	}
wolfSSL	0:d92f9d21154c	2467
wolfSSL	0:d92f9d21154c	2468	return 0;
wolfSSL	0:d92f9d21154c	2469	}
wolfSSL	0:d92f9d21154c	2470
wolfSSL	0:d92f9d21154c	2471
wolfSSL	0:d92f9d21154c	2472	static int GetValidity(DecodedCert* cert, int verify)
wolfSSL	0:d92f9d21154c	2473	{
wolfSSL	0:d92f9d21154c	2474	int length;
wolfSSL	0:d92f9d21154c	2475	int badDate = 0;
wolfSSL	0:d92f9d21154c	2476
wolfSSL	0:d92f9d21154c	2477	if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	2478	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	2479
wolfSSL	0:d92f9d21154c	2480	if (GetDate(cert, BEFORE) < 0 && verify)
wolfSSL	0:d92f9d21154c	2481	badDate = ASN_BEFORE_DATE_E; /* continue parsing */
wolfSSL	0:d92f9d21154c	2482
wolfSSL	0:d92f9d21154c	2483	if (GetDate(cert, AFTER) < 0 && verify)
wolfSSL	0:d92f9d21154c	2484	return ASN_AFTER_DATE_E;
wolfSSL	0:d92f9d21154c	2485
wolfSSL	0:d92f9d21154c	2486	if (badDate != 0)
wolfSSL	0:d92f9d21154c	2487	return badDate;
wolfSSL	0:d92f9d21154c	2488
wolfSSL	0:d92f9d21154c	2489	return 0;
wolfSSL	0:d92f9d21154c	2490	}
wolfSSL	0:d92f9d21154c	2491
wolfSSL	0:d92f9d21154c	2492
wolfSSL	0:d92f9d21154c	2493	int DecodeToKey(DecodedCert* cert, int verify)
wolfSSL	0:d92f9d21154c	2494	{
wolfSSL	0:d92f9d21154c	2495	int badDate = 0;
wolfSSL	0:d92f9d21154c	2496	int ret;
wolfSSL	0:d92f9d21154c	2497
wolfSSL	0:d92f9d21154c	2498	if ( (ret = GetCertHeader(cert)) < 0)
wolfSSL	0:d92f9d21154c	2499	return ret;
wolfSSL	0:d92f9d21154c	2500
wolfSSL	0:d92f9d21154c	2501	WOLFSSL_MSG("Got Cert Header");
wolfSSL	0:d92f9d21154c	2502
wolfSSL	0:d92f9d21154c	2503	if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
wolfSSL	0:d92f9d21154c	2504	cert->maxIdx)) < 0)
wolfSSL	0:d92f9d21154c	2505	return ret;
wolfSSL	0:d92f9d21154c	2506
wolfSSL	0:d92f9d21154c	2507	WOLFSSL_MSG("Got Algo ID");
wolfSSL	0:d92f9d21154c	2508
wolfSSL	0:d92f9d21154c	2509	if ( (ret = GetName(cert, ISSUER)) < 0)
wolfSSL	0:d92f9d21154c	2510	return ret;
wolfSSL	0:d92f9d21154c	2511
wolfSSL	0:d92f9d21154c	2512	if ( (ret = GetValidity(cert, verify)) < 0)
wolfSSL	0:d92f9d21154c	2513	badDate = ret;
wolfSSL	0:d92f9d21154c	2514
wolfSSL	0:d92f9d21154c	2515	if ( (ret = GetName(cert, SUBJECT)) < 0)
wolfSSL	0:d92f9d21154c	2516	return ret;
wolfSSL	0:d92f9d21154c	2517
wolfSSL	0:d92f9d21154c	2518	WOLFSSL_MSG("Got Subject Name");
wolfSSL	0:d92f9d21154c	2519
wolfSSL	0:d92f9d21154c	2520	if ( (ret = GetKey(cert)) < 0)
wolfSSL	0:d92f9d21154c	2521	return ret;
wolfSSL	0:d92f9d21154c	2522
wolfSSL	0:d92f9d21154c	2523	WOLFSSL_MSG("Got Key");
wolfSSL	0:d92f9d21154c	2524
wolfSSL	0:d92f9d21154c	2525	if (badDate != 0)
wolfSSL	0:d92f9d21154c	2526	return badDate;
wolfSSL	0:d92f9d21154c	2527
wolfSSL	0:d92f9d21154c	2528	return ret;
wolfSSL	0:d92f9d21154c	2529	}
wolfSSL	0:d92f9d21154c	2530
wolfSSL	0:d92f9d21154c	2531
wolfSSL	0:d92f9d21154c	2532	static int GetSignature(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	2533	{
wolfSSL	0:d92f9d21154c	2534	int length;
wolfSSL	0:d92f9d21154c	2535	byte b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	2536
wolfSSL	0:d92f9d21154c	2537	if (b != ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	2538	return ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	2539
wolfSSL	0:d92f9d21154c	2540	if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
wolfSSL	0:d92f9d21154c	2541	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	2542
wolfSSL	0:d92f9d21154c	2543	cert->sigLength = length;
wolfSSL	0:d92f9d21154c	2544
wolfSSL	0:d92f9d21154c	2545	b = cert->source[cert->srcIdx++];
wolfSSL	0:d92f9d21154c	2546	if (b != 0x00)
wolfSSL	0:d92f9d21154c	2547	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	2548
wolfSSL	0:d92f9d21154c	2549	cert->sigLength--;
wolfSSL	0:d92f9d21154c	2550	cert->signature = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	2551	cert->srcIdx += cert->sigLength;
wolfSSL	0:d92f9d21154c	2552
wolfSSL	0:d92f9d21154c	2553	return 0;
wolfSSL	0:d92f9d21154c	2554	}
wolfSSL	0:d92f9d21154c	2555
wolfSSL	0:d92f9d21154c	2556
wolfSSL	0:d92f9d21154c	2557	static word32 SetDigest(const byte* digest, word32 digSz, byte* output)
wolfSSL	0:d92f9d21154c	2558	{
wolfSSL	0:d92f9d21154c	2559	output[0] = ASN_OCTET_STRING;
wolfSSL	0:d92f9d21154c	2560	output[1] = (byte)digSz;
wolfSSL	0:d92f9d21154c	2561	XMEMCPY(&output[2], digest, digSz);
wolfSSL	0:d92f9d21154c	2562
wolfSSL	0:d92f9d21154c	2563	return digSz + 2;
wolfSSL	0:d92f9d21154c	2564	}
wolfSSL	0:d92f9d21154c	2565
wolfSSL	0:d92f9d21154c	2566
wolfSSL	0:d92f9d21154c	2567	static word32 BytePrecision(word32 value)
wolfSSL	0:d92f9d21154c	2568	{
wolfSSL	0:d92f9d21154c	2569	word32 i;
wolfSSL	0:d92f9d21154c	2570	for (i = sizeof(value); i; --i)
wolfSSL	0:d92f9d21154c	2571	if (value >> ((i - 1) * WOLFSSL_BIT_SIZE))
wolfSSL	0:d92f9d21154c	2572	break;
wolfSSL	0:d92f9d21154c	2573
wolfSSL	0:d92f9d21154c	2574	return i;
wolfSSL	0:d92f9d21154c	2575	}
wolfSSL	0:d92f9d21154c	2576
wolfSSL	0:d92f9d21154c	2577
wolfSSL	0:d92f9d21154c	2578	WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
wolfSSL	0:d92f9d21154c	2579	{
wolfSSL	0:d92f9d21154c	2580	word32 i = 0, j;
wolfSSL	0:d92f9d21154c	2581
wolfSSL	0:d92f9d21154c	2582	if (length < ASN_LONG_LENGTH)
wolfSSL	0:d92f9d21154c	2583	output[i++] = (byte)length;
wolfSSL	0:d92f9d21154c	2584	else {
wolfSSL	0:d92f9d21154c	2585	output[i++] = (byte)(BytePrecision(length) \| ASN_LONG_LENGTH);
wolfSSL	0:d92f9d21154c	2586
wolfSSL	0:d92f9d21154c	2587	for (j = BytePrecision(length); j; --j) {
wolfSSL	0:d92f9d21154c	2588	output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
wolfSSL	0:d92f9d21154c	2589	i++;
wolfSSL	0:d92f9d21154c	2590	}
wolfSSL	0:d92f9d21154c	2591	}
wolfSSL	0:d92f9d21154c	2592
wolfSSL	0:d92f9d21154c	2593	return i;
wolfSSL	0:d92f9d21154c	2594	}
wolfSSL	0:d92f9d21154c	2595
wolfSSL	0:d92f9d21154c	2596
wolfSSL	0:d92f9d21154c	2597	WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
wolfSSL	0:d92f9d21154c	2598	{
wolfSSL	0:d92f9d21154c	2599	output[0] = ASN_SEQUENCE \| ASN_CONSTRUCTED;
wolfSSL	0:d92f9d21154c	2600	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	2601	}
wolfSSL	0:d92f9d21154c	2602
wolfSSL	0:d92f9d21154c	2603	WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
wolfSSL	0:d92f9d21154c	2604	{
wolfSSL	0:d92f9d21154c	2605	output[0] = ASN_OCTET_STRING;
wolfSSL	0:d92f9d21154c	2606	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	2607	}
wolfSSL	0:d92f9d21154c	2608
wolfSSL	0:d92f9d21154c	2609	/* Write a set header to output */
wolfSSL	0:d92f9d21154c	2610	WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output)
wolfSSL	0:d92f9d21154c	2611	{
wolfSSL	0:d92f9d21154c	2612	output[0] = ASN_SET \| ASN_CONSTRUCTED;
wolfSSL	0:d92f9d21154c	2613	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	2614	}
wolfSSL	0:d92f9d21154c	2615
wolfSSL	0:d92f9d21154c	2616	WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
wolfSSL	0:d92f9d21154c	2617	{
wolfSSL	0:d92f9d21154c	2618
wolfSSL	0:d92f9d21154c	2619	output[0] = ((tag == ASN_SEQUENCE \|\| tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
wolfSSL	0:d92f9d21154c	2620	\| ASN_CONTEXT_SPECIFIC \| number;
wolfSSL	0:d92f9d21154c	2621	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	2622	}
wolfSSL	0:d92f9d21154c	2623
wolfSSL	0:d92f9d21154c	2624	WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
wolfSSL	0:d92f9d21154c	2625	{
wolfSSL	0:d92f9d21154c	2626	output[0] = ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| number;
wolfSSL	0:d92f9d21154c	2627	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	2628	}
wolfSSL	0:d92f9d21154c	2629
wolfSSL	0:d92f9d21154c	2630
wolfSSL	0:d92f9d21154c	2631	#if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) \|\| defined(WOLFSSL_KEY_GEN))
wolfSSL	0:d92f9d21154c	2632
wolfSSL	0:d92f9d21154c	2633	static word32 SetCurve(ecc_key* key, byte* output)
wolfSSL	0:d92f9d21154c	2634	{
wolfSSL	0:d92f9d21154c	2635
wolfSSL	0:d92f9d21154c	2636	/* curve types */
wolfSSL	0:d92f9d21154c	2637	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC192)
wolfSSL	0:d92f9d21154c	2638	static const byte ECC_192v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL	0:d92f9d21154c	2639	0x03, 0x01, 0x01};
wolfSSL	0:d92f9d21154c	2640	#endif
wolfSSL	0:d92f9d21154c	2641	#if defined(HAVE_ALL_CURVES) \|\| !defined(NO_ECC256)
wolfSSL	0:d92f9d21154c	2642	static const byte ECC_256v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL	0:d92f9d21154c	2643	0x03, 0x01, 0x07};
wolfSSL	0:d92f9d21154c	2644	#endif
wolfSSL	0:d92f9d21154c	2645	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC160)
wolfSSL	0:d92f9d21154c	2646	static const byte ECC_160r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL	0:d92f9d21154c	2647	0x02};
wolfSSL	0:d92f9d21154c	2648	#endif
wolfSSL	0:d92f9d21154c	2649	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC224)
wolfSSL	0:d92f9d21154c	2650	static const byte ECC_224r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL	0:d92f9d21154c	2651	0x21};
wolfSSL	0:d92f9d21154c	2652	#endif
wolfSSL	0:d92f9d21154c	2653	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC384)
wolfSSL	0:d92f9d21154c	2654	static const byte ECC_384r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL	0:d92f9d21154c	2655	0x22};
wolfSSL	0:d92f9d21154c	2656	#endif
wolfSSL	0:d92f9d21154c	2657	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC521)
wolfSSL	0:d92f9d21154c	2658	static const byte ECC_521r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
wolfSSL	0:d92f9d21154c	2659	0x23};
wolfSSL	0:d92f9d21154c	2660	#endif
wolfSSL	0:d92f9d21154c	2661
wolfSSL	0:d92f9d21154c	2662	int oidSz = 0;
wolfSSL	0:d92f9d21154c	2663	int idx = 0;
wolfSSL	0:d92f9d21154c	2664	int lenSz = 0;
wolfSSL	0:d92f9d21154c	2665	const byte* oid = 0;
wolfSSL	0:d92f9d21154c	2666
wolfSSL	0:d92f9d21154c	2667	output[0] = ASN_OBJECT_ID;
wolfSSL	0:d92f9d21154c	2668	idx++;
wolfSSL	0:d92f9d21154c	2669
wolfSSL	0:d92f9d21154c	2670	switch (key->dp->size) {
wolfSSL	0:d92f9d21154c	2671	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC160)
wolfSSL	0:d92f9d21154c	2672	case 20:
wolfSSL	0:d92f9d21154c	2673	oidSz = sizeof(ECC_160r1_AlgoID);
wolfSSL	0:d92f9d21154c	2674	oid = ECC_160r1_AlgoID;
wolfSSL	0:d92f9d21154c	2675	break;
wolfSSL	0:d92f9d21154c	2676	#endif
wolfSSL	0:d92f9d21154c	2677
wolfSSL	0:d92f9d21154c	2678	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC192)
wolfSSL	0:d92f9d21154c	2679	case 24:
wolfSSL	0:d92f9d21154c	2680	oidSz = sizeof(ECC_192v1_AlgoID);
wolfSSL	0:d92f9d21154c	2681	oid = ECC_192v1_AlgoID;
wolfSSL	0:d92f9d21154c	2682	break;
wolfSSL	0:d92f9d21154c	2683	#endif
wolfSSL	0:d92f9d21154c	2684
wolfSSL	0:d92f9d21154c	2685	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC224)
wolfSSL	0:d92f9d21154c	2686	case 28:
wolfSSL	0:d92f9d21154c	2687	oidSz = sizeof(ECC_224r1_AlgoID);
wolfSSL	0:d92f9d21154c	2688	oid = ECC_224r1_AlgoID;
wolfSSL	0:d92f9d21154c	2689	break;
wolfSSL	0:d92f9d21154c	2690	#endif
wolfSSL	0:d92f9d21154c	2691
wolfSSL	0:d92f9d21154c	2692	#if defined(HAVE_ALL_CURVES) \|\| !defined(NO_ECC256)
wolfSSL	0:d92f9d21154c	2693	case 32:
wolfSSL	0:d92f9d21154c	2694	oidSz = sizeof(ECC_256v1_AlgoID);
wolfSSL	0:d92f9d21154c	2695	oid = ECC_256v1_AlgoID;
wolfSSL	0:d92f9d21154c	2696	break;
wolfSSL	0:d92f9d21154c	2697	#endif
wolfSSL	0:d92f9d21154c	2698
wolfSSL	0:d92f9d21154c	2699	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC384)
wolfSSL	0:d92f9d21154c	2700	case 48:
wolfSSL	0:d92f9d21154c	2701	oidSz = sizeof(ECC_384r1_AlgoID);
wolfSSL	0:d92f9d21154c	2702	oid = ECC_384r1_AlgoID;
wolfSSL	0:d92f9d21154c	2703	break;
wolfSSL	0:d92f9d21154c	2704	#endif
wolfSSL	0:d92f9d21154c	2705
wolfSSL	0:d92f9d21154c	2706	#if defined(HAVE_ALL_CURVES) \|\| defined(HAVE_ECC521)
wolfSSL	0:d92f9d21154c	2707	case 66:
wolfSSL	0:d92f9d21154c	2708	oidSz = sizeof(ECC_521r1_AlgoID);
wolfSSL	0:d92f9d21154c	2709	oid = ECC_521r1_AlgoID;
wolfSSL	0:d92f9d21154c	2710	break;
wolfSSL	0:d92f9d21154c	2711	#endif
wolfSSL	0:d92f9d21154c	2712
wolfSSL	0:d92f9d21154c	2713	default:
wolfSSL	0:d92f9d21154c	2714	return ASN_UNKNOWN_OID_E;
wolfSSL	0:d92f9d21154c	2715	}
wolfSSL	0:d92f9d21154c	2716	lenSz = SetLength(oidSz, output+idx);
wolfSSL	0:d92f9d21154c	2717	idx += lenSz;
wolfSSL	0:d92f9d21154c	2718
wolfSSL	0:d92f9d21154c	2719	XMEMCPY(output+idx, oid, oidSz);
wolfSSL	0:d92f9d21154c	2720	idx += oidSz;
wolfSSL	0:d92f9d21154c	2721
wolfSSL	0:d92f9d21154c	2722	return idx;
wolfSSL	0:d92f9d21154c	2723	}
wolfSSL	0:d92f9d21154c	2724
wolfSSL	0:d92f9d21154c	2725	#endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	2726
wolfSSL	0:d92f9d21154c	2727
wolfSSL	0:d92f9d21154c	2728	WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
wolfSSL	0:d92f9d21154c	2729	{
wolfSSL	0:d92f9d21154c	2730	/* adding TAG_NULL and 0 to end */
wolfSSL	0:d92f9d21154c	2731
wolfSSL	0:d92f9d21154c	2732	/* hashTypes */
wolfSSL	0:d92f9d21154c	2733	static const byte shaAlgoID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a,
wolfSSL	0:d92f9d21154c	2734	0x05, 0x00 };
wolfSSL	0:d92f9d21154c	2735	static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
wolfSSL	0:d92f9d21154c	2736	0x04, 0x02, 0x01, 0x05, 0x00 };
wolfSSL	0:d92f9d21154c	2737	static const byte sha384AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
wolfSSL	0:d92f9d21154c	2738	0x04, 0x02, 0x02, 0x05, 0x00 };
wolfSSL	0:d92f9d21154c	2739	static const byte sha512AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
wolfSSL	0:d92f9d21154c	2740	0x04, 0x02, 0x03, 0x05, 0x00 };
wolfSSL	0:d92f9d21154c	2741	static const byte md5AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL	0:d92f9d21154c	2742	0x02, 0x05, 0x05, 0x00 };
wolfSSL	0:d92f9d21154c	2743	static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL	0:d92f9d21154c	2744	0x02, 0x02, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2745
wolfSSL	0:d92f9d21154c	2746	/* blkTypes, no NULL tags because IV is there instead */
wolfSSL	0:d92f9d21154c	2747	static const byte desCbcAlgoID[] = { 0x2B, 0x0E, 0x03, 0x02, 0x07 };
wolfSSL	0:d92f9d21154c	2748	static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
wolfSSL	0:d92f9d21154c	2749	0x0D, 0x03, 0x07 };
wolfSSL	0:d92f9d21154c	2750
wolfSSL	0:d92f9d21154c	2751	/* RSA sigTypes */
wolfSSL	0:d92f9d21154c	2752	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	2753	static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
wolfSSL	0:d92f9d21154c	2754	0x0d, 0x01, 0x01, 0x04, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2755	static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
wolfSSL	0:d92f9d21154c	2756	0x0d, 0x01, 0x01, 0x05, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2757	static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
wolfSSL	0:d92f9d21154c	2758	0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2759	static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
wolfSSL	0:d92f9d21154c	2760	0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2761	static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
wolfSSL	0:d92f9d21154c	2762	0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2763	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	2764
wolfSSL	0:d92f9d21154c	2765	/* ECDSA sigTypes */
wolfSSL	0:d92f9d21154c	2766	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	2767	static const byte shawECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL	0:d92f9d21154c	2768	0x04, 0x01, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2769	static const byte sha256wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
wolfSSL	0:d92f9d21154c	2770	0x04, 0x03, 0x02, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2771	static const byte sha384wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
wolfSSL	0:d92f9d21154c	2772	0x04, 0x03, 0x03, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2773	static const byte sha512wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
wolfSSL	0:d92f9d21154c	2774	0x04, 0x03, 0x04, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2775	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	2776
wolfSSL	0:d92f9d21154c	2777	/* RSA keyType */
wolfSSL	0:d92f9d21154c	2778	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	2779	static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL	0:d92f9d21154c	2780	0x01, 0x01, 0x01, 0x05, 0x00};
wolfSSL	0:d92f9d21154c	2781	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	2782
wolfSSL	0:d92f9d21154c	2783	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	2784	/* ECC keyType */
wolfSSL	0:d92f9d21154c	2785	/* no tags, so set tagSz smaller later */
wolfSSL	0:d92f9d21154c	2786	static const byte ECC_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
wolfSSL	0:d92f9d21154c	2787	0x02, 0x01};
wolfSSL	0:d92f9d21154c	2788	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	2789
wolfSSL	0:d92f9d21154c	2790	int algoSz = 0;
wolfSSL	0:d92f9d21154c	2791	int tagSz = 2; /* tag null and terminator */
wolfSSL	0:d92f9d21154c	2792	word32 idSz, seqSz;
wolfSSL	0:d92f9d21154c	2793	const byte* algoName = 0;
wolfSSL	0:d92f9d21154c	2794	byte ID_Length[MAX_LENGTH_SZ];
wolfSSL	0:d92f9d21154c	2795	byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
wolfSSL	0:d92f9d21154c	2796
wolfSSL	0:d92f9d21154c	2797	if (type == hashType) {
wolfSSL	0:d92f9d21154c	2798	switch (algoOID) {
wolfSSL	0:d92f9d21154c	2799	case SHAh:
wolfSSL	0:d92f9d21154c	2800	algoSz = sizeof(shaAlgoID);
wolfSSL	0:d92f9d21154c	2801	algoName = shaAlgoID;
wolfSSL	0:d92f9d21154c	2802	break;
wolfSSL	0:d92f9d21154c	2803
wolfSSL	0:d92f9d21154c	2804	case SHA256h:
wolfSSL	0:d92f9d21154c	2805	algoSz = sizeof(sha256AlgoID);
wolfSSL	0:d92f9d21154c	2806	algoName = sha256AlgoID;
wolfSSL	0:d92f9d21154c	2807	break;
wolfSSL	0:d92f9d21154c	2808
wolfSSL	0:d92f9d21154c	2809	case SHA384h:
wolfSSL	0:d92f9d21154c	2810	algoSz = sizeof(sha384AlgoID);
wolfSSL	0:d92f9d21154c	2811	algoName = sha384AlgoID;
wolfSSL	0:d92f9d21154c	2812	break;
wolfSSL	0:d92f9d21154c	2813
wolfSSL	0:d92f9d21154c	2814	case SHA512h:
wolfSSL	0:d92f9d21154c	2815	algoSz = sizeof(sha512AlgoID);
wolfSSL	0:d92f9d21154c	2816	algoName = sha512AlgoID;
wolfSSL	0:d92f9d21154c	2817	break;
wolfSSL	0:d92f9d21154c	2818
wolfSSL	0:d92f9d21154c	2819	case MD2h:
wolfSSL	0:d92f9d21154c	2820	algoSz = sizeof(md2AlgoID);
wolfSSL	0:d92f9d21154c	2821	algoName = md2AlgoID;
wolfSSL	0:d92f9d21154c	2822	break;
wolfSSL	0:d92f9d21154c	2823
wolfSSL	0:d92f9d21154c	2824	case MD5h:
wolfSSL	0:d92f9d21154c	2825	algoSz = sizeof(md5AlgoID);
wolfSSL	0:d92f9d21154c	2826	algoName = md5AlgoID;
wolfSSL	0:d92f9d21154c	2827	break;
wolfSSL	0:d92f9d21154c	2828
wolfSSL	0:d92f9d21154c	2829	default:
wolfSSL	0:d92f9d21154c	2830	WOLFSSL_MSG("Unknown Hash Algo");
wolfSSL	0:d92f9d21154c	2831	return 0; /* UNKOWN_HASH_E; */
wolfSSL	0:d92f9d21154c	2832	}
wolfSSL	0:d92f9d21154c	2833	}
wolfSSL	0:d92f9d21154c	2834	else if (type == blkType) {
wolfSSL	0:d92f9d21154c	2835	switch (algoOID) {
wolfSSL	0:d92f9d21154c	2836	case DESb:
wolfSSL	0:d92f9d21154c	2837	algoSz = sizeof(desCbcAlgoID);
wolfSSL	0:d92f9d21154c	2838	algoName = desCbcAlgoID;
wolfSSL	0:d92f9d21154c	2839	tagSz = 0;
wolfSSL	0:d92f9d21154c	2840	break;
wolfSSL	0:d92f9d21154c	2841	case DES3b:
wolfSSL	0:d92f9d21154c	2842	algoSz = sizeof(des3CbcAlgoID);
wolfSSL	0:d92f9d21154c	2843	algoName = des3CbcAlgoID;
wolfSSL	0:d92f9d21154c	2844	tagSz = 0;
wolfSSL	0:d92f9d21154c	2845	break;
wolfSSL	0:d92f9d21154c	2846	default:
wolfSSL	0:d92f9d21154c	2847	WOLFSSL_MSG("Unknown Block Algo");
wolfSSL	0:d92f9d21154c	2848	return 0;
wolfSSL	0:d92f9d21154c	2849	}
wolfSSL	0:d92f9d21154c	2850	}
wolfSSL	0:d92f9d21154c	2851	else if (type == sigType) { /* sigType */
wolfSSL	0:d92f9d21154c	2852	switch (algoOID) {
wolfSSL	0:d92f9d21154c	2853	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	2854	case CTC_MD5wRSA:
wolfSSL	0:d92f9d21154c	2855	algoSz = sizeof(md5wRSA_AlgoID);
wolfSSL	0:d92f9d21154c	2856	algoName = md5wRSA_AlgoID;
wolfSSL	0:d92f9d21154c	2857	break;
wolfSSL	0:d92f9d21154c	2858
wolfSSL	0:d92f9d21154c	2859	case CTC_SHAwRSA:
wolfSSL	0:d92f9d21154c	2860	algoSz = sizeof(shawRSA_AlgoID);
wolfSSL	0:d92f9d21154c	2861	algoName = shawRSA_AlgoID;
wolfSSL	0:d92f9d21154c	2862	break;
wolfSSL	0:d92f9d21154c	2863
wolfSSL	0:d92f9d21154c	2864	case CTC_SHA256wRSA:
wolfSSL	0:d92f9d21154c	2865	algoSz = sizeof(sha256wRSA_AlgoID);
wolfSSL	0:d92f9d21154c	2866	algoName = sha256wRSA_AlgoID;
wolfSSL	0:d92f9d21154c	2867	break;
wolfSSL	0:d92f9d21154c	2868
wolfSSL	0:d92f9d21154c	2869	case CTC_SHA384wRSA:
wolfSSL	0:d92f9d21154c	2870	algoSz = sizeof(sha384wRSA_AlgoID);
wolfSSL	0:d92f9d21154c	2871	algoName = sha384wRSA_AlgoID;
wolfSSL	0:d92f9d21154c	2872	break;
wolfSSL	0:d92f9d21154c	2873
wolfSSL	0:d92f9d21154c	2874	case CTC_SHA512wRSA:
wolfSSL	0:d92f9d21154c	2875	algoSz = sizeof(sha512wRSA_AlgoID);
wolfSSL	0:d92f9d21154c	2876	algoName = sha512wRSA_AlgoID;
wolfSSL	0:d92f9d21154c	2877	break;
wolfSSL	0:d92f9d21154c	2878	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	2879	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	2880	case CTC_SHAwECDSA:
wolfSSL	0:d92f9d21154c	2881	algoSz = sizeof(shawECDSA_AlgoID);
wolfSSL	0:d92f9d21154c	2882	algoName = shawECDSA_AlgoID;
wolfSSL	0:d92f9d21154c	2883	break;
wolfSSL	0:d92f9d21154c	2884
wolfSSL	0:d92f9d21154c	2885	case CTC_SHA256wECDSA:
wolfSSL	0:d92f9d21154c	2886	algoSz = sizeof(sha256wECDSA_AlgoID);
wolfSSL	0:d92f9d21154c	2887	algoName = sha256wECDSA_AlgoID;
wolfSSL	0:d92f9d21154c	2888	break;
wolfSSL	0:d92f9d21154c	2889
wolfSSL	0:d92f9d21154c	2890	case CTC_SHA384wECDSA:
wolfSSL	0:d92f9d21154c	2891	algoSz = sizeof(sha384wECDSA_AlgoID);
wolfSSL	0:d92f9d21154c	2892	algoName = sha384wECDSA_AlgoID;
wolfSSL	0:d92f9d21154c	2893	break;
wolfSSL	0:d92f9d21154c	2894
wolfSSL	0:d92f9d21154c	2895	case CTC_SHA512wECDSA:
wolfSSL	0:d92f9d21154c	2896	algoSz = sizeof(sha512wECDSA_AlgoID);
wolfSSL	0:d92f9d21154c	2897	algoName = sha512wECDSA_AlgoID;
wolfSSL	0:d92f9d21154c	2898	break;
wolfSSL	0:d92f9d21154c	2899	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	2900	default:
wolfSSL	0:d92f9d21154c	2901	WOLFSSL_MSG("Unknown Signature Algo");
wolfSSL	0:d92f9d21154c	2902	return 0;
wolfSSL	0:d92f9d21154c	2903	}
wolfSSL	0:d92f9d21154c	2904	}
wolfSSL	0:d92f9d21154c	2905	else if (type == keyType) { /* keyType */
wolfSSL	0:d92f9d21154c	2906	switch (algoOID) {
wolfSSL	0:d92f9d21154c	2907	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	2908	case RSAk:
wolfSSL	0:d92f9d21154c	2909	algoSz = sizeof(RSA_AlgoID);
wolfSSL	0:d92f9d21154c	2910	algoName = RSA_AlgoID;
wolfSSL	0:d92f9d21154c	2911	break;
wolfSSL	0:d92f9d21154c	2912	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	2913	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	2914	case ECDSAk:
wolfSSL	0:d92f9d21154c	2915	algoSz = sizeof(ECC_AlgoID);
wolfSSL	0:d92f9d21154c	2916	algoName = ECC_AlgoID;
wolfSSL	0:d92f9d21154c	2917	tagSz = 0;
wolfSSL	0:d92f9d21154c	2918	break;
wolfSSL	0:d92f9d21154c	2919	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	2920	default:
wolfSSL	0:d92f9d21154c	2921	WOLFSSL_MSG("Unknown Key Algo");
wolfSSL	0:d92f9d21154c	2922	return 0;
wolfSSL	0:d92f9d21154c	2923	}
wolfSSL	0:d92f9d21154c	2924	}
wolfSSL	0:d92f9d21154c	2925	else {
wolfSSL	0:d92f9d21154c	2926	WOLFSSL_MSG("Unknown Algo type");
wolfSSL	0:d92f9d21154c	2927	return 0;
wolfSSL	0:d92f9d21154c	2928	}
wolfSSL	0:d92f9d21154c	2929
wolfSSL	0:d92f9d21154c	2930	idSz = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */
wolfSSL	0:d92f9d21154c	2931	seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray);
wolfSSL	0:d92f9d21154c	2932	/* +1 for object id, curveID of curveSz follows for ecc */
wolfSSL	0:d92f9d21154c	2933	seqArray[seqSz++] = ASN_OBJECT_ID;
wolfSSL	0:d92f9d21154c	2934
wolfSSL	0:d92f9d21154c	2935	XMEMCPY(output, seqArray, seqSz);
wolfSSL	0:d92f9d21154c	2936	XMEMCPY(output + seqSz, ID_Length, idSz);
wolfSSL	0:d92f9d21154c	2937	XMEMCPY(output + seqSz + idSz, algoName, algoSz);
wolfSSL	0:d92f9d21154c	2938
wolfSSL	0:d92f9d21154c	2939	return seqSz + idSz + algoSz;
wolfSSL	0:d92f9d21154c	2940
wolfSSL	0:d92f9d21154c	2941	}
wolfSSL	0:d92f9d21154c	2942
wolfSSL	0:d92f9d21154c	2943
wolfSSL	0:d92f9d21154c	2944	word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
wolfSSL	0:d92f9d21154c	2945	int hashOID)
wolfSSL	0:d92f9d21154c	2946	{
wolfSSL	0:d92f9d21154c	2947	byte digArray[MAX_ENCODED_DIG_SZ];
wolfSSL	0:d92f9d21154c	2948	byte algoArray[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	2949	byte seqArray[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	2950	word32 encDigSz, algoSz, seqSz;
wolfSSL	0:d92f9d21154c	2951
wolfSSL	0:d92f9d21154c	2952	encDigSz = SetDigest(digest, digSz, digArray);
wolfSSL	0:d92f9d21154c	2953	algoSz = SetAlgoID(hashOID, algoArray, hashType, 0);
wolfSSL	0:d92f9d21154c	2954	seqSz = SetSequence(encDigSz + algoSz, seqArray);
wolfSSL	0:d92f9d21154c	2955
wolfSSL	0:d92f9d21154c	2956	XMEMCPY(out, seqArray, seqSz);
wolfSSL	0:d92f9d21154c	2957	XMEMCPY(out + seqSz, algoArray, algoSz);
wolfSSL	0:d92f9d21154c	2958	XMEMCPY(out + seqSz + algoSz, digArray, encDigSz);
wolfSSL	0:d92f9d21154c	2959
wolfSSL	0:d92f9d21154c	2960	return encDigSz + algoSz + seqSz;
wolfSSL	0:d92f9d21154c	2961	}
wolfSSL	0:d92f9d21154c	2962
wolfSSL	0:d92f9d21154c	2963
wolfSSL	0:d92f9d21154c	2964	int wc_GetCTC_HashOID(int type)
wolfSSL	0:d92f9d21154c	2965	{
wolfSSL	0:d92f9d21154c	2966	switch (type) {
wolfSSL	0:d92f9d21154c	2967	#ifdef WOLFSSL_MD2
wolfSSL	0:d92f9d21154c	2968	case MD2:
wolfSSL	0:d92f9d21154c	2969	return MD2h;
wolfSSL	0:d92f9d21154c	2970	#endif
wolfSSL	0:d92f9d21154c	2971	#ifndef NO_MD5
wolfSSL	0:d92f9d21154c	2972	case MD5:
wolfSSL	0:d92f9d21154c	2973	return MD5h;
wolfSSL	0:d92f9d21154c	2974	#endif
wolfSSL	0:d92f9d21154c	2975	#ifndef NO_SHA
wolfSSL	0:d92f9d21154c	2976	case SHA:
wolfSSL	0:d92f9d21154c	2977	return SHAh;
wolfSSL	0:d92f9d21154c	2978	#endif
wolfSSL	0:d92f9d21154c	2979	#ifndef NO_SHA256
wolfSSL	0:d92f9d21154c	2980	case SHA256:
wolfSSL	0:d92f9d21154c	2981	return SHA256h;
wolfSSL	0:d92f9d21154c	2982	#endif
wolfSSL	0:d92f9d21154c	2983	#ifdef WOLFSSL_SHA384
wolfSSL	0:d92f9d21154c	2984	case SHA384:
wolfSSL	0:d92f9d21154c	2985	return SHA384h;
wolfSSL	0:d92f9d21154c	2986	#endif
wolfSSL	0:d92f9d21154c	2987	#ifdef WOLFSSL_SHA512
wolfSSL	0:d92f9d21154c	2988	case SHA512:
wolfSSL	0:d92f9d21154c	2989	return SHA512h;
wolfSSL	0:d92f9d21154c	2990	#endif
wolfSSL	0:d92f9d21154c	2991	default:
wolfSSL	0:d92f9d21154c	2992	return 0;
wolfSSL	0:d92f9d21154c	2993	};
wolfSSL	0:d92f9d21154c	2994	}
wolfSSL	0:d92f9d21154c	2995
wolfSSL	0:d92f9d21154c	2996
wolfSSL	0:d92f9d21154c	2997	/* return true (1) or false (0) for Confirmation */
wolfSSL	0:d92f9d21154c	2998	static int ConfirmSignature(const byte* buf, word32 bufSz,
wolfSSL	0:d92f9d21154c	2999	const byte* key, word32 keySz, word32 keyOID,
wolfSSL	0:d92f9d21154c	3000	const byte* sig, word32 sigSz, word32 sigOID,
wolfSSL	0:d92f9d21154c	3001	void* heap)
wolfSSL	0:d92f9d21154c	3002	{
wolfSSL	0:d92f9d21154c	3003	int typeH = 0, digestSz = 0, ret = 0;
wolfSSL	0:d92f9d21154c	3004	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3005	byte* digest;
wolfSSL	0:d92f9d21154c	3006	#else
wolfSSL	0:d92f9d21154c	3007	byte digest[MAX_DIGEST_SIZE];
wolfSSL	0:d92f9d21154c	3008	#endif
wolfSSL	0:d92f9d21154c	3009
wolfSSL	0:d92f9d21154c	3010	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3011	digest = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3012	if (digest == NULL)
wolfSSL	0:d92f9d21154c	3013	return 0; /* not confirmed */
wolfSSL	0:d92f9d21154c	3014	#endif
wolfSSL	0:d92f9d21154c	3015
wolfSSL	0:d92f9d21154c	3016	(void)key;
wolfSSL	0:d92f9d21154c	3017	(void)keySz;
wolfSSL	0:d92f9d21154c	3018	(void)sig;
wolfSSL	0:d92f9d21154c	3019	(void)sigSz;
wolfSSL	0:d92f9d21154c	3020	(void)heap;
wolfSSL	0:d92f9d21154c	3021
wolfSSL	0:d92f9d21154c	3022	switch (sigOID) {
wolfSSL	0:d92f9d21154c	3023	#ifndef NO_MD5
wolfSSL	0:d92f9d21154c	3024	case CTC_MD5wRSA:
wolfSSL	0:d92f9d21154c	3025	if (wc_Md5Hash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3026	typeH = MD5h;
wolfSSL	0:d92f9d21154c	3027	digestSz = MD5_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3028	}
wolfSSL	0:d92f9d21154c	3029	break;
wolfSSL	0:d92f9d21154c	3030	#endif
wolfSSL	0:d92f9d21154c	3031	#if defined(WOLFSSL_MD2)
wolfSSL	0:d92f9d21154c	3032	case CTC_MD2wRSA:
wolfSSL	0:d92f9d21154c	3033	if (wc_Md2Hash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3034	typeH = MD2h;
wolfSSL	0:d92f9d21154c	3035	digestSz = MD2_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3036	}
wolfSSL	0:d92f9d21154c	3037	break;
wolfSSL	0:d92f9d21154c	3038	#endif
wolfSSL	0:d92f9d21154c	3039	#ifndef NO_SHA
wolfSSL	0:d92f9d21154c	3040	case CTC_SHAwRSA:
wolfSSL	0:d92f9d21154c	3041	case CTC_SHAwDSA:
wolfSSL	0:d92f9d21154c	3042	case CTC_SHAwECDSA:
wolfSSL	0:d92f9d21154c	3043	if (wc_ShaHash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3044	typeH = SHAh;
wolfSSL	0:d92f9d21154c	3045	digestSz = SHA_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3046	}
wolfSSL	0:d92f9d21154c	3047	break;
wolfSSL	0:d92f9d21154c	3048	#endif
wolfSSL	0:d92f9d21154c	3049	#ifndef NO_SHA256
wolfSSL	0:d92f9d21154c	3050	case CTC_SHA256wRSA:
wolfSSL	0:d92f9d21154c	3051	case CTC_SHA256wECDSA:
wolfSSL	0:d92f9d21154c	3052	if (wc_Sha256Hash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3053	typeH = SHA256h;
wolfSSL	0:d92f9d21154c	3054	digestSz = SHA256_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3055	}
wolfSSL	0:d92f9d21154c	3056	break;
wolfSSL	0:d92f9d21154c	3057	#endif
wolfSSL	0:d92f9d21154c	3058	#ifdef WOLFSSL_SHA512
wolfSSL	0:d92f9d21154c	3059	case CTC_SHA512wRSA:
wolfSSL	0:d92f9d21154c	3060	case CTC_SHA512wECDSA:
wolfSSL	0:d92f9d21154c	3061	if (wc_Sha512Hash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3062	typeH = SHA512h;
wolfSSL	0:d92f9d21154c	3063	digestSz = SHA512_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3064	}
wolfSSL	0:d92f9d21154c	3065	break;
wolfSSL	0:d92f9d21154c	3066	#endif
wolfSSL	0:d92f9d21154c	3067	#ifdef WOLFSSL_SHA384
wolfSSL	0:d92f9d21154c	3068	case CTC_SHA384wRSA:
wolfSSL	0:d92f9d21154c	3069	case CTC_SHA384wECDSA:
wolfSSL	0:d92f9d21154c	3070	if (wc_Sha384Hash(buf, bufSz, digest) == 0) {
wolfSSL	0:d92f9d21154c	3071	typeH = SHA384h;
wolfSSL	0:d92f9d21154c	3072	digestSz = SHA384_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	3073	}
wolfSSL	0:d92f9d21154c	3074	break;
wolfSSL	0:d92f9d21154c	3075	#endif
wolfSSL	0:d92f9d21154c	3076	default:
wolfSSL	0:d92f9d21154c	3077	WOLFSSL_MSG("Verify Signautre has unsupported type");
wolfSSL	0:d92f9d21154c	3078	}
wolfSSL	0:d92f9d21154c	3079
wolfSSL	0:d92f9d21154c	3080	if (typeH == 0) {
wolfSSL	0:d92f9d21154c	3081	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3082	XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3083	#endif
wolfSSL	0:d92f9d21154c	3084	return 0; /* not confirmed */
wolfSSL	0:d92f9d21154c	3085	}
wolfSSL	0:d92f9d21154c	3086
wolfSSL	0:d92f9d21154c	3087	switch (keyOID) {
wolfSSL	0:d92f9d21154c	3088	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	3089	case RSAk:
wolfSSL	0:d92f9d21154c	3090	{
wolfSSL	0:d92f9d21154c	3091	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3092	int encodedSigSz, verifySz;
wolfSSL	0:d92f9d21154c	3093	byte* out;
wolfSSL	0:d92f9d21154c	3094	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3095	RsaKey* pubKey;
wolfSSL	0:d92f9d21154c	3096	byte* plain;
wolfSSL	0:d92f9d21154c	3097	byte* encodedSig;
wolfSSL	0:d92f9d21154c	3098	#else
wolfSSL	0:d92f9d21154c	3099	RsaKey pubKey[1];
wolfSSL	0:d92f9d21154c	3100	byte plain[MAX_ENCODED_SIG_SZ];
wolfSSL	0:d92f9d21154c	3101	byte encodedSig[MAX_ENCODED_SIG_SZ];
wolfSSL	0:d92f9d21154c	3102	#endif
wolfSSL	0:d92f9d21154c	3103
wolfSSL	0:d92f9d21154c	3104	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3105	pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
wolfSSL	0:d92f9d21154c	3106	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3107	plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL	0:d92f9d21154c	3108	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3109	encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
wolfSSL	0:d92f9d21154c	3110	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3111
wolfSSL	0:d92f9d21154c	3112	if (pubKey == NULL \|\| plain == NULL \|\| encodedSig == NULL) {
wolfSSL	0:d92f9d21154c	3113	WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature");
wolfSSL	0:d92f9d21154c	3114
wolfSSL	0:d92f9d21154c	3115	if (pubKey)
wolfSSL	0:d92f9d21154c	3116	XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3117	if (plain)
wolfSSL	0:d92f9d21154c	3118	XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3119	if (encodedSig)
wolfSSL	0:d92f9d21154c	3120	XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3121
wolfSSL	0:d92f9d21154c	3122	break; /* not confirmed */
wolfSSL	0:d92f9d21154c	3123	}
wolfSSL	0:d92f9d21154c	3124	#endif
wolfSSL	0:d92f9d21154c	3125
wolfSSL	0:d92f9d21154c	3126	if (sigSz > MAX_ENCODED_SIG_SZ) {
wolfSSL	0:d92f9d21154c	3127	WOLFSSL_MSG("Verify Signautre is too big");
wolfSSL	0:d92f9d21154c	3128	}
wolfSSL	0:d92f9d21154c	3129	else if (wc_InitRsaKey(pubKey, heap) != 0) {
wolfSSL	0:d92f9d21154c	3130	WOLFSSL_MSG("InitRsaKey failed");
wolfSSL	0:d92f9d21154c	3131	}
wolfSSL	0:d92f9d21154c	3132	else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) {
wolfSSL	0:d92f9d21154c	3133	WOLFSSL_MSG("ASN Key decode error RSA");
wolfSSL	0:d92f9d21154c	3134	}
wolfSSL	0:d92f9d21154c	3135	else {
wolfSSL	0:d92f9d21154c	3136	XMEMCPY(plain, sig, sigSz);
wolfSSL	0:d92f9d21154c	3137
wolfSSL	0:d92f9d21154c	3138	if ((verifySz = wc_RsaSSL_VerifyInline(plain, sigSz, &out,
wolfSSL	0:d92f9d21154c	3139	pubKey)) < 0) {
wolfSSL	0:d92f9d21154c	3140	WOLFSSL_MSG("Rsa SSL verify error");
wolfSSL	0:d92f9d21154c	3141	}
wolfSSL	0:d92f9d21154c	3142	else {
wolfSSL	0:d92f9d21154c	3143	/* make sure we're right justified */
wolfSSL	0:d92f9d21154c	3144	encodedSigSz =
wolfSSL	0:d92f9d21154c	3145	wc_EncodeSignature(encodedSig, digest, digestSz, typeH);
wolfSSL	0:d92f9d21154c	3146	if (encodedSigSz != verifySz \|\|
wolfSSL	0:d92f9d21154c	3147	XMEMCMP(out, encodedSig, encodedSigSz) != 0) {
wolfSSL	0:d92f9d21154c	3148	WOLFSSL_MSG("Rsa SSL verify match encode error");
wolfSSL	0:d92f9d21154c	3149	}
wolfSSL	0:d92f9d21154c	3150	else
wolfSSL	0:d92f9d21154c	3151	ret = 1; /* match */
wolfSSL	0:d92f9d21154c	3152
wolfSSL	0:d92f9d21154c	3153	#ifdef WOLFSSL_DEBUG_ENCODING
wolfSSL	0:d92f9d21154c	3154	{
wolfSSL	0:d92f9d21154c	3155	int x;
wolfSSL	0:d92f9d21154c	3156
wolfSSL	0:d92f9d21154c	3157	printf("wolfssl encodedSig:\n");
wolfSSL	0:d92f9d21154c	3158
wolfSSL	0:d92f9d21154c	3159	for (x = 0; x < encodedSigSz; x++) {
wolfSSL	0:d92f9d21154c	3160	printf("%02x ", encodedSig[x]);
wolfSSL	0:d92f9d21154c	3161	if ( (x % 16) == 15)
wolfSSL	0:d92f9d21154c	3162	printf("\n");
wolfSSL	0:d92f9d21154c	3163	}
wolfSSL	0:d92f9d21154c	3164
wolfSSL	0:d92f9d21154c	3165	printf("\n");
wolfSSL	0:d92f9d21154c	3166	printf("actual digest:\n");
wolfSSL	0:d92f9d21154c	3167
wolfSSL	0:d92f9d21154c	3168	for (x = 0; x < verifySz; x++) {
wolfSSL	0:d92f9d21154c	3169	printf("%02x ", out[x]);
wolfSSL	0:d92f9d21154c	3170	if ( (x % 16) == 15)
wolfSSL	0:d92f9d21154c	3171	printf("\n");
wolfSSL	0:d92f9d21154c	3172	}
wolfSSL	0:d92f9d21154c	3173
wolfSSL	0:d92f9d21154c	3174	printf("\n");
wolfSSL	0:d92f9d21154c	3175	}
wolfSSL	0:d92f9d21154c	3176	#endif /* WOLFSSL_DEBUG_ENCODING */
wolfSSL	0:d92f9d21154c	3177
wolfSSL	0:d92f9d21154c	3178	}
wolfSSL	0:d92f9d21154c	3179
wolfSSL	0:d92f9d21154c	3180	}
wolfSSL	0:d92f9d21154c	3181
wolfSSL	0:d92f9d21154c	3182	wc_FreeRsaKey(pubKey);
wolfSSL	0:d92f9d21154c	3183
wolfSSL	0:d92f9d21154c	3184	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3185	XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3186	XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3187	XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3188	#endif
wolfSSL	0:d92f9d21154c	3189	break;
wolfSSL	0:d92f9d21154c	3190	}
wolfSSL	0:d92f9d21154c	3191
wolfSSL	0:d92f9d21154c	3192	#endif /* NO_RSA */
wolfSSL	0:d92f9d21154c	3193	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	3194	case ECDSAk:
wolfSSL	0:d92f9d21154c	3195	{
wolfSSL	0:d92f9d21154c	3196	int verify = 0;
wolfSSL	0:d92f9d21154c	3197	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3198	ecc_key* pubKey;
wolfSSL	0:d92f9d21154c	3199	#else
wolfSSL	0:d92f9d21154c	3200	ecc_key pubKey[1];
wolfSSL	0:d92f9d21154c	3201	#endif
wolfSSL	0:d92f9d21154c	3202
wolfSSL	0:d92f9d21154c	3203	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3204	pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL,
wolfSSL	0:d92f9d21154c	3205	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3206	if (pubKey == NULL) {
wolfSSL	0:d92f9d21154c	3207	WOLFSSL_MSG("Failed to allocate pubKey");
wolfSSL	0:d92f9d21154c	3208	break; /* not confirmed */
wolfSSL	0:d92f9d21154c	3209	}
wolfSSL	0:d92f9d21154c	3210	#endif
wolfSSL	0:d92f9d21154c	3211
wolfSSL	0:d92f9d21154c	3212	if (wc_ecc_init(pubKey) < 0) {
wolfSSL	0:d92f9d21154c	3213	WOLFSSL_MSG("Failed to initialize key");
wolfSSL	0:d92f9d21154c	3214	break; /* not confirmed */
wolfSSL	0:d92f9d21154c	3215	}
wolfSSL	0:d92f9d21154c	3216	if (wc_ecc_import_x963(key, keySz, pubKey) < 0) {
wolfSSL	0:d92f9d21154c	3217	WOLFSSL_MSG("ASN Key import error ECC");
wolfSSL	0:d92f9d21154c	3218	}
wolfSSL	0:d92f9d21154c	3219	else {
wolfSSL	0:d92f9d21154c	3220	if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify,
wolfSSL	0:d92f9d21154c	3221	pubKey) != 0) {
wolfSSL	0:d92f9d21154c	3222	WOLFSSL_MSG("ECC verify hash error");
wolfSSL	0:d92f9d21154c	3223	}
wolfSSL	0:d92f9d21154c	3224	else if (1 != verify) {
wolfSSL	0:d92f9d21154c	3225	WOLFSSL_MSG("ECC Verify didn't match");
wolfSSL	0:d92f9d21154c	3226	} else
wolfSSL	0:d92f9d21154c	3227	ret = 1; /* match */
wolfSSL	0:d92f9d21154c	3228
wolfSSL	0:d92f9d21154c	3229	}
wolfSSL	0:d92f9d21154c	3230	wc_ecc_free(pubKey);
wolfSSL	0:d92f9d21154c	3231
wolfSSL	0:d92f9d21154c	3232	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3233	XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3234	#endif
wolfSSL	0:d92f9d21154c	3235	break;
wolfSSL	0:d92f9d21154c	3236	}
wolfSSL	0:d92f9d21154c	3237	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	3238	default:
wolfSSL	0:d92f9d21154c	3239	WOLFSSL_MSG("Verify Key type unknown");
wolfSSL	0:d92f9d21154c	3240	}
wolfSSL	0:d92f9d21154c	3241
wolfSSL	0:d92f9d21154c	3242	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	3243	XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	3244	#endif
wolfSSL	0:d92f9d21154c	3245
wolfSSL	0:d92f9d21154c	3246	return ret;
wolfSSL	0:d92f9d21154c	3247	}
wolfSSL	0:d92f9d21154c	3248
wolfSSL	0:d92f9d21154c	3249
wolfSSL	0:d92f9d21154c	3250	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	3251
wolfSSL	0:d92f9d21154c	3252	static int MatchBaseName(int type, const char* name, int nameSz,
wolfSSL	0:d92f9d21154c	3253	const char* base, int baseSz)
wolfSSL	0:d92f9d21154c	3254	{
wolfSSL	0:d92f9d21154c	3255	if (base == NULL \|\| baseSz <= 0 \|\| name == NULL \|\| nameSz <= 0 \|\|
wolfSSL	0:d92f9d21154c	3256	name[0] == '.' \|\| nameSz < baseSz \|\|
wolfSSL	0:d92f9d21154c	3257	(type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE))
wolfSSL	0:d92f9d21154c	3258	return 0;
wolfSSL	0:d92f9d21154c	3259
wolfSSL	0:d92f9d21154c	3260	/* If an email type, handle special cases where the base is only
wolfSSL	0:d92f9d21154c	3261	* a domain, or is an email address itself. */
wolfSSL	0:d92f9d21154c	3262	if (type == ASN_RFC822_TYPE) {
wolfSSL	0:d92f9d21154c	3263	const char* p = NULL;
wolfSSL	0:d92f9d21154c	3264	int count = 0;
wolfSSL	0:d92f9d21154c	3265
wolfSSL	0:d92f9d21154c	3266	if (base[0] != '.') {
wolfSSL	0:d92f9d21154c	3267	p = base;
wolfSSL	0:d92f9d21154c	3268	count = 0;
wolfSSL	0:d92f9d21154c	3269
wolfSSL	0:d92f9d21154c	3270	/* find the '@' in the base */
wolfSSL	0:d92f9d21154c	3271	while (*p != '@' && count < baseSz) {
wolfSSL	0:d92f9d21154c	3272	count++;
wolfSSL	0:d92f9d21154c	3273	p++;
wolfSSL	0:d92f9d21154c	3274	}
wolfSSL	0:d92f9d21154c	3275
wolfSSL	0:d92f9d21154c	3276	/* No '@' in base, reset p to NULL */
wolfSSL	0:d92f9d21154c	3277	if (count >= baseSz)
wolfSSL	0:d92f9d21154c	3278	p = NULL;
wolfSSL	0:d92f9d21154c	3279	}
wolfSSL	0:d92f9d21154c	3280
wolfSSL	0:d92f9d21154c	3281	if (p == NULL) {
wolfSSL	0:d92f9d21154c	3282	/* Base isn't an email address, it is a domain name,
wolfSSL	0:d92f9d21154c	3283	* wind the name forward one character past its '@'. */
wolfSSL	0:d92f9d21154c	3284	p = name;
wolfSSL	0:d92f9d21154c	3285	count = 0;
wolfSSL	0:d92f9d21154c	3286	while (*p != '@' && count < baseSz) {
wolfSSL	0:d92f9d21154c	3287	count++;
wolfSSL	0:d92f9d21154c	3288	p++;
wolfSSL	0:d92f9d21154c	3289	}
wolfSSL	0:d92f9d21154c	3290
wolfSSL	0:d92f9d21154c	3291	if (count < baseSz && *p == '@') {
wolfSSL	0:d92f9d21154c	3292	name = p + 1;
wolfSSL	0:d92f9d21154c	3293	nameSz -= count + 1;
wolfSSL	0:d92f9d21154c	3294	}
wolfSSL	0:d92f9d21154c	3295	}
wolfSSL	0:d92f9d21154c	3296	}
wolfSSL	0:d92f9d21154c	3297
wolfSSL	0:d92f9d21154c	3298	if ((type == ASN_DNS_TYPE \|\| type == ASN_RFC822_TYPE) && base[0] == '.') {
wolfSSL	0:d92f9d21154c	3299	int szAdjust = nameSz - baseSz;
wolfSSL	0:d92f9d21154c	3300	name += szAdjust;
wolfSSL	0:d92f9d21154c	3301	nameSz -= szAdjust;
wolfSSL	0:d92f9d21154c	3302	}
wolfSSL	0:d92f9d21154c	3303
wolfSSL	0:d92f9d21154c	3304	while (nameSz > 0) {
wolfSSL	0:d92f9d21154c	3305	if (XTOLOWER((unsigned char)*name++) !=
wolfSSL	0:d92f9d21154c	3306	XTOLOWER((unsigned char)*base++))
wolfSSL	0:d92f9d21154c	3307	return 0;
wolfSSL	0:d92f9d21154c	3308	nameSz--;
wolfSSL	0:d92f9d21154c	3309	}
wolfSSL	0:d92f9d21154c	3310
wolfSSL	0:d92f9d21154c	3311	return 1;
wolfSSL	0:d92f9d21154c	3312	}
wolfSSL	0:d92f9d21154c	3313
wolfSSL	0:d92f9d21154c	3314
wolfSSL	0:d92f9d21154c	3315	static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3316	{
wolfSSL	0:d92f9d21154c	3317	if (signer == NULL \|\| cert == NULL)
wolfSSL	0:d92f9d21154c	3318	return 0;
wolfSSL	0:d92f9d21154c	3319
wolfSSL	0:d92f9d21154c	3320	/* Check against the excluded list */
wolfSSL	0:d92f9d21154c	3321	if (signer->excludedNames) {
wolfSSL	0:d92f9d21154c	3322	Base_entry* base = signer->excludedNames;
wolfSSL	0:d92f9d21154c	3323
wolfSSL	0:d92f9d21154c	3324	while (base != NULL) {
wolfSSL	0:d92f9d21154c	3325	if (base->type == ASN_DNS_TYPE) {
wolfSSL	0:d92f9d21154c	3326	DNS_entry* name = cert->altNames;
wolfSSL	0:d92f9d21154c	3327	while (name != NULL) {
wolfSSL	0:d92f9d21154c	3328	if (MatchBaseName(ASN_DNS_TYPE,
wolfSSL	0:d92f9d21154c	3329	name->name, (int)XSTRLEN(name->name),
wolfSSL	0:d92f9d21154c	3330	base->name, base->nameSz))
wolfSSL	0:d92f9d21154c	3331	return 0;
wolfSSL	0:d92f9d21154c	3332	name = name->next;
wolfSSL	0:d92f9d21154c	3333	}
wolfSSL	0:d92f9d21154c	3334	}
wolfSSL	0:d92f9d21154c	3335	else if (base->type == ASN_RFC822_TYPE) {
wolfSSL	0:d92f9d21154c	3336	DNS_entry* name = cert->altEmailNames;
wolfSSL	0:d92f9d21154c	3337	while (name != NULL) {
wolfSSL	0:d92f9d21154c	3338	if (MatchBaseName(ASN_RFC822_TYPE,
wolfSSL	0:d92f9d21154c	3339	name->name, (int)XSTRLEN(name->name),
wolfSSL	0:d92f9d21154c	3340	base->name, base->nameSz))
wolfSSL	0:d92f9d21154c	3341	return 0;
wolfSSL	0:d92f9d21154c	3342
wolfSSL	0:d92f9d21154c	3343	name = name->next;
wolfSSL	0:d92f9d21154c	3344	}
wolfSSL	0:d92f9d21154c	3345	}
wolfSSL	0:d92f9d21154c	3346	else if (base->type == ASN_DIR_TYPE) {
wolfSSL	0:d92f9d21154c	3347	if (cert->subjectRawLen == base->nameSz &&
wolfSSL	0:d92f9d21154c	3348	XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL	0:d92f9d21154c	3349
wolfSSL	0:d92f9d21154c	3350	return 0;
wolfSSL	0:d92f9d21154c	3351	}
wolfSSL	0:d92f9d21154c	3352	}
wolfSSL	0:d92f9d21154c	3353	base = base->next;
wolfSSL	0:d92f9d21154c	3354	}
wolfSSL	0:d92f9d21154c	3355	}
wolfSSL	0:d92f9d21154c	3356
wolfSSL	0:d92f9d21154c	3357	/* Check against the permitted list */
wolfSSL	0:d92f9d21154c	3358	if (signer->permittedNames != NULL) {
wolfSSL	0:d92f9d21154c	3359	int needDns = 0;
wolfSSL	0:d92f9d21154c	3360	int matchDns = 0;
wolfSSL	0:d92f9d21154c	3361	int needEmail = 0;
wolfSSL	0:d92f9d21154c	3362	int matchEmail = 0;
wolfSSL	0:d92f9d21154c	3363	int needDir = 0;
wolfSSL	0:d92f9d21154c	3364	int matchDir = 0;
wolfSSL	0:d92f9d21154c	3365	Base_entry* base = signer->permittedNames;
wolfSSL	0:d92f9d21154c	3366
wolfSSL	0:d92f9d21154c	3367	while (base != NULL) {
wolfSSL	0:d92f9d21154c	3368	if (base->type == ASN_DNS_TYPE) {
wolfSSL	0:d92f9d21154c	3369	DNS_entry* name = cert->altNames;
wolfSSL	0:d92f9d21154c	3370
wolfSSL	0:d92f9d21154c	3371	if (name != NULL)
wolfSSL	0:d92f9d21154c	3372	needDns = 1;
wolfSSL	0:d92f9d21154c	3373
wolfSSL	0:d92f9d21154c	3374	while (name != NULL) {
wolfSSL	0:d92f9d21154c	3375	matchDns = MatchBaseName(ASN_DNS_TYPE,
wolfSSL	0:d92f9d21154c	3376	name->name, (int)XSTRLEN(name->name),
wolfSSL	0:d92f9d21154c	3377	base->name, base->nameSz);
wolfSSL	0:d92f9d21154c	3378	name = name->next;
wolfSSL	0:d92f9d21154c	3379	}
wolfSSL	0:d92f9d21154c	3380	}
wolfSSL	0:d92f9d21154c	3381	else if (base->type == ASN_RFC822_TYPE) {
wolfSSL	0:d92f9d21154c	3382	DNS_entry* name = cert->altEmailNames;
wolfSSL	0:d92f9d21154c	3383
wolfSSL	0:d92f9d21154c	3384	if (name != NULL)
wolfSSL	0:d92f9d21154c	3385	needEmail = 1;
wolfSSL	0:d92f9d21154c	3386
wolfSSL	0:d92f9d21154c	3387	while (name != NULL) {
wolfSSL	0:d92f9d21154c	3388	matchEmail = MatchBaseName(ASN_DNS_TYPE,
wolfSSL	0:d92f9d21154c	3389	name->name, (int)XSTRLEN(name->name),
wolfSSL	0:d92f9d21154c	3390	base->name, base->nameSz);
wolfSSL	0:d92f9d21154c	3391	name = name->next;
wolfSSL	0:d92f9d21154c	3392	}
wolfSSL	0:d92f9d21154c	3393	}
wolfSSL	0:d92f9d21154c	3394	else if (base->type == ASN_DIR_TYPE) {
wolfSSL	0:d92f9d21154c	3395	needDir = 1;
wolfSSL	0:d92f9d21154c	3396	if (cert->subjectRaw != NULL &&
wolfSSL	0:d92f9d21154c	3397	cert->subjectRawLen == base->nameSz &&
wolfSSL	0:d92f9d21154c	3398	XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
wolfSSL	0:d92f9d21154c	3399
wolfSSL	0:d92f9d21154c	3400	matchDir = 1;
wolfSSL	0:d92f9d21154c	3401	}
wolfSSL	0:d92f9d21154c	3402	}
wolfSSL	0:d92f9d21154c	3403	base = base->next;
wolfSSL	0:d92f9d21154c	3404	}
wolfSSL	0:d92f9d21154c	3405
wolfSSL	0:d92f9d21154c	3406	if ((needDns && !matchDns) \|\| (needEmail && !matchEmail) \|\|
wolfSSL	0:d92f9d21154c	3407	(needDir && !matchDir)) {
wolfSSL	0:d92f9d21154c	3408
wolfSSL	0:d92f9d21154c	3409	return 0;
wolfSSL	0:d92f9d21154c	3410	}
wolfSSL	0:d92f9d21154c	3411	}
wolfSSL	0:d92f9d21154c	3412
wolfSSL	0:d92f9d21154c	3413	return 1;
wolfSSL	0:d92f9d21154c	3414	}
wolfSSL	0:d92f9d21154c	3415
wolfSSL	0:d92f9d21154c	3416	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	3417
wolfSSL	0:d92f9d21154c	3418
wolfSSL	0:d92f9d21154c	3419	static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3420	{
wolfSSL	0:d92f9d21154c	3421	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3422	int length = 0;
wolfSSL	0:d92f9d21154c	3423
wolfSSL	0:d92f9d21154c	3424	WOLFSSL_ENTER("DecodeAltNames");
wolfSSL	0:d92f9d21154c	3425
wolfSSL	0:d92f9d21154c	3426	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3427	WOLFSSL_MSG("\tBad Sequence");
wolfSSL	0:d92f9d21154c	3428	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3429	}
wolfSSL	0:d92f9d21154c	3430
wolfSSL	0:d92f9d21154c	3431	cert->weOwnAltNames = 1;
wolfSSL	0:d92f9d21154c	3432
wolfSSL	0:d92f9d21154c	3433	while (length > 0) {
wolfSSL	0:d92f9d21154c	3434	byte b = input[idx++];
wolfSSL	0:d92f9d21154c	3435
wolfSSL	0:d92f9d21154c	3436	length--;
wolfSSL	0:d92f9d21154c	3437
wolfSSL	0:d92f9d21154c	3438	/* Save DNS Type names in the altNames list. */
wolfSSL	0:d92f9d21154c	3439	/* Save Other Type names in the cert's OidMap */
wolfSSL	0:d92f9d21154c	3440	if (b == (ASN_CONTEXT_SPECIFIC \| ASN_DNS_TYPE)) {
wolfSSL	0:d92f9d21154c	3441	DNS_entry* dnsEntry;
wolfSSL	0:d92f9d21154c	3442	int strLen;
wolfSSL	0:d92f9d21154c	3443	word32 lenStartIdx = idx;
wolfSSL	0:d92f9d21154c	3444
wolfSSL	0:d92f9d21154c	3445	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3446	WOLFSSL_MSG("\tfail: str length");
wolfSSL	0:d92f9d21154c	3447	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3448	}
wolfSSL	0:d92f9d21154c	3449	length -= (idx - lenStartIdx);
wolfSSL	0:d92f9d21154c	3450
wolfSSL	0:d92f9d21154c	3451	dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL	0:d92f9d21154c	3452	DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3453	if (dnsEntry == NULL) {
wolfSSL	0:d92f9d21154c	3454	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3455	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3456	}
wolfSSL	0:d92f9d21154c	3457
wolfSSL	0:d92f9d21154c	3458	dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL	0:d92f9d21154c	3459	DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3460	if (dnsEntry->name == NULL) {
wolfSSL	0:d92f9d21154c	3461	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3462	XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3463	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3464	}
wolfSSL	0:d92f9d21154c	3465
wolfSSL	0:d92f9d21154c	3466	XMEMCPY(dnsEntry->name, &input[idx], strLen);
wolfSSL	0:d92f9d21154c	3467	dnsEntry->name[strLen] = '\0';
wolfSSL	0:d92f9d21154c	3468
wolfSSL	0:d92f9d21154c	3469	dnsEntry->next = cert->altNames;
wolfSSL	0:d92f9d21154c	3470	cert->altNames = dnsEntry;
wolfSSL	0:d92f9d21154c	3471
wolfSSL	0:d92f9d21154c	3472	length -= strLen;
wolfSSL	0:d92f9d21154c	3473	idx += strLen;
wolfSSL	0:d92f9d21154c	3474	}
wolfSSL	0:d92f9d21154c	3475	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	3476	else if (b == (ASN_CONTEXT_SPECIFIC \| ASN_RFC822_TYPE)) {
wolfSSL	0:d92f9d21154c	3477	DNS_entry* emailEntry;
wolfSSL	0:d92f9d21154c	3478	int strLen;
wolfSSL	0:d92f9d21154c	3479	word32 lenStartIdx = idx;
wolfSSL	0:d92f9d21154c	3480
wolfSSL	0:d92f9d21154c	3481	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3482	WOLFSSL_MSG("\tfail: str length");
wolfSSL	0:d92f9d21154c	3483	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3484	}
wolfSSL	0:d92f9d21154c	3485	length -= (idx - lenStartIdx);
wolfSSL	0:d92f9d21154c	3486
wolfSSL	0:d92f9d21154c	3487	emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
wolfSSL	0:d92f9d21154c	3488	DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3489	if (emailEntry == NULL) {
wolfSSL	0:d92f9d21154c	3490	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3491	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3492	}
wolfSSL	0:d92f9d21154c	3493
wolfSSL	0:d92f9d21154c	3494	emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
wolfSSL	0:d92f9d21154c	3495	DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3496	if (emailEntry->name == NULL) {
wolfSSL	0:d92f9d21154c	3497	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3498	XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3499	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3500	}
wolfSSL	0:d92f9d21154c	3501
wolfSSL	0:d92f9d21154c	3502	XMEMCPY(emailEntry->name, &input[idx], strLen);
wolfSSL	0:d92f9d21154c	3503	emailEntry->name[strLen] = '\0';
wolfSSL	0:d92f9d21154c	3504
wolfSSL	0:d92f9d21154c	3505	emailEntry->next = cert->altEmailNames;
wolfSSL	0:d92f9d21154c	3506	cert->altEmailNames = emailEntry;
wolfSSL	0:d92f9d21154c	3507
wolfSSL	0:d92f9d21154c	3508	length -= strLen;
wolfSSL	0:d92f9d21154c	3509	idx += strLen;
wolfSSL	0:d92f9d21154c	3510	}
wolfSSL	0:d92f9d21154c	3511	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	3512	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	3513	else if (b == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| ASN_OTHER_TYPE))
wolfSSL	0:d92f9d21154c	3514	{
wolfSSL	0:d92f9d21154c	3515	int strLen;
wolfSSL	0:d92f9d21154c	3516	word32 lenStartIdx = idx;
wolfSSL	0:d92f9d21154c	3517	word32 oid = 0;
wolfSSL	0:d92f9d21154c	3518
wolfSSL	0:d92f9d21154c	3519	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3520	WOLFSSL_MSG("\tfail: other name length");
wolfSSL	0:d92f9d21154c	3521	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3522	}
wolfSSL	0:d92f9d21154c	3523	/* Consume the rest of this sequence. */
wolfSSL	0:d92f9d21154c	3524	length -= (strLen + idx - lenStartIdx);
wolfSSL	0:d92f9d21154c	3525
wolfSSL	0:d92f9d21154c	3526	if (GetObjectId(input, &idx, &oid, sz) < 0) {
wolfSSL	0:d92f9d21154c	3527	WOLFSSL_MSG("\tbad OID");
wolfSSL	0:d92f9d21154c	3528	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3529	}
wolfSSL	0:d92f9d21154c	3530
wolfSSL	0:d92f9d21154c	3531	if (oid != HW_NAME_OID) {
wolfSSL	0:d92f9d21154c	3532	WOLFSSL_MSG("\tincorrect OID");
wolfSSL	0:d92f9d21154c	3533	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3534	}
wolfSSL	0:d92f9d21154c	3535
wolfSSL	0:d92f9d21154c	3536	if (input[idx++] != (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED)) {
wolfSSL	0:d92f9d21154c	3537	WOLFSSL_MSG("\twrong type");
wolfSSL	0:d92f9d21154c	3538	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3539	}
wolfSSL	0:d92f9d21154c	3540
wolfSSL	0:d92f9d21154c	3541	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3542	WOLFSSL_MSG("\tfail: str len");
wolfSSL	0:d92f9d21154c	3543	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3544	}
wolfSSL	0:d92f9d21154c	3545
wolfSSL	0:d92f9d21154c	3546	if (GetSequence(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3547	WOLFSSL_MSG("\tBad Sequence");
wolfSSL	0:d92f9d21154c	3548	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3549	}
wolfSSL	0:d92f9d21154c	3550
wolfSSL	0:d92f9d21154c	3551	if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	3552	WOLFSSL_MSG("\texpected OID");
wolfSSL	0:d92f9d21154c	3553	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3554	}
wolfSSL	0:d92f9d21154c	3555
wolfSSL	0:d92f9d21154c	3556	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3557	WOLFSSL_MSG("\tfailed: str len");
wolfSSL	0:d92f9d21154c	3558	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3559	}
wolfSSL	0:d92f9d21154c	3560
wolfSSL	0:d92f9d21154c	3561	cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
wolfSSL	0:d92f9d21154c	3562	if (cert->hwType == NULL) {
wolfSSL	0:d92f9d21154c	3563	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3564	return MEMORY_E;
wolfSSL	0:d92f9d21154c	3565	}
wolfSSL	0:d92f9d21154c	3566
wolfSSL	0:d92f9d21154c	3567	XMEMCPY(cert->hwType, &input[idx], strLen);
wolfSSL	0:d92f9d21154c	3568	cert->hwTypeSz = strLen;
wolfSSL	0:d92f9d21154c	3569	idx += strLen;
wolfSSL	0:d92f9d21154c	3570
wolfSSL	0:d92f9d21154c	3571	if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	3572	WOLFSSL_MSG("\texpected Octet String");
wolfSSL	0:d92f9d21154c	3573	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3574	}
wolfSSL	0:d92f9d21154c	3575
wolfSSL	0:d92f9d21154c	3576	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3577	WOLFSSL_MSG("\tfailed: str len");
wolfSSL	0:d92f9d21154c	3578	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3579	}
wolfSSL	0:d92f9d21154c	3580
wolfSSL	0:d92f9d21154c	3581	cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0);
wolfSSL	0:d92f9d21154c	3582	if (cert->hwSerialNum == NULL) {
wolfSSL	0:d92f9d21154c	3583	WOLFSSL_MSG("\tOut of Memory");
wolfSSL	0:d92f9d21154c	3584	return MEMORY_E;
wolfSSL	0:d92f9d21154c	3585	}
wolfSSL	0:d92f9d21154c	3586
wolfSSL	0:d92f9d21154c	3587	XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
wolfSSL	0:d92f9d21154c	3588	cert->hwSerialNum[strLen] = '\0';
wolfSSL	0:d92f9d21154c	3589	cert->hwSerialNumSz = strLen;
wolfSSL	0:d92f9d21154c	3590	idx += strLen;
wolfSSL	0:d92f9d21154c	3591	}
wolfSSL	0:d92f9d21154c	3592	#endif /* WOLFSSL_SEP */
wolfSSL	0:d92f9d21154c	3593	else {
wolfSSL	0:d92f9d21154c	3594	int strLen;
wolfSSL	0:d92f9d21154c	3595	word32 lenStartIdx = idx;
wolfSSL	0:d92f9d21154c	3596
wolfSSL	0:d92f9d21154c	3597	WOLFSSL_MSG("\tUnsupported name type, skipping");
wolfSSL	0:d92f9d21154c	3598
wolfSSL	0:d92f9d21154c	3599	if (GetLength(input, &idx, &strLen, sz) < 0) {
wolfSSL	0:d92f9d21154c	3600	WOLFSSL_MSG("\tfail: unsupported name length");
wolfSSL	0:d92f9d21154c	3601	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3602	}
wolfSSL	0:d92f9d21154c	3603	length -= (strLen + idx - lenStartIdx);
wolfSSL	0:d92f9d21154c	3604	idx += strLen;
wolfSSL	0:d92f9d21154c	3605	}
wolfSSL	0:d92f9d21154c	3606	}
wolfSSL	0:d92f9d21154c	3607	return 0;
wolfSSL	0:d92f9d21154c	3608	}
wolfSSL	0:d92f9d21154c	3609
wolfSSL	0:d92f9d21154c	3610
wolfSSL	0:d92f9d21154c	3611	static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3612	{
wolfSSL	0:d92f9d21154c	3613	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3614	int length = 0;
wolfSSL	0:d92f9d21154c	3615
wolfSSL	0:d92f9d21154c	3616	WOLFSSL_ENTER("DecodeBasicCaConstraint");
wolfSSL	0:d92f9d21154c	3617	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3618	WOLFSSL_MSG("\tfail: bad SEQUENCE");
wolfSSL	0:d92f9d21154c	3619	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3620	}
wolfSSL	0:d92f9d21154c	3621
wolfSSL	0:d92f9d21154c	3622	if (length == 0)
wolfSSL	0:d92f9d21154c	3623	return 0;
wolfSSL	0:d92f9d21154c	3624
wolfSSL	0:d92f9d21154c	3625	/* If the basic ca constraint is false, this extension may be named, but
wolfSSL	0:d92f9d21154c	3626	* left empty. So, if the length is 0, just return. */
wolfSSL	0:d92f9d21154c	3627
wolfSSL	0:d92f9d21154c	3628	if (input[idx++] != ASN_BOOLEAN)
wolfSSL	0:d92f9d21154c	3629	{
wolfSSL	0:d92f9d21154c	3630	WOLFSSL_MSG("\tfail: constraint not BOOLEAN");
wolfSSL	0:d92f9d21154c	3631	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3632	}
wolfSSL	0:d92f9d21154c	3633
wolfSSL	0:d92f9d21154c	3634	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3635	{
wolfSSL	0:d92f9d21154c	3636	WOLFSSL_MSG("\tfail: length");
wolfSSL	0:d92f9d21154c	3637	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3638	}
wolfSSL	0:d92f9d21154c	3639
wolfSSL	0:d92f9d21154c	3640	if (input[idx++])
wolfSSL	0:d92f9d21154c	3641	cert->isCA = 1;
wolfSSL	0:d92f9d21154c	3642
wolfSSL	0:d92f9d21154c	3643	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	3644	/* If there isn't any more data, return. */
wolfSSL	0:d92f9d21154c	3645	if (idx >= (word32)sz)
wolfSSL	0:d92f9d21154c	3646	return 0;
wolfSSL	0:d92f9d21154c	3647
wolfSSL	0:d92f9d21154c	3648	/* Anything left should be the optional pathlength */
wolfSSL	0:d92f9d21154c	3649	if (input[idx++] != ASN_INTEGER) {
wolfSSL	0:d92f9d21154c	3650	WOLFSSL_MSG("\tfail: pathlen not INTEGER");
wolfSSL	0:d92f9d21154c	3651	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3652	}
wolfSSL	0:d92f9d21154c	3653
wolfSSL	0:d92f9d21154c	3654	if (input[idx++] != 1) {
wolfSSL	0:d92f9d21154c	3655	WOLFSSL_MSG("\tfail: pathlen too long");
wolfSSL	0:d92f9d21154c	3656	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3657	}
wolfSSL	0:d92f9d21154c	3658
wolfSSL	0:d92f9d21154c	3659	cert->pathLength = input[idx];
wolfSSL	0:d92f9d21154c	3660	cert->extBasicConstPlSet = 1;
wolfSSL	0:d92f9d21154c	3661	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	3662
wolfSSL	0:d92f9d21154c	3663	return 0;
wolfSSL	0:d92f9d21154c	3664	}
wolfSSL	0:d92f9d21154c	3665
wolfSSL	0:d92f9d21154c	3666
wolfSSL	0:d92f9d21154c	3667	#define CRLDP_FULL_NAME 0
wolfSSL	0:d92f9d21154c	3668	/* From RFC3280 SS4.2.1.14, Distribution Point Name*/
wolfSSL	0:d92f9d21154c	3669	#define GENERALNAME_URI 6
wolfSSL	0:d92f9d21154c	3670	/* From RFC3280 SS4.2.1.7, GeneralName */
wolfSSL	0:d92f9d21154c	3671
wolfSSL	0:d92f9d21154c	3672	static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3673	{
wolfSSL	0:d92f9d21154c	3674	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3675	int length = 0;
wolfSSL	0:d92f9d21154c	3676
wolfSSL	0:d92f9d21154c	3677	WOLFSSL_ENTER("DecodeCrlDist");
wolfSSL	0:d92f9d21154c	3678
wolfSSL	0:d92f9d21154c	3679	/* Unwrap the list of Distribution Points*/
wolfSSL	0:d92f9d21154c	3680	if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3681	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3682
wolfSSL	0:d92f9d21154c	3683	/* Unwrap a single Distribution Point */
wolfSSL	0:d92f9d21154c	3684	if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3685	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3686
wolfSSL	0:d92f9d21154c	3687	/* The Distribution Point has three explicit optional members
wolfSSL	0:d92f9d21154c	3688	* First check for a DistributionPointName
wolfSSL	0:d92f9d21154c	3689	*/
wolfSSL	0:d92f9d21154c	3690	if (input[idx] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 0))
wolfSSL	0:d92f9d21154c	3691	{
wolfSSL	0:d92f9d21154c	3692	idx++;
wolfSSL	0:d92f9d21154c	3693	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3694	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3695
wolfSSL	0:d92f9d21154c	3696	if (input[idx] ==
wolfSSL	0:d92f9d21154c	3697	(ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| CRLDP_FULL_NAME))
wolfSSL	0:d92f9d21154c	3698	{
wolfSSL	0:d92f9d21154c	3699	idx++;
wolfSSL	0:d92f9d21154c	3700	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3701	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3702
wolfSSL	0:d92f9d21154c	3703	if (input[idx] == (ASN_CONTEXT_SPECIFIC \| GENERALNAME_URI))
wolfSSL	0:d92f9d21154c	3704	{
wolfSSL	0:d92f9d21154c	3705	idx++;
wolfSSL	0:d92f9d21154c	3706	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3707	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3708
wolfSSL	0:d92f9d21154c	3709	cert->extCrlInfoSz = length;
wolfSSL	0:d92f9d21154c	3710	cert->extCrlInfo = input + idx;
wolfSSL	0:d92f9d21154c	3711	idx += length;
wolfSSL	0:d92f9d21154c	3712	}
wolfSSL	0:d92f9d21154c	3713	else
wolfSSL	0:d92f9d21154c	3714	/* This isn't a URI, skip it. */
wolfSSL	0:d92f9d21154c	3715	idx += length;
wolfSSL	0:d92f9d21154c	3716	}
wolfSSL	0:d92f9d21154c	3717	else
wolfSSL	0:d92f9d21154c	3718	/* This isn't a FULLNAME, skip it. */
wolfSSL	0:d92f9d21154c	3719	idx += length;
wolfSSL	0:d92f9d21154c	3720	}
wolfSSL	0:d92f9d21154c	3721
wolfSSL	0:d92f9d21154c	3722	/* Check for reasonFlags */
wolfSSL	0:d92f9d21154c	3723	if (idx < (word32)sz &&
wolfSSL	0:d92f9d21154c	3724	input[idx] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 1))
wolfSSL	0:d92f9d21154c	3725	{
wolfSSL	0:d92f9d21154c	3726	idx++;
wolfSSL	0:d92f9d21154c	3727	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3728	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3729	idx += length;
wolfSSL	0:d92f9d21154c	3730	}
wolfSSL	0:d92f9d21154c	3731
wolfSSL	0:d92f9d21154c	3732	/* Check for cRLIssuer */
wolfSSL	0:d92f9d21154c	3733	if (idx < (word32)sz &&
wolfSSL	0:d92f9d21154c	3734	input[idx] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 2))
wolfSSL	0:d92f9d21154c	3735	{
wolfSSL	0:d92f9d21154c	3736	idx++;
wolfSSL	0:d92f9d21154c	3737	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3738	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3739	idx += length;
wolfSSL	0:d92f9d21154c	3740	}
wolfSSL	0:d92f9d21154c	3741
wolfSSL	0:d92f9d21154c	3742	if (idx < (word32)sz)
wolfSSL	0:d92f9d21154c	3743	{
wolfSSL	0:d92f9d21154c	3744	WOLFSSL_MSG("\tThere are more CRL Distribution Point records, "
wolfSSL	0:d92f9d21154c	3745	"but we only use the first one.");
wolfSSL	0:d92f9d21154c	3746	}
wolfSSL	0:d92f9d21154c	3747
wolfSSL	0:d92f9d21154c	3748	return 0;
wolfSSL	0:d92f9d21154c	3749	}
wolfSSL	0:d92f9d21154c	3750
wolfSSL	0:d92f9d21154c	3751
wolfSSL	0:d92f9d21154c	3752	static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3753	/*
wolfSSL	0:d92f9d21154c	3754	* Read the first of the Authority Information Access records. If there are
wolfSSL	0:d92f9d21154c	3755	* any issues, return without saving the record.
wolfSSL	0:d92f9d21154c	3756	*/
wolfSSL	0:d92f9d21154c	3757	{
wolfSSL	0:d92f9d21154c	3758	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3759	int length = 0;
wolfSSL	0:d92f9d21154c	3760	byte b;
wolfSSL	0:d92f9d21154c	3761	word32 oid;
wolfSSL	0:d92f9d21154c	3762
wolfSSL	0:d92f9d21154c	3763	WOLFSSL_ENTER("DecodeAuthInfo");
wolfSSL	0:d92f9d21154c	3764
wolfSSL	0:d92f9d21154c	3765	/* Unwrap the list of AIAs */
wolfSSL	0:d92f9d21154c	3766	if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3767	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3768
wolfSSL	0:d92f9d21154c	3769	while (idx < (word32)sz) {
wolfSSL	0:d92f9d21154c	3770	/* Unwrap a single AIA */
wolfSSL	0:d92f9d21154c	3771	if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3772	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3773
wolfSSL	0:d92f9d21154c	3774	oid = 0;
wolfSSL	0:d92f9d21154c	3775	if (GetObjectId(input, &idx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	3776	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3777
wolfSSL	0:d92f9d21154c	3778	/* Only supporting URIs right now. */
wolfSSL	0:d92f9d21154c	3779	b = input[idx++];
wolfSSL	0:d92f9d21154c	3780	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	3781	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3782
wolfSSL	0:d92f9d21154c	3783	if (b == (ASN_CONTEXT_SPECIFIC \| GENERALNAME_URI) &&
wolfSSL	0:d92f9d21154c	3784	oid == AIA_OCSP_OID)
wolfSSL	0:d92f9d21154c	3785	{
wolfSSL	0:d92f9d21154c	3786	cert->extAuthInfoSz = length;
wolfSSL	0:d92f9d21154c	3787	cert->extAuthInfo = input + idx;
wolfSSL	0:d92f9d21154c	3788	break;
wolfSSL	0:d92f9d21154c	3789	}
wolfSSL	0:d92f9d21154c	3790	idx += length;
wolfSSL	0:d92f9d21154c	3791	}
wolfSSL	0:d92f9d21154c	3792
wolfSSL	0:d92f9d21154c	3793	return 0;
wolfSSL	0:d92f9d21154c	3794	}
wolfSSL	0:d92f9d21154c	3795
wolfSSL	0:d92f9d21154c	3796
wolfSSL	0:d92f9d21154c	3797	static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3798	{
wolfSSL	0:d92f9d21154c	3799	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3800	int length = 0, ret = 0;
wolfSSL	0:d92f9d21154c	3801
wolfSSL	0:d92f9d21154c	3802	WOLFSSL_ENTER("DecodeAuthKeyId");
wolfSSL	0:d92f9d21154c	3803
wolfSSL	0:d92f9d21154c	3804	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3805	WOLFSSL_MSG("\tfail: should be a SEQUENCE\n");
wolfSSL	0:d92f9d21154c	3806	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3807	}
wolfSSL	0:d92f9d21154c	3808
wolfSSL	0:d92f9d21154c	3809	if (input[idx++] != (ASN_CONTEXT_SPECIFIC \| 0)) {
wolfSSL	0:d92f9d21154c	3810	WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
wolfSSL	0:d92f9d21154c	3811	return 0;
wolfSSL	0:d92f9d21154c	3812	}
wolfSSL	0:d92f9d21154c	3813
wolfSSL	0:d92f9d21154c	3814	if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3815	WOLFSSL_MSG("\tfail: extension data length");
wolfSSL	0:d92f9d21154c	3816	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3817	}
wolfSSL	0:d92f9d21154c	3818
wolfSSL	0:d92f9d21154c	3819	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	3820	cert->extAuthKeyIdSrc = &input[idx];
wolfSSL	0:d92f9d21154c	3821	cert->extAuthKeyIdSz = length;
wolfSSL	0:d92f9d21154c	3822	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	3823
wolfSSL	0:d92f9d21154c	3824	if (length == KEYID_SIZE) {
wolfSSL	0:d92f9d21154c	3825	XMEMCPY(cert->extAuthKeyId, input + idx, length);
wolfSSL	0:d92f9d21154c	3826	}
wolfSSL	0:d92f9d21154c	3827	else {
wolfSSL	0:d92f9d21154c	3828	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	3829	ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId);
wolfSSL	0:d92f9d21154c	3830	#else
wolfSSL	0:d92f9d21154c	3831	ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId);
wolfSSL	0:d92f9d21154c	3832	#endif
wolfSSL	0:d92f9d21154c	3833	}
wolfSSL	0:d92f9d21154c	3834
wolfSSL	0:d92f9d21154c	3835	return ret;
wolfSSL	0:d92f9d21154c	3836	}
wolfSSL	0:d92f9d21154c	3837
wolfSSL	0:d92f9d21154c	3838
wolfSSL	0:d92f9d21154c	3839	static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3840	{
wolfSSL	0:d92f9d21154c	3841	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3842	int length = 0, ret = 0;
wolfSSL	0:d92f9d21154c	3843
wolfSSL	0:d92f9d21154c	3844	WOLFSSL_ENTER("DecodeSubjKeyId");
wolfSSL	0:d92f9d21154c	3845
wolfSSL	0:d92f9d21154c	3846	if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	3847	WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL	0:d92f9d21154c	3848	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3849	}
wolfSSL	0:d92f9d21154c	3850
wolfSSL	0:d92f9d21154c	3851	if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3852	WOLFSSL_MSG("\tfail: extension data length");
wolfSSL	0:d92f9d21154c	3853	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3854	}
wolfSSL	0:d92f9d21154c	3855
wolfSSL	0:d92f9d21154c	3856	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	3857	cert->extSubjKeyIdSrc = &input[idx];
wolfSSL	0:d92f9d21154c	3858	cert->extSubjKeyIdSz = length;
wolfSSL	0:d92f9d21154c	3859	#endif /* OPENSSL_EXTRA */
wolfSSL	0:d92f9d21154c	3860
wolfSSL	0:d92f9d21154c	3861	if (length == SIGNER_DIGEST_SIZE) {
wolfSSL	0:d92f9d21154c	3862	XMEMCPY(cert->extSubjKeyId, input + idx, length);
wolfSSL	0:d92f9d21154c	3863	}
wolfSSL	0:d92f9d21154c	3864	else {
wolfSSL	0:d92f9d21154c	3865	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	3866	ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId);
wolfSSL	0:d92f9d21154c	3867	#else
wolfSSL	0:d92f9d21154c	3868	ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId);
wolfSSL	0:d92f9d21154c	3869	#endif
wolfSSL	0:d92f9d21154c	3870	}
wolfSSL	0:d92f9d21154c	3871
wolfSSL	0:d92f9d21154c	3872	return ret;
wolfSSL	0:d92f9d21154c	3873	}
wolfSSL	0:d92f9d21154c	3874
wolfSSL	0:d92f9d21154c	3875
wolfSSL	0:d92f9d21154c	3876	static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3877	{
wolfSSL	0:d92f9d21154c	3878	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3879	int length;
wolfSSL	0:d92f9d21154c	3880	byte unusedBits;
wolfSSL	0:d92f9d21154c	3881	WOLFSSL_ENTER("DecodeKeyUsage");
wolfSSL	0:d92f9d21154c	3882
wolfSSL	0:d92f9d21154c	3883	if (input[idx++] != ASN_BIT_STRING) {
wolfSSL	0:d92f9d21154c	3884	WOLFSSL_MSG("\tfail: key usage expected bit string");
wolfSSL	0:d92f9d21154c	3885	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3886	}
wolfSSL	0:d92f9d21154c	3887
wolfSSL	0:d92f9d21154c	3888	if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3889	WOLFSSL_MSG("\tfail: key usage bad length");
wolfSSL	0:d92f9d21154c	3890	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3891	}
wolfSSL	0:d92f9d21154c	3892
wolfSSL	0:d92f9d21154c	3893	unusedBits = input[idx++];
wolfSSL	0:d92f9d21154c	3894	length--;
wolfSSL	0:d92f9d21154c	3895
wolfSSL	0:d92f9d21154c	3896	if (length == 2) {
wolfSSL	0:d92f9d21154c	3897	cert->extKeyUsage = (word16)((input[idx] << 8) \| input[idx+1]);
wolfSSL	0:d92f9d21154c	3898	cert->extKeyUsage >>= unusedBits;
wolfSSL	0:d92f9d21154c	3899	}
wolfSSL	0:d92f9d21154c	3900	else if (length == 1)
wolfSSL	0:d92f9d21154c	3901	cert->extKeyUsage = (word16)(input[idx] << 1);
wolfSSL	0:d92f9d21154c	3902
wolfSSL	0:d92f9d21154c	3903	return 0;
wolfSSL	0:d92f9d21154c	3904	}
wolfSSL	0:d92f9d21154c	3905
wolfSSL	0:d92f9d21154c	3906
wolfSSL	0:d92f9d21154c	3907	static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	3908	{
wolfSSL	0:d92f9d21154c	3909	word32 idx = 0, oid;
wolfSSL	0:d92f9d21154c	3910	int length;
wolfSSL	0:d92f9d21154c	3911
wolfSSL	0:d92f9d21154c	3912	WOLFSSL_ENTER("DecodeExtKeyUsage");
wolfSSL	0:d92f9d21154c	3913
wolfSSL	0:d92f9d21154c	3914	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	3915	WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL	0:d92f9d21154c	3916	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3917	}
wolfSSL	0:d92f9d21154c	3918
wolfSSL	0:d92f9d21154c	3919	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	3920	cert->extExtKeyUsageSrc = input + idx;
wolfSSL	0:d92f9d21154c	3921	cert->extExtKeyUsageSz = length;
wolfSSL	0:d92f9d21154c	3922	#endif
wolfSSL	0:d92f9d21154c	3923
wolfSSL	0:d92f9d21154c	3924	while (idx < (word32)sz) {
wolfSSL	0:d92f9d21154c	3925	if (GetObjectId(input, &idx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	3926	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3927
wolfSSL	0:d92f9d21154c	3928	switch (oid) {
wolfSSL	0:d92f9d21154c	3929	case EKU_ANY_OID:
wolfSSL	0:d92f9d21154c	3930	cert->extExtKeyUsage \|= EXTKEYUSE_ANY;
wolfSSL	0:d92f9d21154c	3931	break;
wolfSSL	0:d92f9d21154c	3932	case EKU_SERVER_AUTH_OID:
wolfSSL	0:d92f9d21154c	3933	cert->extExtKeyUsage \|= EXTKEYUSE_SERVER_AUTH;
wolfSSL	0:d92f9d21154c	3934	break;
wolfSSL	0:d92f9d21154c	3935	case EKU_CLIENT_AUTH_OID:
wolfSSL	0:d92f9d21154c	3936	cert->extExtKeyUsage \|= EXTKEYUSE_CLIENT_AUTH;
wolfSSL	0:d92f9d21154c	3937	break;
wolfSSL	0:d92f9d21154c	3938	case EKU_OCSP_SIGN_OID:
wolfSSL	0:d92f9d21154c	3939	cert->extExtKeyUsage \|= EXTKEYUSE_OCSP_SIGN;
wolfSSL	0:d92f9d21154c	3940	break;
wolfSSL	0:d92f9d21154c	3941	}
wolfSSL	0:d92f9d21154c	3942
wolfSSL	0:d92f9d21154c	3943	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	3944	cert->extExtKeyUsageCount++;
wolfSSL	0:d92f9d21154c	3945	#endif
wolfSSL	0:d92f9d21154c	3946	}
wolfSSL	0:d92f9d21154c	3947
wolfSSL	0:d92f9d21154c	3948	return 0;
wolfSSL	0:d92f9d21154c	3949	}
wolfSSL	0:d92f9d21154c	3950
wolfSSL	0:d92f9d21154c	3951
wolfSSL	0:d92f9d21154c	3952	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	3953	static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
wolfSSL	0:d92f9d21154c	3954	{
wolfSSL	0:d92f9d21154c	3955	word32 idx = 0;
wolfSSL	0:d92f9d21154c	3956
wolfSSL	0:d92f9d21154c	3957	(void)heap;
wolfSSL	0:d92f9d21154c	3958
wolfSSL	0:d92f9d21154c	3959	while (idx < (word32)sz) {
wolfSSL	0:d92f9d21154c	3960	int seqLength, strLength;
wolfSSL	0:d92f9d21154c	3961	word32 nameIdx;
wolfSSL	0:d92f9d21154c	3962	byte b;
wolfSSL	0:d92f9d21154c	3963
wolfSSL	0:d92f9d21154c	3964	if (GetSequence(input, &idx, &seqLength, sz) < 0) {
wolfSSL	0:d92f9d21154c	3965	WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL	0:d92f9d21154c	3966	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3967	}
wolfSSL	0:d92f9d21154c	3968
wolfSSL	0:d92f9d21154c	3969	nameIdx = idx;
wolfSSL	0:d92f9d21154c	3970	b = input[nameIdx++];
wolfSSL	0:d92f9d21154c	3971	if (GetLength(input, &nameIdx, &strLength, sz) <= 0) {
wolfSSL	0:d92f9d21154c	3972	WOLFSSL_MSG("\tinvalid length");
wolfSSL	0:d92f9d21154c	3973	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	3974	}
wolfSSL	0:d92f9d21154c	3975
wolfSSL	0:d92f9d21154c	3976	if (b == (ASN_CONTEXT_SPECIFIC \| ASN_DNS_TYPE) \|\|
wolfSSL	0:d92f9d21154c	3977	b == (ASN_CONTEXT_SPECIFIC \| ASN_RFC822_TYPE) \|\|
wolfSSL	0:d92f9d21154c	3978	b == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| ASN_DIR_TYPE)) {
wolfSSL	0:d92f9d21154c	3979
wolfSSL	0:d92f9d21154c	3980	Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
wolfSSL	0:d92f9d21154c	3981	heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3982
wolfSSL	0:d92f9d21154c	3983	if (entry == NULL) {
wolfSSL	0:d92f9d21154c	3984	WOLFSSL_MSG("allocate error");
wolfSSL	0:d92f9d21154c	3985	return MEMORY_E;
wolfSSL	0:d92f9d21154c	3986	}
wolfSSL	0:d92f9d21154c	3987
wolfSSL	0:d92f9d21154c	3988	entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
wolfSSL	0:d92f9d21154c	3989	if (entry->name == NULL) {
wolfSSL	0:d92f9d21154c	3990	WOLFSSL_MSG("allocate error");
wolfSSL	0:d92f9d21154c	3991	return MEMORY_E;
wolfSSL	0:d92f9d21154c	3992	}
wolfSSL	0:d92f9d21154c	3993
wolfSSL	0:d92f9d21154c	3994	XMEMCPY(entry->name, &input[nameIdx], strLength);
wolfSSL	0:d92f9d21154c	3995	entry->nameSz = strLength;
wolfSSL	0:d92f9d21154c	3996	entry->type = b & 0x0F;
wolfSSL	0:d92f9d21154c	3997
wolfSSL	0:d92f9d21154c	3998	entry->next = *head;
wolfSSL	0:d92f9d21154c	3999	*head = entry;
wolfSSL	0:d92f9d21154c	4000	}
wolfSSL	0:d92f9d21154c	4001
wolfSSL	0:d92f9d21154c	4002	idx += seqLength;
wolfSSL	0:d92f9d21154c	4003	}
wolfSSL	0:d92f9d21154c	4004
wolfSSL	0:d92f9d21154c	4005	return 0;
wolfSSL	0:d92f9d21154c	4006	}
wolfSSL	0:d92f9d21154c	4007
wolfSSL	0:d92f9d21154c	4008
wolfSSL	0:d92f9d21154c	4009	static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	4010	{
wolfSSL	0:d92f9d21154c	4011	word32 idx = 0;
wolfSSL	0:d92f9d21154c	4012	int length = 0;
wolfSSL	0:d92f9d21154c	4013
wolfSSL	0:d92f9d21154c	4014	WOLFSSL_ENTER("DecodeNameConstraints");
wolfSSL	0:d92f9d21154c	4015
wolfSSL	0:d92f9d21154c	4016	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4017	WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL	0:d92f9d21154c	4018	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4019	}
wolfSSL	0:d92f9d21154c	4020
wolfSSL	0:d92f9d21154c	4021	while (idx < (word32)sz) {
wolfSSL	0:d92f9d21154c	4022	byte b = input[idx++];
wolfSSL	0:d92f9d21154c	4023	Base_entry** subtree = NULL;
wolfSSL	0:d92f9d21154c	4024
wolfSSL	0:d92f9d21154c	4025	if (GetLength(input, &idx, &length, sz) <= 0) {
wolfSSL	0:d92f9d21154c	4026	WOLFSSL_MSG("\tinvalid length");
wolfSSL	0:d92f9d21154c	4027	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4028	}
wolfSSL	0:d92f9d21154c	4029
wolfSSL	0:d92f9d21154c	4030	if (b == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| 0))
wolfSSL	0:d92f9d21154c	4031	subtree = &cert->permittedNames;
wolfSSL	0:d92f9d21154c	4032	else if (b == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| 1))
wolfSSL	0:d92f9d21154c	4033	subtree = &cert->excludedNames;
wolfSSL	0:d92f9d21154c	4034	else {
wolfSSL	0:d92f9d21154c	4035	WOLFSSL_MSG("\tinvalid subtree");
wolfSSL	0:d92f9d21154c	4036	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4037	}
wolfSSL	0:d92f9d21154c	4038
wolfSSL	0:d92f9d21154c	4039	DecodeSubtree(input + idx, length, subtree, cert->heap);
wolfSSL	0:d92f9d21154c	4040
wolfSSL	0:d92f9d21154c	4041	idx += length;
wolfSSL	0:d92f9d21154c	4042	}
wolfSSL	0:d92f9d21154c	4043
wolfSSL	0:d92f9d21154c	4044	return 0;
wolfSSL	0:d92f9d21154c	4045	}
wolfSSL	0:d92f9d21154c	4046	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	4047
wolfSSL	0:d92f9d21154c	4048
wolfSSL	0:d92f9d21154c	4049	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	4050	static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
wolfSSL	0:d92f9d21154c	4051	{
wolfSSL	0:d92f9d21154c	4052	word32 idx = 0;
wolfSSL	0:d92f9d21154c	4053	int length = 0;
wolfSSL	0:d92f9d21154c	4054
wolfSSL	0:d92f9d21154c	4055	WOLFSSL_ENTER("DecodeCertPolicy");
wolfSSL	0:d92f9d21154c	4056
wolfSSL	0:d92f9d21154c	4057	/* Unwrap certificatePolicies */
wolfSSL	0:d92f9d21154c	4058	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4059	WOLFSSL_MSG("\tdeviceType isn't OID");
wolfSSL	0:d92f9d21154c	4060	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4061	}
wolfSSL	0:d92f9d21154c	4062
wolfSSL	0:d92f9d21154c	4063	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4064	WOLFSSL_MSG("\tdeviceType isn't OID");
wolfSSL	0:d92f9d21154c	4065	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4066	}
wolfSSL	0:d92f9d21154c	4067
wolfSSL	0:d92f9d21154c	4068	if (input[idx++] != ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	4069	WOLFSSL_MSG("\tdeviceType isn't OID");
wolfSSL	0:d92f9d21154c	4070	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4071	}
wolfSSL	0:d92f9d21154c	4072
wolfSSL	0:d92f9d21154c	4073	if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4074	WOLFSSL_MSG("\tCouldn't read length of deviceType");
wolfSSL	0:d92f9d21154c	4075	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4076	}
wolfSSL	0:d92f9d21154c	4077
wolfSSL	0:d92f9d21154c	4078	if (length > 0) {
wolfSSL	0:d92f9d21154c	4079	cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0);
wolfSSL	0:d92f9d21154c	4080	if (cert->deviceType == NULL) {
wolfSSL	0:d92f9d21154c	4081	WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
wolfSSL	0:d92f9d21154c	4082	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4083	}
wolfSSL	0:d92f9d21154c	4084	cert->deviceTypeSz = length;
wolfSSL	0:d92f9d21154c	4085	XMEMCPY(cert->deviceType, input + idx, length);
wolfSSL	0:d92f9d21154c	4086	}
wolfSSL	0:d92f9d21154c	4087
wolfSSL	0:d92f9d21154c	4088	WOLFSSL_LEAVE("DecodeCertPolicy", 0);
wolfSSL	0:d92f9d21154c	4089	return 0;
wolfSSL	0:d92f9d21154c	4090	}
wolfSSL	0:d92f9d21154c	4091	#endif /* WOLFSSL_SEP */
wolfSSL	0:d92f9d21154c	4092
wolfSSL	0:d92f9d21154c	4093
wolfSSL	0:d92f9d21154c	4094	static int DecodeCertExtensions(DecodedCert* cert)
wolfSSL	0:d92f9d21154c	4095	/*
wolfSSL	0:d92f9d21154c	4096	* Processing the Certificate Extensions. This does not modify the current
wolfSSL	0:d92f9d21154c	4097	* index. It is works starting with the recorded extensions pointer.
wolfSSL	0:d92f9d21154c	4098	*/
wolfSSL	0:d92f9d21154c	4099	{
wolfSSL	0:d92f9d21154c	4100	word32 idx = 0;
wolfSSL	0:d92f9d21154c	4101	int sz = cert->extensionsSz;
wolfSSL	0:d92f9d21154c	4102	byte* input = cert->extensions;
wolfSSL	0:d92f9d21154c	4103	int length;
wolfSSL	0:d92f9d21154c	4104	word32 oid;
wolfSSL	0:d92f9d21154c	4105	byte critical = 0;
wolfSSL	0:d92f9d21154c	4106	byte criticalFail = 0;
wolfSSL	0:d92f9d21154c	4107
wolfSSL	0:d92f9d21154c	4108	WOLFSSL_ENTER("DecodeCertExtensions");
wolfSSL	0:d92f9d21154c	4109
wolfSSL	0:d92f9d21154c	4110	if (input == NULL \|\| sz == 0)
wolfSSL	0:d92f9d21154c	4111	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4112
wolfSSL	0:d92f9d21154c	4113	if (input[idx++] != ASN_EXTENSIONS)
wolfSSL	0:d92f9d21154c	4114	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4115
wolfSSL	0:d92f9d21154c	4116	if (GetLength(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	4117	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4118
wolfSSL	0:d92f9d21154c	4119	if (GetSequence(input, &idx, &length, sz) < 0)
wolfSSL	0:d92f9d21154c	4120	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4121
wolfSSL	0:d92f9d21154c	4122	while (idx < (word32)sz) {
wolfSSL	0:d92f9d21154c	4123	if (GetSequence(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4124	WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL	0:d92f9d21154c	4125	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4126	}
wolfSSL	0:d92f9d21154c	4127
wolfSSL	0:d92f9d21154c	4128	oid = 0;
wolfSSL	0:d92f9d21154c	4129	if (GetObjectId(input, &idx, &oid, sz) < 0) {
wolfSSL	0:d92f9d21154c	4130	WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL	0:d92f9d21154c	4131	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4132	}
wolfSSL	0:d92f9d21154c	4133
wolfSSL	0:d92f9d21154c	4134	/* check for critical flag */
wolfSSL	0:d92f9d21154c	4135	critical = 0;
wolfSSL	0:d92f9d21154c	4136	if (input[idx] == ASN_BOOLEAN) {
wolfSSL	0:d92f9d21154c	4137	int boolLength = 0;
wolfSSL	0:d92f9d21154c	4138	idx++;
wolfSSL	0:d92f9d21154c	4139	if (GetLength(input, &idx, &boolLength, sz) < 0) {
wolfSSL	0:d92f9d21154c	4140	WOLFSSL_MSG("\tfail: critical boolean length");
wolfSSL	0:d92f9d21154c	4141	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4142	}
wolfSSL	0:d92f9d21154c	4143	if (input[idx++])
wolfSSL	0:d92f9d21154c	4144	critical = 1;
wolfSSL	0:d92f9d21154c	4145	}
wolfSSL	0:d92f9d21154c	4146
wolfSSL	0:d92f9d21154c	4147	/* process the extension based on the OID */
wolfSSL	0:d92f9d21154c	4148	if (input[idx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	4149	WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL	0:d92f9d21154c	4150	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4151	}
wolfSSL	0:d92f9d21154c	4152
wolfSSL	0:d92f9d21154c	4153	if (GetLength(input, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	4154	WOLFSSL_MSG("\tfail: extension data length");
wolfSSL	0:d92f9d21154c	4155	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4156	}
wolfSSL	0:d92f9d21154c	4157
wolfSSL	0:d92f9d21154c	4158	switch (oid) {
wolfSSL	0:d92f9d21154c	4159	case BASIC_CA_OID:
wolfSSL	0:d92f9d21154c	4160	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4161	cert->extBasicConstSet = 1;
wolfSSL	0:d92f9d21154c	4162	cert->extBasicConstCrit = critical;
wolfSSL	0:d92f9d21154c	4163	#endif
wolfSSL	0:d92f9d21154c	4164	if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4165	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4166	break;
wolfSSL	0:d92f9d21154c	4167
wolfSSL	0:d92f9d21154c	4168	case CRL_DIST_OID:
wolfSSL	0:d92f9d21154c	4169	if (DecodeCrlDist(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4170	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4171	break;
wolfSSL	0:d92f9d21154c	4172
wolfSSL	0:d92f9d21154c	4173	case AUTH_INFO_OID:
wolfSSL	0:d92f9d21154c	4174	if (DecodeAuthInfo(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4175	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4176	break;
wolfSSL	0:d92f9d21154c	4177
wolfSSL	0:d92f9d21154c	4178	case ALT_NAMES_OID:
wolfSSL	0:d92f9d21154c	4179	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4180	cert->extSubjAltNameSet = 1;
wolfSSL	0:d92f9d21154c	4181	cert->extSubjAltNameCrit = critical;
wolfSSL	0:d92f9d21154c	4182	#endif
wolfSSL	0:d92f9d21154c	4183	if (DecodeAltNames(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4184	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4185	break;
wolfSSL	0:d92f9d21154c	4186
wolfSSL	0:d92f9d21154c	4187	case AUTH_KEY_OID:
wolfSSL	0:d92f9d21154c	4188	cert->extAuthKeyIdSet = 1;
wolfSSL	0:d92f9d21154c	4189	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4190	cert->extAuthKeyIdCrit = critical;
wolfSSL	0:d92f9d21154c	4191	#endif
wolfSSL	0:d92f9d21154c	4192	if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4193	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4194	break;
wolfSSL	0:d92f9d21154c	4195
wolfSSL	0:d92f9d21154c	4196	case SUBJ_KEY_OID:
wolfSSL	0:d92f9d21154c	4197	cert->extSubjKeyIdSet = 1;
wolfSSL	0:d92f9d21154c	4198	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4199	cert->extSubjKeyIdCrit = critical;
wolfSSL	0:d92f9d21154c	4200	#endif
wolfSSL	0:d92f9d21154c	4201	if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4202	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4203	break;
wolfSSL	0:d92f9d21154c	4204
wolfSSL	0:d92f9d21154c	4205	case CERT_POLICY_OID:
wolfSSL	0:d92f9d21154c	4206	WOLFSSL_MSG("Certificate Policy extension not supported yet.");
wolfSSL	0:d92f9d21154c	4207	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	4208	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4209	cert->extCertPolicySet = 1;
wolfSSL	0:d92f9d21154c	4210	cert->extCertPolicyCrit = critical;
wolfSSL	0:d92f9d21154c	4211	#endif
wolfSSL	0:d92f9d21154c	4212	if (DecodeCertPolicy(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4213	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4214	#endif
wolfSSL	0:d92f9d21154c	4215	break;
wolfSSL	0:d92f9d21154c	4216
wolfSSL	0:d92f9d21154c	4217	case KEY_USAGE_OID:
wolfSSL	0:d92f9d21154c	4218	cert->extKeyUsageSet = 1;
wolfSSL	0:d92f9d21154c	4219	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4220	cert->extKeyUsageCrit = critical;
wolfSSL	0:d92f9d21154c	4221	#endif
wolfSSL	0:d92f9d21154c	4222	if (DecodeKeyUsage(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4223	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4224	break;
wolfSSL	0:d92f9d21154c	4225
wolfSSL	0:d92f9d21154c	4226	case EXT_KEY_USAGE_OID:
wolfSSL	0:d92f9d21154c	4227	cert->extExtKeyUsageSet = 1;
wolfSSL	0:d92f9d21154c	4228	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4229	cert->extExtKeyUsageCrit = critical;
wolfSSL	0:d92f9d21154c	4230	#endif
wolfSSL	0:d92f9d21154c	4231	if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4232	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4233	break;
wolfSSL	0:d92f9d21154c	4234
wolfSSL	0:d92f9d21154c	4235	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	4236	case NAME_CONS_OID:
wolfSSL	0:d92f9d21154c	4237	cert->extNameConstraintSet = 1;
wolfSSL	0:d92f9d21154c	4238	#ifdef OPENSSL_EXTRA
wolfSSL	0:d92f9d21154c	4239	cert->extNameConstraintCrit = critical;
wolfSSL	0:d92f9d21154c	4240	#endif
wolfSSL	0:d92f9d21154c	4241	if (DecodeNameConstraints(&input[idx], length, cert) < 0)
wolfSSL	0:d92f9d21154c	4242	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	4243	break;
wolfSSL	0:d92f9d21154c	4244	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	4245
wolfSSL	0:d92f9d21154c	4246	case INHIBIT_ANY_OID:
wolfSSL	0:d92f9d21154c	4247	WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
wolfSSL	0:d92f9d21154c	4248	break;
wolfSSL	0:d92f9d21154c	4249
wolfSSL	0:d92f9d21154c	4250	default:
wolfSSL	0:d92f9d21154c	4251	/* While it is a failure to not support critical extensions,
wolfSSL	0:d92f9d21154c	4252	* still parse the certificate ignoring the unsupported
wolfSSL	0:d92f9d21154c	4253	* extention to allow caller to accept it with the verify
wolfSSL	0:d92f9d21154c	4254	* callback. */
wolfSSL	0:d92f9d21154c	4255	if (critical)
wolfSSL	0:d92f9d21154c	4256	criticalFail = 1;
wolfSSL	0:d92f9d21154c	4257	break;
wolfSSL	0:d92f9d21154c	4258	}
wolfSSL	0:d92f9d21154c	4259	idx += length;
wolfSSL	0:d92f9d21154c	4260	}
wolfSSL	0:d92f9d21154c	4261
wolfSSL	0:d92f9d21154c	4262	return criticalFail ? ASN_CRIT_EXT_E : 0;
wolfSSL	0:d92f9d21154c	4263	}
wolfSSL	0:d92f9d21154c	4264
wolfSSL	0:d92f9d21154c	4265
wolfSSL	0:d92f9d21154c	4266	int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL	0:d92f9d21154c	4267	{
wolfSSL	0:d92f9d21154c	4268	int ret;
wolfSSL	0:d92f9d21154c	4269	char* ptr;
wolfSSL	0:d92f9d21154c	4270
wolfSSL	0:d92f9d21154c	4271	ret = ParseCertRelative(cert, type, verify, cm);
wolfSSL	0:d92f9d21154c	4272	if (ret < 0)
wolfSSL	0:d92f9d21154c	4273	return ret;
wolfSSL	0:d92f9d21154c	4274
wolfSSL	0:d92f9d21154c	4275	if (cert->subjectCNLen > 0) {
wolfSSL	0:d92f9d21154c	4276	ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap,
wolfSSL	0:d92f9d21154c	4277	DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL	0:d92f9d21154c	4278	if (ptr == NULL)
wolfSSL	0:d92f9d21154c	4279	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4280	XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen);
wolfSSL	0:d92f9d21154c	4281	ptr[cert->subjectCNLen] = '\0';
wolfSSL	0:d92f9d21154c	4282	cert->subjectCN = ptr;
wolfSSL	0:d92f9d21154c	4283	cert->subjectCNStored = 1;
wolfSSL	0:d92f9d21154c	4284	}
wolfSSL	0:d92f9d21154c	4285
wolfSSL	0:d92f9d21154c	4286	if (cert->keyOID == RSAk &&
wolfSSL	0:d92f9d21154c	4287	cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL	0:d92f9d21154c	4288	ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap,
wolfSSL	0:d92f9d21154c	4289	DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL	0:d92f9d21154c	4290	if (ptr == NULL)
wolfSSL	0:d92f9d21154c	4291	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4292	XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
wolfSSL	0:d92f9d21154c	4293	cert->publicKey = (byte *)ptr;
wolfSSL	0:d92f9d21154c	4294	cert->pubKeyStored = 1;
wolfSSL	0:d92f9d21154c	4295	}
wolfSSL	0:d92f9d21154c	4296
wolfSSL	0:d92f9d21154c	4297	return ret;
wolfSSL	0:d92f9d21154c	4298	}
wolfSSL	0:d92f9d21154c	4299
wolfSSL	0:d92f9d21154c	4300
wolfSSL	0:d92f9d21154c	4301	/* from SSL proper, for locking can't do find here anymore */
wolfSSL	0:d92f9d21154c	4302	#ifdef __cplusplus
wolfSSL	0:d92f9d21154c	4303	extern "C" {
wolfSSL	0:d92f9d21154c	4304	#endif
wolfSSL	0:d92f9d21154c	4305	WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
wolfSSL	0:d92f9d21154c	4306	#ifndef NO_SKID
wolfSSL	0:d92f9d21154c	4307	WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
wolfSSL	0:d92f9d21154c	4308	#endif
wolfSSL	0:d92f9d21154c	4309	#ifdef __cplusplus
wolfSSL	0:d92f9d21154c	4310	}
wolfSSL	0:d92f9d21154c	4311	#endif
wolfSSL	0:d92f9d21154c	4312
wolfSSL	0:d92f9d21154c	4313
wolfSSL	0:d92f9d21154c	4314	int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
wolfSSL	0:d92f9d21154c	4315	{
wolfSSL	0:d92f9d21154c	4316	word32 confirmOID;
wolfSSL	0:d92f9d21154c	4317	int ret;
wolfSSL	0:d92f9d21154c	4318	int badDate = 0;
wolfSSL	0:d92f9d21154c	4319	int criticalExt = 0;
wolfSSL	0:d92f9d21154c	4320
wolfSSL	0:d92f9d21154c	4321	if ((ret = DecodeToKey(cert, verify)) < 0) {
wolfSSL	0:d92f9d21154c	4322	if (ret == ASN_BEFORE_DATE_E \|\| ret == ASN_AFTER_DATE_E)
wolfSSL	0:d92f9d21154c	4323	badDate = ret;
wolfSSL	0:d92f9d21154c	4324	else
wolfSSL	0:d92f9d21154c	4325	return ret;
wolfSSL	0:d92f9d21154c	4326	}
wolfSSL	0:d92f9d21154c	4327
wolfSSL	0:d92f9d21154c	4328	WOLFSSL_MSG("Parsed Past Key");
wolfSSL	0:d92f9d21154c	4329
wolfSSL	0:d92f9d21154c	4330	if (cert->srcIdx < cert->sigIndex) {
wolfSSL	0:d92f9d21154c	4331	#ifndef ALLOW_V1_EXTENSIONS
wolfSSL	0:d92f9d21154c	4332	if (cert->version < 2) {
wolfSSL	0:d92f9d21154c	4333	WOLFSSL_MSG(" v1 and v2 certs not allowed extensions");
wolfSSL	0:d92f9d21154c	4334	return ASN_VERSION_E;
wolfSSL	0:d92f9d21154c	4335	}
wolfSSL	0:d92f9d21154c	4336	#endif
wolfSSL	0:d92f9d21154c	4337	/* save extensions */
wolfSSL	0:d92f9d21154c	4338	cert->extensions = &cert->source[cert->srcIdx];
wolfSSL	0:d92f9d21154c	4339	cert->extensionsSz = cert->sigIndex - cert->srcIdx;
wolfSSL	0:d92f9d21154c	4340	cert->extensionsIdx = cert->srcIdx; /* for potential later use */
wolfSSL	0:d92f9d21154c	4341
wolfSSL	0:d92f9d21154c	4342	if ((ret = DecodeCertExtensions(cert)) < 0) {
wolfSSL	0:d92f9d21154c	4343	if (ret == ASN_CRIT_EXT_E)
wolfSSL	0:d92f9d21154c	4344	criticalExt = ret;
wolfSSL	0:d92f9d21154c	4345	else
wolfSSL	0:d92f9d21154c	4346	return ret;
wolfSSL	0:d92f9d21154c	4347	}
wolfSSL	0:d92f9d21154c	4348
wolfSSL	0:d92f9d21154c	4349	/* advance past extensions */
wolfSSL	0:d92f9d21154c	4350	cert->srcIdx = cert->sigIndex;
wolfSSL	0:d92f9d21154c	4351	}
wolfSSL	0:d92f9d21154c	4352
wolfSSL	0:d92f9d21154c	4353	if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
wolfSSL	0:d92f9d21154c	4354	cert->maxIdx)) < 0)
wolfSSL	0:d92f9d21154c	4355	return ret;
wolfSSL	0:d92f9d21154c	4356
wolfSSL	0:d92f9d21154c	4357	if ((ret = GetSignature(cert)) < 0)
wolfSSL	0:d92f9d21154c	4358	return ret;
wolfSSL	0:d92f9d21154c	4359
wolfSSL	0:d92f9d21154c	4360	if (confirmOID != cert->signatureOID)
wolfSSL	0:d92f9d21154c	4361	return ASN_SIG_OID_E;
wolfSSL	0:d92f9d21154c	4362
wolfSSL	0:d92f9d21154c	4363	#ifndef NO_SKID
wolfSSL	0:d92f9d21154c	4364	if (cert->extSubjKeyIdSet == 0
wolfSSL	0:d92f9d21154c	4365	&& cert->publicKey != NULL && cert->pubKeySize > 0) {
wolfSSL	0:d92f9d21154c	4366	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	4367	ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize,
wolfSSL	0:d92f9d21154c	4368	cert->extSubjKeyId);
wolfSSL	0:d92f9d21154c	4369	#else
wolfSSL	0:d92f9d21154c	4370	ret = wc_ShaHash(cert->publicKey, cert->pubKeySize,
wolfSSL	0:d92f9d21154c	4371	cert->extSubjKeyId);
wolfSSL	0:d92f9d21154c	4372	#endif
wolfSSL	0:d92f9d21154c	4373	if (ret != 0)
wolfSSL	0:d92f9d21154c	4374	return ret;
wolfSSL	0:d92f9d21154c	4375	}
wolfSSL	0:d92f9d21154c	4376	#endif
wolfSSL	0:d92f9d21154c	4377
wolfSSL	0:d92f9d21154c	4378	if (verify && type != CA_TYPE) {
wolfSSL	0:d92f9d21154c	4379	Signer* ca = NULL;
wolfSSL	0:d92f9d21154c	4380	#ifndef NO_SKID
wolfSSL	0:d92f9d21154c	4381	if (cert->extAuthKeyIdSet)
wolfSSL	0:d92f9d21154c	4382	ca = GetCA(cm, cert->extAuthKeyId);
wolfSSL	0:d92f9d21154c	4383	if (ca == NULL)
wolfSSL	0:d92f9d21154c	4384	ca = GetCAByName(cm, cert->issuerHash);
wolfSSL	0:d92f9d21154c	4385	#else /* NO_SKID */
wolfSSL	0:d92f9d21154c	4386	ca = GetCA(cm, cert->issuerHash);
wolfSSL	0:d92f9d21154c	4387	#endif /* NO SKID */
wolfSSL	0:d92f9d21154c	4388	WOLFSSL_MSG("About to verify certificate signature");
wolfSSL	0:d92f9d21154c	4389
wolfSSL	0:d92f9d21154c	4390	if (ca) {
wolfSSL	0:d92f9d21154c	4391	#ifdef HAVE_OCSP
wolfSSL	0:d92f9d21154c	4392	/* Need the ca's public key hash for OCSP */
wolfSSL	0:d92f9d21154c	4393	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	4394	ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize,
wolfSSL	0:d92f9d21154c	4395	cert->issuerKeyHash);
wolfSSL	0:d92f9d21154c	4396	#else /* NO_SHA */
wolfSSL	0:d92f9d21154c	4397	ret = wc_ShaHash(ca->publicKey, ca->pubKeySize,
wolfSSL	0:d92f9d21154c	4398	cert->issuerKeyHash);
wolfSSL	0:d92f9d21154c	4399	#endif /* NO_SHA */
wolfSSL	0:d92f9d21154c	4400	if (ret != 0)
wolfSSL	0:d92f9d21154c	4401	return ret;
wolfSSL	0:d92f9d21154c	4402	#endif /* HAVE_OCSP */
wolfSSL	0:d92f9d21154c	4403	/* try to confirm/verify signature */
wolfSSL	0:d92f9d21154c	4404	if (!ConfirmSignature(cert->source + cert->certBegin,
wolfSSL	0:d92f9d21154c	4405	cert->sigIndex - cert->certBegin,
wolfSSL	0:d92f9d21154c	4406	ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL	0:d92f9d21154c	4407	cert->signature, cert->sigLength, cert->signatureOID,
wolfSSL	0:d92f9d21154c	4408	cert->heap)) {
wolfSSL	0:d92f9d21154c	4409	WOLFSSL_MSG("Confirm signature failed");
wolfSSL	0:d92f9d21154c	4410	return ASN_SIG_CONFIRM_E;
wolfSSL	0:d92f9d21154c	4411	}
wolfSSL	0:d92f9d21154c	4412	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	4413	/* check that this cert's name is permitted by the signer's
wolfSSL	0:d92f9d21154c	4414	* name constraints */
wolfSSL	0:d92f9d21154c	4415	if (!ConfirmNameConstraints(ca, cert)) {
wolfSSL	0:d92f9d21154c	4416	WOLFSSL_MSG("Confirm name constraint failed");
wolfSSL	0:d92f9d21154c	4417	return ASN_NAME_INVALID_E;
wolfSSL	0:d92f9d21154c	4418	}
wolfSSL	0:d92f9d21154c	4419	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	4420	}
wolfSSL	0:d92f9d21154c	4421	else {
wolfSSL	0:d92f9d21154c	4422	/* no signer */
wolfSSL	0:d92f9d21154c	4423	WOLFSSL_MSG("No CA signer to verify with");
wolfSSL	0:d92f9d21154c	4424	return ASN_NO_SIGNER_E;
wolfSSL	0:d92f9d21154c	4425	}
wolfSSL	0:d92f9d21154c	4426	}
wolfSSL	0:d92f9d21154c	4427
wolfSSL	0:d92f9d21154c	4428	if (badDate != 0)
wolfSSL	0:d92f9d21154c	4429	return badDate;
wolfSSL	0:d92f9d21154c	4430
wolfSSL	0:d92f9d21154c	4431	if (criticalExt != 0)
wolfSSL	0:d92f9d21154c	4432	return criticalExt;
wolfSSL	0:d92f9d21154c	4433
wolfSSL	0:d92f9d21154c	4434	return 0;
wolfSSL	0:d92f9d21154c	4435	}
wolfSSL	0:d92f9d21154c	4436
wolfSSL	0:d92f9d21154c	4437
wolfSSL	0:d92f9d21154c	4438	/* Create and init an new signer */
wolfSSL	0:d92f9d21154c	4439	Signer* MakeSigner(void* heap)
wolfSSL	0:d92f9d21154c	4440	{
wolfSSL	0:d92f9d21154c	4441	Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap,
wolfSSL	0:d92f9d21154c	4442	DYNAMIC_TYPE_SIGNER);
wolfSSL	0:d92f9d21154c	4443	if (signer) {
wolfSSL	0:d92f9d21154c	4444	signer->pubKeySize = 0;
wolfSSL	0:d92f9d21154c	4445	signer->keyOID = 0;
wolfSSL	0:d92f9d21154c	4446	signer->publicKey = NULL;
wolfSSL	0:d92f9d21154c	4447	signer->nameLen = 0;
wolfSSL	0:d92f9d21154c	4448	signer->name = NULL;
wolfSSL	0:d92f9d21154c	4449	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	4450	signer->permittedNames = NULL;
wolfSSL	0:d92f9d21154c	4451	signer->excludedNames = NULL;
wolfSSL	0:d92f9d21154c	4452	#endif /* IGNORE_NAME_CONSTRAINTS */
wolfSSL	0:d92f9d21154c	4453	signer->next = NULL;
wolfSSL	0:d92f9d21154c	4454	}
wolfSSL	0:d92f9d21154c	4455	(void)heap;
wolfSSL	0:d92f9d21154c	4456
wolfSSL	0:d92f9d21154c	4457	return signer;
wolfSSL	0:d92f9d21154c	4458	}
wolfSSL	0:d92f9d21154c	4459
wolfSSL	0:d92f9d21154c	4460
wolfSSL	0:d92f9d21154c	4461	/* Free an individual signer */
wolfSSL	0:d92f9d21154c	4462	void FreeSigner(Signer* signer, void* heap)
wolfSSL	0:d92f9d21154c	4463	{
wolfSSL	0:d92f9d21154c	4464	XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
wolfSSL	0:d92f9d21154c	4465	XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
wolfSSL	0:d92f9d21154c	4466	#ifndef IGNORE_NAME_CONSTRAINTS
wolfSSL	0:d92f9d21154c	4467	if (signer->permittedNames)
wolfSSL	0:d92f9d21154c	4468	FreeNameSubtrees(signer->permittedNames, heap);
wolfSSL	0:d92f9d21154c	4469	if (signer->excludedNames)
wolfSSL	0:d92f9d21154c	4470	FreeNameSubtrees(signer->excludedNames, heap);
wolfSSL	0:d92f9d21154c	4471	#endif
wolfSSL	0:d92f9d21154c	4472	XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
wolfSSL	0:d92f9d21154c	4473
wolfSSL	0:d92f9d21154c	4474	(void)heap;
wolfSSL	0:d92f9d21154c	4475	}
wolfSSL	0:d92f9d21154c	4476
wolfSSL	0:d92f9d21154c	4477
wolfSSL	0:d92f9d21154c	4478	/* Free the whole singer table with number of rows */
wolfSSL	0:d92f9d21154c	4479	void FreeSignerTable(Signer** table, int rows, void* heap)
wolfSSL	0:d92f9d21154c	4480	{
wolfSSL	0:d92f9d21154c	4481	int i;
wolfSSL	0:d92f9d21154c	4482
wolfSSL	0:d92f9d21154c	4483	for (i = 0; i < rows; i++) {
wolfSSL	0:d92f9d21154c	4484	Signer* signer = table[i];
wolfSSL	0:d92f9d21154c	4485	while (signer) {
wolfSSL	0:d92f9d21154c	4486	Signer* next = signer->next;
wolfSSL	0:d92f9d21154c	4487	FreeSigner(signer, heap);
wolfSSL	0:d92f9d21154c	4488	signer = next;
wolfSSL	0:d92f9d21154c	4489	}
wolfSSL	0:d92f9d21154c	4490	table[i] = NULL;
wolfSSL	0:d92f9d21154c	4491	}
wolfSSL	0:d92f9d21154c	4492	}
wolfSSL	0:d92f9d21154c	4493
wolfSSL	0:d92f9d21154c	4494
wolfSSL	0:d92f9d21154c	4495	WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
wolfSSL	0:d92f9d21154c	4496	{
wolfSSL	0:d92f9d21154c	4497	int i = 0;
wolfSSL	0:d92f9d21154c	4498
wolfSSL	0:d92f9d21154c	4499	if (header) {
wolfSSL	0:d92f9d21154c	4500	output[i++] = ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED;
wolfSSL	0:d92f9d21154c	4501	output[i++] = ASN_BIT_STRING;
wolfSSL	0:d92f9d21154c	4502	}
wolfSSL	0:d92f9d21154c	4503	output[i++] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	4504	output[i++] = 0x01;
wolfSSL	0:d92f9d21154c	4505	output[i++] = (byte)version;
wolfSSL	0:d92f9d21154c	4506
wolfSSL	0:d92f9d21154c	4507	return i;
wolfSSL	0:d92f9d21154c	4508	}
wolfSSL	0:d92f9d21154c	4509
wolfSSL	0:d92f9d21154c	4510
wolfSSL	0:d92f9d21154c	4511	WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
wolfSSL	0:d92f9d21154c	4512	{
wolfSSL	0:d92f9d21154c	4513	int result = 0;
wolfSSL	0:d92f9d21154c	4514
wolfSSL	0:d92f9d21154c	4515	WOLFSSL_ENTER("SetSerialNumber");
wolfSSL	0:d92f9d21154c	4516
wolfSSL	0:d92f9d21154c	4517	if (snSz <= EXTERNAL_SERIAL_SIZE) {
wolfSSL	0:d92f9d21154c	4518	output[0] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	4519	/* The serial number is always positive. When encoding the
wolfSSL	0:d92f9d21154c	4520	* INTEGER, if the MSB is 1, add a padding zero to keep the
wolfSSL	0:d92f9d21154c	4521	* number positive. */
wolfSSL	0:d92f9d21154c	4522	if (sn[0] & 0x80) {
wolfSSL	0:d92f9d21154c	4523	output[1] = (byte)snSz + 1;
wolfSSL	0:d92f9d21154c	4524	output[2] = 0;
wolfSSL	0:d92f9d21154c	4525	XMEMCPY(&output[3], sn, snSz);
wolfSSL	0:d92f9d21154c	4526	result = snSz + 3;
wolfSSL	0:d92f9d21154c	4527	}
wolfSSL	0:d92f9d21154c	4528	else {
wolfSSL	0:d92f9d21154c	4529	output[1] = (byte)snSz;
wolfSSL	0:d92f9d21154c	4530	XMEMCPY(&output[2], sn, snSz);
wolfSSL	0:d92f9d21154c	4531	result = snSz + 2;
wolfSSL	0:d92f9d21154c	4532	}
wolfSSL	0:d92f9d21154c	4533	}
wolfSSL	0:d92f9d21154c	4534	return result;
wolfSSL	0:d92f9d21154c	4535	}
wolfSSL	0:d92f9d21154c	4536
wolfSSL	0:d92f9d21154c	4537
wolfSSL	0:d92f9d21154c	4538
wolfSSL	0:d92f9d21154c	4539
wolfSSL	0:d92f9d21154c	4540	#if defined(WOLFSSL_KEY_GEN) \|\| defined(WOLFSSL_CERT_GEN)
wolfSSL	0:d92f9d21154c	4541
wolfSSL	0:d92f9d21154c	4542	/* convert der buffer to pem into output, can't do inplace, der and output
wolfSSL	0:d92f9d21154c	4543	need to be different */
wolfSSL	0:d92f9d21154c	4544	int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
wolfSSL	0:d92f9d21154c	4545	int type)
wolfSSL	0:d92f9d21154c	4546	{
wolfSSL	0:d92f9d21154c	4547	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4548	char* header = NULL;
wolfSSL	0:d92f9d21154c	4549	char* footer = NULL;
wolfSSL	0:d92f9d21154c	4550	#else
wolfSSL	0:d92f9d21154c	4551	char header[80];
wolfSSL	0:d92f9d21154c	4552	char footer[80];
wolfSSL	0:d92f9d21154c	4553	#endif
wolfSSL	0:d92f9d21154c	4554
wolfSSL	0:d92f9d21154c	4555	int headerLen = 80;
wolfSSL	0:d92f9d21154c	4556	int footerLen = 80;
wolfSSL	0:d92f9d21154c	4557	int i;
wolfSSL	0:d92f9d21154c	4558	int err;
wolfSSL	0:d92f9d21154c	4559	int outLen; /* return length or error */
wolfSSL	0:d92f9d21154c	4560
wolfSSL	0:d92f9d21154c	4561	if (der == output) /* no in place conversion */
wolfSSL	0:d92f9d21154c	4562	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4563
wolfSSL	0:d92f9d21154c	4564	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4565	header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4566	if (header == NULL)
wolfSSL	0:d92f9d21154c	4567	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4568
wolfSSL	0:d92f9d21154c	4569	footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4570	if (footer == NULL) {
wolfSSL	0:d92f9d21154c	4571	XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4572	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4573	}
wolfSSL	0:d92f9d21154c	4574	#endif
wolfSSL	0:d92f9d21154c	4575
wolfSSL	0:d92f9d21154c	4576	if (type == CERT_TYPE) {
wolfSSL	0:d92f9d21154c	4577	XSTRNCPY(header, "-----BEGIN CERTIFICATE-----\n", headerLen);
wolfSSL	0:d92f9d21154c	4578	XSTRNCPY(footer, "-----END CERTIFICATE-----\n", footerLen);
wolfSSL	0:d92f9d21154c	4579	}
wolfSSL	0:d92f9d21154c	4580	else if (type == PRIVATEKEY_TYPE) {
wolfSSL	0:d92f9d21154c	4581	XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----\n", headerLen);
wolfSSL	0:d92f9d21154c	4582	XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----\n", footerLen);
wolfSSL	0:d92f9d21154c	4583	}
wolfSSL	0:d92f9d21154c	4584	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	4585	else if (type == ECC_PRIVATEKEY_TYPE) {
wolfSSL	0:d92f9d21154c	4586	XSTRNCPY(header, "-----BEGIN EC PRIVATE KEY-----\n", headerLen);
wolfSSL	0:d92f9d21154c	4587	XSTRNCPY(footer, "-----END EC PRIVATE KEY-----\n", footerLen);
wolfSSL	0:d92f9d21154c	4588	}
wolfSSL	0:d92f9d21154c	4589	#endif
wolfSSL	0:d92f9d21154c	4590	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	4591	else if (type == CERTREQ_TYPE)
wolfSSL	0:d92f9d21154c	4592	{
wolfSSL	0:d92f9d21154c	4593	XSTRNCPY(header,
wolfSSL	0:d92f9d21154c	4594	"-----BEGIN CERTIFICATE REQUEST-----\n", headerLen);
wolfSSL	0:d92f9d21154c	4595	XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----\n", footerLen);
wolfSSL	0:d92f9d21154c	4596	}
wolfSSL	0:d92f9d21154c	4597	#endif
wolfSSL	0:d92f9d21154c	4598	else {
wolfSSL	0:d92f9d21154c	4599	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4600	XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4601	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4602	#endif
wolfSSL	0:d92f9d21154c	4603	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4604	}
wolfSSL	0:d92f9d21154c	4605
wolfSSL	0:d92f9d21154c	4606	headerLen = (int)XSTRLEN(header);
wolfSSL	0:d92f9d21154c	4607	footerLen = (int)XSTRLEN(footer);
wolfSSL	0:d92f9d21154c	4608
wolfSSL	0:d92f9d21154c	4609	if (!der \|\| !output) {
wolfSSL	0:d92f9d21154c	4610	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4611	XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4612	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4613	#endif
wolfSSL	0:d92f9d21154c	4614	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4615	}
wolfSSL	0:d92f9d21154c	4616
wolfSSL	0:d92f9d21154c	4617	/* don't even try if outSz too short */
wolfSSL	0:d92f9d21154c	4618	if (outSz < headerLen + footerLen + derSz) {
wolfSSL	0:d92f9d21154c	4619	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4620	XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4621	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4622	#endif
wolfSSL	0:d92f9d21154c	4623	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4624	}
wolfSSL	0:d92f9d21154c	4625
wolfSSL	0:d92f9d21154c	4626	/* header */
wolfSSL	0:d92f9d21154c	4627	XMEMCPY(output, header, headerLen);
wolfSSL	0:d92f9d21154c	4628	i = headerLen;
wolfSSL	0:d92f9d21154c	4629
wolfSSL	0:d92f9d21154c	4630	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4631	XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4632	#endif
wolfSSL	0:d92f9d21154c	4633
wolfSSL	0:d92f9d21154c	4634	/* body */
wolfSSL	0:d92f9d21154c	4635	outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */
wolfSSL	0:d92f9d21154c	4636	if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) {
wolfSSL	0:d92f9d21154c	4637	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4638	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4639	#endif
wolfSSL	0:d92f9d21154c	4640	return err;
wolfSSL	0:d92f9d21154c	4641	}
wolfSSL	0:d92f9d21154c	4642	i += outLen;
wolfSSL	0:d92f9d21154c	4643
wolfSSL	0:d92f9d21154c	4644	/* footer */
wolfSSL	0:d92f9d21154c	4645	if ( (i + footerLen) > (int)outSz) {
wolfSSL	0:d92f9d21154c	4646	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4647	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4648	#endif
wolfSSL	0:d92f9d21154c	4649	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4650	}
wolfSSL	0:d92f9d21154c	4651	XMEMCPY(output + i, footer, footerLen);
wolfSSL	0:d92f9d21154c	4652
wolfSSL	0:d92f9d21154c	4653	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4654	XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4655	#endif
wolfSSL	0:d92f9d21154c	4656
wolfSSL	0:d92f9d21154c	4657	return outLen + headerLen + footerLen;
wolfSSL	0:d92f9d21154c	4658	}
wolfSSL	0:d92f9d21154c	4659
wolfSSL	0:d92f9d21154c	4660
wolfSSL	0:d92f9d21154c	4661	#endif /* WOLFSSL_KEY_GEN \|\| WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	4662
wolfSSL	0:d92f9d21154c	4663
wolfSSL	0:d92f9d21154c	4664	#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
wolfSSL	0:d92f9d21154c	4665
wolfSSL	0:d92f9d21154c	4666
wolfSSL	0:d92f9d21154c	4667	static mp_int* GetRsaInt(RsaKey* key, int idx)
wolfSSL	0:d92f9d21154c	4668	{
wolfSSL	0:d92f9d21154c	4669	if (idx == 0)
wolfSSL	0:d92f9d21154c	4670	return &key->n;
wolfSSL	0:d92f9d21154c	4671	if (idx == 1)
wolfSSL	0:d92f9d21154c	4672	return &key->e;
wolfSSL	0:d92f9d21154c	4673	if (idx == 2)
wolfSSL	0:d92f9d21154c	4674	return &key->d;
wolfSSL	0:d92f9d21154c	4675	if (idx == 3)
wolfSSL	0:d92f9d21154c	4676	return &key->p;
wolfSSL	0:d92f9d21154c	4677	if (idx == 4)
wolfSSL	0:d92f9d21154c	4678	return &key->q;
wolfSSL	0:d92f9d21154c	4679	if (idx == 5)
wolfSSL	0:d92f9d21154c	4680	return &key->dP;
wolfSSL	0:d92f9d21154c	4681	if (idx == 6)
wolfSSL	0:d92f9d21154c	4682	return &key->dQ;
wolfSSL	0:d92f9d21154c	4683	if (idx == 7)
wolfSSL	0:d92f9d21154c	4684	return &key->u;
wolfSSL	0:d92f9d21154c	4685
wolfSSL	0:d92f9d21154c	4686	return NULL;
wolfSSL	0:d92f9d21154c	4687	}
wolfSSL	0:d92f9d21154c	4688
wolfSSL	0:d92f9d21154c	4689
wolfSSL	0:d92f9d21154c	4690	/* Release Tmp RSA resources */
wolfSSL	0:d92f9d21154c	4691	static INLINE void FreeTmpRsas(byte** tmps, void* heap)
wolfSSL	0:d92f9d21154c	4692	{
wolfSSL	0:d92f9d21154c	4693	int i;
wolfSSL	0:d92f9d21154c	4694
wolfSSL	0:d92f9d21154c	4695	(void)heap;
wolfSSL	0:d92f9d21154c	4696
wolfSSL	0:d92f9d21154c	4697	for (i = 0; i < RSA_INTS; i++)
wolfSSL	0:d92f9d21154c	4698	XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA);
wolfSSL	0:d92f9d21154c	4699	}
wolfSSL	0:d92f9d21154c	4700
wolfSSL	0:d92f9d21154c	4701
wolfSSL	0:d92f9d21154c	4702	/* Convert RsaKey key to DER format, write to output (inLen), return bytes
wolfSSL	0:d92f9d21154c	4703	written */
wolfSSL	0:d92f9d21154c	4704	int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
wolfSSL	0:d92f9d21154c	4705	{
wolfSSL	0:d92f9d21154c	4706	word32 seqSz, verSz, rawLen, intTotalLen = 0;
wolfSSL	0:d92f9d21154c	4707	word32 sizes[RSA_INTS];
wolfSSL	0:d92f9d21154c	4708	int i, j, outLen, ret = 0;
wolfSSL	0:d92f9d21154c	4709
wolfSSL	0:d92f9d21154c	4710	byte seq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	4711	byte ver[MAX_VERSION_SZ];
wolfSSL	0:d92f9d21154c	4712	byte* tmps[RSA_INTS];
wolfSSL	0:d92f9d21154c	4713
wolfSSL	0:d92f9d21154c	4714	if (!key \|\| !output)
wolfSSL	0:d92f9d21154c	4715	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4716
wolfSSL	0:d92f9d21154c	4717	if (key->type != RSA_PRIVATE)
wolfSSL	0:d92f9d21154c	4718	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4719
wolfSSL	0:d92f9d21154c	4720	for (i = 0; i < RSA_INTS; i++)
wolfSSL	0:d92f9d21154c	4721	tmps[i] = NULL;
wolfSSL	0:d92f9d21154c	4722
wolfSSL	0:d92f9d21154c	4723	/* write all big ints from key to DER tmps */
wolfSSL	0:d92f9d21154c	4724	for (i = 0; i < RSA_INTS; i++) {
wolfSSL	0:d92f9d21154c	4725	mp_int* keyInt = GetRsaInt(key, i);
wolfSSL	0:d92f9d21154c	4726	rawLen = mp_unsigned_bin_size(keyInt);
wolfSSL	0:d92f9d21154c	4727	tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
wolfSSL	0:d92f9d21154c	4728	DYNAMIC_TYPE_RSA);
wolfSSL	0:d92f9d21154c	4729	if (tmps[i] == NULL) {
wolfSSL	0:d92f9d21154c	4730	ret = MEMORY_E;
wolfSSL	0:d92f9d21154c	4731	break;
wolfSSL	0:d92f9d21154c	4732	}
wolfSSL	0:d92f9d21154c	4733
wolfSSL	0:d92f9d21154c	4734	tmps[i][0] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	4735	sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1; /* int tag */
wolfSSL	0:d92f9d21154c	4736
wolfSSL	0:d92f9d21154c	4737	if (sizes[i] <= MAX_SEQ_SZ) {
wolfSSL	0:d92f9d21154c	4738	int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
wolfSSL	0:d92f9d21154c	4739	if (err == MP_OKAY) {
wolfSSL	0:d92f9d21154c	4740	sizes[i] += rawLen;
wolfSSL	0:d92f9d21154c	4741	intTotalLen += sizes[i];
wolfSSL	0:d92f9d21154c	4742	}
wolfSSL	0:d92f9d21154c	4743	else {
wolfSSL	0:d92f9d21154c	4744	ret = err;
wolfSSL	0:d92f9d21154c	4745	break;
wolfSSL	0:d92f9d21154c	4746	}
wolfSSL	0:d92f9d21154c	4747	}
wolfSSL	0:d92f9d21154c	4748	else {
wolfSSL	0:d92f9d21154c	4749	ret = ASN_INPUT_E;
wolfSSL	0:d92f9d21154c	4750	break;
wolfSSL	0:d92f9d21154c	4751	}
wolfSSL	0:d92f9d21154c	4752	}
wolfSSL	0:d92f9d21154c	4753
wolfSSL	0:d92f9d21154c	4754	if (ret != 0) {
wolfSSL	0:d92f9d21154c	4755	FreeTmpRsas(tmps, key->heap);
wolfSSL	0:d92f9d21154c	4756	return ret;
wolfSSL	0:d92f9d21154c	4757	}
wolfSSL	0:d92f9d21154c	4758
wolfSSL	0:d92f9d21154c	4759	/* make headers */
wolfSSL	0:d92f9d21154c	4760	verSz = SetMyVersion(0, ver, FALSE);
wolfSSL	0:d92f9d21154c	4761	seqSz = SetSequence(verSz + intTotalLen, seq);
wolfSSL	0:d92f9d21154c	4762
wolfSSL	0:d92f9d21154c	4763	outLen = seqSz + verSz + intTotalLen;
wolfSSL	0:d92f9d21154c	4764	if (outLen > (int)inLen)
wolfSSL	0:d92f9d21154c	4765	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	4766
wolfSSL	0:d92f9d21154c	4767	/* write to output */
wolfSSL	0:d92f9d21154c	4768	XMEMCPY(output, seq, seqSz);
wolfSSL	0:d92f9d21154c	4769	j = seqSz;
wolfSSL	0:d92f9d21154c	4770	XMEMCPY(output + j, ver, verSz);
wolfSSL	0:d92f9d21154c	4771	j += verSz;
wolfSSL	0:d92f9d21154c	4772
wolfSSL	0:d92f9d21154c	4773	for (i = 0; i < RSA_INTS; i++) {
wolfSSL	0:d92f9d21154c	4774	XMEMCPY(output + j, tmps[i], sizes[i]);
wolfSSL	0:d92f9d21154c	4775	j += sizes[i];
wolfSSL	0:d92f9d21154c	4776	}
wolfSSL	0:d92f9d21154c	4777	FreeTmpRsas(tmps, key->heap);
wolfSSL	0:d92f9d21154c	4778
wolfSSL	0:d92f9d21154c	4779	return outLen;
wolfSSL	0:d92f9d21154c	4780	}
wolfSSL	0:d92f9d21154c	4781
wolfSSL	0:d92f9d21154c	4782	#endif /* WOLFSSL_KEY_GEN && !NO_RSA */
wolfSSL	0:d92f9d21154c	4783
wolfSSL	0:d92f9d21154c	4784
wolfSSL	0:d92f9d21154c	4785	#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
wolfSSL	0:d92f9d21154c	4786
wolfSSL	0:d92f9d21154c	4787
wolfSSL	0:d92f9d21154c	4788	#ifndef WOLFSSL_HAVE_MIN
wolfSSL	0:d92f9d21154c	4789	#define WOLFSSL_HAVE_MIN
wolfSSL	0:d92f9d21154c	4790
wolfSSL	0:d92f9d21154c	4791	static INLINE word32 min(word32 a, word32 b)
wolfSSL	0:d92f9d21154c	4792	{
wolfSSL	0:d92f9d21154c	4793	return a > b ? b : a;
wolfSSL	0:d92f9d21154c	4794	}
wolfSSL	0:d92f9d21154c	4795
wolfSSL	0:d92f9d21154c	4796	#endif /* WOLFSSL_HAVE_MIN */
wolfSSL	0:d92f9d21154c	4797
wolfSSL	0:d92f9d21154c	4798
wolfSSL	0:d92f9d21154c	4799	/* Initialize and Set Certficate defaults:
wolfSSL	0:d92f9d21154c	4800	version = 3 (0x2)
wolfSSL	0:d92f9d21154c	4801	serial = 0
wolfSSL	0:d92f9d21154c	4802	sigType = SHA_WITH_RSA
wolfSSL	0:d92f9d21154c	4803	issuer = blank
wolfSSL	0:d92f9d21154c	4804	daysValid = 500
wolfSSL	0:d92f9d21154c	4805	selfSigned = 1 (true) use subject as issuer
wolfSSL	0:d92f9d21154c	4806	subject = blank
wolfSSL	0:d92f9d21154c	4807	*/
wolfSSL	0:d92f9d21154c	4808	void wc_InitCert(Cert* cert)
wolfSSL	0:d92f9d21154c	4809	{
wolfSSL	0:d92f9d21154c	4810	cert->version = 2; /* version 3 is hex 2 */
wolfSSL	0:d92f9d21154c	4811	cert->sigType = CTC_SHAwRSA;
wolfSSL	0:d92f9d21154c	4812	cert->daysValid = 500;
wolfSSL	0:d92f9d21154c	4813	cert->selfSigned = 1;
wolfSSL	0:d92f9d21154c	4814	cert->isCA = 0;
wolfSSL	0:d92f9d21154c	4815	cert->bodySz = 0;
wolfSSL	0:d92f9d21154c	4816	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	4817	cert->altNamesSz = 0;
wolfSSL	0:d92f9d21154c	4818	cert->beforeDateSz = 0;
wolfSSL	0:d92f9d21154c	4819	cert->afterDateSz = 0;
wolfSSL	0:d92f9d21154c	4820	#endif
wolfSSL	0:d92f9d21154c	4821	cert->keyType = RSA_KEY;
wolfSSL	0:d92f9d21154c	4822	XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE);
wolfSSL	0:d92f9d21154c	4823
wolfSSL	0:d92f9d21154c	4824	cert->issuer.country[0] = '\0';
wolfSSL	0:d92f9d21154c	4825	cert->issuer.countryEnc = CTC_PRINTABLE;
wolfSSL	0:d92f9d21154c	4826	cert->issuer.state[0] = '\0';
wolfSSL	0:d92f9d21154c	4827	cert->issuer.stateEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4828	cert->issuer.locality[0] = '\0';
wolfSSL	0:d92f9d21154c	4829	cert->issuer.localityEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4830	cert->issuer.sur[0] = '\0';
wolfSSL	0:d92f9d21154c	4831	cert->issuer.surEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4832	cert->issuer.org[0] = '\0';
wolfSSL	0:d92f9d21154c	4833	cert->issuer.orgEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4834	cert->issuer.unit[0] = '\0';
wolfSSL	0:d92f9d21154c	4835	cert->issuer.unitEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4836	cert->issuer.commonName[0] = '\0';
wolfSSL	0:d92f9d21154c	4837	cert->issuer.commonNameEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4838	cert->issuer.email[0] = '\0';
wolfSSL	0:d92f9d21154c	4839
wolfSSL	0:d92f9d21154c	4840	cert->subject.country[0] = '\0';
wolfSSL	0:d92f9d21154c	4841	cert->subject.countryEnc = CTC_PRINTABLE;
wolfSSL	0:d92f9d21154c	4842	cert->subject.state[0] = '\0';
wolfSSL	0:d92f9d21154c	4843	cert->subject.stateEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4844	cert->subject.locality[0] = '\0';
wolfSSL	0:d92f9d21154c	4845	cert->subject.localityEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4846	cert->subject.sur[0] = '\0';
wolfSSL	0:d92f9d21154c	4847	cert->subject.surEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4848	cert->subject.org[0] = '\0';
wolfSSL	0:d92f9d21154c	4849	cert->subject.orgEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4850	cert->subject.unit[0] = '\0';
wolfSSL	0:d92f9d21154c	4851	cert->subject.unitEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4852	cert->subject.commonName[0] = '\0';
wolfSSL	0:d92f9d21154c	4853	cert->subject.commonNameEnc = CTC_UTF8;
wolfSSL	0:d92f9d21154c	4854	cert->subject.email[0] = '\0';
wolfSSL	0:d92f9d21154c	4855
wolfSSL	0:d92f9d21154c	4856	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	4857	cert->challengePw[0] ='\0';
wolfSSL	0:d92f9d21154c	4858	#endif
wolfSSL	0:d92f9d21154c	4859	}
wolfSSL	0:d92f9d21154c	4860
wolfSSL	0:d92f9d21154c	4861
wolfSSL	0:d92f9d21154c	4862	/* DER encoded x509 Certificate */
wolfSSL	0:d92f9d21154c	4863	typedef struct DerCert {
wolfSSL	0:d92f9d21154c	4864	byte size[MAX_LENGTH_SZ]; /* length encoded */
wolfSSL	0:d92f9d21154c	4865	byte version[MAX_VERSION_SZ]; /* version encoded */
wolfSSL	0:d92f9d21154c	4866	byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */
wolfSSL	0:d92f9d21154c	4867	byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */
wolfSSL	0:d92f9d21154c	4868	byte issuer[ASN_NAME_MAX]; /* issuer encoded */
wolfSSL	0:d92f9d21154c	4869	byte subject[ASN_NAME_MAX]; /* subject encoded */
wolfSSL	0:d92f9d21154c	4870	byte validity[MAX_DATE_SIZE2 + MAX_SEQ_SZ2]; /* before and after dates */
wolfSSL	0:d92f9d21154c	4871	byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
wolfSSL	0:d92f9d21154c	4872	byte ca[MAX_CA_SZ]; /* basic constraint CA true size */
wolfSSL	0:d92f9d21154c	4873	byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
wolfSSL	0:d92f9d21154c	4874	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	4875	byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */
wolfSSL	0:d92f9d21154c	4876	#endif
wolfSSL	0:d92f9d21154c	4877	int sizeSz; /* encoded size length */
wolfSSL	0:d92f9d21154c	4878	int versionSz; /* encoded version length */
wolfSSL	0:d92f9d21154c	4879	int serialSz; /* encoded serial length */
wolfSSL	0:d92f9d21154c	4880	int sigAlgoSz; /* enocded sig alog length */
wolfSSL	0:d92f9d21154c	4881	int issuerSz; /* encoded issuer length */
wolfSSL	0:d92f9d21154c	4882	int subjectSz; /* encoded subject length */
wolfSSL	0:d92f9d21154c	4883	int validitySz; /* encoded validity length */
wolfSSL	0:d92f9d21154c	4884	int publicKeySz; /* encoded public key length */
wolfSSL	0:d92f9d21154c	4885	int caSz; /* encoded CA extension length */
wolfSSL	0:d92f9d21154c	4886	int extensionsSz; /* encoded extensions total length */
wolfSSL	0:d92f9d21154c	4887	int total; /* total encoded lengths */
wolfSSL	0:d92f9d21154c	4888	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	4889	int attribSz;
wolfSSL	0:d92f9d21154c	4890	#endif
wolfSSL	0:d92f9d21154c	4891	} DerCert;
wolfSSL	0:d92f9d21154c	4892
wolfSSL	0:d92f9d21154c	4893
wolfSSL	0:d92f9d21154c	4894	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	4895
wolfSSL	0:d92f9d21154c	4896	/* Write a set header to output */
wolfSSL	0:d92f9d21154c	4897	static word32 SetUTF8String(word32 len, byte* output)
wolfSSL	0:d92f9d21154c	4898	{
wolfSSL	0:d92f9d21154c	4899	output[0] = ASN_UTF8STRING;
wolfSSL	0:d92f9d21154c	4900	return SetLength(len, output + 1) + 1;
wolfSSL	0:d92f9d21154c	4901	}
wolfSSL	0:d92f9d21154c	4902
wolfSSL	0:d92f9d21154c	4903	#endif /* WOLFSSL_CERT_REQ */
wolfSSL	0:d92f9d21154c	4904
wolfSSL	0:d92f9d21154c	4905
wolfSSL	0:d92f9d21154c	4906	/* Write a serial number to output */
wolfSSL	0:d92f9d21154c	4907	static int SetSerial(const byte* serial, byte* output)
wolfSSL	0:d92f9d21154c	4908	{
wolfSSL	0:d92f9d21154c	4909	int length = 0;
wolfSSL	0:d92f9d21154c	4910
wolfSSL	0:d92f9d21154c	4911	output[length++] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	4912	length += SetLength(CTC_SERIAL_SIZE, &output[length]);
wolfSSL	0:d92f9d21154c	4913	XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE);
wolfSSL	0:d92f9d21154c	4914
wolfSSL	0:d92f9d21154c	4915	return length + CTC_SERIAL_SIZE;
wolfSSL	0:d92f9d21154c	4916	}
wolfSSL	0:d92f9d21154c	4917
wolfSSL	0:d92f9d21154c	4918
wolfSSL	0:d92f9d21154c	4919	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	4920
wolfSSL	0:d92f9d21154c	4921
wolfSSL	0:d92f9d21154c	4922	/* Write a public ECC key to output */
wolfSSL	0:d92f9d21154c	4923	static int SetEccPublicKey(byte* output, ecc_key* key)
wolfSSL	0:d92f9d21154c	4924	{
wolfSSL	0:d92f9d21154c	4925	byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */
wolfSSL	0:d92f9d21154c	4926	int algoSz;
wolfSSL	0:d92f9d21154c	4927	int curveSz;
wolfSSL	0:d92f9d21154c	4928	int lenSz;
wolfSSL	0:d92f9d21154c	4929	int idx;
wolfSSL	0:d92f9d21154c	4930	word32 pubSz = ECC_BUFSIZE;
wolfSSL	0:d92f9d21154c	4931	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4932	byte* algo = NULL;
wolfSSL	0:d92f9d21154c	4933	byte* curve = NULL;
wolfSSL	0:d92f9d21154c	4934	byte* pub = NULL;
wolfSSL	0:d92f9d21154c	4935	#else
wolfSSL	0:d92f9d21154c	4936	byte algo[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	4937	byte curve[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	4938	byte pub[ECC_BUFSIZE];
wolfSSL	0:d92f9d21154c	4939	#endif
wolfSSL	0:d92f9d21154c	4940
wolfSSL	0:d92f9d21154c	4941	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4942	pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4943	if (pub == NULL)
wolfSSL	0:d92f9d21154c	4944	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4945	#endif
wolfSSL	0:d92f9d21154c	4946
wolfSSL	0:d92f9d21154c	4947	int ret = wc_ecc_export_x963(key, pub, &pubSz);
wolfSSL	0:d92f9d21154c	4948	if (ret != 0) {
wolfSSL	0:d92f9d21154c	4949	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4950	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4951	#endif
wolfSSL	0:d92f9d21154c	4952	return ret;
wolfSSL	0:d92f9d21154c	4953	}
wolfSSL	0:d92f9d21154c	4954
wolfSSL	0:d92f9d21154c	4955	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4956	curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4957	if (curve == NULL) {
wolfSSL	0:d92f9d21154c	4958	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4959	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4960	}
wolfSSL	0:d92f9d21154c	4961	#endif
wolfSSL	0:d92f9d21154c	4962
wolfSSL	0:d92f9d21154c	4963	/* headers */
wolfSSL	0:d92f9d21154c	4964	curveSz = SetCurve(key, curve);
wolfSSL	0:d92f9d21154c	4965	if (curveSz <= 0) {
wolfSSL	0:d92f9d21154c	4966	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4967	XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4968	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4969	#endif
wolfSSL	0:d92f9d21154c	4970	return curveSz;
wolfSSL	0:d92f9d21154c	4971	}
wolfSSL	0:d92f9d21154c	4972
wolfSSL	0:d92f9d21154c	4973	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	4974	algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4975	if (algo == NULL) {
wolfSSL	0:d92f9d21154c	4976	XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4977	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	4978	return MEMORY_E;
wolfSSL	0:d92f9d21154c	4979	}
wolfSSL	0:d92f9d21154c	4980	#endif
wolfSSL	0:d92f9d21154c	4981
wolfSSL	0:d92f9d21154c	4982	algoSz = SetAlgoID(ECDSAk, algo, keyType, curveSz);
wolfSSL	0:d92f9d21154c	4983	lenSz = SetLength(pubSz + 1, len);
wolfSSL	0:d92f9d21154c	4984	len[lenSz++] = 0; /* trailing 0 */
wolfSSL	0:d92f9d21154c	4985
wolfSSL	0:d92f9d21154c	4986	/* write */
wolfSSL	0:d92f9d21154c	4987	idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output);
wolfSSL	0:d92f9d21154c	4988	/* 1 is for ASN_BIT_STRING */
wolfSSL	0:d92f9d21154c	4989	/* algo */
wolfSSL	0:d92f9d21154c	4990	XMEMCPY(output + idx, algo, algoSz);
wolfSSL	0:d92f9d21154c	4991	idx += algoSz;
wolfSSL	0:d92f9d21154c	4992	/* curve */
wolfSSL	0:d92f9d21154c	4993	XMEMCPY(output + idx, curve, curveSz);
wolfSSL	0:d92f9d21154c	4994	idx += curveSz;
wolfSSL	0:d92f9d21154c	4995	/* bit string */
wolfSSL	0:d92f9d21154c	4996	output[idx++] = ASN_BIT_STRING;
wolfSSL	0:d92f9d21154c	4997	/* length */
wolfSSL	0:d92f9d21154c	4998	XMEMCPY(output + idx, len, lenSz);
wolfSSL	0:d92f9d21154c	4999	idx += lenSz;
wolfSSL	0:d92f9d21154c	5000	/* pub */
wolfSSL	0:d92f9d21154c	5001	XMEMCPY(output + idx, pub, pubSz);
wolfSSL	0:d92f9d21154c	5002	idx += pubSz;
wolfSSL	0:d92f9d21154c	5003
wolfSSL	0:d92f9d21154c	5004	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5005	XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5006	XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5007	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5008	#endif
wolfSSL	0:d92f9d21154c	5009
wolfSSL	0:d92f9d21154c	5010	return idx;
wolfSSL	0:d92f9d21154c	5011	}
wolfSSL	0:d92f9d21154c	5012
wolfSSL	0:d92f9d21154c	5013
wolfSSL	0:d92f9d21154c	5014	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	5015
wolfSSL	0:d92f9d21154c	5016
wolfSSL	0:d92f9d21154c	5017	/* Write a public RSA key to output */
wolfSSL	0:d92f9d21154c	5018	static int SetRsaPublicKey(byte* output, RsaKey* key)
wolfSSL	0:d92f9d21154c	5019	{
wolfSSL	0:d92f9d21154c	5020	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5021	byte* n = NULL;
wolfSSL	0:d92f9d21154c	5022	byte* e = NULL;
wolfSSL	0:d92f9d21154c	5023	byte* algo = NULL;
wolfSSL	0:d92f9d21154c	5024	#else
wolfSSL	0:d92f9d21154c	5025	byte n[MAX_RSA_INT_SZ];
wolfSSL	0:d92f9d21154c	5026	byte e[MAX_RSA_E_SZ];
wolfSSL	0:d92f9d21154c	5027	byte algo[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	5028	#endif
wolfSSL	0:d92f9d21154c	5029	byte seq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5030	byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */
wolfSSL	0:d92f9d21154c	5031	int nSz;
wolfSSL	0:d92f9d21154c	5032	int eSz;
wolfSSL	0:d92f9d21154c	5033	int algoSz;
wolfSSL	0:d92f9d21154c	5034	int seqSz;
wolfSSL	0:d92f9d21154c	5035	int lenSz;
wolfSSL	0:d92f9d21154c	5036	int idx;
wolfSSL	0:d92f9d21154c	5037	int rawLen;
wolfSSL	0:d92f9d21154c	5038	int leadingBit;
wolfSSL	0:d92f9d21154c	5039	int err;
wolfSSL	0:d92f9d21154c	5040
wolfSSL	0:d92f9d21154c	5041	/* n */
wolfSSL	0:d92f9d21154c	5042	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5043	n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5044	if (n == NULL)
wolfSSL	0:d92f9d21154c	5045	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5046	#endif
wolfSSL	0:d92f9d21154c	5047
wolfSSL	0:d92f9d21154c	5048	leadingBit = mp_leading_bit(&key->n);
wolfSSL	0:d92f9d21154c	5049	rawLen = mp_unsigned_bin_size(&key->n) + leadingBit;
wolfSSL	0:d92f9d21154c	5050	n[0] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	5051	nSz = SetLength(rawLen, n + 1) + 1; /* int tag */
wolfSSL	0:d92f9d21154c	5052
wolfSSL	0:d92f9d21154c	5053	if ( (nSz + rawLen) < MAX_RSA_INT_SZ) {
wolfSSL	0:d92f9d21154c	5054	if (leadingBit)
wolfSSL	0:d92f9d21154c	5055	n[nSz] = 0;
wolfSSL	0:d92f9d21154c	5056	err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit);
wolfSSL	0:d92f9d21154c	5057	if (err == MP_OKAY)
wolfSSL	0:d92f9d21154c	5058	nSz += rawLen;
wolfSSL	0:d92f9d21154c	5059	else {
wolfSSL	0:d92f9d21154c	5060	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5061	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5062	#endif
wolfSSL	0:d92f9d21154c	5063	return MP_TO_E;
wolfSSL	0:d92f9d21154c	5064	}
wolfSSL	0:d92f9d21154c	5065	}
wolfSSL	0:d92f9d21154c	5066	else {
wolfSSL	0:d92f9d21154c	5067	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5068	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5069	#endif
wolfSSL	0:d92f9d21154c	5070	return BUFFER_E;
wolfSSL	0:d92f9d21154c	5071	}
wolfSSL	0:d92f9d21154c	5072
wolfSSL	0:d92f9d21154c	5073	/* e */
wolfSSL	0:d92f9d21154c	5074	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5075	e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5076	if (e == NULL) {
wolfSSL	0:d92f9d21154c	5077	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5078	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5079	#endif
wolfSSL	0:d92f9d21154c	5080	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5081	}
wolfSSL	0:d92f9d21154c	5082	#endif
wolfSSL	0:d92f9d21154c	5083
wolfSSL	0:d92f9d21154c	5084	leadingBit = mp_leading_bit(&key->e);
wolfSSL	0:d92f9d21154c	5085	rawLen = mp_unsigned_bin_size(&key->e) + leadingBit;
wolfSSL	0:d92f9d21154c	5086	e[0] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	5087	eSz = SetLength(rawLen, e + 1) + 1; /* int tag */
wolfSSL	0:d92f9d21154c	5088
wolfSSL	0:d92f9d21154c	5089	if ( (eSz + rawLen) < MAX_RSA_E_SZ) {
wolfSSL	0:d92f9d21154c	5090	if (leadingBit)
wolfSSL	0:d92f9d21154c	5091	e[eSz] = 0;
wolfSSL	0:d92f9d21154c	5092	err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit);
wolfSSL	0:d92f9d21154c	5093	if (err == MP_OKAY)
wolfSSL	0:d92f9d21154c	5094	eSz += rawLen;
wolfSSL	0:d92f9d21154c	5095	else {
wolfSSL	0:d92f9d21154c	5096	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5097	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5098	XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5099	#endif
wolfSSL	0:d92f9d21154c	5100	return MP_TO_E;
wolfSSL	0:d92f9d21154c	5101	}
wolfSSL	0:d92f9d21154c	5102	}
wolfSSL	0:d92f9d21154c	5103	else {
wolfSSL	0:d92f9d21154c	5104	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5105	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5106	XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5107	#endif
wolfSSL	0:d92f9d21154c	5108	return BUFFER_E;
wolfSSL	0:d92f9d21154c	5109	}
wolfSSL	0:d92f9d21154c	5110
wolfSSL	0:d92f9d21154c	5111	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5112	algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5113	if (algo == NULL) {
wolfSSL	0:d92f9d21154c	5114	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5115	XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5116	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5117	}
wolfSSL	0:d92f9d21154c	5118	#endif
wolfSSL	0:d92f9d21154c	5119
wolfSSL	0:d92f9d21154c	5120	/* headers */
wolfSSL	0:d92f9d21154c	5121	algoSz = SetAlgoID(RSAk, algo, keyType, 0);
wolfSSL	0:d92f9d21154c	5122	seqSz = SetSequence(nSz + eSz, seq);
wolfSSL	0:d92f9d21154c	5123	lenSz = SetLength(seqSz + nSz + eSz + 1, len);
wolfSSL	0:d92f9d21154c	5124	len[lenSz++] = 0; /* trailing 0 */
wolfSSL	0:d92f9d21154c	5125
wolfSSL	0:d92f9d21154c	5126	/* write */
wolfSSL	0:d92f9d21154c	5127	idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output);
wolfSSL	0:d92f9d21154c	5128	/* 1 is for ASN_BIT_STRING */
wolfSSL	0:d92f9d21154c	5129	/* algo */
wolfSSL	0:d92f9d21154c	5130	XMEMCPY(output + idx, algo, algoSz);
wolfSSL	0:d92f9d21154c	5131	idx += algoSz;
wolfSSL	0:d92f9d21154c	5132	/* bit string */
wolfSSL	0:d92f9d21154c	5133	output[idx++] = ASN_BIT_STRING;
wolfSSL	0:d92f9d21154c	5134	/* length */
wolfSSL	0:d92f9d21154c	5135	XMEMCPY(output + idx, len, lenSz);
wolfSSL	0:d92f9d21154c	5136	idx += lenSz;
wolfSSL	0:d92f9d21154c	5137	/* seq */
wolfSSL	0:d92f9d21154c	5138	XMEMCPY(output + idx, seq, seqSz);
wolfSSL	0:d92f9d21154c	5139	idx += seqSz;
wolfSSL	0:d92f9d21154c	5140	/* n */
wolfSSL	0:d92f9d21154c	5141	XMEMCPY(output + idx, n, nSz);
wolfSSL	0:d92f9d21154c	5142	idx += nSz;
wolfSSL	0:d92f9d21154c	5143	/* e */
wolfSSL	0:d92f9d21154c	5144	XMEMCPY(output + idx, e, eSz);
wolfSSL	0:d92f9d21154c	5145	idx += eSz;
wolfSSL	0:d92f9d21154c	5146
wolfSSL	0:d92f9d21154c	5147	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5148	XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5149	XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5150	XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5151	#endif
wolfSSL	0:d92f9d21154c	5152
wolfSSL	0:d92f9d21154c	5153	return idx;
wolfSSL	0:d92f9d21154c	5154	}
wolfSSL	0:d92f9d21154c	5155
wolfSSL	0:d92f9d21154c	5156
wolfSSL	0:d92f9d21154c	5157	static INLINE byte itob(int number)
wolfSSL	0:d92f9d21154c	5158	{
wolfSSL	0:d92f9d21154c	5159	return (byte)number + 0x30;
wolfSSL	0:d92f9d21154c	5160	}
wolfSSL	0:d92f9d21154c	5161
wolfSSL	0:d92f9d21154c	5162
wolfSSL	0:d92f9d21154c	5163	/* write time to output, format */
wolfSSL	0:d92f9d21154c	5164	static void SetTime(struct tm* date, byte* output)
wolfSSL	0:d92f9d21154c	5165	{
wolfSSL	0:d92f9d21154c	5166	int i = 0;
wolfSSL	0:d92f9d21154c	5167
wolfSSL	0:d92f9d21154c	5168	output[i++] = itob((date->tm_year % 10000) / 1000);
wolfSSL	0:d92f9d21154c	5169	output[i++] = itob((date->tm_year % 1000) / 100);
wolfSSL	0:d92f9d21154c	5170	output[i++] = itob((date->tm_year % 100) / 10);
wolfSSL	0:d92f9d21154c	5171	output[i++] = itob( date->tm_year % 10);
wolfSSL	0:d92f9d21154c	5172
wolfSSL	0:d92f9d21154c	5173	output[i++] = itob(date->tm_mon / 10);
wolfSSL	0:d92f9d21154c	5174	output[i++] = itob(date->tm_mon % 10);
wolfSSL	0:d92f9d21154c	5175
wolfSSL	0:d92f9d21154c	5176	output[i++] = itob(date->tm_mday / 10);
wolfSSL	0:d92f9d21154c	5177	output[i++] = itob(date->tm_mday % 10);
wolfSSL	0:d92f9d21154c	5178
wolfSSL	0:d92f9d21154c	5179	output[i++] = itob(date->tm_hour / 10);
wolfSSL	0:d92f9d21154c	5180	output[i++] = itob(date->tm_hour % 10);
wolfSSL	0:d92f9d21154c	5181
wolfSSL	0:d92f9d21154c	5182	output[i++] = itob(date->tm_min / 10);
wolfSSL	0:d92f9d21154c	5183	output[i++] = itob(date->tm_min % 10);
wolfSSL	0:d92f9d21154c	5184
wolfSSL	0:d92f9d21154c	5185	output[i++] = itob(date->tm_sec / 10);
wolfSSL	0:d92f9d21154c	5186	output[i++] = itob(date->tm_sec % 10);
wolfSSL	0:d92f9d21154c	5187
wolfSSL	0:d92f9d21154c	5188	output[i] = 'Z'; /* Zulu profile */
wolfSSL	0:d92f9d21154c	5189	}
wolfSSL	0:d92f9d21154c	5190
wolfSSL	0:d92f9d21154c	5191
wolfSSL	0:d92f9d21154c	5192	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	5193
wolfSSL	0:d92f9d21154c	5194	/* Copy Dates from cert, return bytes written */
wolfSSL	0:d92f9d21154c	5195	static int CopyValidity(byte* output, Cert* cert)
wolfSSL	0:d92f9d21154c	5196	{
wolfSSL	0:d92f9d21154c	5197	int seqSz;
wolfSSL	0:d92f9d21154c	5198
wolfSSL	0:d92f9d21154c	5199	WOLFSSL_ENTER("CopyValidity");
wolfSSL	0:d92f9d21154c	5200
wolfSSL	0:d92f9d21154c	5201	/* headers and output */
wolfSSL	0:d92f9d21154c	5202	seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
wolfSSL	0:d92f9d21154c	5203	XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
wolfSSL	0:d92f9d21154c	5204	XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
wolfSSL	0:d92f9d21154c	5205	cert->afterDateSz);
wolfSSL	0:d92f9d21154c	5206	return seqSz + cert->beforeDateSz + cert->afterDateSz;
wolfSSL	0:d92f9d21154c	5207	}
wolfSSL	0:d92f9d21154c	5208
wolfSSL	0:d92f9d21154c	5209	#endif
wolfSSL	0:d92f9d21154c	5210
wolfSSL	0:d92f9d21154c	5211
wolfSSL	0:d92f9d21154c	5212	/* for systems where mktime() doesn't normalize fully */
wolfSSL	0:d92f9d21154c	5213	static void RebuildTime(time_t* in, struct tm* out)
wolfSSL	0:d92f9d21154c	5214	{
wolfSSL	0:d92f9d21154c	5215	#ifdef FREESCALE_MQX
wolfSSL	0:d92f9d21154c	5216	out = localtime_r(in, out);
wolfSSL	0:d92f9d21154c	5217	#else
wolfSSL	0:d92f9d21154c	5218	(void)in;
wolfSSL	0:d92f9d21154c	5219	(void)out;
wolfSSL	0:d92f9d21154c	5220	#endif
wolfSSL	0:d92f9d21154c	5221	}
wolfSSL	0:d92f9d21154c	5222
wolfSSL	0:d92f9d21154c	5223
wolfSSL	0:d92f9d21154c	5224	/* Set Date validity from now until now + daysValid */
wolfSSL	0:d92f9d21154c	5225	static int SetValidity(byte* output, int daysValid)
wolfSSL	0:d92f9d21154c	5226	{
wolfSSL	0:d92f9d21154c	5227	byte before[MAX_DATE_SIZE];
wolfSSL	0:d92f9d21154c	5228	byte after[MAX_DATE_SIZE];
wolfSSL	0:d92f9d21154c	5229
wolfSSL	0:d92f9d21154c	5230	int beforeSz;
wolfSSL	0:d92f9d21154c	5231	int afterSz;
wolfSSL	0:d92f9d21154c	5232	int seqSz;
wolfSSL	0:d92f9d21154c	5233
wolfSSL	0:d92f9d21154c	5234	time_t ticks;
wolfSSL	0:d92f9d21154c	5235	time_t normalTime;
wolfSSL	0:d92f9d21154c	5236	struct tm* now;
wolfSSL	0:d92f9d21154c	5237	struct tm* tmpTime = NULL;
wolfSSL	0:d92f9d21154c	5238	struct tm local;
wolfSSL	0:d92f9d21154c	5239
wolfSSL	0:d92f9d21154c	5240	#if defined(FREESCALE_MQX) \|\| defined(TIME_OVERRIDES)
wolfSSL	0:d92f9d21154c	5241	/* for use with gmtime_r */
wolfSSL	0:d92f9d21154c	5242	struct tm tmpTimeStorage;
wolfSSL	0:d92f9d21154c	5243	tmpTime = &tmpTimeStorage;
wolfSSL	0:d92f9d21154c	5244	#else
wolfSSL	0:d92f9d21154c	5245	(void)tmpTime;
wolfSSL	0:d92f9d21154c	5246	#endif
wolfSSL	0:d92f9d21154c	5247
wolfSSL	0:d92f9d21154c	5248	ticks = XTIME(0);
wolfSSL	0:d92f9d21154c	5249	now = XGMTIME(&ticks, tmpTime);
wolfSSL	0:d92f9d21154c	5250
wolfSSL	0:d92f9d21154c	5251	/* before now */
wolfSSL	0:d92f9d21154c	5252	local = *now;
wolfSSL	0:d92f9d21154c	5253	before[0] = ASN_GENERALIZED_TIME;
wolfSSL	0:d92f9d21154c	5254	beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */
wolfSSL	0:d92f9d21154c	5255
wolfSSL	0:d92f9d21154c	5256	/* subtract 1 day for more compliance */
wolfSSL	0:d92f9d21154c	5257	local.tm_mday -= 1;
wolfSSL	0:d92f9d21154c	5258	normalTime = mktime(&local);
wolfSSL	0:d92f9d21154c	5259	RebuildTime(&normalTime, &local);
wolfSSL	0:d92f9d21154c	5260
wolfSSL	0:d92f9d21154c	5261	/* adjust */
wolfSSL	0:d92f9d21154c	5262	local.tm_year += 1900;
wolfSSL	0:d92f9d21154c	5263	local.tm_mon += 1;
wolfSSL	0:d92f9d21154c	5264
wolfSSL	0:d92f9d21154c	5265	SetTime(&local, before + beforeSz);
wolfSSL	0:d92f9d21154c	5266	beforeSz += ASN_GEN_TIME_SZ;
wolfSSL	0:d92f9d21154c	5267
wolfSSL	0:d92f9d21154c	5268	/* after now + daysValid */
wolfSSL	0:d92f9d21154c	5269	local = *now;
wolfSSL	0:d92f9d21154c	5270	after[0] = ASN_GENERALIZED_TIME;
wolfSSL	0:d92f9d21154c	5271	afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */
wolfSSL	0:d92f9d21154c	5272
wolfSSL	0:d92f9d21154c	5273	/* add daysValid */
wolfSSL	0:d92f9d21154c	5274	local.tm_mday += daysValid;
wolfSSL	0:d92f9d21154c	5275	normalTime = mktime(&local);
wolfSSL	0:d92f9d21154c	5276	RebuildTime(&normalTime, &local);
wolfSSL	0:d92f9d21154c	5277
wolfSSL	0:d92f9d21154c	5278	/* adjust */
wolfSSL	0:d92f9d21154c	5279	local.tm_year += 1900;
wolfSSL	0:d92f9d21154c	5280	local.tm_mon += 1;
wolfSSL	0:d92f9d21154c	5281
wolfSSL	0:d92f9d21154c	5282	SetTime(&local, after + afterSz);
wolfSSL	0:d92f9d21154c	5283	afterSz += ASN_GEN_TIME_SZ;
wolfSSL	0:d92f9d21154c	5284
wolfSSL	0:d92f9d21154c	5285	/* headers and output */
wolfSSL	0:d92f9d21154c	5286	seqSz = SetSequence(beforeSz + afterSz, output);
wolfSSL	0:d92f9d21154c	5287	XMEMCPY(output + seqSz, before, beforeSz);
wolfSSL	0:d92f9d21154c	5288	XMEMCPY(output + seqSz + beforeSz, after, afterSz);
wolfSSL	0:d92f9d21154c	5289
wolfSSL	0:d92f9d21154c	5290	return seqSz + beforeSz + afterSz;
wolfSSL	0:d92f9d21154c	5291	}
wolfSSL	0:d92f9d21154c	5292
wolfSSL	0:d92f9d21154c	5293
wolfSSL	0:d92f9d21154c	5294	/* ASN Encoded Name field */
wolfSSL	0:d92f9d21154c	5295	typedef struct EncodedName {
wolfSSL	0:d92f9d21154c	5296	int nameLen; /* actual string value length */
wolfSSL	0:d92f9d21154c	5297	int totalLen; /* total encoded length */
wolfSSL	0:d92f9d21154c	5298	int type; /* type of name */
wolfSSL	0:d92f9d21154c	5299	int used; /* are we actually using this one */
wolfSSL	0:d92f9d21154c	5300	byte encoded[CTC_NAME_SIZE * 2]; /* encoding */
wolfSSL	0:d92f9d21154c	5301	} EncodedName;
wolfSSL	0:d92f9d21154c	5302
wolfSSL	0:d92f9d21154c	5303
wolfSSL	0:d92f9d21154c	5304	/* Get Which Name from index */
wolfSSL	0:d92f9d21154c	5305	static const char* GetOneName(CertName* name, int idx)
wolfSSL	0:d92f9d21154c	5306	{
wolfSSL	0:d92f9d21154c	5307	switch (idx) {
wolfSSL	0:d92f9d21154c	5308	case 0:
wolfSSL	0:d92f9d21154c	5309	return name->country;
wolfSSL	0:d92f9d21154c	5310
wolfSSL	0:d92f9d21154c	5311	case 1:
wolfSSL	0:d92f9d21154c	5312	return name->state;
wolfSSL	0:d92f9d21154c	5313
wolfSSL	0:d92f9d21154c	5314	case 2:
wolfSSL	0:d92f9d21154c	5315	return name->locality;
wolfSSL	0:d92f9d21154c	5316
wolfSSL	0:d92f9d21154c	5317	case 3:
wolfSSL	0:d92f9d21154c	5318	return name->sur;
wolfSSL	0:d92f9d21154c	5319
wolfSSL	0:d92f9d21154c	5320	case 4:
wolfSSL	0:d92f9d21154c	5321	return name->org;
wolfSSL	0:d92f9d21154c	5322
wolfSSL	0:d92f9d21154c	5323	case 5:
wolfSSL	0:d92f9d21154c	5324	return name->unit;
wolfSSL	0:d92f9d21154c	5325
wolfSSL	0:d92f9d21154c	5326	case 6:
wolfSSL	0:d92f9d21154c	5327	return name->commonName;
wolfSSL	0:d92f9d21154c	5328
wolfSSL	0:d92f9d21154c	5329	case 7:
wolfSSL	0:d92f9d21154c	5330	return name->email;
wolfSSL	0:d92f9d21154c	5331
wolfSSL	0:d92f9d21154c	5332	default:
wolfSSL	0:d92f9d21154c	5333	return 0;
wolfSSL	0:d92f9d21154c	5334	}
wolfSSL	0:d92f9d21154c	5335	}
wolfSSL	0:d92f9d21154c	5336
wolfSSL	0:d92f9d21154c	5337
wolfSSL	0:d92f9d21154c	5338	/* Get Which Name Encoding from index */
wolfSSL	0:d92f9d21154c	5339	static char GetNameType(CertName* name, int idx)
wolfSSL	0:d92f9d21154c	5340	{
wolfSSL	0:d92f9d21154c	5341	switch (idx) {
wolfSSL	0:d92f9d21154c	5342	case 0:
wolfSSL	0:d92f9d21154c	5343	return name->countryEnc;
wolfSSL	0:d92f9d21154c	5344
wolfSSL	0:d92f9d21154c	5345	case 1:
wolfSSL	0:d92f9d21154c	5346	return name->stateEnc;
wolfSSL	0:d92f9d21154c	5347
wolfSSL	0:d92f9d21154c	5348	case 2:
wolfSSL	0:d92f9d21154c	5349	return name->localityEnc;
wolfSSL	0:d92f9d21154c	5350
wolfSSL	0:d92f9d21154c	5351	case 3:
wolfSSL	0:d92f9d21154c	5352	return name->surEnc;
wolfSSL	0:d92f9d21154c	5353
wolfSSL	0:d92f9d21154c	5354	case 4:
wolfSSL	0:d92f9d21154c	5355	return name->orgEnc;
wolfSSL	0:d92f9d21154c	5356
wolfSSL	0:d92f9d21154c	5357	case 5:
wolfSSL	0:d92f9d21154c	5358	return name->unitEnc;
wolfSSL	0:d92f9d21154c	5359
wolfSSL	0:d92f9d21154c	5360	case 6:
wolfSSL	0:d92f9d21154c	5361	return name->commonNameEnc;
wolfSSL	0:d92f9d21154c	5362
wolfSSL	0:d92f9d21154c	5363	default:
wolfSSL	0:d92f9d21154c	5364	return 0;
wolfSSL	0:d92f9d21154c	5365	}
wolfSSL	0:d92f9d21154c	5366	}
wolfSSL	0:d92f9d21154c	5367
wolfSSL	0:d92f9d21154c	5368
wolfSSL	0:d92f9d21154c	5369	/* Get ASN Name from index */
wolfSSL	0:d92f9d21154c	5370	static byte GetNameId(int idx)
wolfSSL	0:d92f9d21154c	5371	{
wolfSSL	0:d92f9d21154c	5372	switch (idx) {
wolfSSL	0:d92f9d21154c	5373	case 0:
wolfSSL	0:d92f9d21154c	5374	return ASN_COUNTRY_NAME;
wolfSSL	0:d92f9d21154c	5375
wolfSSL	0:d92f9d21154c	5376	case 1:
wolfSSL	0:d92f9d21154c	5377	return ASN_STATE_NAME;
wolfSSL	0:d92f9d21154c	5378
wolfSSL	0:d92f9d21154c	5379	case 2:
wolfSSL	0:d92f9d21154c	5380	return ASN_LOCALITY_NAME;
wolfSSL	0:d92f9d21154c	5381
wolfSSL	0:d92f9d21154c	5382	case 3:
wolfSSL	0:d92f9d21154c	5383	return ASN_SUR_NAME;
wolfSSL	0:d92f9d21154c	5384
wolfSSL	0:d92f9d21154c	5385	case 4:
wolfSSL	0:d92f9d21154c	5386	return ASN_ORG_NAME;
wolfSSL	0:d92f9d21154c	5387
wolfSSL	0:d92f9d21154c	5388	case 5:
wolfSSL	0:d92f9d21154c	5389	return ASN_ORGUNIT_NAME;
wolfSSL	0:d92f9d21154c	5390
wolfSSL	0:d92f9d21154c	5391	case 6:
wolfSSL	0:d92f9d21154c	5392	return ASN_COMMON_NAME;
wolfSSL	0:d92f9d21154c	5393
wolfSSL	0:d92f9d21154c	5394	case 7:
wolfSSL	0:d92f9d21154c	5395	/* email uses different id type */
wolfSSL	0:d92f9d21154c	5396	return 0;
wolfSSL	0:d92f9d21154c	5397
wolfSSL	0:d92f9d21154c	5398	default:
wolfSSL	0:d92f9d21154c	5399	return 0;
wolfSSL	0:d92f9d21154c	5400	}
wolfSSL	0:d92f9d21154c	5401	}
wolfSSL	0:d92f9d21154c	5402
wolfSSL	0:d92f9d21154c	5403
wolfSSL	0:d92f9d21154c	5404	/* encode all extensions, return total bytes written */
wolfSSL	0:d92f9d21154c	5405	static int SetExtensions(byte* output, const byte* ext, int extSz, int header)
wolfSSL	0:d92f9d21154c	5406	{
wolfSSL	0:d92f9d21154c	5407	byte sequence[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5408	byte len[MAX_LENGTH_SZ];
wolfSSL	0:d92f9d21154c	5409
wolfSSL	0:d92f9d21154c	5410	int sz = 0;
wolfSSL	0:d92f9d21154c	5411	int seqSz = SetSequence(extSz, sequence);
wolfSSL	0:d92f9d21154c	5412
wolfSSL	0:d92f9d21154c	5413	if (header) {
wolfSSL	0:d92f9d21154c	5414	int lenSz = SetLength(seqSz + extSz, len);
wolfSSL	0:d92f9d21154c	5415	output[0] = ASN_EXTENSIONS; /* extensions id */
wolfSSL	0:d92f9d21154c	5416	sz++;
wolfSSL	0:d92f9d21154c	5417	XMEMCPY(&output[sz], len, lenSz); /* length */
wolfSSL	0:d92f9d21154c	5418	sz += lenSz;
wolfSSL	0:d92f9d21154c	5419	}
wolfSSL	0:d92f9d21154c	5420	XMEMCPY(&output[sz], sequence, seqSz); /* sequence */
wolfSSL	0:d92f9d21154c	5421	sz += seqSz;
wolfSSL	0:d92f9d21154c	5422	XMEMCPY(&output[sz], ext, extSz); /* extensions */
wolfSSL	0:d92f9d21154c	5423	sz += extSz;
wolfSSL	0:d92f9d21154c	5424
wolfSSL	0:d92f9d21154c	5425	return sz;
wolfSSL	0:d92f9d21154c	5426	}
wolfSSL	0:d92f9d21154c	5427
wolfSSL	0:d92f9d21154c	5428
wolfSSL	0:d92f9d21154c	5429	/* encode CA basic constraint true, return total bytes written */
wolfSSL	0:d92f9d21154c	5430	static int SetCa(byte* output)
wolfSSL	0:d92f9d21154c	5431	{
wolfSSL	0:d92f9d21154c	5432	static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
wolfSSL	0:d92f9d21154c	5433	0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
wolfSSL	0:d92f9d21154c	5434
wolfSSL	0:d92f9d21154c	5435	XMEMCPY(output, ca, sizeof(ca));
wolfSSL	0:d92f9d21154c	5436
wolfSSL	0:d92f9d21154c	5437	return (int)sizeof(ca);
wolfSSL	0:d92f9d21154c	5438	}
wolfSSL	0:d92f9d21154c	5439
wolfSSL	0:d92f9d21154c	5440
wolfSSL	0:d92f9d21154c	5441	/* encode CertName into output, return total bytes written */
wolfSSL	0:d92f9d21154c	5442	static int SetName(byte* output, CertName* name)
wolfSSL	0:d92f9d21154c	5443	{
wolfSSL	0:d92f9d21154c	5444	int totalBytes = 0, i, idx;
wolfSSL	0:d92f9d21154c	5445	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5446	EncodedName* names = NULL;
wolfSSL	0:d92f9d21154c	5447	#else
wolfSSL	0:d92f9d21154c	5448	EncodedName names[NAME_ENTRIES];
wolfSSL	0:d92f9d21154c	5449	#endif
wolfSSL	0:d92f9d21154c	5450
wolfSSL	0:d92f9d21154c	5451	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5452	names = (EncodedName)XMALLOC(sizeof(EncodedName) NAME_ENTRIES, NULL,
wolfSSL	0:d92f9d21154c	5453	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5454	if (names == NULL)
wolfSSL	0:d92f9d21154c	5455	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5456	#endif
wolfSSL	0:d92f9d21154c	5457
wolfSSL	0:d92f9d21154c	5458	for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL	0:d92f9d21154c	5459	const char* nameStr = GetOneName(name, i);
wolfSSL	0:d92f9d21154c	5460	if (nameStr) {
wolfSSL	0:d92f9d21154c	5461	/* bottom up */
wolfSSL	0:d92f9d21154c	5462	byte firstLen[MAX_LENGTH_SZ];
wolfSSL	0:d92f9d21154c	5463	byte secondLen[MAX_LENGTH_SZ];
wolfSSL	0:d92f9d21154c	5464	byte sequence[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5465	byte set[MAX_SET_SZ];
wolfSSL	0:d92f9d21154c	5466
wolfSSL	0:d92f9d21154c	5467	int email = i == (NAME_ENTRIES - 1) ? 1 : 0;
wolfSSL	0:d92f9d21154c	5468	int strLen = (int)XSTRLEN(nameStr);
wolfSSL	0:d92f9d21154c	5469	int thisLen = strLen;
wolfSSL	0:d92f9d21154c	5470	int firstSz, secondSz, seqSz, setSz;
wolfSSL	0:d92f9d21154c	5471
wolfSSL	0:d92f9d21154c	5472	if (strLen == 0) { /* no user data for this item */
wolfSSL	0:d92f9d21154c	5473	names[i].used = 0;
wolfSSL	0:d92f9d21154c	5474	continue;
wolfSSL	0:d92f9d21154c	5475	}
wolfSSL	0:d92f9d21154c	5476
wolfSSL	0:d92f9d21154c	5477	secondSz = SetLength(strLen, secondLen);
wolfSSL	0:d92f9d21154c	5478	thisLen += secondSz;
wolfSSL	0:d92f9d21154c	5479	if (email) {
wolfSSL	0:d92f9d21154c	5480	thisLen += EMAIL_JOINT_LEN;
wolfSSL	0:d92f9d21154c	5481	thisLen ++; /* id type */
wolfSSL	0:d92f9d21154c	5482	firstSz = SetLength(EMAIL_JOINT_LEN, firstLen);
wolfSSL	0:d92f9d21154c	5483	}
wolfSSL	0:d92f9d21154c	5484	else {
wolfSSL	0:d92f9d21154c	5485	thisLen++; /* str type */
wolfSSL	0:d92f9d21154c	5486	thisLen++; /* id type */
wolfSSL	0:d92f9d21154c	5487	thisLen += JOINT_LEN;
wolfSSL	0:d92f9d21154c	5488	firstSz = SetLength(JOINT_LEN + 1, firstLen);
wolfSSL	0:d92f9d21154c	5489	}
wolfSSL	0:d92f9d21154c	5490	thisLen += firstSz;
wolfSSL	0:d92f9d21154c	5491	thisLen++; /* object id */
wolfSSL	0:d92f9d21154c	5492
wolfSSL	0:d92f9d21154c	5493	seqSz = SetSequence(thisLen, sequence);
wolfSSL	0:d92f9d21154c	5494	thisLen += seqSz;
wolfSSL	0:d92f9d21154c	5495	setSz = SetSet(thisLen, set);
wolfSSL	0:d92f9d21154c	5496	thisLen += setSz;
wolfSSL	0:d92f9d21154c	5497
wolfSSL	0:d92f9d21154c	5498	if (thisLen > (int)sizeof(names[i].encoded)) {
wolfSSL	0:d92f9d21154c	5499	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5500	XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5501	#endif
wolfSSL	0:d92f9d21154c	5502	return BUFFER_E;
wolfSSL	0:d92f9d21154c	5503	}
wolfSSL	0:d92f9d21154c	5504
wolfSSL	0:d92f9d21154c	5505	/* store it */
wolfSSL	0:d92f9d21154c	5506	idx = 0;
wolfSSL	0:d92f9d21154c	5507	/* set */
wolfSSL	0:d92f9d21154c	5508	XMEMCPY(names[i].encoded, set, setSz);
wolfSSL	0:d92f9d21154c	5509	idx += setSz;
wolfSSL	0:d92f9d21154c	5510	/* seq */
wolfSSL	0:d92f9d21154c	5511	XMEMCPY(names[i].encoded + idx, sequence, seqSz);
wolfSSL	0:d92f9d21154c	5512	idx += seqSz;
wolfSSL	0:d92f9d21154c	5513	/* asn object id */
wolfSSL	0:d92f9d21154c	5514	names[i].encoded[idx++] = ASN_OBJECT_ID;
wolfSSL	0:d92f9d21154c	5515	/* first length */
wolfSSL	0:d92f9d21154c	5516	XMEMCPY(names[i].encoded + idx, firstLen, firstSz);
wolfSSL	0:d92f9d21154c	5517	idx += firstSz;
wolfSSL	0:d92f9d21154c	5518	if (email) {
wolfSSL	0:d92f9d21154c	5519	const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
wolfSSL	0:d92f9d21154c	5520	0x01, 0x09, 0x01, 0x16 };
wolfSSL	0:d92f9d21154c	5521	/* email joint id */
wolfSSL	0:d92f9d21154c	5522	XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
wolfSSL	0:d92f9d21154c	5523	idx += (int)sizeof(EMAIL_OID);
wolfSSL	0:d92f9d21154c	5524	}
wolfSSL	0:d92f9d21154c	5525	else {
wolfSSL	0:d92f9d21154c	5526	/* joint id */
wolfSSL	0:d92f9d21154c	5527	byte bType = GetNameId(i);
wolfSSL	0:d92f9d21154c	5528	names[i].encoded[idx++] = 0x55;
wolfSSL	0:d92f9d21154c	5529	names[i].encoded[idx++] = 0x04;
wolfSSL	0:d92f9d21154c	5530	/* id type */
wolfSSL	0:d92f9d21154c	5531	names[i].encoded[idx++] = bType;
wolfSSL	0:d92f9d21154c	5532	/* str type */
wolfSSL	0:d92f9d21154c	5533	names[i].encoded[idx++] = GetNameType(name, i);
wolfSSL	0:d92f9d21154c	5534	}
wolfSSL	0:d92f9d21154c	5535	/* second length */
wolfSSL	0:d92f9d21154c	5536	XMEMCPY(names[i].encoded + idx, secondLen, secondSz);
wolfSSL	0:d92f9d21154c	5537	idx += secondSz;
wolfSSL	0:d92f9d21154c	5538	/* str value */
wolfSSL	0:d92f9d21154c	5539	XMEMCPY(names[i].encoded + idx, nameStr, strLen);
wolfSSL	0:d92f9d21154c	5540	idx += strLen;
wolfSSL	0:d92f9d21154c	5541
wolfSSL	0:d92f9d21154c	5542	totalBytes += idx;
wolfSSL	0:d92f9d21154c	5543	names[i].totalLen = idx;
wolfSSL	0:d92f9d21154c	5544	names[i].used = 1;
wolfSSL	0:d92f9d21154c	5545	}
wolfSSL	0:d92f9d21154c	5546	else
wolfSSL	0:d92f9d21154c	5547	names[i].used = 0;
wolfSSL	0:d92f9d21154c	5548	}
wolfSSL	0:d92f9d21154c	5549
wolfSSL	0:d92f9d21154c	5550	/* header */
wolfSSL	0:d92f9d21154c	5551	idx = SetSequence(totalBytes, output);
wolfSSL	0:d92f9d21154c	5552	totalBytes += idx;
wolfSSL	0:d92f9d21154c	5553	if (totalBytes > ASN_NAME_MAX) {
wolfSSL	0:d92f9d21154c	5554	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5555	XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5556	#endif
wolfSSL	0:d92f9d21154c	5557	return BUFFER_E;
wolfSSL	0:d92f9d21154c	5558	}
wolfSSL	0:d92f9d21154c	5559
wolfSSL	0:d92f9d21154c	5560	for (i = 0; i < NAME_ENTRIES; i++) {
wolfSSL	0:d92f9d21154c	5561	if (names[i].used) {
wolfSSL	0:d92f9d21154c	5562	XMEMCPY(output + idx, names[i].encoded, names[i].totalLen);
wolfSSL	0:d92f9d21154c	5563	idx += names[i].totalLen;
wolfSSL	0:d92f9d21154c	5564	}
wolfSSL	0:d92f9d21154c	5565	}
wolfSSL	0:d92f9d21154c	5566
wolfSSL	0:d92f9d21154c	5567	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5568	XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5569	#endif
wolfSSL	0:d92f9d21154c	5570
wolfSSL	0:d92f9d21154c	5571	return totalBytes;
wolfSSL	0:d92f9d21154c	5572	}
wolfSSL	0:d92f9d21154c	5573
wolfSSL	0:d92f9d21154c	5574	/* encode info from cert into DER encoded format */
wolfSSL	0:d92f9d21154c	5575	static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
wolfSSL	0:d92f9d21154c	5576	RNG* rng, const byte* ntruKey, word16 ntruSz)
wolfSSL	0:d92f9d21154c	5577	{
wolfSSL	0:d92f9d21154c	5578	int ret;
wolfSSL	0:d92f9d21154c	5579
wolfSSL	0:d92f9d21154c	5580	(void)eccKey;
wolfSSL	0:d92f9d21154c	5581	(void)ntruKey;
wolfSSL	0:d92f9d21154c	5582	(void)ntruSz;
wolfSSL	0:d92f9d21154c	5583
wolfSSL	0:d92f9d21154c	5584	/* init */
wolfSSL	0:d92f9d21154c	5585	XMEMSET(der, 0, sizeof(DerCert));
wolfSSL	0:d92f9d21154c	5586
wolfSSL	0:d92f9d21154c	5587	/* version */
wolfSSL	0:d92f9d21154c	5588	der->versionSz = SetMyVersion(cert->version, der->version, TRUE);
wolfSSL	0:d92f9d21154c	5589
wolfSSL	0:d92f9d21154c	5590	/* serial number */
wolfSSL	0:d92f9d21154c	5591	ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE);
wolfSSL	0:d92f9d21154c	5592	if (ret != 0)
wolfSSL	0:d92f9d21154c	5593	return ret;
wolfSSL	0:d92f9d21154c	5594
wolfSSL	0:d92f9d21154c	5595	cert->serial[0] = 0x01; /* ensure positive */
wolfSSL	0:d92f9d21154c	5596	der->serialSz = SetSerial(cert->serial, der->serial);
wolfSSL	0:d92f9d21154c	5597
wolfSSL	0:d92f9d21154c	5598	/* signature algo */
wolfSSL	0:d92f9d21154c	5599	der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, sigType, 0);
wolfSSL	0:d92f9d21154c	5600	if (der->sigAlgoSz == 0)
wolfSSL	0:d92f9d21154c	5601	return ALGO_ID_E;
wolfSSL	0:d92f9d21154c	5602
wolfSSL	0:d92f9d21154c	5603	/* public key */
wolfSSL	0:d92f9d21154c	5604	if (cert->keyType == RSA_KEY) {
wolfSSL	0:d92f9d21154c	5605	if (rsaKey == NULL)
wolfSSL	0:d92f9d21154c	5606	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5607	der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey);
wolfSSL	0:d92f9d21154c	5608	if (der->publicKeySz <= 0)
wolfSSL	0:d92f9d21154c	5609	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5610	}
wolfSSL	0:d92f9d21154c	5611
wolfSSL	0:d92f9d21154c	5612	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	5613	if (cert->keyType == ECC_KEY) {
wolfSSL	0:d92f9d21154c	5614	if (eccKey == NULL)
wolfSSL	0:d92f9d21154c	5615	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5616	der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey);
wolfSSL	0:d92f9d21154c	5617	if (der->publicKeySz <= 0)
wolfSSL	0:d92f9d21154c	5618	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5619	}
wolfSSL	0:d92f9d21154c	5620	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	5621
wolfSSL	0:d92f9d21154c	5622	#ifdef HAVE_NTRU
wolfSSL	0:d92f9d21154c	5623	if (cert->keyType == NTRU_KEY) {
wolfSSL	0:d92f9d21154c	5624	word32 rc;
wolfSSL	0:d92f9d21154c	5625	word16 encodedSz;
wolfSSL	0:d92f9d21154c	5626
wolfSSL	0:d92f9d21154c	5627	rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL	0:d92f9d21154c	5628	ntruKey, &encodedSz, NULL);
wolfSSL	0:d92f9d21154c	5629	if (rc != NTRU_OK)
wolfSSL	0:d92f9d21154c	5630	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5631	if (encodedSz > MAX_PUBLIC_KEY_SZ)
wolfSSL	0:d92f9d21154c	5632	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5633
wolfSSL	0:d92f9d21154c	5634	rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
wolfSSL	0:d92f9d21154c	5635	ntruKey, &encodedSz, der->publicKey);
wolfSSL	0:d92f9d21154c	5636	if (rc != NTRU_OK)
wolfSSL	0:d92f9d21154c	5637	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	5638
wolfSSL	0:d92f9d21154c	5639	der->publicKeySz = encodedSz;
wolfSSL	0:d92f9d21154c	5640	}
wolfSSL	0:d92f9d21154c	5641	#endif /* HAVE_NTRU */
wolfSSL	0:d92f9d21154c	5642
wolfSSL	0:d92f9d21154c	5643	der->validitySz = 0;
wolfSSL	0:d92f9d21154c	5644	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	5645	/* date validity copy ? */
wolfSSL	0:d92f9d21154c	5646	if (cert->beforeDateSz && cert->afterDateSz) {
wolfSSL	0:d92f9d21154c	5647	der->validitySz = CopyValidity(der->validity, cert);
wolfSSL	0:d92f9d21154c	5648	if (der->validitySz == 0)
wolfSSL	0:d92f9d21154c	5649	return DATE_E;
wolfSSL	0:d92f9d21154c	5650	}
wolfSSL	0:d92f9d21154c	5651	#endif
wolfSSL	0:d92f9d21154c	5652
wolfSSL	0:d92f9d21154c	5653	/* date validity */
wolfSSL	0:d92f9d21154c	5654	if (der->validitySz == 0) {
wolfSSL	0:d92f9d21154c	5655	der->validitySz = SetValidity(der->validity, cert->daysValid);
wolfSSL	0:d92f9d21154c	5656	if (der->validitySz == 0)
wolfSSL	0:d92f9d21154c	5657	return DATE_E;
wolfSSL	0:d92f9d21154c	5658	}
wolfSSL	0:d92f9d21154c	5659
wolfSSL	0:d92f9d21154c	5660	/* subject name */
wolfSSL	0:d92f9d21154c	5661	der->subjectSz = SetName(der->subject, &cert->subject);
wolfSSL	0:d92f9d21154c	5662	if (der->subjectSz == 0)
wolfSSL	0:d92f9d21154c	5663	return SUBJECT_E;
wolfSSL	0:d92f9d21154c	5664
wolfSSL	0:d92f9d21154c	5665	/* issuer name */
wolfSSL	0:d92f9d21154c	5666	der->issuerSz = SetName(der->issuer, cert->selfSigned ?
wolfSSL	0:d92f9d21154c	5667	&cert->subject : &cert->issuer);
wolfSSL	0:d92f9d21154c	5668	if (der->issuerSz == 0)
wolfSSL	0:d92f9d21154c	5669	return ISSUER_E;
wolfSSL	0:d92f9d21154c	5670
wolfSSL	0:d92f9d21154c	5671	/* CA */
wolfSSL	0:d92f9d21154c	5672	if (cert->isCA) {
wolfSSL	0:d92f9d21154c	5673	der->caSz = SetCa(der->ca);
wolfSSL	0:d92f9d21154c	5674	if (der->caSz == 0)
wolfSSL	0:d92f9d21154c	5675	return CA_TRUE_E;
wolfSSL	0:d92f9d21154c	5676	}
wolfSSL	0:d92f9d21154c	5677	else
wolfSSL	0:d92f9d21154c	5678	der->caSz = 0;
wolfSSL	0:d92f9d21154c	5679
wolfSSL	0:d92f9d21154c	5680	/* extensions, just CA now */
wolfSSL	0:d92f9d21154c	5681	if (cert->isCA) {
wolfSSL	0:d92f9d21154c	5682	der->extensionsSz = SetExtensions(der->extensions,
wolfSSL	0:d92f9d21154c	5683	der->ca, der->caSz, TRUE);
wolfSSL	0:d92f9d21154c	5684	if (der->extensionsSz == 0)
wolfSSL	0:d92f9d21154c	5685	return EXTENSIONS_E;
wolfSSL	0:d92f9d21154c	5686	}
wolfSSL	0:d92f9d21154c	5687	else
wolfSSL	0:d92f9d21154c	5688	der->extensionsSz = 0;
wolfSSL	0:d92f9d21154c	5689
wolfSSL	0:d92f9d21154c	5690	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	5691	if (der->extensionsSz == 0 && cert->altNamesSz) {
wolfSSL	0:d92f9d21154c	5692	der->extensionsSz = SetExtensions(der->extensions, cert->altNames,
wolfSSL	0:d92f9d21154c	5693	cert->altNamesSz, TRUE);
wolfSSL	0:d92f9d21154c	5694	if (der->extensionsSz == 0)
wolfSSL	0:d92f9d21154c	5695	return EXTENSIONS_E;
wolfSSL	0:d92f9d21154c	5696	}
wolfSSL	0:d92f9d21154c	5697	#endif
wolfSSL	0:d92f9d21154c	5698
wolfSSL	0:d92f9d21154c	5699	der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
wolfSSL	0:d92f9d21154c	5700	der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz +
wolfSSL	0:d92f9d21154c	5701	der->extensionsSz;
wolfSSL	0:d92f9d21154c	5702
wolfSSL	0:d92f9d21154c	5703	return 0;
wolfSSL	0:d92f9d21154c	5704	}
wolfSSL	0:d92f9d21154c	5705
wolfSSL	0:d92f9d21154c	5706
wolfSSL	0:d92f9d21154c	5707	/* write DER encoded cert to buffer, size already checked */
wolfSSL	0:d92f9d21154c	5708	static int WriteCertBody(DerCert* der, byte* buffer)
wolfSSL	0:d92f9d21154c	5709	{
wolfSSL	0:d92f9d21154c	5710	int idx;
wolfSSL	0:d92f9d21154c	5711
wolfSSL	0:d92f9d21154c	5712	/* signed part header */
wolfSSL	0:d92f9d21154c	5713	idx = SetSequence(der->total, buffer);
wolfSSL	0:d92f9d21154c	5714	/* version */
wolfSSL	0:d92f9d21154c	5715	XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL	0:d92f9d21154c	5716	idx += der->versionSz;
wolfSSL	0:d92f9d21154c	5717	/* serial */
wolfSSL	0:d92f9d21154c	5718	XMEMCPY(buffer + idx, der->serial, der->serialSz);
wolfSSL	0:d92f9d21154c	5719	idx += der->serialSz;
wolfSSL	0:d92f9d21154c	5720	/* sig algo */
wolfSSL	0:d92f9d21154c	5721	XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz);
wolfSSL	0:d92f9d21154c	5722	idx += der->sigAlgoSz;
wolfSSL	0:d92f9d21154c	5723	/* issuer */
wolfSSL	0:d92f9d21154c	5724	XMEMCPY(buffer + idx, der->issuer, der->issuerSz);
wolfSSL	0:d92f9d21154c	5725	idx += der->issuerSz;
wolfSSL	0:d92f9d21154c	5726	/* validity */
wolfSSL	0:d92f9d21154c	5727	XMEMCPY(buffer + idx, der->validity, der->validitySz);
wolfSSL	0:d92f9d21154c	5728	idx += der->validitySz;
wolfSSL	0:d92f9d21154c	5729	/* subject */
wolfSSL	0:d92f9d21154c	5730	XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL	0:d92f9d21154c	5731	idx += der->subjectSz;
wolfSSL	0:d92f9d21154c	5732	/* public key */
wolfSSL	0:d92f9d21154c	5733	XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL	0:d92f9d21154c	5734	idx += der->publicKeySz;
wolfSSL	0:d92f9d21154c	5735	if (der->extensionsSz) {
wolfSSL	0:d92f9d21154c	5736	/* extensions */
wolfSSL	0:d92f9d21154c	5737	XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL	0:d92f9d21154c	5738	sizeof(der->extensions)));
wolfSSL	0:d92f9d21154c	5739	idx += der->extensionsSz;
wolfSSL	0:d92f9d21154c	5740	}
wolfSSL	0:d92f9d21154c	5741
wolfSSL	0:d92f9d21154c	5742	return idx;
wolfSSL	0:d92f9d21154c	5743	}
wolfSSL	0:d92f9d21154c	5744
wolfSSL	0:d92f9d21154c	5745
wolfSSL	0:d92f9d21154c	5746	/* Make RSA signature from buffer (sz), write to sig (sigSz) */
wolfSSL	0:d92f9d21154c	5747	static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz,
wolfSSL	0:d92f9d21154c	5748	RsaKey* rsaKey, ecc_key* eccKey, RNG* rng,
wolfSSL	0:d92f9d21154c	5749	int sigAlgoType)
wolfSSL	0:d92f9d21154c	5750	{
wolfSSL	0:d92f9d21154c	5751	int encSigSz, digestSz, typeH = 0, ret = 0;
wolfSSL	0:d92f9d21154c	5752	byte digest[SHA256_DIGEST_SIZE]; /* max size */
wolfSSL	0:d92f9d21154c	5753	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5754	byte* encSig;
wolfSSL	0:d92f9d21154c	5755	#else
wolfSSL	0:d92f9d21154c	5756	byte encSig[MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5757	#endif
wolfSSL	0:d92f9d21154c	5758
wolfSSL	0:d92f9d21154c	5759	(void)digest;
wolfSSL	0:d92f9d21154c	5760	(void)digestSz;
wolfSSL	0:d92f9d21154c	5761	(void)encSig;
wolfSSL	0:d92f9d21154c	5762	(void)encSigSz;
wolfSSL	0:d92f9d21154c	5763	(void)typeH;
wolfSSL	0:d92f9d21154c	5764
wolfSSL	0:d92f9d21154c	5765	(void)buffer;
wolfSSL	0:d92f9d21154c	5766	(void)sz;
wolfSSL	0:d92f9d21154c	5767	(void)sig;
wolfSSL	0:d92f9d21154c	5768	(void)sigSz;
wolfSSL	0:d92f9d21154c	5769	(void)rsaKey;
wolfSSL	0:d92f9d21154c	5770	(void)eccKey;
wolfSSL	0:d92f9d21154c	5771	(void)rng;
wolfSSL	0:d92f9d21154c	5772
wolfSSL	0:d92f9d21154c	5773	switch (sigAlgoType) {
wolfSSL	0:d92f9d21154c	5774	#ifndef NO_MD5
wolfSSL	0:d92f9d21154c	5775	case CTC_MD5wRSA:
wolfSSL	0:d92f9d21154c	5776	if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) {
wolfSSL	0:d92f9d21154c	5777	typeH = MD5h;
wolfSSL	0:d92f9d21154c	5778	digestSz = MD5_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	5779	}
wolfSSL	0:d92f9d21154c	5780	break;
wolfSSL	0:d92f9d21154c	5781	#endif
wolfSSL	0:d92f9d21154c	5782	#ifndef NO_SHA
wolfSSL	0:d92f9d21154c	5783	case CTC_SHAwRSA:
wolfSSL	0:d92f9d21154c	5784	case CTC_SHAwECDSA:
wolfSSL	0:d92f9d21154c	5785	if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) {
wolfSSL	0:d92f9d21154c	5786	typeH = SHAh;
wolfSSL	0:d92f9d21154c	5787	digestSz = SHA_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	5788	}
wolfSSL	0:d92f9d21154c	5789	break;
wolfSSL	0:d92f9d21154c	5790	#endif
wolfSSL	0:d92f9d21154c	5791	#ifndef NO_SHA256
wolfSSL	0:d92f9d21154c	5792	case CTC_SHA256wRSA:
wolfSSL	0:d92f9d21154c	5793	case CTC_SHA256wECDSA:
wolfSSL	0:d92f9d21154c	5794	if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) {
wolfSSL	0:d92f9d21154c	5795	typeH = SHA256h;
wolfSSL	0:d92f9d21154c	5796	digestSz = SHA256_DIGEST_SIZE;
wolfSSL	0:d92f9d21154c	5797	}
wolfSSL	0:d92f9d21154c	5798	break;
wolfSSL	0:d92f9d21154c	5799	#endif
wolfSSL	0:d92f9d21154c	5800	default:
wolfSSL	0:d92f9d21154c	5801	WOLFSSL_MSG("MakeSignautre called with unsupported type");
wolfSSL	0:d92f9d21154c	5802	ret = ALGO_ID_E;
wolfSSL	0:d92f9d21154c	5803	}
wolfSSL	0:d92f9d21154c	5804
wolfSSL	0:d92f9d21154c	5805	if (ret != 0)
wolfSSL	0:d92f9d21154c	5806	return ret;
wolfSSL	0:d92f9d21154c	5807
wolfSSL	0:d92f9d21154c	5808	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5809	encSig = (byte*)XMALLOC(MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
wolfSSL	0:d92f9d21154c	5810	NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5811	if (encSig == NULL)
wolfSSL	0:d92f9d21154c	5812	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5813	#endif
wolfSSL	0:d92f9d21154c	5814
wolfSSL	0:d92f9d21154c	5815	ret = ALGO_ID_E;
wolfSSL	0:d92f9d21154c	5816
wolfSSL	0:d92f9d21154c	5817	#ifndef NO_RSA
wolfSSL	0:d92f9d21154c	5818	if (rsaKey) {
wolfSSL	0:d92f9d21154c	5819	/* signature */
wolfSSL	0:d92f9d21154c	5820	encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH);
wolfSSL	0:d92f9d21154c	5821	ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng);
wolfSSL	0:d92f9d21154c	5822	}
wolfSSL	0:d92f9d21154c	5823	#endif
wolfSSL	0:d92f9d21154c	5824
wolfSSL	0:d92f9d21154c	5825	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	5826	if (!rsaKey && eccKey) {
wolfSSL	0:d92f9d21154c	5827	word32 outSz = sigSz;
wolfSSL	0:d92f9d21154c	5828	ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey);
wolfSSL	0:d92f9d21154c	5829
wolfSSL	0:d92f9d21154c	5830	if (ret == 0)
wolfSSL	0:d92f9d21154c	5831	ret = outSz;
wolfSSL	0:d92f9d21154c	5832	}
wolfSSL	0:d92f9d21154c	5833	#endif
wolfSSL	0:d92f9d21154c	5834
wolfSSL	0:d92f9d21154c	5835	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5836	XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5837	#endif
wolfSSL	0:d92f9d21154c	5838
wolfSSL	0:d92f9d21154c	5839	return ret;
wolfSSL	0:d92f9d21154c	5840	}
wolfSSL	0:d92f9d21154c	5841
wolfSSL	0:d92f9d21154c	5842
wolfSSL	0:d92f9d21154c	5843	/* add signature to end of buffer, size of buffer assumed checked, return
wolfSSL	0:d92f9d21154c	5844	new length */
wolfSSL	0:d92f9d21154c	5845	static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
wolfSSL	0:d92f9d21154c	5846	int sigAlgoType)
wolfSSL	0:d92f9d21154c	5847	{
wolfSSL	0:d92f9d21154c	5848	byte seq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5849	int idx = bodySz, seqSz;
wolfSSL	0:d92f9d21154c	5850
wolfSSL	0:d92f9d21154c	5851	/* algo */
wolfSSL	0:d92f9d21154c	5852	idx += SetAlgoID(sigAlgoType, buffer + idx, sigType, 0);
wolfSSL	0:d92f9d21154c	5853	/* bit string */
wolfSSL	0:d92f9d21154c	5854	buffer[idx++] = ASN_BIT_STRING;
wolfSSL	0:d92f9d21154c	5855	/* length */
wolfSSL	0:d92f9d21154c	5856	idx += SetLength(sigSz + 1, buffer + idx);
wolfSSL	0:d92f9d21154c	5857	buffer[idx++] = 0; /* trailing 0 */
wolfSSL	0:d92f9d21154c	5858	/* signature */
wolfSSL	0:d92f9d21154c	5859	XMEMCPY(buffer + idx, sig, sigSz);
wolfSSL	0:d92f9d21154c	5860	idx += sigSz;
wolfSSL	0:d92f9d21154c	5861
wolfSSL	0:d92f9d21154c	5862	/* make room for overall header */
wolfSSL	0:d92f9d21154c	5863	seqSz = SetSequence(idx, seq);
wolfSSL	0:d92f9d21154c	5864	XMEMMOVE(buffer + seqSz, buffer, idx);
wolfSSL	0:d92f9d21154c	5865	XMEMCPY(buffer, seq, seqSz);
wolfSSL	0:d92f9d21154c	5866
wolfSSL	0:d92f9d21154c	5867	return idx + seqSz;
wolfSSL	0:d92f9d21154c	5868	}
wolfSSL	0:d92f9d21154c	5869
wolfSSL	0:d92f9d21154c	5870
wolfSSL	0:d92f9d21154c	5871	/* Make an x509 Certificate v3 any key type from cert input, write to buffer */
wolfSSL	0:d92f9d21154c	5872	static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL	0:d92f9d21154c	5873	RsaKey* rsaKey, ecc_key* eccKey, RNG* rng,
wolfSSL	0:d92f9d21154c	5874	const byte* ntruKey, word16 ntruSz)
wolfSSL	0:d92f9d21154c	5875	{
wolfSSL	0:d92f9d21154c	5876	int ret;
wolfSSL	0:d92f9d21154c	5877	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5878	DerCert* der;
wolfSSL	0:d92f9d21154c	5879	#else
wolfSSL	0:d92f9d21154c	5880	DerCert der[1];
wolfSSL	0:d92f9d21154c	5881	#endif
wolfSSL	0:d92f9d21154c	5882
wolfSSL	0:d92f9d21154c	5883	cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY);
wolfSSL	0:d92f9d21154c	5884
wolfSSL	0:d92f9d21154c	5885	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5886	der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5887	if (der == NULL)
wolfSSL	0:d92f9d21154c	5888	return MEMORY_E;
wolfSSL	0:d92f9d21154c	5889	#endif
wolfSSL	0:d92f9d21154c	5890
wolfSSL	0:d92f9d21154c	5891	ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz);
wolfSSL	0:d92f9d21154c	5892
wolfSSL	0:d92f9d21154c	5893	if (ret == 0) {
wolfSSL	0:d92f9d21154c	5894	if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL	0:d92f9d21154c	5895	ret = BUFFER_E;
wolfSSL	0:d92f9d21154c	5896	else
wolfSSL	0:d92f9d21154c	5897	ret = cert->bodySz = WriteCertBody(der, derBuffer);
wolfSSL	0:d92f9d21154c	5898	}
wolfSSL	0:d92f9d21154c	5899
wolfSSL	0:d92f9d21154c	5900	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	5901	XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	5902	#endif
wolfSSL	0:d92f9d21154c	5903
wolfSSL	0:d92f9d21154c	5904	return ret;
wolfSSL	0:d92f9d21154c	5905	}
wolfSSL	0:d92f9d21154c	5906
wolfSSL	0:d92f9d21154c	5907
wolfSSL	0:d92f9d21154c	5908	/* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
wolfSSL	0:d92f9d21154c	5909	int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey,
wolfSSL	0:d92f9d21154c	5910	ecc_key* eccKey, RNG* rng)
wolfSSL	0:d92f9d21154c	5911	{
wolfSSL	0:d92f9d21154c	5912	return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0);
wolfSSL	0:d92f9d21154c	5913	}
wolfSSL	0:d92f9d21154c	5914
wolfSSL	0:d92f9d21154c	5915
wolfSSL	0:d92f9d21154c	5916	#ifdef HAVE_NTRU
wolfSSL	0:d92f9d21154c	5917
wolfSSL	0:d92f9d21154c	5918	int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL	0:d92f9d21154c	5919	const byte* ntruKey, word16 keySz, RNG* rng)
wolfSSL	0:d92f9d21154c	5920	{
wolfSSL	0:d92f9d21154c	5921	return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz);
wolfSSL	0:d92f9d21154c	5922	}
wolfSSL	0:d92f9d21154c	5923
wolfSSL	0:d92f9d21154c	5924	#endif /* HAVE_NTRU */
wolfSSL	0:d92f9d21154c	5925
wolfSSL	0:d92f9d21154c	5926
wolfSSL	0:d92f9d21154c	5927	#ifdef WOLFSSL_CERT_REQ
wolfSSL	0:d92f9d21154c	5928
wolfSSL	0:d92f9d21154c	5929	static int SetReqAttrib(byte* output, char* pw, int extSz)
wolfSSL	0:d92f9d21154c	5930	{
wolfSSL	0:d92f9d21154c	5931	static const byte cpOid[] =
wolfSSL	0:d92f9d21154c	5932	{ ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL	0:d92f9d21154c	5933	0x09, 0x07 };
wolfSSL	0:d92f9d21154c	5934	static const byte erOid[] =
wolfSSL	0:d92f9d21154c	5935	{ ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
wolfSSL	0:d92f9d21154c	5936	0x09, 0x0e };
wolfSSL	0:d92f9d21154c	5937
wolfSSL	0:d92f9d21154c	5938	int sz = 0; /* overall size */
wolfSSL	0:d92f9d21154c	5939	int cpSz = 0; /* Challenge Password section size */
wolfSSL	0:d92f9d21154c	5940	int cpSeqSz = 0;
wolfSSL	0:d92f9d21154c	5941	int cpSetSz = 0;
wolfSSL	0:d92f9d21154c	5942	int cpStrSz = 0;
wolfSSL	0:d92f9d21154c	5943	int pwSz = 0;
wolfSSL	0:d92f9d21154c	5944	int erSz = 0; /* Extension Request section size */
wolfSSL	0:d92f9d21154c	5945	int erSeqSz = 0;
wolfSSL	0:d92f9d21154c	5946	int erSetSz = 0;
wolfSSL	0:d92f9d21154c	5947	byte cpSeq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5948	byte cpSet[MAX_SET_SZ];
wolfSSL	0:d92f9d21154c	5949	byte cpStr[MAX_PRSTR_SZ];
wolfSSL	0:d92f9d21154c	5950	byte erSeq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	5951	byte erSet[MAX_SET_SZ];
wolfSSL	0:d92f9d21154c	5952
wolfSSL	0:d92f9d21154c	5953	output[0] = 0xa0;
wolfSSL	0:d92f9d21154c	5954	sz++;
wolfSSL	0:d92f9d21154c	5955
wolfSSL	0:d92f9d21154c	5956	if (pw && pw[0]) {
wolfSSL	0:d92f9d21154c	5957	pwSz = (int)XSTRLEN(pw);
wolfSSL	0:d92f9d21154c	5958	cpStrSz = SetUTF8String(pwSz, cpStr);
wolfSSL	0:d92f9d21154c	5959	cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
wolfSSL	0:d92f9d21154c	5960	cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
wolfSSL	0:d92f9d21154c	5961	cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
wolfSSL	0:d92f9d21154c	5962	}
wolfSSL	0:d92f9d21154c	5963
wolfSSL	0:d92f9d21154c	5964	if (extSz) {
wolfSSL	0:d92f9d21154c	5965	erSetSz = SetSet(extSz, erSet);
wolfSSL	0:d92f9d21154c	5966	erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq);
wolfSSL	0:d92f9d21154c	5967	erSz = extSz + erSetSz + erSeqSz + sizeof(erOid);
wolfSSL	0:d92f9d21154c	5968	}
wolfSSL	0:d92f9d21154c	5969
wolfSSL	0:d92f9d21154c	5970	/* Put the pieces together. */
wolfSSL	0:d92f9d21154c	5971	sz += SetLength(cpSz + erSz, &output[sz]);
wolfSSL	0:d92f9d21154c	5972
wolfSSL	0:d92f9d21154c	5973	if (cpSz) {
wolfSSL	0:d92f9d21154c	5974	XMEMCPY(&output[sz], cpSeq, cpSeqSz);
wolfSSL	0:d92f9d21154c	5975	sz += cpSeqSz;
wolfSSL	0:d92f9d21154c	5976	XMEMCPY(&output[sz], cpOid, sizeof(cpOid));
wolfSSL	0:d92f9d21154c	5977	sz += sizeof(cpOid);
wolfSSL	0:d92f9d21154c	5978	XMEMCPY(&output[sz], cpSet, cpSetSz);
wolfSSL	0:d92f9d21154c	5979	sz += cpSetSz;
wolfSSL	0:d92f9d21154c	5980	XMEMCPY(&output[sz], cpStr, cpStrSz);
wolfSSL	0:d92f9d21154c	5981	sz += cpStrSz;
wolfSSL	0:d92f9d21154c	5982	XMEMCPY(&output[sz], pw, pwSz);
wolfSSL	0:d92f9d21154c	5983	sz += pwSz;
wolfSSL	0:d92f9d21154c	5984	}
wolfSSL	0:d92f9d21154c	5985
wolfSSL	0:d92f9d21154c	5986	if (erSz) {
wolfSSL	0:d92f9d21154c	5987	XMEMCPY(&output[sz], erSeq, erSeqSz);
wolfSSL	0:d92f9d21154c	5988	sz += erSeqSz;
wolfSSL	0:d92f9d21154c	5989	XMEMCPY(&output[sz], erOid, sizeof(erOid));
wolfSSL	0:d92f9d21154c	5990	sz += sizeof(erOid);
wolfSSL	0:d92f9d21154c	5991	XMEMCPY(&output[sz], erSet, erSetSz);
wolfSSL	0:d92f9d21154c	5992	sz += erSetSz;
wolfSSL	0:d92f9d21154c	5993	/* The actual extension data will be tacked onto the output later. */
wolfSSL	0:d92f9d21154c	5994	}
wolfSSL	0:d92f9d21154c	5995
wolfSSL	0:d92f9d21154c	5996	return sz;
wolfSSL	0:d92f9d21154c	5997	}
wolfSSL	0:d92f9d21154c	5998
wolfSSL	0:d92f9d21154c	5999
wolfSSL	0:d92f9d21154c	6000	/* encode info from cert into DER encoded format */
wolfSSL	0:d92f9d21154c	6001	static int EncodeCertReq(Cert* cert, DerCert* der,
wolfSSL	0:d92f9d21154c	6002	RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL	0:d92f9d21154c	6003	{
wolfSSL	0:d92f9d21154c	6004	(void)eccKey;
wolfSSL	0:d92f9d21154c	6005
wolfSSL	0:d92f9d21154c	6006	/* init */
wolfSSL	0:d92f9d21154c	6007	XMEMSET(der, 0, sizeof(DerCert));
wolfSSL	0:d92f9d21154c	6008
wolfSSL	0:d92f9d21154c	6009	/* version */
wolfSSL	0:d92f9d21154c	6010	der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
wolfSSL	0:d92f9d21154c	6011
wolfSSL	0:d92f9d21154c	6012	/* subject name */
wolfSSL	0:d92f9d21154c	6013	der->subjectSz = SetName(der->subject, &cert->subject);
wolfSSL	0:d92f9d21154c	6014	if (der->subjectSz == 0)
wolfSSL	0:d92f9d21154c	6015	return SUBJECT_E;
wolfSSL	0:d92f9d21154c	6016
wolfSSL	0:d92f9d21154c	6017	/* public key */
wolfSSL	0:d92f9d21154c	6018	if (cert->keyType == RSA_KEY) {
wolfSSL	0:d92f9d21154c	6019	if (rsaKey == NULL)
wolfSSL	0:d92f9d21154c	6020	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	6021	der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey);
wolfSSL	0:d92f9d21154c	6022	if (der->publicKeySz <= 0)
wolfSSL	0:d92f9d21154c	6023	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	6024	}
wolfSSL	0:d92f9d21154c	6025
wolfSSL	0:d92f9d21154c	6026	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	6027	if (cert->keyType == ECC_KEY) {
wolfSSL	0:d92f9d21154c	6028	if (eccKey == NULL)
wolfSSL	0:d92f9d21154c	6029	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	6030	der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey);
wolfSSL	0:d92f9d21154c	6031	if (der->publicKeySz <= 0)
wolfSSL	0:d92f9d21154c	6032	return PUBLIC_KEY_E;
wolfSSL	0:d92f9d21154c	6033	}
wolfSSL	0:d92f9d21154c	6034	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	6035
wolfSSL	0:d92f9d21154c	6036	/* CA */
wolfSSL	0:d92f9d21154c	6037	if (cert->isCA) {
wolfSSL	0:d92f9d21154c	6038	der->caSz = SetCa(der->ca);
wolfSSL	0:d92f9d21154c	6039	if (der->caSz == 0)
wolfSSL	0:d92f9d21154c	6040	return CA_TRUE_E;
wolfSSL	0:d92f9d21154c	6041	}
wolfSSL	0:d92f9d21154c	6042	else
wolfSSL	0:d92f9d21154c	6043	der->caSz = 0;
wolfSSL	0:d92f9d21154c	6044
wolfSSL	0:d92f9d21154c	6045	/* extensions, just CA now */
wolfSSL	0:d92f9d21154c	6046	if (cert->isCA) {
wolfSSL	0:d92f9d21154c	6047	der->extensionsSz = SetExtensions(der->extensions,
wolfSSL	0:d92f9d21154c	6048	der->ca, der->caSz, FALSE);
wolfSSL	0:d92f9d21154c	6049	if (der->extensionsSz == 0)
wolfSSL	0:d92f9d21154c	6050	return EXTENSIONS_E;
wolfSSL	0:d92f9d21154c	6051	}
wolfSSL	0:d92f9d21154c	6052	else
wolfSSL	0:d92f9d21154c	6053	der->extensionsSz = 0;
wolfSSL	0:d92f9d21154c	6054
wolfSSL	0:d92f9d21154c	6055	der->attribSz = SetReqAttrib(der->attrib,
wolfSSL	0:d92f9d21154c	6056	cert->challengePw, der->extensionsSz);
wolfSSL	0:d92f9d21154c	6057	if (der->attribSz == 0)
wolfSSL	0:d92f9d21154c	6058	return REQ_ATTRIBUTE_E;
wolfSSL	0:d92f9d21154c	6059
wolfSSL	0:d92f9d21154c	6060	der->total = der->versionSz + der->subjectSz + der->publicKeySz +
wolfSSL	0:d92f9d21154c	6061	der->extensionsSz + der->attribSz;
wolfSSL	0:d92f9d21154c	6062
wolfSSL	0:d92f9d21154c	6063	return 0;
wolfSSL	0:d92f9d21154c	6064	}
wolfSSL	0:d92f9d21154c	6065
wolfSSL	0:d92f9d21154c	6066
wolfSSL	0:d92f9d21154c	6067	/* write DER encoded cert req to buffer, size already checked */
wolfSSL	0:d92f9d21154c	6068	static int WriteCertReqBody(DerCert* der, byte* buffer)
wolfSSL	0:d92f9d21154c	6069	{
wolfSSL	0:d92f9d21154c	6070	int idx;
wolfSSL	0:d92f9d21154c	6071
wolfSSL	0:d92f9d21154c	6072	/* signed part header */
wolfSSL	0:d92f9d21154c	6073	idx = SetSequence(der->total, buffer);
wolfSSL	0:d92f9d21154c	6074	/* version */
wolfSSL	0:d92f9d21154c	6075	XMEMCPY(buffer + idx, der->version, der->versionSz);
wolfSSL	0:d92f9d21154c	6076	idx += der->versionSz;
wolfSSL	0:d92f9d21154c	6077	/* subject */
wolfSSL	0:d92f9d21154c	6078	XMEMCPY(buffer + idx, der->subject, der->subjectSz);
wolfSSL	0:d92f9d21154c	6079	idx += der->subjectSz;
wolfSSL	0:d92f9d21154c	6080	/* public key */
wolfSSL	0:d92f9d21154c	6081	XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
wolfSSL	0:d92f9d21154c	6082	idx += der->publicKeySz;
wolfSSL	0:d92f9d21154c	6083	/* attributes */
wolfSSL	0:d92f9d21154c	6084	XMEMCPY(buffer + idx, der->attrib, der->attribSz);
wolfSSL	0:d92f9d21154c	6085	idx += der->attribSz;
wolfSSL	0:d92f9d21154c	6086	/* extensions */
wolfSSL	0:d92f9d21154c	6087	if (der->extensionsSz) {
wolfSSL	0:d92f9d21154c	6088	XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
wolfSSL	0:d92f9d21154c	6089	sizeof(der->extensions)));
wolfSSL	0:d92f9d21154c	6090	idx += der->extensionsSz;
wolfSSL	0:d92f9d21154c	6091	}
wolfSSL	0:d92f9d21154c	6092
wolfSSL	0:d92f9d21154c	6093	return idx;
wolfSSL	0:d92f9d21154c	6094	}
wolfSSL	0:d92f9d21154c	6095
wolfSSL	0:d92f9d21154c	6096
wolfSSL	0:d92f9d21154c	6097	int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
wolfSSL	0:d92f9d21154c	6098	RsaKey* rsaKey, ecc_key* eccKey)
wolfSSL	0:d92f9d21154c	6099	{
wolfSSL	0:d92f9d21154c	6100	int ret;
wolfSSL	0:d92f9d21154c	6101	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6102	DerCert* der;
wolfSSL	0:d92f9d21154c	6103	#else
wolfSSL	0:d92f9d21154c	6104	DerCert der[1];
wolfSSL	0:d92f9d21154c	6105	#endif
wolfSSL	0:d92f9d21154c	6106
wolfSSL	0:d92f9d21154c	6107	cert->keyType = eccKey ? ECC_KEY : RSA_KEY;
wolfSSL	0:d92f9d21154c	6108
wolfSSL	0:d92f9d21154c	6109	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6110	der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6111	if (der == NULL)
wolfSSL	0:d92f9d21154c	6112	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6113	#endif
wolfSSL	0:d92f9d21154c	6114
wolfSSL	0:d92f9d21154c	6115	ret = EncodeCertReq(cert, der, rsaKey, eccKey);
wolfSSL	0:d92f9d21154c	6116
wolfSSL	0:d92f9d21154c	6117	if (ret == 0) {
wolfSSL	0:d92f9d21154c	6118	if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
wolfSSL	0:d92f9d21154c	6119	ret = BUFFER_E;
wolfSSL	0:d92f9d21154c	6120	else
wolfSSL	0:d92f9d21154c	6121	ret = cert->bodySz = WriteCertReqBody(der, derBuffer);
wolfSSL	0:d92f9d21154c	6122	}
wolfSSL	0:d92f9d21154c	6123
wolfSSL	0:d92f9d21154c	6124	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6125	XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6126	#endif
wolfSSL	0:d92f9d21154c	6127
wolfSSL	0:d92f9d21154c	6128	return ret;
wolfSSL	0:d92f9d21154c	6129	}
wolfSSL	0:d92f9d21154c	6130
wolfSSL	0:d92f9d21154c	6131	#endif /* WOLFSSL_CERT_REQ */
wolfSSL	0:d92f9d21154c	6132
wolfSSL	0:d92f9d21154c	6133
wolfSSL	0:d92f9d21154c	6134	int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
wolfSSL	0:d92f9d21154c	6135	RsaKey* rsaKey, ecc_key* eccKey, RNG* rng)
wolfSSL	0:d92f9d21154c	6136	{
wolfSSL	0:d92f9d21154c	6137	int sigSz;
wolfSSL	0:d92f9d21154c	6138	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6139	byte* sig;
wolfSSL	0:d92f9d21154c	6140	#else
wolfSSL	0:d92f9d21154c	6141	byte sig[MAX_ENCODED_SIG_SZ];
wolfSSL	0:d92f9d21154c	6142	#endif
wolfSSL	0:d92f9d21154c	6143
wolfSSL	0:d92f9d21154c	6144	if (requestSz < 0)
wolfSSL	0:d92f9d21154c	6145	return requestSz;
wolfSSL	0:d92f9d21154c	6146
wolfSSL	0:d92f9d21154c	6147	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6148	sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6149	if (sig == NULL)
wolfSSL	0:d92f9d21154c	6150	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6151	#endif
wolfSSL	0:d92f9d21154c	6152
wolfSSL	0:d92f9d21154c	6153	sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey,
wolfSSL	0:d92f9d21154c	6154	eccKey, rng, sType);
wolfSSL	0:d92f9d21154c	6155
wolfSSL	0:d92f9d21154c	6156	if (sigSz >= 0) {
wolfSSL	0:d92f9d21154c	6157	if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
wolfSSL	0:d92f9d21154c	6158	sigSz = BUFFER_E;
wolfSSL	0:d92f9d21154c	6159	else
wolfSSL	0:d92f9d21154c	6160	sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType);
wolfSSL	0:d92f9d21154c	6161	}
wolfSSL	0:d92f9d21154c	6162
wolfSSL	0:d92f9d21154c	6163	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6164	XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6165	#endif
wolfSSL	0:d92f9d21154c	6166
wolfSSL	0:d92f9d21154c	6167	return sigSz;
wolfSSL	0:d92f9d21154c	6168	}
wolfSSL	0:d92f9d21154c	6169
wolfSSL	0:d92f9d21154c	6170
wolfSSL	0:d92f9d21154c	6171	int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, RsaKey* key, RNG* rng)
wolfSSL	0:d92f9d21154c	6172	{
wolfSSL	0:d92f9d21154c	6173	int ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng);
wolfSSL	0:d92f9d21154c	6174
wolfSSL	0:d92f9d21154c	6175	if (ret < 0)
wolfSSL	0:d92f9d21154c	6176	return ret;
wolfSSL	0:d92f9d21154c	6177
wolfSSL	0:d92f9d21154c	6178	return wc_SignCert(cert->bodySz, cert->sigType, buffer, buffSz, key, NULL,rng);
wolfSSL	0:d92f9d21154c	6179	}
wolfSSL	0:d92f9d21154c	6180
wolfSSL	0:d92f9d21154c	6181
wolfSSL	0:d92f9d21154c	6182	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	6183
wolfSSL	0:d92f9d21154c	6184	/* Set Alt Names from der cert, return 0 on success */
wolfSSL	0:d92f9d21154c	6185	static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6186	{
wolfSSL	0:d92f9d21154c	6187	int ret;
wolfSSL	0:d92f9d21154c	6188	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6189	DecodedCert* decoded;
wolfSSL	0:d92f9d21154c	6190	#else
wolfSSL	0:d92f9d21154c	6191	DecodedCert decoded[1];
wolfSSL	0:d92f9d21154c	6192	#endif
wolfSSL	0:d92f9d21154c	6193
wolfSSL	0:d92f9d21154c	6194	if (derSz < 0)
wolfSSL	0:d92f9d21154c	6195	return derSz;
wolfSSL	0:d92f9d21154c	6196
wolfSSL	0:d92f9d21154c	6197	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6198	decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL	0:d92f9d21154c	6199	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6200	if (decoded == NULL)
wolfSSL	0:d92f9d21154c	6201	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6202	#endif
wolfSSL	0:d92f9d21154c	6203
wolfSSL	0:d92f9d21154c	6204	InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL	0:d92f9d21154c	6205	ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL	0:d92f9d21154c	6206
wolfSSL	0:d92f9d21154c	6207	if (ret < 0) {
wolfSSL	0:d92f9d21154c	6208	WOLFSSL_MSG("ParseCertRelative error");
wolfSSL	0:d92f9d21154c	6209	}
wolfSSL	0:d92f9d21154c	6210	else if (decoded->extensions) {
wolfSSL	0:d92f9d21154c	6211	byte b;
wolfSSL	0:d92f9d21154c	6212	int length;
wolfSSL	0:d92f9d21154c	6213	word32 maxExtensionsIdx;
wolfSSL	0:d92f9d21154c	6214
wolfSSL	0:d92f9d21154c	6215	decoded->srcIdx = decoded->extensionsIdx;
wolfSSL	0:d92f9d21154c	6216	b = decoded->source[decoded->srcIdx++];
wolfSSL	0:d92f9d21154c	6217
wolfSSL	0:d92f9d21154c	6218	if (b != ASN_EXTENSIONS) {
wolfSSL	0:d92f9d21154c	6219	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6220	}
wolfSSL	0:d92f9d21154c	6221	else if (GetLength(decoded->source, &decoded->srcIdx, &length,
wolfSSL	0:d92f9d21154c	6222	decoded->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	6223	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6224	}
wolfSSL	0:d92f9d21154c	6225	else if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL	0:d92f9d21154c	6226	decoded->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	6227	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6228	}
wolfSSL	0:d92f9d21154c	6229	else {
wolfSSL	0:d92f9d21154c	6230	maxExtensionsIdx = decoded->srcIdx + length;
wolfSSL	0:d92f9d21154c	6231
wolfSSL	0:d92f9d21154c	6232	while (decoded->srcIdx < maxExtensionsIdx) {
wolfSSL	0:d92f9d21154c	6233	word32 oid;
wolfSSL	0:d92f9d21154c	6234	word32 startIdx = decoded->srcIdx;
wolfSSL	0:d92f9d21154c	6235	word32 tmpIdx;
wolfSSL	0:d92f9d21154c	6236
wolfSSL	0:d92f9d21154c	6237	if (GetSequence(decoded->source, &decoded->srcIdx, &length,
wolfSSL	0:d92f9d21154c	6238	decoded->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	6239	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6240	break;
wolfSSL	0:d92f9d21154c	6241	}
wolfSSL	0:d92f9d21154c	6242
wolfSSL	0:d92f9d21154c	6243	tmpIdx = decoded->srcIdx;
wolfSSL	0:d92f9d21154c	6244	decoded->srcIdx = startIdx;
wolfSSL	0:d92f9d21154c	6245
wolfSSL	0:d92f9d21154c	6246	if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
wolfSSL	0:d92f9d21154c	6247	decoded->maxIdx) < 0) {
wolfSSL	0:d92f9d21154c	6248	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6249	break;
wolfSSL	0:d92f9d21154c	6250	}
wolfSSL	0:d92f9d21154c	6251
wolfSSL	0:d92f9d21154c	6252	if (oid == ALT_NAMES_OID) {
wolfSSL	0:d92f9d21154c	6253	cert->altNamesSz = length + (tmpIdx - startIdx);
wolfSSL	0:d92f9d21154c	6254
wolfSSL	0:d92f9d21154c	6255	if (cert->altNamesSz < (int)sizeof(cert->altNames))
wolfSSL	0:d92f9d21154c	6256	XMEMCPY(cert->altNames, &decoded->source[startIdx],
wolfSSL	0:d92f9d21154c	6257	cert->altNamesSz);
wolfSSL	0:d92f9d21154c	6258	else {
wolfSSL	0:d92f9d21154c	6259	cert->altNamesSz = 0;
wolfSSL	0:d92f9d21154c	6260	WOLFSSL_MSG("AltNames extensions too big");
wolfSSL	0:d92f9d21154c	6261	ret = ALT_NAME_E;
wolfSSL	0:d92f9d21154c	6262	break;
wolfSSL	0:d92f9d21154c	6263	}
wolfSSL	0:d92f9d21154c	6264	}
wolfSSL	0:d92f9d21154c	6265	decoded->srcIdx = tmpIdx + length;
wolfSSL	0:d92f9d21154c	6266	}
wolfSSL	0:d92f9d21154c	6267	}
wolfSSL	0:d92f9d21154c	6268	}
wolfSSL	0:d92f9d21154c	6269
wolfSSL	0:d92f9d21154c	6270	FreeDecodedCert(decoded);
wolfSSL	0:d92f9d21154c	6271	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6272	XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6273	#endif
wolfSSL	0:d92f9d21154c	6274
wolfSSL	0:d92f9d21154c	6275	return ret < 0 ? ret : 0;
wolfSSL	0:d92f9d21154c	6276	}
wolfSSL	0:d92f9d21154c	6277
wolfSSL	0:d92f9d21154c	6278
wolfSSL	0:d92f9d21154c	6279	/* Set Dates from der cert, return 0 on success */
wolfSSL	0:d92f9d21154c	6280	static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6281	{
wolfSSL	0:d92f9d21154c	6282	int ret;
wolfSSL	0:d92f9d21154c	6283	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6284	DecodedCert* decoded;
wolfSSL	0:d92f9d21154c	6285	#else
wolfSSL	0:d92f9d21154c	6286	DecodedCert decoded[1];
wolfSSL	0:d92f9d21154c	6287	#endif
wolfSSL	0:d92f9d21154c	6288
wolfSSL	0:d92f9d21154c	6289	WOLFSSL_ENTER("SetDatesFromCert");
wolfSSL	0:d92f9d21154c	6290	if (derSz < 0)
wolfSSL	0:d92f9d21154c	6291	return derSz;
wolfSSL	0:d92f9d21154c	6292
wolfSSL	0:d92f9d21154c	6293	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6294	decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL	0:d92f9d21154c	6295	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6296	if (decoded == NULL)
wolfSSL	0:d92f9d21154c	6297	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6298	#endif
wolfSSL	0:d92f9d21154c	6299
wolfSSL	0:d92f9d21154c	6300	InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL	0:d92f9d21154c	6301	ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL	0:d92f9d21154c	6302
wolfSSL	0:d92f9d21154c	6303	if (ret < 0) {
wolfSSL	0:d92f9d21154c	6304	WOLFSSL_MSG("ParseCertRelative error");
wolfSSL	0:d92f9d21154c	6305	}
wolfSSL	0:d92f9d21154c	6306	else if (decoded->beforeDate == NULL \|\| decoded->afterDate == NULL) {
wolfSSL	0:d92f9d21154c	6307	WOLFSSL_MSG("Couldn't extract dates");
wolfSSL	0:d92f9d21154c	6308	ret = -1;
wolfSSL	0:d92f9d21154c	6309	}
wolfSSL	0:d92f9d21154c	6310	else if (decoded->beforeDateLen > MAX_DATE_SIZE \|\|
wolfSSL	0:d92f9d21154c	6311	decoded->afterDateLen > MAX_DATE_SIZE) {
wolfSSL	0:d92f9d21154c	6312	WOLFSSL_MSG("Bad date size");
wolfSSL	0:d92f9d21154c	6313	ret = -1;
wolfSSL	0:d92f9d21154c	6314	}
wolfSSL	0:d92f9d21154c	6315	else {
wolfSSL	0:d92f9d21154c	6316	XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen);
wolfSSL	0:d92f9d21154c	6317	XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen);
wolfSSL	0:d92f9d21154c	6318
wolfSSL	0:d92f9d21154c	6319	cert->beforeDateSz = decoded->beforeDateLen;
wolfSSL	0:d92f9d21154c	6320	cert->afterDateSz = decoded->afterDateLen;
wolfSSL	0:d92f9d21154c	6321	}
wolfSSL	0:d92f9d21154c	6322
wolfSSL	0:d92f9d21154c	6323	FreeDecodedCert(decoded);
wolfSSL	0:d92f9d21154c	6324
wolfSSL	0:d92f9d21154c	6325	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6326	XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6327	#endif
wolfSSL	0:d92f9d21154c	6328
wolfSSL	0:d92f9d21154c	6329	return ret < 0 ? ret : 0;
wolfSSL	0:d92f9d21154c	6330	}
wolfSSL	0:d92f9d21154c	6331
wolfSSL	0:d92f9d21154c	6332
wolfSSL	0:d92f9d21154c	6333	#endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
wolfSSL	0:d92f9d21154c	6334
wolfSSL	0:d92f9d21154c	6335
wolfSSL	0:d92f9d21154c	6336	/* Set cn name from der buffer, return 0 on success */
wolfSSL	0:d92f9d21154c	6337	static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6338	{
wolfSSL	0:d92f9d21154c	6339	int ret, sz;
wolfSSL	0:d92f9d21154c	6340	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6341	DecodedCert* decoded;
wolfSSL	0:d92f9d21154c	6342	#else
wolfSSL	0:d92f9d21154c	6343	DecodedCert decoded[1];
wolfSSL	0:d92f9d21154c	6344	#endif
wolfSSL	0:d92f9d21154c	6345
wolfSSL	0:d92f9d21154c	6346	if (derSz < 0)
wolfSSL	0:d92f9d21154c	6347	return derSz;
wolfSSL	0:d92f9d21154c	6348
wolfSSL	0:d92f9d21154c	6349	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6350	decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
wolfSSL	0:d92f9d21154c	6351	DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6352	if (decoded == NULL)
wolfSSL	0:d92f9d21154c	6353	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6354	#endif
wolfSSL	0:d92f9d21154c	6355
wolfSSL	0:d92f9d21154c	6356	InitDecodedCert(decoded, (byte*)der, derSz, 0);
wolfSSL	0:d92f9d21154c	6357	ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
wolfSSL	0:d92f9d21154c	6358
wolfSSL	0:d92f9d21154c	6359	if (ret < 0) {
wolfSSL	0:d92f9d21154c	6360	WOLFSSL_MSG("ParseCertRelative error");
wolfSSL	0:d92f9d21154c	6361	}
wolfSSL	0:d92f9d21154c	6362	else {
wolfSSL	0:d92f9d21154c	6363	if (decoded->subjectCN) {
wolfSSL	0:d92f9d21154c	6364	sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
wolfSSL	0:d92f9d21154c	6365	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6366	strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6367	cn->commonName[sz] = 0;
wolfSSL	0:d92f9d21154c	6368	cn->commonNameEnc = decoded->subjectCNEnc;
wolfSSL	0:d92f9d21154c	6369	}
wolfSSL	0:d92f9d21154c	6370	if (decoded->subjectC) {
wolfSSL	0:d92f9d21154c	6371	sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
wolfSSL	0:d92f9d21154c	6372	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6373	strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6374	cn->country[sz] = 0;
wolfSSL	0:d92f9d21154c	6375	cn->countryEnc = decoded->subjectCEnc;
wolfSSL	0:d92f9d21154c	6376	}
wolfSSL	0:d92f9d21154c	6377	if (decoded->subjectST) {
wolfSSL	0:d92f9d21154c	6378	sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
wolfSSL	0:d92f9d21154c	6379	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6380	strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6381	cn->state[sz] = 0;
wolfSSL	0:d92f9d21154c	6382	cn->stateEnc = decoded->subjectSTEnc;
wolfSSL	0:d92f9d21154c	6383	}
wolfSSL	0:d92f9d21154c	6384	if (decoded->subjectL) {
wolfSSL	0:d92f9d21154c	6385	sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
wolfSSL	0:d92f9d21154c	6386	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6387	strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6388	cn->locality[sz] = 0;
wolfSSL	0:d92f9d21154c	6389	cn->localityEnc = decoded->subjectLEnc;
wolfSSL	0:d92f9d21154c	6390	}
wolfSSL	0:d92f9d21154c	6391	if (decoded->subjectO) {
wolfSSL	0:d92f9d21154c	6392	sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
wolfSSL	0:d92f9d21154c	6393	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6394	strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6395	cn->org[sz] = 0;
wolfSSL	0:d92f9d21154c	6396	cn->orgEnc = decoded->subjectOEnc;
wolfSSL	0:d92f9d21154c	6397	}
wolfSSL	0:d92f9d21154c	6398	if (decoded->subjectOU) {
wolfSSL	0:d92f9d21154c	6399	sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
wolfSSL	0:d92f9d21154c	6400	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6401	strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6402	cn->unit[sz] = 0;
wolfSSL	0:d92f9d21154c	6403	cn->unitEnc = decoded->subjectOUEnc;
wolfSSL	0:d92f9d21154c	6404	}
wolfSSL	0:d92f9d21154c	6405	if (decoded->subjectSN) {
wolfSSL	0:d92f9d21154c	6406	sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
wolfSSL	0:d92f9d21154c	6407	: CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6408	strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6409	cn->sur[sz] = 0;
wolfSSL	0:d92f9d21154c	6410	cn->surEnc = decoded->subjectSNEnc;
wolfSSL	0:d92f9d21154c	6411	}
wolfSSL	0:d92f9d21154c	6412	if (decoded->subjectEmail) {
wolfSSL	0:d92f9d21154c	6413	sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
wolfSSL	0:d92f9d21154c	6414	? decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
wolfSSL	0:d92f9d21154c	6415	strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE);
wolfSSL	0:d92f9d21154c	6416	cn->email[sz] = 0;
wolfSSL	0:d92f9d21154c	6417	}
wolfSSL	0:d92f9d21154c	6418	}
wolfSSL	0:d92f9d21154c	6419
wolfSSL	0:d92f9d21154c	6420	FreeDecodedCert(decoded);
wolfSSL	0:d92f9d21154c	6421
wolfSSL	0:d92f9d21154c	6422	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6423	XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6424	#endif
wolfSSL	0:d92f9d21154c	6425
wolfSSL	0:d92f9d21154c	6426	return ret < 0 ? ret : 0;
wolfSSL	0:d92f9d21154c	6427	}
wolfSSL	0:d92f9d21154c	6428
wolfSSL	0:d92f9d21154c	6429
wolfSSL	0:d92f9d21154c	6430	#ifndef NO_FILESYSTEM
wolfSSL	0:d92f9d21154c	6431
wolfSSL	0:d92f9d21154c	6432	/* Set cert issuer from issuerFile in PEM */
wolfSSL	0:d92f9d21154c	6433	int wc_SetIssuer(Cert* cert, const char* issuerFile)
wolfSSL	0:d92f9d21154c	6434	{
wolfSSL	0:d92f9d21154c	6435	int ret;
wolfSSL	0:d92f9d21154c	6436	int derSz;
wolfSSL	0:d92f9d21154c	6437	byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6438
wolfSSL	0:d92f9d21154c	6439	if (der == NULL) {
wolfSSL	0:d92f9d21154c	6440	WOLFSSL_MSG("wc_SetIssuer OOF Problem");
wolfSSL	0:d92f9d21154c	6441	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6442	}
wolfSSL	0:d92f9d21154c	6443	derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF);
wolfSSL	0:d92f9d21154c	6444	cert->selfSigned = 0;
wolfSSL	0:d92f9d21154c	6445	ret = SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL	0:d92f9d21154c	6446	XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6447
wolfSSL	0:d92f9d21154c	6448	return ret;
wolfSSL	0:d92f9d21154c	6449	}
wolfSSL	0:d92f9d21154c	6450
wolfSSL	0:d92f9d21154c	6451
wolfSSL	0:d92f9d21154c	6452	/* Set cert subject from subjectFile in PEM */
wolfSSL	0:d92f9d21154c	6453	int wc_SetSubject(Cert* cert, const char* subjectFile)
wolfSSL	0:d92f9d21154c	6454	{
wolfSSL	0:d92f9d21154c	6455	int ret;
wolfSSL	0:d92f9d21154c	6456	int derSz;
wolfSSL	0:d92f9d21154c	6457	byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6458
wolfSSL	0:d92f9d21154c	6459	if (der == NULL) {
wolfSSL	0:d92f9d21154c	6460	WOLFSSL_MSG("wc_SetSubject OOF Problem");
wolfSSL	0:d92f9d21154c	6461	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6462	}
wolfSSL	0:d92f9d21154c	6463	derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF);
wolfSSL	0:d92f9d21154c	6464	ret = SetNameFromCert(&cert->subject, der, derSz);
wolfSSL	0:d92f9d21154c	6465	XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6466
wolfSSL	0:d92f9d21154c	6467	return ret;
wolfSSL	0:d92f9d21154c	6468	}
wolfSSL	0:d92f9d21154c	6469
wolfSSL	0:d92f9d21154c	6470
wolfSSL	0:d92f9d21154c	6471	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	6472
wolfSSL	0:d92f9d21154c	6473	/* Set atl names from file in PEM */
wolfSSL	0:d92f9d21154c	6474	int wc_SetAltNames(Cert* cert, const char* file)
wolfSSL	0:d92f9d21154c	6475	{
wolfSSL	0:d92f9d21154c	6476	int ret;
wolfSSL	0:d92f9d21154c	6477	int derSz;
wolfSSL	0:d92f9d21154c	6478	byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6479
wolfSSL	0:d92f9d21154c	6480	if (der == NULL) {
wolfSSL	0:d92f9d21154c	6481	WOLFSSL_MSG("wc_SetAltNames OOF Problem");
wolfSSL	0:d92f9d21154c	6482	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6483	}
wolfSSL	0:d92f9d21154c	6484	derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
wolfSSL	0:d92f9d21154c	6485	ret = SetAltNamesFromCert(cert, der, derSz);
wolfSSL	0:d92f9d21154c	6486	XFREE(der, NULL, DYNAMIC_TYPE_CERT);
wolfSSL	0:d92f9d21154c	6487
wolfSSL	0:d92f9d21154c	6488	return ret;
wolfSSL	0:d92f9d21154c	6489	}
wolfSSL	0:d92f9d21154c	6490
wolfSSL	0:d92f9d21154c	6491	#endif /* WOLFSSL_ALT_NAMES */
wolfSSL	0:d92f9d21154c	6492
wolfSSL	0:d92f9d21154c	6493	#endif /* NO_FILESYSTEM */
wolfSSL	0:d92f9d21154c	6494
wolfSSL	0:d92f9d21154c	6495	/* Set cert issuer from DER buffer */
wolfSSL	0:d92f9d21154c	6496	int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6497	{
wolfSSL	0:d92f9d21154c	6498	cert->selfSigned = 0;
wolfSSL	0:d92f9d21154c	6499	return SetNameFromCert(&cert->issuer, der, derSz);
wolfSSL	0:d92f9d21154c	6500	}
wolfSSL	0:d92f9d21154c	6501
wolfSSL	0:d92f9d21154c	6502
wolfSSL	0:d92f9d21154c	6503	/* Set cert subject from DER buffer */
wolfSSL	0:d92f9d21154c	6504	int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6505	{
wolfSSL	0:d92f9d21154c	6506	return SetNameFromCert(&cert->subject, der, derSz);
wolfSSL	0:d92f9d21154c	6507	}
wolfSSL	0:d92f9d21154c	6508
wolfSSL	0:d92f9d21154c	6509
wolfSSL	0:d92f9d21154c	6510	#ifdef WOLFSSL_ALT_NAMES
wolfSSL	0:d92f9d21154c	6511
wolfSSL	0:d92f9d21154c	6512	/* Set cert alt names from DER buffer */
wolfSSL	0:d92f9d21154c	6513	int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6514	{
wolfSSL	0:d92f9d21154c	6515	return SetAltNamesFromCert(cert, der, derSz);
wolfSSL	0:d92f9d21154c	6516	}
wolfSSL	0:d92f9d21154c	6517
wolfSSL	0:d92f9d21154c	6518	/* Set cert dates from DER buffer */
wolfSSL	0:d92f9d21154c	6519	int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
wolfSSL	0:d92f9d21154c	6520	{
wolfSSL	0:d92f9d21154c	6521	return SetDatesFromCert(cert, der, derSz);
wolfSSL	0:d92f9d21154c	6522	}
wolfSSL	0:d92f9d21154c	6523
wolfSSL	0:d92f9d21154c	6524	#endif /* WOLFSSL_ALT_NAMES */
wolfSSL	0:d92f9d21154c	6525
wolfSSL	0:d92f9d21154c	6526	#endif /* WOLFSSL_CERT_GEN */
wolfSSL	0:d92f9d21154c	6527
wolfSSL	0:d92f9d21154c	6528
wolfSSL	0:d92f9d21154c	6529	#ifdef HAVE_ECC
wolfSSL	0:d92f9d21154c	6530
wolfSSL	0:d92f9d21154c	6531	/* Der Encode r & s ints into out, outLen is (in/out) size */
wolfSSL	0:d92f9d21154c	6532	int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
wolfSSL	0:d92f9d21154c	6533	{
wolfSSL	0:d92f9d21154c	6534	word32 idx = 0;
wolfSSL	0:d92f9d21154c	6535	word32 rSz; /* encoding size */
wolfSSL	0:d92f9d21154c	6536	word32 sSz;
wolfSSL	0:d92f9d21154c	6537	word32 headerSz = 4; /* 2ASN_TAG + 2LEN(ENUM) */
wolfSSL	0:d92f9d21154c	6538
wolfSSL	0:d92f9d21154c	6539	/* If the leading bit on the INTEGER is a 1, add a leading zero */
wolfSSL	0:d92f9d21154c	6540	int rLeadingZero = mp_leading_bit(r);
wolfSSL	0:d92f9d21154c	6541	int sLeadingZero = mp_leading_bit(s);
wolfSSL	0:d92f9d21154c	6542	int rLen = mp_unsigned_bin_size(r); /* big int size */
wolfSSL	0:d92f9d21154c	6543	int sLen = mp_unsigned_bin_size(s);
wolfSSL	0:d92f9d21154c	6544	int err;
wolfSSL	0:d92f9d21154c	6545
wolfSSL	0:d92f9d21154c	6546	if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
wolfSSL	0:d92f9d21154c	6547	headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
wolfSSL	0:d92f9d21154c	6548	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	6549
wolfSSL	0:d92f9d21154c	6550	idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out);
wolfSSL	0:d92f9d21154c	6551
wolfSSL	0:d92f9d21154c	6552	/* store r */
wolfSSL	0:d92f9d21154c	6553	out[idx++] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	6554	rSz = SetLength(rLen + rLeadingZero, &out[idx]);
wolfSSL	0:d92f9d21154c	6555	idx += rSz;
wolfSSL	0:d92f9d21154c	6556	if (rLeadingZero)
wolfSSL	0:d92f9d21154c	6557	out[idx++] = 0;
wolfSSL	0:d92f9d21154c	6558	err = mp_to_unsigned_bin(r, &out[idx]);
wolfSSL	0:d92f9d21154c	6559	if (err != MP_OKAY) return err;
wolfSSL	0:d92f9d21154c	6560	idx += rLen;
wolfSSL	0:d92f9d21154c	6561
wolfSSL	0:d92f9d21154c	6562	/* store s */
wolfSSL	0:d92f9d21154c	6563	out[idx++] = ASN_INTEGER;
wolfSSL	0:d92f9d21154c	6564	sSz = SetLength(sLen + sLeadingZero, &out[idx]);
wolfSSL	0:d92f9d21154c	6565	idx += sSz;
wolfSSL	0:d92f9d21154c	6566	if (sLeadingZero)
wolfSSL	0:d92f9d21154c	6567	out[idx++] = 0;
wolfSSL	0:d92f9d21154c	6568	err = mp_to_unsigned_bin(s, &out[idx]);
wolfSSL	0:d92f9d21154c	6569	if (err != MP_OKAY) return err;
wolfSSL	0:d92f9d21154c	6570	idx += sLen;
wolfSSL	0:d92f9d21154c	6571
wolfSSL	0:d92f9d21154c	6572	*outLen = idx;
wolfSSL	0:d92f9d21154c	6573
wolfSSL	0:d92f9d21154c	6574	return 0;
wolfSSL	0:d92f9d21154c	6575	}
wolfSSL	0:d92f9d21154c	6576
wolfSSL	0:d92f9d21154c	6577
wolfSSL	0:d92f9d21154c	6578	/* Der Decode ECC-DSA Signautre, r & s stored as big ints */
wolfSSL	0:d92f9d21154c	6579	int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
wolfSSL	0:d92f9d21154c	6580	{
wolfSSL	0:d92f9d21154c	6581	word32 idx = 0;
wolfSSL	0:d92f9d21154c	6582	int len = 0;
wolfSSL	0:d92f9d21154c	6583
wolfSSL	0:d92f9d21154c	6584	if (GetSequence(sig, &idx, &len, sigLen) < 0)
wolfSSL	0:d92f9d21154c	6585	return ASN_ECC_KEY_E;
wolfSSL	0:d92f9d21154c	6586
wolfSSL	0:d92f9d21154c	6587	if ((word32)len > (sigLen - idx))
wolfSSL	0:d92f9d21154c	6588	return ASN_ECC_KEY_E;
wolfSSL	0:d92f9d21154c	6589
wolfSSL	0:d92f9d21154c	6590	if (GetInt(r, sig, &idx, sigLen) < 0)
wolfSSL	0:d92f9d21154c	6591	return ASN_ECC_KEY_E;
wolfSSL	0:d92f9d21154c	6592
wolfSSL	0:d92f9d21154c	6593	if (GetInt(s, sig, &idx, sigLen) < 0)
wolfSSL	0:d92f9d21154c	6594	return ASN_ECC_KEY_E;
wolfSSL	0:d92f9d21154c	6595
wolfSSL	0:d92f9d21154c	6596	return 0;
wolfSSL	0:d92f9d21154c	6597	}
wolfSSL	0:d92f9d21154c	6598
wolfSSL	0:d92f9d21154c	6599
wolfSSL	0:d92f9d21154c	6600	int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
wolfSSL	0:d92f9d21154c	6601	word32 inSz)
wolfSSL	0:d92f9d21154c	6602	{
wolfSSL	0:d92f9d21154c	6603	word32 oid = 0;
wolfSSL	0:d92f9d21154c	6604	int version, length;
wolfSSL	0:d92f9d21154c	6605	int privSz, pubSz;
wolfSSL	0:d92f9d21154c	6606	byte b;
wolfSSL	0:d92f9d21154c	6607	int ret = 0;
wolfSSL	0:d92f9d21154c	6608	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6609	byte* priv;
wolfSSL	0:d92f9d21154c	6610	byte* pub;
wolfSSL	0:d92f9d21154c	6611	#else
wolfSSL	0:d92f9d21154c	6612	byte priv[ECC_MAXSIZE];
wolfSSL	0:d92f9d21154c	6613	byte pub[ECC_MAXSIZE * 2 + 1]; /* public key has two parts plus header */
wolfSSL	0:d92f9d21154c	6614	#endif
wolfSSL	0:d92f9d21154c	6615
wolfSSL	0:d92f9d21154c	6616	if (input == NULL \|\| inOutIdx == NULL \|\| key == NULL \|\| inSz == 0)
wolfSSL	0:d92f9d21154c	6617	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	6618
wolfSSL	0:d92f9d21154c	6619	if (GetSequence(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	6620	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6621
wolfSSL	0:d92f9d21154c	6622	if (GetMyVersion(input, inOutIdx, &version) < 0)
wolfSSL	0:d92f9d21154c	6623	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6624
wolfSSL	0:d92f9d21154c	6625	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6626	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6627
wolfSSL	0:d92f9d21154c	6628	/* priv type */
wolfSSL	0:d92f9d21154c	6629	if (b != 4 && b != 6 && b != 7)
wolfSSL	0:d92f9d21154c	6630	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6631
wolfSSL	0:d92f9d21154c	6632	if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	6633	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6634
wolfSSL	0:d92f9d21154c	6635	if (length > ECC_MAXSIZE)
wolfSSL	0:d92f9d21154c	6636	return BUFFER_E;
wolfSSL	0:d92f9d21154c	6637
wolfSSL	0:d92f9d21154c	6638	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6639	priv = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6640	if (priv == NULL)
wolfSSL	0:d92f9d21154c	6641	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6642
wolfSSL	0:d92f9d21154c	6643	pub = (byte)XMALLOC(ECC_MAXSIZE 2 + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6644	if (pub == NULL) {
wolfSSL	0:d92f9d21154c	6645	XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6646	return MEMORY_E;
wolfSSL	0:d92f9d21154c	6647	}
wolfSSL	0:d92f9d21154c	6648	#endif
wolfSSL	0:d92f9d21154c	6649
wolfSSL	0:d92f9d21154c	6650	/* priv key */
wolfSSL	0:d92f9d21154c	6651	privSz = length;
wolfSSL	0:d92f9d21154c	6652	XMEMCPY(priv, &input[*inOutIdx], privSz);
wolfSSL	0:d92f9d21154c	6653	*inOutIdx += length;
wolfSSL	0:d92f9d21154c	6654
wolfSSL	0:d92f9d21154c	6655	/* prefix 0, may have */
wolfSSL	0:d92f9d21154c	6656	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6657	if (b == ECC_PREFIX_0) {
wolfSSL	0:d92f9d21154c	6658	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6659
wolfSSL	0:d92f9d21154c	6660	if (GetLength(input, inOutIdx, &length, inSz) < 0)
wolfSSL	0:d92f9d21154c	6661	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6662	else {
wolfSSL	0:d92f9d21154c	6663	/* object id */
wolfSSL	0:d92f9d21154c	6664	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6665	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6666
wolfSSL	0:d92f9d21154c	6667	if (b != ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	6668	ret = ASN_OBJECT_ID_E;
wolfSSL	0:d92f9d21154c	6669	}
wolfSSL	0:d92f9d21154c	6670	else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL	0:d92f9d21154c	6671	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6672	}
wolfSSL	0:d92f9d21154c	6673	else {
wolfSSL	0:d92f9d21154c	6674	while(length--) {
wolfSSL	0:d92f9d21154c	6675	oid += input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6676	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6677	}
wolfSSL	0:d92f9d21154c	6678	if (CheckCurve(oid) < 0)
wolfSSL	0:d92f9d21154c	6679	ret = ECC_CURVE_OID_E;
wolfSSL	0:d92f9d21154c	6680	}
wolfSSL	0:d92f9d21154c	6681	}
wolfSSL	0:d92f9d21154c	6682	}
wolfSSL	0:d92f9d21154c	6683
wolfSSL	0:d92f9d21154c	6684	if (ret == 0) {
wolfSSL	0:d92f9d21154c	6685	/* prefix 1 */
wolfSSL	0:d92f9d21154c	6686	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6687	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6688
wolfSSL	0:d92f9d21154c	6689	if (b != ECC_PREFIX_1) {
wolfSSL	0:d92f9d21154c	6690	ret = ASN_ECC_KEY_E;
wolfSSL	0:d92f9d21154c	6691	}
wolfSSL	0:d92f9d21154c	6692	else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL	0:d92f9d21154c	6693	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6694	}
wolfSSL	0:d92f9d21154c	6695	else {
wolfSSL	0:d92f9d21154c	6696	/* key header */
wolfSSL	0:d92f9d21154c	6697	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6698	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6699
wolfSSL	0:d92f9d21154c	6700	if (b != ASN_BIT_STRING) {
wolfSSL	0:d92f9d21154c	6701	ret = ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	6702	}
wolfSSL	0:d92f9d21154c	6703	else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
wolfSSL	0:d92f9d21154c	6704	ret = ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6705	}
wolfSSL	0:d92f9d21154c	6706	else {
wolfSSL	0:d92f9d21154c	6707	b = input[*inOutIdx];
wolfSSL	0:d92f9d21154c	6708	*inOutIdx += 1;
wolfSSL	0:d92f9d21154c	6709
wolfSSL	0:d92f9d21154c	6710	if (b != 0x00) {
wolfSSL	0:d92f9d21154c	6711	ret = ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	6712	}
wolfSSL	0:d92f9d21154c	6713	else {
wolfSSL	0:d92f9d21154c	6714	/* pub key */
wolfSSL	0:d92f9d21154c	6715	pubSz = length - 1; /* null prefix */
wolfSSL	0:d92f9d21154c	6716	if (pubSz < (ECC_MAXSIZE*2 + 1)) {
wolfSSL	0:d92f9d21154c	6717	XMEMCPY(pub, &input[*inOutIdx], pubSz);
wolfSSL	0:d92f9d21154c	6718	*inOutIdx += length;
wolfSSL	0:d92f9d21154c	6719	ret = wc_ecc_import_private_key(priv, privSz, pub, pubSz,
wolfSSL	0:d92f9d21154c	6720	key);
wolfSSL	0:d92f9d21154c	6721	} else
wolfSSL	0:d92f9d21154c	6722	ret = BUFFER_E;
wolfSSL	0:d92f9d21154c	6723	}
wolfSSL	0:d92f9d21154c	6724	}
wolfSSL	0:d92f9d21154c	6725	}
wolfSSL	0:d92f9d21154c	6726	}
wolfSSL	0:d92f9d21154c	6727
wolfSSL	0:d92f9d21154c	6728	#ifdef WOLFSSL_SMALL_STACK
wolfSSL	0:d92f9d21154c	6729	XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6730	XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL	0:d92f9d21154c	6731	#endif
wolfSSL	0:d92f9d21154c	6732
wolfSSL	0:d92f9d21154c	6733	return ret;
wolfSSL	0:d92f9d21154c	6734	}
wolfSSL	0:d92f9d21154c	6735
wolfSSL	0:d92f9d21154c	6736
wolfSSL	0:d92f9d21154c	6737	#ifdef WOLFSSL_KEY_GEN
wolfSSL	0:d92f9d21154c	6738
wolfSSL	0:d92f9d21154c	6739	/* Write a Private ecc key to DER format, length on success else < 0 */
wolfSSL	0:d92f9d21154c	6740	int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
wolfSSL	0:d92f9d21154c	6741	{
wolfSSL	0:d92f9d21154c	6742	byte curve[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	6743	byte ver[MAX_VERSION_SZ];
wolfSSL	0:d92f9d21154c	6744	byte seq[MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	6745	int ret;
wolfSSL	0:d92f9d21154c	6746	int curveSz;
wolfSSL	0:d92f9d21154c	6747	int verSz;
wolfSSL	0:d92f9d21154c	6748	int privHdrSz = ASN_ECC_HEADER_SZ;
wolfSSL	0:d92f9d21154c	6749	int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ;
wolfSSL	0:d92f9d21154c	6750	int curveHdrSz = ASN_ECC_CONTEXT_SZ;
wolfSSL	0:d92f9d21154c	6751	word32 seqSz;
wolfSSL	0:d92f9d21154c	6752	word32 idx = 0;
wolfSSL	0:d92f9d21154c	6753	word32 pubSz = ECC_BUFSIZE;
wolfSSL	0:d92f9d21154c	6754	word32 privSz;
wolfSSL	0:d92f9d21154c	6755	word32 totalSz;
wolfSSL	0:d92f9d21154c	6756
wolfSSL	0:d92f9d21154c	6757	if (key == NULL \|\| output == NULL \|\| inLen == 0)
wolfSSL	0:d92f9d21154c	6758	return BAD_FUNC_ARG;
wolfSSL	0:d92f9d21154c	6759
wolfSSL	0:d92f9d21154c	6760	ret = wc_ecc_export_x963(key, NULL, &pubSz);
wolfSSL	0:d92f9d21154c	6761	if (ret != LENGTH_ONLY_E) {
wolfSSL	0:d92f9d21154c	6762	return ret;
wolfSSL	0:d92f9d21154c	6763	}
wolfSSL	0:d92f9d21154c	6764	curveSz = SetCurve(key, curve);
wolfSSL	0:d92f9d21154c	6765	if (curveSz < 0) {
wolfSSL	0:d92f9d21154c	6766	return curveSz;
wolfSSL	0:d92f9d21154c	6767	}
wolfSSL	0:d92f9d21154c	6768
wolfSSL	0:d92f9d21154c	6769	privSz = key->dp->size;
wolfSSL	0:d92f9d21154c	6770
wolfSSL	0:d92f9d21154c	6771	verSz = SetMyVersion(1, ver, FALSE);
wolfSSL	0:d92f9d21154c	6772	if (verSz < 0) {
wolfSSL	0:d92f9d21154c	6773	return verSz;
wolfSSL	0:d92f9d21154c	6774	}
wolfSSL	0:d92f9d21154c	6775
wolfSSL	0:d92f9d21154c	6776	totalSz = verSz + privSz + privHdrSz + curveSz + curveHdrSz +
wolfSSL	0:d92f9d21154c	6777	pubSz + pubHdrSz + 1; /* plus null byte b4 public */
wolfSSL	0:d92f9d21154c	6778	seqSz = SetSequence(totalSz, seq);
wolfSSL	0:d92f9d21154c	6779	totalSz += seqSz;
wolfSSL	0:d92f9d21154c	6780
wolfSSL	0:d92f9d21154c	6781	if (totalSz > inLen) {
wolfSSL	0:d92f9d21154c	6782	return BUFFER_E;
wolfSSL	0:d92f9d21154c	6783	}
wolfSSL	0:d92f9d21154c	6784
wolfSSL	0:d92f9d21154c	6785	/* write it out */
wolfSSL	0:d92f9d21154c	6786	/* seq */
wolfSSL	0:d92f9d21154c	6787	XMEMCPY(output + idx, seq, seqSz);
wolfSSL	0:d92f9d21154c	6788	idx += seqSz;
wolfSSL	0:d92f9d21154c	6789
wolfSSL	0:d92f9d21154c	6790	/* ver */
wolfSSL	0:d92f9d21154c	6791	XMEMCPY(output + idx, ver, verSz);
wolfSSL	0:d92f9d21154c	6792	idx += verSz;
wolfSSL	0:d92f9d21154c	6793
wolfSSL	0:d92f9d21154c	6794	/* private */
wolfSSL	0:d92f9d21154c	6795	output[idx++] = ASN_OCTET_STRING;
wolfSSL	0:d92f9d21154c	6796	output[idx++] = (byte)privSz;
wolfSSL	0:d92f9d21154c	6797	ret = wc_ecc_export_private_only(key, output + idx, &privSz);
wolfSSL	0:d92f9d21154c	6798	if (ret < 0) {
wolfSSL	0:d92f9d21154c	6799	return ret;
wolfSSL	0:d92f9d21154c	6800	}
wolfSSL	0:d92f9d21154c	6801	idx += privSz;
wolfSSL	0:d92f9d21154c	6802
wolfSSL	0:d92f9d21154c	6803	/* curve */
wolfSSL	0:d92f9d21154c	6804	output[idx++] = ECC_PREFIX_0;
wolfSSL	0:d92f9d21154c	6805	output[idx++] = (byte)curveSz;
wolfSSL	0:d92f9d21154c	6806	XMEMCPY(output + idx, curve, curveSz);
wolfSSL	0:d92f9d21154c	6807	idx += curveSz;
wolfSSL	0:d92f9d21154c	6808
wolfSSL	0:d92f9d21154c	6809	/* public */
wolfSSL	0:d92f9d21154c	6810	output[idx++] = ECC_PREFIX_1;
wolfSSL	0:d92f9d21154c	6811	output[idx++] = (byte)pubSz + ASN_ECC_CONTEXT_SZ + 1; /* plus null byte */
wolfSSL	0:d92f9d21154c	6812	output[idx++] = ASN_BIT_STRING;
wolfSSL	0:d92f9d21154c	6813	output[idx++] = (byte)pubSz + 1; /* plus null byte */
wolfSSL	0:d92f9d21154c	6814	output[idx++] = (byte)0; /* null byte */
wolfSSL	0:d92f9d21154c	6815	ret = wc_ecc_export_x963(key, output + idx, &pubSz);
wolfSSL	0:d92f9d21154c	6816	if (ret != 0) {
wolfSSL	0:d92f9d21154c	6817	return ret;
wolfSSL	0:d92f9d21154c	6818	}
wolfSSL	0:d92f9d21154c	6819	/* idx += pubSz if do more later */
wolfSSL	0:d92f9d21154c	6820
wolfSSL	0:d92f9d21154c	6821	return totalSz;
wolfSSL	0:d92f9d21154c	6822	}
wolfSSL	0:d92f9d21154c	6823
wolfSSL	0:d92f9d21154c	6824	#endif /* WOLFSSL_KEY_GEN */
wolfSSL	0:d92f9d21154c	6825
wolfSSL	0:d92f9d21154c	6826	#endif /* HAVE_ECC */
wolfSSL	0:d92f9d21154c	6827
wolfSSL	0:d92f9d21154c	6828
wolfSSL	0:d92f9d21154c	6829	#if defined(HAVE_OCSP) \|\| defined(HAVE_CRL)
wolfSSL	0:d92f9d21154c	6830
wolfSSL	0:d92f9d21154c	6831	/* Get raw Date only, no processing, 0 on success */
wolfSSL	0:d92f9d21154c	6832	static int GetBasicDate(const byte* source, word32* idx, byte* date,
wolfSSL	0:d92f9d21154c	6833	byte* format, int maxIdx)
wolfSSL	0:d92f9d21154c	6834	{
wolfSSL	0:d92f9d21154c	6835	int length;
wolfSSL	0:d92f9d21154c	6836
wolfSSL	0:d92f9d21154c	6837	WOLFSSL_ENTER("GetBasicDate");
wolfSSL	0:d92f9d21154c	6838
wolfSSL	0:d92f9d21154c	6839	format = source[idx];
wolfSSL	0:d92f9d21154c	6840	*idx += 1;
wolfSSL	0:d92f9d21154c	6841	if (format != ASN_UTC_TIME && format != ASN_GENERALIZED_TIME)
wolfSSL	0:d92f9d21154c	6842	return ASN_TIME_E;
wolfSSL	0:d92f9d21154c	6843
wolfSSL	0:d92f9d21154c	6844	if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	6845	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6846
wolfSSL	0:d92f9d21154c	6847	if (length > MAX_DATE_SIZE \|\| length < MIN_DATE_SIZE)
wolfSSL	0:d92f9d21154c	6848	return ASN_DATE_SZ_E;
wolfSSL	0:d92f9d21154c	6849
wolfSSL	0:d92f9d21154c	6850	XMEMCPY(date, &source[*idx], length);
wolfSSL	0:d92f9d21154c	6851	*idx += length;
wolfSSL	0:d92f9d21154c	6852
wolfSSL	0:d92f9d21154c	6853	return 0;
wolfSSL	0:d92f9d21154c	6854	}
wolfSSL	0:d92f9d21154c	6855
wolfSSL	0:d92f9d21154c	6856	#endif
wolfSSL	0:d92f9d21154c	6857
wolfSSL	0:d92f9d21154c	6858
wolfSSL	0:d92f9d21154c	6859	#ifdef HAVE_OCSP
wolfSSL	0:d92f9d21154c	6860
wolfSSL	0:d92f9d21154c	6861	static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
wolfSSL	0:d92f9d21154c	6862	{
wolfSSL	0:d92f9d21154c	6863	word32 idx = *inOutIdx;
wolfSSL	0:d92f9d21154c	6864	word32 len;
wolfSSL	0:d92f9d21154c	6865
wolfSSL	0:d92f9d21154c	6866	WOLFSSL_ENTER("GetEnumerated");
wolfSSL	0:d92f9d21154c	6867
wolfSSL	0:d92f9d21154c	6868	*value = 0;
wolfSSL	0:d92f9d21154c	6869
wolfSSL	0:d92f9d21154c	6870	if (input[idx++] != ASN_ENUMERATED)
wolfSSL	0:d92f9d21154c	6871	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6872
wolfSSL	0:d92f9d21154c	6873	len = input[idx++];
wolfSSL	0:d92f9d21154c	6874	if (len > 4)
wolfSSL	0:d92f9d21154c	6875	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6876
wolfSSL	0:d92f9d21154c	6877	while (len--) {
wolfSSL	0:d92f9d21154c	6878	value = value << 8 \| input[idx++];
wolfSSL	0:d92f9d21154c	6879	}
wolfSSL	0:d92f9d21154c	6880
wolfSSL	0:d92f9d21154c	6881	*inOutIdx = idx;
wolfSSL	0:d92f9d21154c	6882
wolfSSL	0:d92f9d21154c	6883	return *value;
wolfSSL	0:d92f9d21154c	6884	}
wolfSSL	0:d92f9d21154c	6885
wolfSSL	0:d92f9d21154c	6886
wolfSSL	0:d92f9d21154c	6887	static int DecodeSingleResponse(byte* source,
wolfSSL	0:d92f9d21154c	6888	word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL	0:d92f9d21154c	6889	{
wolfSSL	0:d92f9d21154c	6890	word32 idx = *ioIndex, prevIndex, oid;
wolfSSL	0:d92f9d21154c	6891	int length, wrapperSz;
wolfSSL	0:d92f9d21154c	6892	CertStatus* cs = resp->status;
wolfSSL	0:d92f9d21154c	6893
wolfSSL	0:d92f9d21154c	6894	WOLFSSL_ENTER("DecodeSingleResponse");
wolfSSL	0:d92f9d21154c	6895
wolfSSL	0:d92f9d21154c	6896	/* Outer wrapper of the SEQUENCE OF Single Responses. */
wolfSSL	0:d92f9d21154c	6897	if (GetSequence(source, &idx, &wrapperSz, size) < 0)
wolfSSL	0:d92f9d21154c	6898	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6899
wolfSSL	0:d92f9d21154c	6900	prevIndex = idx;
wolfSSL	0:d92f9d21154c	6901
wolfSSL	0:d92f9d21154c	6902	/* When making a request, we only request one status on one certificate
wolfSSL	0:d92f9d21154c	6903	* at a time. There should only be one SingleResponse */
wolfSSL	0:d92f9d21154c	6904
wolfSSL	0:d92f9d21154c	6905	/* Wrapper around the Single Response */
wolfSSL	0:d92f9d21154c	6906	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6907	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6908
wolfSSL	0:d92f9d21154c	6909	/* Wrapper around the CertID */
wolfSSL	0:d92f9d21154c	6910	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6911	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6912	/* Skip the hash algorithm */
wolfSSL	0:d92f9d21154c	6913	if (GetAlgoId(source, &idx, &oid, size) < 0)
wolfSSL	0:d92f9d21154c	6914	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6915	/* Save reference to the hash of CN */
wolfSSL	0:d92f9d21154c	6916	if (source[idx++] != ASN_OCTET_STRING)
wolfSSL	0:d92f9d21154c	6917	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6918	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6919	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6920	resp->issuerHash = source + idx;
wolfSSL	0:d92f9d21154c	6921	idx += length;
wolfSSL	0:d92f9d21154c	6922	/* Save reference to the hash of the issuer public key */
wolfSSL	0:d92f9d21154c	6923	if (source[idx++] != ASN_OCTET_STRING)
wolfSSL	0:d92f9d21154c	6924	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6925	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6926	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6927	resp->issuerKeyHash = source + idx;
wolfSSL	0:d92f9d21154c	6928	idx += length;
wolfSSL	0:d92f9d21154c	6929
wolfSSL	0:d92f9d21154c	6930	/* Read the serial number, it is handled as a string, not as a
wolfSSL	0:d92f9d21154c	6931	* proper number. Just XMEMCPY the data over, rather than load it
wolfSSL	0:d92f9d21154c	6932	* as an mp_int. */
wolfSSL	0:d92f9d21154c	6933	if (source[idx++] != ASN_INTEGER)
wolfSSL	0:d92f9d21154c	6934	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6935	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6936	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6937	if (length <= EXTERNAL_SERIAL_SIZE)
wolfSSL	0:d92f9d21154c	6938	{
wolfSSL	0:d92f9d21154c	6939	if (source[idx] == 0)
wolfSSL	0:d92f9d21154c	6940	{
wolfSSL	0:d92f9d21154c	6941	idx++;
wolfSSL	0:d92f9d21154c	6942	length--;
wolfSSL	0:d92f9d21154c	6943	}
wolfSSL	0:d92f9d21154c	6944	XMEMCPY(cs->serial, source + idx, length);
wolfSSL	0:d92f9d21154c	6945	cs->serialSz = length;
wolfSSL	0:d92f9d21154c	6946	}
wolfSSL	0:d92f9d21154c	6947	else
wolfSSL	0:d92f9d21154c	6948	{
wolfSSL	0:d92f9d21154c	6949	return ASN_GETINT_E;
wolfSSL	0:d92f9d21154c	6950	}
wolfSSL	0:d92f9d21154c	6951	idx += length;
wolfSSL	0:d92f9d21154c	6952
wolfSSL	0:d92f9d21154c	6953	/* CertStatus */
wolfSSL	0:d92f9d21154c	6954	switch (source[idx++])
wolfSSL	0:d92f9d21154c	6955	{
wolfSSL	0:d92f9d21154c	6956	case (ASN_CONTEXT_SPECIFIC \| CERT_GOOD):
wolfSSL	0:d92f9d21154c	6957	cs->status = CERT_GOOD;
wolfSSL	0:d92f9d21154c	6958	idx++;
wolfSSL	0:d92f9d21154c	6959	break;
wolfSSL	0:d92f9d21154c	6960	case (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| CERT_REVOKED):
wolfSSL	0:d92f9d21154c	6961	cs->status = CERT_REVOKED;
wolfSSL	0:d92f9d21154c	6962	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6963	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6964	idx += length;
wolfSSL	0:d92f9d21154c	6965	break;
wolfSSL	0:d92f9d21154c	6966	case (ASN_CONTEXT_SPECIFIC \| CERT_UNKNOWN):
wolfSSL	0:d92f9d21154c	6967	cs->status = CERT_UNKNOWN;
wolfSSL	0:d92f9d21154c	6968	idx++;
wolfSSL	0:d92f9d21154c	6969	break;
wolfSSL	0:d92f9d21154c	6970	default:
wolfSSL	0:d92f9d21154c	6971	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6972	}
wolfSSL	0:d92f9d21154c	6973
wolfSSL	0:d92f9d21154c	6974	if (GetBasicDate(source, &idx, cs->thisDate,
wolfSSL	0:d92f9d21154c	6975	&cs->thisDateFormat, size) < 0)
wolfSSL	0:d92f9d21154c	6976	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6977	if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
wolfSSL	0:d92f9d21154c	6978	return ASN_BEFORE_DATE_E;
wolfSSL	0:d92f9d21154c	6979
wolfSSL	0:d92f9d21154c	6980	/* The following items are optional. Only check for them if there is more
wolfSSL	0:d92f9d21154c	6981	* unprocessed data in the singleResponse wrapper. */
wolfSSL	0:d92f9d21154c	6982
wolfSSL	0:d92f9d21154c	6983	if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL	0:d92f9d21154c	6984	(source[idx] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 0)))
wolfSSL	0:d92f9d21154c	6985	{
wolfSSL	0:d92f9d21154c	6986	idx++;
wolfSSL	0:d92f9d21154c	6987	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6988	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6989	if (GetBasicDate(source, &idx, cs->nextDate,
wolfSSL	0:d92f9d21154c	6990	&cs->nextDateFormat, size) < 0)
wolfSSL	0:d92f9d21154c	6991	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6992	}
wolfSSL	0:d92f9d21154c	6993	if (((int)(idx - prevIndex) < wrapperSz) &&
wolfSSL	0:d92f9d21154c	6994	(source[idx] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 1)))
wolfSSL	0:d92f9d21154c	6995	{
wolfSSL	0:d92f9d21154c	6996	idx++;
wolfSSL	0:d92f9d21154c	6997	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	6998	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	6999	idx += length;
wolfSSL	0:d92f9d21154c	7000	}
wolfSSL	0:d92f9d21154c	7001
wolfSSL	0:d92f9d21154c	7002	*ioIndex = idx;
wolfSSL	0:d92f9d21154c	7003
wolfSSL	0:d92f9d21154c	7004	return 0;
wolfSSL	0:d92f9d21154c	7005	}
wolfSSL	0:d92f9d21154c	7006
wolfSSL	0:d92f9d21154c	7007	static int DecodeOcspRespExtensions(byte* source,
wolfSSL	0:d92f9d21154c	7008	word32* ioIndex, OcspResponse* resp, word32 sz)
wolfSSL	0:d92f9d21154c	7009	{
wolfSSL	0:d92f9d21154c	7010	word32 idx = *ioIndex;
wolfSSL	0:d92f9d21154c	7011	int length;
wolfSSL	0:d92f9d21154c	7012	int ext_bound; /* boundary index for the sequence of extensions */
wolfSSL	0:d92f9d21154c	7013	word32 oid;
wolfSSL	0:d92f9d21154c	7014
wolfSSL	0:d92f9d21154c	7015	WOLFSSL_ENTER("DecodeOcspRespExtensions");
wolfSSL	0:d92f9d21154c	7016
wolfSSL	0:d92f9d21154c	7017	if (source[idx++] != (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 1))
wolfSSL	0:d92f9d21154c	7018	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7019
wolfSSL	0:d92f9d21154c	7020	if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7021
wolfSSL	0:d92f9d21154c	7022	if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7023
wolfSSL	0:d92f9d21154c	7024	ext_bound = idx + length;
wolfSSL	0:d92f9d21154c	7025
wolfSSL	0:d92f9d21154c	7026	while (idx < (word32)ext_bound) {
wolfSSL	0:d92f9d21154c	7027	if (GetSequence(source, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	7028	WOLFSSL_MSG("\tfail: should be a SEQUENCE");
wolfSSL	0:d92f9d21154c	7029	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7030	}
wolfSSL	0:d92f9d21154c	7031
wolfSSL	0:d92f9d21154c	7032	oid = 0;
wolfSSL	0:d92f9d21154c	7033	if (GetObjectId(source, &idx, &oid, sz) < 0) {
wolfSSL	0:d92f9d21154c	7034	WOLFSSL_MSG("\tfail: OBJECT ID");
wolfSSL	0:d92f9d21154c	7035	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7036	}
wolfSSL	0:d92f9d21154c	7037
wolfSSL	0:d92f9d21154c	7038	/* check for critical flag */
wolfSSL	0:d92f9d21154c	7039	if (source[idx] == ASN_BOOLEAN) {
wolfSSL	0:d92f9d21154c	7040	WOLFSSL_MSG("\tfound optional critical flag, moving past");
wolfSSL	0:d92f9d21154c	7041	idx += (ASN_BOOL_SIZE + 1);
wolfSSL	0:d92f9d21154c	7042	}
wolfSSL	0:d92f9d21154c	7043
wolfSSL	0:d92f9d21154c	7044	/* process the extension based on the OID */
wolfSSL	0:d92f9d21154c	7045	if (source[idx++] != ASN_OCTET_STRING) {
wolfSSL	0:d92f9d21154c	7046	WOLFSSL_MSG("\tfail: should be an OCTET STRING");
wolfSSL	0:d92f9d21154c	7047	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7048	}
wolfSSL	0:d92f9d21154c	7049
wolfSSL	0:d92f9d21154c	7050	if (GetLength(source, &idx, &length, sz) < 0) {
wolfSSL	0:d92f9d21154c	7051	WOLFSSL_MSG("\tfail: extension data length");
wolfSSL	0:d92f9d21154c	7052	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7053	}
wolfSSL	0:d92f9d21154c	7054
wolfSSL	0:d92f9d21154c	7055	if (oid == OCSP_NONCE_OID) {
wolfSSL	0:d92f9d21154c	7056	resp->nonce = source + idx;
wolfSSL	0:d92f9d21154c	7057	resp->nonceSz = length;
wolfSSL	0:d92f9d21154c	7058	}
wolfSSL	0:d92f9d21154c	7059
wolfSSL	0:d92f9d21154c	7060	idx += length;
wolfSSL	0:d92f9d21154c	7061	}
wolfSSL	0:d92f9d21154c	7062
wolfSSL	0:d92f9d21154c	7063	*ioIndex = idx;
wolfSSL	0:d92f9d21154c	7064	return 0;
wolfSSL	0:d92f9d21154c	7065	}
wolfSSL	0:d92f9d21154c	7066
wolfSSL	0:d92f9d21154c	7067
wolfSSL	0:d92f9d21154c	7068	static int DecodeResponseData(byte* source,
wolfSSL	0:d92f9d21154c	7069	word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL	0:d92f9d21154c	7070	{
wolfSSL	0:d92f9d21154c	7071	word32 idx = *ioIndex, prev_idx;
wolfSSL	0:d92f9d21154c	7072	int length;
wolfSSL	0:d92f9d21154c	7073	int version;
wolfSSL	0:d92f9d21154c	7074	word32 responderId = 0;
wolfSSL	0:d92f9d21154c	7075
wolfSSL	0:d92f9d21154c	7076	WOLFSSL_ENTER("DecodeResponseData");
wolfSSL	0:d92f9d21154c	7077
wolfSSL	0:d92f9d21154c	7078	resp->response = source + idx;
wolfSSL	0:d92f9d21154c	7079	prev_idx = idx;
wolfSSL	0:d92f9d21154c	7080	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7081	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7082	resp->responseSz = length + idx - prev_idx;
wolfSSL	0:d92f9d21154c	7083
wolfSSL	0:d92f9d21154c	7084	/* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
wolfSSL	0:d92f9d21154c	7085	* item isn't an EXPLICIT[0], then set version to zero and move
wolfSSL	0:d92f9d21154c	7086	* onto the next item.
wolfSSL	0:d92f9d21154c	7087	*/
wolfSSL	0:d92f9d21154c	7088	if (source[idx] == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED))
wolfSSL	0:d92f9d21154c	7089	{
wolfSSL	0:d92f9d21154c	7090	idx += 2; /* Eat the value and length */
wolfSSL	0:d92f9d21154c	7091	if (GetMyVersion(source, &idx, &version) < 0)
wolfSSL	0:d92f9d21154c	7092	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7093	} else
wolfSSL	0:d92f9d21154c	7094	version = 0;
wolfSSL	0:d92f9d21154c	7095
wolfSSL	0:d92f9d21154c	7096	responderId = source[idx++];
wolfSSL	0:d92f9d21154c	7097	if ((responderId == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| 1)) \|\|
wolfSSL	0:d92f9d21154c	7098	(responderId == (ASN_CONTEXT_SPECIFIC \| ASN_CONSTRUCTED \| 2)))
wolfSSL	0:d92f9d21154c	7099	{
wolfSSL	0:d92f9d21154c	7100	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7101	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7102	idx += length;
wolfSSL	0:d92f9d21154c	7103	}
wolfSSL	0:d92f9d21154c	7104	else
wolfSSL	0:d92f9d21154c	7105	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7106
wolfSSL	0:d92f9d21154c	7107	/* save pointer to the producedAt time */
wolfSSL	0:d92f9d21154c	7108	if (GetBasicDate(source, &idx, resp->producedDate,
wolfSSL	0:d92f9d21154c	7109	&resp->producedDateFormat, size) < 0)
wolfSSL	0:d92f9d21154c	7110	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7111
wolfSSL	0:d92f9d21154c	7112	if (DecodeSingleResponse(source, &idx, resp, size) < 0)
wolfSSL	0:d92f9d21154c	7113	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7114
wolfSSL	0:d92f9d21154c	7115	if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
wolfSSL	0:d92f9d21154c	7116	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7117
wolfSSL	0:d92f9d21154c	7118	*ioIndex = idx;
wolfSSL	0:d92f9d21154c	7119	return 0;
wolfSSL	0:d92f9d21154c	7120	}
wolfSSL	0:d92f9d21154c	7121
wolfSSL	0:d92f9d21154c	7122
wolfSSL	0:d92f9d21154c	7123	static int DecodeCerts(byte* source,
wolfSSL	0:d92f9d21154c	7124	word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL	0:d92f9d21154c	7125	{
wolfSSL	0:d92f9d21154c	7126	word32 idx = *ioIndex;
wolfSSL	0:d92f9d21154c	7127
wolfSSL	0:d92f9d21154c	7128	WOLFSSL_ENTER("DecodeCerts");
wolfSSL	0:d92f9d21154c	7129
wolfSSL	0:d92f9d21154c	7130	if (source[idx++] == (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC))
wolfSSL	0:d92f9d21154c	7131	{
wolfSSL	0:d92f9d21154c	7132	int length;
wolfSSL	0:d92f9d21154c	7133
wolfSSL	0:d92f9d21154c	7134	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7135	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7136
wolfSSL	0:d92f9d21154c	7137	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7138	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7139
wolfSSL	0:d92f9d21154c	7140	resp->cert = source + idx;
wolfSSL	0:d92f9d21154c	7141	resp->certSz = length;
wolfSSL	0:d92f9d21154c	7142
wolfSSL	0:d92f9d21154c	7143	idx += length;
wolfSSL	0:d92f9d21154c	7144	}
wolfSSL	0:d92f9d21154c	7145	*ioIndex = idx;
wolfSSL	0:d92f9d21154c	7146	return 0;
wolfSSL	0:d92f9d21154c	7147	}
wolfSSL	0:d92f9d21154c	7148
wolfSSL	0:d92f9d21154c	7149	static int DecodeBasicOcspResponse(byte* source,
wolfSSL	0:d92f9d21154c	7150	word32* ioIndex, OcspResponse* resp, word32 size)
wolfSSL	0:d92f9d21154c	7151	{
wolfSSL	0:d92f9d21154c	7152	int length;
wolfSSL	0:d92f9d21154c	7153	word32 idx = *ioIndex;
wolfSSL	0:d92f9d21154c	7154	word32 end_index;
wolfSSL	0:d92f9d21154c	7155
wolfSSL	0:d92f9d21154c	7156	WOLFSSL_ENTER("DecodeBasicOcspResponse");
wolfSSL	0:d92f9d21154c	7157
wolfSSL	0:d92f9d21154c	7158	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7159	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7160
wolfSSL	0:d92f9d21154c	7161	if (idx + length > size)
wolfSSL	0:d92f9d21154c	7162	return ASN_INPUT_E;
wolfSSL	0:d92f9d21154c	7163	end_index = idx + length;
wolfSSL	0:d92f9d21154c	7164
wolfSSL	0:d92f9d21154c	7165	if (DecodeResponseData(source, &idx, resp, size) < 0)
wolfSSL	0:d92f9d21154c	7166	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7167
wolfSSL	0:d92f9d21154c	7168	/* Get the signature algorithm */
wolfSSL	0:d92f9d21154c	7169	if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0)
wolfSSL	0:d92f9d21154c	7170	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7171
wolfSSL	0:d92f9d21154c	7172	/* Obtain pointer to the start of the signature, and save the size */
wolfSSL	0:d92f9d21154c	7173	if (source[idx++] == ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	7174	{
wolfSSL	0:d92f9d21154c	7175	int sigLength = 0;
wolfSSL	0:d92f9d21154c	7176	if (GetLength(source, &idx, &sigLength, size) < 0)
wolfSSL	0:d92f9d21154c	7177	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7178	resp->sigSz = sigLength;
wolfSSL	0:d92f9d21154c	7179	resp->sig = source + idx;
wolfSSL	0:d92f9d21154c	7180	idx += sigLength;
wolfSSL	0:d92f9d21154c	7181	}
wolfSSL	0:d92f9d21154c	7182
wolfSSL	0:d92f9d21154c	7183	/*
wolfSSL	0:d92f9d21154c	7184	* Check the length of the BasicOcspResponse against the current index to
wolfSSL	0:d92f9d21154c	7185	* see if there are certificates, they are optional.
wolfSSL	0:d92f9d21154c	7186	*/
wolfSSL	0:d92f9d21154c	7187	if (idx < end_index)
wolfSSL	0:d92f9d21154c	7188	{
wolfSSL	0:d92f9d21154c	7189	DecodedCert cert;
wolfSSL	0:d92f9d21154c	7190	int ret;
wolfSSL	0:d92f9d21154c	7191
wolfSSL	0:d92f9d21154c	7192	if (DecodeCerts(source, &idx, resp, size) < 0)
wolfSSL	0:d92f9d21154c	7193	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7194
wolfSSL	0:d92f9d21154c	7195	InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
wolfSSL	0:d92f9d21154c	7196	ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0);
wolfSSL	0:d92f9d21154c	7197	if (ret < 0)
wolfSSL	0:d92f9d21154c	7198	return ret;
wolfSSL	0:d92f9d21154c	7199
wolfSSL	0:d92f9d21154c	7200	ret = ConfirmSignature(resp->response, resp->responseSz,
wolfSSL	0:d92f9d21154c	7201	cert.publicKey, cert.pubKeySize, cert.keyOID,
wolfSSL	0:d92f9d21154c	7202	resp->sig, resp->sigSz, resp->sigOID, NULL);
wolfSSL	0:d92f9d21154c	7203	FreeDecodedCert(&cert);
wolfSSL	0:d92f9d21154c	7204
wolfSSL	0:d92f9d21154c	7205	if (ret == 0)
wolfSSL	0:d92f9d21154c	7206	{
wolfSSL	0:d92f9d21154c	7207	WOLFSSL_MSG("\tOCSP Confirm signature failed");
wolfSSL	0:d92f9d21154c	7208	return ASN_OCSP_CONFIRM_E;
wolfSSL	0:d92f9d21154c	7209	}
wolfSSL	0:d92f9d21154c	7210	}
wolfSSL	0:d92f9d21154c	7211
wolfSSL	0:d92f9d21154c	7212	*ioIndex = idx;
wolfSSL	0:d92f9d21154c	7213	return 0;
wolfSSL	0:d92f9d21154c	7214	}
wolfSSL	0:d92f9d21154c	7215
wolfSSL	0:d92f9d21154c	7216
wolfSSL	0:d92f9d21154c	7217	void InitOcspResponse(OcspResponse* resp, CertStatus* status,
wolfSSL	0:d92f9d21154c	7218	byte* source, word32 inSz)
wolfSSL	0:d92f9d21154c	7219	{
wolfSSL	0:d92f9d21154c	7220	WOLFSSL_ENTER("InitOcspResponse");
wolfSSL	0:d92f9d21154c	7221
wolfSSL	0:d92f9d21154c	7222	resp->responseStatus = -1;
wolfSSL	0:d92f9d21154c	7223	resp->response = NULL;
wolfSSL	0:d92f9d21154c	7224	resp->responseSz = 0;
wolfSSL	0:d92f9d21154c	7225	resp->producedDateFormat = 0;
wolfSSL	0:d92f9d21154c	7226	resp->issuerHash = NULL;
wolfSSL	0:d92f9d21154c	7227	resp->issuerKeyHash = NULL;
wolfSSL	0:d92f9d21154c	7228	resp->sig = NULL;
wolfSSL	0:d92f9d21154c	7229	resp->sigSz = 0;
wolfSSL	0:d92f9d21154c	7230	resp->sigOID = 0;
wolfSSL	0:d92f9d21154c	7231	resp->status = status;
wolfSSL	0:d92f9d21154c	7232	resp->nonce = NULL;
wolfSSL	0:d92f9d21154c	7233	resp->nonceSz = 0;
wolfSSL	0:d92f9d21154c	7234	resp->source = source;
wolfSSL	0:d92f9d21154c	7235	resp->maxIdx = inSz;
wolfSSL	0:d92f9d21154c	7236	}
wolfSSL	0:d92f9d21154c	7237
wolfSSL	0:d92f9d21154c	7238
wolfSSL	0:d92f9d21154c	7239	int OcspResponseDecode(OcspResponse* resp)
wolfSSL	0:d92f9d21154c	7240	{
wolfSSL	0:d92f9d21154c	7241	int length = 0;
wolfSSL	0:d92f9d21154c	7242	word32 idx = 0;
wolfSSL	0:d92f9d21154c	7243	byte* source = resp->source;
wolfSSL	0:d92f9d21154c	7244	word32 size = resp->maxIdx;
wolfSSL	0:d92f9d21154c	7245	word32 oid;
wolfSSL	0:d92f9d21154c	7246
wolfSSL	0:d92f9d21154c	7247	WOLFSSL_ENTER("OcspResponseDecode");
wolfSSL	0:d92f9d21154c	7248
wolfSSL	0:d92f9d21154c	7249	/* peel the outer SEQUENCE wrapper */
wolfSSL	0:d92f9d21154c	7250	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7251	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7252
wolfSSL	0:d92f9d21154c	7253	/* First get the responseStatus, an ENUMERATED */
wolfSSL	0:d92f9d21154c	7254	if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
wolfSSL	0:d92f9d21154c	7255	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7256
wolfSSL	0:d92f9d21154c	7257	if (resp->responseStatus != OCSP_SUCCESSFUL)
wolfSSL	0:d92f9d21154c	7258	return 0;
wolfSSL	0:d92f9d21154c	7259
wolfSSL	0:d92f9d21154c	7260	/* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
wolfSSL	0:d92f9d21154c	7261	if (idx >= size)
wolfSSL	0:d92f9d21154c	7262	return ASN_INPUT_E;
wolfSSL	0:d92f9d21154c	7263	if (source[idx++] != (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC))
wolfSSL	0:d92f9d21154c	7264	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7265	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7266	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7267
wolfSSL	0:d92f9d21154c	7268	/* Get the responseBytes SEQUENCE */
wolfSSL	0:d92f9d21154c	7269	if (GetSequence(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7270	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7271
wolfSSL	0:d92f9d21154c	7272	/* Check ObjectID for the resposeBytes */
wolfSSL	0:d92f9d21154c	7273	if (GetObjectId(source, &idx, &oid, size) < 0)
wolfSSL	0:d92f9d21154c	7274	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7275	if (oid != OCSP_BASIC_OID)
wolfSSL	0:d92f9d21154c	7276	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7277	if (source[idx++] != ASN_OCTET_STRING)
wolfSSL	0:d92f9d21154c	7278	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7279
wolfSSL	0:d92f9d21154c	7280	if (GetLength(source, &idx, &length, size) < 0)
wolfSSL	0:d92f9d21154c	7281	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7282
wolfSSL	0:d92f9d21154c	7283	if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
wolfSSL	0:d92f9d21154c	7284	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7285
wolfSSL	0:d92f9d21154c	7286	return 0;
wolfSSL	0:d92f9d21154c	7287	}
wolfSSL	0:d92f9d21154c	7288
wolfSSL	0:d92f9d21154c	7289
wolfSSL	0:d92f9d21154c	7290	static word32 SetOcspReqExtensions(word32 extSz, byte* output,
wolfSSL	0:d92f9d21154c	7291	const byte* nonce, word32 nonceSz)
wolfSSL	0:d92f9d21154c	7292	{
wolfSSL	0:d92f9d21154c	7293	static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
wolfSSL	0:d92f9d21154c	7294	0x30, 0x01, 0x02 };
wolfSSL	0:d92f9d21154c	7295	byte seqArray[5][MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	7296	word32 seqSz[5], totalSz;
wolfSSL	0:d92f9d21154c	7297
wolfSSL	0:d92f9d21154c	7298	WOLFSSL_ENTER("SetOcspReqExtensions");
wolfSSL	0:d92f9d21154c	7299
wolfSSL	0:d92f9d21154c	7300	if (nonce == NULL \|\| nonceSz == 0) return 0;
wolfSSL	0:d92f9d21154c	7301
wolfSSL	0:d92f9d21154c	7302	seqArray[0][0] = ASN_OCTET_STRING;
wolfSSL	0:d92f9d21154c	7303	seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]);
wolfSSL	0:d92f9d21154c	7304
wolfSSL	0:d92f9d21154c	7305	seqArray[1][0] = ASN_OBJECT_ID;
wolfSSL	0:d92f9d21154c	7306	seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]);
wolfSSL	0:d92f9d21154c	7307
wolfSSL	0:d92f9d21154c	7308	totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId);
wolfSSL	0:d92f9d21154c	7309
wolfSSL	0:d92f9d21154c	7310	seqSz[2] = SetSequence(totalSz, seqArray[2]);
wolfSSL	0:d92f9d21154c	7311	totalSz += seqSz[2];
wolfSSL	0:d92f9d21154c	7312
wolfSSL	0:d92f9d21154c	7313	seqSz[3] = SetSequence(totalSz, seqArray[3]);
wolfSSL	0:d92f9d21154c	7314	totalSz += seqSz[3];
wolfSSL	0:d92f9d21154c	7315
wolfSSL	0:d92f9d21154c	7316	seqArray[4][0] = (ASN_CONSTRUCTED \| ASN_CONTEXT_SPECIFIC \| 2);
wolfSSL	0:d92f9d21154c	7317	seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]);
wolfSSL	0:d92f9d21154c	7318	totalSz += seqSz[4];
wolfSSL	0:d92f9d21154c	7319
wolfSSL	0:d92f9d21154c	7320	if (totalSz < extSz)
wolfSSL	0:d92f9d21154c	7321	{
wolfSSL	0:d92f9d21154c	7322	totalSz = 0;
wolfSSL	0:d92f9d21154c	7323	XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
wolfSSL	0:d92f9d21154c	7324	totalSz += seqSz[4];
wolfSSL	0:d92f9d21154c	7325	XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
wolfSSL	0:d92f9d21154c	7326	totalSz += seqSz[3];
wolfSSL	0:d92f9d21154c	7327	XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
wolfSSL	0:d92f9d21154c	7328	totalSz += seqSz[2];
wolfSSL	0:d92f9d21154c	7329	XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
wolfSSL	0:d92f9d21154c	7330	totalSz += seqSz[1];
wolfSSL	0:d92f9d21154c	7331	XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
wolfSSL	0:d92f9d21154c	7332	totalSz += (word32)sizeof(NonceObjId);
wolfSSL	0:d92f9d21154c	7333	XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
wolfSSL	0:d92f9d21154c	7334	totalSz += seqSz[0];
wolfSSL	0:d92f9d21154c	7335	XMEMCPY(output + totalSz, nonce, nonceSz);
wolfSSL	0:d92f9d21154c	7336	totalSz += nonceSz;
wolfSSL	0:d92f9d21154c	7337	}
wolfSSL	0:d92f9d21154c	7338
wolfSSL	0:d92f9d21154c	7339	return totalSz;
wolfSSL	0:d92f9d21154c	7340	}
wolfSSL	0:d92f9d21154c	7341
wolfSSL	0:d92f9d21154c	7342
wolfSSL	0:d92f9d21154c	7343	int EncodeOcspRequest(OcspRequest* req)
wolfSSL	0:d92f9d21154c	7344	{
wolfSSL	0:d92f9d21154c	7345	byte seqArray[5][MAX_SEQ_SZ];
wolfSSL	0:d92f9d21154c	7346	/* The ASN.1 of the OCSP Request is an onion of sequences */
wolfSSL	0:d92f9d21154c	7347	byte algoArray[MAX_ALGO_SZ];
wolfSSL	0:d92f9d21154c	7348	byte issuerArray[MAX_ENCODED_DIG_SZ];
wolfSSL	0:d92f9d21154c	7349	byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
wolfSSL	0:d92f9d21154c	7350	byte snArray[MAX_SN_SZ];
wolfSSL	0:d92f9d21154c	7351	byte extArray[MAX_OCSP_EXT_SZ];
wolfSSL	0:d92f9d21154c	7352	byte* output = req->dest;
wolfSSL	0:d92f9d21154c	7353	word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
wolfSSL	0:d92f9d21154c	7354	int i;
wolfSSL	0:d92f9d21154c	7355
wolfSSL	0:d92f9d21154c	7356	WOLFSSL_ENTER("EncodeOcspRequest");
wolfSSL	0:d92f9d21154c	7357
wolfSSL	0:d92f9d21154c	7358	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	7359	algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0);
wolfSSL	0:d92f9d21154c	7360	#else
wolfSSL	0:d92f9d21154c	7361	algoSz = SetAlgoID(SHAh, algoArray, hashType, 0);
wolfSSL	0:d92f9d21154c	7362	#endif
wolfSSL	0:d92f9d21154c	7363
wolfSSL	0:d92f9d21154c	7364	req->issuerHash = req->cert->issuerHash;
wolfSSL	0:d92f9d21154c	7365	issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray);
wolfSSL	0:d92f9d21154c	7366
wolfSSL	0:d92f9d21154c	7367	req->issuerKeyHash = req->cert->issuerKeyHash;
wolfSSL	0:d92f9d21154c	7368	issuerKeySz = SetDigest(req->cert->issuerKeyHash,
wolfSSL	0:d92f9d21154c	7369	KEYID_SIZE, issuerKeyArray);
wolfSSL	0:d92f9d21154c	7370
wolfSSL	0:d92f9d21154c	7371	req->serial = req->cert->serial;
wolfSSL	0:d92f9d21154c	7372	req->serialSz = req->cert->serialSz;
wolfSSL	0:d92f9d21154c	7373	snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray);
wolfSSL	0:d92f9d21154c	7374
wolfSSL	0:d92f9d21154c	7375	extSz = 0;
wolfSSL	0:d92f9d21154c	7376	if (req->useNonce) {
wolfSSL	0:d92f9d21154c	7377	RNG rng;
wolfSSL	0:d92f9d21154c	7378	if (wc_InitRng(&rng) != 0) {
wolfSSL	0:d92f9d21154c	7379	WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
wolfSSL	0:d92f9d21154c	7380	} else {
wolfSSL	0:d92f9d21154c	7381	if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
wolfSSL	0:d92f9d21154c	7382	WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
wolfSSL	0:d92f9d21154c	7383	else {
wolfSSL	0:d92f9d21154c	7384	req->nonceSz = MAX_OCSP_NONCE_SZ;
wolfSSL	0:d92f9d21154c	7385	extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray,
wolfSSL	0:d92f9d21154c	7386	req->nonce, req->nonceSz);
wolfSSL	0:d92f9d21154c	7387	}
wolfSSL	0:d92f9d21154c	7388	wc_FreeRng(&rng);
wolfSSL	0:d92f9d21154c	7389	}
wolfSSL	0:d92f9d21154c	7390	}
wolfSSL	0:d92f9d21154c	7391
wolfSSL	0:d92f9d21154c	7392	totalSz = algoSz + issuerSz + issuerKeySz + snSz;
wolfSSL	0:d92f9d21154c	7393
wolfSSL	0:d92f9d21154c	7394	for (i = 4; i >= 0; i--) {
wolfSSL	0:d92f9d21154c	7395	seqSz[i] = SetSequence(totalSz, seqArray[i]);
wolfSSL	0:d92f9d21154c	7396	totalSz += seqSz[i];
wolfSSL	0:d92f9d21154c	7397	if (i == 2) totalSz += extSz;
wolfSSL	0:d92f9d21154c	7398	}
wolfSSL	0:d92f9d21154c	7399	totalSz = 0;
wolfSSL	0:d92f9d21154c	7400	for (i = 0; i < 5; i++) {
wolfSSL	0:d92f9d21154c	7401	XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
wolfSSL	0:d92f9d21154c	7402	totalSz += seqSz[i];
wolfSSL	0:d92f9d21154c	7403	}
wolfSSL	0:d92f9d21154c	7404	XMEMCPY(output + totalSz, algoArray, algoSz);
wolfSSL	0:d92f9d21154c	7405	totalSz += algoSz;
wolfSSL	0:d92f9d21154c	7406	XMEMCPY(output + totalSz, issuerArray, issuerSz);
wolfSSL	0:d92f9d21154c	7407	totalSz += issuerSz;
wolfSSL	0:d92f9d21154c	7408	XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
wolfSSL	0:d92f9d21154c	7409	totalSz += issuerKeySz;
wolfSSL	0:d92f9d21154c	7410	XMEMCPY(output + totalSz, snArray, snSz);
wolfSSL	0:d92f9d21154c	7411	totalSz += snSz;
wolfSSL	0:d92f9d21154c	7412	if (extSz != 0) {
wolfSSL	0:d92f9d21154c	7413	XMEMCPY(output + totalSz, extArray, extSz);
wolfSSL	0:d92f9d21154c	7414	totalSz += extSz;
wolfSSL	0:d92f9d21154c	7415	}
wolfSSL	0:d92f9d21154c	7416
wolfSSL	0:d92f9d21154c	7417	return totalSz;
wolfSSL	0:d92f9d21154c	7418	}
wolfSSL	0:d92f9d21154c	7419
wolfSSL	0:d92f9d21154c	7420
wolfSSL	0:d92f9d21154c	7421	void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
wolfSSL	0:d92f9d21154c	7422	byte* dest, word32 destSz)
wolfSSL	0:d92f9d21154c	7423	{
wolfSSL	0:d92f9d21154c	7424	WOLFSSL_ENTER("InitOcspRequest");
wolfSSL	0:d92f9d21154c	7425
wolfSSL	0:d92f9d21154c	7426	req->cert = cert;
wolfSSL	0:d92f9d21154c	7427	req->useNonce = useNonce;
wolfSSL	0:d92f9d21154c	7428	req->nonceSz = 0;
wolfSSL	0:d92f9d21154c	7429	req->issuerHash = NULL;
wolfSSL	0:d92f9d21154c	7430	req->issuerKeyHash = NULL;
wolfSSL	0:d92f9d21154c	7431	req->serial = NULL;
wolfSSL	0:d92f9d21154c	7432	req->dest = dest;
wolfSSL	0:d92f9d21154c	7433	req->destSz = destSz;
wolfSSL	0:d92f9d21154c	7434	}
wolfSSL	0:d92f9d21154c	7435
wolfSSL	0:d92f9d21154c	7436
wolfSSL	0:d92f9d21154c	7437	int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
wolfSSL	0:d92f9d21154c	7438	{
wolfSSL	0:d92f9d21154c	7439	int cmp;
wolfSSL	0:d92f9d21154c	7440
wolfSSL	0:d92f9d21154c	7441	WOLFSSL_ENTER("CompareOcspReqResp");
wolfSSL	0:d92f9d21154c	7442
wolfSSL	0:d92f9d21154c	7443	if (req == NULL)
wolfSSL	0:d92f9d21154c	7444	{
wolfSSL	0:d92f9d21154c	7445	WOLFSSL_MSG("\tReq missing");
wolfSSL	0:d92f9d21154c	7446	return -1;
wolfSSL	0:d92f9d21154c	7447	}
wolfSSL	0:d92f9d21154c	7448
wolfSSL	0:d92f9d21154c	7449	if (resp == NULL)
wolfSSL	0:d92f9d21154c	7450	{
wolfSSL	0:d92f9d21154c	7451	WOLFSSL_MSG("\tResp missing");
wolfSSL	0:d92f9d21154c	7452	return 1;
wolfSSL	0:d92f9d21154c	7453	}
wolfSSL	0:d92f9d21154c	7454
wolfSSL	0:d92f9d21154c	7455	/* Nonces are not critical. The responder may not necessarily add
wolfSSL	0:d92f9d21154c	7456	* the nonce to the response. */
wolfSSL	0:d92f9d21154c	7457	if (req->useNonce && resp->nonceSz != 0) {
wolfSSL	0:d92f9d21154c	7458	cmp = req->nonceSz - resp->nonceSz;
wolfSSL	0:d92f9d21154c	7459	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7460	{
wolfSSL	0:d92f9d21154c	7461	WOLFSSL_MSG("\tnonceSz mismatch");
wolfSSL	0:d92f9d21154c	7462	return cmp;
wolfSSL	0:d92f9d21154c	7463	}
wolfSSL	0:d92f9d21154c	7464
wolfSSL	0:d92f9d21154c	7465	cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
wolfSSL	0:d92f9d21154c	7466	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7467	{
wolfSSL	0:d92f9d21154c	7468	WOLFSSL_MSG("\tnonce mismatch");
wolfSSL	0:d92f9d21154c	7469	return cmp;
wolfSSL	0:d92f9d21154c	7470	}
wolfSSL	0:d92f9d21154c	7471	}
wolfSSL	0:d92f9d21154c	7472
wolfSSL	0:d92f9d21154c	7473	cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
wolfSSL	0:d92f9d21154c	7474	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7475	{
wolfSSL	0:d92f9d21154c	7476	WOLFSSL_MSG("\tissuerHash mismatch");
wolfSSL	0:d92f9d21154c	7477	return cmp;
wolfSSL	0:d92f9d21154c	7478	}
wolfSSL	0:d92f9d21154c	7479
wolfSSL	0:d92f9d21154c	7480	cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
wolfSSL	0:d92f9d21154c	7481	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7482	{
wolfSSL	0:d92f9d21154c	7483	WOLFSSL_MSG("\tissuerKeyHash mismatch");
wolfSSL	0:d92f9d21154c	7484	return cmp;
wolfSSL	0:d92f9d21154c	7485	}
wolfSSL	0:d92f9d21154c	7486
wolfSSL	0:d92f9d21154c	7487	cmp = req->serialSz - resp->status->serialSz;
wolfSSL	0:d92f9d21154c	7488	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7489	{
wolfSSL	0:d92f9d21154c	7490	WOLFSSL_MSG("\tserialSz mismatch");
wolfSSL	0:d92f9d21154c	7491	return cmp;
wolfSSL	0:d92f9d21154c	7492	}
wolfSSL	0:d92f9d21154c	7493
wolfSSL	0:d92f9d21154c	7494	cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
wolfSSL	0:d92f9d21154c	7495	if (cmp != 0)
wolfSSL	0:d92f9d21154c	7496	{
wolfSSL	0:d92f9d21154c	7497	WOLFSSL_MSG("\tserial mismatch");
wolfSSL	0:d92f9d21154c	7498	return cmp;
wolfSSL	0:d92f9d21154c	7499	}
wolfSSL	0:d92f9d21154c	7500
wolfSSL	0:d92f9d21154c	7501	return 0;
wolfSSL	0:d92f9d21154c	7502	}
wolfSSL	0:d92f9d21154c	7503
wolfSSL	0:d92f9d21154c	7504	#endif
wolfSSL	0:d92f9d21154c	7505
wolfSSL	0:d92f9d21154c	7506
wolfSSL	0:d92f9d21154c	7507	/* store SHA hash of NAME */
wolfSSL	0:d92f9d21154c	7508	WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
wolfSSL	0:d92f9d21154c	7509	int maxIdx)
wolfSSL	0:d92f9d21154c	7510	{
wolfSSL	0:d92f9d21154c	7511	int length; /* length of all distinguished names */
wolfSSL	0:d92f9d21154c	7512	int ret;
wolfSSL	0:d92f9d21154c	7513	word32 dummy;
wolfSSL	0:d92f9d21154c	7514
wolfSSL	0:d92f9d21154c	7515	WOLFSSL_ENTER("GetNameHash");
wolfSSL	0:d92f9d21154c	7516
wolfSSL	0:d92f9d21154c	7517	if (source[*idx] == ASN_OBJECT_ID) {
wolfSSL	0:d92f9d21154c	7518	WOLFSSL_MSG("Trying optional prefix...");
wolfSSL	0:d92f9d21154c	7519
wolfSSL	0:d92f9d21154c	7520	if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7521	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7522
wolfSSL	0:d92f9d21154c	7523	*idx += length;
wolfSSL	0:d92f9d21154c	7524	WOLFSSL_MSG("Got optional prefix");
wolfSSL	0:d92f9d21154c	7525	}
wolfSSL	0:d92f9d21154c	7526
wolfSSL	0:d92f9d21154c	7527	/* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be
wolfSSL	0:d92f9d21154c	7528	* calculated over the entire DER encoding of the Name field, including
wolfSSL	0:d92f9d21154c	7529	* the tag and length. */
wolfSSL	0:d92f9d21154c	7530	dummy = *idx;
wolfSSL	0:d92f9d21154c	7531	if (GetSequence(source, idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7532	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7533
wolfSSL	0:d92f9d21154c	7534	#ifdef NO_SHA
wolfSSL	0:d92f9d21154c	7535	ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash);
wolfSSL	0:d92f9d21154c	7536	#else
wolfSSL	0:d92f9d21154c	7537	ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash);
wolfSSL	0:d92f9d21154c	7538	#endif
wolfSSL	0:d92f9d21154c	7539
wolfSSL	0:d92f9d21154c	7540	*idx += length;
wolfSSL	0:d92f9d21154c	7541
wolfSSL	0:d92f9d21154c	7542	return ret;
wolfSSL	0:d92f9d21154c	7543	}
wolfSSL	0:d92f9d21154c	7544
wolfSSL	0:d92f9d21154c	7545
wolfSSL	0:d92f9d21154c	7546	#ifdef HAVE_CRL
wolfSSL	0:d92f9d21154c	7547
wolfSSL	0:d92f9d21154c	7548	/* initialize decoded CRL */
wolfSSL	0:d92f9d21154c	7549	void InitDecodedCRL(DecodedCRL* dcrl)
wolfSSL	0:d92f9d21154c	7550	{
wolfSSL	0:d92f9d21154c	7551	WOLFSSL_MSG("InitDecodedCRL");
wolfSSL	0:d92f9d21154c	7552
wolfSSL	0:d92f9d21154c	7553	dcrl->certBegin = 0;
wolfSSL	0:d92f9d21154c	7554	dcrl->sigIndex = 0;
wolfSSL	0:d92f9d21154c	7555	dcrl->sigLength = 0;
wolfSSL	0:d92f9d21154c	7556	dcrl->signatureOID = 0;
wolfSSL	0:d92f9d21154c	7557	dcrl->certs = NULL;
wolfSSL	0:d92f9d21154c	7558	dcrl->totalCerts = 0;
wolfSSL	0:d92f9d21154c	7559	}
wolfSSL	0:d92f9d21154c	7560
wolfSSL	0:d92f9d21154c	7561
wolfSSL	0:d92f9d21154c	7562	/* free decoded CRL resources */
wolfSSL	0:d92f9d21154c	7563	void FreeDecodedCRL(DecodedCRL* dcrl)
wolfSSL	0:d92f9d21154c	7564	{
wolfSSL	0:d92f9d21154c	7565	RevokedCert* tmp = dcrl->certs;
wolfSSL	0:d92f9d21154c	7566
wolfSSL	0:d92f9d21154c	7567	WOLFSSL_MSG("FreeDecodedCRL");
wolfSSL	0:d92f9d21154c	7568
wolfSSL	0:d92f9d21154c	7569	while(tmp) {
wolfSSL	0:d92f9d21154c	7570	RevokedCert* next = tmp->next;
wolfSSL	0:d92f9d21154c	7571	XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
wolfSSL	0:d92f9d21154c	7572	tmp = next;
wolfSSL	0:d92f9d21154c	7573	}
wolfSSL	0:d92f9d21154c	7574	}
wolfSSL	0:d92f9d21154c	7575
wolfSSL	0:d92f9d21154c	7576
wolfSSL	0:d92f9d21154c	7577	/* Get Revoked Cert list, 0 on success */
wolfSSL	0:d92f9d21154c	7578	static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
wolfSSL	0:d92f9d21154c	7579	int maxIdx)
wolfSSL	0:d92f9d21154c	7580	{
wolfSSL	0:d92f9d21154c	7581	int len;
wolfSSL	0:d92f9d21154c	7582	word32 end;
wolfSSL	0:d92f9d21154c	7583	byte b;
wolfSSL	0:d92f9d21154c	7584	RevokedCert* rc;
wolfSSL	0:d92f9d21154c	7585
wolfSSL	0:d92f9d21154c	7586	WOLFSSL_ENTER("GetRevoked");
wolfSSL	0:d92f9d21154c	7587
wolfSSL	0:d92f9d21154c	7588	if (GetSequence(buff, idx, &len, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7589	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7590
wolfSSL	0:d92f9d21154c	7591	end = *idx + len;
wolfSSL	0:d92f9d21154c	7592
wolfSSL	0:d92f9d21154c	7593	/* get serial number */
wolfSSL	0:d92f9d21154c	7594	b = buff[*idx];
wolfSSL	0:d92f9d21154c	7595	*idx += 1;
wolfSSL	0:d92f9d21154c	7596
wolfSSL	0:d92f9d21154c	7597	if (b != ASN_INTEGER) {
wolfSSL	0:d92f9d21154c	7598	WOLFSSL_MSG("Expecting Integer");
wolfSSL	0:d92f9d21154c	7599	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7600	}
wolfSSL	0:d92f9d21154c	7601
wolfSSL	0:d92f9d21154c	7602	if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7603	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7604
wolfSSL	0:d92f9d21154c	7605	if (len > EXTERNAL_SERIAL_SIZE) {
wolfSSL	0:d92f9d21154c	7606	WOLFSSL_MSG("Serial Size too big");
wolfSSL	0:d92f9d21154c	7607	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7608	}
wolfSSL	0:d92f9d21154c	7609
wolfSSL	0:d92f9d21154c	7610	rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
wolfSSL	0:d92f9d21154c	7611	if (rc == NULL) {
wolfSSL	0:d92f9d21154c	7612	WOLFSSL_MSG("Alloc Revoked Cert failed");
wolfSSL	0:d92f9d21154c	7613	return MEMORY_E;
wolfSSL	0:d92f9d21154c	7614	}
wolfSSL	0:d92f9d21154c	7615
wolfSSL	0:d92f9d21154c	7616	XMEMCPY(rc->serialNumber, &buff[*idx], len);
wolfSSL	0:d92f9d21154c	7617	rc->serialSz = len;
wolfSSL	0:d92f9d21154c	7618
wolfSSL	0:d92f9d21154c	7619	/* add to list */
wolfSSL	0:d92f9d21154c	7620	rc->next = dcrl->certs;
wolfSSL	0:d92f9d21154c	7621	dcrl->certs = rc;
wolfSSL	0:d92f9d21154c	7622	dcrl->totalCerts++;
wolfSSL	0:d92f9d21154c	7623
wolfSSL	0:d92f9d21154c	7624	*idx += len;
wolfSSL	0:d92f9d21154c	7625
wolfSSL	0:d92f9d21154c	7626	/* get date */
wolfSSL	0:d92f9d21154c	7627	b = buff[*idx];
wolfSSL	0:d92f9d21154c	7628	*idx += 1;
wolfSSL	0:d92f9d21154c	7629
wolfSSL	0:d92f9d21154c	7630	if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
wolfSSL	0:d92f9d21154c	7631	WOLFSSL_MSG("Expecting Date");
wolfSSL	0:d92f9d21154c	7632	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7633	}
wolfSSL	0:d92f9d21154c	7634
wolfSSL	0:d92f9d21154c	7635	if (GetLength(buff, idx, &len, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7636	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7637
wolfSSL	0:d92f9d21154c	7638	/* skip for now */
wolfSSL	0:d92f9d21154c	7639	*idx += len;
wolfSSL	0:d92f9d21154c	7640
wolfSSL	0:d92f9d21154c	7641	if (idx != end) / skip extensions */
wolfSSL	0:d92f9d21154c	7642	*idx = end;
wolfSSL	0:d92f9d21154c	7643
wolfSSL	0:d92f9d21154c	7644	return 0;
wolfSSL	0:d92f9d21154c	7645	}
wolfSSL	0:d92f9d21154c	7646
wolfSSL	0:d92f9d21154c	7647
wolfSSL	0:d92f9d21154c	7648	/* Get CRL Signature, 0 on success */
wolfSSL	0:d92f9d21154c	7649	static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
wolfSSL	0:d92f9d21154c	7650	int maxIdx)
wolfSSL	0:d92f9d21154c	7651	{
wolfSSL	0:d92f9d21154c	7652	int length;
wolfSSL	0:d92f9d21154c	7653	byte b;
wolfSSL	0:d92f9d21154c	7654
wolfSSL	0:d92f9d21154c	7655	WOLFSSL_ENTER("GetCRL_Signature");
wolfSSL	0:d92f9d21154c	7656
wolfSSL	0:d92f9d21154c	7657	b = source[*idx];
wolfSSL	0:d92f9d21154c	7658	*idx += 1;
wolfSSL	0:d92f9d21154c	7659	if (b != ASN_BIT_STRING)
wolfSSL	0:d92f9d21154c	7660	return ASN_BITSTR_E;
wolfSSL	0:d92f9d21154c	7661
wolfSSL	0:d92f9d21154c	7662	if (GetLength(source, idx, &length, maxIdx) < 0)
wolfSSL	0:d92f9d21154c	7663	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7664
wolfSSL	0:d92f9d21154c	7665	dcrl->sigLength = length;
wolfSSL	0:d92f9d21154c	7666
wolfSSL	0:d92f9d21154c	7667	b = source[*idx];
wolfSSL	0:d92f9d21154c	7668	*idx += 1;
wolfSSL	0:d92f9d21154c	7669	if (b != 0x00)
wolfSSL	0:d92f9d21154c	7670	return ASN_EXPECT_0_E;
wolfSSL	0:d92f9d21154c	7671
wolfSSL	0:d92f9d21154c	7672	dcrl->sigLength--;
wolfSSL	0:d92f9d21154c	7673	dcrl->signature = (byte)&source[idx];
wolfSSL	0:d92f9d21154c	7674
wolfSSL	0:d92f9d21154c	7675	*idx += dcrl->sigLength;
wolfSSL	0:d92f9d21154c	7676
wolfSSL	0:d92f9d21154c	7677	return 0;
wolfSSL	0:d92f9d21154c	7678	}
wolfSSL	0:d92f9d21154c	7679
wolfSSL	0:d92f9d21154c	7680
wolfSSL	0:d92f9d21154c	7681	/* prase crl buffer into decoded state, 0 on success */
wolfSSL	0:d92f9d21154c	7682	int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
wolfSSL	0:d92f9d21154c	7683	{
wolfSSL	0:d92f9d21154c	7684	int version, len;
wolfSSL	0:d92f9d21154c	7685	word32 oid, idx = 0;
wolfSSL	0:d92f9d21154c	7686	Signer* ca = NULL;
wolfSSL	0:d92f9d21154c	7687
wolfSSL	0:d92f9d21154c	7688	WOLFSSL_MSG("ParseCRL");
wolfSSL	0:d92f9d21154c	7689
wolfSSL	0:d92f9d21154c	7690	/* raw crl hash */
wolfSSL	0:d92f9d21154c	7691	/* hash here if needed for optimized comparisons
wolfSSL	0:d92f9d21154c	7692	* Sha sha;
wolfSSL	0:d92f9d21154c	7693	* wc_InitSha(&sha);
wolfSSL	0:d92f9d21154c	7694	* wc_ShaUpdate(&sha, buff, sz);
wolfSSL	0:d92f9d21154c	7695	* wc_ShaFinal(&sha, dcrl->crlHash); */
wolfSSL	0:d92f9d21154c	7696
wolfSSL	0:d92f9d21154c	7697	if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL	0:d92f9d21154c	7698	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7699
wolfSSL	0:d92f9d21154c	7700	dcrl->certBegin = idx;
wolfSSL	0:d92f9d21154c	7701
wolfSSL	0:d92f9d21154c	7702	if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL	0:d92f9d21154c	7703	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7704	dcrl->sigIndex = len + idx;
wolfSSL	0:d92f9d21154c	7705
wolfSSL	0:d92f9d21154c	7706	/* may have version */
wolfSSL	0:d92f9d21154c	7707	if (buff[idx] == ASN_INTEGER) {
wolfSSL	0:d92f9d21154c	7708	if (GetMyVersion(buff, &idx, &version) < 0)
wolfSSL	0:d92f9d21154c	7709	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7710	}
wolfSSL	0:d92f9d21154c	7711
wolfSSL	0:d92f9d21154c	7712	if (GetAlgoId(buff, &idx, &oid, sz) < 0)
wolfSSL	0:d92f9d21154c	7713	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7714
wolfSSL	0:d92f9d21154c	7715	if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
wolfSSL	0:d92f9d21154c	7716	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7717
wolfSSL	0:d92f9d21154c	7718	if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
wolfSSL	0:d92f9d21154c	7719	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7720
wolfSSL	0:d92f9d21154c	7721	if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
wolfSSL	0:d92f9d21154c	7722	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7723
wolfSSL	0:d92f9d21154c	7724	if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
wolfSSL	0:d92f9d21154c	7725	WOLFSSL_MSG("CRL after date is no longer valid");
wolfSSL	0:d92f9d21154c	7726	return ASN_AFTER_DATE_E;
wolfSSL	0:d92f9d21154c	7727	}
wolfSSL	0:d92f9d21154c	7728
wolfSSL	0:d92f9d21154c	7729	if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
wolfSSL	0:d92f9d21154c	7730	if (GetSequence(buff, &idx, &len, sz) < 0)
wolfSSL	0:d92f9d21154c	7731	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7732
wolfSSL	0:d92f9d21154c	7733	len += idx;
wolfSSL	0:d92f9d21154c	7734
wolfSSL	0:d92f9d21154c	7735	while (idx < (word32)len) {
wolfSSL	0:d92f9d21154c	7736	if (GetRevoked(buff, &idx, dcrl, sz) < 0)
wolfSSL	0:d92f9d21154c	7737	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7738	}
wolfSSL	0:d92f9d21154c	7739	}
wolfSSL	0:d92f9d21154c	7740
wolfSSL	0:d92f9d21154c	7741	if (idx != dcrl->sigIndex)
wolfSSL	0:d92f9d21154c	7742	idx = dcrl->sigIndex; /* skip extensions */
wolfSSL	0:d92f9d21154c	7743
wolfSSL	0:d92f9d21154c	7744	if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0)
wolfSSL	0:d92f9d21154c	7745	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7746
wolfSSL	0:d92f9d21154c	7747	if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
wolfSSL	0:d92f9d21154c	7748	return ASN_PARSE_E;
wolfSSL	0:d92f9d21154c	7749
wolfSSL	0:d92f9d21154c	7750	/* openssl doesn't add skid by default for CRLs cause firefox chokes
wolfSSL	0:d92f9d21154c	7751	we're not assuming it's available yet */
wolfSSL	0:d92f9d21154c	7752	#if !defined(NO_SKID) && defined(CRL_SKID_READY)
wolfSSL	0:d92f9d21154c	7753	if (dcrl->extAuthKeyIdSet)
wolfSSL	0:d92f9d21154c	7754	ca = GetCA(cm, dcrl->extAuthKeyId);
wolfSSL	0:d92f9d21154c	7755	if (ca == NULL)
wolfSSL	0:d92f9d21154c	7756	ca = GetCAByName(cm, dcrl->issuerHash);
wolfSSL	0:d92f9d21154c	7757	#else /* NO_SKID */
wolfSSL	0:d92f9d21154c	7758	ca = GetCA(cm, dcrl->issuerHash);
wolfSSL	0:d92f9d21154c	7759	#endif /* NO_SKID */
wolfSSL	0:d92f9d21154c	7760	WOLFSSL_MSG("About to verify CRL signature");
wolfSSL	0:d92f9d21154c	7761
wolfSSL	0:d92f9d21154c	7762	if (ca) {
wolfSSL	0:d92f9d21154c	7763	WOLFSSL_MSG("Found CRL issuer CA");
wolfSSL	0:d92f9d21154c	7764	/* try to confirm/verify signature */
wolfSSL	0:d92f9d21154c	7765	#ifndef IGNORE_KEY_EXTENSIONS
wolfSSL	0:d92f9d21154c	7766	if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
wolfSSL	0:d92f9d21154c	7767	WOLFSSL_MSG("CA cannot sign CRLs");
wolfSSL	0:d92f9d21154c	7768	return ASN_CRL_NO_SIGNER_E;
wolfSSL	0:d92f9d21154c	7769	}
wolfSSL	0:d92f9d21154c	7770	#endif /* IGNORE_KEY_EXTENSIONS */
wolfSSL	0:d92f9d21154c	7771	if (!ConfirmSignature(buff + dcrl->certBegin,
wolfSSL	0:d92f9d21154c	7772	dcrl->sigIndex - dcrl->certBegin,
wolfSSL	0:d92f9d21154c	7773	ca->publicKey, ca->pubKeySize, ca->keyOID,
wolfSSL	0:d92f9d21154c	7774	dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
wolfSSL	0:d92f9d21154c	7775	WOLFSSL_MSG("CRL Confirm signature failed");
wolfSSL	0:d92f9d21154c	7776	return ASN_CRL_CONFIRM_E;
wolfSSL	0:d92f9d21154c	7777	}
wolfSSL	0:d92f9d21154c	7778	}
wolfSSL	0:d92f9d21154c	7779	else {
wolfSSL	0:d92f9d21154c	7780	WOLFSSL_MSG("Did NOT find CRL issuer CA");
wolfSSL	0:d92f9d21154c	7781	return ASN_CRL_NO_SIGNER_E;
wolfSSL	0:d92f9d21154c	7782	}
wolfSSL	0:d92f9d21154c	7783
wolfSSL	0:d92f9d21154c	7784	return 0;
wolfSSL	0:d92f9d21154c	7785	}
wolfSSL	0:d92f9d21154c	7786
wolfSSL	0:d92f9d21154c	7787	#endif /* HAVE_CRL */
wolfSSL	0:d92f9d21154c	7788	#endif
wolfSSL	0:d92f9d21154c	7789
wolfSSL	0:d92f9d21154c	7790	#ifdef WOLFSSL_SEP
wolfSSL	0:d92f9d21154c	7791
wolfSSL	0:d92f9d21154c	7792
wolfSSL	0:d92f9d21154c	7793
wolfSSL	0:d92f9d21154c	7794	#endif /* WOLFSSL_SEP */
wolfSSL	0:d92f9d21154c	7795
wolfSSL	0:d92f9d21154c	7796

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	26 Jun 2015
Imports:	673
Forks:	0
Commits:	18
Dependents:	29
Dependencies:	0
Followers:	21

wolfcrypt/src/asn.c@0:d92f9d21154c, 2015-06-26 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning