wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/asn.c@13:f67a6c6013ca, 2017-08-22 (annotated)
- Committer:
- wolfSSL
- Date:
- Tue Aug 22 10:48:22 2017 +0000
- Revision:
- 13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 13:f67a6c6013ca | 1 | /* asn.c |
wolfSSL | 13:f67a6c6013ca | 2 | * |
wolfSSL | 13:f67a6c6013ca | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
wolfSSL | 13:f67a6c6013ca | 4 | * |
wolfSSL | 13:f67a6c6013ca | 5 | * This file is part of wolfSSL. |
wolfSSL | 13:f67a6c6013ca | 6 | * |
wolfSSL | 13:f67a6c6013ca | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 13:f67a6c6013ca | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 13:f67a6c6013ca | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 13:f67a6c6013ca | 10 | * (at your option) any later version. |
wolfSSL | 13:f67a6c6013ca | 11 | * |
wolfSSL | 13:f67a6c6013ca | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 13:f67a6c6013ca | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 13:f67a6c6013ca | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 13:f67a6c6013ca | 15 | * GNU General Public License for more details. |
wolfSSL | 13:f67a6c6013ca | 16 | * |
wolfSSL | 13:f67a6c6013ca | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 13:f67a6c6013ca | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 13:f67a6c6013ca | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 13:f67a6c6013ca | 20 | */ |
wolfSSL | 13:f67a6c6013ca | 21 | |
wolfSSL | 13:f67a6c6013ca | 22 | |
wolfSSL | 13:f67a6c6013ca | 23 | #ifdef HAVE_CONFIG_H |
wolfSSL | 13:f67a6c6013ca | 24 | #include <config.h> |
wolfSSL | 13:f67a6c6013ca | 25 | #endif |
wolfSSL | 13:f67a6c6013ca | 26 | |
wolfSSL | 13:f67a6c6013ca | 27 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 13:f67a6c6013ca | 28 | |
wolfSSL | 13:f67a6c6013ca | 29 | /* |
wolfSSL | 13:f67a6c6013ca | 30 | ASN Options: |
wolfSSL | 13:f67a6c6013ca | 31 | * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC |
wolfSSL | 13:f67a6c6013ca | 32 | or wishing to save space. |
wolfSSL | 13:f67a6c6013ca | 33 | * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks. |
wolfSSL | 13:f67a6c6013ca | 34 | * ASN_DUMP_OID: Allows dump of OID information for debugging. |
wolfSSL | 13:f67a6c6013ca | 35 | * RSA_DECODE_EXTRA: Decodes extra information in RSA public key. |
wolfSSL | 13:f67a6c6013ca | 36 | * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. |
wolfSSL | 13:f67a6c6013ca | 37 | * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer |
wolfSSL | 13:f67a6c6013ca | 38 | must still be trusted) |
wolfSSL | 13:f67a6c6013ca | 39 | * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert |
wolfSSL | 13:f67a6c6013ca | 40 | chain is not loaded. This only matches on subject and public key and |
wolfSSL | 13:f67a6c6013ca | 41 | does not perform a PKI validation, so it is not a secure solution. |
wolfSSL | 13:f67a6c6013ca | 42 | Only enabled for OCSP. |
wolfSSL | 13:f67a6c6013ca | 43 | * WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to |
wolfSSL | 13:f67a6c6013ca | 44 | disable checking of OCSP subject hash with issuer hash. |
wolfSSL | 13:f67a6c6013ca | 45 | */ |
wolfSSL | 13:f67a6c6013ca | 46 | |
wolfSSL | 13:f67a6c6013ca | 47 | #ifndef NO_ASN |
wolfSSL | 13:f67a6c6013ca | 48 | |
wolfSSL | 13:f67a6c6013ca | 49 | #ifdef HAVE_RTP_SYS |
wolfSSL | 13:f67a6c6013ca | 50 | #include "os.h" /* dc_rtc_api needs */ |
wolfSSL | 13:f67a6c6013ca | 51 | #include "dc_rtc_api.h" /* to get current time */ |
wolfSSL | 13:f67a6c6013ca | 52 | #endif |
wolfSSL | 13:f67a6c6013ca | 53 | |
wolfSSL | 13:f67a6c6013ca | 54 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 13:f67a6c6013ca | 55 | #include <wolfssl/wolfcrypt/coding.h> |
wolfSSL | 13:f67a6c6013ca | 56 | #include <wolfssl/wolfcrypt/md2.h> |
wolfSSL | 13:f67a6c6013ca | 57 | #include <wolfssl/wolfcrypt/hmac.h> |
wolfSSL | 13:f67a6c6013ca | 58 | #include <wolfssl/wolfcrypt/error-crypt.h> |
wolfSSL | 13:f67a6c6013ca | 59 | #include <wolfssl/wolfcrypt/pwdbased.h> |
wolfSSL | 13:f67a6c6013ca | 60 | #include <wolfssl/wolfcrypt/des3.h> |
wolfSSL | 13:f67a6c6013ca | 61 | #include <wolfssl/wolfcrypt/logging.h> |
wolfSSL | 13:f67a6c6013ca | 62 | |
wolfSSL | 13:f67a6c6013ca | 63 | #include <wolfssl/wolfcrypt/random.h> |
wolfSSL | 13:f67a6c6013ca | 64 | #include <wolfssl/wolfcrypt/hash.h> |
wolfSSL | 13:f67a6c6013ca | 65 | #ifdef NO_INLINE |
wolfSSL | 13:f67a6c6013ca | 66 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 13:f67a6c6013ca | 67 | #else |
wolfSSL | 13:f67a6c6013ca | 68 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 13:f67a6c6013ca | 69 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 13:f67a6c6013ca | 70 | #endif |
wolfSSL | 13:f67a6c6013ca | 71 | |
wolfSSL | 13:f67a6c6013ca | 72 | #ifndef NO_RC4 |
wolfSSL | 13:f67a6c6013ca | 73 | #include <wolfssl/wolfcrypt/arc4.h> |
wolfSSL | 13:f67a6c6013ca | 74 | #endif |
wolfSSL | 13:f67a6c6013ca | 75 | |
wolfSSL | 13:f67a6c6013ca | 76 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 77 | #include "libntruencrypt/ntru_crypto.h" |
wolfSSL | 13:f67a6c6013ca | 78 | #endif |
wolfSSL | 13:f67a6c6013ca | 79 | |
wolfSSL | 13:f67a6c6013ca | 80 | #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) |
wolfSSL | 13:f67a6c6013ca | 81 | #include <wolfssl/wolfcrypt/sha512.h> |
wolfSSL | 13:f67a6c6013ca | 82 | #endif |
wolfSSL | 13:f67a6c6013ca | 83 | |
wolfSSL | 13:f67a6c6013ca | 84 | #ifndef NO_SHA256 |
wolfSSL | 13:f67a6c6013ca | 85 | #include <wolfssl/wolfcrypt/sha256.h> |
wolfSSL | 13:f67a6c6013ca | 86 | #endif |
wolfSSL | 13:f67a6c6013ca | 87 | |
wolfSSL | 13:f67a6c6013ca | 88 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 89 | #include <wolfssl/wolfcrypt/ecc.h> |
wolfSSL | 13:f67a6c6013ca | 90 | #endif |
wolfSSL | 13:f67a6c6013ca | 91 | |
wolfSSL | 13:f67a6c6013ca | 92 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 93 | #include <wolfssl/wolfcrypt/ed25519.h> |
wolfSSL | 13:f67a6c6013ca | 94 | #endif |
wolfSSL | 13:f67a6c6013ca | 95 | |
wolfSSL | 13:f67a6c6013ca | 96 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 97 | #include <wolfssl/wolfcrypt/rsa.h> |
wolfSSL | 13:f67a6c6013ca | 98 | #endif |
wolfSSL | 13:f67a6c6013ca | 99 | |
wolfSSL | 13:f67a6c6013ca | 100 | #ifdef WOLFSSL_DEBUG_ENCODING |
wolfSSL | 13:f67a6c6013ca | 101 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 13:f67a6c6013ca | 102 | #if MQX_USE_IO_OLD |
wolfSSL | 13:f67a6c6013ca | 103 | #include <fio.h> |
wolfSSL | 13:f67a6c6013ca | 104 | #else |
wolfSSL | 13:f67a6c6013ca | 105 | #include <nio.h> |
wolfSSL | 13:f67a6c6013ca | 106 | #endif |
wolfSSL | 13:f67a6c6013ca | 107 | #else |
wolfSSL | 13:f67a6c6013ca | 108 | #include <stdio.h> |
wolfSSL | 13:f67a6c6013ca | 109 | #endif |
wolfSSL | 13:f67a6c6013ca | 110 | #endif |
wolfSSL | 13:f67a6c6013ca | 111 | |
wolfSSL | 13:f67a6c6013ca | 112 | #ifdef _MSC_VER |
wolfSSL | 13:f67a6c6013ca | 113 | /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */ |
wolfSSL | 13:f67a6c6013ca | 114 | #pragma warning(disable: 4996) |
wolfSSL | 13:f67a6c6013ca | 115 | #endif |
wolfSSL | 13:f67a6c6013ca | 116 | |
wolfSSL | 13:f67a6c6013ca | 117 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } |
wolfSSL | 13:f67a6c6013ca | 118 | |
wolfSSL | 13:f67a6c6013ca | 119 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 120 | #if defined(USER_TIME) |
wolfSSL | 13:f67a6c6013ca | 121 | /* Use our gmtime and time_t/struct tm types. |
wolfSSL | 13:f67a6c6013ca | 122 | Only needs seconds since EPOCH using XTIME function. |
wolfSSL | 13:f67a6c6013ca | 123 | time_t XTIME(time_t * timer) {} |
wolfSSL | 13:f67a6c6013ca | 124 | */ |
wolfSSL | 13:f67a6c6013ca | 125 | #define WOLFSSL_GMTIME |
wolfSSL | 13:f67a6c6013ca | 126 | #define USE_WOLF_TM |
wolfSSL | 13:f67a6c6013ca | 127 | #define USE_WOLF_TIME_T |
wolfSSL | 13:f67a6c6013ca | 128 | |
wolfSSL | 13:f67a6c6013ca | 129 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 13:f67a6c6013ca | 130 | /* Override XTIME() and XGMTIME() functionality. |
wolfSSL | 13:f67a6c6013ca | 131 | Requires user to provide these functions: |
wolfSSL | 13:f67a6c6013ca | 132 | time_t XTIME(time_t * timer) {} |
wolfSSL | 13:f67a6c6013ca | 133 | struct tm* XGMTIME(const time_t* timer, struct tm* tmp) {} |
wolfSSL | 13:f67a6c6013ca | 134 | */ |
wolfSSL | 13:f67a6c6013ca | 135 | #ifndef HAVE_TIME_T_TYPE |
wolfSSL | 13:f67a6c6013ca | 136 | #define USE_WOLF_TIME_T |
wolfSSL | 13:f67a6c6013ca | 137 | #endif |
wolfSSL | 13:f67a6c6013ca | 138 | #ifndef HAVE_TM_TYPE |
wolfSSL | 13:f67a6c6013ca | 139 | #define USE_WOLF_TM |
wolfSSL | 13:f67a6c6013ca | 140 | #endif |
wolfSSL | 13:f67a6c6013ca | 141 | #define NEED_TMP_TIME |
wolfSSL | 13:f67a6c6013ca | 142 | |
wolfSSL | 13:f67a6c6013ca | 143 | #elif defined(HAVE_RTP_SYS) |
wolfSSL | 13:f67a6c6013ca | 144 | /* uses parital <time.h> structures */ |
wolfSSL | 13:f67a6c6013ca | 145 | #define XTIME(tl) (0) |
wolfSSL | 13:f67a6c6013ca | 146 | #define XGMTIME(c, t) rtpsys_gmtime((c)) |
wolfSSL | 13:f67a6c6013ca | 147 | |
wolfSSL | 13:f67a6c6013ca | 148 | #elif defined(MICRIUM) |
wolfSSL | 13:f67a6c6013ca | 149 | #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) |
wolfSSL | 13:f67a6c6013ca | 150 | #define XVALIDATE_DATE(d, f, t) NetSecure_ValidateDateHandler((d), (f), (t)) |
wolfSSL | 13:f67a6c6013ca | 151 | #else |
wolfSSL | 13:f67a6c6013ca | 152 | #define XVALIDATE_DATE(d, f, t) (0) |
wolfSSL | 13:f67a6c6013ca | 153 | #endif |
wolfSSL | 13:f67a6c6013ca | 154 | #define NO_TIME_H |
wolfSSL | 13:f67a6c6013ca | 155 | /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */ |
wolfSSL | 13:f67a6c6013ca | 156 | |
wolfSSL | 13:f67a6c6013ca | 157 | #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 13:f67a6c6013ca | 158 | #include <time.h> |
wolfSSL | 13:f67a6c6013ca | 159 | #define XTIME(t1) pic32_time((t1)) |
wolfSSL | 13:f67a6c6013ca | 160 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 13:f67a6c6013ca | 161 | |
wolfSSL | 13:f67a6c6013ca | 162 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 13:f67a6c6013ca | 163 | #define XTIME(t1) mqx_time((t1)) |
wolfSSL | 13:f67a6c6013ca | 164 | #define HAVE_GMTIME_R |
wolfSSL | 13:f67a6c6013ca | 165 | |
wolfSSL | 13:f67a6c6013ca | 166 | #elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) |
wolfSSL | 13:f67a6c6013ca | 167 | #include <time.h> |
wolfSSL | 13:f67a6c6013ca | 168 | #ifndef XTIME |
wolfSSL | 13:f67a6c6013ca | 169 | /*extern time_t ksdk_time(time_t* timer);*/ |
wolfSSL | 13:f67a6c6013ca | 170 | #define XTIME(t1) ksdk_time((t1)) |
wolfSSL | 13:f67a6c6013ca | 171 | #endif |
wolfSSL | 13:f67a6c6013ca | 172 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 13:f67a6c6013ca | 173 | |
wolfSSL | 13:f67a6c6013ca | 174 | #elif defined(WOLFSSL_ATMEL) |
wolfSSL | 13:f67a6c6013ca | 175 | #define XTIME(t1) atmel_get_curr_time_and_date((t1)) |
wolfSSL | 13:f67a6c6013ca | 176 | #define WOLFSSL_GMTIME |
wolfSSL | 13:f67a6c6013ca | 177 | #define USE_WOLF_TM |
wolfSSL | 13:f67a6c6013ca | 178 | #define USE_WOLF_TIME_T |
wolfSSL | 13:f67a6c6013ca | 179 | |
wolfSSL | 13:f67a6c6013ca | 180 | #elif defined(IDIRECT_DEV_TIME) |
wolfSSL | 13:f67a6c6013ca | 181 | /*Gets the timestamp from cloak software owned by VT iDirect |
wolfSSL | 13:f67a6c6013ca | 182 | in place of time() from <time.h> */ |
wolfSSL | 13:f67a6c6013ca | 183 | #include <time.h> |
wolfSSL | 13:f67a6c6013ca | 184 | #define XTIME(t1) idirect_time((t1)) |
wolfSSL | 13:f67a6c6013ca | 185 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 13:f67a6c6013ca | 186 | |
wolfSSL | 13:f67a6c6013ca | 187 | #elif defined(_WIN32_WCE) |
wolfSSL | 13:f67a6c6013ca | 188 | #include <windows.h> |
wolfSSL | 13:f67a6c6013ca | 189 | #define XTIME(t1) windows_time((t1)) |
wolfSSL | 13:f67a6c6013ca | 190 | #define WOLFSSL_GMTIME |
wolfSSL | 13:f67a6c6013ca | 191 | #else |
wolfSSL | 13:f67a6c6013ca | 192 | |
wolfSSL | 13:f67a6c6013ca | 193 | /* default */ |
wolfSSL | 13:f67a6c6013ca | 194 | /* uses complete <time.h> facility */ |
wolfSSL | 13:f67a6c6013ca | 195 | #include <time.h> |
wolfSSL | 13:f67a6c6013ca | 196 | #endif |
wolfSSL | 13:f67a6c6013ca | 197 | |
wolfSSL | 13:f67a6c6013ca | 198 | |
wolfSSL | 13:f67a6c6013ca | 199 | /* Map default time functions */ |
wolfSSL | 13:f67a6c6013ca | 200 | #if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME) |
wolfSSL | 13:f67a6c6013ca | 201 | #define XTIME(tl) time((tl)) |
wolfSSL | 13:f67a6c6013ca | 202 | #endif |
wolfSSL | 13:f67a6c6013ca | 203 | #if !defined(XGMTIME) && !defined(TIME_OVERRIDES) |
wolfSSL | 13:f67a6c6013ca | 204 | #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R) |
wolfSSL | 13:f67a6c6013ca | 205 | #define XGMTIME(c, t) gmtime((c)) |
wolfSSL | 13:f67a6c6013ca | 206 | #else |
wolfSSL | 13:f67a6c6013ca | 207 | #define XGMTIME(c, t) gmtime_r((c), (t)) |
wolfSSL | 13:f67a6c6013ca | 208 | #define NEED_TMP_TIME |
wolfSSL | 13:f67a6c6013ca | 209 | #endif |
wolfSSL | 13:f67a6c6013ca | 210 | #endif |
wolfSSL | 13:f67a6c6013ca | 211 | #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE) |
wolfSSL | 13:f67a6c6013ca | 212 | #define USE_WOLF_VALIDDATE |
wolfSSL | 13:f67a6c6013ca | 213 | #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) |
wolfSSL | 13:f67a6c6013ca | 214 | #endif |
wolfSSL | 13:f67a6c6013ca | 215 | |
wolfSSL | 13:f67a6c6013ca | 216 | /* wolf struct tm and time_t */ |
wolfSSL | 13:f67a6c6013ca | 217 | #if defined(USE_WOLF_TM) |
wolfSSL | 13:f67a6c6013ca | 218 | struct tm { |
wolfSSL | 13:f67a6c6013ca | 219 | int tm_sec; /* seconds after the minute [0-60] */ |
wolfSSL | 13:f67a6c6013ca | 220 | int tm_min; /* minutes after the hour [0-59] */ |
wolfSSL | 13:f67a6c6013ca | 221 | int tm_hour; /* hours since midnight [0-23] */ |
wolfSSL | 13:f67a6c6013ca | 222 | int tm_mday; /* day of the month [1-31] */ |
wolfSSL | 13:f67a6c6013ca | 223 | int tm_mon; /* months since January [0-11] */ |
wolfSSL | 13:f67a6c6013ca | 224 | int tm_year; /* years since 1900 */ |
wolfSSL | 13:f67a6c6013ca | 225 | int tm_wday; /* days since Sunday [0-6] */ |
wolfSSL | 13:f67a6c6013ca | 226 | int tm_yday; /* days since January 1 [0-365] */ |
wolfSSL | 13:f67a6c6013ca | 227 | int tm_isdst; /* Daylight Savings Time flag */ |
wolfSSL | 13:f67a6c6013ca | 228 | long tm_gmtoff; /* offset from CUT in seconds */ |
wolfSSL | 13:f67a6c6013ca | 229 | char *tm_zone; /* timezone abbreviation */ |
wolfSSL | 13:f67a6c6013ca | 230 | }; |
wolfSSL | 13:f67a6c6013ca | 231 | #endif /* USE_WOLF_TM */ |
wolfSSL | 13:f67a6c6013ca | 232 | #if defined(USE_WOLF_TIME_T) |
wolfSSL | 13:f67a6c6013ca | 233 | typedef long time_t; |
wolfSSL | 13:f67a6c6013ca | 234 | #endif |
wolfSSL | 13:f67a6c6013ca | 235 | |
wolfSSL | 13:f67a6c6013ca | 236 | /* forward declarations */ |
wolfSSL | 13:f67a6c6013ca | 237 | #if defined(USER_TIME) |
wolfSSL | 13:f67a6c6013ca | 238 | struct tm* gmtime(const time_t* timer); |
wolfSSL | 13:f67a6c6013ca | 239 | extern time_t XTIME(time_t * timer); |
wolfSSL | 13:f67a6c6013ca | 240 | |
wolfSSL | 13:f67a6c6013ca | 241 | #ifdef STACK_TRAP |
wolfSSL | 13:f67a6c6013ca | 242 | /* for stack trap tracking, don't call os gmtime on OS X/linux, |
wolfSSL | 13:f67a6c6013ca | 243 | uses a lot of stack spce */ |
wolfSSL | 13:f67a6c6013ca | 244 | extern time_t time(time_t * timer); |
wolfSSL | 13:f67a6c6013ca | 245 | #define XTIME(tl) time((tl)) |
wolfSSL | 13:f67a6c6013ca | 246 | #endif /* STACK_TRAP */ |
wolfSSL | 13:f67a6c6013ca | 247 | |
wolfSSL | 13:f67a6c6013ca | 248 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 13:f67a6c6013ca | 249 | extern time_t XTIME(time_t * timer); |
wolfSSL | 13:f67a6c6013ca | 250 | extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp); |
wolfSSL | 13:f67a6c6013ca | 251 | #elif defined(WOLFSSL_GMTIME) |
wolfSSL | 13:f67a6c6013ca | 252 | struct tm* gmtime(const time_t* timer); |
wolfSSL | 13:f67a6c6013ca | 253 | #endif |
wolfSSL | 13:f67a6c6013ca | 254 | |
wolfSSL | 13:f67a6c6013ca | 255 | |
wolfSSL | 13:f67a6c6013ca | 256 | #if defined(_WIN32_WCE) |
wolfSSL | 13:f67a6c6013ca | 257 | time_t windows_time(time_t* timer) |
wolfSSL | 13:f67a6c6013ca | 258 | { |
wolfSSL | 13:f67a6c6013ca | 259 | SYSTEMTIME sysTime; |
wolfSSL | 13:f67a6c6013ca | 260 | FILETIME fTime; |
wolfSSL | 13:f67a6c6013ca | 261 | ULARGE_INTEGER intTime; |
wolfSSL | 13:f67a6c6013ca | 262 | time_t localTime; |
wolfSSL | 13:f67a6c6013ca | 263 | |
wolfSSL | 13:f67a6c6013ca | 264 | if (timer == NULL) |
wolfSSL | 13:f67a6c6013ca | 265 | timer = &localTime; |
wolfSSL | 13:f67a6c6013ca | 266 | |
wolfSSL | 13:f67a6c6013ca | 267 | GetSystemTime(&sysTime); |
wolfSSL | 13:f67a6c6013ca | 268 | SystemTimeToFileTime(&sysTime, &fTime); |
wolfSSL | 13:f67a6c6013ca | 269 | |
wolfSSL | 13:f67a6c6013ca | 270 | XMEMCPY(&intTime, &fTime, sizeof(FILETIME)); |
wolfSSL | 13:f67a6c6013ca | 271 | /* subtract EPOCH */ |
wolfSSL | 13:f67a6c6013ca | 272 | intTime.QuadPart -= 0x19db1ded53e8000; |
wolfSSL | 13:f67a6c6013ca | 273 | /* to secs */ |
wolfSSL | 13:f67a6c6013ca | 274 | intTime.QuadPart /= 10000000; |
wolfSSL | 13:f67a6c6013ca | 275 | *timer = (time_t)intTime.QuadPart; |
wolfSSL | 13:f67a6c6013ca | 276 | |
wolfSSL | 13:f67a6c6013ca | 277 | return *timer; |
wolfSSL | 13:f67a6c6013ca | 278 | } |
wolfSSL | 13:f67a6c6013ca | 279 | #endif /* _WIN32_WCE */ |
wolfSSL | 13:f67a6c6013ca | 280 | |
wolfSSL | 13:f67a6c6013ca | 281 | #if defined(WOLFSSL_GMTIME) |
wolfSSL | 13:f67a6c6013ca | 282 | struct tm* gmtime(const time_t* timer) |
wolfSSL | 13:f67a6c6013ca | 283 | { |
wolfSSL | 13:f67a6c6013ca | 284 | #define YEAR0 1900 |
wolfSSL | 13:f67a6c6013ca | 285 | #define EPOCH_YEAR 1970 |
wolfSSL | 13:f67a6c6013ca | 286 | #define SECS_DAY (24L * 60L * 60L) |
wolfSSL | 13:f67a6c6013ca | 287 | #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400))) |
wolfSSL | 13:f67a6c6013ca | 288 | #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365) |
wolfSSL | 13:f67a6c6013ca | 289 | |
wolfSSL | 13:f67a6c6013ca | 290 | static const int _ytab[2][12] = |
wolfSSL | 13:f67a6c6013ca | 291 | { |
wolfSSL | 13:f67a6c6013ca | 292 | {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}, |
wolfSSL | 13:f67a6c6013ca | 293 | {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31} |
wolfSSL | 13:f67a6c6013ca | 294 | }; |
wolfSSL | 13:f67a6c6013ca | 295 | |
wolfSSL | 13:f67a6c6013ca | 296 | static struct tm st_time; |
wolfSSL | 13:f67a6c6013ca | 297 | struct tm* ret = &st_time; |
wolfSSL | 13:f67a6c6013ca | 298 | time_t secs = *timer; |
wolfSSL | 13:f67a6c6013ca | 299 | unsigned long dayclock, dayno; |
wolfSSL | 13:f67a6c6013ca | 300 | int year = EPOCH_YEAR; |
wolfSSL | 13:f67a6c6013ca | 301 | |
wolfSSL | 13:f67a6c6013ca | 302 | dayclock = (unsigned long)secs % SECS_DAY; |
wolfSSL | 13:f67a6c6013ca | 303 | dayno = (unsigned long)secs / SECS_DAY; |
wolfSSL | 13:f67a6c6013ca | 304 | |
wolfSSL | 13:f67a6c6013ca | 305 | ret->tm_sec = (int) dayclock % 60; |
wolfSSL | 13:f67a6c6013ca | 306 | ret->tm_min = (int)(dayclock % 3600) / 60; |
wolfSSL | 13:f67a6c6013ca | 307 | ret->tm_hour = (int) dayclock / 3600; |
wolfSSL | 13:f67a6c6013ca | 308 | ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */ |
wolfSSL | 13:f67a6c6013ca | 309 | |
wolfSSL | 13:f67a6c6013ca | 310 | while(dayno >= (unsigned long)YEARSIZE(year)) { |
wolfSSL | 13:f67a6c6013ca | 311 | dayno -= YEARSIZE(year); |
wolfSSL | 13:f67a6c6013ca | 312 | year++; |
wolfSSL | 13:f67a6c6013ca | 313 | } |
wolfSSL | 13:f67a6c6013ca | 314 | |
wolfSSL | 13:f67a6c6013ca | 315 | ret->tm_year = year - YEAR0; |
wolfSSL | 13:f67a6c6013ca | 316 | ret->tm_yday = (int)dayno; |
wolfSSL | 13:f67a6c6013ca | 317 | ret->tm_mon = 0; |
wolfSSL | 13:f67a6c6013ca | 318 | |
wolfSSL | 13:f67a6c6013ca | 319 | while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) { |
wolfSSL | 13:f67a6c6013ca | 320 | dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon]; |
wolfSSL | 13:f67a6c6013ca | 321 | ret->tm_mon++; |
wolfSSL | 13:f67a6c6013ca | 322 | } |
wolfSSL | 13:f67a6c6013ca | 323 | |
wolfSSL | 13:f67a6c6013ca | 324 | ret->tm_mday = (int)++dayno; |
wolfSSL | 13:f67a6c6013ca | 325 | ret->tm_isdst = 0; |
wolfSSL | 13:f67a6c6013ca | 326 | |
wolfSSL | 13:f67a6c6013ca | 327 | return ret; |
wolfSSL | 13:f67a6c6013ca | 328 | } |
wolfSSL | 13:f67a6c6013ca | 329 | #endif /* WOLFSSL_GMTIME */ |
wolfSSL | 13:f67a6c6013ca | 330 | |
wolfSSL | 13:f67a6c6013ca | 331 | |
wolfSSL | 13:f67a6c6013ca | 332 | #if defined(HAVE_RTP_SYS) |
wolfSSL | 13:f67a6c6013ca | 333 | #define YEAR0 1900 |
wolfSSL | 13:f67a6c6013ca | 334 | |
wolfSSL | 13:f67a6c6013ca | 335 | struct tm* rtpsys_gmtime(const time_t* timer) /* has a gmtime() but hangs */ |
wolfSSL | 13:f67a6c6013ca | 336 | { |
wolfSSL | 13:f67a6c6013ca | 337 | static struct tm st_time; |
wolfSSL | 13:f67a6c6013ca | 338 | struct tm* ret = &st_time; |
wolfSSL | 13:f67a6c6013ca | 339 | |
wolfSSL | 13:f67a6c6013ca | 340 | DC_RTC_CALENDAR cal; |
wolfSSL | 13:f67a6c6013ca | 341 | dc_rtc_time_get(&cal, TRUE); |
wolfSSL | 13:f67a6c6013ca | 342 | |
wolfSSL | 13:f67a6c6013ca | 343 | ret->tm_year = cal.year - YEAR0; /* gm starts at 1900 */ |
wolfSSL | 13:f67a6c6013ca | 344 | ret->tm_mon = cal.month - 1; /* gm starts at 0 */ |
wolfSSL | 13:f67a6c6013ca | 345 | ret->tm_mday = cal.day; |
wolfSSL | 13:f67a6c6013ca | 346 | ret->tm_hour = cal.hour; |
wolfSSL | 13:f67a6c6013ca | 347 | ret->tm_min = cal.minute; |
wolfSSL | 13:f67a6c6013ca | 348 | ret->tm_sec = cal.second; |
wolfSSL | 13:f67a6c6013ca | 349 | |
wolfSSL | 13:f67a6c6013ca | 350 | return ret; |
wolfSSL | 13:f67a6c6013ca | 351 | } |
wolfSSL | 13:f67a6c6013ca | 352 | |
wolfSSL | 13:f67a6c6013ca | 353 | #endif /* HAVE_RTP_SYS */ |
wolfSSL | 13:f67a6c6013ca | 354 | |
wolfSSL | 13:f67a6c6013ca | 355 | |
wolfSSL | 13:f67a6c6013ca | 356 | #if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP) |
wolfSSL | 13:f67a6c6013ca | 357 | |
wolfSSL | 13:f67a6c6013ca | 358 | /* |
wolfSSL | 13:f67a6c6013ca | 359 | * time() is just a stub in Microchip libraries. We need our own |
wolfSSL | 13:f67a6c6013ca | 360 | * implementation. Use SNTP client to get seconds since epoch. |
wolfSSL | 13:f67a6c6013ca | 361 | */ |
wolfSSL | 13:f67a6c6013ca | 362 | time_t pic32_time(time_t* timer) |
wolfSSL | 13:f67a6c6013ca | 363 | { |
wolfSSL | 13:f67a6c6013ca | 364 | #ifdef MICROCHIP_TCPIP_V5 |
wolfSSL | 13:f67a6c6013ca | 365 | DWORD sec = 0; |
wolfSSL | 13:f67a6c6013ca | 366 | #else |
wolfSSL | 13:f67a6c6013ca | 367 | uint32_t sec = 0; |
wolfSSL | 13:f67a6c6013ca | 368 | #endif |
wolfSSL | 13:f67a6c6013ca | 369 | time_t localTime; |
wolfSSL | 13:f67a6c6013ca | 370 | |
wolfSSL | 13:f67a6c6013ca | 371 | if (timer == NULL) |
wolfSSL | 13:f67a6c6013ca | 372 | timer = &localTime; |
wolfSSL | 13:f67a6c6013ca | 373 | |
wolfSSL | 13:f67a6c6013ca | 374 | #ifdef MICROCHIP_MPLAB_HARMONY |
wolfSSL | 13:f67a6c6013ca | 375 | sec = TCPIP_SNTP_UTCSecondsGet(); |
wolfSSL | 13:f67a6c6013ca | 376 | #else |
wolfSSL | 13:f67a6c6013ca | 377 | sec = SNTPGetUTCSeconds(); |
wolfSSL | 13:f67a6c6013ca | 378 | #endif |
wolfSSL | 13:f67a6c6013ca | 379 | *timer = (time_t) sec; |
wolfSSL | 13:f67a6c6013ca | 380 | |
wolfSSL | 13:f67a6c6013ca | 381 | return *timer; |
wolfSSL | 13:f67a6c6013ca | 382 | } |
wolfSSL | 13:f67a6c6013ca | 383 | |
wolfSSL | 13:f67a6c6013ca | 384 | #endif /* MICROCHIP_TCPIP || MICROCHIP_TCPIP_V5 */ |
wolfSSL | 13:f67a6c6013ca | 385 | |
wolfSSL | 13:f67a6c6013ca | 386 | |
wolfSSL | 13:f67a6c6013ca | 387 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 13:f67a6c6013ca | 388 | |
wolfSSL | 13:f67a6c6013ca | 389 | time_t mqx_time(time_t* timer) |
wolfSSL | 13:f67a6c6013ca | 390 | { |
wolfSSL | 13:f67a6c6013ca | 391 | time_t localTime; |
wolfSSL | 13:f67a6c6013ca | 392 | TIME_STRUCT time_s; |
wolfSSL | 13:f67a6c6013ca | 393 | |
wolfSSL | 13:f67a6c6013ca | 394 | if (timer == NULL) |
wolfSSL | 13:f67a6c6013ca | 395 | timer = &localTime; |
wolfSSL | 13:f67a6c6013ca | 396 | |
wolfSSL | 13:f67a6c6013ca | 397 | _time_get(&time_s); |
wolfSSL | 13:f67a6c6013ca | 398 | *timer = (time_t) time_s.SECONDS; |
wolfSSL | 13:f67a6c6013ca | 399 | |
wolfSSL | 13:f67a6c6013ca | 400 | return *timer; |
wolfSSL | 13:f67a6c6013ca | 401 | } |
wolfSSL | 13:f67a6c6013ca | 402 | |
wolfSSL | 13:f67a6c6013ca | 403 | #endif /* FREESCALE_MQX || FREESCALE_KSDK_MQX */ |
wolfSSL | 13:f67a6c6013ca | 404 | |
wolfSSL | 13:f67a6c6013ca | 405 | |
wolfSSL | 13:f67a6c6013ca | 406 | #if defined(WOLFSSL_TIRTOS) |
wolfSSL | 13:f67a6c6013ca | 407 | |
wolfSSL | 13:f67a6c6013ca | 408 | time_t XTIME(time_t * timer) |
wolfSSL | 13:f67a6c6013ca | 409 | { |
wolfSSL | 13:f67a6c6013ca | 410 | time_t sec = 0; |
wolfSSL | 13:f67a6c6013ca | 411 | |
wolfSSL | 13:f67a6c6013ca | 412 | sec = (time_t) Seconds_get(); |
wolfSSL | 13:f67a6c6013ca | 413 | |
wolfSSL | 13:f67a6c6013ca | 414 | if (timer != NULL) |
wolfSSL | 13:f67a6c6013ca | 415 | *timer = sec; |
wolfSSL | 13:f67a6c6013ca | 416 | |
wolfSSL | 13:f67a6c6013ca | 417 | return sec; |
wolfSSL | 13:f67a6c6013ca | 418 | } |
wolfSSL | 13:f67a6c6013ca | 419 | |
wolfSSL | 13:f67a6c6013ca | 420 | #endif /* WOLFSSL_TIRTOS */ |
wolfSSL | 13:f67a6c6013ca | 421 | |
wolfSSL | 13:f67a6c6013ca | 422 | |
wolfSSL | 13:f67a6c6013ca | 423 | #if defined(WOLFSSL_XILINX) |
wolfSSL | 13:f67a6c6013ca | 424 | #include "xrtcpsu.h" |
wolfSSL | 13:f67a6c6013ca | 425 | |
wolfSSL | 13:f67a6c6013ca | 426 | time_t XTIME(time_t * timer) |
wolfSSL | 13:f67a6c6013ca | 427 | { |
wolfSSL | 13:f67a6c6013ca | 428 | time_t sec = 0; |
wolfSSL | 13:f67a6c6013ca | 429 | XRtcPsu_Config* con; |
wolfSSL | 13:f67a6c6013ca | 430 | XRtcPsu rtc; |
wolfSSL | 13:f67a6c6013ca | 431 | |
wolfSSL | 13:f67a6c6013ca | 432 | con = XRtcPsu_LookupConfig(XPAR_XRTCPSU_0_DEVICE_ID); |
wolfSSL | 13:f67a6c6013ca | 433 | if (con != NULL) { |
wolfSSL | 13:f67a6c6013ca | 434 | if (XRtcPsu_CfgInitialize(&rtc, con, con->BaseAddr) == XST_SUCCESS) { |
wolfSSL | 13:f67a6c6013ca | 435 | sec = (time_t)XRtcPsu_GetCurrentTime(&rtc); |
wolfSSL | 13:f67a6c6013ca | 436 | } |
wolfSSL | 13:f67a6c6013ca | 437 | else { |
wolfSSL | 13:f67a6c6013ca | 438 | WOLFSSL_MSG("Unable to initialize RTC"); |
wolfSSL | 13:f67a6c6013ca | 439 | } |
wolfSSL | 13:f67a6c6013ca | 440 | } |
wolfSSL | 13:f67a6c6013ca | 441 | |
wolfSSL | 13:f67a6c6013ca | 442 | if (timer != NULL) |
wolfSSL | 13:f67a6c6013ca | 443 | *timer = sec; |
wolfSSL | 13:f67a6c6013ca | 444 | |
wolfSSL | 13:f67a6c6013ca | 445 | return sec; |
wolfSSL | 13:f67a6c6013ca | 446 | } |
wolfSSL | 13:f67a6c6013ca | 447 | |
wolfSSL | 13:f67a6c6013ca | 448 | #endif /* WOLFSSL_TIRTOS */ |
wolfSSL | 13:f67a6c6013ca | 449 | |
wolfSSL | 13:f67a6c6013ca | 450 | |
wolfSSL | 13:f67a6c6013ca | 451 | static INLINE word32 btoi(byte b) |
wolfSSL | 13:f67a6c6013ca | 452 | { |
wolfSSL | 13:f67a6c6013ca | 453 | return (word32)(b - 0x30); |
wolfSSL | 13:f67a6c6013ca | 454 | } |
wolfSSL | 13:f67a6c6013ca | 455 | |
wolfSSL | 13:f67a6c6013ca | 456 | |
wolfSSL | 13:f67a6c6013ca | 457 | /* two byte date/time, add to value */ |
wolfSSL | 13:f67a6c6013ca | 458 | static INLINE void GetTime(int* value, const byte* date, int* idx) |
wolfSSL | 13:f67a6c6013ca | 459 | { |
wolfSSL | 13:f67a6c6013ca | 460 | int i = *idx; |
wolfSSL | 13:f67a6c6013ca | 461 | |
wolfSSL | 13:f67a6c6013ca | 462 | *value += btoi(date[i++]) * 10; |
wolfSSL | 13:f67a6c6013ca | 463 | *value += btoi(date[i++]); |
wolfSSL | 13:f67a6c6013ca | 464 | |
wolfSSL | 13:f67a6c6013ca | 465 | *idx = i; |
wolfSSL | 13:f67a6c6013ca | 466 | } |
wolfSSL | 13:f67a6c6013ca | 467 | |
wolfSSL | 13:f67a6c6013ca | 468 | |
wolfSSL | 13:f67a6c6013ca | 469 | #if defined(MICRIUM) |
wolfSSL | 13:f67a6c6013ca | 470 | |
wolfSSL | 13:f67a6c6013ca | 471 | CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format, |
wolfSSL | 13:f67a6c6013ca | 472 | CPU_INT08U dateType) |
wolfSSL | 13:f67a6c6013ca | 473 | { |
wolfSSL | 13:f67a6c6013ca | 474 | CPU_BOOLEAN rtn_code; |
wolfSSL | 13:f67a6c6013ca | 475 | CPU_INT32S i; |
wolfSSL | 13:f67a6c6013ca | 476 | CPU_INT32S val; |
wolfSSL | 13:f67a6c6013ca | 477 | CPU_INT16U year; |
wolfSSL | 13:f67a6c6013ca | 478 | CPU_INT08U month; |
wolfSSL | 13:f67a6c6013ca | 479 | CPU_INT16U day; |
wolfSSL | 13:f67a6c6013ca | 480 | CPU_INT08U hour; |
wolfSSL | 13:f67a6c6013ca | 481 | CPU_INT08U min; |
wolfSSL | 13:f67a6c6013ca | 482 | CPU_INT08U sec; |
wolfSSL | 13:f67a6c6013ca | 483 | |
wolfSSL | 13:f67a6c6013ca | 484 | i = 0; |
wolfSSL | 13:f67a6c6013ca | 485 | year = 0u; |
wolfSSL | 13:f67a6c6013ca | 486 | |
wolfSSL | 13:f67a6c6013ca | 487 | if (format == ASN_UTC_TIME) { |
wolfSSL | 13:f67a6c6013ca | 488 | if (btoi(date[0]) >= 5) |
wolfSSL | 13:f67a6c6013ca | 489 | year = 1900; |
wolfSSL | 13:f67a6c6013ca | 490 | else |
wolfSSL | 13:f67a6c6013ca | 491 | year = 2000; |
wolfSSL | 13:f67a6c6013ca | 492 | } |
wolfSSL | 13:f67a6c6013ca | 493 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 13:f67a6c6013ca | 494 | year += btoi(date[i++]) * 1000; |
wolfSSL | 13:f67a6c6013ca | 495 | year += btoi(date[i++]) * 100; |
wolfSSL | 13:f67a6c6013ca | 496 | } |
wolfSSL | 13:f67a6c6013ca | 497 | |
wolfSSL | 13:f67a6c6013ca | 498 | val = year; |
wolfSSL | 13:f67a6c6013ca | 499 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 500 | year = (CPU_INT16U)val; |
wolfSSL | 13:f67a6c6013ca | 501 | |
wolfSSL | 13:f67a6c6013ca | 502 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 503 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 504 | month = (CPU_INT08U)val; |
wolfSSL | 13:f67a6c6013ca | 505 | |
wolfSSL | 13:f67a6c6013ca | 506 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 507 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 508 | day = (CPU_INT16U)val; |
wolfSSL | 13:f67a6c6013ca | 509 | |
wolfSSL | 13:f67a6c6013ca | 510 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 511 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 512 | hour = (CPU_INT08U)val; |
wolfSSL | 13:f67a6c6013ca | 513 | |
wolfSSL | 13:f67a6c6013ca | 514 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 515 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 516 | min = (CPU_INT08U)val; |
wolfSSL | 13:f67a6c6013ca | 517 | |
wolfSSL | 13:f67a6c6013ca | 518 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 519 | GetTime(&val, date, &i); |
wolfSSL | 13:f67a6c6013ca | 520 | sec = (CPU_INT08U)val; |
wolfSSL | 13:f67a6c6013ca | 521 | |
wolfSSL | 13:f67a6c6013ca | 522 | return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType); |
wolfSSL | 13:f67a6c6013ca | 523 | } |
wolfSSL | 13:f67a6c6013ca | 524 | |
wolfSSL | 13:f67a6c6013ca | 525 | #endif /* MICRIUM */ |
wolfSSL | 13:f67a6c6013ca | 526 | |
wolfSSL | 13:f67a6c6013ca | 527 | |
wolfSSL | 13:f67a6c6013ca | 528 | #if defined(IDIRECT_DEV_TIME) |
wolfSSL | 13:f67a6c6013ca | 529 | |
wolfSSL | 13:f67a6c6013ca | 530 | extern time_t getTimestamp(); |
wolfSSL | 13:f67a6c6013ca | 531 | |
wolfSSL | 13:f67a6c6013ca | 532 | time_t idirect_time(time_t * timer) |
wolfSSL | 13:f67a6c6013ca | 533 | { |
wolfSSL | 13:f67a6c6013ca | 534 | time_t sec = getTimestamp(); |
wolfSSL | 13:f67a6c6013ca | 535 | |
wolfSSL | 13:f67a6c6013ca | 536 | if (timer != NULL) |
wolfSSL | 13:f67a6c6013ca | 537 | *timer = sec; |
wolfSSL | 13:f67a6c6013ca | 538 | |
wolfSSL | 13:f67a6c6013ca | 539 | return sec; |
wolfSSL | 13:f67a6c6013ca | 540 | } |
wolfSSL | 13:f67a6c6013ca | 541 | |
wolfSSL | 13:f67a6c6013ca | 542 | #endif /* IDIRECT_DEV_TIME */ |
wolfSSL | 13:f67a6c6013ca | 543 | |
wolfSSL | 13:f67a6c6013ca | 544 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 13:f67a6c6013ca | 545 | |
wolfSSL | 13:f67a6c6013ca | 546 | |
wolfSSL | 13:f67a6c6013ca | 547 | WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 548 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 549 | { |
wolfSSL | 13:f67a6c6013ca | 550 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 551 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 552 | byte b; |
wolfSSL | 13:f67a6c6013ca | 553 | |
wolfSSL | 13:f67a6c6013ca | 554 | *len = 0; /* default length */ |
wolfSSL | 13:f67a6c6013ca | 555 | |
wolfSSL | 13:f67a6c6013ca | 556 | if ((idx + 1) > maxIdx) { /* for first read */ |
wolfSSL | 13:f67a6c6013ca | 557 | WOLFSSL_MSG("GetLength bad index on input"); |
wolfSSL | 13:f67a6c6013ca | 558 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 559 | } |
wolfSSL | 13:f67a6c6013ca | 560 | |
wolfSSL | 13:f67a6c6013ca | 561 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 562 | if (b >= ASN_LONG_LENGTH) { |
wolfSSL | 13:f67a6c6013ca | 563 | word32 bytes = b & 0x7F; |
wolfSSL | 13:f67a6c6013ca | 564 | |
wolfSSL | 13:f67a6c6013ca | 565 | if ((idx + bytes) > maxIdx) { /* for reading bytes */ |
wolfSSL | 13:f67a6c6013ca | 566 | WOLFSSL_MSG("GetLength bad long length"); |
wolfSSL | 13:f67a6c6013ca | 567 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 568 | } |
wolfSSL | 13:f67a6c6013ca | 569 | |
wolfSSL | 13:f67a6c6013ca | 570 | while (bytes--) { |
wolfSSL | 13:f67a6c6013ca | 571 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 572 | length = (length << 8) | b; |
wolfSSL | 13:f67a6c6013ca | 573 | } |
wolfSSL | 13:f67a6c6013ca | 574 | } |
wolfSSL | 13:f67a6c6013ca | 575 | else |
wolfSSL | 13:f67a6c6013ca | 576 | length = b; |
wolfSSL | 13:f67a6c6013ca | 577 | |
wolfSSL | 13:f67a6c6013ca | 578 | if ((idx + length) > maxIdx) { /* for user of length */ |
wolfSSL | 13:f67a6c6013ca | 579 | WOLFSSL_MSG("GetLength value exceeds buffer length"); |
wolfSSL | 13:f67a6c6013ca | 580 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 581 | } |
wolfSSL | 13:f67a6c6013ca | 582 | |
wolfSSL | 13:f67a6c6013ca | 583 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 584 | if (length > 0) |
wolfSSL | 13:f67a6c6013ca | 585 | *len = length; |
wolfSSL | 13:f67a6c6013ca | 586 | |
wolfSSL | 13:f67a6c6013ca | 587 | return length; |
wolfSSL | 13:f67a6c6013ca | 588 | } |
wolfSSL | 13:f67a6c6013ca | 589 | |
wolfSSL | 13:f67a6c6013ca | 590 | |
wolfSSL | 13:f67a6c6013ca | 591 | /* Get the DER/BER encoding of an ASN.1 header. |
wolfSSL | 13:f67a6c6013ca | 592 | * |
wolfSSL | 13:f67a6c6013ca | 593 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 594 | * tag ASN.1 tag value expected in header. |
wolfSSL | 13:f67a6c6013ca | 595 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 596 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 13:f67a6c6013ca | 597 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 598 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 599 | * ASN_PARSE_E when the expected tag is not found or length is invalid. |
wolfSSL | 13:f67a6c6013ca | 600 | * Otherwise, the number of bytes in the ASN.1 data. |
wolfSSL | 13:f67a6c6013ca | 601 | */ |
wolfSSL | 13:f67a6c6013ca | 602 | static int GetASNHeader(const byte* input, byte tag, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 603 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 604 | { |
wolfSSL | 13:f67a6c6013ca | 605 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 606 | byte b; |
wolfSSL | 13:f67a6c6013ca | 607 | int length; |
wolfSSL | 13:f67a6c6013ca | 608 | |
wolfSSL | 13:f67a6c6013ca | 609 | if ((idx + 1) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 610 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 611 | |
wolfSSL | 13:f67a6c6013ca | 612 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 613 | if (b != tag) |
wolfSSL | 13:f67a6c6013ca | 614 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 615 | |
wolfSSL | 13:f67a6c6013ca | 616 | if (GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 617 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 618 | |
wolfSSL | 13:f67a6c6013ca | 619 | *len = length; |
wolfSSL | 13:f67a6c6013ca | 620 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 621 | return length; |
wolfSSL | 13:f67a6c6013ca | 622 | } |
wolfSSL | 13:f67a6c6013ca | 623 | |
wolfSSL | 13:f67a6c6013ca | 624 | WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 625 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 626 | { |
wolfSSL | 13:f67a6c6013ca | 627 | return GetASNHeader(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 13:f67a6c6013ca | 628 | maxIdx); |
wolfSSL | 13:f67a6c6013ca | 629 | } |
wolfSSL | 13:f67a6c6013ca | 630 | |
wolfSSL | 13:f67a6c6013ca | 631 | |
wolfSSL | 13:f67a6c6013ca | 632 | WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 633 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 634 | { |
wolfSSL | 13:f67a6c6013ca | 635 | return GetASNHeader(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len, |
wolfSSL | 13:f67a6c6013ca | 636 | maxIdx); |
wolfSSL | 13:f67a6c6013ca | 637 | } |
wolfSSL | 13:f67a6c6013ca | 638 | |
wolfSSL | 13:f67a6c6013ca | 639 | /* Get the DER/BER encoded ASN.1 NULL element. |
wolfSSL | 13:f67a6c6013ca | 640 | * Ensure that the all fields are as expected and move index past the element. |
wolfSSL | 13:f67a6c6013ca | 641 | * |
wolfSSL | 13:f67a6c6013ca | 642 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 643 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 644 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 645 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 646 | * ASN_TAG_NULL_E when the NULL tag is not found. |
wolfSSL | 13:f67a6c6013ca | 647 | * ASN_EXPECT_0_E when the length is not zero. |
wolfSSL | 13:f67a6c6013ca | 648 | * Otherwise, 0 to indicate success. |
wolfSSL | 13:f67a6c6013ca | 649 | */ |
wolfSSL | 13:f67a6c6013ca | 650 | static int GetASNNull(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 651 | { |
wolfSSL | 13:f67a6c6013ca | 652 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 653 | byte b; |
wolfSSL | 13:f67a6c6013ca | 654 | |
wolfSSL | 13:f67a6c6013ca | 655 | if ((idx + 2) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 656 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 657 | |
wolfSSL | 13:f67a6c6013ca | 658 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 659 | if (b != ASN_TAG_NULL) |
wolfSSL | 13:f67a6c6013ca | 660 | return ASN_TAG_NULL_E; |
wolfSSL | 13:f67a6c6013ca | 661 | |
wolfSSL | 13:f67a6c6013ca | 662 | if (input[idx++] != 0) |
wolfSSL | 13:f67a6c6013ca | 663 | return ASN_EXPECT_0_E; |
wolfSSL | 13:f67a6c6013ca | 664 | |
wolfSSL | 13:f67a6c6013ca | 665 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 666 | return 0; |
wolfSSL | 13:f67a6c6013ca | 667 | } |
wolfSSL | 13:f67a6c6013ca | 668 | |
wolfSSL | 13:f67a6c6013ca | 669 | /* Set the DER/BER encoding of the ASN.1 NULL element. |
wolfSSL | 13:f67a6c6013ca | 670 | * |
wolfSSL | 13:f67a6c6013ca | 671 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 672 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 673 | */ |
wolfSSL | 13:f67a6c6013ca | 674 | static int SetASNNull(byte* output) |
wolfSSL | 13:f67a6c6013ca | 675 | { |
wolfSSL | 13:f67a6c6013ca | 676 | output[0] = ASN_TAG_NULL; |
wolfSSL | 13:f67a6c6013ca | 677 | output[1] = 0; |
wolfSSL | 13:f67a6c6013ca | 678 | |
wolfSSL | 13:f67a6c6013ca | 679 | return 2; |
wolfSSL | 13:f67a6c6013ca | 680 | } |
wolfSSL | 13:f67a6c6013ca | 681 | |
wolfSSL | 13:f67a6c6013ca | 682 | /* Get the DER/BER encoding of an ASN.1 BOOLEAN. |
wolfSSL | 13:f67a6c6013ca | 683 | * |
wolfSSL | 13:f67a6c6013ca | 684 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 685 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 686 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 687 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 688 | * ASN_PARSE_E when the BOOLEAN tag is not found or length is not 1. |
wolfSSL | 13:f67a6c6013ca | 689 | * Otherwise, 0 to indicate the value was false and 1 to indicate true. |
wolfSSL | 13:f67a6c6013ca | 690 | */ |
wolfSSL | 13:f67a6c6013ca | 691 | static int GetBoolean(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 692 | { |
wolfSSL | 13:f67a6c6013ca | 693 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 694 | byte b; |
wolfSSL | 13:f67a6c6013ca | 695 | |
wolfSSL | 13:f67a6c6013ca | 696 | if ((idx + 3) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 697 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 698 | |
wolfSSL | 13:f67a6c6013ca | 699 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 700 | if (b != ASN_BOOLEAN) |
wolfSSL | 13:f67a6c6013ca | 701 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 702 | |
wolfSSL | 13:f67a6c6013ca | 703 | if (input[idx++] != 1) |
wolfSSL | 13:f67a6c6013ca | 704 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 705 | |
wolfSSL | 13:f67a6c6013ca | 706 | b = input[idx++] != 0; |
wolfSSL | 13:f67a6c6013ca | 707 | |
wolfSSL | 13:f67a6c6013ca | 708 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 709 | return b; |
wolfSSL | 13:f67a6c6013ca | 710 | } |
wolfSSL | 13:f67a6c6013ca | 711 | |
wolfSSL | 13:f67a6c6013ca | 712 | #ifdef ASN1_SET_BOOLEAN |
wolfSSL | 13:f67a6c6013ca | 713 | /* Set the DER/BER encoding of the ASN.1 NULL element. |
wolfSSL | 13:f67a6c6013ca | 714 | * Note: Function not required as yet. |
wolfSSL | 13:f67a6c6013ca | 715 | * |
wolfSSL | 13:f67a6c6013ca | 716 | * val Boolean value to encode. |
wolfSSL | 13:f67a6c6013ca | 717 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 718 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 719 | */ |
wolfSSL | 13:f67a6c6013ca | 720 | static int SetBoolean(int val, byte* output) |
wolfSSL | 13:f67a6c6013ca | 721 | { |
wolfSSL | 13:f67a6c6013ca | 722 | output[0] = ASN_BOOLEAN; |
wolfSSL | 13:f67a6c6013ca | 723 | output[1] = 1; |
wolfSSL | 13:f67a6c6013ca | 724 | output[2] = val ? -1 : 0; |
wolfSSL | 13:f67a6c6013ca | 725 | |
wolfSSL | 13:f67a6c6013ca | 726 | return 3; |
wolfSSL | 13:f67a6c6013ca | 727 | } |
wolfSSL | 13:f67a6c6013ca | 728 | #endif |
wolfSSL | 13:f67a6c6013ca | 729 | |
wolfSSL | 13:f67a6c6013ca | 730 | /* Get the DER/BER encoding of an ASN.1 OCTET_STRING header. |
wolfSSL | 13:f67a6c6013ca | 731 | * |
wolfSSL | 13:f67a6c6013ca | 732 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 733 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 734 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 13:f67a6c6013ca | 735 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 736 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 737 | * ASN_PARSE_E when the OCTET_STRING tag is not found or length is |
wolfSSL | 13:f67a6c6013ca | 738 | * invalid. |
wolfSSL | 13:f67a6c6013ca | 739 | * Otherwise, the number of bytes in the ASN.1 data. |
wolfSSL | 13:f67a6c6013ca | 740 | */ |
wolfSSL | 13:f67a6c6013ca | 741 | static int GetOctetString(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 742 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 743 | { |
wolfSSL | 13:f67a6c6013ca | 744 | return GetASNHeader(input, ASN_OCTET_STRING, inOutIdx, len, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 745 | } |
wolfSSL | 13:f67a6c6013ca | 746 | |
wolfSSL | 13:f67a6c6013ca | 747 | /* Get the DER/BER encoding of an ASN.1 INTEGER header. |
wolfSSL | 13:f67a6c6013ca | 748 | * Removes the leading zero byte when found. |
wolfSSL | 13:f67a6c6013ca | 749 | * |
wolfSSL | 13:f67a6c6013ca | 750 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 751 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 752 | * len The number of bytes in the ASN.1 data (excluding any leading zero). |
wolfSSL | 13:f67a6c6013ca | 753 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 754 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 755 | * ASN_PARSE_E when the INTEGER tag is not found, length is invalid, |
wolfSSL | 13:f67a6c6013ca | 756 | * or invalid use of or missing leading zero. |
wolfSSL | 13:f67a6c6013ca | 757 | * Otherwise, 0 to indicate success. |
wolfSSL | 13:f67a6c6013ca | 758 | */ |
wolfSSL | 13:f67a6c6013ca | 759 | static int GetASNInt(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 760 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 761 | { |
wolfSSL | 13:f67a6c6013ca | 762 | int ret; |
wolfSSL | 13:f67a6c6013ca | 763 | |
wolfSSL | 13:f67a6c6013ca | 764 | ret = GetASNHeader(input, ASN_INTEGER, inOutIdx, len, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 765 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 766 | return ret; |
wolfSSL | 13:f67a6c6013ca | 767 | |
wolfSSL | 13:f67a6c6013ca | 768 | if (*len > 0) { |
wolfSSL | 13:f67a6c6013ca | 769 | /* remove leading zero, unless there is only one 0x00 byte */ |
wolfSSL | 13:f67a6c6013ca | 770 | if ((input[*inOutIdx] == 0x00) && (*len > 1)) { |
wolfSSL | 13:f67a6c6013ca | 771 | (*inOutIdx)++; |
wolfSSL | 13:f67a6c6013ca | 772 | (*len)--; |
wolfSSL | 13:f67a6c6013ca | 773 | |
wolfSSL | 13:f67a6c6013ca | 774 | if (*len > 0 && (input[*inOutIdx] & 0x80) == 0) |
wolfSSL | 13:f67a6c6013ca | 775 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 776 | } |
wolfSSL | 13:f67a6c6013ca | 777 | else if ((input[*inOutIdx] & 0x80) == 0x80) |
wolfSSL | 13:f67a6c6013ca | 778 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 779 | } |
wolfSSL | 13:f67a6c6013ca | 780 | |
wolfSSL | 13:f67a6c6013ca | 781 | return 0; |
wolfSSL | 13:f67a6c6013ca | 782 | } |
wolfSSL | 13:f67a6c6013ca | 783 | |
wolfSSL | 13:f67a6c6013ca | 784 | /* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than |
wolfSSL | 13:f67a6c6013ca | 785 | * 7 bits. |
wolfSSL | 13:f67a6c6013ca | 786 | * |
wolfSSL | 13:f67a6c6013ca | 787 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 788 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 789 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 790 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 791 | * ASN_PARSE_E when the INTEGER tag is not found or length is invalid. |
wolfSSL | 13:f67a6c6013ca | 792 | * Otherwise, the 7-bit value. |
wolfSSL | 13:f67a6c6013ca | 793 | */ |
wolfSSL | 13:f67a6c6013ca | 794 | static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 795 | { |
wolfSSL | 13:f67a6c6013ca | 796 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 797 | byte b; |
wolfSSL | 13:f67a6c6013ca | 798 | |
wolfSSL | 13:f67a6c6013ca | 799 | if ((idx + 3) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 800 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 801 | |
wolfSSL | 13:f67a6c6013ca | 802 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 13:f67a6c6013ca | 803 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 804 | if (input[idx++] != 1) |
wolfSSL | 13:f67a6c6013ca | 805 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 806 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 807 | |
wolfSSL | 13:f67a6c6013ca | 808 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 809 | return b; |
wolfSSL | 13:f67a6c6013ca | 810 | } |
wolfSSL | 13:f67a6c6013ca | 811 | |
wolfSSL | 13:f67a6c6013ca | 812 | #if !defined(NO_DSA) || defined(HAVE_ECC) || (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))) |
wolfSSL | 13:f67a6c6013ca | 813 | /* Set the DER/BER encoding of the ASN.1 INTEGER header. |
wolfSSL | 13:f67a6c6013ca | 814 | * |
wolfSSL | 13:f67a6c6013ca | 815 | * len Length of data to encode. |
wolfSSL | 13:f67a6c6013ca | 816 | * firstByte First byte of data, most significant byte of integer, to encode. |
wolfSSL | 13:f67a6c6013ca | 817 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 818 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 819 | */ |
wolfSSL | 13:f67a6c6013ca | 820 | static int SetASNInt(int len, byte firstByte, byte* output) |
wolfSSL | 13:f67a6c6013ca | 821 | { |
wolfSSL | 13:f67a6c6013ca | 822 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 823 | |
wolfSSL | 13:f67a6c6013ca | 824 | output[idx++] = ASN_INTEGER; |
wolfSSL | 13:f67a6c6013ca | 825 | if (firstByte & 0x80) |
wolfSSL | 13:f67a6c6013ca | 826 | len++; |
wolfSSL | 13:f67a6c6013ca | 827 | idx += SetLength(len, output + idx); |
wolfSSL | 13:f67a6c6013ca | 828 | if (firstByte & 0x80) |
wolfSSL | 13:f67a6c6013ca | 829 | output[idx++] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 830 | |
wolfSSL | 13:f67a6c6013ca | 831 | return idx; |
wolfSSL | 13:f67a6c6013ca | 832 | } |
wolfSSL | 13:f67a6c6013ca | 833 | #endif |
wolfSSL | 13:f67a6c6013ca | 834 | |
wolfSSL | 13:f67a6c6013ca | 835 | #if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)) |
wolfSSL | 13:f67a6c6013ca | 836 | /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int. |
wolfSSL | 13:f67a6c6013ca | 837 | * The number is assumed to be positive. |
wolfSSL | 13:f67a6c6013ca | 838 | * |
wolfSSL | 13:f67a6c6013ca | 839 | * n Multi-precision integer to encode. |
wolfSSL | 13:f67a6c6013ca | 840 | * maxSz Maximum size of the encoded integer. |
wolfSSL | 13:f67a6c6013ca | 841 | * A negative value indicates no check of length requested. |
wolfSSL | 13:f67a6c6013ca | 842 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 843 | * returns BUFFER_E when the data is too long for the buffer. |
wolfSSL | 13:f67a6c6013ca | 844 | * MP_TO_E when encoding the integer fails. |
wolfSSL | 13:f67a6c6013ca | 845 | * Otherwise, the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 846 | */ |
wolfSSL | 13:f67a6c6013ca | 847 | static int SetASNIntMP(mp_int* n, int maxSz, byte* output) |
wolfSSL | 13:f67a6c6013ca | 848 | { |
wolfSSL | 13:f67a6c6013ca | 849 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 850 | int leadingBit; |
wolfSSL | 13:f67a6c6013ca | 851 | int length; |
wolfSSL | 13:f67a6c6013ca | 852 | int err; |
wolfSSL | 13:f67a6c6013ca | 853 | |
wolfSSL | 13:f67a6c6013ca | 854 | leadingBit = mp_leading_bit(n); |
wolfSSL | 13:f67a6c6013ca | 855 | length = mp_unsigned_bin_size(n); |
wolfSSL | 13:f67a6c6013ca | 856 | idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output); |
wolfSSL | 13:f67a6c6013ca | 857 | if (maxSz >= 0 && (idx + length) > maxSz) |
wolfSSL | 13:f67a6c6013ca | 858 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 859 | |
wolfSSL | 13:f67a6c6013ca | 860 | err = mp_to_unsigned_bin(n, output + idx); |
wolfSSL | 13:f67a6c6013ca | 861 | if (err != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 862 | return MP_TO_E; |
wolfSSL | 13:f67a6c6013ca | 863 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 864 | |
wolfSSL | 13:f67a6c6013ca | 865 | return idx; |
wolfSSL | 13:f67a6c6013ca | 866 | } |
wolfSSL | 13:f67a6c6013ca | 867 | #endif |
wolfSSL | 13:f67a6c6013ca | 868 | |
wolfSSL | 13:f67a6c6013ca | 869 | #if !defined(NO_RSA) && defined(HAVE_USER_RSA) && defined(WOLFSSL_CERT_GEN) |
wolfSSL | 13:f67a6c6013ca | 870 | /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int from |
wolfSSL | 13:f67a6c6013ca | 871 | * an RSA key. |
wolfSSL | 13:f67a6c6013ca | 872 | * The number is assumed to be positive. |
wolfSSL | 13:f67a6c6013ca | 873 | * |
wolfSSL | 13:f67a6c6013ca | 874 | * n Multi-precision integer to encode. |
wolfSSL | 13:f67a6c6013ca | 875 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 876 | * returns BUFFER_E when the data is too long for the buffer. |
wolfSSL | 13:f67a6c6013ca | 877 | * MP_TO_E when encoding the integer fails. |
wolfSSL | 13:f67a6c6013ca | 878 | * Otherwise, the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 879 | */ |
wolfSSL | 13:f67a6c6013ca | 880 | static int SetASNIntRSA(mp_int* n, byte* output) |
wolfSSL | 13:f67a6c6013ca | 881 | { |
wolfSSL | 13:f67a6c6013ca | 882 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 883 | int leadingBit; |
wolfSSL | 13:f67a6c6013ca | 884 | int length; |
wolfSSL | 13:f67a6c6013ca | 885 | int err; |
wolfSSL | 13:f67a6c6013ca | 886 | |
wolfSSL | 13:f67a6c6013ca | 887 | leadingBit = wc_Rsa_leading_bit(n); |
wolfSSL | 13:f67a6c6013ca | 888 | length = wc_Rsa_unsigned_bin_size(n); |
wolfSSL | 13:f67a6c6013ca | 889 | idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output); |
wolfSSL | 13:f67a6c6013ca | 890 | if ((idx + length) > MAX_RSA_INT_SZ) |
wolfSSL | 13:f67a6c6013ca | 891 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 892 | |
wolfSSL | 13:f67a6c6013ca | 893 | err = wc_Rsa_to_unsigned_bin(n, output + idx, length); |
wolfSSL | 13:f67a6c6013ca | 894 | if (err != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 895 | return MP_TO_E; |
wolfSSL | 13:f67a6c6013ca | 896 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 897 | |
wolfSSL | 13:f67a6c6013ca | 898 | return idx; |
wolfSSL | 13:f67a6c6013ca | 899 | } |
wolfSSL | 13:f67a6c6013ca | 900 | #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN && |
wolfSSL | 13:f67a6c6013ca | 901 | !HAVE_USER_RSA))) */ |
wolfSSL | 13:f67a6c6013ca | 902 | |
wolfSSL | 13:f67a6c6013ca | 903 | /* Windows header clash for WinCE using GetVersion */ |
wolfSSL | 13:f67a6c6013ca | 904 | WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, |
wolfSSL | 13:f67a6c6013ca | 905 | int* version, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 906 | { |
wolfSSL | 13:f67a6c6013ca | 907 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 908 | |
wolfSSL | 13:f67a6c6013ca | 909 | if ((idx + MIN_VERSION_SZ) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 910 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 911 | |
wolfSSL | 13:f67a6c6013ca | 912 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 13:f67a6c6013ca | 913 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 914 | |
wolfSSL | 13:f67a6c6013ca | 915 | if (input[idx++] != 0x01) |
wolfSSL | 13:f67a6c6013ca | 916 | return ASN_VERSION_E; |
wolfSSL | 13:f67a6c6013ca | 917 | |
wolfSSL | 13:f67a6c6013ca | 918 | *version = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 919 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 920 | |
wolfSSL | 13:f67a6c6013ca | 921 | return *version; |
wolfSSL | 13:f67a6c6013ca | 922 | } |
wolfSSL | 13:f67a6c6013ca | 923 | |
wolfSSL | 13:f67a6c6013ca | 924 | |
wolfSSL | 13:f67a6c6013ca | 925 | #ifndef NO_PWDBASED |
wolfSSL | 13:f67a6c6013ca | 926 | /* Get small count integer, 32 bits or less */ |
wolfSSL | 13:f67a6c6013ca | 927 | int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 928 | { |
wolfSSL | 13:f67a6c6013ca | 929 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 930 | word32 len; |
wolfSSL | 13:f67a6c6013ca | 931 | |
wolfSSL | 13:f67a6c6013ca | 932 | *number = 0; |
wolfSSL | 13:f67a6c6013ca | 933 | |
wolfSSL | 13:f67a6c6013ca | 934 | /* check for type and length bytes */ |
wolfSSL | 13:f67a6c6013ca | 935 | if ((idx + 2) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 936 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 937 | |
wolfSSL | 13:f67a6c6013ca | 938 | if (input[idx++] != ASN_INTEGER) |
wolfSSL | 13:f67a6c6013ca | 939 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 940 | |
wolfSSL | 13:f67a6c6013ca | 941 | len = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 942 | if (len > 4) |
wolfSSL | 13:f67a6c6013ca | 943 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 944 | |
wolfSSL | 13:f67a6c6013ca | 945 | if (len + idx > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 946 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 947 | |
wolfSSL | 13:f67a6c6013ca | 948 | while (len--) { |
wolfSSL | 13:f67a6c6013ca | 949 | *number = *number << 8 | input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 950 | } |
wolfSSL | 13:f67a6c6013ca | 951 | |
wolfSSL | 13:f67a6c6013ca | 952 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 953 | |
wolfSSL | 13:f67a6c6013ca | 954 | return *number; |
wolfSSL | 13:f67a6c6013ca | 955 | } |
wolfSSL | 13:f67a6c6013ca | 956 | #endif /* !NO_PWDBASED */ |
wolfSSL | 13:f67a6c6013ca | 957 | |
wolfSSL | 13:f67a6c6013ca | 958 | /* May not have one, not an error */ |
wolfSSL | 13:f67a6c6013ca | 959 | static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version, |
wolfSSL | 13:f67a6c6013ca | 960 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 961 | { |
wolfSSL | 13:f67a6c6013ca | 962 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 963 | |
wolfSSL | 13:f67a6c6013ca | 964 | WOLFSSL_ENTER("GetExplicitVersion"); |
wolfSSL | 13:f67a6c6013ca | 965 | |
wolfSSL | 13:f67a6c6013ca | 966 | if ((idx + 1) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 967 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 968 | |
wolfSSL | 13:f67a6c6013ca | 969 | if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 13:f67a6c6013ca | 970 | *inOutIdx = ++idx; /* skip header */ |
wolfSSL | 13:f67a6c6013ca | 971 | return GetMyVersion(input, inOutIdx, version, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 972 | } |
wolfSSL | 13:f67a6c6013ca | 973 | |
wolfSSL | 13:f67a6c6013ca | 974 | /* go back as is */ |
wolfSSL | 13:f67a6c6013ca | 975 | *version = 0; |
wolfSSL | 13:f67a6c6013ca | 976 | |
wolfSSL | 13:f67a6c6013ca | 977 | return 0; |
wolfSSL | 13:f67a6c6013ca | 978 | } |
wolfSSL | 13:f67a6c6013ca | 979 | |
wolfSSL | 13:f67a6c6013ca | 980 | int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 981 | { |
wolfSSL | 13:f67a6c6013ca | 982 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 983 | int ret; |
wolfSSL | 13:f67a6c6013ca | 984 | int length; |
wolfSSL | 13:f67a6c6013ca | 985 | |
wolfSSL | 13:f67a6c6013ca | 986 | ret = GetASNInt(input, &idx, &length, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 987 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 988 | return ret; |
wolfSSL | 13:f67a6c6013ca | 989 | |
wolfSSL | 13:f67a6c6013ca | 990 | if (mp_init(mpi) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 991 | return MP_INIT_E; |
wolfSSL | 13:f67a6c6013ca | 992 | |
wolfSSL | 13:f67a6c6013ca | 993 | if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) { |
wolfSSL | 13:f67a6c6013ca | 994 | mp_clear(mpi); |
wolfSSL | 13:f67a6c6013ca | 995 | return ASN_GETINT_E; |
wolfSSL | 13:f67a6c6013ca | 996 | } |
wolfSSL | 13:f67a6c6013ca | 997 | |
wolfSSL | 13:f67a6c6013ca | 998 | #ifdef HAVE_WOLF_BIGINT |
wolfSSL | 13:f67a6c6013ca | 999 | if (wc_bigint_from_unsigned_bin(&mpi->raw, input + idx, length) != 0) { |
wolfSSL | 13:f67a6c6013ca | 1000 | mp_clear(mpi); |
wolfSSL | 13:f67a6c6013ca | 1001 | return ASN_GETINT_E; |
wolfSSL | 13:f67a6c6013ca | 1002 | } |
wolfSSL | 13:f67a6c6013ca | 1003 | #endif /* HAVE_WOLF_BIGINT */ |
wolfSSL | 13:f67a6c6013ca | 1004 | |
wolfSSL | 13:f67a6c6013ca | 1005 | *inOutIdx = idx + length; |
wolfSSL | 13:f67a6c6013ca | 1006 | |
wolfSSL | 13:f67a6c6013ca | 1007 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1008 | } |
wolfSSL | 13:f67a6c6013ca | 1009 | |
wolfSSL | 13:f67a6c6013ca | 1010 | static int CheckBitString(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 1011 | word32 maxIdx, int zeroBits, byte* unusedBits) |
wolfSSL | 13:f67a6c6013ca | 1012 | { |
wolfSSL | 13:f67a6c6013ca | 1013 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1014 | int length; |
wolfSSL | 13:f67a6c6013ca | 1015 | byte b; |
wolfSSL | 13:f67a6c6013ca | 1016 | |
wolfSSL | 13:f67a6c6013ca | 1017 | if ((idx + 1) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1018 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1019 | |
wolfSSL | 13:f67a6c6013ca | 1020 | if (input[idx++] != ASN_BIT_STRING) |
wolfSSL | 13:f67a6c6013ca | 1021 | return ASN_BITSTR_E; |
wolfSSL | 13:f67a6c6013ca | 1022 | |
wolfSSL | 13:f67a6c6013ca | 1023 | if (GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 1024 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1025 | |
wolfSSL | 13:f67a6c6013ca | 1026 | /* extra sanity check that length is greater than 0 */ |
wolfSSL | 13:f67a6c6013ca | 1027 | if (length <= 0) { |
wolfSSL | 13:f67a6c6013ca | 1028 | WOLFSSL_MSG("Error length was 0 in CheckBitString"); |
wolfSSL | 13:f67a6c6013ca | 1029 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1030 | } |
wolfSSL | 13:f67a6c6013ca | 1031 | |
wolfSSL | 13:f67a6c6013ca | 1032 | if (idx + 1 > maxIdx) { |
wolfSSL | 13:f67a6c6013ca | 1033 | WOLFSSL_MSG("Attempted buffer read larger than input buffer"); |
wolfSSL | 13:f67a6c6013ca | 1034 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1035 | } |
wolfSSL | 13:f67a6c6013ca | 1036 | |
wolfSSL | 13:f67a6c6013ca | 1037 | b = input[idx]; |
wolfSSL | 13:f67a6c6013ca | 1038 | if (zeroBits && b != 0x00) |
wolfSSL | 13:f67a6c6013ca | 1039 | return ASN_EXPECT_0_E; |
wolfSSL | 13:f67a6c6013ca | 1040 | if (b >= 0x08) |
wolfSSL | 13:f67a6c6013ca | 1041 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1042 | if (b != 0) { |
wolfSSL | 13:f67a6c6013ca | 1043 | if ((byte)(input[idx + length - 1] << (8 - b)) != 0) |
wolfSSL | 13:f67a6c6013ca | 1044 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1045 | } |
wolfSSL | 13:f67a6c6013ca | 1046 | idx++; |
wolfSSL | 13:f67a6c6013ca | 1047 | length--; /* length has been checked for greater than 0 */ |
wolfSSL | 13:f67a6c6013ca | 1048 | |
wolfSSL | 13:f67a6c6013ca | 1049 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1050 | if (len != NULL) |
wolfSSL | 13:f67a6c6013ca | 1051 | *len = length; |
wolfSSL | 13:f67a6c6013ca | 1052 | if (unusedBits != NULL) |
wolfSSL | 13:f67a6c6013ca | 1053 | *unusedBits = b; |
wolfSSL | 13:f67a6c6013ca | 1054 | |
wolfSSL | 13:f67a6c6013ca | 1055 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1056 | } |
wolfSSL | 13:f67a6c6013ca | 1057 | |
wolfSSL | 13:f67a6c6013ca | 1058 | #if (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 13:f67a6c6013ca | 1059 | (defined(WOLFSSL_KEY_GEN) && \ |
wolfSSL | 13:f67a6c6013ca | 1060 | !defined(HAVE_USER_RSA)))) || \ |
wolfSSL | 13:f67a6c6013ca | 1061 | (defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 13:f67a6c6013ca | 1062 | defined(WOLFSSL_KEY_GEN))) |
wolfSSL | 13:f67a6c6013ca | 1063 | /* Set the DER/BER encoding of the ASN.1 BIT_STRING header. |
wolfSSL | 13:f67a6c6013ca | 1064 | * |
wolfSSL | 13:f67a6c6013ca | 1065 | * len Length of data to encode. |
wolfSSL | 13:f67a6c6013ca | 1066 | * unusedBits The number of unused bits in the last byte of data. |
wolfSSL | 13:f67a6c6013ca | 1067 | * That is, the number of least significant zero bits before a one. |
wolfSSL | 13:f67a6c6013ca | 1068 | * The last byte is the most-significant non-zero byte of a number. |
wolfSSL | 13:f67a6c6013ca | 1069 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 1070 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 1071 | */ |
wolfSSL | 13:f67a6c6013ca | 1072 | static word32 SetBitString(word32 len, byte unusedBits, byte* output) |
wolfSSL | 13:f67a6c6013ca | 1073 | { |
wolfSSL | 13:f67a6c6013ca | 1074 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 1075 | |
wolfSSL | 13:f67a6c6013ca | 1076 | output[idx++] = ASN_BIT_STRING; |
wolfSSL | 13:f67a6c6013ca | 1077 | idx += SetLength(len + 1, output + idx); |
wolfSSL | 13:f67a6c6013ca | 1078 | output[idx++] = unusedBits; |
wolfSSL | 13:f67a6c6013ca | 1079 | |
wolfSSL | 13:f67a6c6013ca | 1080 | return idx; |
wolfSSL | 13:f67a6c6013ca | 1081 | } |
wolfSSL | 13:f67a6c6013ca | 1082 | |
wolfSSL | 13:f67a6c6013ca | 1083 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 1084 | /* Set the DER/BER encoding of the ASN.1 BIT_STRING with a 16-bit value. |
wolfSSL | 13:f67a6c6013ca | 1085 | * |
wolfSSL | 13:f67a6c6013ca | 1086 | * val 16-bit value to encode. |
wolfSSL | 13:f67a6c6013ca | 1087 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 1088 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 1089 | */ |
wolfSSL | 13:f67a6c6013ca | 1090 | static word32 SetBitString16Bit(word16 val, byte* output) |
wolfSSL | 13:f67a6c6013ca | 1091 | { |
wolfSSL | 13:f67a6c6013ca | 1092 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 1093 | int len; |
wolfSSL | 13:f67a6c6013ca | 1094 | byte lastByte; |
wolfSSL | 13:f67a6c6013ca | 1095 | byte unusedBits = 0; |
wolfSSL | 13:f67a6c6013ca | 1096 | |
wolfSSL | 13:f67a6c6013ca | 1097 | if ((val >> 8) != 0) { |
wolfSSL | 13:f67a6c6013ca | 1098 | len = 2; |
wolfSSL | 13:f67a6c6013ca | 1099 | lastByte = (byte)(val >> 8); |
wolfSSL | 13:f67a6c6013ca | 1100 | } |
wolfSSL | 13:f67a6c6013ca | 1101 | else { |
wolfSSL | 13:f67a6c6013ca | 1102 | len = 1; |
wolfSSL | 13:f67a6c6013ca | 1103 | lastByte = (byte)val; |
wolfSSL | 13:f67a6c6013ca | 1104 | } |
wolfSSL | 13:f67a6c6013ca | 1105 | |
wolfSSL | 13:f67a6c6013ca | 1106 | while (((lastByte >> unusedBits) & 0x01) == 0x00) |
wolfSSL | 13:f67a6c6013ca | 1107 | unusedBits++; |
wolfSSL | 13:f67a6c6013ca | 1108 | |
wolfSSL | 13:f67a6c6013ca | 1109 | idx = SetBitString(len, unusedBits, output); |
wolfSSL | 13:f67a6c6013ca | 1110 | output[idx++] = (byte)val; |
wolfSSL | 13:f67a6c6013ca | 1111 | output[idx++] = (byte)(val >> 8); |
wolfSSL | 13:f67a6c6013ca | 1112 | |
wolfSSL | 13:f67a6c6013ca | 1113 | return idx; |
wolfSSL | 13:f67a6c6013ca | 1114 | } |
wolfSSL | 13:f67a6c6013ca | 1115 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 1116 | #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN && |
wolfSSL | 13:f67a6c6013ca | 1117 | !HAVE_USER_RSA)) */ |
wolfSSL | 13:f67a6c6013ca | 1118 | |
wolfSSL | 13:f67a6c6013ca | 1119 | |
wolfSSL | 13:f67a6c6013ca | 1120 | |
wolfSSL | 13:f67a6c6013ca | 1121 | /* hashType */ |
wolfSSL | 13:f67a6c6013ca | 1122 | static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2}; |
wolfSSL | 13:f67a6c6013ca | 1123 | static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5}; |
wolfSSL | 13:f67a6c6013ca | 1124 | static const byte hashSha1hOid[] = {43, 14, 3, 2, 26}; |
wolfSSL | 13:f67a6c6013ca | 1125 | static const byte hashSha224hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 4}; |
wolfSSL | 13:f67a6c6013ca | 1126 | static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1}; |
wolfSSL | 13:f67a6c6013ca | 1127 | static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2}; |
wolfSSL | 13:f67a6c6013ca | 1128 | static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3}; |
wolfSSL | 13:f67a6c6013ca | 1129 | |
wolfSSL | 13:f67a6c6013ca | 1130 | /* sigType */ |
wolfSSL | 13:f67a6c6013ca | 1131 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 1132 | static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3}; |
wolfSSL | 13:f67a6c6013ca | 1133 | #endif /* NO_DSA */ |
wolfSSL | 13:f67a6c6013ca | 1134 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 1135 | static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2}; |
wolfSSL | 13:f67a6c6013ca | 1136 | static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4}; |
wolfSSL | 13:f67a6c6013ca | 1137 | static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5}; |
wolfSSL | 13:f67a6c6013ca | 1138 | static const byte sigSha224wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,14}; |
wolfSSL | 13:f67a6c6013ca | 1139 | static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11}; |
wolfSSL | 13:f67a6c6013ca | 1140 | static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12}; |
wolfSSL | 13:f67a6c6013ca | 1141 | static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13}; |
wolfSSL | 13:f67a6c6013ca | 1142 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1143 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1144 | static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1}; |
wolfSSL | 13:f67a6c6013ca | 1145 | static const byte sigSha224wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 1}; |
wolfSSL | 13:f67a6c6013ca | 1146 | static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2}; |
wolfSSL | 13:f67a6c6013ca | 1147 | static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3}; |
wolfSSL | 13:f67a6c6013ca | 1148 | static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4}; |
wolfSSL | 13:f67a6c6013ca | 1149 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1150 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 1151 | static const byte sigEd25519Oid[] = {43, 101, 112}; |
wolfSSL | 13:f67a6c6013ca | 1152 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 1153 | |
wolfSSL | 13:f67a6c6013ca | 1154 | /* keyType */ |
wolfSSL | 13:f67a6c6013ca | 1155 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 1156 | static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1}; |
wolfSSL | 13:f67a6c6013ca | 1157 | #endif /* NO_DSA */ |
wolfSSL | 13:f67a6c6013ca | 1158 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 1159 | static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; |
wolfSSL | 13:f67a6c6013ca | 1160 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1161 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 1162 | static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1}; |
wolfSSL | 13:f67a6c6013ca | 1163 | #endif /* HAVE_NTRU */ |
wolfSSL | 13:f67a6c6013ca | 1164 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1165 | static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; |
wolfSSL | 13:f67a6c6013ca | 1166 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1167 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 1168 | static const byte keyEd25519Oid[] = {43, 101, 112}; |
wolfSSL | 13:f67a6c6013ca | 1169 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 1170 | |
wolfSSL | 13:f67a6c6013ca | 1171 | /* curveType */ |
wolfSSL | 13:f67a6c6013ca | 1172 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1173 | /* See "ecc_sets" table in ecc.c */ |
wolfSSL | 13:f67a6c6013ca | 1174 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1175 | |
wolfSSL | 13:f67a6c6013ca | 1176 | /* blkType */ |
wolfSSL | 13:f67a6c6013ca | 1177 | static const byte blkAes128CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 2}; |
wolfSSL | 13:f67a6c6013ca | 1178 | static const byte blkAes192CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 22}; |
wolfSSL | 13:f67a6c6013ca | 1179 | static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42}; |
wolfSSL | 13:f67a6c6013ca | 1180 | static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7}; |
wolfSSL | 13:f67a6c6013ca | 1181 | static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7}; |
wolfSSL | 13:f67a6c6013ca | 1182 | |
wolfSSL | 13:f67a6c6013ca | 1183 | /* keyWrapType */ |
wolfSSL | 13:f67a6c6013ca | 1184 | static const byte wrapAes128Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 5}; |
wolfSSL | 13:f67a6c6013ca | 1185 | static const byte wrapAes192Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 25}; |
wolfSSL | 13:f67a6c6013ca | 1186 | static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45}; |
wolfSSL | 13:f67a6c6013ca | 1187 | |
wolfSSL | 13:f67a6c6013ca | 1188 | /* cmsKeyAgreeType */ |
wolfSSL | 13:f67a6c6013ca | 1189 | static const byte dhSinglePass_stdDH_sha1kdf_Oid[] = |
wolfSSL | 13:f67a6c6013ca | 1190 | {43, 129, 5, 16, 134, 72, 63, 0, 2}; |
wolfSSL | 13:f67a6c6013ca | 1191 | static const byte dhSinglePass_stdDH_sha224kdf_Oid[] = {43, 129, 4, 1, 11, 0}; |
wolfSSL | 13:f67a6c6013ca | 1192 | static const byte dhSinglePass_stdDH_sha256kdf_Oid[] = {43, 129, 4, 1, 11, 1}; |
wolfSSL | 13:f67a6c6013ca | 1193 | static const byte dhSinglePass_stdDH_sha384kdf_Oid[] = {43, 129, 4, 1, 11, 2}; |
wolfSSL | 13:f67a6c6013ca | 1194 | static const byte dhSinglePass_stdDH_sha512kdf_Oid[] = {43, 129, 4, 1, 11, 3}; |
wolfSSL | 13:f67a6c6013ca | 1195 | |
wolfSSL | 13:f67a6c6013ca | 1196 | /* ocspType */ |
wolfSSL | 13:f67a6c6013ca | 1197 | #ifdef HAVE_OCSP |
wolfSSL | 13:f67a6c6013ca | 1198 | static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1}; |
wolfSSL | 13:f67a6c6013ca | 1199 | static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2}; |
wolfSSL | 13:f67a6c6013ca | 1200 | #endif /* HAVE_OCSP */ |
wolfSSL | 13:f67a6c6013ca | 1201 | |
wolfSSL | 13:f67a6c6013ca | 1202 | /* certExtType */ |
wolfSSL | 13:f67a6c6013ca | 1203 | static const byte extBasicCaOid[] = {85, 29, 19}; |
wolfSSL | 13:f67a6c6013ca | 1204 | static const byte extAltNamesOid[] = {85, 29, 17}; |
wolfSSL | 13:f67a6c6013ca | 1205 | static const byte extCrlDistOid[] = {85, 29, 31}; |
wolfSSL | 13:f67a6c6013ca | 1206 | static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1}; |
wolfSSL | 13:f67a6c6013ca | 1207 | static const byte extAuthKeyOid[] = {85, 29, 35}; |
wolfSSL | 13:f67a6c6013ca | 1208 | static const byte extSubjKeyOid[] = {85, 29, 14}; |
wolfSSL | 13:f67a6c6013ca | 1209 | static const byte extCertPolicyOid[] = {85, 29, 32}; |
wolfSSL | 13:f67a6c6013ca | 1210 | static const byte extKeyUsageOid[] = {85, 29, 15}; |
wolfSSL | 13:f67a6c6013ca | 1211 | static const byte extInhibitAnyOid[] = {85, 29, 54}; |
wolfSSL | 13:f67a6c6013ca | 1212 | static const byte extExtKeyUsageOid[] = {85, 29, 37}; |
wolfSSL | 13:f67a6c6013ca | 1213 | static const byte extNameConsOid[] = {85, 29, 30}; |
wolfSSL | 13:f67a6c6013ca | 1214 | |
wolfSSL | 13:f67a6c6013ca | 1215 | /* certAuthInfoType */ |
wolfSSL | 13:f67a6c6013ca | 1216 | static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; |
wolfSSL | 13:f67a6c6013ca | 1217 | static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; |
wolfSSL | 13:f67a6c6013ca | 1218 | |
wolfSSL | 13:f67a6c6013ca | 1219 | /* certPolicyType */ |
wolfSSL | 13:f67a6c6013ca | 1220 | static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; |
wolfSSL | 13:f67a6c6013ca | 1221 | |
wolfSSL | 13:f67a6c6013ca | 1222 | /* certKeyUseType */ |
wolfSSL | 13:f67a6c6013ca | 1223 | static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4}; |
wolfSSL | 13:f67a6c6013ca | 1224 | |
wolfSSL | 13:f67a6c6013ca | 1225 | /* certKeyUseType */ |
wolfSSL | 13:f67a6c6013ca | 1226 | static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0}; |
wolfSSL | 13:f67a6c6013ca | 1227 | static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1}; |
wolfSSL | 13:f67a6c6013ca | 1228 | static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2}; |
wolfSSL | 13:f67a6c6013ca | 1229 | static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; |
wolfSSL | 13:f67a6c6013ca | 1230 | |
wolfSSL | 13:f67a6c6013ca | 1231 | /* kdfType */ |
wolfSSL | 13:f67a6c6013ca | 1232 | static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12}; |
wolfSSL | 13:f67a6c6013ca | 1233 | |
wolfSSL | 13:f67a6c6013ca | 1234 | static const byte* OidFromId(word32 id, word32 type, word32* oidSz) |
wolfSSL | 13:f67a6c6013ca | 1235 | { |
wolfSSL | 13:f67a6c6013ca | 1236 | const byte* oid = NULL; |
wolfSSL | 13:f67a6c6013ca | 1237 | |
wolfSSL | 13:f67a6c6013ca | 1238 | *oidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 1239 | |
wolfSSL | 13:f67a6c6013ca | 1240 | switch (type) { |
wolfSSL | 13:f67a6c6013ca | 1241 | |
wolfSSL | 13:f67a6c6013ca | 1242 | case oidHashType: |
wolfSSL | 13:f67a6c6013ca | 1243 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1244 | case MD2h: |
wolfSSL | 13:f67a6c6013ca | 1245 | oid = hashMd2hOid; |
wolfSSL | 13:f67a6c6013ca | 1246 | *oidSz = sizeof(hashMd2hOid); |
wolfSSL | 13:f67a6c6013ca | 1247 | break; |
wolfSSL | 13:f67a6c6013ca | 1248 | case MD5h: |
wolfSSL | 13:f67a6c6013ca | 1249 | oid = hashMd5hOid; |
wolfSSL | 13:f67a6c6013ca | 1250 | *oidSz = sizeof(hashMd5hOid); |
wolfSSL | 13:f67a6c6013ca | 1251 | break; |
wolfSSL | 13:f67a6c6013ca | 1252 | case SHAh: |
wolfSSL | 13:f67a6c6013ca | 1253 | oid = hashSha1hOid; |
wolfSSL | 13:f67a6c6013ca | 1254 | *oidSz = sizeof(hashSha1hOid); |
wolfSSL | 13:f67a6c6013ca | 1255 | break; |
wolfSSL | 13:f67a6c6013ca | 1256 | case SHA224h: |
wolfSSL | 13:f67a6c6013ca | 1257 | oid = hashSha224hOid; |
wolfSSL | 13:f67a6c6013ca | 1258 | *oidSz = sizeof(hashSha224hOid); |
wolfSSL | 13:f67a6c6013ca | 1259 | break; |
wolfSSL | 13:f67a6c6013ca | 1260 | case SHA256h: |
wolfSSL | 13:f67a6c6013ca | 1261 | oid = hashSha256hOid; |
wolfSSL | 13:f67a6c6013ca | 1262 | *oidSz = sizeof(hashSha256hOid); |
wolfSSL | 13:f67a6c6013ca | 1263 | break; |
wolfSSL | 13:f67a6c6013ca | 1264 | case SHA384h: |
wolfSSL | 13:f67a6c6013ca | 1265 | oid = hashSha384hOid; |
wolfSSL | 13:f67a6c6013ca | 1266 | *oidSz = sizeof(hashSha384hOid); |
wolfSSL | 13:f67a6c6013ca | 1267 | break; |
wolfSSL | 13:f67a6c6013ca | 1268 | case SHA512h: |
wolfSSL | 13:f67a6c6013ca | 1269 | oid = hashSha512hOid; |
wolfSSL | 13:f67a6c6013ca | 1270 | *oidSz = sizeof(hashSha512hOid); |
wolfSSL | 13:f67a6c6013ca | 1271 | break; |
wolfSSL | 13:f67a6c6013ca | 1272 | } |
wolfSSL | 13:f67a6c6013ca | 1273 | break; |
wolfSSL | 13:f67a6c6013ca | 1274 | |
wolfSSL | 13:f67a6c6013ca | 1275 | case oidSigType: |
wolfSSL | 13:f67a6c6013ca | 1276 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1277 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 1278 | case CTC_SHAwDSA: |
wolfSSL | 13:f67a6c6013ca | 1279 | oid = sigSha1wDsaOid; |
wolfSSL | 13:f67a6c6013ca | 1280 | *oidSz = sizeof(sigSha1wDsaOid); |
wolfSSL | 13:f67a6c6013ca | 1281 | break; |
wolfSSL | 13:f67a6c6013ca | 1282 | #endif /* NO_DSA */ |
wolfSSL | 13:f67a6c6013ca | 1283 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 1284 | case CTC_MD2wRSA: |
wolfSSL | 13:f67a6c6013ca | 1285 | oid = sigMd2wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1286 | *oidSz = sizeof(sigMd2wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1287 | break; |
wolfSSL | 13:f67a6c6013ca | 1288 | case CTC_MD5wRSA: |
wolfSSL | 13:f67a6c6013ca | 1289 | oid = sigMd5wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1290 | *oidSz = sizeof(sigMd5wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1291 | break; |
wolfSSL | 13:f67a6c6013ca | 1292 | case CTC_SHAwRSA: |
wolfSSL | 13:f67a6c6013ca | 1293 | oid = sigSha1wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1294 | *oidSz = sizeof(sigSha1wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1295 | break; |
wolfSSL | 13:f67a6c6013ca | 1296 | case CTC_SHA224wRSA: |
wolfSSL | 13:f67a6c6013ca | 1297 | oid = sigSha224wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1298 | *oidSz = sizeof(sigSha224wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1299 | break; |
wolfSSL | 13:f67a6c6013ca | 1300 | case CTC_SHA256wRSA: |
wolfSSL | 13:f67a6c6013ca | 1301 | oid = sigSha256wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1302 | *oidSz = sizeof(sigSha256wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1303 | break; |
wolfSSL | 13:f67a6c6013ca | 1304 | case CTC_SHA384wRSA: |
wolfSSL | 13:f67a6c6013ca | 1305 | oid = sigSha384wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1306 | *oidSz = sizeof(sigSha384wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1307 | break; |
wolfSSL | 13:f67a6c6013ca | 1308 | case CTC_SHA512wRSA: |
wolfSSL | 13:f67a6c6013ca | 1309 | oid = sigSha512wRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1310 | *oidSz = sizeof(sigSha512wRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1311 | break; |
wolfSSL | 13:f67a6c6013ca | 1312 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1313 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1314 | case CTC_SHAwECDSA: |
wolfSSL | 13:f67a6c6013ca | 1315 | oid = sigSha1wEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1316 | *oidSz = sizeof(sigSha1wEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1317 | break; |
wolfSSL | 13:f67a6c6013ca | 1318 | case CTC_SHA224wECDSA: |
wolfSSL | 13:f67a6c6013ca | 1319 | oid = sigSha224wEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1320 | *oidSz = sizeof(sigSha224wEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1321 | break; |
wolfSSL | 13:f67a6c6013ca | 1322 | case CTC_SHA256wECDSA: |
wolfSSL | 13:f67a6c6013ca | 1323 | oid = sigSha256wEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1324 | *oidSz = sizeof(sigSha256wEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1325 | break; |
wolfSSL | 13:f67a6c6013ca | 1326 | case CTC_SHA384wECDSA: |
wolfSSL | 13:f67a6c6013ca | 1327 | oid = sigSha384wEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1328 | *oidSz = sizeof(sigSha384wEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1329 | break; |
wolfSSL | 13:f67a6c6013ca | 1330 | case CTC_SHA512wECDSA: |
wolfSSL | 13:f67a6c6013ca | 1331 | oid = sigSha512wEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1332 | *oidSz = sizeof(sigSha512wEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1333 | break; |
wolfSSL | 13:f67a6c6013ca | 1334 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1335 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 1336 | case CTC_ED25519: |
wolfSSL | 13:f67a6c6013ca | 1337 | oid = sigEd25519Oid; |
wolfSSL | 13:f67a6c6013ca | 1338 | *oidSz = sizeof(sigEd25519Oid); |
wolfSSL | 13:f67a6c6013ca | 1339 | break; |
wolfSSL | 13:f67a6c6013ca | 1340 | #endif |
wolfSSL | 13:f67a6c6013ca | 1341 | default: |
wolfSSL | 13:f67a6c6013ca | 1342 | break; |
wolfSSL | 13:f67a6c6013ca | 1343 | } |
wolfSSL | 13:f67a6c6013ca | 1344 | break; |
wolfSSL | 13:f67a6c6013ca | 1345 | |
wolfSSL | 13:f67a6c6013ca | 1346 | case oidKeyType: |
wolfSSL | 13:f67a6c6013ca | 1347 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1348 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 1349 | case DSAk: |
wolfSSL | 13:f67a6c6013ca | 1350 | oid = keyDsaOid; |
wolfSSL | 13:f67a6c6013ca | 1351 | *oidSz = sizeof(keyDsaOid); |
wolfSSL | 13:f67a6c6013ca | 1352 | break; |
wolfSSL | 13:f67a6c6013ca | 1353 | #endif /* NO_DSA */ |
wolfSSL | 13:f67a6c6013ca | 1354 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 1355 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 1356 | oid = keyRsaOid; |
wolfSSL | 13:f67a6c6013ca | 1357 | *oidSz = sizeof(keyRsaOid); |
wolfSSL | 13:f67a6c6013ca | 1358 | break; |
wolfSSL | 13:f67a6c6013ca | 1359 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1360 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 1361 | case NTRUk: |
wolfSSL | 13:f67a6c6013ca | 1362 | oid = keyNtruOid; |
wolfSSL | 13:f67a6c6013ca | 1363 | *oidSz = sizeof(keyNtruOid); |
wolfSSL | 13:f67a6c6013ca | 1364 | break; |
wolfSSL | 13:f67a6c6013ca | 1365 | #endif /* HAVE_NTRU */ |
wolfSSL | 13:f67a6c6013ca | 1366 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1367 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 1368 | oid = keyEcdsaOid; |
wolfSSL | 13:f67a6c6013ca | 1369 | *oidSz = sizeof(keyEcdsaOid); |
wolfSSL | 13:f67a6c6013ca | 1370 | break; |
wolfSSL | 13:f67a6c6013ca | 1371 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1372 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 1373 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 1374 | oid = keyEd25519Oid; |
wolfSSL | 13:f67a6c6013ca | 1375 | *oidSz = sizeof(keyEd25519Oid); |
wolfSSL | 13:f67a6c6013ca | 1376 | break; |
wolfSSL | 13:f67a6c6013ca | 1377 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 1378 | default: |
wolfSSL | 13:f67a6c6013ca | 1379 | break; |
wolfSSL | 13:f67a6c6013ca | 1380 | } |
wolfSSL | 13:f67a6c6013ca | 1381 | break; |
wolfSSL | 13:f67a6c6013ca | 1382 | |
wolfSSL | 13:f67a6c6013ca | 1383 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 1384 | case oidCurveType: |
wolfSSL | 13:f67a6c6013ca | 1385 | if (wc_ecc_get_oid(id, &oid, oidSz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 1386 | WOLFSSL_MSG("ECC OID not found"); |
wolfSSL | 13:f67a6c6013ca | 1387 | } |
wolfSSL | 13:f67a6c6013ca | 1388 | break; |
wolfSSL | 13:f67a6c6013ca | 1389 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 1390 | |
wolfSSL | 13:f67a6c6013ca | 1391 | case oidBlkType: |
wolfSSL | 13:f67a6c6013ca | 1392 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1393 | case AES128CBCb: |
wolfSSL | 13:f67a6c6013ca | 1394 | oid = blkAes128CbcOid; |
wolfSSL | 13:f67a6c6013ca | 1395 | *oidSz = sizeof(blkAes128CbcOid); |
wolfSSL | 13:f67a6c6013ca | 1396 | break; |
wolfSSL | 13:f67a6c6013ca | 1397 | case AES192CBCb: |
wolfSSL | 13:f67a6c6013ca | 1398 | oid = blkAes192CbcOid; |
wolfSSL | 13:f67a6c6013ca | 1399 | *oidSz = sizeof(blkAes192CbcOid); |
wolfSSL | 13:f67a6c6013ca | 1400 | break; |
wolfSSL | 13:f67a6c6013ca | 1401 | case AES256CBCb: |
wolfSSL | 13:f67a6c6013ca | 1402 | oid = blkAes256CbcOid; |
wolfSSL | 13:f67a6c6013ca | 1403 | *oidSz = sizeof(blkAes256CbcOid); |
wolfSSL | 13:f67a6c6013ca | 1404 | break; |
wolfSSL | 13:f67a6c6013ca | 1405 | case DESb: |
wolfSSL | 13:f67a6c6013ca | 1406 | oid = blkDesCbcOid; |
wolfSSL | 13:f67a6c6013ca | 1407 | *oidSz = sizeof(blkDesCbcOid); |
wolfSSL | 13:f67a6c6013ca | 1408 | break; |
wolfSSL | 13:f67a6c6013ca | 1409 | case DES3b: |
wolfSSL | 13:f67a6c6013ca | 1410 | oid = blkDes3CbcOid; |
wolfSSL | 13:f67a6c6013ca | 1411 | *oidSz = sizeof(blkDes3CbcOid); |
wolfSSL | 13:f67a6c6013ca | 1412 | break; |
wolfSSL | 13:f67a6c6013ca | 1413 | } |
wolfSSL | 13:f67a6c6013ca | 1414 | break; |
wolfSSL | 13:f67a6c6013ca | 1415 | |
wolfSSL | 13:f67a6c6013ca | 1416 | #ifdef HAVE_OCSP |
wolfSSL | 13:f67a6c6013ca | 1417 | case oidOcspType: |
wolfSSL | 13:f67a6c6013ca | 1418 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1419 | case OCSP_BASIC_OID: |
wolfSSL | 13:f67a6c6013ca | 1420 | oid = ocspBasicOid; |
wolfSSL | 13:f67a6c6013ca | 1421 | *oidSz = sizeof(ocspBasicOid); |
wolfSSL | 13:f67a6c6013ca | 1422 | break; |
wolfSSL | 13:f67a6c6013ca | 1423 | case OCSP_NONCE_OID: |
wolfSSL | 13:f67a6c6013ca | 1424 | oid = ocspNonceOid; |
wolfSSL | 13:f67a6c6013ca | 1425 | *oidSz = sizeof(ocspNonceOid); |
wolfSSL | 13:f67a6c6013ca | 1426 | break; |
wolfSSL | 13:f67a6c6013ca | 1427 | } |
wolfSSL | 13:f67a6c6013ca | 1428 | break; |
wolfSSL | 13:f67a6c6013ca | 1429 | #endif /* HAVE_OCSP */ |
wolfSSL | 13:f67a6c6013ca | 1430 | |
wolfSSL | 13:f67a6c6013ca | 1431 | case oidCertExtType: |
wolfSSL | 13:f67a6c6013ca | 1432 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1433 | case BASIC_CA_OID: |
wolfSSL | 13:f67a6c6013ca | 1434 | oid = extBasicCaOid; |
wolfSSL | 13:f67a6c6013ca | 1435 | *oidSz = sizeof(extBasicCaOid); |
wolfSSL | 13:f67a6c6013ca | 1436 | break; |
wolfSSL | 13:f67a6c6013ca | 1437 | case ALT_NAMES_OID: |
wolfSSL | 13:f67a6c6013ca | 1438 | oid = extAltNamesOid; |
wolfSSL | 13:f67a6c6013ca | 1439 | *oidSz = sizeof(extAltNamesOid); |
wolfSSL | 13:f67a6c6013ca | 1440 | break; |
wolfSSL | 13:f67a6c6013ca | 1441 | case CRL_DIST_OID: |
wolfSSL | 13:f67a6c6013ca | 1442 | oid = extCrlDistOid; |
wolfSSL | 13:f67a6c6013ca | 1443 | *oidSz = sizeof(extCrlDistOid); |
wolfSSL | 13:f67a6c6013ca | 1444 | break; |
wolfSSL | 13:f67a6c6013ca | 1445 | case AUTH_INFO_OID: |
wolfSSL | 13:f67a6c6013ca | 1446 | oid = extAuthInfoOid; |
wolfSSL | 13:f67a6c6013ca | 1447 | *oidSz = sizeof(extAuthInfoOid); |
wolfSSL | 13:f67a6c6013ca | 1448 | break; |
wolfSSL | 13:f67a6c6013ca | 1449 | case AUTH_KEY_OID: |
wolfSSL | 13:f67a6c6013ca | 1450 | oid = extAuthKeyOid; |
wolfSSL | 13:f67a6c6013ca | 1451 | *oidSz = sizeof(extAuthKeyOid); |
wolfSSL | 13:f67a6c6013ca | 1452 | break; |
wolfSSL | 13:f67a6c6013ca | 1453 | case SUBJ_KEY_OID: |
wolfSSL | 13:f67a6c6013ca | 1454 | oid = extSubjKeyOid; |
wolfSSL | 13:f67a6c6013ca | 1455 | *oidSz = sizeof(extSubjKeyOid); |
wolfSSL | 13:f67a6c6013ca | 1456 | break; |
wolfSSL | 13:f67a6c6013ca | 1457 | case CERT_POLICY_OID: |
wolfSSL | 13:f67a6c6013ca | 1458 | oid = extCertPolicyOid; |
wolfSSL | 13:f67a6c6013ca | 1459 | *oidSz = sizeof(extCertPolicyOid); |
wolfSSL | 13:f67a6c6013ca | 1460 | break; |
wolfSSL | 13:f67a6c6013ca | 1461 | case KEY_USAGE_OID: |
wolfSSL | 13:f67a6c6013ca | 1462 | oid = extKeyUsageOid; |
wolfSSL | 13:f67a6c6013ca | 1463 | *oidSz = sizeof(extKeyUsageOid); |
wolfSSL | 13:f67a6c6013ca | 1464 | break; |
wolfSSL | 13:f67a6c6013ca | 1465 | case INHIBIT_ANY_OID: |
wolfSSL | 13:f67a6c6013ca | 1466 | oid = extInhibitAnyOid; |
wolfSSL | 13:f67a6c6013ca | 1467 | *oidSz = sizeof(extInhibitAnyOid); |
wolfSSL | 13:f67a6c6013ca | 1468 | break; |
wolfSSL | 13:f67a6c6013ca | 1469 | case EXT_KEY_USAGE_OID: |
wolfSSL | 13:f67a6c6013ca | 1470 | oid = extExtKeyUsageOid; |
wolfSSL | 13:f67a6c6013ca | 1471 | *oidSz = sizeof(extExtKeyUsageOid); |
wolfSSL | 13:f67a6c6013ca | 1472 | break; |
wolfSSL | 13:f67a6c6013ca | 1473 | case NAME_CONS_OID: |
wolfSSL | 13:f67a6c6013ca | 1474 | oid = extNameConsOid; |
wolfSSL | 13:f67a6c6013ca | 1475 | *oidSz = sizeof(extNameConsOid); |
wolfSSL | 13:f67a6c6013ca | 1476 | break; |
wolfSSL | 13:f67a6c6013ca | 1477 | } |
wolfSSL | 13:f67a6c6013ca | 1478 | break; |
wolfSSL | 13:f67a6c6013ca | 1479 | |
wolfSSL | 13:f67a6c6013ca | 1480 | case oidCertAuthInfoType: |
wolfSSL | 13:f67a6c6013ca | 1481 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1482 | case AIA_OCSP_OID: |
wolfSSL | 13:f67a6c6013ca | 1483 | oid = extAuthInfoOcspOid; |
wolfSSL | 13:f67a6c6013ca | 1484 | *oidSz = sizeof(extAuthInfoOcspOid); |
wolfSSL | 13:f67a6c6013ca | 1485 | break; |
wolfSSL | 13:f67a6c6013ca | 1486 | case AIA_CA_ISSUER_OID: |
wolfSSL | 13:f67a6c6013ca | 1487 | oid = extAuthInfoCaIssuerOid; |
wolfSSL | 13:f67a6c6013ca | 1488 | *oidSz = sizeof(extAuthInfoCaIssuerOid); |
wolfSSL | 13:f67a6c6013ca | 1489 | break; |
wolfSSL | 13:f67a6c6013ca | 1490 | } |
wolfSSL | 13:f67a6c6013ca | 1491 | break; |
wolfSSL | 13:f67a6c6013ca | 1492 | |
wolfSSL | 13:f67a6c6013ca | 1493 | case oidCertPolicyType: |
wolfSSL | 13:f67a6c6013ca | 1494 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1495 | case CP_ANY_OID: |
wolfSSL | 13:f67a6c6013ca | 1496 | oid = extCertPolicyAnyOid; |
wolfSSL | 13:f67a6c6013ca | 1497 | *oidSz = sizeof(extCertPolicyAnyOid); |
wolfSSL | 13:f67a6c6013ca | 1498 | break; |
wolfSSL | 13:f67a6c6013ca | 1499 | } |
wolfSSL | 13:f67a6c6013ca | 1500 | break; |
wolfSSL | 13:f67a6c6013ca | 1501 | |
wolfSSL | 13:f67a6c6013ca | 1502 | case oidCertAltNameType: |
wolfSSL | 13:f67a6c6013ca | 1503 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1504 | case HW_NAME_OID: |
wolfSSL | 13:f67a6c6013ca | 1505 | oid = extAltNamesHwNameOid; |
wolfSSL | 13:f67a6c6013ca | 1506 | *oidSz = sizeof(extAltNamesHwNameOid); |
wolfSSL | 13:f67a6c6013ca | 1507 | break; |
wolfSSL | 13:f67a6c6013ca | 1508 | } |
wolfSSL | 13:f67a6c6013ca | 1509 | break; |
wolfSSL | 13:f67a6c6013ca | 1510 | |
wolfSSL | 13:f67a6c6013ca | 1511 | case oidCertKeyUseType: |
wolfSSL | 13:f67a6c6013ca | 1512 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1513 | case EKU_ANY_OID: |
wolfSSL | 13:f67a6c6013ca | 1514 | oid = extExtKeyUsageAnyOid; |
wolfSSL | 13:f67a6c6013ca | 1515 | *oidSz = sizeof(extExtKeyUsageAnyOid); |
wolfSSL | 13:f67a6c6013ca | 1516 | break; |
wolfSSL | 13:f67a6c6013ca | 1517 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 13:f67a6c6013ca | 1518 | oid = extExtKeyUsageServerAuthOid; |
wolfSSL | 13:f67a6c6013ca | 1519 | *oidSz = sizeof(extExtKeyUsageServerAuthOid); |
wolfSSL | 13:f67a6c6013ca | 1520 | break; |
wolfSSL | 13:f67a6c6013ca | 1521 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 13:f67a6c6013ca | 1522 | oid = extExtKeyUsageClientAuthOid; |
wolfSSL | 13:f67a6c6013ca | 1523 | *oidSz = sizeof(extExtKeyUsageClientAuthOid); |
wolfSSL | 13:f67a6c6013ca | 1524 | break; |
wolfSSL | 13:f67a6c6013ca | 1525 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 13:f67a6c6013ca | 1526 | oid = extExtKeyUsageOcspSignOid; |
wolfSSL | 13:f67a6c6013ca | 1527 | *oidSz = sizeof(extExtKeyUsageOcspSignOid); |
wolfSSL | 13:f67a6c6013ca | 1528 | break; |
wolfSSL | 13:f67a6c6013ca | 1529 | } |
wolfSSL | 13:f67a6c6013ca | 1530 | break; |
wolfSSL | 13:f67a6c6013ca | 1531 | |
wolfSSL | 13:f67a6c6013ca | 1532 | case oidKdfType: |
wolfSSL | 13:f67a6c6013ca | 1533 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1534 | case PBKDF2_OID: |
wolfSSL | 13:f67a6c6013ca | 1535 | oid = pbkdf2Oid; |
wolfSSL | 13:f67a6c6013ca | 1536 | *oidSz = sizeof(pbkdf2Oid); |
wolfSSL | 13:f67a6c6013ca | 1537 | break; |
wolfSSL | 13:f67a6c6013ca | 1538 | } |
wolfSSL | 13:f67a6c6013ca | 1539 | break; |
wolfSSL | 13:f67a6c6013ca | 1540 | |
wolfSSL | 13:f67a6c6013ca | 1541 | case oidKeyWrapType: |
wolfSSL | 13:f67a6c6013ca | 1542 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1543 | case AES128_WRAP: |
wolfSSL | 13:f67a6c6013ca | 1544 | oid = wrapAes128Oid; |
wolfSSL | 13:f67a6c6013ca | 1545 | *oidSz = sizeof(wrapAes128Oid); |
wolfSSL | 13:f67a6c6013ca | 1546 | break; |
wolfSSL | 13:f67a6c6013ca | 1547 | case AES192_WRAP: |
wolfSSL | 13:f67a6c6013ca | 1548 | oid = wrapAes192Oid; |
wolfSSL | 13:f67a6c6013ca | 1549 | *oidSz = sizeof(wrapAes192Oid); |
wolfSSL | 13:f67a6c6013ca | 1550 | break; |
wolfSSL | 13:f67a6c6013ca | 1551 | case AES256_WRAP: |
wolfSSL | 13:f67a6c6013ca | 1552 | oid = wrapAes256Oid; |
wolfSSL | 13:f67a6c6013ca | 1553 | *oidSz = sizeof(wrapAes256Oid); |
wolfSSL | 13:f67a6c6013ca | 1554 | break; |
wolfSSL | 13:f67a6c6013ca | 1555 | } |
wolfSSL | 13:f67a6c6013ca | 1556 | break; |
wolfSSL | 13:f67a6c6013ca | 1557 | |
wolfSSL | 13:f67a6c6013ca | 1558 | case oidCmsKeyAgreeType: |
wolfSSL | 13:f67a6c6013ca | 1559 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 1560 | case dhSinglePass_stdDH_sha1kdf_scheme: |
wolfSSL | 13:f67a6c6013ca | 1561 | oid = dhSinglePass_stdDH_sha1kdf_Oid; |
wolfSSL | 13:f67a6c6013ca | 1562 | *oidSz = sizeof(dhSinglePass_stdDH_sha1kdf_Oid); |
wolfSSL | 13:f67a6c6013ca | 1563 | break; |
wolfSSL | 13:f67a6c6013ca | 1564 | case dhSinglePass_stdDH_sha224kdf_scheme: |
wolfSSL | 13:f67a6c6013ca | 1565 | oid = dhSinglePass_stdDH_sha224kdf_Oid; |
wolfSSL | 13:f67a6c6013ca | 1566 | *oidSz = sizeof(dhSinglePass_stdDH_sha224kdf_Oid); |
wolfSSL | 13:f67a6c6013ca | 1567 | break; |
wolfSSL | 13:f67a6c6013ca | 1568 | case dhSinglePass_stdDH_sha256kdf_scheme: |
wolfSSL | 13:f67a6c6013ca | 1569 | oid = dhSinglePass_stdDH_sha256kdf_Oid; |
wolfSSL | 13:f67a6c6013ca | 1570 | *oidSz = sizeof(dhSinglePass_stdDH_sha256kdf_Oid); |
wolfSSL | 13:f67a6c6013ca | 1571 | break; |
wolfSSL | 13:f67a6c6013ca | 1572 | case dhSinglePass_stdDH_sha384kdf_scheme: |
wolfSSL | 13:f67a6c6013ca | 1573 | oid = dhSinglePass_stdDH_sha384kdf_Oid; |
wolfSSL | 13:f67a6c6013ca | 1574 | *oidSz = sizeof(dhSinglePass_stdDH_sha384kdf_Oid); |
wolfSSL | 13:f67a6c6013ca | 1575 | break; |
wolfSSL | 13:f67a6c6013ca | 1576 | case dhSinglePass_stdDH_sha512kdf_scheme: |
wolfSSL | 13:f67a6c6013ca | 1577 | oid = dhSinglePass_stdDH_sha512kdf_Oid; |
wolfSSL | 13:f67a6c6013ca | 1578 | *oidSz = sizeof(dhSinglePass_stdDH_sha512kdf_Oid); |
wolfSSL | 13:f67a6c6013ca | 1579 | break; |
wolfSSL | 13:f67a6c6013ca | 1580 | } |
wolfSSL | 13:f67a6c6013ca | 1581 | break; |
wolfSSL | 13:f67a6c6013ca | 1582 | |
wolfSSL | 13:f67a6c6013ca | 1583 | case oidIgnoreType: |
wolfSSL | 13:f67a6c6013ca | 1584 | default: |
wolfSSL | 13:f67a6c6013ca | 1585 | break; |
wolfSSL | 13:f67a6c6013ca | 1586 | } |
wolfSSL | 13:f67a6c6013ca | 1587 | |
wolfSSL | 13:f67a6c6013ca | 1588 | return oid; |
wolfSSL | 13:f67a6c6013ca | 1589 | } |
wolfSSL | 13:f67a6c6013ca | 1590 | |
wolfSSL | 13:f67a6c6013ca | 1591 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 13:f67a6c6013ca | 1592 | int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz) |
wolfSSL | 13:f67a6c6013ca | 1593 | { |
wolfSSL | 13:f67a6c6013ca | 1594 | int i, x, len; |
wolfSSL | 13:f67a6c6013ca | 1595 | word32 d, t; |
wolfSSL | 13:f67a6c6013ca | 1596 | |
wolfSSL | 13:f67a6c6013ca | 1597 | /* check args */ |
wolfSSL | 13:f67a6c6013ca | 1598 | if (in == NULL || outSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1599 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1600 | } |
wolfSSL | 13:f67a6c6013ca | 1601 | |
wolfSSL | 13:f67a6c6013ca | 1602 | /* compute length of encoded OID */ |
wolfSSL | 13:f67a6c6013ca | 1603 | d = (in[0] * 40) + in[1]; |
wolfSSL | 13:f67a6c6013ca | 1604 | len = 0; |
wolfSSL | 13:f67a6c6013ca | 1605 | for (i = 1; i < (int)inSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 1606 | x = 0; |
wolfSSL | 13:f67a6c6013ca | 1607 | t = d; |
wolfSSL | 13:f67a6c6013ca | 1608 | while (t) { |
wolfSSL | 13:f67a6c6013ca | 1609 | x++; |
wolfSSL | 13:f67a6c6013ca | 1610 | t >>= 1; |
wolfSSL | 13:f67a6c6013ca | 1611 | } |
wolfSSL | 13:f67a6c6013ca | 1612 | len += (x / 7) + ((x % 7) ? 1 : 0) + (d == 0 ? 1 : 0); |
wolfSSL | 13:f67a6c6013ca | 1613 | |
wolfSSL | 13:f67a6c6013ca | 1614 | if (i < (int)inSz - 1) { |
wolfSSL | 13:f67a6c6013ca | 1615 | d = in[i + 1]; |
wolfSSL | 13:f67a6c6013ca | 1616 | } |
wolfSSL | 13:f67a6c6013ca | 1617 | } |
wolfSSL | 13:f67a6c6013ca | 1618 | |
wolfSSL | 13:f67a6c6013ca | 1619 | if (out) { |
wolfSSL | 13:f67a6c6013ca | 1620 | /* verify length */ |
wolfSSL | 13:f67a6c6013ca | 1621 | if ((int)*outSz < len) { |
wolfSSL | 13:f67a6c6013ca | 1622 | return BUFFER_E; /* buffer provided is not large enough */ |
wolfSSL | 13:f67a6c6013ca | 1623 | } |
wolfSSL | 13:f67a6c6013ca | 1624 | |
wolfSSL | 13:f67a6c6013ca | 1625 | /* calc first byte */ |
wolfSSL | 13:f67a6c6013ca | 1626 | d = (in[0] * 40) + in[1]; |
wolfSSL | 13:f67a6c6013ca | 1627 | |
wolfSSL | 13:f67a6c6013ca | 1628 | /* encode bytes */ |
wolfSSL | 13:f67a6c6013ca | 1629 | x = 0; |
wolfSSL | 13:f67a6c6013ca | 1630 | for (i = 1; i < (int)inSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 1631 | if (d) { |
wolfSSL | 13:f67a6c6013ca | 1632 | int y = x, z; |
wolfSSL | 13:f67a6c6013ca | 1633 | byte mask = 0; |
wolfSSL | 13:f67a6c6013ca | 1634 | while (d) { |
wolfSSL | 13:f67a6c6013ca | 1635 | out[x++] = (byte)((d & 0x7F) | mask); |
wolfSSL | 13:f67a6c6013ca | 1636 | d >>= 7; |
wolfSSL | 13:f67a6c6013ca | 1637 | mask |= 0x80; /* upper bit is set on all but the last byte */ |
wolfSSL | 13:f67a6c6013ca | 1638 | } |
wolfSSL | 13:f67a6c6013ca | 1639 | /* now swap bytes y...x-1 */ |
wolfSSL | 13:f67a6c6013ca | 1640 | z = x - 1; |
wolfSSL | 13:f67a6c6013ca | 1641 | while (y < z) { |
wolfSSL | 13:f67a6c6013ca | 1642 | mask = out[y]; |
wolfSSL | 13:f67a6c6013ca | 1643 | out[y] = out[z]; |
wolfSSL | 13:f67a6c6013ca | 1644 | out[z] = mask; |
wolfSSL | 13:f67a6c6013ca | 1645 | ++y; |
wolfSSL | 13:f67a6c6013ca | 1646 | --z; |
wolfSSL | 13:f67a6c6013ca | 1647 | } |
wolfSSL | 13:f67a6c6013ca | 1648 | } |
wolfSSL | 13:f67a6c6013ca | 1649 | else { |
wolfSSL | 13:f67a6c6013ca | 1650 | out[x++] = 0x00; /* zero value */ |
wolfSSL | 13:f67a6c6013ca | 1651 | } |
wolfSSL | 13:f67a6c6013ca | 1652 | |
wolfSSL | 13:f67a6c6013ca | 1653 | /* next word */ |
wolfSSL | 13:f67a6c6013ca | 1654 | if (i < (int)inSz - 1) { |
wolfSSL | 13:f67a6c6013ca | 1655 | d = in[i + 1]; |
wolfSSL | 13:f67a6c6013ca | 1656 | } |
wolfSSL | 13:f67a6c6013ca | 1657 | } |
wolfSSL | 13:f67a6c6013ca | 1658 | } |
wolfSSL | 13:f67a6c6013ca | 1659 | |
wolfSSL | 13:f67a6c6013ca | 1660 | /* return length */ |
wolfSSL | 13:f67a6c6013ca | 1661 | *outSz = len; |
wolfSSL | 13:f67a6c6013ca | 1662 | |
wolfSSL | 13:f67a6c6013ca | 1663 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1664 | } |
wolfSSL | 13:f67a6c6013ca | 1665 | #endif /* HAVE_OID_ENCODING */ |
wolfSSL | 13:f67a6c6013ca | 1666 | |
wolfSSL | 13:f67a6c6013ca | 1667 | #ifdef HAVE_OID_DECODING |
wolfSSL | 13:f67a6c6013ca | 1668 | int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz) |
wolfSSL | 13:f67a6c6013ca | 1669 | { |
wolfSSL | 13:f67a6c6013ca | 1670 | int x = 0, y = 0; |
wolfSSL | 13:f67a6c6013ca | 1671 | word32 t = 0; |
wolfSSL | 13:f67a6c6013ca | 1672 | |
wolfSSL | 13:f67a6c6013ca | 1673 | /* check args */ |
wolfSSL | 13:f67a6c6013ca | 1674 | if (in == NULL || outSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1675 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1676 | } |
wolfSSL | 13:f67a6c6013ca | 1677 | |
wolfSSL | 13:f67a6c6013ca | 1678 | /* decode bytes */ |
wolfSSL | 13:f67a6c6013ca | 1679 | while (inSz--) { |
wolfSSL | 13:f67a6c6013ca | 1680 | t = (t << 7) | (in[x] & 0x7F); |
wolfSSL | 13:f67a6c6013ca | 1681 | if (!(in[x] & 0x80)) { |
wolfSSL | 13:f67a6c6013ca | 1682 | if (y >= (int)*outSz) { |
wolfSSL | 13:f67a6c6013ca | 1683 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1684 | } |
wolfSSL | 13:f67a6c6013ca | 1685 | if (y == 0) { |
wolfSSL | 13:f67a6c6013ca | 1686 | out[0] = (t / 40); |
wolfSSL | 13:f67a6c6013ca | 1687 | out[1] = (t % 40); |
wolfSSL | 13:f67a6c6013ca | 1688 | y = 2; |
wolfSSL | 13:f67a6c6013ca | 1689 | } |
wolfSSL | 13:f67a6c6013ca | 1690 | else { |
wolfSSL | 13:f67a6c6013ca | 1691 | out[y++] = t; |
wolfSSL | 13:f67a6c6013ca | 1692 | } |
wolfSSL | 13:f67a6c6013ca | 1693 | t = 0; /* reset tmp */ |
wolfSSL | 13:f67a6c6013ca | 1694 | } |
wolfSSL | 13:f67a6c6013ca | 1695 | x++; |
wolfSSL | 13:f67a6c6013ca | 1696 | } |
wolfSSL | 13:f67a6c6013ca | 1697 | |
wolfSSL | 13:f67a6c6013ca | 1698 | /* return length */ |
wolfSSL | 13:f67a6c6013ca | 1699 | *outSz = y; |
wolfSSL | 13:f67a6c6013ca | 1700 | |
wolfSSL | 13:f67a6c6013ca | 1701 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1702 | } |
wolfSSL | 13:f67a6c6013ca | 1703 | #endif /* HAVE_OID_DECODING */ |
wolfSSL | 13:f67a6c6013ca | 1704 | |
wolfSSL | 13:f67a6c6013ca | 1705 | /* Get the DER/BER encoding of an ASN.1 OBJECT_ID header. |
wolfSSL | 13:f67a6c6013ca | 1706 | * |
wolfSSL | 13:f67a6c6013ca | 1707 | * input Buffer holding DER/BER encoded data. |
wolfSSL | 13:f67a6c6013ca | 1708 | * inOutIdx Current index into buffer to parse. |
wolfSSL | 13:f67a6c6013ca | 1709 | * len The number of bytes in the ASN.1 data. |
wolfSSL | 13:f67a6c6013ca | 1710 | * maxIdx Length of data in buffer. |
wolfSSL | 13:f67a6c6013ca | 1711 | * returns BUFFER_E when there is not enough data to parse. |
wolfSSL | 13:f67a6c6013ca | 1712 | * ASN_OBJECt_ID_E when the OBJECT_ID tag is not found. |
wolfSSL | 13:f67a6c6013ca | 1713 | * ASN_PARSE_E when length is invalid. |
wolfSSL | 13:f67a6c6013ca | 1714 | * Otherwise, 0 to indicate success. |
wolfSSL | 13:f67a6c6013ca | 1715 | */ |
wolfSSL | 13:f67a6c6013ca | 1716 | static int GetASNObjectId(const byte* input, word32* inOutIdx, int* len, |
wolfSSL | 13:f67a6c6013ca | 1717 | word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1718 | { |
wolfSSL | 13:f67a6c6013ca | 1719 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1720 | byte b; |
wolfSSL | 13:f67a6c6013ca | 1721 | int length; |
wolfSSL | 13:f67a6c6013ca | 1722 | |
wolfSSL | 13:f67a6c6013ca | 1723 | if ((idx + 1) > maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1724 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1725 | |
wolfSSL | 13:f67a6c6013ca | 1726 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 1727 | if (b != ASN_OBJECT_ID) |
wolfSSL | 13:f67a6c6013ca | 1728 | return ASN_OBJECT_ID_E; |
wolfSSL | 13:f67a6c6013ca | 1729 | |
wolfSSL | 13:f67a6c6013ca | 1730 | if (GetLength(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 1731 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1732 | |
wolfSSL | 13:f67a6c6013ca | 1733 | *len = length; |
wolfSSL | 13:f67a6c6013ca | 1734 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1735 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1736 | } |
wolfSSL | 13:f67a6c6013ca | 1737 | |
wolfSSL | 13:f67a6c6013ca | 1738 | /* Set the DER/BER encoding of the ASN.1 OBJECT_ID header. |
wolfSSL | 13:f67a6c6013ca | 1739 | * |
wolfSSL | 13:f67a6c6013ca | 1740 | * len Length of the OBJECT_ID data. |
wolfSSL | 13:f67a6c6013ca | 1741 | * output Buffer to write into. |
wolfSSL | 13:f67a6c6013ca | 1742 | * returns the number of bytes added to the buffer. |
wolfSSL | 13:f67a6c6013ca | 1743 | */ |
wolfSSL | 13:f67a6c6013ca | 1744 | static int SetObjectId(int len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 1745 | { |
wolfSSL | 13:f67a6c6013ca | 1746 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 1747 | |
wolfSSL | 13:f67a6c6013ca | 1748 | output[idx++] = ASN_OBJECT_ID; |
wolfSSL | 13:f67a6c6013ca | 1749 | idx += SetLength(len, output + idx); |
wolfSSL | 13:f67a6c6013ca | 1750 | |
wolfSSL | 13:f67a6c6013ca | 1751 | return idx; |
wolfSSL | 13:f67a6c6013ca | 1752 | } |
wolfSSL | 13:f67a6c6013ca | 1753 | |
wolfSSL | 13:f67a6c6013ca | 1754 | int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 13:f67a6c6013ca | 1755 | word32 oidType, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1756 | { |
wolfSSL | 13:f67a6c6013ca | 1757 | int ret = 0, length; |
wolfSSL | 13:f67a6c6013ca | 1758 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1759 | #ifndef NO_VERIFY_OID |
wolfSSL | 13:f67a6c6013ca | 1760 | word32 actualOidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 1761 | const byte* actualOid; |
wolfSSL | 13:f67a6c6013ca | 1762 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 13:f67a6c6013ca | 1763 | |
wolfSSL | 13:f67a6c6013ca | 1764 | (void)oidType; |
wolfSSL | 13:f67a6c6013ca | 1765 | WOLFSSL_ENTER("GetObjectId()"); |
wolfSSL | 13:f67a6c6013ca | 1766 | *oid = 0; |
wolfSSL | 13:f67a6c6013ca | 1767 | |
wolfSSL | 13:f67a6c6013ca | 1768 | ret = GetASNObjectId(input, &idx, &length, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 1769 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 1770 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1771 | |
wolfSSL | 13:f67a6c6013ca | 1772 | #ifndef NO_VERIFY_OID |
wolfSSL | 13:f67a6c6013ca | 1773 | actualOid = &input[idx]; |
wolfSSL | 13:f67a6c6013ca | 1774 | if (length > 0) |
wolfSSL | 13:f67a6c6013ca | 1775 | actualOidSz = (word32)length; |
wolfSSL | 13:f67a6c6013ca | 1776 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 13:f67a6c6013ca | 1777 | |
wolfSSL | 13:f67a6c6013ca | 1778 | while (length--) { |
wolfSSL | 13:f67a6c6013ca | 1779 | /* odd HC08 compiler behavior here when input[idx++] */ |
wolfSSL | 13:f67a6c6013ca | 1780 | *oid += (word32)input[idx]; |
wolfSSL | 13:f67a6c6013ca | 1781 | idx++; |
wolfSSL | 13:f67a6c6013ca | 1782 | } |
wolfSSL | 13:f67a6c6013ca | 1783 | /* just sum it up for now */ |
wolfSSL | 13:f67a6c6013ca | 1784 | |
wolfSSL | 13:f67a6c6013ca | 1785 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1786 | |
wolfSSL | 13:f67a6c6013ca | 1787 | #ifndef NO_VERIFY_OID |
wolfSSL | 13:f67a6c6013ca | 1788 | { |
wolfSSL | 13:f67a6c6013ca | 1789 | const byte* checkOid = NULL; |
wolfSSL | 13:f67a6c6013ca | 1790 | word32 checkOidSz; |
wolfSSL | 13:f67a6c6013ca | 1791 | #ifdef ASN_DUMP_OID |
wolfSSL | 13:f67a6c6013ca | 1792 | int i; |
wolfSSL | 13:f67a6c6013ca | 1793 | #endif |
wolfSSL | 13:f67a6c6013ca | 1794 | |
wolfSSL | 13:f67a6c6013ca | 1795 | if (oidType != oidIgnoreType) { |
wolfSSL | 13:f67a6c6013ca | 1796 | checkOid = OidFromId(*oid, oidType, &checkOidSz); |
wolfSSL | 13:f67a6c6013ca | 1797 | |
wolfSSL | 13:f67a6c6013ca | 1798 | #ifdef ASN_DUMP_OID |
wolfSSL | 13:f67a6c6013ca | 1799 | /* support for dumping OID information */ |
wolfSSL | 13:f67a6c6013ca | 1800 | printf("OID (Type %d, Sz %d, Sum %d): ", oidType, actualOidSz, *oid); |
wolfSSL | 13:f67a6c6013ca | 1801 | for (i=0; i<actualOidSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 1802 | printf("%d, ", actualOid[i]); |
wolfSSL | 13:f67a6c6013ca | 1803 | } |
wolfSSL | 13:f67a6c6013ca | 1804 | printf("\n"); |
wolfSSL | 13:f67a6c6013ca | 1805 | #ifdef HAVE_OID_DECODING |
wolfSSL | 13:f67a6c6013ca | 1806 | { |
wolfSSL | 13:f67a6c6013ca | 1807 | word16 decOid[16]; |
wolfSSL | 13:f67a6c6013ca | 1808 | word32 decOidSz = sizeof(decOid); |
wolfSSL | 13:f67a6c6013ca | 1809 | ret = DecodeObjectId(actualOid, actualOidSz, decOid, &decOidSz); |
wolfSSL | 13:f67a6c6013ca | 1810 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 1811 | printf(" Decoded (Sz %d): ", decOidSz); |
wolfSSL | 13:f67a6c6013ca | 1812 | for (i=0; i<decOidSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 1813 | printf("%d.", decOid[i]); |
wolfSSL | 13:f67a6c6013ca | 1814 | } |
wolfSSL | 13:f67a6c6013ca | 1815 | printf("\n"); |
wolfSSL | 13:f67a6c6013ca | 1816 | } |
wolfSSL | 13:f67a6c6013ca | 1817 | else { |
wolfSSL | 13:f67a6c6013ca | 1818 | printf("DecodeObjectId failed: %d\n", ret); |
wolfSSL | 13:f67a6c6013ca | 1819 | } |
wolfSSL | 13:f67a6c6013ca | 1820 | } |
wolfSSL | 13:f67a6c6013ca | 1821 | #endif /* HAVE_OID_DECODING */ |
wolfSSL | 13:f67a6c6013ca | 1822 | #endif /* ASN_DUMP_OID */ |
wolfSSL | 13:f67a6c6013ca | 1823 | |
wolfSSL | 13:f67a6c6013ca | 1824 | if (checkOid != NULL && |
wolfSSL | 13:f67a6c6013ca | 1825 | (checkOidSz != actualOidSz || |
wolfSSL | 13:f67a6c6013ca | 1826 | XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) { |
wolfSSL | 13:f67a6c6013ca | 1827 | WOLFSSL_MSG("OID Check Failed"); |
wolfSSL | 13:f67a6c6013ca | 1828 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 13:f67a6c6013ca | 1829 | } |
wolfSSL | 13:f67a6c6013ca | 1830 | } |
wolfSSL | 13:f67a6c6013ca | 1831 | } |
wolfSSL | 13:f67a6c6013ca | 1832 | #endif /* NO_VERIFY_OID */ |
wolfSSL | 13:f67a6c6013ca | 1833 | |
wolfSSL | 13:f67a6c6013ca | 1834 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1835 | } |
wolfSSL | 13:f67a6c6013ca | 1836 | |
wolfSSL | 13:f67a6c6013ca | 1837 | static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1838 | { |
wolfSSL | 13:f67a6c6013ca | 1839 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1840 | int length; |
wolfSSL | 13:f67a6c6013ca | 1841 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1842 | |
wolfSSL | 13:f67a6c6013ca | 1843 | ret = GetASNObjectId(input, &idx, &length, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 1844 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 1845 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1846 | |
wolfSSL | 13:f67a6c6013ca | 1847 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 1848 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1849 | |
wolfSSL | 13:f67a6c6013ca | 1850 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1851 | } |
wolfSSL | 13:f67a6c6013ca | 1852 | |
wolfSSL | 13:f67a6c6013ca | 1853 | WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, |
wolfSSL | 13:f67a6c6013ca | 1854 | word32 oidType, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 1855 | { |
wolfSSL | 13:f67a6c6013ca | 1856 | int length; |
wolfSSL | 13:f67a6c6013ca | 1857 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1858 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1859 | *oid = 0; |
wolfSSL | 13:f67a6c6013ca | 1860 | |
wolfSSL | 13:f67a6c6013ca | 1861 | WOLFSSL_ENTER("GetAlgoId"); |
wolfSSL | 13:f67a6c6013ca | 1862 | |
wolfSSL | 13:f67a6c6013ca | 1863 | if (GetSequence(input, &idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 1864 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1865 | |
wolfSSL | 13:f67a6c6013ca | 1866 | if (GetObjectId(input, &idx, oid, oidType, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 1867 | return ASN_OBJECT_ID_E; |
wolfSSL | 13:f67a6c6013ca | 1868 | |
wolfSSL | 13:f67a6c6013ca | 1869 | /* could have NULL tag and 0 terminator, but may not */ |
wolfSSL | 13:f67a6c6013ca | 1870 | if (input[idx] == ASN_TAG_NULL) { |
wolfSSL | 13:f67a6c6013ca | 1871 | ret = GetASNNull(input, &idx, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 1872 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 1873 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1874 | } |
wolfSSL | 13:f67a6c6013ca | 1875 | |
wolfSSL | 13:f67a6c6013ca | 1876 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1877 | |
wolfSSL | 13:f67a6c6013ca | 1878 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1879 | } |
wolfSSL | 13:f67a6c6013ca | 1880 | |
wolfSSL | 13:f67a6c6013ca | 1881 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 1882 | |
wolfSSL | 13:f67a6c6013ca | 1883 | #ifndef HAVE_USER_RSA |
wolfSSL | 13:f67a6c6013ca | 1884 | int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 1885 | word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 1886 | { |
wolfSSL | 13:f67a6c6013ca | 1887 | int version, length; |
wolfSSL | 13:f67a6c6013ca | 1888 | |
wolfSSL | 13:f67a6c6013ca | 1889 | if (inOutIdx == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1890 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1891 | } |
wolfSSL | 13:f67a6c6013ca | 1892 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1893 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1894 | |
wolfSSL | 13:f67a6c6013ca | 1895 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1896 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1897 | |
wolfSSL | 13:f67a6c6013ca | 1898 | key->type = RSA_PRIVATE; |
wolfSSL | 13:f67a6c6013ca | 1899 | |
wolfSSL | 13:f67a6c6013ca | 1900 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1901 | GetInt(&key->e, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1902 | GetInt(&key->d, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1903 | GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1904 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1905 | GetInt(&key->dP, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1906 | GetInt(&key->dQ, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 1907 | GetInt(&key->u, input, inOutIdx, inSz) < 0 ) return ASN_RSA_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 1908 | |
wolfSSL | 13:f67a6c6013ca | 1909 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 1910 | if (wc_InitRsaHw(key) != 0) { |
wolfSSL | 13:f67a6c6013ca | 1911 | return BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1912 | } |
wolfSSL | 13:f67a6c6013ca | 1913 | #endif |
wolfSSL | 13:f67a6c6013ca | 1914 | |
wolfSSL | 13:f67a6c6013ca | 1915 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1916 | } |
wolfSSL | 13:f67a6c6013ca | 1917 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1918 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1919 | |
wolfSSL | 13:f67a6c6013ca | 1920 | /* Remove PKCS8 header, place inOutIdx at beginning of traditional, |
wolfSSL | 13:f67a6c6013ca | 1921 | * return traditional length on success, negative on error */ |
wolfSSL | 13:f67a6c6013ca | 1922 | int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz) |
wolfSSL | 13:f67a6c6013ca | 1923 | { |
wolfSSL | 13:f67a6c6013ca | 1924 | word32 idx, oid; |
wolfSSL | 13:f67a6c6013ca | 1925 | int version, length; |
wolfSSL | 13:f67a6c6013ca | 1926 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1927 | |
wolfSSL | 13:f67a6c6013ca | 1928 | if (input == NULL || inOutIdx == NULL) |
wolfSSL | 13:f67a6c6013ca | 1929 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1930 | |
wolfSSL | 13:f67a6c6013ca | 1931 | idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 1932 | |
wolfSSL | 13:f67a6c6013ca | 1933 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1934 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1935 | |
wolfSSL | 13:f67a6c6013ca | 1936 | if (GetMyVersion(input, &idx, &version, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1937 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1938 | |
wolfSSL | 13:f67a6c6013ca | 1939 | if (GetAlgoId(input, &idx, &oid, oidKeyType, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1940 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1941 | |
wolfSSL | 13:f67a6c6013ca | 1942 | if (input[idx] == ASN_OBJECT_ID) { |
wolfSSL | 13:f67a6c6013ca | 1943 | if (SkipObjectId(input, &idx, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 1944 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 1945 | } |
wolfSSL | 13:f67a6c6013ca | 1946 | |
wolfSSL | 13:f67a6c6013ca | 1947 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 1948 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 1949 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1950 | |
wolfSSL | 13:f67a6c6013ca | 1951 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 1952 | |
wolfSSL | 13:f67a6c6013ca | 1953 | return length; |
wolfSSL | 13:f67a6c6013ca | 1954 | } |
wolfSSL | 13:f67a6c6013ca | 1955 | |
wolfSSL | 13:f67a6c6013ca | 1956 | /* Remove PKCS8 header, move beginning of traditional to beginning of input */ |
wolfSSL | 13:f67a6c6013ca | 1957 | int ToTraditional(byte* input, word32 sz) |
wolfSSL | 13:f67a6c6013ca | 1958 | { |
wolfSSL | 13:f67a6c6013ca | 1959 | word32 inOutIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 1960 | int length; |
wolfSSL | 13:f67a6c6013ca | 1961 | |
wolfSSL | 13:f67a6c6013ca | 1962 | if (input == NULL) |
wolfSSL | 13:f67a6c6013ca | 1963 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1964 | |
wolfSSL | 13:f67a6c6013ca | 1965 | length = ToTraditionalInline(input, &inOutIdx, sz); |
wolfSSL | 13:f67a6c6013ca | 1966 | if (length < 0) |
wolfSSL | 13:f67a6c6013ca | 1967 | return length; |
wolfSSL | 13:f67a6c6013ca | 1968 | |
wolfSSL | 13:f67a6c6013ca | 1969 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 13:f67a6c6013ca | 1970 | |
wolfSSL | 13:f67a6c6013ca | 1971 | return length; |
wolfSSL | 13:f67a6c6013ca | 1972 | } |
wolfSSL | 13:f67a6c6013ca | 1973 | |
wolfSSL | 13:f67a6c6013ca | 1974 | |
wolfSSL | 13:f67a6c6013ca | 1975 | /* find beginning of traditional key inside PKCS#8 unencrypted buffer |
wolfSSL | 13:f67a6c6013ca | 1976 | * return traditional length on success, with inOutIdx at beginning of |
wolfSSL | 13:f67a6c6013ca | 1977 | * traditional |
wolfSSL | 13:f67a6c6013ca | 1978 | * return negative on failure/error */ |
wolfSSL | 13:f67a6c6013ca | 1979 | int wc_GetPkcs8TraditionalOffset(byte* input, word32* inOutIdx, word32 sz) |
wolfSSL | 13:f67a6c6013ca | 1980 | { |
wolfSSL | 13:f67a6c6013ca | 1981 | int length; |
wolfSSL | 13:f67a6c6013ca | 1982 | |
wolfSSL | 13:f67a6c6013ca | 1983 | if (input == NULL || inOutIdx == NULL || (*inOutIdx > sz)) |
wolfSSL | 13:f67a6c6013ca | 1984 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1985 | |
wolfSSL | 13:f67a6c6013ca | 1986 | length = ToTraditionalInline(input, inOutIdx, sz); |
wolfSSL | 13:f67a6c6013ca | 1987 | |
wolfSSL | 13:f67a6c6013ca | 1988 | return length; |
wolfSSL | 13:f67a6c6013ca | 1989 | } |
wolfSSL | 13:f67a6c6013ca | 1990 | |
wolfSSL | 13:f67a6c6013ca | 1991 | |
wolfSSL | 13:f67a6c6013ca | 1992 | /* PKCS#8 from RFC 5208 |
wolfSSL | 13:f67a6c6013ca | 1993 | * This function takes in a DER key and converts it to PKCS#8 format. Used |
wolfSSL | 13:f67a6c6013ca | 1994 | * in creating PKCS#12 shrouded key bags. |
wolfSSL | 13:f67a6c6013ca | 1995 | * Reverse of ToTraditional |
wolfSSL | 13:f67a6c6013ca | 1996 | * |
wolfSSL | 13:f67a6c6013ca | 1997 | * PrivateKeyInfo ::= SEQUENCE { |
wolfSSL | 13:f67a6c6013ca | 1998 | * version Version, |
wolfSSL | 13:f67a6c6013ca | 1999 | * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, |
wolfSSL | 13:f67a6c6013ca | 2000 | * privateKey PrivateKey, |
wolfSSL | 13:f67a6c6013ca | 2001 | * attributes optional |
wolfSSL | 13:f67a6c6013ca | 2002 | * } |
wolfSSL | 13:f67a6c6013ca | 2003 | * Version ::= INTEGER |
wolfSSL | 13:f67a6c6013ca | 2004 | * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier |
wolfSSL | 13:f67a6c6013ca | 2005 | * PrivateKey ::= OCTET STRING |
wolfSSL | 13:f67a6c6013ca | 2006 | * |
wolfSSL | 13:f67a6c6013ca | 2007 | * out buffer to place result in |
wolfSSL | 13:f67a6c6013ca | 2008 | * outSz size of out buffer |
wolfSSL | 13:f67a6c6013ca | 2009 | * key buffer with DER key |
wolfSSL | 13:f67a6c6013ca | 2010 | * keySz size of key buffer |
wolfSSL | 13:f67a6c6013ca | 2011 | * algoID algorithm ID i.e. RSAk |
wolfSSL | 13:f67a6c6013ca | 2012 | * curveOID ECC curve oid if used. Should be NULL for RSA keys. |
wolfSSL | 13:f67a6c6013ca | 2013 | * oidSz size of curve oid. Is set to 0 if curveOID is NULL. |
wolfSSL | 13:f67a6c6013ca | 2014 | * |
wolfSSL | 13:f67a6c6013ca | 2015 | * Returns the size of PKCS#8 placed into out. In error cases returns negative |
wolfSSL | 13:f67a6c6013ca | 2016 | * values. |
wolfSSL | 13:f67a6c6013ca | 2017 | */ |
wolfSSL | 13:f67a6c6013ca | 2018 | int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, |
wolfSSL | 13:f67a6c6013ca | 2019 | int algoID, const byte* curveOID, word32 oidSz) |
wolfSSL | 13:f67a6c6013ca | 2020 | { |
wolfSSL | 13:f67a6c6013ca | 2021 | word32 keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2022 | word32 tmpSz = 0; |
wolfSSL | 13:f67a6c6013ca | 2023 | word32 sz; |
wolfSSL | 13:f67a6c6013ca | 2024 | |
wolfSSL | 13:f67a6c6013ca | 2025 | |
wolfSSL | 13:f67a6c6013ca | 2026 | /* If out is NULL then return the max size needed |
wolfSSL | 13:f67a6c6013ca | 2027 | * + 2 for ASN_OBJECT_ID and ASN_OCTET_STRING tags */ |
wolfSSL | 13:f67a6c6013ca | 2028 | if (out == NULL && outSz != NULL) { |
wolfSSL | 13:f67a6c6013ca | 2029 | *outSz = keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 13:f67a6c6013ca | 2030 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2; |
wolfSSL | 13:f67a6c6013ca | 2031 | |
wolfSSL | 13:f67a6c6013ca | 2032 | if (curveOID != NULL) |
wolfSSL | 13:f67a6c6013ca | 2033 | *outSz += oidSz + MAX_LENGTH_SZ + 1; |
wolfSSL | 13:f67a6c6013ca | 2034 | |
wolfSSL | 13:f67a6c6013ca | 2035 | WOLFSSL_MSG("Checking size of PKCS8"); |
wolfSSL | 13:f67a6c6013ca | 2036 | |
wolfSSL | 13:f67a6c6013ca | 2037 | return LENGTH_ONLY_E; |
wolfSSL | 13:f67a6c6013ca | 2038 | } |
wolfSSL | 13:f67a6c6013ca | 2039 | |
wolfSSL | 13:f67a6c6013ca | 2040 | WOLFSSL_ENTER("wc_CreatePKCS8Key()"); |
wolfSSL | 13:f67a6c6013ca | 2041 | |
wolfSSL | 13:f67a6c6013ca | 2042 | if (key == NULL || out == NULL || outSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2043 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2044 | } |
wolfSSL | 13:f67a6c6013ca | 2045 | |
wolfSSL | 13:f67a6c6013ca | 2046 | /* check the buffer has enough room for largest possible size */ |
wolfSSL | 13:f67a6c6013ca | 2047 | if (curveOID != NULL) { |
wolfSSL | 13:f67a6c6013ca | 2048 | if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 13:f67a6c6013ca | 2049 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 3 + oidSz + MAX_LENGTH_SZ)) |
wolfSSL | 13:f67a6c6013ca | 2050 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 2051 | } |
wolfSSL | 13:f67a6c6013ca | 2052 | else { |
wolfSSL | 13:f67a6c6013ca | 2053 | oidSz = 0; /* with no curveOID oid size must be 0 */ |
wolfSSL | 13:f67a6c6013ca | 2054 | if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ |
wolfSSL | 13:f67a6c6013ca | 2055 | + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2)) |
wolfSSL | 13:f67a6c6013ca | 2056 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 2057 | } |
wolfSSL | 13:f67a6c6013ca | 2058 | |
wolfSSL | 13:f67a6c6013ca | 2059 | /* PrivateKeyInfo ::= SEQUENCE */ |
wolfSSL | 13:f67a6c6013ca | 2060 | keyIdx += MAX_SEQ_SZ; /* save room for sequence */ |
wolfSSL | 13:f67a6c6013ca | 2061 | |
wolfSSL | 13:f67a6c6013ca | 2062 | /* version Version |
wolfSSL | 13:f67a6c6013ca | 2063 | * no header information just INTEGER */ |
wolfSSL | 13:f67a6c6013ca | 2064 | sz = SetMyVersion(PKCS8v0, out + keyIdx, 0); |
wolfSSL | 13:f67a6c6013ca | 2065 | tmpSz += sz; keyIdx += sz; |
wolfSSL | 13:f67a6c6013ca | 2066 | |
wolfSSL | 13:f67a6c6013ca | 2067 | /* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier */ |
wolfSSL | 13:f67a6c6013ca | 2068 | sz = 0; /* set sz to 0 and get privateKey oid buffer size needed */ |
wolfSSL | 13:f67a6c6013ca | 2069 | if (curveOID != NULL && oidSz > 0) { |
wolfSSL | 13:f67a6c6013ca | 2070 | byte buf[MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 2071 | sz = SetLength(oidSz, buf); |
wolfSSL | 13:f67a6c6013ca | 2072 | sz += 1; /* plus one for ASN object id */ |
wolfSSL | 13:f67a6c6013ca | 2073 | } |
wolfSSL | 13:f67a6c6013ca | 2074 | sz = SetAlgoID(algoID, out + keyIdx, oidKeyType, oidSz + sz); |
wolfSSL | 13:f67a6c6013ca | 2075 | tmpSz += sz; keyIdx += sz; |
wolfSSL | 13:f67a6c6013ca | 2076 | |
wolfSSL | 13:f67a6c6013ca | 2077 | /* privateKey PrivateKey * |
wolfSSL | 13:f67a6c6013ca | 2078 | * pkcs8 ecc uses slightly different format. Places curve oid in |
wolfSSL | 13:f67a6c6013ca | 2079 | * buffer */ |
wolfSSL | 13:f67a6c6013ca | 2080 | if (curveOID != NULL && oidSz > 0) { |
wolfSSL | 13:f67a6c6013ca | 2081 | sz = SetObjectId(oidSz, out + keyIdx); |
wolfSSL | 13:f67a6c6013ca | 2082 | keyIdx += sz; tmpSz += sz; |
wolfSSL | 13:f67a6c6013ca | 2083 | XMEMCPY(out + keyIdx, curveOID, oidSz); |
wolfSSL | 13:f67a6c6013ca | 2084 | keyIdx += oidSz; tmpSz += oidSz; |
wolfSSL | 13:f67a6c6013ca | 2085 | } |
wolfSSL | 13:f67a6c6013ca | 2086 | |
wolfSSL | 13:f67a6c6013ca | 2087 | sz = SetOctetString(keySz, out + keyIdx); |
wolfSSL | 13:f67a6c6013ca | 2088 | keyIdx += sz; tmpSz += sz; |
wolfSSL | 13:f67a6c6013ca | 2089 | XMEMCPY(out + keyIdx, key, keySz); |
wolfSSL | 13:f67a6c6013ca | 2090 | tmpSz += keySz; |
wolfSSL | 13:f67a6c6013ca | 2091 | |
wolfSSL | 13:f67a6c6013ca | 2092 | /* attributes optional |
wolfSSL | 13:f67a6c6013ca | 2093 | * No attributes currently added */ |
wolfSSL | 13:f67a6c6013ca | 2094 | |
wolfSSL | 13:f67a6c6013ca | 2095 | /* rewind and add sequence */ |
wolfSSL | 13:f67a6c6013ca | 2096 | sz = SetSequence(tmpSz, out); |
wolfSSL | 13:f67a6c6013ca | 2097 | XMEMMOVE(out + sz, out + MAX_SEQ_SZ, tmpSz); |
wolfSSL | 13:f67a6c6013ca | 2098 | |
wolfSSL | 13:f67a6c6013ca | 2099 | return tmpSz + sz; |
wolfSSL | 13:f67a6c6013ca | 2100 | } |
wolfSSL | 13:f67a6c6013ca | 2101 | |
wolfSSL | 13:f67a6c6013ca | 2102 | |
wolfSSL | 13:f67a6c6013ca | 2103 | /* check that the private key is a pair for the public key in certificate |
wolfSSL | 13:f67a6c6013ca | 2104 | * return 1 (true) on match |
wolfSSL | 13:f67a6c6013ca | 2105 | * return 0 or negative value on failure/error |
wolfSSL | 13:f67a6c6013ca | 2106 | * |
wolfSSL | 13:f67a6c6013ca | 2107 | * key : buffer holding DER fromat key |
wolfSSL | 13:f67a6c6013ca | 2108 | * keySz : size of key buffer |
wolfSSL | 13:f67a6c6013ca | 2109 | * der : a initialized and parsed DecodedCert holding a certificate */ |
wolfSSL | 13:f67a6c6013ca | 2110 | int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) |
wolfSSL | 13:f67a6c6013ca | 2111 | { |
wolfSSL | 13:f67a6c6013ca | 2112 | int ret; |
wolfSSL | 13:f67a6c6013ca | 2113 | |
wolfSSL | 13:f67a6c6013ca | 2114 | if (key == NULL || der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2115 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2116 | } |
wolfSSL | 13:f67a6c6013ca | 2117 | |
wolfSSL | 13:f67a6c6013ca | 2118 | #if !defined(NO_RSA) |
wolfSSL | 13:f67a6c6013ca | 2119 | /* test if RSA key */ |
wolfSSL | 13:f67a6c6013ca | 2120 | if (der->keyOID == RSAk) { |
wolfSSL | 13:f67a6c6013ca | 2121 | RsaKey a, b; |
wolfSSL | 13:f67a6c6013ca | 2122 | word32 keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2123 | |
wolfSSL | 13:f67a6c6013ca | 2124 | if ((ret = wc_InitRsaKey(&a, NULL)) < 0) |
wolfSSL | 13:f67a6c6013ca | 2125 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2126 | if ((ret = wc_InitRsaKey(&b, NULL)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2127 | wc_FreeRsaKey(&a); |
wolfSSL | 13:f67a6c6013ca | 2128 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2129 | } |
wolfSSL | 13:f67a6c6013ca | 2130 | if ((ret = wc_RsaPrivateKeyDecode(key, &keyIdx, &a, keySz)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2131 | WOLFSSL_MSG("Checking RSA key pair"); |
wolfSSL | 13:f67a6c6013ca | 2132 | keyIdx = 0; /* reset to 0 for parsing public key */ |
wolfSSL | 13:f67a6c6013ca | 2133 | |
wolfSSL | 13:f67a6c6013ca | 2134 | if ((ret = wc_RsaPublicKeyDecode(der->publicKey, &keyIdx, &b, |
wolfSSL | 13:f67a6c6013ca | 2135 | der->pubKeySize)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2136 | /* limit for user RSA crypto because of RsaKey |
wolfSSL | 13:f67a6c6013ca | 2137 | * dereference. */ |
wolfSSL | 13:f67a6c6013ca | 2138 | #if defined(HAVE_USER_RSA) |
wolfSSL | 13:f67a6c6013ca | 2139 | WOLFSSL_MSG("Cannot verify RSA pair with user RSA"); |
wolfSSL | 13:f67a6c6013ca | 2140 | ret = 1; /* return first RSA cert as match */ |
wolfSSL | 13:f67a6c6013ca | 2141 | #else |
wolfSSL | 13:f67a6c6013ca | 2142 | /* both keys extracted successfully now check n and e |
wolfSSL | 13:f67a6c6013ca | 2143 | * values are the same. This is dereferencing RsaKey */ |
wolfSSL | 13:f67a6c6013ca | 2144 | if (mp_cmp(&(a.n), &(b.n)) != MP_EQ || |
wolfSSL | 13:f67a6c6013ca | 2145 | mp_cmp(&(a.e), &(b.e)) != MP_EQ) { |
wolfSSL | 13:f67a6c6013ca | 2146 | ret = MP_CMP_E; |
wolfSSL | 13:f67a6c6013ca | 2147 | } |
wolfSSL | 13:f67a6c6013ca | 2148 | else |
wolfSSL | 13:f67a6c6013ca | 2149 | ret = 1; |
wolfSSL | 13:f67a6c6013ca | 2150 | #endif |
wolfSSL | 13:f67a6c6013ca | 2151 | } |
wolfSSL | 13:f67a6c6013ca | 2152 | } |
wolfSSL | 13:f67a6c6013ca | 2153 | wc_FreeRsaKey(&b); |
wolfSSL | 13:f67a6c6013ca | 2154 | wc_FreeRsaKey(&a); |
wolfSSL | 13:f67a6c6013ca | 2155 | } |
wolfSSL | 13:f67a6c6013ca | 2156 | else |
wolfSSL | 13:f67a6c6013ca | 2157 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 2158 | |
wolfSSL | 13:f67a6c6013ca | 2159 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 2160 | if (der->keyOID == ECDSAk) { |
wolfSSL | 13:f67a6c6013ca | 2161 | word32 keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2162 | ecc_key key_pair; |
wolfSSL | 13:f67a6c6013ca | 2163 | |
wolfSSL | 13:f67a6c6013ca | 2164 | if ((ret = wc_ecc_init(&key_pair)) < 0) |
wolfSSL | 13:f67a6c6013ca | 2165 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2166 | if ((ret = wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, |
wolfSSL | 13:f67a6c6013ca | 2167 | keySz)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2168 | WOLFSSL_MSG("Checking ECC key pair"); |
wolfSSL | 13:f67a6c6013ca | 2169 | keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2170 | if ((ret = wc_ecc_import_x963(der->publicKey, der->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 2171 | &key_pair)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2172 | /* public and private extracted successfuly no check if is |
wolfSSL | 13:f67a6c6013ca | 2173 | * a pair and also do sanity checks on key. wc_ecc_check_key |
wolfSSL | 13:f67a6c6013ca | 2174 | * checks that private * base generator equals pubkey */ |
wolfSSL | 13:f67a6c6013ca | 2175 | if ((ret = wc_ecc_check_key(&key_pair)) == 0) |
wolfSSL | 13:f67a6c6013ca | 2176 | ret = 1; |
wolfSSL | 13:f67a6c6013ca | 2177 | } |
wolfSSL | 13:f67a6c6013ca | 2178 | } |
wolfSSL | 13:f67a6c6013ca | 2179 | wc_ecc_free(&key_pair); |
wolfSSL | 13:f67a6c6013ca | 2180 | } |
wolfSSL | 13:f67a6c6013ca | 2181 | else |
wolfSSL | 13:f67a6c6013ca | 2182 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 2183 | |
wolfSSL | 13:f67a6c6013ca | 2184 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 2185 | if (der->keyOID == ED25519k) { |
wolfSSL | 13:f67a6c6013ca | 2186 | word32 keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2187 | ed25519_key key_pair; |
wolfSSL | 13:f67a6c6013ca | 2188 | |
wolfSSL | 13:f67a6c6013ca | 2189 | if ((ret = wc_ed25519_init(&key_pair)) < 0) |
wolfSSL | 13:f67a6c6013ca | 2190 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2191 | if ((ret = wc_Ed25519PrivateKeyDecode(key, &keyIdx, &key_pair, |
wolfSSL | 13:f67a6c6013ca | 2192 | keySz)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2193 | WOLFSSL_MSG("Checking ED25519 key pair"); |
wolfSSL | 13:f67a6c6013ca | 2194 | keyIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2195 | if ((ret = wc_ed25519_import_public(der->publicKey, der->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 2196 | &key_pair)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2197 | /* public and private extracted successfuly no check if is |
wolfSSL | 13:f67a6c6013ca | 2198 | * a pair and also do sanity checks on key. wc_ecc_check_key |
wolfSSL | 13:f67a6c6013ca | 2199 | * checks that private * base generator equals pubkey */ |
wolfSSL | 13:f67a6c6013ca | 2200 | if ((ret = wc_ed25519_check_key(&key_pair)) == 0) |
wolfSSL | 13:f67a6c6013ca | 2201 | ret = 1; |
wolfSSL | 13:f67a6c6013ca | 2202 | } |
wolfSSL | 13:f67a6c6013ca | 2203 | } |
wolfSSL | 13:f67a6c6013ca | 2204 | wc_ed25519_free(&key_pair); |
wolfSSL | 13:f67a6c6013ca | 2205 | } |
wolfSSL | 13:f67a6c6013ca | 2206 | else |
wolfSSL | 13:f67a6c6013ca | 2207 | #endif |
wolfSSL | 13:f67a6c6013ca | 2208 | { |
wolfSSL | 13:f67a6c6013ca | 2209 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 2210 | } |
wolfSSL | 13:f67a6c6013ca | 2211 | |
wolfSSL | 13:f67a6c6013ca | 2212 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2213 | } |
wolfSSL | 13:f67a6c6013ca | 2214 | |
wolfSSL | 13:f67a6c6013ca | 2215 | #ifndef NO_PWDBASED |
wolfSSL | 13:f67a6c6013ca | 2216 | |
wolfSSL | 13:f67a6c6013ca | 2217 | /* Check To see if PKCS version algo is supported, set id if it is return 0 |
wolfSSL | 13:f67a6c6013ca | 2218 | < 0 on error */ |
wolfSSL | 13:f67a6c6013ca | 2219 | static int CheckAlgo(int first, int second, int* id, int* version) |
wolfSSL | 13:f67a6c6013ca | 2220 | { |
wolfSSL | 13:f67a6c6013ca | 2221 | *id = ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2222 | *version = PKCS5; /* default */ |
wolfSSL | 13:f67a6c6013ca | 2223 | |
wolfSSL | 13:f67a6c6013ca | 2224 | if (first == 1) { |
wolfSSL | 13:f67a6c6013ca | 2225 | switch (second) { |
wolfSSL | 13:f67a6c6013ca | 2226 | case 1: |
wolfSSL | 13:f67a6c6013ca | 2227 | *id = PBE_SHA1_RC4_128; |
wolfSSL | 13:f67a6c6013ca | 2228 | *version = PKCS12v1; |
wolfSSL | 13:f67a6c6013ca | 2229 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2230 | case 3: |
wolfSSL | 13:f67a6c6013ca | 2231 | *id = PBE_SHA1_DES3; |
wolfSSL | 13:f67a6c6013ca | 2232 | *version = PKCS12v1; |
wolfSSL | 13:f67a6c6013ca | 2233 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2234 | default: |
wolfSSL | 13:f67a6c6013ca | 2235 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2236 | } |
wolfSSL | 13:f67a6c6013ca | 2237 | } |
wolfSSL | 13:f67a6c6013ca | 2238 | |
wolfSSL | 13:f67a6c6013ca | 2239 | if (first != PKCS5) |
wolfSSL | 13:f67a6c6013ca | 2240 | return ASN_INPUT_E; /* VERSION ERROR */ |
wolfSSL | 13:f67a6c6013ca | 2241 | |
wolfSSL | 13:f67a6c6013ca | 2242 | if (second == PBES2) { |
wolfSSL | 13:f67a6c6013ca | 2243 | *version = PKCS5v2; |
wolfSSL | 13:f67a6c6013ca | 2244 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2245 | } |
wolfSSL | 13:f67a6c6013ca | 2246 | |
wolfSSL | 13:f67a6c6013ca | 2247 | switch (second) { |
wolfSSL | 13:f67a6c6013ca | 2248 | case 3: /* see RFC 2898 for ids */ |
wolfSSL | 13:f67a6c6013ca | 2249 | *id = PBE_MD5_DES; |
wolfSSL | 13:f67a6c6013ca | 2250 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2251 | case 10: |
wolfSSL | 13:f67a6c6013ca | 2252 | *id = PBE_SHA1_DES; |
wolfSSL | 13:f67a6c6013ca | 2253 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2254 | default: |
wolfSSL | 13:f67a6c6013ca | 2255 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2256 | |
wolfSSL | 13:f67a6c6013ca | 2257 | } |
wolfSSL | 13:f67a6c6013ca | 2258 | } |
wolfSSL | 13:f67a6c6013ca | 2259 | |
wolfSSL | 13:f67a6c6013ca | 2260 | |
wolfSSL | 13:f67a6c6013ca | 2261 | /* Check To see if PKCS v2 algo is supported, set id if it is return 0 |
wolfSSL | 13:f67a6c6013ca | 2262 | < 0 on error */ |
wolfSSL | 13:f67a6c6013ca | 2263 | static int CheckAlgoV2(int oid, int* id) |
wolfSSL | 13:f67a6c6013ca | 2264 | { |
wolfSSL | 13:f67a6c6013ca | 2265 | switch (oid) { |
wolfSSL | 13:f67a6c6013ca | 2266 | case 69: |
wolfSSL | 13:f67a6c6013ca | 2267 | *id = PBE_SHA1_DES; |
wolfSSL | 13:f67a6c6013ca | 2268 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2269 | case 652: |
wolfSSL | 13:f67a6c6013ca | 2270 | *id = PBE_SHA1_DES3; |
wolfSSL | 13:f67a6c6013ca | 2271 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2272 | default: |
wolfSSL | 13:f67a6c6013ca | 2273 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2274 | |
wolfSSL | 13:f67a6c6013ca | 2275 | } |
wolfSSL | 13:f67a6c6013ca | 2276 | } |
wolfSSL | 13:f67a6c6013ca | 2277 | |
wolfSSL | 13:f67a6c6013ca | 2278 | |
wolfSSL | 13:f67a6c6013ca | 2279 | /* Decrypt input in place from parameters based on id */ |
wolfSSL | 13:f67a6c6013ca | 2280 | static int DecryptKey(const char* password, int passwordSz, byte* salt, |
wolfSSL | 13:f67a6c6013ca | 2281 | int saltSz, int iterations, int id, byte* input, |
wolfSSL | 13:f67a6c6013ca | 2282 | int length, int version, byte* cbcIv) |
wolfSSL | 13:f67a6c6013ca | 2283 | { |
wolfSSL | 13:f67a6c6013ca | 2284 | int typeH; |
wolfSSL | 13:f67a6c6013ca | 2285 | int derivedLen; |
wolfSSL | 13:f67a6c6013ca | 2286 | int decryptionType; |
wolfSSL | 13:f67a6c6013ca | 2287 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 2288 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2289 | byte* key; |
wolfSSL | 13:f67a6c6013ca | 2290 | #else |
wolfSSL | 13:f67a6c6013ca | 2291 | byte key[MAX_KEY_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 2292 | #endif |
wolfSSL | 13:f67a6c6013ca | 2293 | |
wolfSSL | 13:f67a6c6013ca | 2294 | (void)input; |
wolfSSL | 13:f67a6c6013ca | 2295 | (void)length; |
wolfSSL | 13:f67a6c6013ca | 2296 | |
wolfSSL | 13:f67a6c6013ca | 2297 | switch (id) { |
wolfSSL | 13:f67a6c6013ca | 2298 | case PBE_MD5_DES: |
wolfSSL | 13:f67a6c6013ca | 2299 | typeH = MD5; |
wolfSSL | 13:f67a6c6013ca | 2300 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 13:f67a6c6013ca | 2301 | decryptionType = DES_TYPE; |
wolfSSL | 13:f67a6c6013ca | 2302 | break; |
wolfSSL | 13:f67a6c6013ca | 2303 | |
wolfSSL | 13:f67a6c6013ca | 2304 | case PBE_SHA1_DES: |
wolfSSL | 13:f67a6c6013ca | 2305 | typeH = SHA; |
wolfSSL | 13:f67a6c6013ca | 2306 | derivedLen = 16; /* may need iv for v1.5 */ |
wolfSSL | 13:f67a6c6013ca | 2307 | decryptionType = DES_TYPE; |
wolfSSL | 13:f67a6c6013ca | 2308 | break; |
wolfSSL | 13:f67a6c6013ca | 2309 | |
wolfSSL | 13:f67a6c6013ca | 2310 | case PBE_SHA1_DES3: |
wolfSSL | 13:f67a6c6013ca | 2311 | typeH = SHA; |
wolfSSL | 13:f67a6c6013ca | 2312 | derivedLen = 32; /* may need iv for v1.5 */ |
wolfSSL | 13:f67a6c6013ca | 2313 | decryptionType = DES3_TYPE; |
wolfSSL | 13:f67a6c6013ca | 2314 | break; |
wolfSSL | 13:f67a6c6013ca | 2315 | |
wolfSSL | 13:f67a6c6013ca | 2316 | case PBE_SHA1_RC4_128: |
wolfSSL | 13:f67a6c6013ca | 2317 | typeH = SHA; |
wolfSSL | 13:f67a6c6013ca | 2318 | derivedLen = 16; |
wolfSSL | 13:f67a6c6013ca | 2319 | decryptionType = RC4_TYPE; |
wolfSSL | 13:f67a6c6013ca | 2320 | break; |
wolfSSL | 13:f67a6c6013ca | 2321 | |
wolfSSL | 13:f67a6c6013ca | 2322 | default: |
wolfSSL | 13:f67a6c6013ca | 2323 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2324 | } |
wolfSSL | 13:f67a6c6013ca | 2325 | |
wolfSSL | 13:f67a6c6013ca | 2326 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2327 | key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2328 | if (key == NULL) |
wolfSSL | 13:f67a6c6013ca | 2329 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 2330 | #endif |
wolfSSL | 13:f67a6c6013ca | 2331 | |
wolfSSL | 13:f67a6c6013ca | 2332 | if (version == PKCS5v2) |
wolfSSL | 13:f67a6c6013ca | 2333 | ret = wc_PBKDF2(key, (byte*)password, passwordSz, |
wolfSSL | 13:f67a6c6013ca | 2334 | salt, saltSz, iterations, derivedLen, typeH); |
wolfSSL | 13:f67a6c6013ca | 2335 | #ifndef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 2336 | else if (version == PKCS5) |
wolfSSL | 13:f67a6c6013ca | 2337 | ret = wc_PBKDF1(key, (byte*)password, passwordSz, |
wolfSSL | 13:f67a6c6013ca | 2338 | salt, saltSz, iterations, derivedLen, typeH); |
wolfSSL | 13:f67a6c6013ca | 2339 | #endif |
wolfSSL | 13:f67a6c6013ca | 2340 | else if (version == PKCS12v1) { |
wolfSSL | 13:f67a6c6013ca | 2341 | int i, idx = 0; |
wolfSSL | 13:f67a6c6013ca | 2342 | byte unicodePasswd[MAX_UNICODE_SZ]; |
wolfSSL | 13:f67a6c6013ca | 2343 | |
wolfSSL | 13:f67a6c6013ca | 2344 | if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) { |
wolfSSL | 13:f67a6c6013ca | 2345 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2346 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2347 | #endif |
wolfSSL | 13:f67a6c6013ca | 2348 | return UNICODE_SIZE_E; |
wolfSSL | 13:f67a6c6013ca | 2349 | } |
wolfSSL | 13:f67a6c6013ca | 2350 | |
wolfSSL | 13:f67a6c6013ca | 2351 | for (i = 0; i < passwordSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 2352 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 2353 | unicodePasswd[idx++] = (byte)password[i]; |
wolfSSL | 13:f67a6c6013ca | 2354 | } |
wolfSSL | 13:f67a6c6013ca | 2355 | /* add trailing NULL */ |
wolfSSL | 13:f67a6c6013ca | 2356 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 2357 | unicodePasswd[idx++] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 2358 | |
wolfSSL | 13:f67a6c6013ca | 2359 | ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 13:f67a6c6013ca | 2360 | iterations, derivedLen, typeH, 1); |
wolfSSL | 13:f67a6c6013ca | 2361 | if (decryptionType != RC4_TYPE) |
wolfSSL | 13:f67a6c6013ca | 2362 | ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, |
wolfSSL | 13:f67a6c6013ca | 2363 | iterations, 8, typeH, 2); |
wolfSSL | 13:f67a6c6013ca | 2364 | } |
wolfSSL | 13:f67a6c6013ca | 2365 | else { |
wolfSSL | 13:f67a6c6013ca | 2366 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2367 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2368 | #endif |
wolfSSL | 13:f67a6c6013ca | 2369 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2370 | } |
wolfSSL | 13:f67a6c6013ca | 2371 | |
wolfSSL | 13:f67a6c6013ca | 2372 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 2373 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2374 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2375 | #endif |
wolfSSL | 13:f67a6c6013ca | 2376 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2377 | } |
wolfSSL | 13:f67a6c6013ca | 2378 | |
wolfSSL | 13:f67a6c6013ca | 2379 | switch (decryptionType) { |
wolfSSL | 13:f67a6c6013ca | 2380 | #ifndef NO_DES3 |
wolfSSL | 13:f67a6c6013ca | 2381 | case DES_TYPE: |
wolfSSL | 13:f67a6c6013ca | 2382 | { |
wolfSSL | 13:f67a6c6013ca | 2383 | Des dec; |
wolfSSL | 13:f67a6c6013ca | 2384 | byte* desIv = key + 8; |
wolfSSL | 13:f67a6c6013ca | 2385 | |
wolfSSL | 13:f67a6c6013ca | 2386 | if (version == PKCS5v2 || version == PKCS12v1) |
wolfSSL | 13:f67a6c6013ca | 2387 | desIv = cbcIv; |
wolfSSL | 13:f67a6c6013ca | 2388 | |
wolfSSL | 13:f67a6c6013ca | 2389 | ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 13:f67a6c6013ca | 2390 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 2391 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2392 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2393 | #endif |
wolfSSL | 13:f67a6c6013ca | 2394 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2395 | } |
wolfSSL | 13:f67a6c6013ca | 2396 | |
wolfSSL | 13:f67a6c6013ca | 2397 | wc_Des_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 13:f67a6c6013ca | 2398 | break; |
wolfSSL | 13:f67a6c6013ca | 2399 | } |
wolfSSL | 13:f67a6c6013ca | 2400 | |
wolfSSL | 13:f67a6c6013ca | 2401 | case DES3_TYPE: |
wolfSSL | 13:f67a6c6013ca | 2402 | { |
wolfSSL | 13:f67a6c6013ca | 2403 | Des3 dec; |
wolfSSL | 13:f67a6c6013ca | 2404 | byte* desIv = key + 24; |
wolfSSL | 13:f67a6c6013ca | 2405 | |
wolfSSL | 13:f67a6c6013ca | 2406 | if (version == PKCS5v2 || version == PKCS12v1) |
wolfSSL | 13:f67a6c6013ca | 2407 | desIv = cbcIv; |
wolfSSL | 13:f67a6c6013ca | 2408 | ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION); |
wolfSSL | 13:f67a6c6013ca | 2409 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 2410 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2411 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2412 | #endif |
wolfSSL | 13:f67a6c6013ca | 2413 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2414 | } |
wolfSSL | 13:f67a6c6013ca | 2415 | ret = wc_Des3_CbcDecrypt(&dec, input, input, length); |
wolfSSL | 13:f67a6c6013ca | 2416 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 2417 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2418 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2419 | #endif |
wolfSSL | 13:f67a6c6013ca | 2420 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2421 | } |
wolfSSL | 13:f67a6c6013ca | 2422 | break; |
wolfSSL | 13:f67a6c6013ca | 2423 | } |
wolfSSL | 13:f67a6c6013ca | 2424 | #endif |
wolfSSL | 13:f67a6c6013ca | 2425 | #ifndef NO_RC4 |
wolfSSL | 13:f67a6c6013ca | 2426 | case RC4_TYPE: |
wolfSSL | 13:f67a6c6013ca | 2427 | { |
wolfSSL | 13:f67a6c6013ca | 2428 | Arc4 dec; |
wolfSSL | 13:f67a6c6013ca | 2429 | |
wolfSSL | 13:f67a6c6013ca | 2430 | wc_Arc4SetKey(&dec, key, derivedLen); |
wolfSSL | 13:f67a6c6013ca | 2431 | wc_Arc4Process(&dec, input, input, length); |
wolfSSL | 13:f67a6c6013ca | 2432 | break; |
wolfSSL | 13:f67a6c6013ca | 2433 | } |
wolfSSL | 13:f67a6c6013ca | 2434 | #endif |
wolfSSL | 13:f67a6c6013ca | 2435 | |
wolfSSL | 13:f67a6c6013ca | 2436 | default: |
wolfSSL | 13:f67a6c6013ca | 2437 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2438 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2439 | #endif |
wolfSSL | 13:f67a6c6013ca | 2440 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 2441 | } |
wolfSSL | 13:f67a6c6013ca | 2442 | |
wolfSSL | 13:f67a6c6013ca | 2443 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2444 | XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2445 | #endif |
wolfSSL | 13:f67a6c6013ca | 2446 | |
wolfSSL | 13:f67a6c6013ca | 2447 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2448 | } |
wolfSSL | 13:f67a6c6013ca | 2449 | |
wolfSSL | 13:f67a6c6013ca | 2450 | |
wolfSSL | 13:f67a6c6013ca | 2451 | int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, |
wolfSSL | 13:f67a6c6013ca | 2452 | int* algoID, void* heap) |
wolfSSL | 13:f67a6c6013ca | 2453 | { |
wolfSSL | 13:f67a6c6013ca | 2454 | word32 tmpIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2455 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 2456 | ecc_key ecc; |
wolfSSL | 13:f67a6c6013ca | 2457 | #endif |
wolfSSL | 13:f67a6c6013ca | 2458 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 2459 | RsaKey rsa; |
wolfSSL | 13:f67a6c6013ca | 2460 | #endif |
wolfSSL | 13:f67a6c6013ca | 2461 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 2462 | ed25519_key ed25519; |
wolfSSL | 13:f67a6c6013ca | 2463 | #endif |
wolfSSL | 13:f67a6c6013ca | 2464 | |
wolfSSL | 13:f67a6c6013ca | 2465 | if (algoID == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2466 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2467 | } |
wolfSSL | 13:f67a6c6013ca | 2468 | *algoID = 0; |
wolfSSL | 13:f67a6c6013ca | 2469 | |
wolfSSL | 13:f67a6c6013ca | 2470 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 2471 | if (wc_InitRsaKey(&rsa, heap) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2472 | if (wc_RsaPrivateKeyDecode(key, &tmpIdx, &rsa, keySz) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2473 | *algoID = RSAk; |
wolfSSL | 13:f67a6c6013ca | 2474 | } |
wolfSSL | 13:f67a6c6013ca | 2475 | else { |
wolfSSL | 13:f67a6c6013ca | 2476 | WOLFSSL_MSG("Not RSA DER key"); |
wolfSSL | 13:f67a6c6013ca | 2477 | } |
wolfSSL | 13:f67a6c6013ca | 2478 | wc_FreeRsaKey(&rsa); |
wolfSSL | 13:f67a6c6013ca | 2479 | } |
wolfSSL | 13:f67a6c6013ca | 2480 | else { |
wolfSSL | 13:f67a6c6013ca | 2481 | WOLFSSL_MSG("GetKeyOID wc_InitRsaKey failed"); |
wolfSSL | 13:f67a6c6013ca | 2482 | } |
wolfSSL | 13:f67a6c6013ca | 2483 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 2484 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 2485 | if (*algoID != RSAk) { |
wolfSSL | 13:f67a6c6013ca | 2486 | tmpIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 2487 | if (wc_ecc_init_ex(&ecc, heap, INVALID_DEVID) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2488 | if (wc_EccPrivateKeyDecode(key, &tmpIdx, &ecc, keySz) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2489 | *algoID = ECDSAk; |
wolfSSL | 13:f67a6c6013ca | 2490 | |
wolfSSL | 13:f67a6c6013ca | 2491 | /* sanity check on arguments */ |
wolfSSL | 13:f67a6c6013ca | 2492 | if (curveOID == NULL || oidSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2493 | WOLFSSL_MSG("Error getting ECC curve OID"); |
wolfSSL | 13:f67a6c6013ca | 2494 | wc_ecc_free(&ecc); |
wolfSSL | 13:f67a6c6013ca | 2495 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2496 | } |
wolfSSL | 13:f67a6c6013ca | 2497 | |
wolfSSL | 13:f67a6c6013ca | 2498 | /* now find oid */ |
wolfSSL | 13:f67a6c6013ca | 2499 | if (wc_ecc_get_oid(ecc.dp->oidSum, curveOID, oidSz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2500 | WOLFSSL_MSG("Error getting ECC curve OID"); |
wolfSSL | 13:f67a6c6013ca | 2501 | wc_ecc_free(&ecc); |
wolfSSL | 13:f67a6c6013ca | 2502 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2503 | } |
wolfSSL | 13:f67a6c6013ca | 2504 | } |
wolfSSL | 13:f67a6c6013ca | 2505 | else { |
wolfSSL | 13:f67a6c6013ca | 2506 | WOLFSSL_MSG("Not ECC DER key either"); |
wolfSSL | 13:f67a6c6013ca | 2507 | } |
wolfSSL | 13:f67a6c6013ca | 2508 | wc_ecc_free(&ecc); |
wolfSSL | 13:f67a6c6013ca | 2509 | } |
wolfSSL | 13:f67a6c6013ca | 2510 | else { |
wolfSSL | 13:f67a6c6013ca | 2511 | WOLFSSL_MSG("GetKeyOID wc_ecc_init_ex failed"); |
wolfSSL | 13:f67a6c6013ca | 2512 | } |
wolfSSL | 13:f67a6c6013ca | 2513 | } |
wolfSSL | 13:f67a6c6013ca | 2514 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 2515 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 2516 | if (*algoID != RSAk && *algoID != ECDSAk) { |
wolfSSL | 13:f67a6c6013ca | 2517 | if (wc_ed25519_init(&ed25519) == 0) { |
wolfSSL | 13:f67a6c6013ca | 2518 | if (wc_Ed25519PrivateKeyDecode(key, &tmpIdx, &ed25519, keySz) |
wolfSSL | 13:f67a6c6013ca | 2519 | == 0) { |
wolfSSL | 13:f67a6c6013ca | 2520 | *algoID = ED25519k; |
wolfSSL | 13:f67a6c6013ca | 2521 | } |
wolfSSL | 13:f67a6c6013ca | 2522 | else { |
wolfSSL | 13:f67a6c6013ca | 2523 | WOLFSSL_MSG("Not ED25519 DER key"); |
wolfSSL | 13:f67a6c6013ca | 2524 | } |
wolfSSL | 13:f67a6c6013ca | 2525 | wc_ed25519_free(&ed25519); |
wolfSSL | 13:f67a6c6013ca | 2526 | } |
wolfSSL | 13:f67a6c6013ca | 2527 | else { |
wolfSSL | 13:f67a6c6013ca | 2528 | WOLFSSL_MSG("GetKeyOID wc_ed25519_init failed"); |
wolfSSL | 13:f67a6c6013ca | 2529 | } |
wolfSSL | 13:f67a6c6013ca | 2530 | } |
wolfSSL | 13:f67a6c6013ca | 2531 | #endif |
wolfSSL | 13:f67a6c6013ca | 2532 | |
wolfSSL | 13:f67a6c6013ca | 2533 | /* if flag is not set then is neither RSA or ECC key that could be |
wolfSSL | 13:f67a6c6013ca | 2534 | * found */ |
wolfSSL | 13:f67a6c6013ca | 2535 | if (*algoID == 0) { |
wolfSSL | 13:f67a6c6013ca | 2536 | WOLFSSL_MSG("Bad key DER or compile options"); |
wolfSSL | 13:f67a6c6013ca | 2537 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2538 | } |
wolfSSL | 13:f67a6c6013ca | 2539 | |
wolfSSL | 13:f67a6c6013ca | 2540 | (void)curveOID; |
wolfSSL | 13:f67a6c6013ca | 2541 | (void)oidSz; |
wolfSSL | 13:f67a6c6013ca | 2542 | |
wolfSSL | 13:f67a6c6013ca | 2543 | return 1; |
wolfSSL | 13:f67a6c6013ca | 2544 | } |
wolfSSL | 13:f67a6c6013ca | 2545 | |
wolfSSL | 13:f67a6c6013ca | 2546 | |
wolfSSL | 13:f67a6c6013ca | 2547 | /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning |
wolfSSL | 13:f67a6c6013ca | 2548 | of input */ |
wolfSSL | 13:f67a6c6013ca | 2549 | int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) |
wolfSSL | 13:f67a6c6013ca | 2550 | { |
wolfSSL | 13:f67a6c6013ca | 2551 | word32 inOutIdx = 0, oid; |
wolfSSL | 13:f67a6c6013ca | 2552 | int ret = 0, first, second, length = 0, version, saltSz, id; |
wolfSSL | 13:f67a6c6013ca | 2553 | int iterations = 0; |
wolfSSL | 13:f67a6c6013ca | 2554 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2555 | byte* salt = NULL; |
wolfSSL | 13:f67a6c6013ca | 2556 | byte* cbcIv = NULL; |
wolfSSL | 13:f67a6c6013ca | 2557 | #else |
wolfSSL | 13:f67a6c6013ca | 2558 | byte salt[MAX_SALT_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 2559 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 2560 | #endif |
wolfSSL | 13:f67a6c6013ca | 2561 | |
wolfSSL | 13:f67a6c6013ca | 2562 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2563 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2564 | } |
wolfSSL | 13:f67a6c6013ca | 2565 | |
wolfSSL | 13:f67a6c6013ca | 2566 | if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2567 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2568 | } |
wolfSSL | 13:f67a6c6013ca | 2569 | |
wolfSSL | 13:f67a6c6013ca | 2570 | first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */ |
wolfSSL | 13:f67a6c6013ca | 2571 | second = input[inOutIdx - 1]; /* version.algo, algo id last byte */ |
wolfSSL | 13:f67a6c6013ca | 2572 | |
wolfSSL | 13:f67a6c6013ca | 2573 | if (CheckAlgo(first, second, &id, &version) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2574 | ERROR_OUT(ASN_INPUT_E, exit_tte); /* Algo ID error */ |
wolfSSL | 13:f67a6c6013ca | 2575 | } |
wolfSSL | 13:f67a6c6013ca | 2576 | |
wolfSSL | 13:f67a6c6013ca | 2577 | if (version == PKCS5v2) { |
wolfSSL | 13:f67a6c6013ca | 2578 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2579 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2580 | } |
wolfSSL | 13:f67a6c6013ca | 2581 | |
wolfSSL | 13:f67a6c6013ca | 2582 | if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2583 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2584 | } |
wolfSSL | 13:f67a6c6013ca | 2585 | |
wolfSSL | 13:f67a6c6013ca | 2586 | if (oid != PBKDF2_OID) { |
wolfSSL | 13:f67a6c6013ca | 2587 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2588 | } |
wolfSSL | 13:f67a6c6013ca | 2589 | } |
wolfSSL | 13:f67a6c6013ca | 2590 | |
wolfSSL | 13:f67a6c6013ca | 2591 | if (GetSequence(input, &inOutIdx, &length, sz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 2592 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2593 | } |
wolfSSL | 13:f67a6c6013ca | 2594 | |
wolfSSL | 13:f67a6c6013ca | 2595 | ret = GetOctetString(input, &inOutIdx, &saltSz, sz); |
wolfSSL | 13:f67a6c6013ca | 2596 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 2597 | goto exit_tte; |
wolfSSL | 13:f67a6c6013ca | 2598 | |
wolfSSL | 13:f67a6c6013ca | 2599 | if (saltSz > MAX_SALT_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 2600 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2601 | } |
wolfSSL | 13:f67a6c6013ca | 2602 | |
wolfSSL | 13:f67a6c6013ca | 2603 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2604 | salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2605 | if (salt == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2606 | ERROR_OUT(MEMORY_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2607 | } |
wolfSSL | 13:f67a6c6013ca | 2608 | #endif |
wolfSSL | 13:f67a6c6013ca | 2609 | |
wolfSSL | 13:f67a6c6013ca | 2610 | XMEMCPY(salt, &input[inOutIdx], saltSz); |
wolfSSL | 13:f67a6c6013ca | 2611 | inOutIdx += saltSz; |
wolfSSL | 13:f67a6c6013ca | 2612 | |
wolfSSL | 13:f67a6c6013ca | 2613 | if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2614 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2615 | } |
wolfSSL | 13:f67a6c6013ca | 2616 | |
wolfSSL | 13:f67a6c6013ca | 2617 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2618 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2619 | if (cbcIv == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2620 | ERROR_OUT(MEMORY_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2621 | } |
wolfSSL | 13:f67a6c6013ca | 2622 | #endif |
wolfSSL | 13:f67a6c6013ca | 2623 | |
wolfSSL | 13:f67a6c6013ca | 2624 | if (version == PKCS5v2) { |
wolfSSL | 13:f67a6c6013ca | 2625 | /* get encryption algo */ |
wolfSSL | 13:f67a6c6013ca | 2626 | /* JOHN: New type. Need a little more research. */ |
wolfSSL | 13:f67a6c6013ca | 2627 | if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2628 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2629 | } |
wolfSSL | 13:f67a6c6013ca | 2630 | |
wolfSSL | 13:f67a6c6013ca | 2631 | if (CheckAlgoV2(oid, &id) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2632 | ERROR_OUT(ASN_PARSE_E, exit_tte); /* PKCS v2 algo id error */ |
wolfSSL | 13:f67a6c6013ca | 2633 | } |
wolfSSL | 13:f67a6c6013ca | 2634 | |
wolfSSL | 13:f67a6c6013ca | 2635 | ret = GetOctetString(input, &inOutIdx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 2636 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 2637 | goto exit_tte; |
wolfSSL | 13:f67a6c6013ca | 2638 | |
wolfSSL | 13:f67a6c6013ca | 2639 | if (length > MAX_IV_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 2640 | ERROR_OUT(ASN_PARSE_E, exit_tte); |
wolfSSL | 13:f67a6c6013ca | 2641 | } |
wolfSSL | 13:f67a6c6013ca | 2642 | |
wolfSSL | 13:f67a6c6013ca | 2643 | XMEMCPY(cbcIv, &input[inOutIdx], length); |
wolfSSL | 13:f67a6c6013ca | 2644 | inOutIdx += length; |
wolfSSL | 13:f67a6c6013ca | 2645 | } |
wolfSSL | 13:f67a6c6013ca | 2646 | |
wolfSSL | 13:f67a6c6013ca | 2647 | ret = GetOctetString(input, &inOutIdx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 2648 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 2649 | goto exit_tte; |
wolfSSL | 13:f67a6c6013ca | 2650 | |
wolfSSL | 13:f67a6c6013ca | 2651 | ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id, |
wolfSSL | 13:f67a6c6013ca | 2652 | input + inOutIdx, length, version, cbcIv); |
wolfSSL | 13:f67a6c6013ca | 2653 | |
wolfSSL | 13:f67a6c6013ca | 2654 | exit_tte: |
wolfSSL | 13:f67a6c6013ca | 2655 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2656 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2657 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2658 | #endif |
wolfSSL | 13:f67a6c6013ca | 2659 | |
wolfSSL | 13:f67a6c6013ca | 2660 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 2661 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 13:f67a6c6013ca | 2662 | ret = ToTraditional(input, length); |
wolfSSL | 13:f67a6c6013ca | 2663 | } |
wolfSSL | 13:f67a6c6013ca | 2664 | |
wolfSSL | 13:f67a6c6013ca | 2665 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2666 | } |
wolfSSL | 13:f67a6c6013ca | 2667 | |
wolfSSL | 13:f67a6c6013ca | 2668 | /* decrypt PKCS */ |
wolfSSL | 13:f67a6c6013ca | 2669 | int DecryptContent(byte* input, word32 sz,const char* password,int passwordSz) |
wolfSSL | 13:f67a6c6013ca | 2670 | { |
wolfSSL | 13:f67a6c6013ca | 2671 | word32 inOutIdx = 0, oid; |
wolfSSL | 13:f67a6c6013ca | 2672 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 2673 | int first, second, length = 0, version, saltSz, id; |
wolfSSL | 13:f67a6c6013ca | 2674 | int iterations = 0; |
wolfSSL | 13:f67a6c6013ca | 2675 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2676 | byte* salt = NULL; |
wolfSSL | 13:f67a6c6013ca | 2677 | byte* cbcIv = NULL; |
wolfSSL | 13:f67a6c6013ca | 2678 | #else |
wolfSSL | 13:f67a6c6013ca | 2679 | byte salt[MAX_SALT_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 2680 | byte cbcIv[MAX_IV_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 2681 | #endif |
wolfSSL | 13:f67a6c6013ca | 2682 | |
wolfSSL | 13:f67a6c6013ca | 2683 | if (GetAlgoId(input, &inOutIdx, &oid, oidSigType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2684 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2685 | } |
wolfSSL | 13:f67a6c6013ca | 2686 | |
wolfSSL | 13:f67a6c6013ca | 2687 | first = input[inOutIdx - 2]; /* PKCS version always 2nd to last byte */ |
wolfSSL | 13:f67a6c6013ca | 2688 | second = input[inOutIdx - 1]; /* version.algo, algo id last byte */ |
wolfSSL | 13:f67a6c6013ca | 2689 | |
wolfSSL | 13:f67a6c6013ca | 2690 | if (CheckAlgo(first, second, &id, &version) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2691 | ERROR_OUT(ASN_INPUT_E, exit_dc); /* Algo ID error */ |
wolfSSL | 13:f67a6c6013ca | 2692 | } |
wolfSSL | 13:f67a6c6013ca | 2693 | |
wolfSSL | 13:f67a6c6013ca | 2694 | if (version == PKCS5v2) { |
wolfSSL | 13:f67a6c6013ca | 2695 | if (GetSequence(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2696 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2697 | } |
wolfSSL | 13:f67a6c6013ca | 2698 | |
wolfSSL | 13:f67a6c6013ca | 2699 | if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2700 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2701 | } |
wolfSSL | 13:f67a6c6013ca | 2702 | |
wolfSSL | 13:f67a6c6013ca | 2703 | if (oid != PBKDF2_OID) { |
wolfSSL | 13:f67a6c6013ca | 2704 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2705 | } |
wolfSSL | 13:f67a6c6013ca | 2706 | } |
wolfSSL | 13:f67a6c6013ca | 2707 | |
wolfSSL | 13:f67a6c6013ca | 2708 | if (GetSequence(input, &inOutIdx, &length, sz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 2709 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2710 | } |
wolfSSL | 13:f67a6c6013ca | 2711 | |
wolfSSL | 13:f67a6c6013ca | 2712 | ret = GetOctetString(input, &inOutIdx, &saltSz, sz); |
wolfSSL | 13:f67a6c6013ca | 2713 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 2714 | goto exit_dc; |
wolfSSL | 13:f67a6c6013ca | 2715 | |
wolfSSL | 13:f67a6c6013ca | 2716 | if (saltSz > MAX_SALT_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 2717 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2718 | } |
wolfSSL | 13:f67a6c6013ca | 2719 | |
wolfSSL | 13:f67a6c6013ca | 2720 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2721 | salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2722 | if (salt == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2723 | ERROR_OUT(MEMORY_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2724 | } |
wolfSSL | 13:f67a6c6013ca | 2725 | #endif |
wolfSSL | 13:f67a6c6013ca | 2726 | |
wolfSSL | 13:f67a6c6013ca | 2727 | XMEMCPY(salt, &input[inOutIdx], saltSz); |
wolfSSL | 13:f67a6c6013ca | 2728 | inOutIdx += saltSz; |
wolfSSL | 13:f67a6c6013ca | 2729 | |
wolfSSL | 13:f67a6c6013ca | 2730 | if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2731 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2732 | } |
wolfSSL | 13:f67a6c6013ca | 2733 | |
wolfSSL | 13:f67a6c6013ca | 2734 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2735 | cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2736 | if (cbcIv == NULL) { |
wolfSSL | 13:f67a6c6013ca | 2737 | ERROR_OUT(MEMORY_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2738 | } |
wolfSSL | 13:f67a6c6013ca | 2739 | #endif |
wolfSSL | 13:f67a6c6013ca | 2740 | |
wolfSSL | 13:f67a6c6013ca | 2741 | if (version == PKCS5v2) { |
wolfSSL | 13:f67a6c6013ca | 2742 | /* get encryption algo */ |
wolfSSL | 13:f67a6c6013ca | 2743 | /* JOHN: New type. Need a little more research. */ |
wolfSSL | 13:f67a6c6013ca | 2744 | if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2745 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2746 | } |
wolfSSL | 13:f67a6c6013ca | 2747 | |
wolfSSL | 13:f67a6c6013ca | 2748 | if (CheckAlgoV2(oid, &id) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2749 | ERROR_OUT(ASN_PARSE_E, exit_dc); /* PKCS v2 algo id error */ |
wolfSSL | 13:f67a6c6013ca | 2750 | } |
wolfSSL | 13:f67a6c6013ca | 2751 | |
wolfSSL | 13:f67a6c6013ca | 2752 | ret = GetOctetString(input, &inOutIdx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 2753 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 2754 | goto exit_dc; |
wolfSSL | 13:f67a6c6013ca | 2755 | |
wolfSSL | 13:f67a6c6013ca | 2756 | XMEMCPY(cbcIv, &input[inOutIdx], length); |
wolfSSL | 13:f67a6c6013ca | 2757 | inOutIdx += length; |
wolfSSL | 13:f67a6c6013ca | 2758 | } |
wolfSSL | 13:f67a6c6013ca | 2759 | |
wolfSSL | 13:f67a6c6013ca | 2760 | if (input[inOutIdx++] != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 13:f67a6c6013ca | 2761 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2762 | } |
wolfSSL | 13:f67a6c6013ca | 2763 | |
wolfSSL | 13:f67a6c6013ca | 2764 | if (GetLength(input, &inOutIdx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2765 | ERROR_OUT(ASN_PARSE_E, exit_dc); |
wolfSSL | 13:f67a6c6013ca | 2766 | } |
wolfSSL | 13:f67a6c6013ca | 2767 | |
wolfSSL | 13:f67a6c6013ca | 2768 | ret = DecryptKey(password, passwordSz, salt, saltSz, iterations, id, |
wolfSSL | 13:f67a6c6013ca | 2769 | input + inOutIdx, length, version, cbcIv); |
wolfSSL | 13:f67a6c6013ca | 2770 | |
wolfSSL | 13:f67a6c6013ca | 2771 | exit_dc: |
wolfSSL | 13:f67a6c6013ca | 2772 | |
wolfSSL | 13:f67a6c6013ca | 2773 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 2774 | XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2775 | XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 2776 | #endif |
wolfSSL | 13:f67a6c6013ca | 2777 | |
wolfSSL | 13:f67a6c6013ca | 2778 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 2779 | XMEMMOVE(input, input + inOutIdx, length); |
wolfSSL | 13:f67a6c6013ca | 2780 | ret = length; |
wolfSSL | 13:f67a6c6013ca | 2781 | } |
wolfSSL | 13:f67a6c6013ca | 2782 | |
wolfSSL | 13:f67a6c6013ca | 2783 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2784 | } |
wolfSSL | 13:f67a6c6013ca | 2785 | #endif /* NO_PWDBASED */ |
wolfSSL | 13:f67a6c6013ca | 2786 | |
wolfSSL | 13:f67a6c6013ca | 2787 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 2788 | |
wolfSSL | 13:f67a6c6013ca | 2789 | #ifndef HAVE_USER_RSA |
wolfSSL | 13:f67a6c6013ca | 2790 | int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 2791 | word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 2792 | { |
wolfSSL | 13:f67a6c6013ca | 2793 | int length; |
wolfSSL | 13:f67a6c6013ca | 2794 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 13:f67a6c6013ca | 2795 | byte b; |
wolfSSL | 13:f67a6c6013ca | 2796 | #endif |
wolfSSL | 13:f67a6c6013ca | 2797 | int ret; |
wolfSSL | 13:f67a6c6013ca | 2798 | |
wolfSSL | 13:f67a6c6013ca | 2799 | if (input == NULL || inOutIdx == NULL || key == NULL) |
wolfSSL | 13:f67a6c6013ca | 2800 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2801 | |
wolfSSL | 13:f67a6c6013ca | 2802 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2803 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2804 | |
wolfSSL | 13:f67a6c6013ca | 2805 | key->type = RSA_PUBLIC; |
wolfSSL | 13:f67a6c6013ca | 2806 | |
wolfSSL | 13:f67a6c6013ca | 2807 | #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) |
wolfSSL | 13:f67a6c6013ca | 2808 | if ((*inOutIdx + 1) > inSz) |
wolfSSL | 13:f67a6c6013ca | 2809 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 2810 | |
wolfSSL | 13:f67a6c6013ca | 2811 | b = input[*inOutIdx]; |
wolfSSL | 13:f67a6c6013ca | 2812 | if (b != ASN_INTEGER) { |
wolfSSL | 13:f67a6c6013ca | 2813 | /* not from decoded cert, will have algo id, skip past */ |
wolfSSL | 13:f67a6c6013ca | 2814 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2815 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2816 | |
wolfSSL | 13:f67a6c6013ca | 2817 | if (SkipObjectId(input, inOutIdx, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2818 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2819 | |
wolfSSL | 13:f67a6c6013ca | 2820 | /* Option NULL ASN.1 tag */ |
wolfSSL | 13:f67a6c6013ca | 2821 | if (input[*inOutIdx] == ASN_TAG_NULL) { |
wolfSSL | 13:f67a6c6013ca | 2822 | ret = GetASNNull(input, inOutIdx, inSz); |
wolfSSL | 13:f67a6c6013ca | 2823 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 2824 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2825 | } |
wolfSSL | 13:f67a6c6013ca | 2826 | |
wolfSSL | 13:f67a6c6013ca | 2827 | /* should have bit tag length and seq next */ |
wolfSSL | 13:f67a6c6013ca | 2828 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 2829 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 2830 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2831 | |
wolfSSL | 13:f67a6c6013ca | 2832 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2833 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2834 | } |
wolfSSL | 13:f67a6c6013ca | 2835 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 2836 | |
wolfSSL | 13:f67a6c6013ca | 2837 | if (GetInt(&key->n, input, inOutIdx, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2838 | return ASN_RSA_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 2839 | if (GetInt(&key->e, input, inOutIdx, inSz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2840 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 2841 | return ASN_RSA_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 2842 | } |
wolfSSL | 13:f67a6c6013ca | 2843 | |
wolfSSL | 13:f67a6c6013ca | 2844 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2845 | } |
wolfSSL | 13:f67a6c6013ca | 2846 | |
wolfSSL | 13:f67a6c6013ca | 2847 | /* import RSA public key elements (n, e) into RsaKey structure (key) */ |
wolfSSL | 13:f67a6c6013ca | 2848 | int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, |
wolfSSL | 13:f67a6c6013ca | 2849 | word32 eSz, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 2850 | { |
wolfSSL | 13:f67a6c6013ca | 2851 | if (n == NULL || e == NULL || key == NULL) |
wolfSSL | 13:f67a6c6013ca | 2852 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 2853 | |
wolfSSL | 13:f67a6c6013ca | 2854 | key->type = RSA_PUBLIC; |
wolfSSL | 13:f67a6c6013ca | 2855 | |
wolfSSL | 13:f67a6c6013ca | 2856 | if (mp_init(&key->n) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 2857 | return MP_INIT_E; |
wolfSSL | 13:f67a6c6013ca | 2858 | |
wolfSSL | 13:f67a6c6013ca | 2859 | if (mp_read_unsigned_bin(&key->n, n, nSz) != 0) { |
wolfSSL | 13:f67a6c6013ca | 2860 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 2861 | return ASN_GETINT_E; |
wolfSSL | 13:f67a6c6013ca | 2862 | } |
wolfSSL | 13:f67a6c6013ca | 2863 | |
wolfSSL | 13:f67a6c6013ca | 2864 | if (mp_init(&key->e) != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 2865 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 2866 | return MP_INIT_E; |
wolfSSL | 13:f67a6c6013ca | 2867 | } |
wolfSSL | 13:f67a6c6013ca | 2868 | |
wolfSSL | 13:f67a6c6013ca | 2869 | if (mp_read_unsigned_bin(&key->e, e, eSz) != 0) { |
wolfSSL | 13:f67a6c6013ca | 2870 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 2871 | mp_clear(&key->e); |
wolfSSL | 13:f67a6c6013ca | 2872 | return ASN_GETINT_E; |
wolfSSL | 13:f67a6c6013ca | 2873 | } |
wolfSSL | 13:f67a6c6013ca | 2874 | |
wolfSSL | 13:f67a6c6013ca | 2875 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2876 | } |
wolfSSL | 13:f67a6c6013ca | 2877 | #endif /* HAVE_USER_RSA */ |
wolfSSL | 13:f67a6c6013ca | 2878 | #endif |
wolfSSL | 13:f67a6c6013ca | 2879 | |
wolfSSL | 13:f67a6c6013ca | 2880 | #ifndef NO_DH |
wolfSSL | 13:f67a6c6013ca | 2881 | |
wolfSSL | 13:f67a6c6013ca | 2882 | int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 2883 | { |
wolfSSL | 13:f67a6c6013ca | 2884 | int length; |
wolfSSL | 13:f67a6c6013ca | 2885 | |
wolfSSL | 13:f67a6c6013ca | 2886 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2887 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2888 | |
wolfSSL | 13:f67a6c6013ca | 2889 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2890 | GetInt(&key->g, input, inOutIdx, inSz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 2891 | return ASN_DH_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 2892 | } |
wolfSSL | 13:f67a6c6013ca | 2893 | |
wolfSSL | 13:f67a6c6013ca | 2894 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2895 | } |
wolfSSL | 13:f67a6c6013ca | 2896 | |
wolfSSL | 13:f67a6c6013ca | 2897 | |
wolfSSL | 13:f67a6c6013ca | 2898 | int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, |
wolfSSL | 13:f67a6c6013ca | 2899 | byte* g, word32* gInOutSz) |
wolfSSL | 13:f67a6c6013ca | 2900 | { |
wolfSSL | 13:f67a6c6013ca | 2901 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 2902 | int ret; |
wolfSSL | 13:f67a6c6013ca | 2903 | int length; |
wolfSSL | 13:f67a6c6013ca | 2904 | |
wolfSSL | 13:f67a6c6013ca | 2905 | if (GetSequence(input, &idx, &length, inSz) <= 0) |
wolfSSL | 13:f67a6c6013ca | 2906 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2907 | |
wolfSSL | 13:f67a6c6013ca | 2908 | ret = GetASNInt(input, &idx, &length, inSz); |
wolfSSL | 13:f67a6c6013ca | 2909 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 2910 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2911 | |
wolfSSL | 13:f67a6c6013ca | 2912 | if (length <= (int)*pInOutSz) { |
wolfSSL | 13:f67a6c6013ca | 2913 | XMEMCPY(p, &input[idx], length); |
wolfSSL | 13:f67a6c6013ca | 2914 | *pInOutSz = length; |
wolfSSL | 13:f67a6c6013ca | 2915 | } |
wolfSSL | 13:f67a6c6013ca | 2916 | else { |
wolfSSL | 13:f67a6c6013ca | 2917 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 2918 | } |
wolfSSL | 13:f67a6c6013ca | 2919 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 2920 | |
wolfSSL | 13:f67a6c6013ca | 2921 | ret = GetASNInt(input, &idx, &length, inSz); |
wolfSSL | 13:f67a6c6013ca | 2922 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 2923 | return ret; |
wolfSSL | 13:f67a6c6013ca | 2924 | |
wolfSSL | 13:f67a6c6013ca | 2925 | if (length <= (int)*gInOutSz) { |
wolfSSL | 13:f67a6c6013ca | 2926 | XMEMCPY(g, &input[idx], length); |
wolfSSL | 13:f67a6c6013ca | 2927 | *gInOutSz = length; |
wolfSSL | 13:f67a6c6013ca | 2928 | } |
wolfSSL | 13:f67a6c6013ca | 2929 | else { |
wolfSSL | 13:f67a6c6013ca | 2930 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 2931 | } |
wolfSSL | 13:f67a6c6013ca | 2932 | |
wolfSSL | 13:f67a6c6013ca | 2933 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2934 | } |
wolfSSL | 13:f67a6c6013ca | 2935 | |
wolfSSL | 13:f67a6c6013ca | 2936 | #endif /* NO_DH */ |
wolfSSL | 13:f67a6c6013ca | 2937 | |
wolfSSL | 13:f67a6c6013ca | 2938 | |
wolfSSL | 13:f67a6c6013ca | 2939 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 2940 | |
wolfSSL | 13:f67a6c6013ca | 2941 | int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 2942 | word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 2943 | { |
wolfSSL | 13:f67a6c6013ca | 2944 | int length; |
wolfSSL | 13:f67a6c6013ca | 2945 | |
wolfSSL | 13:f67a6c6013ca | 2946 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2947 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2948 | |
wolfSSL | 13:f67a6c6013ca | 2949 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2950 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2951 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2952 | GetInt(&key->y, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 13:f67a6c6013ca | 2953 | return ASN_DH_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 2954 | |
wolfSSL | 13:f67a6c6013ca | 2955 | key->type = DSA_PUBLIC; |
wolfSSL | 13:f67a6c6013ca | 2956 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2957 | } |
wolfSSL | 13:f67a6c6013ca | 2958 | |
wolfSSL | 13:f67a6c6013ca | 2959 | |
wolfSSL | 13:f67a6c6013ca | 2960 | int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 2961 | word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 2962 | { |
wolfSSL | 13:f67a6c6013ca | 2963 | int length, version; |
wolfSSL | 13:f67a6c6013ca | 2964 | |
wolfSSL | 13:f67a6c6013ca | 2965 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2966 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2967 | |
wolfSSL | 13:f67a6c6013ca | 2968 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 2969 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 2970 | |
wolfSSL | 13:f67a6c6013ca | 2971 | if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2972 | GetInt(&key->q, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2973 | GetInt(&key->g, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2974 | GetInt(&key->y, input, inOutIdx, inSz) < 0 || |
wolfSSL | 13:f67a6c6013ca | 2975 | GetInt(&key->x, input, inOutIdx, inSz) < 0 ) |
wolfSSL | 13:f67a6c6013ca | 2976 | return ASN_DH_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 2977 | |
wolfSSL | 13:f67a6c6013ca | 2978 | key->type = DSA_PRIVATE; |
wolfSSL | 13:f67a6c6013ca | 2979 | return 0; |
wolfSSL | 13:f67a6c6013ca | 2980 | } |
wolfSSL | 13:f67a6c6013ca | 2981 | |
wolfSSL | 13:f67a6c6013ca | 2982 | static mp_int* GetDsaInt(DsaKey* key, int idx) |
wolfSSL | 13:f67a6c6013ca | 2983 | { |
wolfSSL | 13:f67a6c6013ca | 2984 | if (idx == 0) |
wolfSSL | 13:f67a6c6013ca | 2985 | return &key->p; |
wolfSSL | 13:f67a6c6013ca | 2986 | if (idx == 1) |
wolfSSL | 13:f67a6c6013ca | 2987 | return &key->q; |
wolfSSL | 13:f67a6c6013ca | 2988 | if (idx == 2) |
wolfSSL | 13:f67a6c6013ca | 2989 | return &key->g; |
wolfSSL | 13:f67a6c6013ca | 2990 | if (idx == 3) |
wolfSSL | 13:f67a6c6013ca | 2991 | return &key->y; |
wolfSSL | 13:f67a6c6013ca | 2992 | if (idx == 4) |
wolfSSL | 13:f67a6c6013ca | 2993 | return &key->x; |
wolfSSL | 13:f67a6c6013ca | 2994 | |
wolfSSL | 13:f67a6c6013ca | 2995 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 2996 | } |
wolfSSL | 13:f67a6c6013ca | 2997 | |
wolfSSL | 13:f67a6c6013ca | 2998 | /* Release Tmp DSA resources */ |
wolfSSL | 13:f67a6c6013ca | 2999 | static INLINE void FreeTmpDsas(byte** tmps, void* heap) |
wolfSSL | 13:f67a6c6013ca | 3000 | { |
wolfSSL | 13:f67a6c6013ca | 3001 | int i; |
wolfSSL | 13:f67a6c6013ca | 3002 | |
wolfSSL | 13:f67a6c6013ca | 3003 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 13:f67a6c6013ca | 3004 | XFREE(tmps[i], heap, DYNAMIC_TYPE_DSA); |
wolfSSL | 13:f67a6c6013ca | 3005 | |
wolfSSL | 13:f67a6c6013ca | 3006 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 3007 | } |
wolfSSL | 13:f67a6c6013ca | 3008 | |
wolfSSL | 13:f67a6c6013ca | 3009 | /* Convert DsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 13:f67a6c6013ca | 3010 | written */ |
wolfSSL | 13:f67a6c6013ca | 3011 | int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 3012 | { |
wolfSSL | 13:f67a6c6013ca | 3013 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 13:f67a6c6013ca | 3014 | word32 sizes[DSA_INTS]; |
wolfSSL | 13:f67a6c6013ca | 3015 | int i, j, outLen, ret = 0, mpSz; |
wolfSSL | 13:f67a6c6013ca | 3016 | |
wolfSSL | 13:f67a6c6013ca | 3017 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 3018 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 13:f67a6c6013ca | 3019 | byte* tmps[DSA_INTS]; |
wolfSSL | 13:f67a6c6013ca | 3020 | |
wolfSSL | 13:f67a6c6013ca | 3021 | if (!key || !output) |
wolfSSL | 13:f67a6c6013ca | 3022 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 3023 | |
wolfSSL | 13:f67a6c6013ca | 3024 | if (key->type != DSA_PRIVATE) |
wolfSSL | 13:f67a6c6013ca | 3025 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 3026 | |
wolfSSL | 13:f67a6c6013ca | 3027 | for (i = 0; i < DSA_INTS; i++) |
wolfSSL | 13:f67a6c6013ca | 3028 | tmps[i] = NULL; |
wolfSSL | 13:f67a6c6013ca | 3029 | |
wolfSSL | 13:f67a6c6013ca | 3030 | /* write all big ints from key to DER tmps */ |
wolfSSL | 13:f67a6c6013ca | 3031 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 13:f67a6c6013ca | 3032 | mp_int* keyInt = GetDsaInt(key, i); |
wolfSSL | 13:f67a6c6013ca | 3033 | |
wolfSSL | 13:f67a6c6013ca | 3034 | rawLen = mp_unsigned_bin_size(keyInt) + 1; |
wolfSSL | 13:f67a6c6013ca | 3035 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 13:f67a6c6013ca | 3036 | DYNAMIC_TYPE_DSA); |
wolfSSL | 13:f67a6c6013ca | 3037 | if (tmps[i] == NULL) { |
wolfSSL | 13:f67a6c6013ca | 3038 | ret = MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3039 | break; |
wolfSSL | 13:f67a6c6013ca | 3040 | } |
wolfSSL | 13:f67a6c6013ca | 3041 | |
wolfSSL | 13:f67a6c6013ca | 3042 | mpSz = SetASNIntMP(keyInt, -1, tmps[i]); |
wolfSSL | 13:f67a6c6013ca | 3043 | if (mpSz < 0) { |
wolfSSL | 13:f67a6c6013ca | 3044 | ret = mpSz; |
wolfSSL | 13:f67a6c6013ca | 3045 | break; |
wolfSSL | 13:f67a6c6013ca | 3046 | } |
wolfSSL | 13:f67a6c6013ca | 3047 | intTotalLen += (sizes[i] = mpSz); |
wolfSSL | 13:f67a6c6013ca | 3048 | } |
wolfSSL | 13:f67a6c6013ca | 3049 | |
wolfSSL | 13:f67a6c6013ca | 3050 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 3051 | FreeTmpDsas(tmps, key->heap); |
wolfSSL | 13:f67a6c6013ca | 3052 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3053 | } |
wolfSSL | 13:f67a6c6013ca | 3054 | |
wolfSSL | 13:f67a6c6013ca | 3055 | /* make headers */ |
wolfSSL | 13:f67a6c6013ca | 3056 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 13:f67a6c6013ca | 3057 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 13:f67a6c6013ca | 3058 | |
wolfSSL | 13:f67a6c6013ca | 3059 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 13:f67a6c6013ca | 3060 | if (outLen > (int)inLen) |
wolfSSL | 13:f67a6c6013ca | 3061 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 3062 | |
wolfSSL | 13:f67a6c6013ca | 3063 | /* write to output */ |
wolfSSL | 13:f67a6c6013ca | 3064 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 3065 | j = seqSz; |
wolfSSL | 13:f67a6c6013ca | 3066 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 13:f67a6c6013ca | 3067 | j += verSz; |
wolfSSL | 13:f67a6c6013ca | 3068 | |
wolfSSL | 13:f67a6c6013ca | 3069 | for (i = 0; i < DSA_INTS; i++) { |
wolfSSL | 13:f67a6c6013ca | 3070 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 13:f67a6c6013ca | 3071 | j += sizes[i]; |
wolfSSL | 13:f67a6c6013ca | 3072 | } |
wolfSSL | 13:f67a6c6013ca | 3073 | FreeTmpDsas(tmps, key->heap); |
wolfSSL | 13:f67a6c6013ca | 3074 | |
wolfSSL | 13:f67a6c6013ca | 3075 | return outLen; |
wolfSSL | 13:f67a6c6013ca | 3076 | } |
wolfSSL | 13:f67a6c6013ca | 3077 | |
wolfSSL | 13:f67a6c6013ca | 3078 | #endif /* NO_DSA */ |
wolfSSL | 13:f67a6c6013ca | 3079 | |
wolfSSL | 13:f67a6c6013ca | 3080 | |
wolfSSL | 13:f67a6c6013ca | 3081 | void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) |
wolfSSL | 13:f67a6c6013ca | 3082 | { |
wolfSSL | 13:f67a6c6013ca | 3083 | if (cert != NULL) { |
wolfSSL | 13:f67a6c6013ca | 3084 | XMEMSET(cert, 0, sizeof(DecodedCert)); |
wolfSSL | 13:f67a6c6013ca | 3085 | |
wolfSSL | 13:f67a6c6013ca | 3086 | cert->subjectCNEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3087 | cert->issuer[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 3088 | cert->subject[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 3089 | cert->source = source; /* don't own */ |
wolfSSL | 13:f67a6c6013ca | 3090 | cert->maxIdx = inSz; /* can't go over this index */ |
wolfSSL | 13:f67a6c6013ca | 3091 | cert->heap = heap; |
wolfSSL | 13:f67a6c6013ca | 3092 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3093 | cert->subjectSNEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3094 | cert->subjectCEnc = CTC_PRINTABLE; |
wolfSSL | 13:f67a6c6013ca | 3095 | cert->subjectLEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3096 | cert->subjectSTEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3097 | cert->subjectOEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3098 | cert->subjectOUEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 3099 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3100 | |
wolfSSL | 13:f67a6c6013ca | 3101 | InitSignatureCtx(&cert->sigCtx, heap, INVALID_DEVID); |
wolfSSL | 13:f67a6c6013ca | 3102 | } |
wolfSSL | 13:f67a6c6013ca | 3103 | } |
wolfSSL | 13:f67a6c6013ca | 3104 | |
wolfSSL | 13:f67a6c6013ca | 3105 | |
wolfSSL | 13:f67a6c6013ca | 3106 | void FreeAltNames(DNS_entry* altNames, void* heap) |
wolfSSL | 13:f67a6c6013ca | 3107 | { |
wolfSSL | 13:f67a6c6013ca | 3108 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 3109 | |
wolfSSL | 13:f67a6c6013ca | 3110 | while (altNames) { |
wolfSSL | 13:f67a6c6013ca | 3111 | DNS_entry* tmp = altNames->next; |
wolfSSL | 13:f67a6c6013ca | 3112 | |
wolfSSL | 13:f67a6c6013ca | 3113 | XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3114 | XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3115 | altNames = tmp; |
wolfSSL | 13:f67a6c6013ca | 3116 | } |
wolfSSL | 13:f67a6c6013ca | 3117 | } |
wolfSSL | 13:f67a6c6013ca | 3118 | |
wolfSSL | 13:f67a6c6013ca | 3119 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 3120 | |
wolfSSL | 13:f67a6c6013ca | 3121 | void FreeNameSubtrees(Base_entry* names, void* heap) |
wolfSSL | 13:f67a6c6013ca | 3122 | { |
wolfSSL | 13:f67a6c6013ca | 3123 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 3124 | |
wolfSSL | 13:f67a6c6013ca | 3125 | while (names) { |
wolfSSL | 13:f67a6c6013ca | 3126 | Base_entry* tmp = names->next; |
wolfSSL | 13:f67a6c6013ca | 3127 | |
wolfSSL | 13:f67a6c6013ca | 3128 | XFREE(names->name, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3129 | XFREE(names, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3130 | names = tmp; |
wolfSSL | 13:f67a6c6013ca | 3131 | } |
wolfSSL | 13:f67a6c6013ca | 3132 | } |
wolfSSL | 13:f67a6c6013ca | 3133 | |
wolfSSL | 13:f67a6c6013ca | 3134 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 3135 | |
wolfSSL | 13:f67a6c6013ca | 3136 | void FreeDecodedCert(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 3137 | { |
wolfSSL | 13:f67a6c6013ca | 3138 | if (cert->subjectCNStored == 1) |
wolfSSL | 13:f67a6c6013ca | 3139 | XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 13:f67a6c6013ca | 3140 | if (cert->pubKeyStored == 1) |
wolfSSL | 13:f67a6c6013ca | 3141 | XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 3142 | if (cert->weOwnAltNames && cert->altNames) |
wolfSSL | 13:f67a6c6013ca | 3143 | FreeAltNames(cert->altNames, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 3144 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 3145 | if (cert->altEmailNames) |
wolfSSL | 13:f67a6c6013ca | 3146 | FreeAltNames(cert->altEmailNames, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 3147 | if (cert->permittedNames) |
wolfSSL | 13:f67a6c6013ca | 3148 | FreeNameSubtrees(cert->permittedNames, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 3149 | if (cert->excludedNames) |
wolfSSL | 13:f67a6c6013ca | 3150 | FreeNameSubtrees(cert->excludedNames, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 3151 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 3152 | #ifdef WOLFSSL_SEP |
wolfSSL | 13:f67a6c6013ca | 3153 | XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 3154 | XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 3155 | XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 3156 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 13:f67a6c6013ca | 3157 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3158 | if (cert->issuerName.fullName != NULL) |
wolfSSL | 13:f67a6c6013ca | 3159 | XFREE(cert->issuerName.fullName, cert->heap, DYNAMIC_TYPE_X509); |
wolfSSL | 13:f67a6c6013ca | 3160 | if (cert->subjectName.fullName != NULL) |
wolfSSL | 13:f67a6c6013ca | 3161 | XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509); |
wolfSSL | 13:f67a6c6013ca | 3162 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3163 | FreeSignatureCtx(&cert->sigCtx); |
wolfSSL | 13:f67a6c6013ca | 3164 | } |
wolfSSL | 13:f67a6c6013ca | 3165 | |
wolfSSL | 13:f67a6c6013ca | 3166 | static int GetCertHeader(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 3167 | { |
wolfSSL | 13:f67a6c6013ca | 3168 | int ret = 0, len; |
wolfSSL | 13:f67a6c6013ca | 3169 | |
wolfSSL | 13:f67a6c6013ca | 3170 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3171 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3172 | |
wolfSSL | 13:f67a6c6013ca | 3173 | cert->certBegin = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3174 | |
wolfSSL | 13:f67a6c6013ca | 3175 | if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3176 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3177 | cert->sigIndex = len + cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3178 | |
wolfSSL | 13:f67a6c6013ca | 3179 | if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version, |
wolfSSL | 13:f67a6c6013ca | 3180 | cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3181 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3182 | |
wolfSSL | 13:f67a6c6013ca | 3183 | if (GetSerialNumber(cert->source, &cert->srcIdx, cert->serial, |
wolfSSL | 13:f67a6c6013ca | 3184 | &cert->serialSz, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3185 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3186 | |
wolfSSL | 13:f67a6c6013ca | 3187 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3188 | } |
wolfSSL | 13:f67a6c6013ca | 3189 | |
wolfSSL | 13:f67a6c6013ca | 3190 | #if !defined(NO_RSA) |
wolfSSL | 13:f67a6c6013ca | 3191 | /* Store Rsa Key, may save later, Dsa could use in future */ |
wolfSSL | 13:f67a6c6013ca | 3192 | static int StoreRsaKey(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 3193 | { |
wolfSSL | 13:f67a6c6013ca | 3194 | int length; |
wolfSSL | 13:f67a6c6013ca | 3195 | word32 recvd = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3196 | |
wolfSSL | 13:f67a6c6013ca | 3197 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3198 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3199 | |
wolfSSL | 13:f67a6c6013ca | 3200 | recvd = cert->srcIdx - recvd; |
wolfSSL | 13:f67a6c6013ca | 3201 | length += recvd; |
wolfSSL | 13:f67a6c6013ca | 3202 | |
wolfSSL | 13:f67a6c6013ca | 3203 | while (recvd--) |
wolfSSL | 13:f67a6c6013ca | 3204 | cert->srcIdx--; |
wolfSSL | 13:f67a6c6013ca | 3205 | |
wolfSSL | 13:f67a6c6013ca | 3206 | cert->pubKeySize = length; |
wolfSSL | 13:f67a6c6013ca | 3207 | cert->publicKey = cert->source + cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3208 | cert->srcIdx += length; |
wolfSSL | 13:f67a6c6013ca | 3209 | |
wolfSSL | 13:f67a6c6013ca | 3210 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3211 | } |
wolfSSL | 13:f67a6c6013ca | 3212 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 3213 | |
wolfSSL | 13:f67a6c6013ca | 3214 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 3215 | |
wolfSSL | 13:f67a6c6013ca | 3216 | /* return 0 on success if the ECC curve oid sum is supported */ |
wolfSSL | 13:f67a6c6013ca | 3217 | static int CheckCurve(word32 oid) |
wolfSSL | 13:f67a6c6013ca | 3218 | { |
wolfSSL | 13:f67a6c6013ca | 3219 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 3220 | word32 oidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 3221 | |
wolfSSL | 13:f67a6c6013ca | 3222 | ret = wc_ecc_get_oid(oid, NULL, &oidSz); |
wolfSSL | 13:f67a6c6013ca | 3223 | if (ret < 0 || oidSz <= 0) { |
wolfSSL | 13:f67a6c6013ca | 3224 | WOLFSSL_MSG("CheckCurve not found"); |
wolfSSL | 13:f67a6c6013ca | 3225 | ret = ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 3226 | } |
wolfSSL | 13:f67a6c6013ca | 3227 | |
wolfSSL | 13:f67a6c6013ca | 3228 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3229 | } |
wolfSSL | 13:f67a6c6013ca | 3230 | |
wolfSSL | 13:f67a6c6013ca | 3231 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 3232 | |
wolfSSL | 13:f67a6c6013ca | 3233 | static int GetKey(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 3234 | { |
wolfSSL | 13:f67a6c6013ca | 3235 | int length; |
wolfSSL | 13:f67a6c6013ca | 3236 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 3237 | int tmpIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3238 | #endif |
wolfSSL | 13:f67a6c6013ca | 3239 | |
wolfSSL | 13:f67a6c6013ca | 3240 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3241 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3242 | |
wolfSSL | 13:f67a6c6013ca | 3243 | if (GetAlgoId(cert->source, &cert->srcIdx, |
wolfSSL | 13:f67a6c6013ca | 3244 | &cert->keyOID, oidKeyType, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3245 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3246 | |
wolfSSL | 13:f67a6c6013ca | 3247 | switch (cert->keyOID) { |
wolfSSL | 13:f67a6c6013ca | 3248 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 3249 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 3250 | { |
wolfSSL | 13:f67a6c6013ca | 3251 | int ret; |
wolfSSL | 13:f67a6c6013ca | 3252 | ret = CheckBitString(cert->source, &cert->srcIdx, NULL, |
wolfSSL | 13:f67a6c6013ca | 3253 | cert->maxIdx, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 3254 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 3255 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3256 | |
wolfSSL | 13:f67a6c6013ca | 3257 | return StoreRsaKey(cert); |
wolfSSL | 13:f67a6c6013ca | 3258 | } |
wolfSSL | 13:f67a6c6013ca | 3259 | |
wolfSSL | 13:f67a6c6013ca | 3260 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 3261 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 3262 | case NTRUk: |
wolfSSL | 13:f67a6c6013ca | 3263 | { |
wolfSSL | 13:f67a6c6013ca | 3264 | const byte* key = &cert->source[tmpIdx]; |
wolfSSL | 13:f67a6c6013ca | 3265 | byte* next = (byte*)key; |
wolfSSL | 13:f67a6c6013ca | 3266 | word16 keyLen; |
wolfSSL | 13:f67a6c6013ca | 3267 | word32 rc; |
wolfSSL | 13:f67a6c6013ca | 3268 | word32 remaining = cert->maxIdx - cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3269 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3270 | byte* keyBlob = NULL; |
wolfSSL | 13:f67a6c6013ca | 3271 | #else |
wolfSSL | 13:f67a6c6013ca | 3272 | byte keyBlob[MAX_NTRU_KEY_SZ]; |
wolfSSL | 13:f67a6c6013ca | 3273 | #endif |
wolfSSL | 13:f67a6c6013ca | 3274 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 13:f67a6c6013ca | 3275 | &keyLen, NULL, &next, &remaining); |
wolfSSL | 13:f67a6c6013ca | 3276 | if (rc != NTRU_OK) |
wolfSSL | 13:f67a6c6013ca | 3277 | return ASN_NTRU_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 3278 | if (keyLen > MAX_NTRU_KEY_SZ) |
wolfSSL | 13:f67a6c6013ca | 3279 | return ASN_NTRU_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 3280 | |
wolfSSL | 13:f67a6c6013ca | 3281 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3282 | keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL, |
wolfSSL | 13:f67a6c6013ca | 3283 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 3284 | if (keyBlob == NULL) |
wolfSSL | 13:f67a6c6013ca | 3285 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3286 | #endif |
wolfSSL | 13:f67a6c6013ca | 3287 | |
wolfSSL | 13:f67a6c6013ca | 3288 | rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, |
wolfSSL | 13:f67a6c6013ca | 3289 | &keyLen, keyBlob, &next, &remaining); |
wolfSSL | 13:f67a6c6013ca | 3290 | if (rc != NTRU_OK) { |
wolfSSL | 13:f67a6c6013ca | 3291 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3292 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 3293 | #endif |
wolfSSL | 13:f67a6c6013ca | 3294 | return ASN_NTRU_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 3295 | } |
wolfSSL | 13:f67a6c6013ca | 3296 | |
wolfSSL | 13:f67a6c6013ca | 3297 | if ( (next - key) < 0) { |
wolfSSL | 13:f67a6c6013ca | 3298 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3299 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 3300 | #endif |
wolfSSL | 13:f67a6c6013ca | 3301 | return ASN_NTRU_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 3302 | } |
wolfSSL | 13:f67a6c6013ca | 3303 | |
wolfSSL | 13:f67a6c6013ca | 3304 | cert->srcIdx = tmpIdx + (int)(next - key); |
wolfSSL | 13:f67a6c6013ca | 3305 | |
wolfSSL | 13:f67a6c6013ca | 3306 | cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 3307 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 3308 | if (cert->publicKey == NULL) { |
wolfSSL | 13:f67a6c6013ca | 3309 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3310 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 3311 | #endif |
wolfSSL | 13:f67a6c6013ca | 3312 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3313 | } |
wolfSSL | 13:f67a6c6013ca | 3314 | XMEMCPY(cert->publicKey, keyBlob, keyLen); |
wolfSSL | 13:f67a6c6013ca | 3315 | cert->pubKeyStored = 1; |
wolfSSL | 13:f67a6c6013ca | 3316 | cert->pubKeySize = keyLen; |
wolfSSL | 13:f67a6c6013ca | 3317 | |
wolfSSL | 13:f67a6c6013ca | 3318 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 3319 | XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 3320 | #endif |
wolfSSL | 13:f67a6c6013ca | 3321 | |
wolfSSL | 13:f67a6c6013ca | 3322 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3323 | } |
wolfSSL | 13:f67a6c6013ca | 3324 | #endif /* HAVE_NTRU */ |
wolfSSL | 13:f67a6c6013ca | 3325 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 3326 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 3327 | { |
wolfSSL | 13:f67a6c6013ca | 3328 | int ret; |
wolfSSL | 13:f67a6c6013ca | 3329 | |
wolfSSL | 13:f67a6c6013ca | 3330 | if (GetObjectId(cert->source, &cert->srcIdx, |
wolfSSL | 13:f67a6c6013ca | 3331 | &cert->pkCurveOID, oidCurveType, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3332 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3333 | |
wolfSSL | 13:f67a6c6013ca | 3334 | if (CheckCurve(cert->pkCurveOID) < 0) |
wolfSSL | 13:f67a6c6013ca | 3335 | return ECC_CURVE_OID_E; |
wolfSSL | 13:f67a6c6013ca | 3336 | |
wolfSSL | 13:f67a6c6013ca | 3337 | /* key header */ |
wolfSSL | 13:f67a6c6013ca | 3338 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 13:f67a6c6013ca | 3339 | cert->maxIdx, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 3340 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 3341 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3342 | |
wolfSSL | 13:f67a6c6013ca | 3343 | cert->publicKey = (byte*)XMALLOC(length, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 3344 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 3345 | if (cert->publicKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 3346 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3347 | XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 13:f67a6c6013ca | 3348 | cert->pubKeyStored = 1; |
wolfSSL | 13:f67a6c6013ca | 3349 | cert->pubKeySize = length; |
wolfSSL | 13:f67a6c6013ca | 3350 | |
wolfSSL | 13:f67a6c6013ca | 3351 | cert->srcIdx += length; |
wolfSSL | 13:f67a6c6013ca | 3352 | |
wolfSSL | 13:f67a6c6013ca | 3353 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3354 | } |
wolfSSL | 13:f67a6c6013ca | 3355 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 3356 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 3357 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 3358 | { |
wolfSSL | 13:f67a6c6013ca | 3359 | int ret; |
wolfSSL | 13:f67a6c6013ca | 3360 | |
wolfSSL | 13:f67a6c6013ca | 3361 | cert->pkCurveOID = ED25519k; |
wolfSSL | 13:f67a6c6013ca | 3362 | |
wolfSSL | 13:f67a6c6013ca | 3363 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, |
wolfSSL | 13:f67a6c6013ca | 3364 | cert->maxIdx, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 3365 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 3366 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3367 | |
wolfSSL | 13:f67a6c6013ca | 3368 | cert->publicKey = (byte*) XMALLOC(length, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 3369 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 3370 | if (cert->publicKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 3371 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3372 | XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length); |
wolfSSL | 13:f67a6c6013ca | 3373 | cert->pubKeyStored = 1; |
wolfSSL | 13:f67a6c6013ca | 3374 | cert->pubKeySize = length; |
wolfSSL | 13:f67a6c6013ca | 3375 | |
wolfSSL | 13:f67a6c6013ca | 3376 | cert->srcIdx += length; |
wolfSSL | 13:f67a6c6013ca | 3377 | |
wolfSSL | 13:f67a6c6013ca | 3378 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3379 | } |
wolfSSL | 13:f67a6c6013ca | 3380 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 3381 | default: |
wolfSSL | 13:f67a6c6013ca | 3382 | return ASN_UNKNOWN_OID_E; |
wolfSSL | 13:f67a6c6013ca | 3383 | } |
wolfSSL | 13:f67a6c6013ca | 3384 | } |
wolfSSL | 13:f67a6c6013ca | 3385 | |
wolfSSL | 13:f67a6c6013ca | 3386 | /* process NAME, either issuer or subject */ |
wolfSSL | 13:f67a6c6013ca | 3387 | static int GetName(DecodedCert* cert, int nameType) |
wolfSSL | 13:f67a6c6013ca | 3388 | { |
wolfSSL | 13:f67a6c6013ca | 3389 | int length; /* length of all distinguished names */ |
wolfSSL | 13:f67a6c6013ca | 3390 | int dummy; |
wolfSSL | 13:f67a6c6013ca | 3391 | int ret; |
wolfSSL | 13:f67a6c6013ca | 3392 | char* full; |
wolfSSL | 13:f67a6c6013ca | 3393 | byte* hash; |
wolfSSL | 13:f67a6c6013ca | 3394 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 3395 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3396 | DecodedName* dName = |
wolfSSL | 13:f67a6c6013ca | 3397 | (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName; |
wolfSSL | 13:f67a6c6013ca | 3398 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3399 | |
wolfSSL | 13:f67a6c6013ca | 3400 | WOLFSSL_MSG("Getting Cert Name"); |
wolfSSL | 13:f67a6c6013ca | 3401 | |
wolfSSL | 13:f67a6c6013ca | 3402 | if (nameType == ISSUER) { |
wolfSSL | 13:f67a6c6013ca | 3403 | full = cert->issuer; |
wolfSSL | 13:f67a6c6013ca | 3404 | hash = cert->issuerHash; |
wolfSSL | 13:f67a6c6013ca | 3405 | } |
wolfSSL | 13:f67a6c6013ca | 3406 | else { |
wolfSSL | 13:f67a6c6013ca | 3407 | full = cert->subject; |
wolfSSL | 13:f67a6c6013ca | 3408 | hash = cert->subjectHash; |
wolfSSL | 13:f67a6c6013ca | 3409 | } |
wolfSSL | 13:f67a6c6013ca | 3410 | |
wolfSSL | 13:f67a6c6013ca | 3411 | if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) { |
wolfSSL | 13:f67a6c6013ca | 3412 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 13:f67a6c6013ca | 3413 | |
wolfSSL | 13:f67a6c6013ca | 3414 | if (SkipObjectId(cert->source, &cert->srcIdx, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3415 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3416 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 13:f67a6c6013ca | 3417 | } |
wolfSSL | 13:f67a6c6013ca | 3418 | |
wolfSSL | 13:f67a6c6013ca | 3419 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 13:f67a6c6013ca | 3420 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 13:f67a6c6013ca | 3421 | * the tag and length. */ |
wolfSSL | 13:f67a6c6013ca | 3422 | idx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3423 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3424 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3425 | |
wolfSSL | 13:f67a6c6013ca | 3426 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 3427 | ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 13:f67a6c6013ca | 3428 | #else |
wolfSSL | 13:f67a6c6013ca | 3429 | ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash); |
wolfSSL | 13:f67a6c6013ca | 3430 | #endif |
wolfSSL | 13:f67a6c6013ca | 3431 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 3432 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3433 | |
wolfSSL | 13:f67a6c6013ca | 3434 | length += cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3435 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 3436 | |
wolfSSL | 13:f67a6c6013ca | 3437 | #ifdef HAVE_PKCS7 |
wolfSSL | 13:f67a6c6013ca | 3438 | /* store pointer to raw issuer */ |
wolfSSL | 13:f67a6c6013ca | 3439 | if (nameType == ISSUER) { |
wolfSSL | 13:f67a6c6013ca | 3440 | cert->issuerRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3441 | cert->issuerRawLen = length - cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3442 | } |
wolfSSL | 13:f67a6c6013ca | 3443 | #endif |
wolfSSL | 13:f67a6c6013ca | 3444 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 3445 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3446 | cert->subjectRaw = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3447 | cert->subjectRawLen = length - cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3448 | } |
wolfSSL | 13:f67a6c6013ca | 3449 | #endif |
wolfSSL | 13:f67a6c6013ca | 3450 | |
wolfSSL | 13:f67a6c6013ca | 3451 | while (cert->srcIdx < (word32)length) { |
wolfSSL | 13:f67a6c6013ca | 3452 | byte b; |
wolfSSL | 13:f67a6c6013ca | 3453 | byte joint[2]; |
wolfSSL | 13:f67a6c6013ca | 3454 | byte tooBig = FALSE; |
wolfSSL | 13:f67a6c6013ca | 3455 | int oidSz; |
wolfSSL | 13:f67a6c6013ca | 3456 | |
wolfSSL | 13:f67a6c6013ca | 3457 | if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 3458 | WOLFSSL_MSG("Cert name lacks set header, trying sequence"); |
wolfSSL | 13:f67a6c6013ca | 3459 | } |
wolfSSL | 13:f67a6c6013ca | 3460 | |
wolfSSL | 13:f67a6c6013ca | 3461 | if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) <= 0) |
wolfSSL | 13:f67a6c6013ca | 3462 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3463 | |
wolfSSL | 13:f67a6c6013ca | 3464 | ret = GetASNObjectId(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx); |
wolfSSL | 13:f67a6c6013ca | 3465 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 3466 | return ret; |
wolfSSL | 13:f67a6c6013ca | 3467 | |
wolfSSL | 13:f67a6c6013ca | 3468 | /* make sure there is room for joint */ |
wolfSSL | 13:f67a6c6013ca | 3469 | if ((cert->srcIdx + sizeof(joint)) > cert->maxIdx) |
wolfSSL | 13:f67a6c6013ca | 3470 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3471 | |
wolfSSL | 13:f67a6c6013ca | 3472 | XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint)); |
wolfSSL | 13:f67a6c6013ca | 3473 | |
wolfSSL | 13:f67a6c6013ca | 3474 | /* v1 name types */ |
wolfSSL | 13:f67a6c6013ca | 3475 | if (joint[0] == 0x55 && joint[1] == 0x04) { |
wolfSSL | 13:f67a6c6013ca | 3476 | byte id; |
wolfSSL | 13:f67a6c6013ca | 3477 | byte copy = FALSE; |
wolfSSL | 13:f67a6c6013ca | 3478 | int strLen; |
wolfSSL | 13:f67a6c6013ca | 3479 | |
wolfSSL | 13:f67a6c6013ca | 3480 | cert->srcIdx += 2; |
wolfSSL | 13:f67a6c6013ca | 3481 | id = cert->source[cert->srcIdx++]; |
wolfSSL | 13:f67a6c6013ca | 3482 | b = cert->source[cert->srcIdx++]; /* encoding */ |
wolfSSL | 13:f67a6c6013ca | 3483 | |
wolfSSL | 13:f67a6c6013ca | 3484 | if (GetLength(cert->source, &cert->srcIdx, &strLen, |
wolfSSL | 13:f67a6c6013ca | 3485 | cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3486 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3487 | |
wolfSSL | 13:f67a6c6013ca | 3488 | if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 13:f67a6c6013ca | 3489 | /* include biggest pre fix header too 4 = "/serialNumber=" */ |
wolfSSL | 13:f67a6c6013ca | 3490 | WOLFSSL_MSG("ASN Name too big, skipping"); |
wolfSSL | 13:f67a6c6013ca | 3491 | tooBig = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3492 | } |
wolfSSL | 13:f67a6c6013ca | 3493 | |
wolfSSL | 13:f67a6c6013ca | 3494 | if (id == ASN_COMMON_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3495 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3496 | cert->subjectCN = (char *)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3497 | cert->subjectCNLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3498 | cert->subjectCNEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3499 | } |
wolfSSL | 13:f67a6c6013ca | 3500 | |
wolfSSL | 13:f67a6c6013ca | 3501 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3502 | XMEMCPY(&full[idx], "/CN=", 4); |
wolfSSL | 13:f67a6c6013ca | 3503 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3504 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3505 | } |
wolfSSL | 13:f67a6c6013ca | 3506 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3507 | dName->cnIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3508 | dName->cnLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3509 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3510 | } |
wolfSSL | 13:f67a6c6013ca | 3511 | else if (id == ASN_SUR_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3512 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3513 | XMEMCPY(&full[idx], "/SN=", 4); |
wolfSSL | 13:f67a6c6013ca | 3514 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3515 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3516 | } |
wolfSSL | 13:f67a6c6013ca | 3517 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3518 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3519 | cert->subjectSN = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3520 | cert->subjectSNLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3521 | cert->subjectSNEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3522 | } |
wolfSSL | 13:f67a6c6013ca | 3523 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3524 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3525 | dName->snIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3526 | dName->snLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3527 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3528 | } |
wolfSSL | 13:f67a6c6013ca | 3529 | else if (id == ASN_COUNTRY_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3530 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3531 | XMEMCPY(&full[idx], "/C=", 3); |
wolfSSL | 13:f67a6c6013ca | 3532 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3533 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3534 | } |
wolfSSL | 13:f67a6c6013ca | 3535 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3536 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3537 | cert->subjectC = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3538 | cert->subjectCLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3539 | cert->subjectCEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3540 | } |
wolfSSL | 13:f67a6c6013ca | 3541 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3542 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3543 | dName->cIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3544 | dName->cLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3545 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3546 | } |
wolfSSL | 13:f67a6c6013ca | 3547 | else if (id == ASN_LOCALITY_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3548 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3549 | XMEMCPY(&full[idx], "/L=", 3); |
wolfSSL | 13:f67a6c6013ca | 3550 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3551 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3552 | } |
wolfSSL | 13:f67a6c6013ca | 3553 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3554 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3555 | cert->subjectL = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3556 | cert->subjectLLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3557 | cert->subjectLEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3558 | } |
wolfSSL | 13:f67a6c6013ca | 3559 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3560 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3561 | dName->lIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3562 | dName->lLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3563 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3564 | } |
wolfSSL | 13:f67a6c6013ca | 3565 | else if (id == ASN_STATE_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3566 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3567 | XMEMCPY(&full[idx], "/ST=", 4); |
wolfSSL | 13:f67a6c6013ca | 3568 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3569 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3570 | } |
wolfSSL | 13:f67a6c6013ca | 3571 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3572 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3573 | cert->subjectST = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3574 | cert->subjectSTLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3575 | cert->subjectSTEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3576 | } |
wolfSSL | 13:f67a6c6013ca | 3577 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3578 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3579 | dName->stIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3580 | dName->stLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3581 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3582 | } |
wolfSSL | 13:f67a6c6013ca | 3583 | else if (id == ASN_ORG_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3584 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3585 | XMEMCPY(&full[idx], "/O=", 3); |
wolfSSL | 13:f67a6c6013ca | 3586 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3587 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3588 | } |
wolfSSL | 13:f67a6c6013ca | 3589 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3590 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3591 | cert->subjectO = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3592 | cert->subjectOLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3593 | cert->subjectOEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3594 | } |
wolfSSL | 13:f67a6c6013ca | 3595 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3596 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3597 | dName->oIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3598 | dName->oLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3599 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3600 | } |
wolfSSL | 13:f67a6c6013ca | 3601 | else if (id == ASN_ORGUNIT_NAME) { |
wolfSSL | 13:f67a6c6013ca | 3602 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3603 | XMEMCPY(&full[idx], "/OU=", 4); |
wolfSSL | 13:f67a6c6013ca | 3604 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3605 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3606 | } |
wolfSSL | 13:f67a6c6013ca | 3607 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3608 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3609 | cert->subjectOU = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3610 | cert->subjectOULen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3611 | cert->subjectOUEnc = b; |
wolfSSL | 13:f67a6c6013ca | 3612 | } |
wolfSSL | 13:f67a6c6013ca | 3613 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3614 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3615 | dName->ouIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3616 | dName->ouLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3617 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3618 | } |
wolfSSL | 13:f67a6c6013ca | 3619 | else if (id == ASN_SERIAL_NUMBER) { |
wolfSSL | 13:f67a6c6013ca | 3620 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3621 | XMEMCPY(&full[idx], "/serialNumber=", 14); |
wolfSSL | 13:f67a6c6013ca | 3622 | idx += 14; |
wolfSSL | 13:f67a6c6013ca | 3623 | copy = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3624 | } |
wolfSSL | 13:f67a6c6013ca | 3625 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3626 | dName->snIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3627 | dName->snLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 3628 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3629 | } |
wolfSSL | 13:f67a6c6013ca | 3630 | |
wolfSSL | 13:f67a6c6013ca | 3631 | if (copy && !tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3632 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); |
wolfSSL | 13:f67a6c6013ca | 3633 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 3634 | } |
wolfSSL | 13:f67a6c6013ca | 3635 | |
wolfSSL | 13:f67a6c6013ca | 3636 | cert->srcIdx += strLen; |
wolfSSL | 13:f67a6c6013ca | 3637 | } |
wolfSSL | 13:f67a6c6013ca | 3638 | else { |
wolfSSL | 13:f67a6c6013ca | 3639 | /* skip */ |
wolfSSL | 13:f67a6c6013ca | 3640 | byte email = FALSE; |
wolfSSL | 13:f67a6c6013ca | 3641 | byte uid = FALSE; |
wolfSSL | 13:f67a6c6013ca | 3642 | int adv; |
wolfSSL | 13:f67a6c6013ca | 3643 | |
wolfSSL | 13:f67a6c6013ca | 3644 | if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */ |
wolfSSL | 13:f67a6c6013ca | 3645 | email = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3646 | |
wolfSSL | 13:f67a6c6013ca | 3647 | if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */ |
wolfSSL | 13:f67a6c6013ca | 3648 | uid = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3649 | |
wolfSSL | 13:f67a6c6013ca | 3650 | cert->srcIdx += oidSz + 1; |
wolfSSL | 13:f67a6c6013ca | 3651 | |
wolfSSL | 13:f67a6c6013ca | 3652 | if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 3653 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 3654 | |
wolfSSL | 13:f67a6c6013ca | 3655 | if (adv > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 13:f67a6c6013ca | 3656 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 13:f67a6c6013ca | 3657 | tooBig = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3658 | } |
wolfSSL | 13:f67a6c6013ca | 3659 | |
wolfSSL | 13:f67a6c6013ca | 3660 | if (email) { |
wolfSSL | 13:f67a6c6013ca | 3661 | if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 13:f67a6c6013ca | 3662 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 13:f67a6c6013ca | 3663 | tooBig = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3664 | } |
wolfSSL | 13:f67a6c6013ca | 3665 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3666 | XMEMCPY(&full[idx], "/emailAddress=", 14); |
wolfSSL | 13:f67a6c6013ca | 3667 | idx += 14; |
wolfSSL | 13:f67a6c6013ca | 3668 | } |
wolfSSL | 13:f67a6c6013ca | 3669 | |
wolfSSL | 13:f67a6c6013ca | 3670 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 3671 | if (nameType == SUBJECT) { |
wolfSSL | 13:f67a6c6013ca | 3672 | cert->subjectEmail = (char*)&cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 3673 | cert->subjectEmailLen = adv; |
wolfSSL | 13:f67a6c6013ca | 3674 | } |
wolfSSL | 13:f67a6c6013ca | 3675 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 3676 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3677 | dName->emailIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3678 | dName->emailLen = adv; |
wolfSSL | 13:f67a6c6013ca | 3679 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3680 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 3681 | { |
wolfSSL | 13:f67a6c6013ca | 3682 | DNS_entry* emailName = NULL; |
wolfSSL | 13:f67a6c6013ca | 3683 | |
wolfSSL | 13:f67a6c6013ca | 3684 | emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), |
wolfSSL | 13:f67a6c6013ca | 3685 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3686 | if (emailName == NULL) { |
wolfSSL | 13:f67a6c6013ca | 3687 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 3688 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3689 | } |
wolfSSL | 13:f67a6c6013ca | 3690 | emailName->name = (char*)XMALLOC(adv + 1, |
wolfSSL | 13:f67a6c6013ca | 3691 | cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3692 | if (emailName->name == NULL) { |
wolfSSL | 13:f67a6c6013ca | 3693 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 3694 | XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 3695 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 3696 | } |
wolfSSL | 13:f67a6c6013ca | 3697 | XMEMCPY(emailName->name, |
wolfSSL | 13:f67a6c6013ca | 3698 | &cert->source[cert->srcIdx], adv); |
wolfSSL | 13:f67a6c6013ca | 3699 | emailName->name[adv] = 0; |
wolfSSL | 13:f67a6c6013ca | 3700 | |
wolfSSL | 13:f67a6c6013ca | 3701 | emailName->next = cert->altEmailNames; |
wolfSSL | 13:f67a6c6013ca | 3702 | cert->altEmailNames = emailName; |
wolfSSL | 13:f67a6c6013ca | 3703 | } |
wolfSSL | 13:f67a6c6013ca | 3704 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 3705 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3706 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 13:f67a6c6013ca | 3707 | idx += adv; |
wolfSSL | 13:f67a6c6013ca | 3708 | } |
wolfSSL | 13:f67a6c6013ca | 3709 | } |
wolfSSL | 13:f67a6c6013ca | 3710 | |
wolfSSL | 13:f67a6c6013ca | 3711 | if (uid) { |
wolfSSL | 13:f67a6c6013ca | 3712 | if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) { |
wolfSSL | 13:f67a6c6013ca | 3713 | WOLFSSL_MSG("ASN name too big, skipping"); |
wolfSSL | 13:f67a6c6013ca | 3714 | tooBig = TRUE; |
wolfSSL | 13:f67a6c6013ca | 3715 | } |
wolfSSL | 13:f67a6c6013ca | 3716 | if (!tooBig) { |
wolfSSL | 13:f67a6c6013ca | 3717 | XMEMCPY(&full[idx], "/UID=", 5); |
wolfSSL | 13:f67a6c6013ca | 3718 | idx += 5; |
wolfSSL | 13:f67a6c6013ca | 3719 | |
wolfSSL | 13:f67a6c6013ca | 3720 | XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); |
wolfSSL | 13:f67a6c6013ca | 3721 | idx += adv; |
wolfSSL | 13:f67a6c6013ca | 3722 | } |
wolfSSL | 13:f67a6c6013ca | 3723 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3724 | dName->uidIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 3725 | dName->uidLen = adv; |
wolfSSL | 13:f67a6c6013ca | 3726 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3727 | } |
wolfSSL | 13:f67a6c6013ca | 3728 | |
wolfSSL | 13:f67a6c6013ca | 3729 | cert->srcIdx += adv; |
wolfSSL | 13:f67a6c6013ca | 3730 | } |
wolfSSL | 13:f67a6c6013ca | 3731 | } |
wolfSSL | 13:f67a6c6013ca | 3732 | full[idx++] = 0; |
wolfSSL | 13:f67a6c6013ca | 3733 | |
wolfSSL | 13:f67a6c6013ca | 3734 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 3735 | { |
wolfSSL | 13:f67a6c6013ca | 3736 | int totalLen = 0; |
wolfSSL | 13:f67a6c6013ca | 3737 | |
wolfSSL | 13:f67a6c6013ca | 3738 | if (dName->cnLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3739 | totalLen += dName->cnLen + 4; |
wolfSSL | 13:f67a6c6013ca | 3740 | if (dName->snLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3741 | totalLen += dName->snLen + 4; |
wolfSSL | 13:f67a6c6013ca | 3742 | if (dName->cLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3743 | totalLen += dName->cLen + 3; |
wolfSSL | 13:f67a6c6013ca | 3744 | if (dName->lLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3745 | totalLen += dName->lLen + 3; |
wolfSSL | 13:f67a6c6013ca | 3746 | if (dName->stLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3747 | totalLen += dName->stLen + 4; |
wolfSSL | 13:f67a6c6013ca | 3748 | if (dName->oLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3749 | totalLen += dName->oLen + 3; |
wolfSSL | 13:f67a6c6013ca | 3750 | if (dName->ouLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3751 | totalLen += dName->ouLen + 4; |
wolfSSL | 13:f67a6c6013ca | 3752 | if (dName->emailLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3753 | totalLen += dName->emailLen + 14; |
wolfSSL | 13:f67a6c6013ca | 3754 | if (dName->uidLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3755 | totalLen += dName->uidLen + 5; |
wolfSSL | 13:f67a6c6013ca | 3756 | if (dName->serialLen != 0) |
wolfSSL | 13:f67a6c6013ca | 3757 | totalLen += dName->serialLen + 14; |
wolfSSL | 13:f67a6c6013ca | 3758 | |
wolfSSL | 13:f67a6c6013ca | 3759 | dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 3760 | DYNAMIC_TYPE_X509); |
wolfSSL | 13:f67a6c6013ca | 3761 | if (dName->fullName != NULL) { |
wolfSSL | 13:f67a6c6013ca | 3762 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 3763 | |
wolfSSL | 13:f67a6c6013ca | 3764 | if (dName->cnLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3765 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3766 | XMEMCPY(&dName->fullName[idx], "/CN=", 4); |
wolfSSL | 13:f67a6c6013ca | 3767 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3768 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3769 | &cert->source[dName->cnIdx], dName->cnLen); |
wolfSSL | 13:f67a6c6013ca | 3770 | dName->cnIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3771 | idx += dName->cnLen; |
wolfSSL | 13:f67a6c6013ca | 3772 | } |
wolfSSL | 13:f67a6c6013ca | 3773 | if (dName->snLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3774 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3775 | XMEMCPY(&dName->fullName[idx], "/SN=", 4); |
wolfSSL | 13:f67a6c6013ca | 3776 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3777 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3778 | &cert->source[dName->snIdx], dName->snLen); |
wolfSSL | 13:f67a6c6013ca | 3779 | dName->snIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3780 | idx += dName->snLen; |
wolfSSL | 13:f67a6c6013ca | 3781 | } |
wolfSSL | 13:f67a6c6013ca | 3782 | if (dName->cLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3783 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3784 | XMEMCPY(&dName->fullName[idx], "/C=", 3); |
wolfSSL | 13:f67a6c6013ca | 3785 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3786 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3787 | &cert->source[dName->cIdx], dName->cLen); |
wolfSSL | 13:f67a6c6013ca | 3788 | dName->cIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3789 | idx += dName->cLen; |
wolfSSL | 13:f67a6c6013ca | 3790 | } |
wolfSSL | 13:f67a6c6013ca | 3791 | if (dName->lLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3792 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3793 | XMEMCPY(&dName->fullName[idx], "/L=", 3); |
wolfSSL | 13:f67a6c6013ca | 3794 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3795 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3796 | &cert->source[dName->lIdx], dName->lLen); |
wolfSSL | 13:f67a6c6013ca | 3797 | dName->lIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3798 | idx += dName->lLen; |
wolfSSL | 13:f67a6c6013ca | 3799 | } |
wolfSSL | 13:f67a6c6013ca | 3800 | if (dName->stLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3801 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3802 | XMEMCPY(&dName->fullName[idx], "/ST=", 4); |
wolfSSL | 13:f67a6c6013ca | 3803 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3804 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3805 | &cert->source[dName->stIdx], dName->stLen); |
wolfSSL | 13:f67a6c6013ca | 3806 | dName->stIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3807 | idx += dName->stLen; |
wolfSSL | 13:f67a6c6013ca | 3808 | } |
wolfSSL | 13:f67a6c6013ca | 3809 | if (dName->oLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3810 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3811 | XMEMCPY(&dName->fullName[idx], "/O=", 3); |
wolfSSL | 13:f67a6c6013ca | 3812 | idx += 3; |
wolfSSL | 13:f67a6c6013ca | 3813 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3814 | &cert->source[dName->oIdx], dName->oLen); |
wolfSSL | 13:f67a6c6013ca | 3815 | dName->oIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3816 | idx += dName->oLen; |
wolfSSL | 13:f67a6c6013ca | 3817 | } |
wolfSSL | 13:f67a6c6013ca | 3818 | if (dName->ouLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3819 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3820 | XMEMCPY(&dName->fullName[idx], "/OU=", 4); |
wolfSSL | 13:f67a6c6013ca | 3821 | idx += 4; |
wolfSSL | 13:f67a6c6013ca | 3822 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3823 | &cert->source[dName->ouIdx], dName->ouLen); |
wolfSSL | 13:f67a6c6013ca | 3824 | dName->ouIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3825 | idx += dName->ouLen; |
wolfSSL | 13:f67a6c6013ca | 3826 | } |
wolfSSL | 13:f67a6c6013ca | 3827 | if (dName->emailLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3828 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3829 | XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14); |
wolfSSL | 13:f67a6c6013ca | 3830 | idx += 14; |
wolfSSL | 13:f67a6c6013ca | 3831 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3832 | &cert->source[dName->emailIdx], dName->emailLen); |
wolfSSL | 13:f67a6c6013ca | 3833 | dName->emailIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3834 | idx += dName->emailLen; |
wolfSSL | 13:f67a6c6013ca | 3835 | } |
wolfSSL | 13:f67a6c6013ca | 3836 | if (dName->uidLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3837 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3838 | XMEMCPY(&dName->fullName[idx], "/UID=", 5); |
wolfSSL | 13:f67a6c6013ca | 3839 | idx += 5; |
wolfSSL | 13:f67a6c6013ca | 3840 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3841 | &cert->source[dName->uidIdx], dName->uidLen); |
wolfSSL | 13:f67a6c6013ca | 3842 | dName->uidIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3843 | idx += dName->uidLen; |
wolfSSL | 13:f67a6c6013ca | 3844 | } |
wolfSSL | 13:f67a6c6013ca | 3845 | if (dName->serialLen != 0) { |
wolfSSL | 13:f67a6c6013ca | 3846 | dName->entryCount++; |
wolfSSL | 13:f67a6c6013ca | 3847 | XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14); |
wolfSSL | 13:f67a6c6013ca | 3848 | idx += 14; |
wolfSSL | 13:f67a6c6013ca | 3849 | XMEMCPY(&dName->fullName[idx], |
wolfSSL | 13:f67a6c6013ca | 3850 | &cert->source[dName->serialIdx], dName->serialLen); |
wolfSSL | 13:f67a6c6013ca | 3851 | dName->serialIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 3852 | idx += dName->serialLen; |
wolfSSL | 13:f67a6c6013ca | 3853 | } |
wolfSSL | 13:f67a6c6013ca | 3854 | dName->fullName[idx] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 3855 | dName->fullNameLen = totalLen; |
wolfSSL | 13:f67a6c6013ca | 3856 | } |
wolfSSL | 13:f67a6c6013ca | 3857 | } |
wolfSSL | 13:f67a6c6013ca | 3858 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 3859 | |
wolfSSL | 13:f67a6c6013ca | 3860 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3861 | } |
wolfSSL | 13:f67a6c6013ca | 3862 | |
wolfSSL | 13:f67a6c6013ca | 3863 | |
wolfSSL | 13:f67a6c6013ca | 3864 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 3865 | #if !defined(NO_TIME_H) && defined(USE_WOLF_VALIDDATE) |
wolfSSL | 13:f67a6c6013ca | 3866 | |
wolfSSL | 13:f67a6c6013ca | 3867 | /* to the second */ |
wolfSSL | 13:f67a6c6013ca | 3868 | static int DateGreaterThan(const struct tm* a, const struct tm* b) |
wolfSSL | 13:f67a6c6013ca | 3869 | { |
wolfSSL | 13:f67a6c6013ca | 3870 | if (a->tm_year > b->tm_year) |
wolfSSL | 13:f67a6c6013ca | 3871 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3872 | |
wolfSSL | 13:f67a6c6013ca | 3873 | if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon) |
wolfSSL | 13:f67a6c6013ca | 3874 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3875 | |
wolfSSL | 13:f67a6c6013ca | 3876 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 13:f67a6c6013ca | 3877 | a->tm_mday > b->tm_mday) |
wolfSSL | 13:f67a6c6013ca | 3878 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3879 | |
wolfSSL | 13:f67a6c6013ca | 3880 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 13:f67a6c6013ca | 3881 | a->tm_mday == b->tm_mday && a->tm_hour > b->tm_hour) |
wolfSSL | 13:f67a6c6013ca | 3882 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3883 | |
wolfSSL | 13:f67a6c6013ca | 3884 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 13:f67a6c6013ca | 3885 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 13:f67a6c6013ca | 3886 | a->tm_min > b->tm_min) |
wolfSSL | 13:f67a6c6013ca | 3887 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3888 | |
wolfSSL | 13:f67a6c6013ca | 3889 | if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon && |
wolfSSL | 13:f67a6c6013ca | 3890 | a->tm_mday == b->tm_mday && a->tm_hour == b->tm_hour && |
wolfSSL | 13:f67a6c6013ca | 3891 | a->tm_min == b->tm_min && a->tm_sec > b->tm_sec) |
wolfSSL | 13:f67a6c6013ca | 3892 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3893 | |
wolfSSL | 13:f67a6c6013ca | 3894 | return 0; /* false */ |
wolfSSL | 13:f67a6c6013ca | 3895 | } |
wolfSSL | 13:f67a6c6013ca | 3896 | |
wolfSSL | 13:f67a6c6013ca | 3897 | |
wolfSSL | 13:f67a6c6013ca | 3898 | static INLINE int DateLessThan(const struct tm* a, const struct tm* b) |
wolfSSL | 13:f67a6c6013ca | 3899 | { |
wolfSSL | 13:f67a6c6013ca | 3900 | return DateGreaterThan(b,a); |
wolfSSL | 13:f67a6c6013ca | 3901 | } |
wolfSSL | 13:f67a6c6013ca | 3902 | |
wolfSSL | 13:f67a6c6013ca | 3903 | |
wolfSSL | 13:f67a6c6013ca | 3904 | #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 13:f67a6c6013ca | 3905 | int GetTimeString(byte* date, int format, char* buf, int len) |
wolfSSL | 13:f67a6c6013ca | 3906 | { |
wolfSSL | 13:f67a6c6013ca | 3907 | struct tm t; |
wolfSSL | 13:f67a6c6013ca | 3908 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 3909 | |
wolfSSL | 13:f67a6c6013ca | 3910 | if (!ExtractDate(date, format, &t, &idx)) { |
wolfSSL | 13:f67a6c6013ca | 3911 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3912 | } |
wolfSSL | 13:f67a6c6013ca | 3913 | |
wolfSSL | 13:f67a6c6013ca | 3914 | if (date[idx] != 'Z') { |
wolfSSL | 13:f67a6c6013ca | 3915 | WOLFSSL_MSG("UTCtime, not Zulu") ; |
wolfSSL | 13:f67a6c6013ca | 3916 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3917 | } |
wolfSSL | 13:f67a6c6013ca | 3918 | |
wolfSSL | 13:f67a6c6013ca | 3919 | /* place month in buffer */ |
wolfSSL | 13:f67a6c6013ca | 3920 | buf[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 3921 | switch(t.tm_mon) { |
wolfSSL | 13:f67a6c6013ca | 3922 | case 0: XSTRNCAT(buf, "Jan ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3923 | case 1: XSTRNCAT(buf, "Feb ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3924 | case 2: XSTRNCAT(buf, "Mar ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3925 | case 3: XSTRNCAT(buf, "Apr ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3926 | case 4: XSTRNCAT(buf, "May ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3927 | case 5: XSTRNCAT(buf, "Jun ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3928 | case 6: XSTRNCAT(buf, "Jul ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3929 | case 7: XSTRNCAT(buf, "Aug ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3930 | case 8: XSTRNCAT(buf, "Sep ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3931 | case 9: XSTRNCAT(buf, "Oct ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3932 | case 10: XSTRNCAT(buf, "Nov ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3933 | case 11: XSTRNCAT(buf, "Dec ", 4); break; |
wolfSSL | 13:f67a6c6013ca | 3934 | default: |
wolfSSL | 13:f67a6c6013ca | 3935 | return 0; |
wolfSSL | 13:f67a6c6013ca | 3936 | |
wolfSSL | 13:f67a6c6013ca | 3937 | } |
wolfSSL | 13:f67a6c6013ca | 3938 | idx = 4; /* use idx now for char buffer */ |
wolfSSL | 13:f67a6c6013ca | 3939 | buf[idx] = ' '; |
wolfSSL | 13:f67a6c6013ca | 3940 | |
wolfSSL | 13:f67a6c6013ca | 3941 | XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT", |
wolfSSL | 13:f67a6c6013ca | 3942 | t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900); |
wolfSSL | 13:f67a6c6013ca | 3943 | |
wolfSSL | 13:f67a6c6013ca | 3944 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3945 | } |
wolfSSL | 13:f67a6c6013ca | 3946 | #endif /* WOLFSSL_MYSQL_COMPATIBLE */ |
wolfSSL | 13:f67a6c6013ca | 3947 | |
wolfSSL | 13:f67a6c6013ca | 3948 | int ExtractDate(const unsigned char* date, unsigned char format, |
wolfSSL | 13:f67a6c6013ca | 3949 | struct tm* certTime, int* idx) |
wolfSSL | 13:f67a6c6013ca | 3950 | { |
wolfSSL | 13:f67a6c6013ca | 3951 | XMEMSET(certTime, 0, sizeof(struct tm)); |
wolfSSL | 13:f67a6c6013ca | 3952 | |
wolfSSL | 13:f67a6c6013ca | 3953 | if (format == ASN_UTC_TIME) { |
wolfSSL | 13:f67a6c6013ca | 3954 | if (btoi(date[0]) >= 5) |
wolfSSL | 13:f67a6c6013ca | 3955 | certTime->tm_year = 1900; |
wolfSSL | 13:f67a6c6013ca | 3956 | else |
wolfSSL | 13:f67a6c6013ca | 3957 | certTime->tm_year = 2000; |
wolfSSL | 13:f67a6c6013ca | 3958 | } |
wolfSSL | 13:f67a6c6013ca | 3959 | else { /* format == GENERALIZED_TIME */ |
wolfSSL | 13:f67a6c6013ca | 3960 | certTime->tm_year += btoi(date[*idx]) * 1000; *idx = *idx + 1; |
wolfSSL | 13:f67a6c6013ca | 3961 | certTime->tm_year += btoi(date[*idx]) * 100; *idx = *idx + 1; |
wolfSSL | 13:f67a6c6013ca | 3962 | } |
wolfSSL | 13:f67a6c6013ca | 3963 | |
wolfSSL | 13:f67a6c6013ca | 3964 | /* adjust tm_year, tm_mon */ |
wolfSSL | 13:f67a6c6013ca | 3965 | GetTime((int*)&certTime->tm_year, date, idx); certTime->tm_year -= 1900; |
wolfSSL | 13:f67a6c6013ca | 3966 | GetTime((int*)&certTime->tm_mon, date, idx); certTime->tm_mon -= 1; |
wolfSSL | 13:f67a6c6013ca | 3967 | GetTime((int*)&certTime->tm_mday, date, idx); |
wolfSSL | 13:f67a6c6013ca | 3968 | GetTime((int*)&certTime->tm_hour, date, idx); |
wolfSSL | 13:f67a6c6013ca | 3969 | GetTime((int*)&certTime->tm_min, date, idx); |
wolfSSL | 13:f67a6c6013ca | 3970 | GetTime((int*)&certTime->tm_sec, date, idx); |
wolfSSL | 13:f67a6c6013ca | 3971 | |
wolfSSL | 13:f67a6c6013ca | 3972 | return 1; |
wolfSSL | 13:f67a6c6013ca | 3973 | } |
wolfSSL | 13:f67a6c6013ca | 3974 | |
wolfSSL | 13:f67a6c6013ca | 3975 | |
wolfSSL | 13:f67a6c6013ca | 3976 | /* like atoi but only use first byte */ |
wolfSSL | 13:f67a6c6013ca | 3977 | /* Make sure before and after dates are valid */ |
wolfSSL | 13:f67a6c6013ca | 3978 | int ValidateDate(const byte* date, byte format, int dateType) |
wolfSSL | 13:f67a6c6013ca | 3979 | { |
wolfSSL | 13:f67a6c6013ca | 3980 | time_t ltime; |
wolfSSL | 13:f67a6c6013ca | 3981 | struct tm certTime; |
wolfSSL | 13:f67a6c6013ca | 3982 | struct tm* localTime; |
wolfSSL | 13:f67a6c6013ca | 3983 | struct tm* tmpTime = NULL; |
wolfSSL | 13:f67a6c6013ca | 3984 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 3985 | int timeDiff = 0 ; |
wolfSSL | 13:f67a6c6013ca | 3986 | int diffHH = 0 ; int diffMM = 0 ; |
wolfSSL | 13:f67a6c6013ca | 3987 | int diffSign = 0 ; |
wolfSSL | 13:f67a6c6013ca | 3988 | |
wolfSSL | 13:f67a6c6013ca | 3989 | #if defined(NEED_TMP_TIME) |
wolfSSL | 13:f67a6c6013ca | 3990 | struct tm tmpTimeStorage; |
wolfSSL | 13:f67a6c6013ca | 3991 | tmpTime = &tmpTimeStorage; |
wolfSSL | 13:f67a6c6013ca | 3992 | #else |
wolfSSL | 13:f67a6c6013ca | 3993 | (void)tmpTime; |
wolfSSL | 13:f67a6c6013ca | 3994 | #endif |
wolfSSL | 13:f67a6c6013ca | 3995 | |
wolfSSL | 13:f67a6c6013ca | 3996 | ltime = XTIME(0); |
wolfSSL | 13:f67a6c6013ca | 3997 | |
wolfSSL | 13:f67a6c6013ca | 3998 | #ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW |
wolfSSL | 13:f67a6c6013ca | 3999 | if (dateType == BEFORE) { |
wolfSSL | 13:f67a6c6013ca | 4000 | WOLFSSL_MSG("Skewing local time for before date check"); |
wolfSSL | 13:f67a6c6013ca | 4001 | ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW; |
wolfSSL | 13:f67a6c6013ca | 4002 | } |
wolfSSL | 13:f67a6c6013ca | 4003 | #endif |
wolfSSL | 13:f67a6c6013ca | 4004 | |
wolfSSL | 13:f67a6c6013ca | 4005 | #ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW |
wolfSSL | 13:f67a6c6013ca | 4006 | if (dateType == AFTER) { |
wolfSSL | 13:f67a6c6013ca | 4007 | WOLFSSL_MSG("Skewing local time for after date check"); |
wolfSSL | 13:f67a6c6013ca | 4008 | ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW; |
wolfSSL | 13:f67a6c6013ca | 4009 | } |
wolfSSL | 13:f67a6c6013ca | 4010 | #endif |
wolfSSL | 13:f67a6c6013ca | 4011 | |
wolfSSL | 13:f67a6c6013ca | 4012 | if (!ExtractDate(date, format, &certTime, &i)) { |
wolfSSL | 13:f67a6c6013ca | 4013 | WOLFSSL_MSG("Error extracting the date"); |
wolfSSL | 13:f67a6c6013ca | 4014 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4015 | } |
wolfSSL | 13:f67a6c6013ca | 4016 | |
wolfSSL | 13:f67a6c6013ca | 4017 | if ((date[i] == '+') || (date[i] == '-')) { |
wolfSSL | 13:f67a6c6013ca | 4018 | WOLFSSL_MSG("Using time differential, not Zulu") ; |
wolfSSL | 13:f67a6c6013ca | 4019 | diffSign = date[i++] == '+' ? 1 : -1 ; |
wolfSSL | 13:f67a6c6013ca | 4020 | GetTime(&diffHH, date, &i); |
wolfSSL | 13:f67a6c6013ca | 4021 | GetTime(&diffMM, date, &i); |
wolfSSL | 13:f67a6c6013ca | 4022 | timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ; |
wolfSSL | 13:f67a6c6013ca | 4023 | } else if (date[i] != 'Z') { |
wolfSSL | 13:f67a6c6013ca | 4024 | WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ; |
wolfSSL | 13:f67a6c6013ca | 4025 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4026 | } |
wolfSSL | 13:f67a6c6013ca | 4027 | |
wolfSSL | 13:f67a6c6013ca | 4028 | ltime -= (time_t)timeDiff ; |
wolfSSL | 13:f67a6c6013ca | 4029 | localTime = XGMTIME(<ime, tmpTime); |
wolfSSL | 13:f67a6c6013ca | 4030 | |
wolfSSL | 13:f67a6c6013ca | 4031 | if (localTime == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4032 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 13:f67a6c6013ca | 4033 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4034 | } |
wolfSSL | 13:f67a6c6013ca | 4035 | |
wolfSSL | 13:f67a6c6013ca | 4036 | if (dateType == BEFORE) { |
wolfSSL | 13:f67a6c6013ca | 4037 | if (DateLessThan(localTime, &certTime)) { |
wolfSSL | 13:f67a6c6013ca | 4038 | WOLFSSL_MSG("Date BEFORE check failed"); |
wolfSSL | 13:f67a6c6013ca | 4039 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4040 | } |
wolfSSL | 13:f67a6c6013ca | 4041 | } |
wolfSSL | 13:f67a6c6013ca | 4042 | else { /* dateType == AFTER */ |
wolfSSL | 13:f67a6c6013ca | 4043 | if (DateGreaterThan(localTime, &certTime)) { |
wolfSSL | 13:f67a6c6013ca | 4044 | WOLFSSL_MSG("Date AFTER check failed"); |
wolfSSL | 13:f67a6c6013ca | 4045 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4046 | } |
wolfSSL | 13:f67a6c6013ca | 4047 | } |
wolfSSL | 13:f67a6c6013ca | 4048 | |
wolfSSL | 13:f67a6c6013ca | 4049 | return 1; |
wolfSSL | 13:f67a6c6013ca | 4050 | } |
wolfSSL | 13:f67a6c6013ca | 4051 | #endif /* !NO_TIME_H && USE_WOLF_VALIDDATE */ |
wolfSSL | 13:f67a6c6013ca | 4052 | |
wolfSSL | 13:f67a6c6013ca | 4053 | int wc_GetTime(void* timePtr, word32 timeSize) |
wolfSSL | 13:f67a6c6013ca | 4054 | { |
wolfSSL | 13:f67a6c6013ca | 4055 | time_t* ltime = (time_t*)timePtr; |
wolfSSL | 13:f67a6c6013ca | 4056 | |
wolfSSL | 13:f67a6c6013ca | 4057 | if (timePtr == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4058 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 4059 | } |
wolfSSL | 13:f67a6c6013ca | 4060 | |
wolfSSL | 13:f67a6c6013ca | 4061 | if ((word32)sizeof(time_t) > timeSize) { |
wolfSSL | 13:f67a6c6013ca | 4062 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 4063 | } |
wolfSSL | 13:f67a6c6013ca | 4064 | |
wolfSSL | 13:f67a6c6013ca | 4065 | *ltime = XTIME(0); |
wolfSSL | 13:f67a6c6013ca | 4066 | |
wolfSSL | 13:f67a6c6013ca | 4067 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4068 | } |
wolfSSL | 13:f67a6c6013ca | 4069 | |
wolfSSL | 13:f67a6c6013ca | 4070 | #endif /* !NO_ASN_TIME */ |
wolfSSL | 13:f67a6c6013ca | 4071 | |
wolfSSL | 13:f67a6c6013ca | 4072 | static int GetDate(DecodedCert* cert, int dateType) |
wolfSSL | 13:f67a6c6013ca | 4073 | { |
wolfSSL | 13:f67a6c6013ca | 4074 | int length; |
wolfSSL | 13:f67a6c6013ca | 4075 | byte date[MAX_DATE_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 4076 | byte b; |
wolfSSL | 13:f67a6c6013ca | 4077 | word32 startIdx = 0; |
wolfSSL | 13:f67a6c6013ca | 4078 | |
wolfSSL | 13:f67a6c6013ca | 4079 | XMEMSET(date, 0, MAX_DATE_SIZE); |
wolfSSL | 13:f67a6c6013ca | 4080 | |
wolfSSL | 13:f67a6c6013ca | 4081 | if (dateType == BEFORE) |
wolfSSL | 13:f67a6c6013ca | 4082 | cert->beforeDate = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 4083 | else |
wolfSSL | 13:f67a6c6013ca | 4084 | cert->afterDate = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 4085 | startIdx = cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 4086 | |
wolfSSL | 13:f67a6c6013ca | 4087 | b = cert->source[cert->srcIdx++]; |
wolfSSL | 13:f67a6c6013ca | 4088 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) |
wolfSSL | 13:f67a6c6013ca | 4089 | return ASN_TIME_E; |
wolfSSL | 13:f67a6c6013ca | 4090 | |
wolfSSL | 13:f67a6c6013ca | 4091 | if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 4092 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 4093 | |
wolfSSL | 13:f67a6c6013ca | 4094 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 13:f67a6c6013ca | 4095 | return ASN_DATE_SZ_E; |
wolfSSL | 13:f67a6c6013ca | 4096 | |
wolfSSL | 13:f67a6c6013ca | 4097 | XMEMCPY(date, &cert->source[cert->srcIdx], length); |
wolfSSL | 13:f67a6c6013ca | 4098 | cert->srcIdx += length; |
wolfSSL | 13:f67a6c6013ca | 4099 | |
wolfSSL | 13:f67a6c6013ca | 4100 | if (dateType == BEFORE) |
wolfSSL | 13:f67a6c6013ca | 4101 | cert->beforeDateLen = cert->srcIdx - startIdx; |
wolfSSL | 13:f67a6c6013ca | 4102 | else |
wolfSSL | 13:f67a6c6013ca | 4103 | cert->afterDateLen = cert->srcIdx - startIdx; |
wolfSSL | 13:f67a6c6013ca | 4104 | |
wolfSSL | 13:f67a6c6013ca | 4105 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 4106 | if (!XVALIDATE_DATE(date, b, dateType)) { |
wolfSSL | 13:f67a6c6013ca | 4107 | if (dateType == BEFORE) |
wolfSSL | 13:f67a6c6013ca | 4108 | return ASN_BEFORE_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 4109 | else |
wolfSSL | 13:f67a6c6013ca | 4110 | return ASN_AFTER_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 4111 | } |
wolfSSL | 13:f67a6c6013ca | 4112 | #endif |
wolfSSL | 13:f67a6c6013ca | 4113 | |
wolfSSL | 13:f67a6c6013ca | 4114 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4115 | } |
wolfSSL | 13:f67a6c6013ca | 4116 | |
wolfSSL | 13:f67a6c6013ca | 4117 | static int GetValidity(DecodedCert* cert, int verify) |
wolfSSL | 13:f67a6c6013ca | 4118 | { |
wolfSSL | 13:f67a6c6013ca | 4119 | int length; |
wolfSSL | 13:f67a6c6013ca | 4120 | int badDate = 0; |
wolfSSL | 13:f67a6c6013ca | 4121 | |
wolfSSL | 13:f67a6c6013ca | 4122 | if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 4123 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 4124 | |
wolfSSL | 13:f67a6c6013ca | 4125 | if (GetDate(cert, BEFORE) < 0 && verify != NO_VERIFY) |
wolfSSL | 13:f67a6c6013ca | 4126 | badDate = ASN_BEFORE_DATE_E; /* continue parsing */ |
wolfSSL | 13:f67a6c6013ca | 4127 | |
wolfSSL | 13:f67a6c6013ca | 4128 | if (GetDate(cert, AFTER) < 0 && verify != NO_VERIFY) |
wolfSSL | 13:f67a6c6013ca | 4129 | return ASN_AFTER_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 4130 | |
wolfSSL | 13:f67a6c6013ca | 4131 | if (badDate != 0) |
wolfSSL | 13:f67a6c6013ca | 4132 | return badDate; |
wolfSSL | 13:f67a6c6013ca | 4133 | |
wolfSSL | 13:f67a6c6013ca | 4134 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4135 | } |
wolfSSL | 13:f67a6c6013ca | 4136 | |
wolfSSL | 13:f67a6c6013ca | 4137 | |
wolfSSL | 13:f67a6c6013ca | 4138 | int DecodeToKey(DecodedCert* cert, int verify) |
wolfSSL | 13:f67a6c6013ca | 4139 | { |
wolfSSL | 13:f67a6c6013ca | 4140 | int badDate = 0; |
wolfSSL | 13:f67a6c6013ca | 4141 | int ret; |
wolfSSL | 13:f67a6c6013ca | 4142 | |
wolfSSL | 13:f67a6c6013ca | 4143 | if ( (ret = GetCertHeader(cert)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4144 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4145 | |
wolfSSL | 13:f67a6c6013ca | 4146 | WOLFSSL_MSG("Got Cert Header"); |
wolfSSL | 13:f67a6c6013ca | 4147 | |
wolfSSL | 13:f67a6c6013ca | 4148 | if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, |
wolfSSL | 13:f67a6c6013ca | 4149 | oidSigType, cert->maxIdx)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4150 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4151 | |
wolfSSL | 13:f67a6c6013ca | 4152 | WOLFSSL_MSG("Got Algo ID"); |
wolfSSL | 13:f67a6c6013ca | 4153 | |
wolfSSL | 13:f67a6c6013ca | 4154 | if ( (ret = GetName(cert, ISSUER)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4155 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4156 | |
wolfSSL | 13:f67a6c6013ca | 4157 | if ( (ret = GetValidity(cert, verify)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4158 | badDate = ret; |
wolfSSL | 13:f67a6c6013ca | 4159 | |
wolfSSL | 13:f67a6c6013ca | 4160 | if ( (ret = GetName(cert, SUBJECT)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4161 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4162 | |
wolfSSL | 13:f67a6c6013ca | 4163 | WOLFSSL_MSG("Got Subject Name"); |
wolfSSL | 13:f67a6c6013ca | 4164 | |
wolfSSL | 13:f67a6c6013ca | 4165 | if ( (ret = GetKey(cert)) < 0) |
wolfSSL | 13:f67a6c6013ca | 4166 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4167 | |
wolfSSL | 13:f67a6c6013ca | 4168 | WOLFSSL_MSG("Got Key"); |
wolfSSL | 13:f67a6c6013ca | 4169 | |
wolfSSL | 13:f67a6c6013ca | 4170 | if (badDate != 0) |
wolfSSL | 13:f67a6c6013ca | 4171 | return badDate; |
wolfSSL | 13:f67a6c6013ca | 4172 | |
wolfSSL | 13:f67a6c6013ca | 4173 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4174 | } |
wolfSSL | 13:f67a6c6013ca | 4175 | |
wolfSSL | 13:f67a6c6013ca | 4176 | static int GetSignature(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 4177 | { |
wolfSSL | 13:f67a6c6013ca | 4178 | int length; |
wolfSSL | 13:f67a6c6013ca | 4179 | int ret; |
wolfSSL | 13:f67a6c6013ca | 4180 | ret = CheckBitString(cert->source, &cert->srcIdx, &length, cert->maxIdx, 1, |
wolfSSL | 13:f67a6c6013ca | 4181 | NULL); |
wolfSSL | 13:f67a6c6013ca | 4182 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 4183 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4184 | |
wolfSSL | 13:f67a6c6013ca | 4185 | cert->sigLength = length; |
wolfSSL | 13:f67a6c6013ca | 4186 | cert->signature = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 4187 | cert->srcIdx += cert->sigLength; |
wolfSSL | 13:f67a6c6013ca | 4188 | |
wolfSSL | 13:f67a6c6013ca | 4189 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4190 | } |
wolfSSL | 13:f67a6c6013ca | 4191 | |
wolfSSL | 13:f67a6c6013ca | 4192 | static word32 SetOctetString8Bit(word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4193 | { |
wolfSSL | 13:f67a6c6013ca | 4194 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 13:f67a6c6013ca | 4195 | output[1] = (byte)len; |
wolfSSL | 13:f67a6c6013ca | 4196 | return 2; |
wolfSSL | 13:f67a6c6013ca | 4197 | } |
wolfSSL | 13:f67a6c6013ca | 4198 | |
wolfSSL | 13:f67a6c6013ca | 4199 | static word32 SetDigest(const byte* digest, word32 digSz, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4200 | { |
wolfSSL | 13:f67a6c6013ca | 4201 | word32 idx = SetOctetString8Bit(digSz, output); |
wolfSSL | 13:f67a6c6013ca | 4202 | XMEMCPY(&output[idx], digest, digSz); |
wolfSSL | 13:f67a6c6013ca | 4203 | |
wolfSSL | 13:f67a6c6013ca | 4204 | return idx + digSz; |
wolfSSL | 13:f67a6c6013ca | 4205 | } |
wolfSSL | 13:f67a6c6013ca | 4206 | |
wolfSSL | 13:f67a6c6013ca | 4207 | |
wolfSSL | 13:f67a6c6013ca | 4208 | static word32 BytePrecision(word32 value) |
wolfSSL | 13:f67a6c6013ca | 4209 | { |
wolfSSL | 13:f67a6c6013ca | 4210 | word32 i; |
wolfSSL | 13:f67a6c6013ca | 4211 | for (i = sizeof(value); i; --i) |
wolfSSL | 13:f67a6c6013ca | 4212 | if (value >> ((i - 1) * WOLFSSL_BIT_SIZE)) |
wolfSSL | 13:f67a6c6013ca | 4213 | break; |
wolfSSL | 13:f67a6c6013ca | 4214 | |
wolfSSL | 13:f67a6c6013ca | 4215 | return i; |
wolfSSL | 13:f67a6c6013ca | 4216 | } |
wolfSSL | 13:f67a6c6013ca | 4217 | |
wolfSSL | 13:f67a6c6013ca | 4218 | |
wolfSSL | 13:f67a6c6013ca | 4219 | WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4220 | { |
wolfSSL | 13:f67a6c6013ca | 4221 | word32 i = 0, j; |
wolfSSL | 13:f67a6c6013ca | 4222 | |
wolfSSL | 13:f67a6c6013ca | 4223 | if (length < ASN_LONG_LENGTH) |
wolfSSL | 13:f67a6c6013ca | 4224 | output[i++] = (byte)length; |
wolfSSL | 13:f67a6c6013ca | 4225 | else { |
wolfSSL | 13:f67a6c6013ca | 4226 | output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); |
wolfSSL | 13:f67a6c6013ca | 4227 | |
wolfSSL | 13:f67a6c6013ca | 4228 | for (j = BytePrecision(length); j; --j) { |
wolfSSL | 13:f67a6c6013ca | 4229 | output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE)); |
wolfSSL | 13:f67a6c6013ca | 4230 | i++; |
wolfSSL | 13:f67a6c6013ca | 4231 | } |
wolfSSL | 13:f67a6c6013ca | 4232 | } |
wolfSSL | 13:f67a6c6013ca | 4233 | |
wolfSSL | 13:f67a6c6013ca | 4234 | return i; |
wolfSSL | 13:f67a6c6013ca | 4235 | } |
wolfSSL | 13:f67a6c6013ca | 4236 | |
wolfSSL | 13:f67a6c6013ca | 4237 | |
wolfSSL | 13:f67a6c6013ca | 4238 | WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4239 | { |
wolfSSL | 13:f67a6c6013ca | 4240 | output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED; |
wolfSSL | 13:f67a6c6013ca | 4241 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 4242 | } |
wolfSSL | 13:f67a6c6013ca | 4243 | |
wolfSSL | 13:f67a6c6013ca | 4244 | WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4245 | { |
wolfSSL | 13:f67a6c6013ca | 4246 | output[0] = ASN_OCTET_STRING; |
wolfSSL | 13:f67a6c6013ca | 4247 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 4248 | } |
wolfSSL | 13:f67a6c6013ca | 4249 | |
wolfSSL | 13:f67a6c6013ca | 4250 | /* Write a set header to output */ |
wolfSSL | 13:f67a6c6013ca | 4251 | WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4252 | { |
wolfSSL | 13:f67a6c6013ca | 4253 | output[0] = ASN_SET | ASN_CONSTRUCTED; |
wolfSSL | 13:f67a6c6013ca | 4254 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 4255 | } |
wolfSSL | 13:f67a6c6013ca | 4256 | |
wolfSSL | 13:f67a6c6013ca | 4257 | WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4258 | { |
wolfSSL | 13:f67a6c6013ca | 4259 | |
wolfSSL | 13:f67a6c6013ca | 4260 | output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0) |
wolfSSL | 13:f67a6c6013ca | 4261 | | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 13:f67a6c6013ca | 4262 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 4263 | } |
wolfSSL | 13:f67a6c6013ca | 4264 | |
wolfSSL | 13:f67a6c6013ca | 4265 | WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4266 | { |
wolfSSL | 13:f67a6c6013ca | 4267 | output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number; |
wolfSSL | 13:f67a6c6013ca | 4268 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 4269 | } |
wolfSSL | 13:f67a6c6013ca | 4270 | |
wolfSSL | 13:f67a6c6013ca | 4271 | |
wolfSSL | 13:f67a6c6013ca | 4272 | #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 13:f67a6c6013ca | 4273 | |
wolfSSL | 13:f67a6c6013ca | 4274 | static int SetCurve(ecc_key* key, byte* output) |
wolfSSL | 13:f67a6c6013ca | 4275 | { |
wolfSSL | 13:f67a6c6013ca | 4276 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 13:f67a6c6013ca | 4277 | int ret; |
wolfSSL | 13:f67a6c6013ca | 4278 | #endif |
wolfSSL | 13:f67a6c6013ca | 4279 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 4280 | word32 oidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 4281 | |
wolfSSL | 13:f67a6c6013ca | 4282 | /* validate key */ |
wolfSSL | 13:f67a6c6013ca | 4283 | if (key == NULL || key->dp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4284 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 4285 | } |
wolfSSL | 13:f67a6c6013ca | 4286 | |
wolfSSL | 13:f67a6c6013ca | 4287 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 13:f67a6c6013ca | 4288 | ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, NULL, &oidSz); |
wolfSSL | 13:f67a6c6013ca | 4289 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 4290 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4291 | } |
wolfSSL | 13:f67a6c6013ca | 4292 | #else |
wolfSSL | 13:f67a6c6013ca | 4293 | oidSz = key->dp->oidSz; |
wolfSSL | 13:f67a6c6013ca | 4294 | #endif |
wolfSSL | 13:f67a6c6013ca | 4295 | |
wolfSSL | 13:f67a6c6013ca | 4296 | idx += SetObjectId(oidSz, output); |
wolfSSL | 13:f67a6c6013ca | 4297 | |
wolfSSL | 13:f67a6c6013ca | 4298 | #ifdef HAVE_OID_ENCODING |
wolfSSL | 13:f67a6c6013ca | 4299 | ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz); |
wolfSSL | 13:f67a6c6013ca | 4300 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 4301 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4302 | } |
wolfSSL | 13:f67a6c6013ca | 4303 | #else |
wolfSSL | 13:f67a6c6013ca | 4304 | XMEMCPY(output+idx, key->dp->oid, oidSz); |
wolfSSL | 13:f67a6c6013ca | 4305 | #endif |
wolfSSL | 13:f67a6c6013ca | 4306 | idx += oidSz; |
wolfSSL | 13:f67a6c6013ca | 4307 | |
wolfSSL | 13:f67a6c6013ca | 4308 | return idx; |
wolfSSL | 13:f67a6c6013ca | 4309 | } |
wolfSSL | 13:f67a6c6013ca | 4310 | |
wolfSSL | 13:f67a6c6013ca | 4311 | #endif /* HAVE_ECC && WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 4312 | |
wolfSSL | 13:f67a6c6013ca | 4313 | |
wolfSSL | 13:f67a6c6013ca | 4314 | static INLINE int IsSigAlgoECDSA(int algoOID) |
wolfSSL | 13:f67a6c6013ca | 4315 | { |
wolfSSL | 13:f67a6c6013ca | 4316 | /* ECDSA sigAlgo must not have ASN1 NULL parameters */ |
wolfSSL | 13:f67a6c6013ca | 4317 | if (algoOID == CTC_SHAwECDSA || algoOID == CTC_SHA256wECDSA || |
wolfSSL | 13:f67a6c6013ca | 4318 | algoOID == CTC_SHA384wECDSA || algoOID == CTC_SHA512wECDSA) { |
wolfSSL | 13:f67a6c6013ca | 4319 | return 1; |
wolfSSL | 13:f67a6c6013ca | 4320 | } |
wolfSSL | 13:f67a6c6013ca | 4321 | |
wolfSSL | 13:f67a6c6013ca | 4322 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4323 | } |
wolfSSL | 13:f67a6c6013ca | 4324 | |
wolfSSL | 13:f67a6c6013ca | 4325 | WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) |
wolfSSL | 13:f67a6c6013ca | 4326 | { |
wolfSSL | 13:f67a6c6013ca | 4327 | word32 tagSz, idSz, seqSz, algoSz = 0; |
wolfSSL | 13:f67a6c6013ca | 4328 | const byte* algoName = 0; |
wolfSSL | 13:f67a6c6013ca | 4329 | byte ID_Length[1 + MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 4330 | byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ |
wolfSSL | 13:f67a6c6013ca | 4331 | |
wolfSSL | 13:f67a6c6013ca | 4332 | tagSz = (type == oidHashType || |
wolfSSL | 13:f67a6c6013ca | 4333 | (type == oidSigType && !IsSigAlgoECDSA(algoOID) && |
wolfSSL | 13:f67a6c6013ca | 4334 | algoOID != ED25519k) || |
wolfSSL | 13:f67a6c6013ca | 4335 | (type == oidKeyType && algoOID == RSAk)) ? 2 : 0; |
wolfSSL | 13:f67a6c6013ca | 4336 | |
wolfSSL | 13:f67a6c6013ca | 4337 | algoName = OidFromId(algoOID, type, &algoSz); |
wolfSSL | 13:f67a6c6013ca | 4338 | |
wolfSSL | 13:f67a6c6013ca | 4339 | if (algoName == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4340 | WOLFSSL_MSG("Unknown Algorithm"); |
wolfSSL | 13:f67a6c6013ca | 4341 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4342 | } |
wolfSSL | 13:f67a6c6013ca | 4343 | |
wolfSSL | 13:f67a6c6013ca | 4344 | idSz = SetObjectId(algoSz, ID_Length); |
wolfSSL | 13:f67a6c6013ca | 4345 | seqSz = SetSequence(idSz + algoSz + tagSz + curveSz, seqArray); |
wolfSSL | 13:f67a6c6013ca | 4346 | |
wolfSSL | 13:f67a6c6013ca | 4347 | XMEMCPY(output, seqArray, seqSz); |
wolfSSL | 13:f67a6c6013ca | 4348 | XMEMCPY(output + seqSz, ID_Length, idSz); |
wolfSSL | 13:f67a6c6013ca | 4349 | XMEMCPY(output + seqSz + idSz, algoName, algoSz); |
wolfSSL | 13:f67a6c6013ca | 4350 | if (tagSz == 2) |
wolfSSL | 13:f67a6c6013ca | 4351 | SetASNNull(&output[seqSz + idSz + algoSz]); |
wolfSSL | 13:f67a6c6013ca | 4352 | |
wolfSSL | 13:f67a6c6013ca | 4353 | return seqSz + idSz + algoSz + tagSz; |
wolfSSL | 13:f67a6c6013ca | 4354 | |
wolfSSL | 13:f67a6c6013ca | 4355 | } |
wolfSSL | 13:f67a6c6013ca | 4356 | |
wolfSSL | 13:f67a6c6013ca | 4357 | |
wolfSSL | 13:f67a6c6013ca | 4358 | word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz, |
wolfSSL | 13:f67a6c6013ca | 4359 | int hashOID) |
wolfSSL | 13:f67a6c6013ca | 4360 | { |
wolfSSL | 13:f67a6c6013ca | 4361 | byte digArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 13:f67a6c6013ca | 4362 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 4363 | byte seqArray[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 4364 | word32 encDigSz, algoSz, seqSz; |
wolfSSL | 13:f67a6c6013ca | 4365 | |
wolfSSL | 13:f67a6c6013ca | 4366 | encDigSz = SetDigest(digest, digSz, digArray); |
wolfSSL | 13:f67a6c6013ca | 4367 | algoSz = SetAlgoID(hashOID, algoArray, oidHashType, 0); |
wolfSSL | 13:f67a6c6013ca | 4368 | seqSz = SetSequence(encDigSz + algoSz, seqArray); |
wolfSSL | 13:f67a6c6013ca | 4369 | |
wolfSSL | 13:f67a6c6013ca | 4370 | XMEMCPY(out, seqArray, seqSz); |
wolfSSL | 13:f67a6c6013ca | 4371 | XMEMCPY(out + seqSz, algoArray, algoSz); |
wolfSSL | 13:f67a6c6013ca | 4372 | XMEMCPY(out + seqSz + algoSz, digArray, encDigSz); |
wolfSSL | 13:f67a6c6013ca | 4373 | |
wolfSSL | 13:f67a6c6013ca | 4374 | return encDigSz + algoSz + seqSz; |
wolfSSL | 13:f67a6c6013ca | 4375 | } |
wolfSSL | 13:f67a6c6013ca | 4376 | |
wolfSSL | 13:f67a6c6013ca | 4377 | |
wolfSSL | 13:f67a6c6013ca | 4378 | int wc_GetCTC_HashOID(int type) |
wolfSSL | 13:f67a6c6013ca | 4379 | { |
wolfSSL | 13:f67a6c6013ca | 4380 | switch (type) { |
wolfSSL | 13:f67a6c6013ca | 4381 | #ifdef WOLFSSL_MD2 |
wolfSSL | 13:f67a6c6013ca | 4382 | case MD2: |
wolfSSL | 13:f67a6c6013ca | 4383 | return MD2h; |
wolfSSL | 13:f67a6c6013ca | 4384 | #endif |
wolfSSL | 13:f67a6c6013ca | 4385 | #ifndef NO_MD5 |
wolfSSL | 13:f67a6c6013ca | 4386 | case MD5: |
wolfSSL | 13:f67a6c6013ca | 4387 | return MD5h; |
wolfSSL | 13:f67a6c6013ca | 4388 | #endif |
wolfSSL | 13:f67a6c6013ca | 4389 | #ifndef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 4390 | case SHA: |
wolfSSL | 13:f67a6c6013ca | 4391 | return SHAh; |
wolfSSL | 13:f67a6c6013ca | 4392 | #endif |
wolfSSL | 13:f67a6c6013ca | 4393 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 13:f67a6c6013ca | 4394 | case SHA224: |
wolfSSL | 13:f67a6c6013ca | 4395 | return SHA224h; |
wolfSSL | 13:f67a6c6013ca | 4396 | #endif |
wolfSSL | 13:f67a6c6013ca | 4397 | #ifndef NO_SHA256 |
wolfSSL | 13:f67a6c6013ca | 4398 | case SHA256: |
wolfSSL | 13:f67a6c6013ca | 4399 | return SHA256h; |
wolfSSL | 13:f67a6c6013ca | 4400 | #endif |
wolfSSL | 13:f67a6c6013ca | 4401 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 13:f67a6c6013ca | 4402 | case SHA384: |
wolfSSL | 13:f67a6c6013ca | 4403 | return SHA384h; |
wolfSSL | 13:f67a6c6013ca | 4404 | #endif |
wolfSSL | 13:f67a6c6013ca | 4405 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 13:f67a6c6013ca | 4406 | case SHA512: |
wolfSSL | 13:f67a6c6013ca | 4407 | return SHA512h; |
wolfSSL | 13:f67a6c6013ca | 4408 | #endif |
wolfSSL | 13:f67a6c6013ca | 4409 | default: |
wolfSSL | 13:f67a6c6013ca | 4410 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4411 | }; |
wolfSSL | 13:f67a6c6013ca | 4412 | } |
wolfSSL | 13:f67a6c6013ca | 4413 | |
wolfSSL | 13:f67a6c6013ca | 4414 | void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId) |
wolfSSL | 13:f67a6c6013ca | 4415 | { |
wolfSSL | 13:f67a6c6013ca | 4416 | if (sigCtx) { |
wolfSSL | 13:f67a6c6013ca | 4417 | XMEMSET(sigCtx, 0, sizeof(SignatureCtx)); |
wolfSSL | 13:f67a6c6013ca | 4418 | sigCtx->devId = devId; |
wolfSSL | 13:f67a6c6013ca | 4419 | sigCtx->heap = heap; |
wolfSSL | 13:f67a6c6013ca | 4420 | } |
wolfSSL | 13:f67a6c6013ca | 4421 | } |
wolfSSL | 13:f67a6c6013ca | 4422 | |
wolfSSL | 13:f67a6c6013ca | 4423 | void FreeSignatureCtx(SignatureCtx* sigCtx) |
wolfSSL | 13:f67a6c6013ca | 4424 | { |
wolfSSL | 13:f67a6c6013ca | 4425 | if (sigCtx == NULL) |
wolfSSL | 13:f67a6c6013ca | 4426 | return; |
wolfSSL | 13:f67a6c6013ca | 4427 | |
wolfSSL | 13:f67a6c6013ca | 4428 | if (sigCtx->digest) { |
wolfSSL | 13:f67a6c6013ca | 4429 | XFREE(sigCtx->digest, sigCtx->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 13:f67a6c6013ca | 4430 | sigCtx->digest = NULL; |
wolfSSL | 13:f67a6c6013ca | 4431 | } |
wolfSSL | 13:f67a6c6013ca | 4432 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 4433 | if (sigCtx->plain) { |
wolfSSL | 13:f67a6c6013ca | 4434 | XFREE(sigCtx->plain, sigCtx->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 13:f67a6c6013ca | 4435 | sigCtx->plain = NULL; |
wolfSSL | 13:f67a6c6013ca | 4436 | } |
wolfSSL | 13:f67a6c6013ca | 4437 | #endif |
wolfSSL | 13:f67a6c6013ca | 4438 | if (sigCtx->key.ptr) { |
wolfSSL | 13:f67a6c6013ca | 4439 | switch (sigCtx->keyOID) { |
wolfSSL | 13:f67a6c6013ca | 4440 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 4441 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 4442 | wc_FreeRsaKey(sigCtx->key.rsa); |
wolfSSL | 13:f67a6c6013ca | 4443 | XFREE(sigCtx->key.ptr, sigCtx->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 4444 | break; |
wolfSSL | 13:f67a6c6013ca | 4445 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 4446 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 4447 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 4448 | wc_ecc_free(sigCtx->key.ecc); |
wolfSSL | 13:f67a6c6013ca | 4449 | XFREE(sigCtx->key.ecc, sigCtx->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 13:f67a6c6013ca | 4450 | break; |
wolfSSL | 13:f67a6c6013ca | 4451 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 4452 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 4453 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 4454 | wc_ed25519_free(sigCtx->key.ed25519); |
wolfSSL | 13:f67a6c6013ca | 4455 | XFREE(sigCtx->key.ed25519, sigCtx->heap, DYNAMIC_TYPE_ED25519); |
wolfSSL | 13:f67a6c6013ca | 4456 | break; |
wolfSSL | 13:f67a6c6013ca | 4457 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 4458 | default: |
wolfSSL | 13:f67a6c6013ca | 4459 | break; |
wolfSSL | 13:f67a6c6013ca | 4460 | } /* switch (keyOID) */ |
wolfSSL | 13:f67a6c6013ca | 4461 | sigCtx->key.ptr = NULL; |
wolfSSL | 13:f67a6c6013ca | 4462 | } |
wolfSSL | 13:f67a6c6013ca | 4463 | |
wolfSSL | 13:f67a6c6013ca | 4464 | /* reset state, we are done */ |
wolfSSL | 13:f67a6c6013ca | 4465 | sigCtx->state = SIG_STATE_BEGIN; |
wolfSSL | 13:f67a6c6013ca | 4466 | } |
wolfSSL | 13:f67a6c6013ca | 4467 | |
wolfSSL | 13:f67a6c6013ca | 4468 | static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, |
wolfSSL | 13:f67a6c6013ca | 4469 | byte* digest, int* typeH, int* digestSz, int verify) |
wolfSSL | 13:f67a6c6013ca | 4470 | { |
wolfSSL | 13:f67a6c6013ca | 4471 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 4472 | |
wolfSSL | 13:f67a6c6013ca | 4473 | (void)verify; |
wolfSSL | 13:f67a6c6013ca | 4474 | |
wolfSSL | 13:f67a6c6013ca | 4475 | switch (sigOID) { |
wolfSSL | 13:f67a6c6013ca | 4476 | #if defined(WOLFSSL_MD2) |
wolfSSL | 13:f67a6c6013ca | 4477 | case CTC_MD2wRSA: |
wolfSSL | 13:f67a6c6013ca | 4478 | if (!verify) { |
wolfSSL | 13:f67a6c6013ca | 4479 | ret = HASH_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 4480 | WOLFSSL_MSG("MD2 not supported for signing"); |
wolfSSL | 13:f67a6c6013ca | 4481 | } |
wolfSSL | 13:f67a6c6013ca | 4482 | else if ((ret = wc_Md2Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4483 | *typeH = MD2h; |
wolfSSL | 13:f67a6c6013ca | 4484 | *digestSz = MD2_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4485 | } |
wolfSSL | 13:f67a6c6013ca | 4486 | break; |
wolfSSL | 13:f67a6c6013ca | 4487 | #endif |
wolfSSL | 13:f67a6c6013ca | 4488 | #ifndef NO_MD5 |
wolfSSL | 13:f67a6c6013ca | 4489 | case CTC_MD5wRSA: |
wolfSSL | 13:f67a6c6013ca | 4490 | if ((ret = wc_Md5Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4491 | *typeH = MD5h; |
wolfSSL | 13:f67a6c6013ca | 4492 | *digestSz = MD5_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4493 | } |
wolfSSL | 13:f67a6c6013ca | 4494 | break; |
wolfSSL | 13:f67a6c6013ca | 4495 | #endif |
wolfSSL | 13:f67a6c6013ca | 4496 | #ifndef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 4497 | case CTC_SHAwRSA: |
wolfSSL | 13:f67a6c6013ca | 4498 | case CTC_SHAwDSA: |
wolfSSL | 13:f67a6c6013ca | 4499 | case CTC_SHAwECDSA: |
wolfSSL | 13:f67a6c6013ca | 4500 | if ((ret = wc_ShaHash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4501 | *typeH = SHAh; |
wolfSSL | 13:f67a6c6013ca | 4502 | *digestSz = SHA_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4503 | } |
wolfSSL | 13:f67a6c6013ca | 4504 | break; |
wolfSSL | 13:f67a6c6013ca | 4505 | #endif |
wolfSSL | 13:f67a6c6013ca | 4506 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 13:f67a6c6013ca | 4507 | case CTC_SHA224wRSA: |
wolfSSL | 13:f67a6c6013ca | 4508 | case CTC_SHA224wECDSA: |
wolfSSL | 13:f67a6c6013ca | 4509 | if ((ret = wc_Sha224Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4510 | *typeH = SHA224h; |
wolfSSL | 13:f67a6c6013ca | 4511 | *digestSz = SHA224_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4512 | } |
wolfSSL | 13:f67a6c6013ca | 4513 | break; |
wolfSSL | 13:f67a6c6013ca | 4514 | #endif |
wolfSSL | 13:f67a6c6013ca | 4515 | #ifndef NO_SHA256 |
wolfSSL | 13:f67a6c6013ca | 4516 | case CTC_SHA256wRSA: |
wolfSSL | 13:f67a6c6013ca | 4517 | case CTC_SHA256wECDSA: |
wolfSSL | 13:f67a6c6013ca | 4518 | if ((ret = wc_Sha256Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4519 | *typeH = SHA256h; |
wolfSSL | 13:f67a6c6013ca | 4520 | *digestSz = SHA256_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4521 | } |
wolfSSL | 13:f67a6c6013ca | 4522 | break; |
wolfSSL | 13:f67a6c6013ca | 4523 | #endif |
wolfSSL | 13:f67a6c6013ca | 4524 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 13:f67a6c6013ca | 4525 | case CTC_SHA384wRSA: |
wolfSSL | 13:f67a6c6013ca | 4526 | case CTC_SHA384wECDSA: |
wolfSSL | 13:f67a6c6013ca | 4527 | if ((ret = wc_Sha384Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4528 | *typeH = SHA384h; |
wolfSSL | 13:f67a6c6013ca | 4529 | *digestSz = SHA384_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4530 | } |
wolfSSL | 13:f67a6c6013ca | 4531 | break; |
wolfSSL | 13:f67a6c6013ca | 4532 | #endif |
wolfSSL | 13:f67a6c6013ca | 4533 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 13:f67a6c6013ca | 4534 | case CTC_SHA512wRSA: |
wolfSSL | 13:f67a6c6013ca | 4535 | case CTC_SHA512wECDSA: |
wolfSSL | 13:f67a6c6013ca | 4536 | if ((ret = wc_Sha512Hash(buf, bufSz, digest)) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4537 | *typeH = SHA512h; |
wolfSSL | 13:f67a6c6013ca | 4538 | *digestSz = SHA512_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 4539 | } |
wolfSSL | 13:f67a6c6013ca | 4540 | break; |
wolfSSL | 13:f67a6c6013ca | 4541 | #endif |
wolfSSL | 13:f67a6c6013ca | 4542 | case CTC_ED25519: |
wolfSSL | 13:f67a6c6013ca | 4543 | /* Hashes done in signing operation. |
wolfSSL | 13:f67a6c6013ca | 4544 | * Two dependent hashes with prefixes performed. |
wolfSSL | 13:f67a6c6013ca | 4545 | */ |
wolfSSL | 13:f67a6c6013ca | 4546 | break; |
wolfSSL | 13:f67a6c6013ca | 4547 | default: |
wolfSSL | 13:f67a6c6013ca | 4548 | ret = HASH_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 4549 | WOLFSSL_MSG("Hash for Signature has unsupported type"); |
wolfSSL | 13:f67a6c6013ca | 4550 | } |
wolfSSL | 13:f67a6c6013ca | 4551 | |
wolfSSL | 13:f67a6c6013ca | 4552 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4553 | } |
wolfSSL | 13:f67a6c6013ca | 4554 | |
wolfSSL | 13:f67a6c6013ca | 4555 | /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ |
wolfSSL | 13:f67a6c6013ca | 4556 | static int ConfirmSignature(SignatureCtx* sigCtx, |
wolfSSL | 13:f67a6c6013ca | 4557 | const byte* buf, word32 bufSz, |
wolfSSL | 13:f67a6c6013ca | 4558 | const byte* key, word32 keySz, word32 keyOID, |
wolfSSL | 13:f67a6c6013ca | 4559 | const byte* sig, word32 sigSz, word32 sigOID) |
wolfSSL | 13:f67a6c6013ca | 4560 | { |
wolfSSL | 13:f67a6c6013ca | 4561 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 4562 | |
wolfSSL | 13:f67a6c6013ca | 4563 | if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL || |
wolfSSL | 13:f67a6c6013ca | 4564 | keySz == 0 || sig == NULL || sigSz == 0) { |
wolfSSL | 13:f67a6c6013ca | 4565 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 4566 | } |
wolfSSL | 13:f67a6c6013ca | 4567 | |
wolfSSL | 13:f67a6c6013ca | 4568 | (void)key; |
wolfSSL | 13:f67a6c6013ca | 4569 | (void)keySz; |
wolfSSL | 13:f67a6c6013ca | 4570 | (void)sig; |
wolfSSL | 13:f67a6c6013ca | 4571 | (void)sigSz; |
wolfSSL | 13:f67a6c6013ca | 4572 | |
wolfSSL | 13:f67a6c6013ca | 4573 | WOLFSSL_ENTER("ConfirmSignature"); |
wolfSSL | 13:f67a6c6013ca | 4574 | |
wolfSSL | 13:f67a6c6013ca | 4575 | switch (sigCtx->state) { |
wolfSSL | 13:f67a6c6013ca | 4576 | case SIG_STATE_BEGIN: |
wolfSSL | 13:f67a6c6013ca | 4577 | { |
wolfSSL | 13:f67a6c6013ca | 4578 | sigCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, sigCtx->heap, |
wolfSSL | 13:f67a6c6013ca | 4579 | DYNAMIC_TYPE_DIGEST); |
wolfSSL | 13:f67a6c6013ca | 4580 | if (sigCtx->digest == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4581 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4582 | } |
wolfSSL | 13:f67a6c6013ca | 4583 | |
wolfSSL | 13:f67a6c6013ca | 4584 | sigCtx->state = SIG_STATE_HASH; |
wolfSSL | 13:f67a6c6013ca | 4585 | } /* SIG_STATE_BEGIN */ |
wolfSSL | 13:f67a6c6013ca | 4586 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 4587 | |
wolfSSL | 13:f67a6c6013ca | 4588 | case SIG_STATE_HASH: |
wolfSSL | 13:f67a6c6013ca | 4589 | { |
wolfSSL | 13:f67a6c6013ca | 4590 | ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, |
wolfSSL | 13:f67a6c6013ca | 4591 | &sigCtx->typeH, &sigCtx->digestSz, 1); |
wolfSSL | 13:f67a6c6013ca | 4592 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 4593 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4594 | } |
wolfSSL | 13:f67a6c6013ca | 4595 | |
wolfSSL | 13:f67a6c6013ca | 4596 | sigCtx->state = SIG_STATE_KEY; |
wolfSSL | 13:f67a6c6013ca | 4597 | } /* SIG_STATE_HASH */ |
wolfSSL | 13:f67a6c6013ca | 4598 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 4599 | |
wolfSSL | 13:f67a6c6013ca | 4600 | case SIG_STATE_KEY: |
wolfSSL | 13:f67a6c6013ca | 4601 | { |
wolfSSL | 13:f67a6c6013ca | 4602 | sigCtx->keyOID = keyOID; |
wolfSSL | 13:f67a6c6013ca | 4603 | |
wolfSSL | 13:f67a6c6013ca | 4604 | switch (keyOID) { |
wolfSSL | 13:f67a6c6013ca | 4605 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 4606 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 4607 | { |
wolfSSL | 13:f67a6c6013ca | 4608 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 4609 | |
wolfSSL | 13:f67a6c6013ca | 4610 | sigCtx->key.rsa = (RsaKey*)XMALLOC(sizeof(RsaKey), |
wolfSSL | 13:f67a6c6013ca | 4611 | sigCtx->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 4612 | sigCtx->plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, |
wolfSSL | 13:f67a6c6013ca | 4613 | sigCtx->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 13:f67a6c6013ca | 4614 | if (sigCtx->key.rsa == NULL || sigCtx->plain == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4615 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4616 | } |
wolfSSL | 13:f67a6c6013ca | 4617 | |
wolfSSL | 13:f67a6c6013ca | 4618 | if ((ret = wc_InitRsaKey_ex(sigCtx->key.rsa, sigCtx->heap, |
wolfSSL | 13:f67a6c6013ca | 4619 | sigCtx->devId)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 4620 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4621 | } |
wolfSSL | 13:f67a6c6013ca | 4622 | |
wolfSSL | 13:f67a6c6013ca | 4623 | if (sigSz > MAX_ENCODED_SIG_SZ) { |
wolfSSL | 13:f67a6c6013ca | 4624 | WOLFSSL_MSG("Verify Signature is too big"); |
wolfSSL | 13:f67a6c6013ca | 4625 | ERROR_OUT(BUFFER_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4626 | } |
wolfSSL | 13:f67a6c6013ca | 4627 | |
wolfSSL | 13:f67a6c6013ca | 4628 | if ((ret = wc_RsaPublicKeyDecode(key, &idx, sigCtx->key.rsa, |
wolfSSL | 13:f67a6c6013ca | 4629 | keySz)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 4630 | WOLFSSL_MSG("ASN Key decode error RSA"); |
wolfSSL | 13:f67a6c6013ca | 4631 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4632 | } |
wolfSSL | 13:f67a6c6013ca | 4633 | |
wolfSSL | 13:f67a6c6013ca | 4634 | XMEMCPY(sigCtx->plain, sig, sigSz); |
wolfSSL | 13:f67a6c6013ca | 4635 | sigCtx->out = NULL; |
wolfSSL | 13:f67a6c6013ca | 4636 | break; |
wolfSSL | 13:f67a6c6013ca | 4637 | } |
wolfSSL | 13:f67a6c6013ca | 4638 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 4639 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 4640 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 4641 | { |
wolfSSL | 13:f67a6c6013ca | 4642 | sigCtx->verify = 0; |
wolfSSL | 13:f67a6c6013ca | 4643 | sigCtx->key.ecc = (ecc_key*)XMALLOC(sizeof(ecc_key), |
wolfSSL | 13:f67a6c6013ca | 4644 | sigCtx->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 13:f67a6c6013ca | 4645 | if (sigCtx->key.ecc == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4646 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4647 | } |
wolfSSL | 13:f67a6c6013ca | 4648 | |
wolfSSL | 13:f67a6c6013ca | 4649 | if ((ret = wc_ecc_init_ex(sigCtx->key.ecc, sigCtx->heap, |
wolfSSL | 13:f67a6c6013ca | 4650 | sigCtx->devId)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 4651 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4652 | } |
wolfSSL | 13:f67a6c6013ca | 4653 | if ((ret = wc_ecc_import_x963(key, keySz, |
wolfSSL | 13:f67a6c6013ca | 4654 | sigCtx->key.ecc)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 4655 | WOLFSSL_MSG("ASN Key import error ECC"); |
wolfSSL | 13:f67a6c6013ca | 4656 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4657 | } |
wolfSSL | 13:f67a6c6013ca | 4658 | break; |
wolfSSL | 13:f67a6c6013ca | 4659 | } |
wolfSSL | 13:f67a6c6013ca | 4660 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 4661 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 4662 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 4663 | { |
wolfSSL | 13:f67a6c6013ca | 4664 | sigCtx->verify = 0; |
wolfSSL | 13:f67a6c6013ca | 4665 | sigCtx->key.ed25519 = (ed25519_key*)XMALLOC( |
wolfSSL | 13:f67a6c6013ca | 4666 | sizeof(ed25519_key), sigCtx->heap, |
wolfSSL | 13:f67a6c6013ca | 4667 | DYNAMIC_TYPE_ED25519); |
wolfSSL | 13:f67a6c6013ca | 4668 | if (sigCtx->key.ed25519 == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4669 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4670 | } |
wolfSSL | 13:f67a6c6013ca | 4671 | |
wolfSSL | 13:f67a6c6013ca | 4672 | if ((ret = wc_ed25519_init(sigCtx->key.ed25519)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 4673 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4674 | } |
wolfSSL | 13:f67a6c6013ca | 4675 | if ((ret = wc_ed25519_import_public(key, keySz, |
wolfSSL | 13:f67a6c6013ca | 4676 | sigCtx->key.ed25519)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 4677 | WOLFSSL_MSG("ASN Key import error ED25519"); |
wolfSSL | 13:f67a6c6013ca | 4678 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4679 | } |
wolfSSL | 13:f67a6c6013ca | 4680 | break; |
wolfSSL | 13:f67a6c6013ca | 4681 | } |
wolfSSL | 13:f67a6c6013ca | 4682 | #endif |
wolfSSL | 13:f67a6c6013ca | 4683 | default: |
wolfSSL | 13:f67a6c6013ca | 4684 | WOLFSSL_MSG("Verify Key type unknown"); |
wolfSSL | 13:f67a6c6013ca | 4685 | ret = ASN_UNKNOWN_OID_E; |
wolfSSL | 13:f67a6c6013ca | 4686 | break; |
wolfSSL | 13:f67a6c6013ca | 4687 | } /* switch (keyOID) */ |
wolfSSL | 13:f67a6c6013ca | 4688 | |
wolfSSL | 13:f67a6c6013ca | 4689 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 4690 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4691 | } |
wolfSSL | 13:f67a6c6013ca | 4692 | |
wolfSSL | 13:f67a6c6013ca | 4693 | sigCtx->state = SIG_STATE_DO; |
wolfSSL | 13:f67a6c6013ca | 4694 | } /* SIG_STATE_KEY */ |
wolfSSL | 13:f67a6c6013ca | 4695 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 4696 | |
wolfSSL | 13:f67a6c6013ca | 4697 | case SIG_STATE_DO: |
wolfSSL | 13:f67a6c6013ca | 4698 | { |
wolfSSL | 13:f67a6c6013ca | 4699 | switch (keyOID) { |
wolfSSL | 13:f67a6c6013ca | 4700 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 4701 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 4702 | { |
wolfSSL | 13:f67a6c6013ca | 4703 | ret = wc_RsaSSL_VerifyInline(sigCtx->plain, sigSz, |
wolfSSL | 13:f67a6c6013ca | 4704 | &sigCtx->out, sigCtx->key.rsa); |
wolfSSL | 13:f67a6c6013ca | 4705 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 4706 | if (ret == WC_PENDING_E) |
wolfSSL | 13:f67a6c6013ca | 4707 | sigCtx->asyncDev = &sigCtx->key.rsa->asyncDev; |
wolfSSL | 13:f67a6c6013ca | 4708 | #endif |
wolfSSL | 13:f67a6c6013ca | 4709 | break; |
wolfSSL | 13:f67a6c6013ca | 4710 | } |
wolfSSL | 13:f67a6c6013ca | 4711 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 4712 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 4713 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 4714 | { |
wolfSSL | 13:f67a6c6013ca | 4715 | ret = wc_ecc_verify_hash(sig, sigSz, sigCtx->digest, |
wolfSSL | 13:f67a6c6013ca | 4716 | sigCtx->digestSz, &sigCtx->verify, sigCtx->key.ecc); |
wolfSSL | 13:f67a6c6013ca | 4717 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 4718 | if (ret == WC_PENDING_E) |
wolfSSL | 13:f67a6c6013ca | 4719 | sigCtx->asyncDev = &sigCtx->key.ecc->asyncDev; |
wolfSSL | 13:f67a6c6013ca | 4720 | #endif |
wolfSSL | 13:f67a6c6013ca | 4721 | break; |
wolfSSL | 13:f67a6c6013ca | 4722 | } |
wolfSSL | 13:f67a6c6013ca | 4723 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 4724 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 4725 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 4726 | { |
wolfSSL | 13:f67a6c6013ca | 4727 | ret = wc_ed25519_verify_msg(sig, sigSz, buf, bufSz, |
wolfSSL | 13:f67a6c6013ca | 4728 | &sigCtx->verify, sigCtx->key.ed25519); |
wolfSSL | 13:f67a6c6013ca | 4729 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 4730 | if (ret == WC_PENDING_E) |
wolfSSL | 13:f67a6c6013ca | 4731 | sigCtx->asyncDev = &sigCtx->key.ecc->asyncDev; |
wolfSSL | 13:f67a6c6013ca | 4732 | #endif |
wolfSSL | 13:f67a6c6013ca | 4733 | break; |
wolfSSL | 13:f67a6c6013ca | 4734 | } |
wolfSSL | 13:f67a6c6013ca | 4735 | #endif |
wolfSSL | 13:f67a6c6013ca | 4736 | default: |
wolfSSL | 13:f67a6c6013ca | 4737 | break; |
wolfSSL | 13:f67a6c6013ca | 4738 | } /* switch (keyOID) */ |
wolfSSL | 13:f67a6c6013ca | 4739 | |
wolfSSL | 13:f67a6c6013ca | 4740 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 4741 | /* treat all non async RSA errors as ASN_SIG_CONFIRM_E */ |
wolfSSL | 13:f67a6c6013ca | 4742 | if (ret != WC_PENDING_E) |
wolfSSL | 13:f67a6c6013ca | 4743 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 4744 | goto exit_cs; |
wolfSSL | 13:f67a6c6013ca | 4745 | } |
wolfSSL | 13:f67a6c6013ca | 4746 | |
wolfSSL | 13:f67a6c6013ca | 4747 | sigCtx->state = SIG_STATE_CHECK; |
wolfSSL | 13:f67a6c6013ca | 4748 | } /* SIG_STATE_DO */ |
wolfSSL | 13:f67a6c6013ca | 4749 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 4750 | |
wolfSSL | 13:f67a6c6013ca | 4751 | case SIG_STATE_CHECK: |
wolfSSL | 13:f67a6c6013ca | 4752 | { |
wolfSSL | 13:f67a6c6013ca | 4753 | switch (keyOID) { |
wolfSSL | 13:f67a6c6013ca | 4754 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 4755 | case RSAk: |
wolfSSL | 13:f67a6c6013ca | 4756 | { |
wolfSSL | 13:f67a6c6013ca | 4757 | int encodedSigSz, verifySz; |
wolfSSL | 13:f67a6c6013ca | 4758 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 4759 | byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, |
wolfSSL | 13:f67a6c6013ca | 4760 | sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 4761 | if (encodedSig == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4762 | ERROR_OUT(MEMORY_E, exit_cs); |
wolfSSL | 13:f67a6c6013ca | 4763 | } |
wolfSSL | 13:f67a6c6013ca | 4764 | #else |
wolfSSL | 13:f67a6c6013ca | 4765 | byte encodedSig[MAX_ENCODED_SIG_SZ]; |
wolfSSL | 13:f67a6c6013ca | 4766 | #endif |
wolfSSL | 13:f67a6c6013ca | 4767 | |
wolfSSL | 13:f67a6c6013ca | 4768 | verifySz = ret; |
wolfSSL | 13:f67a6c6013ca | 4769 | |
wolfSSL | 13:f67a6c6013ca | 4770 | /* make sure we're right justified */ |
wolfSSL | 13:f67a6c6013ca | 4771 | encodedSigSz = wc_EncodeSignature(encodedSig, |
wolfSSL | 13:f67a6c6013ca | 4772 | sigCtx->digest, sigCtx->digestSz, sigCtx->typeH); |
wolfSSL | 13:f67a6c6013ca | 4773 | if (encodedSigSz == verifySz && |
wolfSSL | 13:f67a6c6013ca | 4774 | XMEMCMP(sigCtx->out, encodedSig, encodedSigSz) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4775 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 4776 | } |
wolfSSL | 13:f67a6c6013ca | 4777 | else { |
wolfSSL | 13:f67a6c6013ca | 4778 | WOLFSSL_MSG("RSA SSL verify match encode error"); |
wolfSSL | 13:f67a6c6013ca | 4779 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 4780 | } |
wolfSSL | 13:f67a6c6013ca | 4781 | |
wolfSSL | 13:f67a6c6013ca | 4782 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 4783 | XFREE(encodedSig, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 4784 | #endif |
wolfSSL | 13:f67a6c6013ca | 4785 | break; |
wolfSSL | 13:f67a6c6013ca | 4786 | } |
wolfSSL | 13:f67a6c6013ca | 4787 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 4788 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 4789 | case ECDSAk: |
wolfSSL | 13:f67a6c6013ca | 4790 | { |
wolfSSL | 13:f67a6c6013ca | 4791 | if (sigCtx->verify == 1) { |
wolfSSL | 13:f67a6c6013ca | 4792 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 4793 | } |
wolfSSL | 13:f67a6c6013ca | 4794 | else { |
wolfSSL | 13:f67a6c6013ca | 4795 | WOLFSSL_MSG("ECC Verify didn't match"); |
wolfSSL | 13:f67a6c6013ca | 4796 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 4797 | } |
wolfSSL | 13:f67a6c6013ca | 4798 | break; |
wolfSSL | 13:f67a6c6013ca | 4799 | } |
wolfSSL | 13:f67a6c6013ca | 4800 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 4801 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 4802 | case ED25519k: |
wolfSSL | 13:f67a6c6013ca | 4803 | { |
wolfSSL | 13:f67a6c6013ca | 4804 | if (sigCtx->verify == 1) { |
wolfSSL | 13:f67a6c6013ca | 4805 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 4806 | } |
wolfSSL | 13:f67a6c6013ca | 4807 | else { |
wolfSSL | 13:f67a6c6013ca | 4808 | WOLFSSL_MSG("ED25519 Verify didn't match"); |
wolfSSL | 13:f67a6c6013ca | 4809 | ret = ASN_SIG_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 4810 | } |
wolfSSL | 13:f67a6c6013ca | 4811 | break; |
wolfSSL | 13:f67a6c6013ca | 4812 | } |
wolfSSL | 13:f67a6c6013ca | 4813 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 4814 | default: |
wolfSSL | 13:f67a6c6013ca | 4815 | break; |
wolfSSL | 13:f67a6c6013ca | 4816 | } /* switch (keyOID) */ |
wolfSSL | 13:f67a6c6013ca | 4817 | |
wolfSSL | 13:f67a6c6013ca | 4818 | break; |
wolfSSL | 13:f67a6c6013ca | 4819 | } /* SIG_STATE_CHECK */ |
wolfSSL | 13:f67a6c6013ca | 4820 | } /* switch (sigCtx->state) */ |
wolfSSL | 13:f67a6c6013ca | 4821 | |
wolfSSL | 13:f67a6c6013ca | 4822 | exit_cs: |
wolfSSL | 13:f67a6c6013ca | 4823 | |
wolfSSL | 13:f67a6c6013ca | 4824 | WOLFSSL_LEAVE("ConfirmSignature", ret); |
wolfSSL | 13:f67a6c6013ca | 4825 | |
wolfSSL | 13:f67a6c6013ca | 4826 | if (ret != WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 4827 | FreeSignatureCtx(sigCtx); |
wolfSSL | 13:f67a6c6013ca | 4828 | } |
wolfSSL | 13:f67a6c6013ca | 4829 | |
wolfSSL | 13:f67a6c6013ca | 4830 | return ret; |
wolfSSL | 13:f67a6c6013ca | 4831 | } |
wolfSSL | 13:f67a6c6013ca | 4832 | |
wolfSSL | 13:f67a6c6013ca | 4833 | |
wolfSSL | 13:f67a6c6013ca | 4834 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 4835 | |
wolfSSL | 13:f67a6c6013ca | 4836 | static int MatchBaseName(int type, const char* name, int nameSz, |
wolfSSL | 13:f67a6c6013ca | 4837 | const char* base, int baseSz) |
wolfSSL | 13:f67a6c6013ca | 4838 | { |
wolfSSL | 13:f67a6c6013ca | 4839 | if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 || |
wolfSSL | 13:f67a6c6013ca | 4840 | name[0] == '.' || nameSz < baseSz || |
wolfSSL | 13:f67a6c6013ca | 4841 | (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE)) |
wolfSSL | 13:f67a6c6013ca | 4842 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4843 | |
wolfSSL | 13:f67a6c6013ca | 4844 | /* If an email type, handle special cases where the base is only |
wolfSSL | 13:f67a6c6013ca | 4845 | * a domain, or is an email address itself. */ |
wolfSSL | 13:f67a6c6013ca | 4846 | if (type == ASN_RFC822_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 4847 | const char* p = NULL; |
wolfSSL | 13:f67a6c6013ca | 4848 | int count = 0; |
wolfSSL | 13:f67a6c6013ca | 4849 | |
wolfSSL | 13:f67a6c6013ca | 4850 | if (base[0] != '.') { |
wolfSSL | 13:f67a6c6013ca | 4851 | p = base; |
wolfSSL | 13:f67a6c6013ca | 4852 | count = 0; |
wolfSSL | 13:f67a6c6013ca | 4853 | |
wolfSSL | 13:f67a6c6013ca | 4854 | /* find the '@' in the base */ |
wolfSSL | 13:f67a6c6013ca | 4855 | while (*p != '@' && count < baseSz) { |
wolfSSL | 13:f67a6c6013ca | 4856 | count++; |
wolfSSL | 13:f67a6c6013ca | 4857 | p++; |
wolfSSL | 13:f67a6c6013ca | 4858 | } |
wolfSSL | 13:f67a6c6013ca | 4859 | |
wolfSSL | 13:f67a6c6013ca | 4860 | /* No '@' in base, reset p to NULL */ |
wolfSSL | 13:f67a6c6013ca | 4861 | if (count >= baseSz) |
wolfSSL | 13:f67a6c6013ca | 4862 | p = NULL; |
wolfSSL | 13:f67a6c6013ca | 4863 | } |
wolfSSL | 13:f67a6c6013ca | 4864 | |
wolfSSL | 13:f67a6c6013ca | 4865 | if (p == NULL) { |
wolfSSL | 13:f67a6c6013ca | 4866 | /* Base isn't an email address, it is a domain name, |
wolfSSL | 13:f67a6c6013ca | 4867 | * wind the name forward one character past its '@'. */ |
wolfSSL | 13:f67a6c6013ca | 4868 | p = name; |
wolfSSL | 13:f67a6c6013ca | 4869 | count = 0; |
wolfSSL | 13:f67a6c6013ca | 4870 | while (*p != '@' && count < baseSz) { |
wolfSSL | 13:f67a6c6013ca | 4871 | count++; |
wolfSSL | 13:f67a6c6013ca | 4872 | p++; |
wolfSSL | 13:f67a6c6013ca | 4873 | } |
wolfSSL | 13:f67a6c6013ca | 4874 | |
wolfSSL | 13:f67a6c6013ca | 4875 | if (count < baseSz && *p == '@') { |
wolfSSL | 13:f67a6c6013ca | 4876 | name = p + 1; |
wolfSSL | 13:f67a6c6013ca | 4877 | nameSz -= count + 1; |
wolfSSL | 13:f67a6c6013ca | 4878 | } |
wolfSSL | 13:f67a6c6013ca | 4879 | } |
wolfSSL | 13:f67a6c6013ca | 4880 | } |
wolfSSL | 13:f67a6c6013ca | 4881 | |
wolfSSL | 13:f67a6c6013ca | 4882 | if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') { |
wolfSSL | 13:f67a6c6013ca | 4883 | int szAdjust = nameSz - baseSz; |
wolfSSL | 13:f67a6c6013ca | 4884 | name += szAdjust; |
wolfSSL | 13:f67a6c6013ca | 4885 | nameSz -= szAdjust; |
wolfSSL | 13:f67a6c6013ca | 4886 | } |
wolfSSL | 13:f67a6c6013ca | 4887 | |
wolfSSL | 13:f67a6c6013ca | 4888 | while (nameSz > 0) { |
wolfSSL | 13:f67a6c6013ca | 4889 | if (XTOLOWER((unsigned char)*name++) != |
wolfSSL | 13:f67a6c6013ca | 4890 | XTOLOWER((unsigned char)*base++)) |
wolfSSL | 13:f67a6c6013ca | 4891 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4892 | nameSz--; |
wolfSSL | 13:f67a6c6013ca | 4893 | } |
wolfSSL | 13:f67a6c6013ca | 4894 | |
wolfSSL | 13:f67a6c6013ca | 4895 | return 1; |
wolfSSL | 13:f67a6c6013ca | 4896 | } |
wolfSSL | 13:f67a6c6013ca | 4897 | |
wolfSSL | 13:f67a6c6013ca | 4898 | |
wolfSSL | 13:f67a6c6013ca | 4899 | static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 4900 | { |
wolfSSL | 13:f67a6c6013ca | 4901 | if (signer == NULL || cert == NULL) |
wolfSSL | 13:f67a6c6013ca | 4902 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4903 | |
wolfSSL | 13:f67a6c6013ca | 4904 | /* Check against the excluded list */ |
wolfSSL | 13:f67a6c6013ca | 4905 | if (signer->excludedNames) { |
wolfSSL | 13:f67a6c6013ca | 4906 | Base_entry* base = signer->excludedNames; |
wolfSSL | 13:f67a6c6013ca | 4907 | |
wolfSSL | 13:f67a6c6013ca | 4908 | while (base != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4909 | switch (base->type) { |
wolfSSL | 13:f67a6c6013ca | 4910 | case ASN_DNS_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4911 | { |
wolfSSL | 13:f67a6c6013ca | 4912 | DNS_entry* name = cert->altNames; |
wolfSSL | 13:f67a6c6013ca | 4913 | while (name != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4914 | if (MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 13:f67a6c6013ca | 4915 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 13:f67a6c6013ca | 4916 | base->name, base->nameSz)) { |
wolfSSL | 13:f67a6c6013ca | 4917 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4918 | } |
wolfSSL | 13:f67a6c6013ca | 4919 | name = name->next; |
wolfSSL | 13:f67a6c6013ca | 4920 | } |
wolfSSL | 13:f67a6c6013ca | 4921 | break; |
wolfSSL | 13:f67a6c6013ca | 4922 | } |
wolfSSL | 13:f67a6c6013ca | 4923 | case ASN_RFC822_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4924 | { |
wolfSSL | 13:f67a6c6013ca | 4925 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 13:f67a6c6013ca | 4926 | while (name != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4927 | if (MatchBaseName(ASN_RFC822_TYPE, |
wolfSSL | 13:f67a6c6013ca | 4928 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 13:f67a6c6013ca | 4929 | base->name, base->nameSz)) { |
wolfSSL | 13:f67a6c6013ca | 4930 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4931 | } |
wolfSSL | 13:f67a6c6013ca | 4932 | name = name->next; |
wolfSSL | 13:f67a6c6013ca | 4933 | } |
wolfSSL | 13:f67a6c6013ca | 4934 | break; |
wolfSSL | 13:f67a6c6013ca | 4935 | } |
wolfSSL | 13:f67a6c6013ca | 4936 | case ASN_DIR_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4937 | { |
wolfSSL | 13:f67a6c6013ca | 4938 | /* allow permitted dirName smaller than actual subject */ |
wolfSSL | 13:f67a6c6013ca | 4939 | if (cert->subjectRawLen >= base->nameSz && |
wolfSSL | 13:f67a6c6013ca | 4940 | XMEMCMP(cert->subjectRaw, base->name, |
wolfSSL | 13:f67a6c6013ca | 4941 | base->nameSz) == 0) { |
wolfSSL | 13:f67a6c6013ca | 4942 | return 0; |
wolfSSL | 13:f67a6c6013ca | 4943 | } |
wolfSSL | 13:f67a6c6013ca | 4944 | break; |
wolfSSL | 13:f67a6c6013ca | 4945 | } |
wolfSSL | 13:f67a6c6013ca | 4946 | }; /* switch */ |
wolfSSL | 13:f67a6c6013ca | 4947 | base = base->next; |
wolfSSL | 13:f67a6c6013ca | 4948 | } |
wolfSSL | 13:f67a6c6013ca | 4949 | } |
wolfSSL | 13:f67a6c6013ca | 4950 | |
wolfSSL | 13:f67a6c6013ca | 4951 | /* Check against the permitted list */ |
wolfSSL | 13:f67a6c6013ca | 4952 | if (signer->permittedNames != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4953 | int needDns = 0; |
wolfSSL | 13:f67a6c6013ca | 4954 | int matchDns = 0; |
wolfSSL | 13:f67a6c6013ca | 4955 | int needEmail = 0; |
wolfSSL | 13:f67a6c6013ca | 4956 | int matchEmail = 0; |
wolfSSL | 13:f67a6c6013ca | 4957 | int needDir = 0; |
wolfSSL | 13:f67a6c6013ca | 4958 | int matchDir = 0; |
wolfSSL | 13:f67a6c6013ca | 4959 | Base_entry* base = signer->permittedNames; |
wolfSSL | 13:f67a6c6013ca | 4960 | |
wolfSSL | 13:f67a6c6013ca | 4961 | while (base != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4962 | switch (base->type) { |
wolfSSL | 13:f67a6c6013ca | 4963 | case ASN_DNS_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4964 | { |
wolfSSL | 13:f67a6c6013ca | 4965 | DNS_entry* name = cert->altNames; |
wolfSSL | 13:f67a6c6013ca | 4966 | |
wolfSSL | 13:f67a6c6013ca | 4967 | if (name != NULL) |
wolfSSL | 13:f67a6c6013ca | 4968 | needDns = 1; |
wolfSSL | 13:f67a6c6013ca | 4969 | |
wolfSSL | 13:f67a6c6013ca | 4970 | while (name != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4971 | matchDns = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 13:f67a6c6013ca | 4972 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 13:f67a6c6013ca | 4973 | base->name, base->nameSz); |
wolfSSL | 13:f67a6c6013ca | 4974 | name = name->next; |
wolfSSL | 13:f67a6c6013ca | 4975 | } |
wolfSSL | 13:f67a6c6013ca | 4976 | break; |
wolfSSL | 13:f67a6c6013ca | 4977 | } |
wolfSSL | 13:f67a6c6013ca | 4978 | case ASN_RFC822_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4979 | { |
wolfSSL | 13:f67a6c6013ca | 4980 | DNS_entry* name = cert->altEmailNames; |
wolfSSL | 13:f67a6c6013ca | 4981 | |
wolfSSL | 13:f67a6c6013ca | 4982 | if (name != NULL) |
wolfSSL | 13:f67a6c6013ca | 4983 | needEmail = 1; |
wolfSSL | 13:f67a6c6013ca | 4984 | |
wolfSSL | 13:f67a6c6013ca | 4985 | while (name != NULL) { |
wolfSSL | 13:f67a6c6013ca | 4986 | matchEmail = MatchBaseName(ASN_DNS_TYPE, |
wolfSSL | 13:f67a6c6013ca | 4987 | name->name, (int)XSTRLEN(name->name), |
wolfSSL | 13:f67a6c6013ca | 4988 | base->name, base->nameSz); |
wolfSSL | 13:f67a6c6013ca | 4989 | name = name->next; |
wolfSSL | 13:f67a6c6013ca | 4990 | } |
wolfSSL | 13:f67a6c6013ca | 4991 | break; |
wolfSSL | 13:f67a6c6013ca | 4992 | } |
wolfSSL | 13:f67a6c6013ca | 4993 | case ASN_DIR_TYPE: |
wolfSSL | 13:f67a6c6013ca | 4994 | { |
wolfSSL | 13:f67a6c6013ca | 4995 | /* allow permitted dirName smaller than actual subject */ |
wolfSSL | 13:f67a6c6013ca | 4996 | needDir = 1; |
wolfSSL | 13:f67a6c6013ca | 4997 | if (cert->subjectRaw != NULL && |
wolfSSL | 13:f67a6c6013ca | 4998 | cert->subjectRawLen >= base->nameSz && |
wolfSSL | 13:f67a6c6013ca | 4999 | XMEMCMP(cert->subjectRaw, base->name, |
wolfSSL | 13:f67a6c6013ca | 5000 | base->nameSz) == 0) { |
wolfSSL | 13:f67a6c6013ca | 5001 | matchDir = 1; |
wolfSSL | 13:f67a6c6013ca | 5002 | } |
wolfSSL | 13:f67a6c6013ca | 5003 | break; |
wolfSSL | 13:f67a6c6013ca | 5004 | } |
wolfSSL | 13:f67a6c6013ca | 5005 | } /* switch */ |
wolfSSL | 13:f67a6c6013ca | 5006 | base = base->next; |
wolfSSL | 13:f67a6c6013ca | 5007 | } |
wolfSSL | 13:f67a6c6013ca | 5008 | |
wolfSSL | 13:f67a6c6013ca | 5009 | if ((needDns && !matchDns) || |
wolfSSL | 13:f67a6c6013ca | 5010 | (needEmail && !matchEmail) || |
wolfSSL | 13:f67a6c6013ca | 5011 | (needDir && !matchDir)) { |
wolfSSL | 13:f67a6c6013ca | 5012 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5013 | } |
wolfSSL | 13:f67a6c6013ca | 5014 | } |
wolfSSL | 13:f67a6c6013ca | 5015 | |
wolfSSL | 13:f67a6c6013ca | 5016 | return 1; |
wolfSSL | 13:f67a6c6013ca | 5017 | } |
wolfSSL | 13:f67a6c6013ca | 5018 | |
wolfSSL | 13:f67a6c6013ca | 5019 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 5020 | |
wolfSSL | 13:f67a6c6013ca | 5021 | static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5022 | { |
wolfSSL | 13:f67a6c6013ca | 5023 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5024 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 5025 | |
wolfSSL | 13:f67a6c6013ca | 5026 | WOLFSSL_ENTER("DecodeAltNames"); |
wolfSSL | 13:f67a6c6013ca | 5027 | |
wolfSSL | 13:f67a6c6013ca | 5028 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5029 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 13:f67a6c6013ca | 5030 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5031 | } |
wolfSSL | 13:f67a6c6013ca | 5032 | |
wolfSSL | 13:f67a6c6013ca | 5033 | cert->weOwnAltNames = 1; |
wolfSSL | 13:f67a6c6013ca | 5034 | |
wolfSSL | 13:f67a6c6013ca | 5035 | while (length > 0) { |
wolfSSL | 13:f67a6c6013ca | 5036 | byte b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 5037 | |
wolfSSL | 13:f67a6c6013ca | 5038 | length--; |
wolfSSL | 13:f67a6c6013ca | 5039 | |
wolfSSL | 13:f67a6c6013ca | 5040 | /* Save DNS Type names in the altNames list. */ |
wolfSSL | 13:f67a6c6013ca | 5041 | /* Save Other Type names in the cert's OidMap */ |
wolfSSL | 13:f67a6c6013ca | 5042 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) { |
wolfSSL | 13:f67a6c6013ca | 5043 | DNS_entry* dnsEntry; |
wolfSSL | 13:f67a6c6013ca | 5044 | int strLen; |
wolfSSL | 13:f67a6c6013ca | 5045 | word32 lenStartIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5046 | |
wolfSSL | 13:f67a6c6013ca | 5047 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5048 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 13:f67a6c6013ca | 5049 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5050 | } |
wolfSSL | 13:f67a6c6013ca | 5051 | length -= (idx - lenStartIdx); |
wolfSSL | 13:f67a6c6013ca | 5052 | |
wolfSSL | 13:f67a6c6013ca | 5053 | dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5054 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5055 | if (dnsEntry == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5056 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5057 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5058 | } |
wolfSSL | 13:f67a6c6013ca | 5059 | |
wolfSSL | 13:f67a6c6013ca | 5060 | dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5061 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5062 | if (dnsEntry->name == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5063 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5064 | XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5065 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5066 | } |
wolfSSL | 13:f67a6c6013ca | 5067 | |
wolfSSL | 13:f67a6c6013ca | 5068 | XMEMCPY(dnsEntry->name, &input[idx], strLen); |
wolfSSL | 13:f67a6c6013ca | 5069 | dnsEntry->name[strLen] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 5070 | |
wolfSSL | 13:f67a6c6013ca | 5071 | dnsEntry->next = cert->altNames; |
wolfSSL | 13:f67a6c6013ca | 5072 | cert->altNames = dnsEntry; |
wolfSSL | 13:f67a6c6013ca | 5073 | |
wolfSSL | 13:f67a6c6013ca | 5074 | length -= strLen; |
wolfSSL | 13:f67a6c6013ca | 5075 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 5076 | } |
wolfSSL | 13:f67a6c6013ca | 5077 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 5078 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) { |
wolfSSL | 13:f67a6c6013ca | 5079 | DNS_entry* emailEntry; |
wolfSSL | 13:f67a6c6013ca | 5080 | int strLen; |
wolfSSL | 13:f67a6c6013ca | 5081 | word32 lenStartIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5082 | |
wolfSSL | 13:f67a6c6013ca | 5083 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5084 | WOLFSSL_MSG("\tfail: str length"); |
wolfSSL | 13:f67a6c6013ca | 5085 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5086 | } |
wolfSSL | 13:f67a6c6013ca | 5087 | length -= (idx - lenStartIdx); |
wolfSSL | 13:f67a6c6013ca | 5088 | |
wolfSSL | 13:f67a6c6013ca | 5089 | emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5090 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5091 | if (emailEntry == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5092 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5093 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5094 | } |
wolfSSL | 13:f67a6c6013ca | 5095 | |
wolfSSL | 13:f67a6c6013ca | 5096 | emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5097 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5098 | if (emailEntry->name == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5099 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5100 | XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5101 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5102 | } |
wolfSSL | 13:f67a6c6013ca | 5103 | |
wolfSSL | 13:f67a6c6013ca | 5104 | XMEMCPY(emailEntry->name, &input[idx], strLen); |
wolfSSL | 13:f67a6c6013ca | 5105 | emailEntry->name[strLen] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 5106 | |
wolfSSL | 13:f67a6c6013ca | 5107 | emailEntry->next = cert->altEmailNames; |
wolfSSL | 13:f67a6c6013ca | 5108 | cert->altEmailNames = emailEntry; |
wolfSSL | 13:f67a6c6013ca | 5109 | |
wolfSSL | 13:f67a6c6013ca | 5110 | length -= strLen; |
wolfSSL | 13:f67a6c6013ca | 5111 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 5112 | } |
wolfSSL | 13:f67a6c6013ca | 5113 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 5114 | #ifdef WOLFSSL_SEP |
wolfSSL | 13:f67a6c6013ca | 5115 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) |
wolfSSL | 13:f67a6c6013ca | 5116 | { |
wolfSSL | 13:f67a6c6013ca | 5117 | int strLen; |
wolfSSL | 13:f67a6c6013ca | 5118 | word32 lenStartIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5119 | word32 oid = 0; |
wolfSSL | 13:f67a6c6013ca | 5120 | int ret; |
wolfSSL | 13:f67a6c6013ca | 5121 | |
wolfSSL | 13:f67a6c6013ca | 5122 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5123 | WOLFSSL_MSG("\tfail: other name length"); |
wolfSSL | 13:f67a6c6013ca | 5124 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5125 | } |
wolfSSL | 13:f67a6c6013ca | 5126 | /* Consume the rest of this sequence. */ |
wolfSSL | 13:f67a6c6013ca | 5127 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 13:f67a6c6013ca | 5128 | |
wolfSSL | 13:f67a6c6013ca | 5129 | if (GetObjectId(input, &idx, &oid, oidCertAltNameType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5130 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 13:f67a6c6013ca | 5131 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5132 | } |
wolfSSL | 13:f67a6c6013ca | 5133 | |
wolfSSL | 13:f67a6c6013ca | 5134 | if (oid != HW_NAME_OID) { |
wolfSSL | 13:f67a6c6013ca | 5135 | WOLFSSL_MSG("\tincorrect OID"); |
wolfSSL | 13:f67a6c6013ca | 5136 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5137 | } |
wolfSSL | 13:f67a6c6013ca | 5138 | |
wolfSSL | 13:f67a6c6013ca | 5139 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { |
wolfSSL | 13:f67a6c6013ca | 5140 | WOLFSSL_MSG("\twrong type"); |
wolfSSL | 13:f67a6c6013ca | 5141 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5142 | } |
wolfSSL | 13:f67a6c6013ca | 5143 | |
wolfSSL | 13:f67a6c6013ca | 5144 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5145 | WOLFSSL_MSG("\tfail: str len"); |
wolfSSL | 13:f67a6c6013ca | 5146 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5147 | } |
wolfSSL | 13:f67a6c6013ca | 5148 | |
wolfSSL | 13:f67a6c6013ca | 5149 | if (GetSequence(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5150 | WOLFSSL_MSG("\tBad Sequence"); |
wolfSSL | 13:f67a6c6013ca | 5151 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5152 | } |
wolfSSL | 13:f67a6c6013ca | 5153 | |
wolfSSL | 13:f67a6c6013ca | 5154 | ret = GetASNObjectId(input, &idx, &strLen, sz); |
wolfSSL | 13:f67a6c6013ca | 5155 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 5156 | WOLFSSL_MSG("\tbad OID"); |
wolfSSL | 13:f67a6c6013ca | 5157 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5158 | } |
wolfSSL | 13:f67a6c6013ca | 5159 | |
wolfSSL | 13:f67a6c6013ca | 5160 | cert->hwType = (byte*)XMALLOC(strLen, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5161 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 5162 | if (cert->hwType == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5163 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5164 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5165 | } |
wolfSSL | 13:f67a6c6013ca | 5166 | |
wolfSSL | 13:f67a6c6013ca | 5167 | XMEMCPY(cert->hwType, &input[idx], strLen); |
wolfSSL | 13:f67a6c6013ca | 5168 | cert->hwTypeSz = strLen; |
wolfSSL | 13:f67a6c6013ca | 5169 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 5170 | |
wolfSSL | 13:f67a6c6013ca | 5171 | ret = GetOctetString(input, &idx, &strLen, sz); |
wolfSSL | 13:f67a6c6013ca | 5172 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 5173 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5174 | |
wolfSSL | 13:f67a6c6013ca | 5175 | cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5176 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 5177 | if (cert->hwSerialNum == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5178 | WOLFSSL_MSG("\tOut of Memory"); |
wolfSSL | 13:f67a6c6013ca | 5179 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5180 | } |
wolfSSL | 13:f67a6c6013ca | 5181 | |
wolfSSL | 13:f67a6c6013ca | 5182 | XMEMCPY(cert->hwSerialNum, &input[idx], strLen); |
wolfSSL | 13:f67a6c6013ca | 5183 | cert->hwSerialNum[strLen] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 5184 | cert->hwSerialNumSz = strLen; |
wolfSSL | 13:f67a6c6013ca | 5185 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 5186 | } |
wolfSSL | 13:f67a6c6013ca | 5187 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 13:f67a6c6013ca | 5188 | else { |
wolfSSL | 13:f67a6c6013ca | 5189 | int strLen; |
wolfSSL | 13:f67a6c6013ca | 5190 | word32 lenStartIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5191 | |
wolfSSL | 13:f67a6c6013ca | 5192 | WOLFSSL_MSG("\tUnsupported name type, skipping"); |
wolfSSL | 13:f67a6c6013ca | 5193 | |
wolfSSL | 13:f67a6c6013ca | 5194 | if (GetLength(input, &idx, &strLen, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5195 | WOLFSSL_MSG("\tfail: unsupported name length"); |
wolfSSL | 13:f67a6c6013ca | 5196 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5197 | } |
wolfSSL | 13:f67a6c6013ca | 5198 | length -= (strLen + idx - lenStartIdx); |
wolfSSL | 13:f67a6c6013ca | 5199 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 5200 | } |
wolfSSL | 13:f67a6c6013ca | 5201 | } |
wolfSSL | 13:f67a6c6013ca | 5202 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5203 | } |
wolfSSL | 13:f67a6c6013ca | 5204 | |
wolfSSL | 13:f67a6c6013ca | 5205 | static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5206 | { |
wolfSSL | 13:f67a6c6013ca | 5207 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5208 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 5209 | int ret; |
wolfSSL | 13:f67a6c6013ca | 5210 | |
wolfSSL | 13:f67a6c6013ca | 5211 | WOLFSSL_ENTER("DecodeBasicCaConstraint"); |
wolfSSL | 13:f67a6c6013ca | 5212 | |
wolfSSL | 13:f67a6c6013ca | 5213 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5214 | WOLFSSL_MSG("\tfail: bad SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5215 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5216 | } |
wolfSSL | 13:f67a6c6013ca | 5217 | |
wolfSSL | 13:f67a6c6013ca | 5218 | if (length == 0) |
wolfSSL | 13:f67a6c6013ca | 5219 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5220 | |
wolfSSL | 13:f67a6c6013ca | 5221 | /* If the basic ca constraint is false, this extension may be named, but |
wolfSSL | 13:f67a6c6013ca | 5222 | * left empty. So, if the length is 0, just return. */ |
wolfSSL | 13:f67a6c6013ca | 5223 | |
wolfSSL | 13:f67a6c6013ca | 5224 | ret = GetBoolean(input, &idx, sz); |
wolfSSL | 13:f67a6c6013ca | 5225 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 5226 | WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN"); |
wolfSSL | 13:f67a6c6013ca | 5227 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5228 | } |
wolfSSL | 13:f67a6c6013ca | 5229 | |
wolfSSL | 13:f67a6c6013ca | 5230 | cert->isCA = (byte)ret; |
wolfSSL | 13:f67a6c6013ca | 5231 | |
wolfSSL | 13:f67a6c6013ca | 5232 | /* If there isn't any more data, return. */ |
wolfSSL | 13:f67a6c6013ca | 5233 | if (idx >= (word32)sz) |
wolfSSL | 13:f67a6c6013ca | 5234 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5235 | |
wolfSSL | 13:f67a6c6013ca | 5236 | ret = GetInteger7Bit(input, &idx, sz); |
wolfSSL | 13:f67a6c6013ca | 5237 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 5238 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5239 | |
wolfSSL | 13:f67a6c6013ca | 5240 | cert->pathLength = (byte)ret; |
wolfSSL | 13:f67a6c6013ca | 5241 | cert->pathLengthSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5242 | |
wolfSSL | 13:f67a6c6013ca | 5243 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5244 | } |
wolfSSL | 13:f67a6c6013ca | 5245 | |
wolfSSL | 13:f67a6c6013ca | 5246 | |
wolfSSL | 13:f67a6c6013ca | 5247 | #define CRLDP_FULL_NAME 0 |
wolfSSL | 13:f67a6c6013ca | 5248 | /* From RFC3280 SS4.2.1.14, Distribution Point Name*/ |
wolfSSL | 13:f67a6c6013ca | 5249 | #define GENERALNAME_URI 6 |
wolfSSL | 13:f67a6c6013ca | 5250 | /* From RFC3280 SS4.2.1.7, GeneralName */ |
wolfSSL | 13:f67a6c6013ca | 5251 | |
wolfSSL | 13:f67a6c6013ca | 5252 | static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5253 | { |
wolfSSL | 13:f67a6c6013ca | 5254 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5255 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 5256 | |
wolfSSL | 13:f67a6c6013ca | 5257 | WOLFSSL_ENTER("DecodeCrlDist"); |
wolfSSL | 13:f67a6c6013ca | 5258 | |
wolfSSL | 13:f67a6c6013ca | 5259 | /* Unwrap the list of Distribution Points*/ |
wolfSSL | 13:f67a6c6013ca | 5260 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5261 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5262 | |
wolfSSL | 13:f67a6c6013ca | 5263 | /* Unwrap a single Distribution Point */ |
wolfSSL | 13:f67a6c6013ca | 5264 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5265 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5266 | |
wolfSSL | 13:f67a6c6013ca | 5267 | /* The Distribution Point has three explicit optional members |
wolfSSL | 13:f67a6c6013ca | 5268 | * First check for a DistributionPointName |
wolfSSL | 13:f67a6c6013ca | 5269 | */ |
wolfSSL | 13:f67a6c6013ca | 5270 | if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) |
wolfSSL | 13:f67a6c6013ca | 5271 | { |
wolfSSL | 13:f67a6c6013ca | 5272 | idx++; |
wolfSSL | 13:f67a6c6013ca | 5273 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5274 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5275 | |
wolfSSL | 13:f67a6c6013ca | 5276 | if (input[idx] == |
wolfSSL | 13:f67a6c6013ca | 5277 | (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME)) |
wolfSSL | 13:f67a6c6013ca | 5278 | { |
wolfSSL | 13:f67a6c6013ca | 5279 | idx++; |
wolfSSL | 13:f67a6c6013ca | 5280 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5281 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5282 | |
wolfSSL | 13:f67a6c6013ca | 5283 | if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) |
wolfSSL | 13:f67a6c6013ca | 5284 | { |
wolfSSL | 13:f67a6c6013ca | 5285 | idx++; |
wolfSSL | 13:f67a6c6013ca | 5286 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5287 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5288 | |
wolfSSL | 13:f67a6c6013ca | 5289 | cert->extCrlInfoSz = length; |
wolfSSL | 13:f67a6c6013ca | 5290 | cert->extCrlInfo = input + idx; |
wolfSSL | 13:f67a6c6013ca | 5291 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5292 | } |
wolfSSL | 13:f67a6c6013ca | 5293 | else |
wolfSSL | 13:f67a6c6013ca | 5294 | /* This isn't a URI, skip it. */ |
wolfSSL | 13:f67a6c6013ca | 5295 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5296 | } |
wolfSSL | 13:f67a6c6013ca | 5297 | else { |
wolfSSL | 13:f67a6c6013ca | 5298 | /* This isn't a FULLNAME, skip it. */ |
wolfSSL | 13:f67a6c6013ca | 5299 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5300 | } |
wolfSSL | 13:f67a6c6013ca | 5301 | } |
wolfSSL | 13:f67a6c6013ca | 5302 | |
wolfSSL | 13:f67a6c6013ca | 5303 | /* Check for reasonFlags */ |
wolfSSL | 13:f67a6c6013ca | 5304 | if (idx < (word32)sz && |
wolfSSL | 13:f67a6c6013ca | 5305 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 13:f67a6c6013ca | 5306 | { |
wolfSSL | 13:f67a6c6013ca | 5307 | idx++; |
wolfSSL | 13:f67a6c6013ca | 5308 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5309 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5310 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5311 | } |
wolfSSL | 13:f67a6c6013ca | 5312 | |
wolfSSL | 13:f67a6c6013ca | 5313 | /* Check for cRLIssuer */ |
wolfSSL | 13:f67a6c6013ca | 5314 | if (idx < (word32)sz && |
wolfSSL | 13:f67a6c6013ca | 5315 | input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2)) |
wolfSSL | 13:f67a6c6013ca | 5316 | { |
wolfSSL | 13:f67a6c6013ca | 5317 | idx++; |
wolfSSL | 13:f67a6c6013ca | 5318 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5319 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5320 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5321 | } |
wolfSSL | 13:f67a6c6013ca | 5322 | |
wolfSSL | 13:f67a6c6013ca | 5323 | if (idx < (word32)sz) |
wolfSSL | 13:f67a6c6013ca | 5324 | { |
wolfSSL | 13:f67a6c6013ca | 5325 | WOLFSSL_MSG("\tThere are more CRL Distribution Point records, " |
wolfSSL | 13:f67a6c6013ca | 5326 | "but we only use the first one."); |
wolfSSL | 13:f67a6c6013ca | 5327 | } |
wolfSSL | 13:f67a6c6013ca | 5328 | |
wolfSSL | 13:f67a6c6013ca | 5329 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5330 | } |
wolfSSL | 13:f67a6c6013ca | 5331 | |
wolfSSL | 13:f67a6c6013ca | 5332 | |
wolfSSL | 13:f67a6c6013ca | 5333 | static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5334 | /* |
wolfSSL | 13:f67a6c6013ca | 5335 | * Read the first of the Authority Information Access records. If there are |
wolfSSL | 13:f67a6c6013ca | 5336 | * any issues, return without saving the record. |
wolfSSL | 13:f67a6c6013ca | 5337 | */ |
wolfSSL | 13:f67a6c6013ca | 5338 | { |
wolfSSL | 13:f67a6c6013ca | 5339 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5340 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 5341 | byte b; |
wolfSSL | 13:f67a6c6013ca | 5342 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 5343 | |
wolfSSL | 13:f67a6c6013ca | 5344 | WOLFSSL_ENTER("DecodeAuthInfo"); |
wolfSSL | 13:f67a6c6013ca | 5345 | |
wolfSSL | 13:f67a6c6013ca | 5346 | /* Unwrap the list of AIAs */ |
wolfSSL | 13:f67a6c6013ca | 5347 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5348 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5349 | |
wolfSSL | 13:f67a6c6013ca | 5350 | while (idx < (word32)sz) { |
wolfSSL | 13:f67a6c6013ca | 5351 | /* Unwrap a single AIA */ |
wolfSSL | 13:f67a6c6013ca | 5352 | if (GetSequence(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5353 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5354 | |
wolfSSL | 13:f67a6c6013ca | 5355 | oid = 0; |
wolfSSL | 13:f67a6c6013ca | 5356 | if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5357 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5358 | |
wolfSSL | 13:f67a6c6013ca | 5359 | |
wolfSSL | 13:f67a6c6013ca | 5360 | /* Only supporting URIs right now. */ |
wolfSSL | 13:f67a6c6013ca | 5361 | b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 5362 | if (GetLength(input, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5363 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5364 | |
wolfSSL | 13:f67a6c6013ca | 5365 | if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) && |
wolfSSL | 13:f67a6c6013ca | 5366 | oid == AIA_OCSP_OID) |
wolfSSL | 13:f67a6c6013ca | 5367 | { |
wolfSSL | 13:f67a6c6013ca | 5368 | cert->extAuthInfoSz = length; |
wolfSSL | 13:f67a6c6013ca | 5369 | cert->extAuthInfo = input + idx; |
wolfSSL | 13:f67a6c6013ca | 5370 | break; |
wolfSSL | 13:f67a6c6013ca | 5371 | } |
wolfSSL | 13:f67a6c6013ca | 5372 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5373 | } |
wolfSSL | 13:f67a6c6013ca | 5374 | |
wolfSSL | 13:f67a6c6013ca | 5375 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5376 | } |
wolfSSL | 13:f67a6c6013ca | 5377 | |
wolfSSL | 13:f67a6c6013ca | 5378 | |
wolfSSL | 13:f67a6c6013ca | 5379 | static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5380 | { |
wolfSSL | 13:f67a6c6013ca | 5381 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5382 | int length = 0, ret = 0; |
wolfSSL | 13:f67a6c6013ca | 5383 | |
wolfSSL | 13:f67a6c6013ca | 5384 | WOLFSSL_ENTER("DecodeAuthKeyId"); |
wolfSSL | 13:f67a6c6013ca | 5385 | |
wolfSSL | 13:f67a6c6013ca | 5386 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5387 | WOLFSSL_MSG("\tfail: should be a SEQUENCE\n"); |
wolfSSL | 13:f67a6c6013ca | 5388 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5389 | } |
wolfSSL | 13:f67a6c6013ca | 5390 | |
wolfSSL | 13:f67a6c6013ca | 5391 | if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) { |
wolfSSL | 13:f67a6c6013ca | 5392 | WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n"); |
wolfSSL | 13:f67a6c6013ca | 5393 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5394 | } |
wolfSSL | 13:f67a6c6013ca | 5395 | |
wolfSSL | 13:f67a6c6013ca | 5396 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 5397 | WOLFSSL_MSG("\tfail: extension data length"); |
wolfSSL | 13:f67a6c6013ca | 5398 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5399 | } |
wolfSSL | 13:f67a6c6013ca | 5400 | |
wolfSSL | 13:f67a6c6013ca | 5401 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5402 | cert->extAuthKeyIdSrc = &input[idx]; |
wolfSSL | 13:f67a6c6013ca | 5403 | cert->extAuthKeyIdSz = length; |
wolfSSL | 13:f67a6c6013ca | 5404 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 5405 | |
wolfSSL | 13:f67a6c6013ca | 5406 | if (length == KEYID_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 5407 | XMEMCPY(cert->extAuthKeyId, input + idx, length); |
wolfSSL | 13:f67a6c6013ca | 5408 | } |
wolfSSL | 13:f67a6c6013ca | 5409 | else { |
wolfSSL | 13:f67a6c6013ca | 5410 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 5411 | ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 13:f67a6c6013ca | 5412 | #else |
wolfSSL | 13:f67a6c6013ca | 5413 | ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId); |
wolfSSL | 13:f67a6c6013ca | 5414 | #endif |
wolfSSL | 13:f67a6c6013ca | 5415 | } |
wolfSSL | 13:f67a6c6013ca | 5416 | |
wolfSSL | 13:f67a6c6013ca | 5417 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5418 | } |
wolfSSL | 13:f67a6c6013ca | 5419 | |
wolfSSL | 13:f67a6c6013ca | 5420 | |
wolfSSL | 13:f67a6c6013ca | 5421 | static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5422 | { |
wolfSSL | 13:f67a6c6013ca | 5423 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5424 | int length = 0, ret = 0; |
wolfSSL | 13:f67a6c6013ca | 5425 | |
wolfSSL | 13:f67a6c6013ca | 5426 | WOLFSSL_ENTER("DecodeSubjKeyId"); |
wolfSSL | 13:f67a6c6013ca | 5427 | |
wolfSSL | 13:f67a6c6013ca | 5428 | if (sz <= 0) |
wolfSSL | 13:f67a6c6013ca | 5429 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5430 | |
wolfSSL | 13:f67a6c6013ca | 5431 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 5432 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 5433 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5434 | |
wolfSSL | 13:f67a6c6013ca | 5435 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5436 | cert->extSubjKeyIdSrc = &input[idx]; |
wolfSSL | 13:f67a6c6013ca | 5437 | cert->extSubjKeyIdSz = length; |
wolfSSL | 13:f67a6c6013ca | 5438 | #endif /* OPENSSL_EXTRA */ |
wolfSSL | 13:f67a6c6013ca | 5439 | |
wolfSSL | 13:f67a6c6013ca | 5440 | if (length == SIGNER_DIGEST_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 5441 | XMEMCPY(cert->extSubjKeyId, input + idx, length); |
wolfSSL | 13:f67a6c6013ca | 5442 | } |
wolfSSL | 13:f67a6c6013ca | 5443 | else { |
wolfSSL | 13:f67a6c6013ca | 5444 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 5445 | ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 13:f67a6c6013ca | 5446 | #else |
wolfSSL | 13:f67a6c6013ca | 5447 | ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId); |
wolfSSL | 13:f67a6c6013ca | 5448 | #endif |
wolfSSL | 13:f67a6c6013ca | 5449 | } |
wolfSSL | 13:f67a6c6013ca | 5450 | |
wolfSSL | 13:f67a6c6013ca | 5451 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5452 | } |
wolfSSL | 13:f67a6c6013ca | 5453 | |
wolfSSL | 13:f67a6c6013ca | 5454 | |
wolfSSL | 13:f67a6c6013ca | 5455 | static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5456 | { |
wolfSSL | 13:f67a6c6013ca | 5457 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5458 | int length; |
wolfSSL | 13:f67a6c6013ca | 5459 | int ret; |
wolfSSL | 13:f67a6c6013ca | 5460 | WOLFSSL_ENTER("DecodeKeyUsage"); |
wolfSSL | 13:f67a6c6013ca | 5461 | |
wolfSSL | 13:f67a6c6013ca | 5462 | ret = CheckBitString(input, &idx, &length, sz, 0, NULL); |
wolfSSL | 13:f67a6c6013ca | 5463 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 5464 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5465 | |
wolfSSL | 13:f67a6c6013ca | 5466 | cert->extKeyUsage = (word16)(input[idx]); |
wolfSSL | 13:f67a6c6013ca | 5467 | if (length == 2) |
wolfSSL | 13:f67a6c6013ca | 5468 | cert->extKeyUsage |= (word16)(input[idx+1] << 8); |
wolfSSL | 13:f67a6c6013ca | 5469 | |
wolfSSL | 13:f67a6c6013ca | 5470 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5471 | } |
wolfSSL | 13:f67a6c6013ca | 5472 | |
wolfSSL | 13:f67a6c6013ca | 5473 | |
wolfSSL | 13:f67a6c6013ca | 5474 | static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5475 | { |
wolfSSL | 13:f67a6c6013ca | 5476 | word32 idx = 0, oid; |
wolfSSL | 13:f67a6c6013ca | 5477 | int length; |
wolfSSL | 13:f67a6c6013ca | 5478 | |
wolfSSL | 13:f67a6c6013ca | 5479 | WOLFSSL_ENTER("DecodeExtKeyUsage"); |
wolfSSL | 13:f67a6c6013ca | 5480 | |
wolfSSL | 13:f67a6c6013ca | 5481 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5482 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5483 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5484 | } |
wolfSSL | 13:f67a6c6013ca | 5485 | |
wolfSSL | 13:f67a6c6013ca | 5486 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5487 | cert->extExtKeyUsageSrc = input + idx; |
wolfSSL | 13:f67a6c6013ca | 5488 | cert->extExtKeyUsageSz = length; |
wolfSSL | 13:f67a6c6013ca | 5489 | #endif |
wolfSSL | 13:f67a6c6013ca | 5490 | |
wolfSSL | 13:f67a6c6013ca | 5491 | while (idx < (word32)sz) { |
wolfSSL | 13:f67a6c6013ca | 5492 | if (GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 5493 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5494 | |
wolfSSL | 13:f67a6c6013ca | 5495 | switch (oid) { |
wolfSSL | 13:f67a6c6013ca | 5496 | case EKU_ANY_OID: |
wolfSSL | 13:f67a6c6013ca | 5497 | cert->extExtKeyUsage |= EXTKEYUSE_ANY; |
wolfSSL | 13:f67a6c6013ca | 5498 | break; |
wolfSSL | 13:f67a6c6013ca | 5499 | case EKU_SERVER_AUTH_OID: |
wolfSSL | 13:f67a6c6013ca | 5500 | cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH; |
wolfSSL | 13:f67a6c6013ca | 5501 | break; |
wolfSSL | 13:f67a6c6013ca | 5502 | case EKU_CLIENT_AUTH_OID: |
wolfSSL | 13:f67a6c6013ca | 5503 | cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH; |
wolfSSL | 13:f67a6c6013ca | 5504 | break; |
wolfSSL | 13:f67a6c6013ca | 5505 | case EKU_OCSP_SIGN_OID: |
wolfSSL | 13:f67a6c6013ca | 5506 | cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; |
wolfSSL | 13:f67a6c6013ca | 5507 | break; |
wolfSSL | 13:f67a6c6013ca | 5508 | } |
wolfSSL | 13:f67a6c6013ca | 5509 | |
wolfSSL | 13:f67a6c6013ca | 5510 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5511 | cert->extExtKeyUsageCount++; |
wolfSSL | 13:f67a6c6013ca | 5512 | #endif |
wolfSSL | 13:f67a6c6013ca | 5513 | } |
wolfSSL | 13:f67a6c6013ca | 5514 | |
wolfSSL | 13:f67a6c6013ca | 5515 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5516 | } |
wolfSSL | 13:f67a6c6013ca | 5517 | |
wolfSSL | 13:f67a6c6013ca | 5518 | |
wolfSSL | 13:f67a6c6013ca | 5519 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 5520 | #define ASN_TYPE_MASK 0xF |
wolfSSL | 13:f67a6c6013ca | 5521 | static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap) |
wolfSSL | 13:f67a6c6013ca | 5522 | { |
wolfSSL | 13:f67a6c6013ca | 5523 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5524 | |
wolfSSL | 13:f67a6c6013ca | 5525 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 5526 | |
wolfSSL | 13:f67a6c6013ca | 5527 | while (idx < (word32)sz) { |
wolfSSL | 13:f67a6c6013ca | 5528 | int seqLength, strLength; |
wolfSSL | 13:f67a6c6013ca | 5529 | word32 nameIdx; |
wolfSSL | 13:f67a6c6013ca | 5530 | byte b, bType; |
wolfSSL | 13:f67a6c6013ca | 5531 | |
wolfSSL | 13:f67a6c6013ca | 5532 | if (GetSequence(input, &idx, &seqLength, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5533 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5534 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5535 | } |
wolfSSL | 13:f67a6c6013ca | 5536 | nameIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5537 | b = input[nameIdx++]; |
wolfSSL | 13:f67a6c6013ca | 5538 | |
wolfSSL | 13:f67a6c6013ca | 5539 | if (GetLength(input, &nameIdx, &strLength, sz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 5540 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 13:f67a6c6013ca | 5541 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5542 | } |
wolfSSL | 13:f67a6c6013ca | 5543 | |
wolfSSL | 13:f67a6c6013ca | 5544 | /* Get type, LSB 4-bits */ |
wolfSSL | 13:f67a6c6013ca | 5545 | bType = (b & ASN_TYPE_MASK); |
wolfSSL | 13:f67a6c6013ca | 5546 | |
wolfSSL | 13:f67a6c6013ca | 5547 | if (bType == ASN_DNS_TYPE || bType == ASN_RFC822_TYPE || |
wolfSSL | 13:f67a6c6013ca | 5548 | bType == ASN_DIR_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 5549 | Base_entry* entry; |
wolfSSL | 13:f67a6c6013ca | 5550 | |
wolfSSL | 13:f67a6c6013ca | 5551 | /* if constructed has leading sequence */ |
wolfSSL | 13:f67a6c6013ca | 5552 | if (b & ASN_CONSTRUCTED) { |
wolfSSL | 13:f67a6c6013ca | 5553 | if (GetSequence(input, &nameIdx, &strLength, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5554 | WOLFSSL_MSG("\tfail: constructed be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5555 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5556 | } |
wolfSSL | 13:f67a6c6013ca | 5557 | } |
wolfSSL | 13:f67a6c6013ca | 5558 | |
wolfSSL | 13:f67a6c6013ca | 5559 | entry = (Base_entry*)XMALLOC(sizeof(Base_entry), heap, |
wolfSSL | 13:f67a6c6013ca | 5560 | DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5561 | if (entry == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5562 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 13:f67a6c6013ca | 5563 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5564 | } |
wolfSSL | 13:f67a6c6013ca | 5565 | |
wolfSSL | 13:f67a6c6013ca | 5566 | entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5567 | if (entry->name == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5568 | WOLFSSL_MSG("allocate error"); |
wolfSSL | 13:f67a6c6013ca | 5569 | XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME); |
wolfSSL | 13:f67a6c6013ca | 5570 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5571 | } |
wolfSSL | 13:f67a6c6013ca | 5572 | |
wolfSSL | 13:f67a6c6013ca | 5573 | XMEMCPY(entry->name, &input[nameIdx], strLength); |
wolfSSL | 13:f67a6c6013ca | 5574 | entry->nameSz = strLength; |
wolfSSL | 13:f67a6c6013ca | 5575 | entry->type = bType; |
wolfSSL | 13:f67a6c6013ca | 5576 | |
wolfSSL | 13:f67a6c6013ca | 5577 | entry->next = *head; |
wolfSSL | 13:f67a6c6013ca | 5578 | *head = entry; |
wolfSSL | 13:f67a6c6013ca | 5579 | } |
wolfSSL | 13:f67a6c6013ca | 5580 | |
wolfSSL | 13:f67a6c6013ca | 5581 | idx += seqLength; |
wolfSSL | 13:f67a6c6013ca | 5582 | } |
wolfSSL | 13:f67a6c6013ca | 5583 | |
wolfSSL | 13:f67a6c6013ca | 5584 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5585 | } |
wolfSSL | 13:f67a6c6013ca | 5586 | |
wolfSSL | 13:f67a6c6013ca | 5587 | |
wolfSSL | 13:f67a6c6013ca | 5588 | static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5589 | { |
wolfSSL | 13:f67a6c6013ca | 5590 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5591 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 5592 | |
wolfSSL | 13:f67a6c6013ca | 5593 | WOLFSSL_ENTER("DecodeNameConstraints"); |
wolfSSL | 13:f67a6c6013ca | 5594 | |
wolfSSL | 13:f67a6c6013ca | 5595 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5596 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5597 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5598 | } |
wolfSSL | 13:f67a6c6013ca | 5599 | |
wolfSSL | 13:f67a6c6013ca | 5600 | while (idx < (word32)sz) { |
wolfSSL | 13:f67a6c6013ca | 5601 | byte b = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 5602 | Base_entry** subtree = NULL; |
wolfSSL | 13:f67a6c6013ca | 5603 | |
wolfSSL | 13:f67a6c6013ca | 5604 | if (GetLength(input, &idx, &length, sz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 5605 | WOLFSSL_MSG("\tinvalid length"); |
wolfSSL | 13:f67a6c6013ca | 5606 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5607 | } |
wolfSSL | 13:f67a6c6013ca | 5608 | |
wolfSSL | 13:f67a6c6013ca | 5609 | if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) |
wolfSSL | 13:f67a6c6013ca | 5610 | subtree = &cert->permittedNames; |
wolfSSL | 13:f67a6c6013ca | 5611 | else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) |
wolfSSL | 13:f67a6c6013ca | 5612 | subtree = &cert->excludedNames; |
wolfSSL | 13:f67a6c6013ca | 5613 | else { |
wolfSSL | 13:f67a6c6013ca | 5614 | WOLFSSL_MSG("\tinvalid subtree"); |
wolfSSL | 13:f67a6c6013ca | 5615 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5616 | } |
wolfSSL | 13:f67a6c6013ca | 5617 | |
wolfSSL | 13:f67a6c6013ca | 5618 | DecodeSubtree(input + idx, length, subtree, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 5619 | |
wolfSSL | 13:f67a6c6013ca | 5620 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 5621 | } |
wolfSSL | 13:f67a6c6013ca | 5622 | |
wolfSSL | 13:f67a6c6013ca | 5623 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5624 | } |
wolfSSL | 13:f67a6c6013ca | 5625 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 5626 | |
wolfSSL | 13:f67a6c6013ca | 5627 | |
wolfSSL | 13:f67a6c6013ca | 5628 | #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP) |
wolfSSL | 13:f67a6c6013ca | 5629 | |
wolfSSL | 13:f67a6c6013ca | 5630 | static int Word32ToString(char* d, word32 number) |
wolfSSL | 13:f67a6c6013ca | 5631 | { |
wolfSSL | 13:f67a6c6013ca | 5632 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 5633 | |
wolfSSL | 13:f67a6c6013ca | 5634 | if (d != NULL) { |
wolfSSL | 13:f67a6c6013ca | 5635 | word32 order = 1000000000; |
wolfSSL | 13:f67a6c6013ca | 5636 | word32 digit; |
wolfSSL | 13:f67a6c6013ca | 5637 | |
wolfSSL | 13:f67a6c6013ca | 5638 | if (number == 0) { |
wolfSSL | 13:f67a6c6013ca | 5639 | d[i++] = '0'; |
wolfSSL | 13:f67a6c6013ca | 5640 | } |
wolfSSL | 13:f67a6c6013ca | 5641 | else { |
wolfSSL | 13:f67a6c6013ca | 5642 | while (order) { |
wolfSSL | 13:f67a6c6013ca | 5643 | digit = number / order; |
wolfSSL | 13:f67a6c6013ca | 5644 | if (i > 0 || digit != 0) { |
wolfSSL | 13:f67a6c6013ca | 5645 | d[i++] = (char)digit + '0'; |
wolfSSL | 13:f67a6c6013ca | 5646 | } |
wolfSSL | 13:f67a6c6013ca | 5647 | if (digit != 0) |
wolfSSL | 13:f67a6c6013ca | 5648 | number %= digit * order; |
wolfSSL | 13:f67a6c6013ca | 5649 | if (order > 1) |
wolfSSL | 13:f67a6c6013ca | 5650 | order /= 10; |
wolfSSL | 13:f67a6c6013ca | 5651 | else |
wolfSSL | 13:f67a6c6013ca | 5652 | order = 0; |
wolfSSL | 13:f67a6c6013ca | 5653 | } |
wolfSSL | 13:f67a6c6013ca | 5654 | } |
wolfSSL | 13:f67a6c6013ca | 5655 | d[i] = 0; |
wolfSSL | 13:f67a6c6013ca | 5656 | } |
wolfSSL | 13:f67a6c6013ca | 5657 | |
wolfSSL | 13:f67a6c6013ca | 5658 | return i; |
wolfSSL | 13:f67a6c6013ca | 5659 | } |
wolfSSL | 13:f67a6c6013ca | 5660 | |
wolfSSL | 13:f67a6c6013ca | 5661 | |
wolfSSL | 13:f67a6c6013ca | 5662 | /* Decode ITU-T X.690 OID format to a string representation |
wolfSSL | 13:f67a6c6013ca | 5663 | * return string length */ |
wolfSSL | 13:f67a6c6013ca | 5664 | static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 5665 | { |
wolfSSL | 13:f67a6c6013ca | 5666 | word32 val, idx = 0, nb_bytes; |
wolfSSL | 13:f67a6c6013ca | 5667 | size_t w_bytes = 0; |
wolfSSL | 13:f67a6c6013ca | 5668 | |
wolfSSL | 13:f67a6c6013ca | 5669 | if (out == NULL || in == NULL || outSz < 4 || inSz < 2) |
wolfSSL | 13:f67a6c6013ca | 5670 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 5671 | |
wolfSSL | 13:f67a6c6013ca | 5672 | /* first two byte must be interpreted as : 40 * int1 + int2 */ |
wolfSSL | 13:f67a6c6013ca | 5673 | val = (word16)in[idx++]; |
wolfSSL | 13:f67a6c6013ca | 5674 | |
wolfSSL | 13:f67a6c6013ca | 5675 | w_bytes = Word32ToString(out, val / 40); |
wolfSSL | 13:f67a6c6013ca | 5676 | out[w_bytes++] = '.'; |
wolfSSL | 13:f67a6c6013ca | 5677 | w_bytes += Word32ToString(out+w_bytes, val % 40); |
wolfSSL | 13:f67a6c6013ca | 5678 | |
wolfSSL | 13:f67a6c6013ca | 5679 | while (idx < inSz) { |
wolfSSL | 13:f67a6c6013ca | 5680 | /* init value */ |
wolfSSL | 13:f67a6c6013ca | 5681 | val = 0; |
wolfSSL | 13:f67a6c6013ca | 5682 | nb_bytes = 0; |
wolfSSL | 13:f67a6c6013ca | 5683 | |
wolfSSL | 13:f67a6c6013ca | 5684 | /* check that output size is ok */ |
wolfSSL | 13:f67a6c6013ca | 5685 | if (w_bytes > (outSz - 3)) |
wolfSSL | 13:f67a6c6013ca | 5686 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 5687 | |
wolfSSL | 13:f67a6c6013ca | 5688 | /* first bit is used to set if value is coded on 1 or multiple bytes */ |
wolfSSL | 13:f67a6c6013ca | 5689 | while ((in[idx+nb_bytes] & 0x80)) |
wolfSSL | 13:f67a6c6013ca | 5690 | nb_bytes++; |
wolfSSL | 13:f67a6c6013ca | 5691 | |
wolfSSL | 13:f67a6c6013ca | 5692 | if (!nb_bytes) |
wolfSSL | 13:f67a6c6013ca | 5693 | val = (word32)(in[idx++] & 0x7f); |
wolfSSL | 13:f67a6c6013ca | 5694 | else { |
wolfSSL | 13:f67a6c6013ca | 5695 | word32 base = 1, tmp = nb_bytes; |
wolfSSL | 13:f67a6c6013ca | 5696 | |
wolfSSL | 13:f67a6c6013ca | 5697 | while (tmp != 0) { |
wolfSSL | 13:f67a6c6013ca | 5698 | val += (word32)(in[idx+tmp] & 0x7f) * base; |
wolfSSL | 13:f67a6c6013ca | 5699 | base *= 128; |
wolfSSL | 13:f67a6c6013ca | 5700 | tmp--; |
wolfSSL | 13:f67a6c6013ca | 5701 | } |
wolfSSL | 13:f67a6c6013ca | 5702 | val += (word32)(in[idx++] & 0x7f) * base; |
wolfSSL | 13:f67a6c6013ca | 5703 | |
wolfSSL | 13:f67a6c6013ca | 5704 | idx += nb_bytes; |
wolfSSL | 13:f67a6c6013ca | 5705 | } |
wolfSSL | 13:f67a6c6013ca | 5706 | |
wolfSSL | 13:f67a6c6013ca | 5707 | out[w_bytes++] = '.'; |
wolfSSL | 13:f67a6c6013ca | 5708 | w_bytes += Word32ToString(out+w_bytes, val); |
wolfSSL | 13:f67a6c6013ca | 5709 | } |
wolfSSL | 13:f67a6c6013ca | 5710 | |
wolfSSL | 13:f67a6c6013ca | 5711 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5712 | } |
wolfSSL | 13:f67a6c6013ca | 5713 | #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */ |
wolfSSL | 13:f67a6c6013ca | 5714 | |
wolfSSL | 13:f67a6c6013ca | 5715 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 13:f67a6c6013ca | 5716 | /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */ |
wolfSSL | 13:f67a6c6013ca | 5717 | static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5718 | { |
wolfSSL | 13:f67a6c6013ca | 5719 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5720 | word32 oldIdx; |
wolfSSL | 13:f67a6c6013ca | 5721 | int ret; |
wolfSSL | 13:f67a6c6013ca | 5722 | int total_length = 0, policy_length = 0, length = 0; |
wolfSSL | 13:f67a6c6013ca | 5723 | #if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \ |
wolfSSL | 13:f67a6c6013ca | 5724 | !defined(WOLFSSL_DUP_CERTPOL) |
wolfSSL | 13:f67a6c6013ca | 5725 | int i; |
wolfSSL | 13:f67a6c6013ca | 5726 | #endif |
wolfSSL | 13:f67a6c6013ca | 5727 | |
wolfSSL | 13:f67a6c6013ca | 5728 | WOLFSSL_ENTER("DecodeCertPolicy"); |
wolfSSL | 13:f67a6c6013ca | 5729 | |
wolfSSL | 13:f67a6c6013ca | 5730 | if (GetSequence(input, &idx, &total_length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5731 | WOLFSSL_MSG("\tGet CertPolicy total seq failed"); |
wolfSSL | 13:f67a6c6013ca | 5732 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5733 | } |
wolfSSL | 13:f67a6c6013ca | 5734 | |
wolfSSL | 13:f67a6c6013ca | 5735 | /* Validate total length */ |
wolfSSL | 13:f67a6c6013ca | 5736 | if (total_length > (sz - (int)idx)) { |
wolfSSL | 13:f67a6c6013ca | 5737 | WOLFSSL_MSG("\tCertPolicy length mismatch"); |
wolfSSL | 13:f67a6c6013ca | 5738 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5739 | } |
wolfSSL | 13:f67a6c6013ca | 5740 | |
wolfSSL | 13:f67a6c6013ca | 5741 | /* Unwrap certificatePolicies */ |
wolfSSL | 13:f67a6c6013ca | 5742 | do { |
wolfSSL | 13:f67a6c6013ca | 5743 | if (GetSequence(input, &idx, &policy_length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5744 | WOLFSSL_MSG("\tGet CertPolicy seq failed"); |
wolfSSL | 13:f67a6c6013ca | 5745 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5746 | } |
wolfSSL | 13:f67a6c6013ca | 5747 | |
wolfSSL | 13:f67a6c6013ca | 5748 | oldIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 5749 | ret = GetASNObjectId(input, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 5750 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 5751 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5752 | policy_length -= idx - oldIdx; |
wolfSSL | 13:f67a6c6013ca | 5753 | |
wolfSSL | 13:f67a6c6013ca | 5754 | if (length > 0) { |
wolfSSL | 13:f67a6c6013ca | 5755 | /* Verify length won't overrun buffer */ |
wolfSSL | 13:f67a6c6013ca | 5756 | if (length > (sz - (int)idx)) { |
wolfSSL | 13:f67a6c6013ca | 5757 | WOLFSSL_MSG("\tCertPolicy length exceeds input buffer"); |
wolfSSL | 13:f67a6c6013ca | 5758 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5759 | } |
wolfSSL | 13:f67a6c6013ca | 5760 | |
wolfSSL | 13:f67a6c6013ca | 5761 | #if defined(WOLFSSL_SEP) |
wolfSSL | 13:f67a6c6013ca | 5762 | cert->deviceType = (byte*)XMALLOC(length, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 5763 | DYNAMIC_TYPE_X509_EXT); |
wolfSSL | 13:f67a6c6013ca | 5764 | if (cert->deviceType == NULL) { |
wolfSSL | 13:f67a6c6013ca | 5765 | WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); |
wolfSSL | 13:f67a6c6013ca | 5766 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 5767 | } |
wolfSSL | 13:f67a6c6013ca | 5768 | cert->deviceTypeSz = length; |
wolfSSL | 13:f67a6c6013ca | 5769 | XMEMCPY(cert->deviceType, input + idx, length); |
wolfSSL | 13:f67a6c6013ca | 5770 | break; |
wolfSSL | 13:f67a6c6013ca | 5771 | #elif defined(WOLFSSL_CERT_EXT) |
wolfSSL | 13:f67a6c6013ca | 5772 | /* decode cert policy */ |
wolfSSL | 13:f67a6c6013ca | 5773 | if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], |
wolfSSL | 13:f67a6c6013ca | 5774 | MAX_CERTPOL_SZ, input + idx, length) != 0) { |
wolfSSL | 13:f67a6c6013ca | 5775 | WOLFSSL_MSG("\tCouldn't decode CertPolicy"); |
wolfSSL | 13:f67a6c6013ca | 5776 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5777 | } |
wolfSSL | 13:f67a6c6013ca | 5778 | #ifndef WOLFSSL_DUP_CERTPOL |
wolfSSL | 13:f67a6c6013ca | 5779 | /* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST |
wolfSSL | 13:f67a6c6013ca | 5780 | * NOT appear more than once in a certificate policies |
wolfSSL | 13:f67a6c6013ca | 5781 | * extension". This is a sanity check for duplicates. |
wolfSSL | 13:f67a6c6013ca | 5782 | * extCertPolicies should only have OID values, additional |
wolfSSL | 13:f67a6c6013ca | 5783 | * qualifiers need to be stored in a seperate array. */ |
wolfSSL | 13:f67a6c6013ca | 5784 | for (i = 0; i < cert->extCertPoliciesNb; i++) { |
wolfSSL | 13:f67a6c6013ca | 5785 | if (XMEMCMP(cert->extCertPolicies[i], |
wolfSSL | 13:f67a6c6013ca | 5786 | cert->extCertPolicies[cert->extCertPoliciesNb], |
wolfSSL | 13:f67a6c6013ca | 5787 | MAX_CERTPOL_SZ) == 0) { |
wolfSSL | 13:f67a6c6013ca | 5788 | WOLFSSL_MSG("Duplicate policy OIDs not allowed"); |
wolfSSL | 13:f67a6c6013ca | 5789 | WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted"); |
wolfSSL | 13:f67a6c6013ca | 5790 | return CERTPOLICIES_E; |
wolfSSL | 13:f67a6c6013ca | 5791 | } |
wolfSSL | 13:f67a6c6013ca | 5792 | } |
wolfSSL | 13:f67a6c6013ca | 5793 | #endif /* !WOLFSSL_DUP_CERTPOL */ |
wolfSSL | 13:f67a6c6013ca | 5794 | cert->extCertPoliciesNb++; |
wolfSSL | 13:f67a6c6013ca | 5795 | #else |
wolfSSL | 13:f67a6c6013ca | 5796 | WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0); |
wolfSSL | 13:f67a6c6013ca | 5797 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5798 | #endif |
wolfSSL | 13:f67a6c6013ca | 5799 | } |
wolfSSL | 13:f67a6c6013ca | 5800 | idx += policy_length; |
wolfSSL | 13:f67a6c6013ca | 5801 | } while((int)idx < total_length |
wolfSSL | 13:f67a6c6013ca | 5802 | #if defined(WOLFSSL_CERT_EXT) |
wolfSSL | 13:f67a6c6013ca | 5803 | && cert->extCertPoliciesNb < MAX_CERTPOL_NB |
wolfSSL | 13:f67a6c6013ca | 5804 | #endif |
wolfSSL | 13:f67a6c6013ca | 5805 | ); |
wolfSSL | 13:f67a6c6013ca | 5806 | |
wolfSSL | 13:f67a6c6013ca | 5807 | WOLFSSL_LEAVE("DecodeCertPolicy", 0); |
wolfSSL | 13:f67a6c6013ca | 5808 | return 0; |
wolfSSL | 13:f67a6c6013ca | 5809 | } |
wolfSSL | 13:f67a6c6013ca | 5810 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 13:f67a6c6013ca | 5811 | |
wolfSSL | 13:f67a6c6013ca | 5812 | static int DecodeCertExtensions(DecodedCert* cert) |
wolfSSL | 13:f67a6c6013ca | 5813 | /* |
wolfSSL | 13:f67a6c6013ca | 5814 | * Processing the Certificate Extensions. This does not modify the current |
wolfSSL | 13:f67a6c6013ca | 5815 | * index. It is works starting with the recorded extensions pointer. |
wolfSSL | 13:f67a6c6013ca | 5816 | */ |
wolfSSL | 13:f67a6c6013ca | 5817 | { |
wolfSSL | 13:f67a6c6013ca | 5818 | int ret; |
wolfSSL | 13:f67a6c6013ca | 5819 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 5820 | int sz = cert->extensionsSz; |
wolfSSL | 13:f67a6c6013ca | 5821 | byte* input = cert->extensions; |
wolfSSL | 13:f67a6c6013ca | 5822 | int length; |
wolfSSL | 13:f67a6c6013ca | 5823 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 5824 | byte critical = 0; |
wolfSSL | 13:f67a6c6013ca | 5825 | byte criticalFail = 0; |
wolfSSL | 13:f67a6c6013ca | 5826 | |
wolfSSL | 13:f67a6c6013ca | 5827 | WOLFSSL_ENTER("DecodeCertExtensions"); |
wolfSSL | 13:f67a6c6013ca | 5828 | |
wolfSSL | 13:f67a6c6013ca | 5829 | if (input == NULL || sz == 0) |
wolfSSL | 13:f67a6c6013ca | 5830 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 5831 | |
wolfSSL | 13:f67a6c6013ca | 5832 | if (input[idx++] != ASN_EXTENSIONS) { |
wolfSSL | 13:f67a6c6013ca | 5833 | WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); |
wolfSSL | 13:f67a6c6013ca | 5834 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5835 | } |
wolfSSL | 13:f67a6c6013ca | 5836 | |
wolfSSL | 13:f67a6c6013ca | 5837 | if (GetLength(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5838 | WOLFSSL_MSG("\tfail: invalid length"); |
wolfSSL | 13:f67a6c6013ca | 5839 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5840 | } |
wolfSSL | 13:f67a6c6013ca | 5841 | |
wolfSSL | 13:f67a6c6013ca | 5842 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5843 | WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); |
wolfSSL | 13:f67a6c6013ca | 5844 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5845 | } |
wolfSSL | 13:f67a6c6013ca | 5846 | |
wolfSSL | 13:f67a6c6013ca | 5847 | while (idx < (word32)sz) { |
wolfSSL | 13:f67a6c6013ca | 5848 | if (GetSequence(input, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5849 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 5850 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5851 | } |
wolfSSL | 13:f67a6c6013ca | 5852 | |
wolfSSL | 13:f67a6c6013ca | 5853 | oid = 0; |
wolfSSL | 13:f67a6c6013ca | 5854 | if ((ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5855 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 13:f67a6c6013ca | 5856 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5857 | } |
wolfSSL | 13:f67a6c6013ca | 5858 | |
wolfSSL | 13:f67a6c6013ca | 5859 | /* check for critical flag */ |
wolfSSL | 13:f67a6c6013ca | 5860 | critical = 0; |
wolfSSL | 13:f67a6c6013ca | 5861 | if (input[idx] == ASN_BOOLEAN) { |
wolfSSL | 13:f67a6c6013ca | 5862 | ret = GetBoolean(input, &idx, sz); |
wolfSSL | 13:f67a6c6013ca | 5863 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 5864 | WOLFSSL_MSG("\tfail: critical boolean"); |
wolfSSL | 13:f67a6c6013ca | 5865 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5866 | } |
wolfSSL | 13:f67a6c6013ca | 5867 | |
wolfSSL | 13:f67a6c6013ca | 5868 | critical = (byte)ret; |
wolfSSL | 13:f67a6c6013ca | 5869 | } |
wolfSSL | 13:f67a6c6013ca | 5870 | |
wolfSSL | 13:f67a6c6013ca | 5871 | /* process the extension based on the OID */ |
wolfSSL | 13:f67a6c6013ca | 5872 | ret = GetOctetString(input, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 5873 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 5874 | WOLFSSL_MSG("\tfail: bad OCTET STRING"); |
wolfSSL | 13:f67a6c6013ca | 5875 | return ret; |
wolfSSL | 13:f67a6c6013ca | 5876 | } |
wolfSSL | 13:f67a6c6013ca | 5877 | |
wolfSSL | 13:f67a6c6013ca | 5878 | switch (oid) { |
wolfSSL | 13:f67a6c6013ca | 5879 | case BASIC_CA_OID: |
wolfSSL | 13:f67a6c6013ca | 5880 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5881 | cert->extBasicConstSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5882 | cert->extBasicConstCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5883 | #endif |
wolfSSL | 13:f67a6c6013ca | 5884 | if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5885 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5886 | break; |
wolfSSL | 13:f67a6c6013ca | 5887 | |
wolfSSL | 13:f67a6c6013ca | 5888 | case CRL_DIST_OID: |
wolfSSL | 13:f67a6c6013ca | 5889 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5890 | cert->extCRLdistSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5891 | cert->extCRLdistCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5892 | #endif |
wolfSSL | 13:f67a6c6013ca | 5893 | if (DecodeCrlDist(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5894 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5895 | break; |
wolfSSL | 13:f67a6c6013ca | 5896 | |
wolfSSL | 13:f67a6c6013ca | 5897 | case AUTH_INFO_OID: |
wolfSSL | 13:f67a6c6013ca | 5898 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5899 | cert->extAuthInfoSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5900 | cert->extAuthInfoCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5901 | #endif |
wolfSSL | 13:f67a6c6013ca | 5902 | if (DecodeAuthInfo(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5903 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5904 | break; |
wolfSSL | 13:f67a6c6013ca | 5905 | |
wolfSSL | 13:f67a6c6013ca | 5906 | case ALT_NAMES_OID: |
wolfSSL | 13:f67a6c6013ca | 5907 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5908 | cert->extSubjAltNameSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5909 | cert->extSubjAltNameCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5910 | #endif |
wolfSSL | 13:f67a6c6013ca | 5911 | if (DecodeAltNames(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5912 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5913 | break; |
wolfSSL | 13:f67a6c6013ca | 5914 | |
wolfSSL | 13:f67a6c6013ca | 5915 | case AUTH_KEY_OID: |
wolfSSL | 13:f67a6c6013ca | 5916 | cert->extAuthKeyIdSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5917 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5918 | cert->extAuthKeyIdCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5919 | #endif |
wolfSSL | 13:f67a6c6013ca | 5920 | if (DecodeAuthKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5921 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5922 | break; |
wolfSSL | 13:f67a6c6013ca | 5923 | |
wolfSSL | 13:f67a6c6013ca | 5924 | case SUBJ_KEY_OID: |
wolfSSL | 13:f67a6c6013ca | 5925 | cert->extSubjKeyIdSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5926 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5927 | cert->extSubjKeyIdCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5928 | #endif |
wolfSSL | 13:f67a6c6013ca | 5929 | #ifndef WOLFSSL_ALLOW_CRIT_SKID |
wolfSSL | 13:f67a6c6013ca | 5930 | /* This check is added due to RFC 5280 section 4.2.1.2 |
wolfSSL | 13:f67a6c6013ca | 5931 | * stating that conforming CA's must mark this extension |
wolfSSL | 13:f67a6c6013ca | 5932 | * as non-critical. When parsing extensions check that |
wolfSSL | 13:f67a6c6013ca | 5933 | * certificate was made in compliance with this. */ |
wolfSSL | 13:f67a6c6013ca | 5934 | if (critical) { |
wolfSSL | 13:f67a6c6013ca | 5935 | WOLFSSL_MSG("Critical Subject Key ID is not allowed"); |
wolfSSL | 13:f67a6c6013ca | 5936 | WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted"); |
wolfSSL | 13:f67a6c6013ca | 5937 | return ASN_CRIT_EXT_E; |
wolfSSL | 13:f67a6c6013ca | 5938 | } |
wolfSSL | 13:f67a6c6013ca | 5939 | #endif |
wolfSSL | 13:f67a6c6013ca | 5940 | |
wolfSSL | 13:f67a6c6013ca | 5941 | if (DecodeSubjKeyId(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5942 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5943 | break; |
wolfSSL | 13:f67a6c6013ca | 5944 | |
wolfSSL | 13:f67a6c6013ca | 5945 | case CERT_POLICY_OID: |
wolfSSL | 13:f67a6c6013ca | 5946 | #ifdef WOLFSSL_SEP |
wolfSSL | 13:f67a6c6013ca | 5947 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5948 | cert->extCertPolicySet = 1; |
wolfSSL | 13:f67a6c6013ca | 5949 | cert->extCertPolicyCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5950 | #endif |
wolfSSL | 13:f67a6c6013ca | 5951 | #endif |
wolfSSL | 13:f67a6c6013ca | 5952 | #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) |
wolfSSL | 13:f67a6c6013ca | 5953 | if (DecodeCertPolicy(&input[idx], length, cert) < 0) { |
wolfSSL | 13:f67a6c6013ca | 5954 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5955 | } |
wolfSSL | 13:f67a6c6013ca | 5956 | #else |
wolfSSL | 13:f67a6c6013ca | 5957 | WOLFSSL_MSG("Certificate Policy extension not supported yet."); |
wolfSSL | 13:f67a6c6013ca | 5958 | #endif |
wolfSSL | 13:f67a6c6013ca | 5959 | break; |
wolfSSL | 13:f67a6c6013ca | 5960 | |
wolfSSL | 13:f67a6c6013ca | 5961 | case KEY_USAGE_OID: |
wolfSSL | 13:f67a6c6013ca | 5962 | cert->extKeyUsageSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5963 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5964 | cert->extKeyUsageCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5965 | #endif |
wolfSSL | 13:f67a6c6013ca | 5966 | if (DecodeKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5967 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5968 | break; |
wolfSSL | 13:f67a6c6013ca | 5969 | |
wolfSSL | 13:f67a6c6013ca | 5970 | case EXT_KEY_USAGE_OID: |
wolfSSL | 13:f67a6c6013ca | 5971 | cert->extExtKeyUsageSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5972 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5973 | cert->extExtKeyUsageCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5974 | #endif |
wolfSSL | 13:f67a6c6013ca | 5975 | if (DecodeExtKeyUsage(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5976 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5977 | break; |
wolfSSL | 13:f67a6c6013ca | 5978 | |
wolfSSL | 13:f67a6c6013ca | 5979 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 5980 | case NAME_CONS_OID: |
wolfSSL | 13:f67a6c6013ca | 5981 | cert->extNameConstraintSet = 1; |
wolfSSL | 13:f67a6c6013ca | 5982 | #ifdef OPENSSL_EXTRA |
wolfSSL | 13:f67a6c6013ca | 5983 | cert->extNameConstraintCrit = critical; |
wolfSSL | 13:f67a6c6013ca | 5984 | #endif |
wolfSSL | 13:f67a6c6013ca | 5985 | if (DecodeNameConstraints(&input[idx], length, cert) < 0) |
wolfSSL | 13:f67a6c6013ca | 5986 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 5987 | break; |
wolfSSL | 13:f67a6c6013ca | 5988 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 5989 | |
wolfSSL | 13:f67a6c6013ca | 5990 | case INHIBIT_ANY_OID: |
wolfSSL | 13:f67a6c6013ca | 5991 | WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); |
wolfSSL | 13:f67a6c6013ca | 5992 | break; |
wolfSSL | 13:f67a6c6013ca | 5993 | |
wolfSSL | 13:f67a6c6013ca | 5994 | default: |
wolfSSL | 13:f67a6c6013ca | 5995 | /* While it is a failure to not support critical extensions, |
wolfSSL | 13:f67a6c6013ca | 5996 | * still parse the certificate ignoring the unsupported |
wolfSSL | 13:f67a6c6013ca | 5997 | * extension to allow caller to accept it with the verify |
wolfSSL | 13:f67a6c6013ca | 5998 | * callback. */ |
wolfSSL | 13:f67a6c6013ca | 5999 | if (critical) |
wolfSSL | 13:f67a6c6013ca | 6000 | criticalFail = 1; |
wolfSSL | 13:f67a6c6013ca | 6001 | break; |
wolfSSL | 13:f67a6c6013ca | 6002 | } |
wolfSSL | 13:f67a6c6013ca | 6003 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 6004 | } |
wolfSSL | 13:f67a6c6013ca | 6005 | |
wolfSSL | 13:f67a6c6013ca | 6006 | return criticalFail ? ASN_CRIT_EXT_E : 0; |
wolfSSL | 13:f67a6c6013ca | 6007 | } |
wolfSSL | 13:f67a6c6013ca | 6008 | |
wolfSSL | 13:f67a6c6013ca | 6009 | int ParseCert(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 13:f67a6c6013ca | 6010 | { |
wolfSSL | 13:f67a6c6013ca | 6011 | int ret; |
wolfSSL | 13:f67a6c6013ca | 6012 | char* ptr; |
wolfSSL | 13:f67a6c6013ca | 6013 | |
wolfSSL | 13:f67a6c6013ca | 6014 | ret = ParseCertRelative(cert, type, verify, cm); |
wolfSSL | 13:f67a6c6013ca | 6015 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 6016 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6017 | |
wolfSSL | 13:f67a6c6013ca | 6018 | if (cert->subjectCNLen > 0) { |
wolfSSL | 13:f67a6c6013ca | 6019 | ptr = (char*) XMALLOC(cert->subjectCNLen + 1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 6020 | DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 13:f67a6c6013ca | 6021 | if (ptr == NULL) |
wolfSSL | 13:f67a6c6013ca | 6022 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6023 | XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen); |
wolfSSL | 13:f67a6c6013ca | 6024 | ptr[cert->subjectCNLen] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6025 | cert->subjectCN = ptr; |
wolfSSL | 13:f67a6c6013ca | 6026 | cert->subjectCNStored = 1; |
wolfSSL | 13:f67a6c6013ca | 6027 | } |
wolfSSL | 13:f67a6c6013ca | 6028 | |
wolfSSL | 13:f67a6c6013ca | 6029 | if (cert->keyOID == RSAk && |
wolfSSL | 13:f67a6c6013ca | 6030 | cert->publicKey != NULL && cert->pubKeySize > 0) { |
wolfSSL | 13:f67a6c6013ca | 6031 | ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 6032 | DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 6033 | if (ptr == NULL) |
wolfSSL | 13:f67a6c6013ca | 6034 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6035 | XMEMCPY(ptr, cert->publicKey, cert->pubKeySize); |
wolfSSL | 13:f67a6c6013ca | 6036 | cert->publicKey = (byte *)ptr; |
wolfSSL | 13:f67a6c6013ca | 6037 | cert->pubKeyStored = 1; |
wolfSSL | 13:f67a6c6013ca | 6038 | } |
wolfSSL | 13:f67a6c6013ca | 6039 | |
wolfSSL | 13:f67a6c6013ca | 6040 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6041 | } |
wolfSSL | 13:f67a6c6013ca | 6042 | |
wolfSSL | 13:f67a6c6013ca | 6043 | /* from SSL proper, for locking can't do find here anymore */ |
wolfSSL | 13:f67a6c6013ca | 6044 | #ifdef __cplusplus |
wolfSSL | 13:f67a6c6013ca | 6045 | extern "C" { |
wolfSSL | 13:f67a6c6013ca | 6046 | #endif |
wolfSSL | 13:f67a6c6013ca | 6047 | WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash); |
wolfSSL | 13:f67a6c6013ca | 6048 | #ifndef NO_SKID |
wolfSSL | 13:f67a6c6013ca | 6049 | WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash); |
wolfSSL | 13:f67a6c6013ca | 6050 | #endif |
wolfSSL | 13:f67a6c6013ca | 6051 | #ifdef __cplusplus |
wolfSSL | 13:f67a6c6013ca | 6052 | } |
wolfSSL | 13:f67a6c6013ca | 6053 | #endif |
wolfSSL | 13:f67a6c6013ca | 6054 | |
wolfSSL | 13:f67a6c6013ca | 6055 | |
wolfSSL | 13:f67a6c6013ca | 6056 | #if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS) |
wolfSSL | 13:f67a6c6013ca | 6057 | |
wolfSSL | 13:f67a6c6013ca | 6058 | /* dummy functions, not using wolfSSL so don't need actual ones */ |
wolfSSL | 13:f67a6c6013ca | 6059 | Signer* GetCA(void* signers, byte* hash) |
wolfSSL | 13:f67a6c6013ca | 6060 | { |
wolfSSL | 13:f67a6c6013ca | 6061 | (void)hash; |
wolfSSL | 13:f67a6c6013ca | 6062 | |
wolfSSL | 13:f67a6c6013ca | 6063 | return (Signer*)signers; |
wolfSSL | 13:f67a6c6013ca | 6064 | } |
wolfSSL | 13:f67a6c6013ca | 6065 | |
wolfSSL | 13:f67a6c6013ca | 6066 | #ifndef NO_SKID |
wolfSSL | 13:f67a6c6013ca | 6067 | Signer* GetCAByName(void* signers, byte* hash) |
wolfSSL | 13:f67a6c6013ca | 6068 | { |
wolfSSL | 13:f67a6c6013ca | 6069 | (void)hash; |
wolfSSL | 13:f67a6c6013ca | 6070 | |
wolfSSL | 13:f67a6c6013ca | 6071 | return (Signer*)signers; |
wolfSSL | 13:f67a6c6013ca | 6072 | } |
wolfSSL | 13:f67a6c6013ca | 6073 | #endif /* NO_SKID */ |
wolfSSL | 13:f67a6c6013ca | 6074 | |
wolfSSL | 13:f67a6c6013ca | 6075 | #endif /* WOLFCRYPT_ONLY || NO_CERTS */ |
wolfSSL | 13:f67a6c6013ca | 6076 | |
wolfSSL | 13:f67a6c6013ca | 6077 | int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) |
wolfSSL | 13:f67a6c6013ca | 6078 | { |
wolfSSL | 13:f67a6c6013ca | 6079 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 6080 | int badDate = 0; |
wolfSSL | 13:f67a6c6013ca | 6081 | int criticalExt = 0; |
wolfSSL | 13:f67a6c6013ca | 6082 | word32 confirmOID; |
wolfSSL | 13:f67a6c6013ca | 6083 | |
wolfSSL | 13:f67a6c6013ca | 6084 | if (cert == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6085 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6086 | } |
wolfSSL | 13:f67a6c6013ca | 6087 | |
wolfSSL | 13:f67a6c6013ca | 6088 | if (cert->sigCtx.state == SIG_STATE_BEGIN) { |
wolfSSL | 13:f67a6c6013ca | 6089 | if ((ret = DecodeToKey(cert, verify)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 6090 | if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) |
wolfSSL | 13:f67a6c6013ca | 6091 | badDate = ret; |
wolfSSL | 13:f67a6c6013ca | 6092 | else |
wolfSSL | 13:f67a6c6013ca | 6093 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6094 | } |
wolfSSL | 13:f67a6c6013ca | 6095 | |
wolfSSL | 13:f67a6c6013ca | 6096 | WOLFSSL_MSG("Parsed Past Key"); |
wolfSSL | 13:f67a6c6013ca | 6097 | |
wolfSSL | 13:f67a6c6013ca | 6098 | if (cert->srcIdx < cert->sigIndex) { |
wolfSSL | 13:f67a6c6013ca | 6099 | #ifndef ALLOW_V1_EXTENSIONS |
wolfSSL | 13:f67a6c6013ca | 6100 | if (cert->version < 2) { |
wolfSSL | 13:f67a6c6013ca | 6101 | WOLFSSL_MSG("\tv1 and v2 certs not allowed extensions"); |
wolfSSL | 13:f67a6c6013ca | 6102 | return ASN_VERSION_E; |
wolfSSL | 13:f67a6c6013ca | 6103 | } |
wolfSSL | 13:f67a6c6013ca | 6104 | #endif |
wolfSSL | 13:f67a6c6013ca | 6105 | |
wolfSSL | 13:f67a6c6013ca | 6106 | /* save extensions */ |
wolfSSL | 13:f67a6c6013ca | 6107 | cert->extensions = &cert->source[cert->srcIdx]; |
wolfSSL | 13:f67a6c6013ca | 6108 | cert->extensionsSz = cert->sigIndex - cert->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 6109 | cert->extensionsIdx = cert->srcIdx; /* for potential later use */ |
wolfSSL | 13:f67a6c6013ca | 6110 | |
wolfSSL | 13:f67a6c6013ca | 6111 | if ((ret = DecodeCertExtensions(cert)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 6112 | if (ret == ASN_CRIT_EXT_E) |
wolfSSL | 13:f67a6c6013ca | 6113 | criticalExt = ret; |
wolfSSL | 13:f67a6c6013ca | 6114 | else |
wolfSSL | 13:f67a6c6013ca | 6115 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6116 | } |
wolfSSL | 13:f67a6c6013ca | 6117 | |
wolfSSL | 13:f67a6c6013ca | 6118 | /* advance past extensions */ |
wolfSSL | 13:f67a6c6013ca | 6119 | cert->srcIdx = cert->sigIndex; |
wolfSSL | 13:f67a6c6013ca | 6120 | } |
wolfSSL | 13:f67a6c6013ca | 6121 | |
wolfSSL | 13:f67a6c6013ca | 6122 | if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID, |
wolfSSL | 13:f67a6c6013ca | 6123 | oidSigType, cert->maxIdx)) < 0) |
wolfSSL | 13:f67a6c6013ca | 6124 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6125 | |
wolfSSL | 13:f67a6c6013ca | 6126 | if ((ret = GetSignature(cert)) < 0) |
wolfSSL | 13:f67a6c6013ca | 6127 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6128 | |
wolfSSL | 13:f67a6c6013ca | 6129 | if (confirmOID != cert->signatureOID) |
wolfSSL | 13:f67a6c6013ca | 6130 | return ASN_SIG_OID_E; |
wolfSSL | 13:f67a6c6013ca | 6131 | |
wolfSSL | 13:f67a6c6013ca | 6132 | #ifndef NO_SKID |
wolfSSL | 13:f67a6c6013ca | 6133 | if (cert->extSubjKeyIdSet == 0 && cert->publicKey != NULL && |
wolfSSL | 13:f67a6c6013ca | 6134 | cert->pubKeySize > 0) { |
wolfSSL | 13:f67a6c6013ca | 6135 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 6136 | ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 6137 | cert->extSubjKeyId); |
wolfSSL | 13:f67a6c6013ca | 6138 | #else |
wolfSSL | 13:f67a6c6013ca | 6139 | ret = wc_ShaHash(cert->publicKey, cert->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 6140 | cert->extSubjKeyId); |
wolfSSL | 13:f67a6c6013ca | 6141 | #endif /* NO_SHA */ |
wolfSSL | 13:f67a6c6013ca | 6142 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 6143 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6144 | } |
wolfSSL | 13:f67a6c6013ca | 6145 | #endif /* !NO_SKID */ |
wolfSSL | 13:f67a6c6013ca | 6146 | |
wolfSSL | 13:f67a6c6013ca | 6147 | if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6148 | cert->ca = NULL; |
wolfSSL | 13:f67a6c6013ca | 6149 | #ifndef NO_SKID |
wolfSSL | 13:f67a6c6013ca | 6150 | if (cert->extAuthKeyIdSet) |
wolfSSL | 13:f67a6c6013ca | 6151 | cert->ca = GetCA(cm, cert->extAuthKeyId); |
wolfSSL | 13:f67a6c6013ca | 6152 | if (cert->ca == NULL) |
wolfSSL | 13:f67a6c6013ca | 6153 | cert->ca = GetCAByName(cm, cert->issuerHash); |
wolfSSL | 13:f67a6c6013ca | 6154 | |
wolfSSL | 13:f67a6c6013ca | 6155 | /* alternate lookup method using subject and match on public key */ |
wolfSSL | 13:f67a6c6013ca | 6156 | #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY |
wolfSSL | 13:f67a6c6013ca | 6157 | if (cert->ca == NULL && verify == VERIFY_OCSP) { |
wolfSSL | 13:f67a6c6013ca | 6158 | if (cert->extSubjKeyIdSet) { |
wolfSSL | 13:f67a6c6013ca | 6159 | cert->ca = GetCA(cm, cert->extSubjKeyId); |
wolfSSL | 13:f67a6c6013ca | 6160 | } |
wolfSSL | 13:f67a6c6013ca | 6161 | if (cert->ca == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6162 | cert->ca = GetCAByName(cm, cert->subjectHash); |
wolfSSL | 13:f67a6c6013ca | 6163 | } |
wolfSSL | 13:f67a6c6013ca | 6164 | if (cert->ca) { |
wolfSSL | 13:f67a6c6013ca | 6165 | if ((cert->ca->pubKeySize == cert->pubKeySize) && |
wolfSSL | 13:f67a6c6013ca | 6166 | (XMEMCMP(cert->ca->publicKey, cert->publicKey, |
wolfSSL | 13:f67a6c6013ca | 6167 | cert->ca->pubKeySize) == 0)) { |
wolfSSL | 13:f67a6c6013ca | 6168 | ret = 0; /* success */ |
wolfSSL | 13:f67a6c6013ca | 6169 | goto exit_pcr; |
wolfSSL | 13:f67a6c6013ca | 6170 | } |
wolfSSL | 13:f67a6c6013ca | 6171 | } |
wolfSSL | 13:f67a6c6013ca | 6172 | } |
wolfSSL | 13:f67a6c6013ca | 6173 | #endif /* WOLFSSL_NO_TRUSTED_CERTS_VERIFY */ |
wolfSSL | 13:f67a6c6013ca | 6174 | #else |
wolfSSL | 13:f67a6c6013ca | 6175 | cert->ca = GetCA(cm, cert->issuerHash); |
wolfSSL | 13:f67a6c6013ca | 6176 | #endif /* !NO_SKID */ |
wolfSSL | 13:f67a6c6013ca | 6177 | |
wolfSSL | 13:f67a6c6013ca | 6178 | WOLFSSL_MSG("About to verify certificate signature"); |
wolfSSL | 13:f67a6c6013ca | 6179 | if (cert->ca) { |
wolfSSL | 13:f67a6c6013ca | 6180 | if (cert->isCA) { |
wolfSSL | 13:f67a6c6013ca | 6181 | if (cert->ca->pathLengthSet) { |
wolfSSL | 13:f67a6c6013ca | 6182 | if (cert->ca->pathLength == 0) { |
wolfSSL | 13:f67a6c6013ca | 6183 | WOLFSSL_MSG("CA with path length 0 signing a CA"); |
wolfSSL | 13:f67a6c6013ca | 6184 | return ASN_PATHLEN_INV_E; |
wolfSSL | 13:f67a6c6013ca | 6185 | } |
wolfSSL | 13:f67a6c6013ca | 6186 | if (cert->pathLengthSet && |
wolfSSL | 13:f67a6c6013ca | 6187 | cert->pathLength >= cert->ca->pathLength) { |
wolfSSL | 13:f67a6c6013ca | 6188 | |
wolfSSL | 13:f67a6c6013ca | 6189 | WOLFSSL_MSG("CA signing CA with longer path length"); |
wolfSSL | 13:f67a6c6013ca | 6190 | return ASN_PATHLEN_INV_E; |
wolfSSL | 13:f67a6c6013ca | 6191 | } |
wolfSSL | 13:f67a6c6013ca | 6192 | } |
wolfSSL | 13:f67a6c6013ca | 6193 | } |
wolfSSL | 13:f67a6c6013ca | 6194 | |
wolfSSL | 13:f67a6c6013ca | 6195 | #ifdef HAVE_OCSP |
wolfSSL | 13:f67a6c6013ca | 6196 | /* Need the CA's public key hash for OCSP */ |
wolfSSL | 13:f67a6c6013ca | 6197 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 6198 | ret = wc_Sha256Hash(cert->ca->publicKey, cert->ca->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 6199 | cert->issuerKeyHash); |
wolfSSL | 13:f67a6c6013ca | 6200 | #else |
wolfSSL | 13:f67a6c6013ca | 6201 | ret = wc_ShaHash(cert->ca->publicKey, cert->ca->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 6202 | cert->issuerKeyHash); |
wolfSSL | 13:f67a6c6013ca | 6203 | #endif /* NO_SHA */ |
wolfSSL | 13:f67a6c6013ca | 6204 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 6205 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6206 | #endif /* HAVE_OCSP */ |
wolfSSL | 13:f67a6c6013ca | 6207 | } |
wolfSSL | 13:f67a6c6013ca | 6208 | } |
wolfSSL | 13:f67a6c6013ca | 6209 | } |
wolfSSL | 13:f67a6c6013ca | 6210 | |
wolfSSL | 13:f67a6c6013ca | 6211 | if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6212 | if (cert->ca) { |
wolfSSL | 13:f67a6c6013ca | 6213 | if (verify == VERIFY || verify == VERIFY_OCSP) { |
wolfSSL | 13:f67a6c6013ca | 6214 | /* try to confirm/verify signature */ |
wolfSSL | 13:f67a6c6013ca | 6215 | if ((ret = ConfirmSignature(&cert->sigCtx, |
wolfSSL | 13:f67a6c6013ca | 6216 | cert->source + cert->certBegin, |
wolfSSL | 13:f67a6c6013ca | 6217 | cert->sigIndex - cert->certBegin, |
wolfSSL | 13:f67a6c6013ca | 6218 | cert->ca->publicKey, cert->ca->pubKeySize, |
wolfSSL | 13:f67a6c6013ca | 6219 | cert->ca->keyOID, cert->signature, |
wolfSSL | 13:f67a6c6013ca | 6220 | cert->sigLength, cert->signatureOID)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 6221 | if (ret != WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 6222 | WOLFSSL_MSG("Confirm signature failed"); |
wolfSSL | 13:f67a6c6013ca | 6223 | } |
wolfSSL | 13:f67a6c6013ca | 6224 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6225 | } |
wolfSSL | 13:f67a6c6013ca | 6226 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 6227 | /* check that this cert's name is permitted by the signer's |
wolfSSL | 13:f67a6c6013ca | 6228 | * name constraints */ |
wolfSSL | 13:f67a6c6013ca | 6229 | if (!ConfirmNameConstraints(cert->ca, cert)) { |
wolfSSL | 13:f67a6c6013ca | 6230 | WOLFSSL_MSG("Confirm name constraint failed"); |
wolfSSL | 13:f67a6c6013ca | 6231 | return ASN_NAME_INVALID_E; |
wolfSSL | 13:f67a6c6013ca | 6232 | } |
wolfSSL | 13:f67a6c6013ca | 6233 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 6234 | } |
wolfSSL | 13:f67a6c6013ca | 6235 | } |
wolfSSL | 13:f67a6c6013ca | 6236 | else { |
wolfSSL | 13:f67a6c6013ca | 6237 | /* no signer */ |
wolfSSL | 13:f67a6c6013ca | 6238 | WOLFSSL_MSG("No CA signer to verify with"); |
wolfSSL | 13:f67a6c6013ca | 6239 | return ASN_NO_SIGNER_E; |
wolfSSL | 13:f67a6c6013ca | 6240 | } |
wolfSSL | 13:f67a6c6013ca | 6241 | } |
wolfSSL | 13:f67a6c6013ca | 6242 | |
wolfSSL | 13:f67a6c6013ca | 6243 | #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY |
wolfSSL | 13:f67a6c6013ca | 6244 | exit_pcr: |
wolfSSL | 13:f67a6c6013ca | 6245 | #endif |
wolfSSL | 13:f67a6c6013ca | 6246 | |
wolfSSL | 13:f67a6c6013ca | 6247 | if (badDate != 0) |
wolfSSL | 13:f67a6c6013ca | 6248 | return badDate; |
wolfSSL | 13:f67a6c6013ca | 6249 | |
wolfSSL | 13:f67a6c6013ca | 6250 | if (criticalExt != 0) |
wolfSSL | 13:f67a6c6013ca | 6251 | return criticalExt; |
wolfSSL | 13:f67a6c6013ca | 6252 | |
wolfSSL | 13:f67a6c6013ca | 6253 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6254 | } |
wolfSSL | 13:f67a6c6013ca | 6255 | |
wolfSSL | 13:f67a6c6013ca | 6256 | /* Create and init an new signer */ |
wolfSSL | 13:f67a6c6013ca | 6257 | Signer* MakeSigner(void* heap) |
wolfSSL | 13:f67a6c6013ca | 6258 | { |
wolfSSL | 13:f67a6c6013ca | 6259 | Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap, |
wolfSSL | 13:f67a6c6013ca | 6260 | DYNAMIC_TYPE_SIGNER); |
wolfSSL | 13:f67a6c6013ca | 6261 | if (signer) { |
wolfSSL | 13:f67a6c6013ca | 6262 | signer->pubKeySize = 0; |
wolfSSL | 13:f67a6c6013ca | 6263 | signer->keyOID = 0; |
wolfSSL | 13:f67a6c6013ca | 6264 | signer->publicKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 6265 | signer->nameLen = 0; |
wolfSSL | 13:f67a6c6013ca | 6266 | signer->name = NULL; |
wolfSSL | 13:f67a6c6013ca | 6267 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 6268 | signer->permittedNames = NULL; |
wolfSSL | 13:f67a6c6013ca | 6269 | signer->excludedNames = NULL; |
wolfSSL | 13:f67a6c6013ca | 6270 | #endif /* IGNORE_NAME_CONSTRAINTS */ |
wolfSSL | 13:f67a6c6013ca | 6271 | signer->pathLengthSet = 0; |
wolfSSL | 13:f67a6c6013ca | 6272 | signer->pathLength = 0; |
wolfSSL | 13:f67a6c6013ca | 6273 | signer->next = NULL; |
wolfSSL | 13:f67a6c6013ca | 6274 | } |
wolfSSL | 13:f67a6c6013ca | 6275 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 6276 | |
wolfSSL | 13:f67a6c6013ca | 6277 | return signer; |
wolfSSL | 13:f67a6c6013ca | 6278 | } |
wolfSSL | 13:f67a6c6013ca | 6279 | |
wolfSSL | 13:f67a6c6013ca | 6280 | |
wolfSSL | 13:f67a6c6013ca | 6281 | /* Free an individual signer */ |
wolfSSL | 13:f67a6c6013ca | 6282 | void FreeSigner(Signer* signer, void* heap) |
wolfSSL | 13:f67a6c6013ca | 6283 | { |
wolfSSL | 13:f67a6c6013ca | 6284 | XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 13:f67a6c6013ca | 6285 | XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
wolfSSL | 13:f67a6c6013ca | 6286 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 6287 | if (signer->permittedNames) |
wolfSSL | 13:f67a6c6013ca | 6288 | FreeNameSubtrees(signer->permittedNames, heap); |
wolfSSL | 13:f67a6c6013ca | 6289 | if (signer->excludedNames) |
wolfSSL | 13:f67a6c6013ca | 6290 | FreeNameSubtrees(signer->excludedNames, heap); |
wolfSSL | 13:f67a6c6013ca | 6291 | #endif |
wolfSSL | 13:f67a6c6013ca | 6292 | XFREE(signer, heap, DYNAMIC_TYPE_SIGNER); |
wolfSSL | 13:f67a6c6013ca | 6293 | |
wolfSSL | 13:f67a6c6013ca | 6294 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 6295 | } |
wolfSSL | 13:f67a6c6013ca | 6296 | |
wolfSSL | 13:f67a6c6013ca | 6297 | |
wolfSSL | 13:f67a6c6013ca | 6298 | /* Free the whole singer table with number of rows */ |
wolfSSL | 13:f67a6c6013ca | 6299 | void FreeSignerTable(Signer** table, int rows, void* heap) |
wolfSSL | 13:f67a6c6013ca | 6300 | { |
wolfSSL | 13:f67a6c6013ca | 6301 | int i; |
wolfSSL | 13:f67a6c6013ca | 6302 | |
wolfSSL | 13:f67a6c6013ca | 6303 | for (i = 0; i < rows; i++) { |
wolfSSL | 13:f67a6c6013ca | 6304 | Signer* signer = table[i]; |
wolfSSL | 13:f67a6c6013ca | 6305 | while (signer) { |
wolfSSL | 13:f67a6c6013ca | 6306 | Signer* next = signer->next; |
wolfSSL | 13:f67a6c6013ca | 6307 | FreeSigner(signer, heap); |
wolfSSL | 13:f67a6c6013ca | 6308 | signer = next; |
wolfSSL | 13:f67a6c6013ca | 6309 | } |
wolfSSL | 13:f67a6c6013ca | 6310 | table[i] = NULL; |
wolfSSL | 13:f67a6c6013ca | 6311 | } |
wolfSSL | 13:f67a6c6013ca | 6312 | } |
wolfSSL | 13:f67a6c6013ca | 6313 | |
wolfSSL | 13:f67a6c6013ca | 6314 | #ifdef WOLFSSL_TRUST_PEER_CERT |
wolfSSL | 13:f67a6c6013ca | 6315 | /* Free an individual trusted peer cert */ |
wolfSSL | 13:f67a6c6013ca | 6316 | void FreeTrustedPeer(TrustedPeerCert* tp, void* heap) |
wolfSSL | 13:f67a6c6013ca | 6317 | { |
wolfSSL | 13:f67a6c6013ca | 6318 | if (tp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6319 | return; |
wolfSSL | 13:f67a6c6013ca | 6320 | } |
wolfSSL | 13:f67a6c6013ca | 6321 | |
wolfSSL | 13:f67a6c6013ca | 6322 | if (tp->name) { |
wolfSSL | 13:f67a6c6013ca | 6323 | XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN); |
wolfSSL | 13:f67a6c6013ca | 6324 | } |
wolfSSL | 13:f67a6c6013ca | 6325 | |
wolfSSL | 13:f67a6c6013ca | 6326 | if (tp->sig) { |
wolfSSL | 13:f67a6c6013ca | 6327 | XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 13:f67a6c6013ca | 6328 | } |
wolfSSL | 13:f67a6c6013ca | 6329 | #ifndef IGNORE_NAME_CONSTRAINTS |
wolfSSL | 13:f67a6c6013ca | 6330 | if (tp->permittedNames) |
wolfSSL | 13:f67a6c6013ca | 6331 | FreeNameSubtrees(tp->permittedNames, heap); |
wolfSSL | 13:f67a6c6013ca | 6332 | if (tp->excludedNames) |
wolfSSL | 13:f67a6c6013ca | 6333 | FreeNameSubtrees(tp->excludedNames, heap); |
wolfSSL | 13:f67a6c6013ca | 6334 | #endif |
wolfSSL | 13:f67a6c6013ca | 6335 | XFREE(tp, heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 6336 | |
wolfSSL | 13:f67a6c6013ca | 6337 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 6338 | } |
wolfSSL | 13:f67a6c6013ca | 6339 | |
wolfSSL | 13:f67a6c6013ca | 6340 | /* Free the whole Trusted Peer linked list */ |
wolfSSL | 13:f67a6c6013ca | 6341 | void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap) |
wolfSSL | 13:f67a6c6013ca | 6342 | { |
wolfSSL | 13:f67a6c6013ca | 6343 | int i; |
wolfSSL | 13:f67a6c6013ca | 6344 | |
wolfSSL | 13:f67a6c6013ca | 6345 | for (i = 0; i < rows; i++) { |
wolfSSL | 13:f67a6c6013ca | 6346 | TrustedPeerCert* tp = table[i]; |
wolfSSL | 13:f67a6c6013ca | 6347 | while (tp) { |
wolfSSL | 13:f67a6c6013ca | 6348 | TrustedPeerCert* next = tp->next; |
wolfSSL | 13:f67a6c6013ca | 6349 | FreeTrustedPeer(tp, heap); |
wolfSSL | 13:f67a6c6013ca | 6350 | tp = next; |
wolfSSL | 13:f67a6c6013ca | 6351 | } |
wolfSSL | 13:f67a6c6013ca | 6352 | table[i] = NULL; |
wolfSSL | 13:f67a6c6013ca | 6353 | } |
wolfSSL | 13:f67a6c6013ca | 6354 | } |
wolfSSL | 13:f67a6c6013ca | 6355 | #endif /* WOLFSSL_TRUST_PEER_CERT */ |
wolfSSL | 13:f67a6c6013ca | 6356 | |
wolfSSL | 13:f67a6c6013ca | 6357 | WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header) |
wolfSSL | 13:f67a6c6013ca | 6358 | { |
wolfSSL | 13:f67a6c6013ca | 6359 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 6360 | |
wolfSSL | 13:f67a6c6013ca | 6361 | if (output == NULL) |
wolfSSL | 13:f67a6c6013ca | 6362 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6363 | |
wolfSSL | 13:f67a6c6013ca | 6364 | if (header) { |
wolfSSL | 13:f67a6c6013ca | 6365 | output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED; |
wolfSSL | 13:f67a6c6013ca | 6366 | output[i++] = 3; |
wolfSSL | 13:f67a6c6013ca | 6367 | } |
wolfSSL | 13:f67a6c6013ca | 6368 | output[i++] = ASN_INTEGER; |
wolfSSL | 13:f67a6c6013ca | 6369 | output[i++] = 0x01; |
wolfSSL | 13:f67a6c6013ca | 6370 | output[i++] = (byte)version; |
wolfSSL | 13:f67a6c6013ca | 6371 | |
wolfSSL | 13:f67a6c6013ca | 6372 | return i; |
wolfSSL | 13:f67a6c6013ca | 6373 | } |
wolfSSL | 13:f67a6c6013ca | 6374 | |
wolfSSL | 13:f67a6c6013ca | 6375 | |
wolfSSL | 13:f67a6c6013ca | 6376 | WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) |
wolfSSL | 13:f67a6c6013ca | 6377 | { |
wolfSSL | 13:f67a6c6013ca | 6378 | int result = 0; |
wolfSSL | 13:f67a6c6013ca | 6379 | |
wolfSSL | 13:f67a6c6013ca | 6380 | WOLFSSL_ENTER("SetSerialNumber"); |
wolfSSL | 13:f67a6c6013ca | 6381 | |
wolfSSL | 13:f67a6c6013ca | 6382 | if (sn == NULL || output == NULL) |
wolfSSL | 13:f67a6c6013ca | 6383 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6384 | |
wolfSSL | 13:f67a6c6013ca | 6385 | if (snSz <= EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 6386 | output[0] = ASN_INTEGER; |
wolfSSL | 13:f67a6c6013ca | 6387 | /* The serial number is always positive. When encoding the |
wolfSSL | 13:f67a6c6013ca | 6388 | * INTEGER, if the MSB is 1, add a padding zero to keep the |
wolfSSL | 13:f67a6c6013ca | 6389 | * number positive. */ |
wolfSSL | 13:f67a6c6013ca | 6390 | if (sn[0] & 0x80) { |
wolfSSL | 13:f67a6c6013ca | 6391 | output[1] = (byte)snSz + 1; |
wolfSSL | 13:f67a6c6013ca | 6392 | output[2] = 0; |
wolfSSL | 13:f67a6c6013ca | 6393 | XMEMCPY(&output[3], sn, snSz); |
wolfSSL | 13:f67a6c6013ca | 6394 | result = snSz + 3; |
wolfSSL | 13:f67a6c6013ca | 6395 | } |
wolfSSL | 13:f67a6c6013ca | 6396 | else { |
wolfSSL | 13:f67a6c6013ca | 6397 | output[1] = (byte)snSz; |
wolfSSL | 13:f67a6c6013ca | 6398 | XMEMCPY(&output[2], sn, snSz); |
wolfSSL | 13:f67a6c6013ca | 6399 | result = snSz + 2; |
wolfSSL | 13:f67a6c6013ca | 6400 | } |
wolfSSL | 13:f67a6c6013ca | 6401 | } |
wolfSSL | 13:f67a6c6013ca | 6402 | return result; |
wolfSSL | 13:f67a6c6013ca | 6403 | } |
wolfSSL | 13:f67a6c6013ca | 6404 | |
wolfSSL | 13:f67a6c6013ca | 6405 | WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx, |
wolfSSL | 13:f67a6c6013ca | 6406 | byte* serial, int* serialSz, word32 maxIdx) |
wolfSSL | 13:f67a6c6013ca | 6407 | { |
wolfSSL | 13:f67a6c6013ca | 6408 | int result = 0; |
wolfSSL | 13:f67a6c6013ca | 6409 | int ret; |
wolfSSL | 13:f67a6c6013ca | 6410 | |
wolfSSL | 13:f67a6c6013ca | 6411 | WOLFSSL_ENTER("GetSerialNumber"); |
wolfSSL | 13:f67a6c6013ca | 6412 | |
wolfSSL | 13:f67a6c6013ca | 6413 | if (serial == NULL || input == NULL || serialSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6414 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6415 | } |
wolfSSL | 13:f67a6c6013ca | 6416 | |
wolfSSL | 13:f67a6c6013ca | 6417 | /* First byte is ASN type */ |
wolfSSL | 13:f67a6c6013ca | 6418 | if ((*inOutIdx+1) > maxIdx) { |
wolfSSL | 13:f67a6c6013ca | 6419 | WOLFSSL_MSG("Bad idx first"); |
wolfSSL | 13:f67a6c6013ca | 6420 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 6421 | } |
wolfSSL | 13:f67a6c6013ca | 6422 | |
wolfSSL | 13:f67a6c6013ca | 6423 | ret = GetASNInt(input, inOutIdx, serialSz, maxIdx); |
wolfSSL | 13:f67a6c6013ca | 6424 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 6425 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6426 | |
wolfSSL | 13:f67a6c6013ca | 6427 | if (*serialSz > EXTERNAL_SERIAL_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 6428 | WOLFSSL_MSG("Serial size bad"); |
wolfSSL | 13:f67a6c6013ca | 6429 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 6430 | } |
wolfSSL | 13:f67a6c6013ca | 6431 | |
wolfSSL | 13:f67a6c6013ca | 6432 | /* return serial */ |
wolfSSL | 13:f67a6c6013ca | 6433 | XMEMCPY(serial, &input[*inOutIdx], *serialSz); |
wolfSSL | 13:f67a6c6013ca | 6434 | *inOutIdx += *serialSz; |
wolfSSL | 13:f67a6c6013ca | 6435 | |
wolfSSL | 13:f67a6c6013ca | 6436 | return result; |
wolfSSL | 13:f67a6c6013ca | 6437 | } |
wolfSSL | 13:f67a6c6013ca | 6438 | |
wolfSSL | 13:f67a6c6013ca | 6439 | |
wolfSSL | 13:f67a6c6013ca | 6440 | |
wolfSSL | 13:f67a6c6013ca | 6441 | const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; |
wolfSSL | 13:f67a6c6013ca | 6442 | const char* END_CERT = "-----END CERTIFICATE-----"; |
wolfSSL | 13:f67a6c6013ca | 6443 | const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; |
wolfSSL | 13:f67a6c6013ca | 6444 | const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; |
wolfSSL | 13:f67a6c6013ca | 6445 | const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; |
wolfSSL | 13:f67a6c6013ca | 6446 | const char* END_DH_PARAM = "-----END DH PARAMETERS-----"; |
wolfSSL | 13:f67a6c6013ca | 6447 | const char* BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; |
wolfSSL | 13:f67a6c6013ca | 6448 | const char* END_DSA_PARAM = "-----END DSA PARAMETERS-----"; |
wolfSSL | 13:f67a6c6013ca | 6449 | const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; |
wolfSSL | 13:f67a6c6013ca | 6450 | const char* END_X509_CRL = "-----END X509 CRL-----"; |
wolfSSL | 13:f67a6c6013ca | 6451 | const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6452 | const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6453 | const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6454 | const char* END_PRIV_KEY = "-----END PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6455 | const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6456 | const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6457 | const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6458 | const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6459 | const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6460 | const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6461 | const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6462 | const char* END_PUB_KEY = "-----END PUBLIC KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6463 | const char* BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6464 | const char* END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; |
wolfSSL | 13:f67a6c6013ca | 6465 | |
wolfSSL | 13:f67a6c6013ca | 6466 | #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) |
wolfSSL | 13:f67a6c6013ca | 6467 | |
wolfSSL | 13:f67a6c6013ca | 6468 | /* Used for compatibility API */ |
wolfSSL | 13:f67a6c6013ca | 6469 | int wc_DerToPem(const byte* der, word32 derSz, |
wolfSSL | 13:f67a6c6013ca | 6470 | byte* output, word32 outSz, int type) |
wolfSSL | 13:f67a6c6013ca | 6471 | { |
wolfSSL | 13:f67a6c6013ca | 6472 | return wc_DerToPemEx(der, derSz, output, outSz, NULL, type); |
wolfSSL | 13:f67a6c6013ca | 6473 | } |
wolfSSL | 13:f67a6c6013ca | 6474 | |
wolfSSL | 13:f67a6c6013ca | 6475 | /* convert der buffer to pem into output, can't do inplace, der and output |
wolfSSL | 13:f67a6c6013ca | 6476 | need to be different */ |
wolfSSL | 13:f67a6c6013ca | 6477 | int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, |
wolfSSL | 13:f67a6c6013ca | 6478 | byte *cipher_info, int type) |
wolfSSL | 13:f67a6c6013ca | 6479 | { |
wolfSSL | 13:f67a6c6013ca | 6480 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6481 | char* header = NULL; |
wolfSSL | 13:f67a6c6013ca | 6482 | char* footer = NULL; |
wolfSSL | 13:f67a6c6013ca | 6483 | #else |
wolfSSL | 13:f67a6c6013ca | 6484 | char header[40 + HEADER_ENCRYPTED_KEY_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 6485 | char footer[40]; |
wolfSSL | 13:f67a6c6013ca | 6486 | #endif |
wolfSSL | 13:f67a6c6013ca | 6487 | |
wolfSSL | 13:f67a6c6013ca | 6488 | int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE; |
wolfSSL | 13:f67a6c6013ca | 6489 | int footerLen = 40; |
wolfSSL | 13:f67a6c6013ca | 6490 | int i; |
wolfSSL | 13:f67a6c6013ca | 6491 | int err; |
wolfSSL | 13:f67a6c6013ca | 6492 | int outLen; /* return length or error */ |
wolfSSL | 13:f67a6c6013ca | 6493 | |
wolfSSL | 13:f67a6c6013ca | 6494 | if (der == output) /* no in place conversion */ |
wolfSSL | 13:f67a6c6013ca | 6495 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6496 | |
wolfSSL | 13:f67a6c6013ca | 6497 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6498 | header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6499 | if (header == NULL) |
wolfSSL | 13:f67a6c6013ca | 6500 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6501 | |
wolfSSL | 13:f67a6c6013ca | 6502 | footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6503 | if (footer == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6504 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6505 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6506 | } |
wolfSSL | 13:f67a6c6013ca | 6507 | #endif |
wolfSSL | 13:f67a6c6013ca | 6508 | if (type == CERT_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6509 | XSTRNCPY(header, BEGIN_CERT, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6510 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6511 | |
wolfSSL | 13:f67a6c6013ca | 6512 | XSTRNCPY(footer, END_CERT, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6513 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6514 | } |
wolfSSL | 13:f67a6c6013ca | 6515 | else if (type == PRIVATEKEY_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6516 | XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6517 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6518 | |
wolfSSL | 13:f67a6c6013ca | 6519 | XSTRNCPY(footer, END_RSA_PRIV, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6520 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6521 | } |
wolfSSL | 13:f67a6c6013ca | 6522 | #ifndef NO_DSA |
wolfSSL | 13:f67a6c6013ca | 6523 | else if (type == DSA_PRIVATEKEY_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6524 | XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6525 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6526 | |
wolfSSL | 13:f67a6c6013ca | 6527 | XSTRNCPY(footer, END_DSA_PRIV, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6528 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6529 | } |
wolfSSL | 13:f67a6c6013ca | 6530 | #endif |
wolfSSL | 13:f67a6c6013ca | 6531 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 6532 | else if (type == ECC_PRIVATEKEY_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6533 | XSTRNCPY(header, BEGIN_EC_PRIV, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6534 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6535 | |
wolfSSL | 13:f67a6c6013ca | 6536 | XSTRNCPY(footer, END_EC_PRIV, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6537 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6538 | } |
wolfSSL | 13:f67a6c6013ca | 6539 | #endif |
wolfSSL | 13:f67a6c6013ca | 6540 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 6541 | else if (type == EDDSA_PRIVATEKEY_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 6542 | XSTRNCPY(header, BEGIN_EDDSA_PRIV, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6543 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6544 | |
wolfSSL | 13:f67a6c6013ca | 6545 | XSTRNCPY(footer, END_EDDSA_PRIV, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6546 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6547 | } |
wolfSSL | 13:f67a6c6013ca | 6548 | #endif |
wolfSSL | 13:f67a6c6013ca | 6549 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 6550 | else if (type == CERTREQ_TYPE) |
wolfSSL | 13:f67a6c6013ca | 6551 | { |
wolfSSL | 13:f67a6c6013ca | 6552 | XSTRNCPY(header, BEGIN_CERT_REQ, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6553 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6554 | |
wolfSSL | 13:f67a6c6013ca | 6555 | XSTRNCPY(footer, END_CERT_REQ, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6556 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6557 | } |
wolfSSL | 13:f67a6c6013ca | 6558 | #endif |
wolfSSL | 13:f67a6c6013ca | 6559 | #ifdef HAVE_CRL |
wolfSSL | 13:f67a6c6013ca | 6560 | else if (type == CRL_TYPE) |
wolfSSL | 13:f67a6c6013ca | 6561 | { |
wolfSSL | 13:f67a6c6013ca | 6562 | XSTRNCPY(header, BEGIN_X509_CRL, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6563 | XSTRNCAT(header, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6564 | |
wolfSSL | 13:f67a6c6013ca | 6565 | XSTRNCPY(footer, END_X509_CRL, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6566 | XSTRNCAT(footer, "\n", 1); |
wolfSSL | 13:f67a6c6013ca | 6567 | } |
wolfSSL | 13:f67a6c6013ca | 6568 | #endif |
wolfSSL | 13:f67a6c6013ca | 6569 | else { |
wolfSSL | 13:f67a6c6013ca | 6570 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6571 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6572 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6573 | #endif |
wolfSSL | 13:f67a6c6013ca | 6574 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6575 | } |
wolfSSL | 13:f67a6c6013ca | 6576 | |
wolfSSL | 13:f67a6c6013ca | 6577 | /* extra header information for encrypted key */ |
wolfSSL | 13:f67a6c6013ca | 6578 | if (cipher_info != NULL) { |
wolfSSL | 13:f67a6c6013ca | 6579 | size_t cipherInfoStrLen = XSTRLEN((char*)cipher_info); |
wolfSSL | 13:f67a6c6013ca | 6580 | if (cipherInfoStrLen > HEADER_ENCRYPTED_KEY_SIZE - (23+10+2)) |
wolfSSL | 13:f67a6c6013ca | 6581 | cipherInfoStrLen = HEADER_ENCRYPTED_KEY_SIZE - (23+10+2); |
wolfSSL | 13:f67a6c6013ca | 6582 | |
wolfSSL | 13:f67a6c6013ca | 6583 | XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23); |
wolfSSL | 13:f67a6c6013ca | 6584 | XSTRNCAT(header, "DEK-Info: ", 10); |
wolfSSL | 13:f67a6c6013ca | 6585 | XSTRNCAT(header, (char*)cipher_info, cipherInfoStrLen); |
wolfSSL | 13:f67a6c6013ca | 6586 | XSTRNCAT(header, "\n\n", 2); |
wolfSSL | 13:f67a6c6013ca | 6587 | } |
wolfSSL | 13:f67a6c6013ca | 6588 | |
wolfSSL | 13:f67a6c6013ca | 6589 | headerLen = (int)XSTRLEN(header); |
wolfSSL | 13:f67a6c6013ca | 6590 | footerLen = (int)XSTRLEN(footer); |
wolfSSL | 13:f67a6c6013ca | 6591 | |
wolfSSL | 13:f67a6c6013ca | 6592 | /* if null output and 0 size passed in then return size needed */ |
wolfSSL | 13:f67a6c6013ca | 6593 | if (!output && outSz == 0) { |
wolfSSL | 13:f67a6c6013ca | 6594 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6595 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6596 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6597 | #endif |
wolfSSL | 13:f67a6c6013ca | 6598 | outLen = 0; |
wolfSSL | 13:f67a6c6013ca | 6599 | if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen)) |
wolfSSL | 13:f67a6c6013ca | 6600 | != LENGTH_ONLY_E) { |
wolfSSL | 13:f67a6c6013ca | 6601 | return err; |
wolfSSL | 13:f67a6c6013ca | 6602 | } |
wolfSSL | 13:f67a6c6013ca | 6603 | return headerLen + footerLen + outLen; |
wolfSSL | 13:f67a6c6013ca | 6604 | } |
wolfSSL | 13:f67a6c6013ca | 6605 | |
wolfSSL | 13:f67a6c6013ca | 6606 | if (!der || !output) { |
wolfSSL | 13:f67a6c6013ca | 6607 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6608 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6609 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6610 | #endif |
wolfSSL | 13:f67a6c6013ca | 6611 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6612 | } |
wolfSSL | 13:f67a6c6013ca | 6613 | |
wolfSSL | 13:f67a6c6013ca | 6614 | /* don't even try if outSz too short */ |
wolfSSL | 13:f67a6c6013ca | 6615 | if (outSz < headerLen + footerLen + derSz) { |
wolfSSL | 13:f67a6c6013ca | 6616 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6617 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6618 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6619 | #endif |
wolfSSL | 13:f67a6c6013ca | 6620 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6621 | } |
wolfSSL | 13:f67a6c6013ca | 6622 | |
wolfSSL | 13:f67a6c6013ca | 6623 | /* header */ |
wolfSSL | 13:f67a6c6013ca | 6624 | XMEMCPY(output, header, headerLen); |
wolfSSL | 13:f67a6c6013ca | 6625 | i = headerLen; |
wolfSSL | 13:f67a6c6013ca | 6626 | |
wolfSSL | 13:f67a6c6013ca | 6627 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6628 | XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6629 | #endif |
wolfSSL | 13:f67a6c6013ca | 6630 | |
wolfSSL | 13:f67a6c6013ca | 6631 | /* body */ |
wolfSSL | 13:f67a6c6013ca | 6632 | outLen = outSz - (headerLen + footerLen); /* input to Base64_Encode */ |
wolfSSL | 13:f67a6c6013ca | 6633 | if ( (err = Base64_Encode(der, derSz, output + i, (word32*)&outLen)) < 0) { |
wolfSSL | 13:f67a6c6013ca | 6634 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6635 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6636 | #endif |
wolfSSL | 13:f67a6c6013ca | 6637 | return err; |
wolfSSL | 13:f67a6c6013ca | 6638 | } |
wolfSSL | 13:f67a6c6013ca | 6639 | i += outLen; |
wolfSSL | 13:f67a6c6013ca | 6640 | |
wolfSSL | 13:f67a6c6013ca | 6641 | /* footer */ |
wolfSSL | 13:f67a6c6013ca | 6642 | if ( (i + footerLen) > (int)outSz) { |
wolfSSL | 13:f67a6c6013ca | 6643 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6644 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6645 | #endif |
wolfSSL | 13:f67a6c6013ca | 6646 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6647 | } |
wolfSSL | 13:f67a6c6013ca | 6648 | XMEMCPY(output + i, footer, footerLen); |
wolfSSL | 13:f67a6c6013ca | 6649 | |
wolfSSL | 13:f67a6c6013ca | 6650 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6651 | XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6652 | #endif |
wolfSSL | 13:f67a6c6013ca | 6653 | |
wolfSSL | 13:f67a6c6013ca | 6654 | return outLen + headerLen + footerLen; |
wolfSSL | 13:f67a6c6013ca | 6655 | } |
wolfSSL | 13:f67a6c6013ca | 6656 | |
wolfSSL | 13:f67a6c6013ca | 6657 | #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 6658 | |
wolfSSL | 13:f67a6c6013ca | 6659 | #if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))) |
wolfSSL | 13:f67a6c6013ca | 6660 | /* USER RSA ifdef portions used instead of refactor in consideration for |
wolfSSL | 13:f67a6c6013ca | 6661 | possible fips build */ |
wolfSSL | 13:f67a6c6013ca | 6662 | /* Write a public RSA key to output */ |
wolfSSL | 13:f67a6c6013ca | 6663 | static int SetRsaPublicKey(byte* output, RsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 6664 | int outLen, int with_header) |
wolfSSL | 13:f67a6c6013ca | 6665 | { |
wolfSSL | 13:f67a6c6013ca | 6666 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6667 | byte* n = NULL; |
wolfSSL | 13:f67a6c6013ca | 6668 | byte* e = NULL; |
wolfSSL | 13:f67a6c6013ca | 6669 | #else |
wolfSSL | 13:f67a6c6013ca | 6670 | byte n[MAX_RSA_INT_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6671 | byte e[MAX_RSA_E_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6672 | #endif |
wolfSSL | 13:f67a6c6013ca | 6673 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6674 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 13:f67a6c6013ca | 6675 | int nSz; |
wolfSSL | 13:f67a6c6013ca | 6676 | int eSz; |
wolfSSL | 13:f67a6c6013ca | 6677 | int seqSz; |
wolfSSL | 13:f67a6c6013ca | 6678 | int bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 6679 | int idx; |
wolfSSL | 13:f67a6c6013ca | 6680 | |
wolfSSL | 13:f67a6c6013ca | 6681 | if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) |
wolfSSL | 13:f67a6c6013ca | 6682 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6683 | |
wolfSSL | 13:f67a6c6013ca | 6684 | /* n */ |
wolfSSL | 13:f67a6c6013ca | 6685 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6686 | n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6687 | if (n == NULL) |
wolfSSL | 13:f67a6c6013ca | 6688 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6689 | #endif |
wolfSSL | 13:f67a6c6013ca | 6690 | |
wolfSSL | 13:f67a6c6013ca | 6691 | #ifdef HAVE_USER_RSA |
wolfSSL | 13:f67a6c6013ca | 6692 | nSz = SetASNIntRSA(key->n, n); |
wolfSSL | 13:f67a6c6013ca | 6693 | #else |
wolfSSL | 13:f67a6c6013ca | 6694 | nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, n); |
wolfSSL | 13:f67a6c6013ca | 6695 | #endif |
wolfSSL | 13:f67a6c6013ca | 6696 | if (nSz < 0) { |
wolfSSL | 13:f67a6c6013ca | 6697 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6698 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6699 | #endif |
wolfSSL | 13:f67a6c6013ca | 6700 | return nSz; |
wolfSSL | 13:f67a6c6013ca | 6701 | } |
wolfSSL | 13:f67a6c6013ca | 6702 | |
wolfSSL | 13:f67a6c6013ca | 6703 | /* e */ |
wolfSSL | 13:f67a6c6013ca | 6704 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6705 | e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6706 | if (e == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6707 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6708 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6709 | #endif |
wolfSSL | 13:f67a6c6013ca | 6710 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6711 | } |
wolfSSL | 13:f67a6c6013ca | 6712 | #endif |
wolfSSL | 13:f67a6c6013ca | 6713 | |
wolfSSL | 13:f67a6c6013ca | 6714 | #ifdef HAVE_USER_RSA |
wolfSSL | 13:f67a6c6013ca | 6715 | eSz = SetASNIntRSA(key->e, e); |
wolfSSL | 13:f67a6c6013ca | 6716 | #else |
wolfSSL | 13:f67a6c6013ca | 6717 | eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, e); |
wolfSSL | 13:f67a6c6013ca | 6718 | #endif |
wolfSSL | 13:f67a6c6013ca | 6719 | if (eSz < 0) { |
wolfSSL | 13:f67a6c6013ca | 6720 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6721 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6722 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6723 | #endif |
wolfSSL | 13:f67a6c6013ca | 6724 | return eSz; |
wolfSSL | 13:f67a6c6013ca | 6725 | } |
wolfSSL | 13:f67a6c6013ca | 6726 | |
wolfSSL | 13:f67a6c6013ca | 6727 | seqSz = SetSequence(nSz + eSz, seq); |
wolfSSL | 13:f67a6c6013ca | 6728 | |
wolfSSL | 13:f67a6c6013ca | 6729 | /* check output size */ |
wolfSSL | 13:f67a6c6013ca | 6730 | if ( (seqSz + nSz + eSz) > outLen) { |
wolfSSL | 13:f67a6c6013ca | 6731 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6732 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6733 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6734 | #endif |
wolfSSL | 13:f67a6c6013ca | 6735 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 6736 | } |
wolfSSL | 13:f67a6c6013ca | 6737 | |
wolfSSL | 13:f67a6c6013ca | 6738 | /* headers */ |
wolfSSL | 13:f67a6c6013ca | 6739 | if (with_header) { |
wolfSSL | 13:f67a6c6013ca | 6740 | int algoSz; |
wolfSSL | 13:f67a6c6013ca | 6741 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6742 | byte* algo = NULL; |
wolfSSL | 13:f67a6c6013ca | 6743 | |
wolfSSL | 13:f67a6c6013ca | 6744 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6745 | if (algo == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6746 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6747 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6748 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6749 | } |
wolfSSL | 13:f67a6c6013ca | 6750 | #else |
wolfSSL | 13:f67a6c6013ca | 6751 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6752 | #endif |
wolfSSL | 13:f67a6c6013ca | 6753 | algoSz = SetAlgoID(RSAk, algo, oidKeyType, 0); |
wolfSSL | 13:f67a6c6013ca | 6754 | bitStringSz = SetBitString(seqSz + nSz + eSz, 0, bitString); |
wolfSSL | 13:f67a6c6013ca | 6755 | |
wolfSSL | 13:f67a6c6013ca | 6756 | idx = SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, output); |
wolfSSL | 13:f67a6c6013ca | 6757 | |
wolfSSL | 13:f67a6c6013ca | 6758 | /* check output size */ |
wolfSSL | 13:f67a6c6013ca | 6759 | if ( (idx + algoSz + bitStringSz + seqSz + nSz + eSz) > outLen) { |
wolfSSL | 13:f67a6c6013ca | 6760 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6761 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6762 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6763 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6764 | #endif |
wolfSSL | 13:f67a6c6013ca | 6765 | |
wolfSSL | 13:f67a6c6013ca | 6766 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 6767 | } |
wolfSSL | 13:f67a6c6013ca | 6768 | |
wolfSSL | 13:f67a6c6013ca | 6769 | /* algo */ |
wolfSSL | 13:f67a6c6013ca | 6770 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 13:f67a6c6013ca | 6771 | idx += algoSz; |
wolfSSL | 13:f67a6c6013ca | 6772 | /* bit string */ |
wolfSSL | 13:f67a6c6013ca | 6773 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 13:f67a6c6013ca | 6774 | idx += bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 6775 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6776 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6777 | #endif |
wolfSSL | 13:f67a6c6013ca | 6778 | } |
wolfSSL | 13:f67a6c6013ca | 6779 | else |
wolfSSL | 13:f67a6c6013ca | 6780 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 6781 | |
wolfSSL | 13:f67a6c6013ca | 6782 | /* seq */ |
wolfSSL | 13:f67a6c6013ca | 6783 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 6784 | idx += seqSz; |
wolfSSL | 13:f67a6c6013ca | 6785 | /* n */ |
wolfSSL | 13:f67a6c6013ca | 6786 | XMEMCPY(output + idx, n, nSz); |
wolfSSL | 13:f67a6c6013ca | 6787 | idx += nSz; |
wolfSSL | 13:f67a6c6013ca | 6788 | /* e */ |
wolfSSL | 13:f67a6c6013ca | 6789 | XMEMCPY(output + idx, e, eSz); |
wolfSSL | 13:f67a6c6013ca | 6790 | idx += eSz; |
wolfSSL | 13:f67a6c6013ca | 6791 | |
wolfSSL | 13:f67a6c6013ca | 6792 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 6793 | XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6794 | XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 6795 | #endif |
wolfSSL | 13:f67a6c6013ca | 6796 | |
wolfSSL | 13:f67a6c6013ca | 6797 | return idx; |
wolfSSL | 13:f67a6c6013ca | 6798 | } |
wolfSSL | 13:f67a6c6013ca | 6799 | #endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN && |
wolfSSL | 13:f67a6c6013ca | 6800 | !HAVE_USER_RSA))) */ |
wolfSSL | 13:f67a6c6013ca | 6801 | |
wolfSSL | 13:f67a6c6013ca | 6802 | |
wolfSSL | 13:f67a6c6013ca | 6803 | #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) |
wolfSSL | 13:f67a6c6013ca | 6804 | |
wolfSSL | 13:f67a6c6013ca | 6805 | |
wolfSSL | 13:f67a6c6013ca | 6806 | static mp_int* GetRsaInt(RsaKey* key, int idx) |
wolfSSL | 13:f67a6c6013ca | 6807 | { |
wolfSSL | 13:f67a6c6013ca | 6808 | if (idx == 0) |
wolfSSL | 13:f67a6c6013ca | 6809 | return &key->n; |
wolfSSL | 13:f67a6c6013ca | 6810 | if (idx == 1) |
wolfSSL | 13:f67a6c6013ca | 6811 | return &key->e; |
wolfSSL | 13:f67a6c6013ca | 6812 | if (idx == 2) |
wolfSSL | 13:f67a6c6013ca | 6813 | return &key->d; |
wolfSSL | 13:f67a6c6013ca | 6814 | if (idx == 3) |
wolfSSL | 13:f67a6c6013ca | 6815 | return &key->p; |
wolfSSL | 13:f67a6c6013ca | 6816 | if (idx == 4) |
wolfSSL | 13:f67a6c6013ca | 6817 | return &key->q; |
wolfSSL | 13:f67a6c6013ca | 6818 | if (idx == 5) |
wolfSSL | 13:f67a6c6013ca | 6819 | return &key->dP; |
wolfSSL | 13:f67a6c6013ca | 6820 | if (idx == 6) |
wolfSSL | 13:f67a6c6013ca | 6821 | return &key->dQ; |
wolfSSL | 13:f67a6c6013ca | 6822 | if (idx == 7) |
wolfSSL | 13:f67a6c6013ca | 6823 | return &key->u; |
wolfSSL | 13:f67a6c6013ca | 6824 | |
wolfSSL | 13:f67a6c6013ca | 6825 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 6826 | } |
wolfSSL | 13:f67a6c6013ca | 6827 | |
wolfSSL | 13:f67a6c6013ca | 6828 | |
wolfSSL | 13:f67a6c6013ca | 6829 | /* Release Tmp RSA resources */ |
wolfSSL | 13:f67a6c6013ca | 6830 | static INLINE void FreeTmpRsas(byte** tmps, void* heap) |
wolfSSL | 13:f67a6c6013ca | 6831 | { |
wolfSSL | 13:f67a6c6013ca | 6832 | int i; |
wolfSSL | 13:f67a6c6013ca | 6833 | |
wolfSSL | 13:f67a6c6013ca | 6834 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 6835 | |
wolfSSL | 13:f67a6c6013ca | 6836 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 13:f67a6c6013ca | 6837 | XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 6838 | } |
wolfSSL | 13:f67a6c6013ca | 6839 | |
wolfSSL | 13:f67a6c6013ca | 6840 | |
wolfSSL | 13:f67a6c6013ca | 6841 | /* Convert RsaKey key to DER format, write to output (inLen), return bytes |
wolfSSL | 13:f67a6c6013ca | 6842 | written */ |
wolfSSL | 13:f67a6c6013ca | 6843 | int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 6844 | { |
wolfSSL | 13:f67a6c6013ca | 6845 | word32 seqSz, verSz, rawLen, intTotalLen = 0; |
wolfSSL | 13:f67a6c6013ca | 6846 | word32 sizes[RSA_INTS]; |
wolfSSL | 13:f67a6c6013ca | 6847 | int i, j, outLen, ret = 0, mpSz; |
wolfSSL | 13:f67a6c6013ca | 6848 | |
wolfSSL | 13:f67a6c6013ca | 6849 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6850 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 13:f67a6c6013ca | 6851 | byte* tmps[RSA_INTS]; |
wolfSSL | 13:f67a6c6013ca | 6852 | |
wolfSSL | 13:f67a6c6013ca | 6853 | if (!key || !output) |
wolfSSL | 13:f67a6c6013ca | 6854 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6855 | |
wolfSSL | 13:f67a6c6013ca | 6856 | if (key->type != RSA_PRIVATE) |
wolfSSL | 13:f67a6c6013ca | 6857 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6858 | |
wolfSSL | 13:f67a6c6013ca | 6859 | for (i = 0; i < RSA_INTS; i++) |
wolfSSL | 13:f67a6c6013ca | 6860 | tmps[i] = NULL; |
wolfSSL | 13:f67a6c6013ca | 6861 | |
wolfSSL | 13:f67a6c6013ca | 6862 | /* write all big ints from key to DER tmps */ |
wolfSSL | 13:f67a6c6013ca | 6863 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 13:f67a6c6013ca | 6864 | mp_int* keyInt = GetRsaInt(key, i); |
wolfSSL | 13:f67a6c6013ca | 6865 | |
wolfSSL | 13:f67a6c6013ca | 6866 | rawLen = mp_unsigned_bin_size(keyInt) + 1; |
wolfSSL | 13:f67a6c6013ca | 6867 | tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, |
wolfSSL | 13:f67a6c6013ca | 6868 | DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 6869 | if (tmps[i] == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6870 | ret = MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 6871 | break; |
wolfSSL | 13:f67a6c6013ca | 6872 | } |
wolfSSL | 13:f67a6c6013ca | 6873 | |
wolfSSL | 13:f67a6c6013ca | 6874 | mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]); |
wolfSSL | 13:f67a6c6013ca | 6875 | if (mpSz < 0) { |
wolfSSL | 13:f67a6c6013ca | 6876 | ret = mpSz; |
wolfSSL | 13:f67a6c6013ca | 6877 | break; |
wolfSSL | 13:f67a6c6013ca | 6878 | } |
wolfSSL | 13:f67a6c6013ca | 6879 | intTotalLen += (sizes[i] = mpSz); |
wolfSSL | 13:f67a6c6013ca | 6880 | } |
wolfSSL | 13:f67a6c6013ca | 6881 | |
wolfSSL | 13:f67a6c6013ca | 6882 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 6883 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 13:f67a6c6013ca | 6884 | return ret; |
wolfSSL | 13:f67a6c6013ca | 6885 | } |
wolfSSL | 13:f67a6c6013ca | 6886 | |
wolfSSL | 13:f67a6c6013ca | 6887 | /* make headers */ |
wolfSSL | 13:f67a6c6013ca | 6888 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 13:f67a6c6013ca | 6889 | seqSz = SetSequence(verSz + intTotalLen, seq); |
wolfSSL | 13:f67a6c6013ca | 6890 | |
wolfSSL | 13:f67a6c6013ca | 6891 | outLen = seqSz + verSz + intTotalLen; |
wolfSSL | 13:f67a6c6013ca | 6892 | if (outLen > (int)inLen) |
wolfSSL | 13:f67a6c6013ca | 6893 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6894 | |
wolfSSL | 13:f67a6c6013ca | 6895 | /* write to output */ |
wolfSSL | 13:f67a6c6013ca | 6896 | XMEMCPY(output, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 6897 | j = seqSz; |
wolfSSL | 13:f67a6c6013ca | 6898 | XMEMCPY(output + j, ver, verSz); |
wolfSSL | 13:f67a6c6013ca | 6899 | j += verSz; |
wolfSSL | 13:f67a6c6013ca | 6900 | |
wolfSSL | 13:f67a6c6013ca | 6901 | for (i = 0; i < RSA_INTS; i++) { |
wolfSSL | 13:f67a6c6013ca | 6902 | XMEMCPY(output + j, tmps[i], sizes[i]); |
wolfSSL | 13:f67a6c6013ca | 6903 | j += sizes[i]; |
wolfSSL | 13:f67a6c6013ca | 6904 | } |
wolfSSL | 13:f67a6c6013ca | 6905 | FreeTmpRsas(tmps, key->heap); |
wolfSSL | 13:f67a6c6013ca | 6906 | |
wolfSSL | 13:f67a6c6013ca | 6907 | return outLen; |
wolfSSL | 13:f67a6c6013ca | 6908 | } |
wolfSSL | 13:f67a6c6013ca | 6909 | |
wolfSSL | 13:f67a6c6013ca | 6910 | |
wolfSSL | 13:f67a6c6013ca | 6911 | /* Convert Rsa Public key to DER format, write to output (inLen), return bytes |
wolfSSL | 13:f67a6c6013ca | 6912 | written */ |
wolfSSL | 13:f67a6c6013ca | 6913 | int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 6914 | { |
wolfSSL | 13:f67a6c6013ca | 6915 | return SetRsaPublicKey(output, key, inLen, 1); |
wolfSSL | 13:f67a6c6013ca | 6916 | } |
wolfSSL | 13:f67a6c6013ca | 6917 | |
wolfSSL | 13:f67a6c6013ca | 6918 | #endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA */ |
wolfSSL | 13:f67a6c6013ca | 6919 | |
wolfSSL | 13:f67a6c6013ca | 6920 | |
wolfSSL | 13:f67a6c6013ca | 6921 | #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) |
wolfSSL | 13:f67a6c6013ca | 6922 | |
wolfSSL | 13:f67a6c6013ca | 6923 | /* Initialize and Set Certificate defaults: |
wolfSSL | 13:f67a6c6013ca | 6924 | version = 3 (0x2) |
wolfSSL | 13:f67a6c6013ca | 6925 | serial = 0 |
wolfSSL | 13:f67a6c6013ca | 6926 | sigType = SHA_WITH_RSA |
wolfSSL | 13:f67a6c6013ca | 6927 | issuer = blank |
wolfSSL | 13:f67a6c6013ca | 6928 | daysValid = 500 |
wolfSSL | 13:f67a6c6013ca | 6929 | selfSigned = 1 (true) use subject as issuer |
wolfSSL | 13:f67a6c6013ca | 6930 | subject = blank |
wolfSSL | 13:f67a6c6013ca | 6931 | */ |
wolfSSL | 13:f67a6c6013ca | 6932 | int wc_InitCert(Cert* cert) |
wolfSSL | 13:f67a6c6013ca | 6933 | { |
wolfSSL | 13:f67a6c6013ca | 6934 | if (cert == NULL) { |
wolfSSL | 13:f67a6c6013ca | 6935 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 6936 | } |
wolfSSL | 13:f67a6c6013ca | 6937 | |
wolfSSL | 13:f67a6c6013ca | 6938 | cert->version = 2; /* version 3 is hex 2 */ |
wolfSSL | 13:f67a6c6013ca | 6939 | cert->sigType = CTC_SHAwRSA; |
wolfSSL | 13:f67a6c6013ca | 6940 | cert->daysValid = 500; |
wolfSSL | 13:f67a6c6013ca | 6941 | cert->selfSigned = 1; |
wolfSSL | 13:f67a6c6013ca | 6942 | cert->isCA = 0; |
wolfSSL | 13:f67a6c6013ca | 6943 | cert->bodySz = 0; |
wolfSSL | 13:f67a6c6013ca | 6944 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 6945 | cert->altNamesSz = 0; |
wolfSSL | 13:f67a6c6013ca | 6946 | cert->beforeDateSz = 0; |
wolfSSL | 13:f67a6c6013ca | 6947 | cert->afterDateSz = 0; |
wolfSSL | 13:f67a6c6013ca | 6948 | #endif |
wolfSSL | 13:f67a6c6013ca | 6949 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 6950 | cert->skidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 6951 | cert->akidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 6952 | cert->keyUsage = 0; |
wolfSSL | 13:f67a6c6013ca | 6953 | cert->certPoliciesNb = 0; |
wolfSSL | 13:f67a6c6013ca | 6954 | XMEMSET(cert->akid, 0, CTC_MAX_AKID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 6955 | XMEMSET(cert->skid, 0, CTC_MAX_SKID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 6956 | XMEMSET(cert->certPolicies, 0, CTC_MAX_CERTPOL_NB*CTC_MAX_CERTPOL_SZ); |
wolfSSL | 13:f67a6c6013ca | 6957 | #endif |
wolfSSL | 13:f67a6c6013ca | 6958 | cert->keyType = RSA_KEY; |
wolfSSL | 13:f67a6c6013ca | 6959 | XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE); |
wolfSSL | 13:f67a6c6013ca | 6960 | |
wolfSSL | 13:f67a6c6013ca | 6961 | cert->issuer.country[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6962 | cert->issuer.countryEnc = CTC_PRINTABLE; |
wolfSSL | 13:f67a6c6013ca | 6963 | cert->issuer.state[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6964 | cert->issuer.stateEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6965 | cert->issuer.locality[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6966 | cert->issuer.localityEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6967 | cert->issuer.sur[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6968 | cert->issuer.surEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6969 | cert->issuer.org[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6970 | cert->issuer.orgEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6971 | cert->issuer.unit[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6972 | cert->issuer.unitEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6973 | cert->issuer.commonName[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6974 | cert->issuer.commonNameEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6975 | cert->issuer.email[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6976 | |
wolfSSL | 13:f67a6c6013ca | 6977 | cert->subject.country[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6978 | cert->subject.countryEnc = CTC_PRINTABLE; |
wolfSSL | 13:f67a6c6013ca | 6979 | cert->subject.state[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6980 | cert->subject.stateEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6981 | cert->subject.locality[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6982 | cert->subject.localityEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6983 | cert->subject.sur[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6984 | cert->subject.surEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6985 | cert->subject.org[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6986 | cert->subject.orgEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6987 | cert->subject.unit[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6988 | cert->subject.unitEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6989 | cert->subject.commonName[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6990 | cert->subject.commonNameEnc = CTC_UTF8; |
wolfSSL | 13:f67a6c6013ca | 6991 | cert->subject.email[0] = '\0'; |
wolfSSL | 13:f67a6c6013ca | 6992 | |
wolfSSL | 13:f67a6c6013ca | 6993 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 6994 | cert->challengePw[0] ='\0'; |
wolfSSL | 13:f67a6c6013ca | 6995 | #endif |
wolfSSL | 13:f67a6c6013ca | 6996 | #ifdef WOLFSSL_HEAP_TEST |
wolfSSL | 13:f67a6c6013ca | 6997 | cert->heap = (void*)WOLFSSL_HEAP_TEST; |
wolfSSL | 13:f67a6c6013ca | 6998 | #else |
wolfSSL | 13:f67a6c6013ca | 6999 | cert->heap = NULL; |
wolfSSL | 13:f67a6c6013ca | 7000 | #endif |
wolfSSL | 13:f67a6c6013ca | 7001 | |
wolfSSL | 13:f67a6c6013ca | 7002 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7003 | } |
wolfSSL | 13:f67a6c6013ca | 7004 | |
wolfSSL | 13:f67a6c6013ca | 7005 | |
wolfSSL | 13:f67a6c6013ca | 7006 | /* DER encoded x509 Certificate */ |
wolfSSL | 13:f67a6c6013ca | 7007 | typedef struct DerCert { |
wolfSSL | 13:f67a6c6013ca | 7008 | byte size[MAX_LENGTH_SZ]; /* length encoded */ |
wolfSSL | 13:f67a6c6013ca | 7009 | byte version[MAX_VERSION_SZ]; /* version encoded */ |
wolfSSL | 13:f67a6c6013ca | 7010 | byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */ |
wolfSSL | 13:f67a6c6013ca | 7011 | byte sigAlgo[MAX_ALGO_SZ]; /* signature algo encoded */ |
wolfSSL | 13:f67a6c6013ca | 7012 | byte issuer[ASN_NAME_MAX]; /* issuer encoded */ |
wolfSSL | 13:f67a6c6013ca | 7013 | byte subject[ASN_NAME_MAX]; /* subject encoded */ |
wolfSSL | 13:f67a6c6013ca | 7014 | byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */ |
wolfSSL | 13:f67a6c6013ca | 7015 | byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */ |
wolfSSL | 13:f67a6c6013ca | 7016 | byte ca[MAX_CA_SZ]; /* basic constraint CA true size */ |
wolfSSL | 13:f67a6c6013ca | 7017 | byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ |
wolfSSL | 13:f67a6c6013ca | 7018 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 7019 | byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ |
wolfSSL | 13:f67a6c6013ca | 7020 | byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ |
wolfSSL | 13:f67a6c6013ca | 7021 | byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ |
wolfSSL | 13:f67a6c6013ca | 7022 | byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ |
wolfSSL | 13:f67a6c6013ca | 7023 | #endif |
wolfSSL | 13:f67a6c6013ca | 7024 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 7025 | byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ |
wolfSSL | 13:f67a6c6013ca | 7026 | #endif |
wolfSSL | 13:f67a6c6013ca | 7027 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 7028 | byte altNames[CTC_MAX_ALT_SIZE]; /* Alternative Names encoded */ |
wolfSSL | 13:f67a6c6013ca | 7029 | #endif |
wolfSSL | 13:f67a6c6013ca | 7030 | int sizeSz; /* encoded size length */ |
wolfSSL | 13:f67a6c6013ca | 7031 | int versionSz; /* encoded version length */ |
wolfSSL | 13:f67a6c6013ca | 7032 | int serialSz; /* encoded serial length */ |
wolfSSL | 13:f67a6c6013ca | 7033 | int sigAlgoSz; /* encoded sig alog length */ |
wolfSSL | 13:f67a6c6013ca | 7034 | int issuerSz; /* encoded issuer length */ |
wolfSSL | 13:f67a6c6013ca | 7035 | int subjectSz; /* encoded subject length */ |
wolfSSL | 13:f67a6c6013ca | 7036 | int validitySz; /* encoded validity length */ |
wolfSSL | 13:f67a6c6013ca | 7037 | int publicKeySz; /* encoded public key length */ |
wolfSSL | 13:f67a6c6013ca | 7038 | int caSz; /* encoded CA extension length */ |
wolfSSL | 13:f67a6c6013ca | 7039 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 7040 | int skidSz; /* encoded SKID extension length */ |
wolfSSL | 13:f67a6c6013ca | 7041 | int akidSz; /* encoded SKID extension length */ |
wolfSSL | 13:f67a6c6013ca | 7042 | int keyUsageSz; /* encoded KeyUsage extension length */ |
wolfSSL | 13:f67a6c6013ca | 7043 | int certPoliciesSz; /* encoded CertPolicies extension length*/ |
wolfSSL | 13:f67a6c6013ca | 7044 | #endif |
wolfSSL | 13:f67a6c6013ca | 7045 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 7046 | int altNamesSz; /* encoded AltNames extension length */ |
wolfSSL | 13:f67a6c6013ca | 7047 | #endif |
wolfSSL | 13:f67a6c6013ca | 7048 | int extensionsSz; /* encoded extensions total length */ |
wolfSSL | 13:f67a6c6013ca | 7049 | int total; /* total encoded lengths */ |
wolfSSL | 13:f67a6c6013ca | 7050 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 7051 | int attribSz; |
wolfSSL | 13:f67a6c6013ca | 7052 | #endif |
wolfSSL | 13:f67a6c6013ca | 7053 | } DerCert; |
wolfSSL | 13:f67a6c6013ca | 7054 | |
wolfSSL | 13:f67a6c6013ca | 7055 | |
wolfSSL | 13:f67a6c6013ca | 7056 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 7057 | |
wolfSSL | 13:f67a6c6013ca | 7058 | /* Write a set header to output */ |
wolfSSL | 13:f67a6c6013ca | 7059 | static word32 SetUTF8String(word32 len, byte* output) |
wolfSSL | 13:f67a6c6013ca | 7060 | { |
wolfSSL | 13:f67a6c6013ca | 7061 | output[0] = ASN_UTF8STRING; |
wolfSSL | 13:f67a6c6013ca | 7062 | return SetLength(len, output + 1) + 1; |
wolfSSL | 13:f67a6c6013ca | 7063 | } |
wolfSSL | 13:f67a6c6013ca | 7064 | |
wolfSSL | 13:f67a6c6013ca | 7065 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 13:f67a6c6013ca | 7066 | |
wolfSSL | 13:f67a6c6013ca | 7067 | |
wolfSSL | 13:f67a6c6013ca | 7068 | /* Write a serial number to output */ |
wolfSSL | 13:f67a6c6013ca | 7069 | static int SetSerial(const byte* serial, byte* output) |
wolfSSL | 13:f67a6c6013ca | 7070 | { |
wolfSSL | 13:f67a6c6013ca | 7071 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 7072 | |
wolfSSL | 13:f67a6c6013ca | 7073 | output[length++] = ASN_INTEGER; |
wolfSSL | 13:f67a6c6013ca | 7074 | length += SetLength(CTC_SERIAL_SIZE, &output[length]); |
wolfSSL | 13:f67a6c6013ca | 7075 | XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE); |
wolfSSL | 13:f67a6c6013ca | 7076 | |
wolfSSL | 13:f67a6c6013ca | 7077 | return length + CTC_SERIAL_SIZE; |
wolfSSL | 13:f67a6c6013ca | 7078 | } |
wolfSSL | 13:f67a6c6013ca | 7079 | |
wolfSSL | 13:f67a6c6013ca | 7080 | #endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */ |
wolfSSL | 13:f67a6c6013ca | 7081 | #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 13:f67a6c6013ca | 7082 | |
wolfSSL | 13:f67a6c6013ca | 7083 | /* Write a public ECC key to output */ |
wolfSSL | 13:f67a6c6013ca | 7084 | static int SetEccPublicKey(byte* output, ecc_key* key, int with_header) |
wolfSSL | 13:f67a6c6013ca | 7085 | { |
wolfSSL | 13:f67a6c6013ca | 7086 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 13:f67a6c6013ca | 7087 | int algoSz; |
wolfSSL | 13:f67a6c6013ca | 7088 | int curveSz; |
wolfSSL | 13:f67a6c6013ca | 7089 | int bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 7090 | int idx; |
wolfSSL | 13:f67a6c6013ca | 7091 | word32 pubSz = ECC_BUFSIZE; |
wolfSSL | 13:f67a6c6013ca | 7092 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7093 | byte* algo = NULL; |
wolfSSL | 13:f67a6c6013ca | 7094 | byte* curve = NULL; |
wolfSSL | 13:f67a6c6013ca | 7095 | byte* pub = NULL; |
wolfSSL | 13:f67a6c6013ca | 7096 | #else |
wolfSSL | 13:f67a6c6013ca | 7097 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7098 | byte curve[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7099 | byte pub[ECC_BUFSIZE]; |
wolfSSL | 13:f67a6c6013ca | 7100 | #endif |
wolfSSL | 13:f67a6c6013ca | 7101 | |
wolfSSL | 13:f67a6c6013ca | 7102 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7103 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7104 | if (pub == NULL) |
wolfSSL | 13:f67a6c6013ca | 7105 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7106 | #endif |
wolfSSL | 13:f67a6c6013ca | 7107 | |
wolfSSL | 13:f67a6c6013ca | 7108 | int ret = wc_ecc_export_x963(key, pub, &pubSz); |
wolfSSL | 13:f67a6c6013ca | 7109 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 7110 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7111 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7112 | #endif |
wolfSSL | 13:f67a6c6013ca | 7113 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7114 | } |
wolfSSL | 13:f67a6c6013ca | 7115 | |
wolfSSL | 13:f67a6c6013ca | 7116 | /* headers */ |
wolfSSL | 13:f67a6c6013ca | 7117 | if (with_header) { |
wolfSSL | 13:f67a6c6013ca | 7118 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7119 | curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7120 | if (curve == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7121 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7122 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7123 | } |
wolfSSL | 13:f67a6c6013ca | 7124 | #endif |
wolfSSL | 13:f67a6c6013ca | 7125 | curveSz = SetCurve(key, curve); |
wolfSSL | 13:f67a6c6013ca | 7126 | if (curveSz <= 0) { |
wolfSSL | 13:f67a6c6013ca | 7127 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7128 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7129 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7130 | #endif |
wolfSSL | 13:f67a6c6013ca | 7131 | return curveSz; |
wolfSSL | 13:f67a6c6013ca | 7132 | } |
wolfSSL | 13:f67a6c6013ca | 7133 | |
wolfSSL | 13:f67a6c6013ca | 7134 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7135 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7136 | if (algo == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7137 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7138 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7139 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7140 | } |
wolfSSL | 13:f67a6c6013ca | 7141 | #endif |
wolfSSL | 13:f67a6c6013ca | 7142 | algoSz = SetAlgoID(ECDSAk, algo, oidKeyType, curveSz); |
wolfSSL | 13:f67a6c6013ca | 7143 | |
wolfSSL | 13:f67a6c6013ca | 7144 | bitStringSz = SetBitString(pubSz, 0, bitString); |
wolfSSL | 13:f67a6c6013ca | 7145 | |
wolfSSL | 13:f67a6c6013ca | 7146 | idx = SetSequence(pubSz + curveSz + bitStringSz + algoSz, output); |
wolfSSL | 13:f67a6c6013ca | 7147 | /* algo */ |
wolfSSL | 13:f67a6c6013ca | 7148 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 13:f67a6c6013ca | 7149 | idx += algoSz; |
wolfSSL | 13:f67a6c6013ca | 7150 | /* curve */ |
wolfSSL | 13:f67a6c6013ca | 7151 | XMEMCPY(output + idx, curve, curveSz); |
wolfSSL | 13:f67a6c6013ca | 7152 | idx += curveSz; |
wolfSSL | 13:f67a6c6013ca | 7153 | /* bit string */ |
wolfSSL | 13:f67a6c6013ca | 7154 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 13:f67a6c6013ca | 7155 | idx += bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 7156 | } |
wolfSSL | 13:f67a6c6013ca | 7157 | else |
wolfSSL | 13:f67a6c6013ca | 7158 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 7159 | |
wolfSSL | 13:f67a6c6013ca | 7160 | /* pub */ |
wolfSSL | 13:f67a6c6013ca | 7161 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 13:f67a6c6013ca | 7162 | idx += pubSz; |
wolfSSL | 13:f67a6c6013ca | 7163 | |
wolfSSL | 13:f67a6c6013ca | 7164 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7165 | if (with_header) { |
wolfSSL | 13:f67a6c6013ca | 7166 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7167 | XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7168 | } |
wolfSSL | 13:f67a6c6013ca | 7169 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7170 | #endif |
wolfSSL | 13:f67a6c6013ca | 7171 | |
wolfSSL | 13:f67a6c6013ca | 7172 | return idx; |
wolfSSL | 13:f67a6c6013ca | 7173 | } |
wolfSSL | 13:f67a6c6013ca | 7174 | |
wolfSSL | 13:f67a6c6013ca | 7175 | |
wolfSSL | 13:f67a6c6013ca | 7176 | /* returns the size of buffer used, the public ECC key in DER format is stored |
wolfSSL | 13:f67a6c6013ca | 7177 | in output buffer |
wolfSSL | 13:f67a6c6013ca | 7178 | with_AlgCurve is a flag for when to include a header that has the Algorithm |
wolfSSL | 13:f67a6c6013ca | 7179 | and Curve infromation */ |
wolfSSL | 13:f67a6c6013ca | 7180 | int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen, |
wolfSSL | 13:f67a6c6013ca | 7181 | int with_AlgCurve) |
wolfSSL | 13:f67a6c6013ca | 7182 | { |
wolfSSL | 13:f67a6c6013ca | 7183 | word32 infoSz = 0; |
wolfSSL | 13:f67a6c6013ca | 7184 | word32 keySz = 0; |
wolfSSL | 13:f67a6c6013ca | 7185 | int ret; |
wolfSSL | 13:f67a6c6013ca | 7186 | |
wolfSSL | 13:f67a6c6013ca | 7187 | if (output == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7188 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7189 | } |
wolfSSL | 13:f67a6c6013ca | 7190 | |
wolfSSL | 13:f67a6c6013ca | 7191 | if (with_AlgCurve) { |
wolfSSL | 13:f67a6c6013ca | 7192 | /* buffer space for algorithm/curve */ |
wolfSSL | 13:f67a6c6013ca | 7193 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 13:f67a6c6013ca | 7194 | infoSz += 2 * MAX_ALGO_SZ; |
wolfSSL | 13:f67a6c6013ca | 7195 | |
wolfSSL | 13:f67a6c6013ca | 7196 | /* buffer space for public key sequence */ |
wolfSSL | 13:f67a6c6013ca | 7197 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 13:f67a6c6013ca | 7198 | infoSz += TRAILING_ZERO; |
wolfSSL | 13:f67a6c6013ca | 7199 | } |
wolfSSL | 13:f67a6c6013ca | 7200 | |
wolfSSL | 13:f67a6c6013ca | 7201 | if ((ret = wc_ecc_export_x963(key, NULL, &keySz)) != LENGTH_ONLY_E) { |
wolfSSL | 13:f67a6c6013ca | 7202 | WOLFSSL_MSG("Error in getting ECC public key size"); |
wolfSSL | 13:f67a6c6013ca | 7203 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7204 | } |
wolfSSL | 13:f67a6c6013ca | 7205 | |
wolfSSL | 13:f67a6c6013ca | 7206 | if (inLen < keySz + infoSz) { |
wolfSSL | 13:f67a6c6013ca | 7207 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7208 | } |
wolfSSL | 13:f67a6c6013ca | 7209 | |
wolfSSL | 13:f67a6c6013ca | 7210 | return SetEccPublicKey(output, key, with_AlgCurve); |
wolfSSL | 13:f67a6c6013ca | 7211 | } |
wolfSSL | 13:f67a6c6013ca | 7212 | #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ |
wolfSSL | 13:f67a6c6013ca | 7213 | #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \ |
wolfSSL | 13:f67a6c6013ca | 7214 | defined(WOLFSSL_KEY_GEN)) |
wolfSSL | 13:f67a6c6013ca | 7215 | |
wolfSSL | 13:f67a6c6013ca | 7216 | /* Write a public ECC key to output */ |
wolfSSL | 13:f67a6c6013ca | 7217 | static int SetEd25519PublicKey(byte* output, ed25519_key* key, int with_header) |
wolfSSL | 13:f67a6c6013ca | 7218 | { |
wolfSSL | 13:f67a6c6013ca | 7219 | byte bitString[1 + MAX_LENGTH_SZ + 1]; |
wolfSSL | 13:f67a6c6013ca | 7220 | int algoSz; |
wolfSSL | 13:f67a6c6013ca | 7221 | int bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 7222 | int idx; |
wolfSSL | 13:f67a6c6013ca | 7223 | word32 pubSz = ED25519_PUB_KEY_SIZE; |
wolfSSL | 13:f67a6c6013ca | 7224 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7225 | byte* algo = NULL; |
wolfSSL | 13:f67a6c6013ca | 7226 | byte* pub = NULL; |
wolfSSL | 13:f67a6c6013ca | 7227 | #else |
wolfSSL | 13:f67a6c6013ca | 7228 | byte algo[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7229 | byte pub[ED25519_PUB_KEY_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 7230 | #endif |
wolfSSL | 13:f67a6c6013ca | 7231 | |
wolfSSL | 13:f67a6c6013ca | 7232 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7233 | pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7234 | if (pub == NULL) |
wolfSSL | 13:f67a6c6013ca | 7235 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7236 | #endif |
wolfSSL | 13:f67a6c6013ca | 7237 | |
wolfSSL | 13:f67a6c6013ca | 7238 | int ret = wc_ed25519_export_public(key, pub, &pubSz); |
wolfSSL | 13:f67a6c6013ca | 7239 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 7240 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7241 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7242 | #endif |
wolfSSL | 13:f67a6c6013ca | 7243 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7244 | } |
wolfSSL | 13:f67a6c6013ca | 7245 | |
wolfSSL | 13:f67a6c6013ca | 7246 | /* headers */ |
wolfSSL | 13:f67a6c6013ca | 7247 | if (with_header) { |
wolfSSL | 13:f67a6c6013ca | 7248 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7249 | algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7250 | if (algo == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7251 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7252 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7253 | } |
wolfSSL | 13:f67a6c6013ca | 7254 | #endif |
wolfSSL | 13:f67a6c6013ca | 7255 | algoSz = SetAlgoID(ED25519k, algo, oidKeyType, 0); |
wolfSSL | 13:f67a6c6013ca | 7256 | |
wolfSSL | 13:f67a6c6013ca | 7257 | bitStringSz = SetBitString(pubSz, 0, bitString); |
wolfSSL | 13:f67a6c6013ca | 7258 | |
wolfSSL | 13:f67a6c6013ca | 7259 | idx = SetSequence(pubSz + bitStringSz + algoSz, output); |
wolfSSL | 13:f67a6c6013ca | 7260 | /* algo */ |
wolfSSL | 13:f67a6c6013ca | 7261 | XMEMCPY(output + idx, algo, algoSz); |
wolfSSL | 13:f67a6c6013ca | 7262 | idx += algoSz; |
wolfSSL | 13:f67a6c6013ca | 7263 | /* bit string */ |
wolfSSL | 13:f67a6c6013ca | 7264 | XMEMCPY(output + idx, bitString, bitStringSz); |
wolfSSL | 13:f67a6c6013ca | 7265 | idx += bitStringSz; |
wolfSSL | 13:f67a6c6013ca | 7266 | } |
wolfSSL | 13:f67a6c6013ca | 7267 | else |
wolfSSL | 13:f67a6c6013ca | 7268 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 7269 | |
wolfSSL | 13:f67a6c6013ca | 7270 | /* pub */ |
wolfSSL | 13:f67a6c6013ca | 7271 | XMEMCPY(output + idx, pub, pubSz); |
wolfSSL | 13:f67a6c6013ca | 7272 | idx += pubSz; |
wolfSSL | 13:f67a6c6013ca | 7273 | |
wolfSSL | 13:f67a6c6013ca | 7274 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7275 | if (with_header) { |
wolfSSL | 13:f67a6c6013ca | 7276 | XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7277 | } |
wolfSSL | 13:f67a6c6013ca | 7278 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7279 | #endif |
wolfSSL | 13:f67a6c6013ca | 7280 | |
wolfSSL | 13:f67a6c6013ca | 7281 | return idx; |
wolfSSL | 13:f67a6c6013ca | 7282 | } |
wolfSSL | 13:f67a6c6013ca | 7283 | |
wolfSSL | 13:f67a6c6013ca | 7284 | int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen, |
wolfSSL | 13:f67a6c6013ca | 7285 | int withAlg) |
wolfSSL | 13:f67a6c6013ca | 7286 | { |
wolfSSL | 13:f67a6c6013ca | 7287 | word32 infoSz = 0; |
wolfSSL | 13:f67a6c6013ca | 7288 | word32 keySz = 0; |
wolfSSL | 13:f67a6c6013ca | 7289 | int ret; |
wolfSSL | 13:f67a6c6013ca | 7290 | |
wolfSSL | 13:f67a6c6013ca | 7291 | if (output == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7292 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7293 | } |
wolfSSL | 13:f67a6c6013ca | 7294 | |
wolfSSL | 13:f67a6c6013ca | 7295 | if (withAlg) { |
wolfSSL | 13:f67a6c6013ca | 7296 | /* buffer space for algorithm */ |
wolfSSL | 13:f67a6c6013ca | 7297 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 13:f67a6c6013ca | 7298 | infoSz += MAX_ALGO_SZ; |
wolfSSL | 13:f67a6c6013ca | 7299 | |
wolfSSL | 13:f67a6c6013ca | 7300 | /* buffer space for public key sequence */ |
wolfSSL | 13:f67a6c6013ca | 7301 | infoSz += MAX_SEQ_SZ; |
wolfSSL | 13:f67a6c6013ca | 7302 | infoSz += TRAILING_ZERO; |
wolfSSL | 13:f67a6c6013ca | 7303 | } |
wolfSSL | 13:f67a6c6013ca | 7304 | |
wolfSSL | 13:f67a6c6013ca | 7305 | if ((ret = wc_ed25519_export_public(key, output, &keySz)) != BUFFER_E) { |
wolfSSL | 13:f67a6c6013ca | 7306 | WOLFSSL_MSG("Error in getting ECC public key size"); |
wolfSSL | 13:f67a6c6013ca | 7307 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7308 | } |
wolfSSL | 13:f67a6c6013ca | 7309 | |
wolfSSL | 13:f67a6c6013ca | 7310 | if (inLen < keySz + infoSz) { |
wolfSSL | 13:f67a6c6013ca | 7311 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7312 | } |
wolfSSL | 13:f67a6c6013ca | 7313 | |
wolfSSL | 13:f67a6c6013ca | 7314 | return SetEd25519PublicKey(output, key, withAlg); |
wolfSSL | 13:f67a6c6013ca | 7315 | } |
wolfSSL | 13:f67a6c6013ca | 7316 | #endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ |
wolfSSL | 13:f67a6c6013ca | 7317 | #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) |
wolfSSL | 13:f67a6c6013ca | 7318 | |
wolfSSL | 13:f67a6c6013ca | 7319 | static INLINE byte itob(int number) |
wolfSSL | 13:f67a6c6013ca | 7320 | { |
wolfSSL | 13:f67a6c6013ca | 7321 | return (byte)number + 0x30; |
wolfSSL | 13:f67a6c6013ca | 7322 | } |
wolfSSL | 13:f67a6c6013ca | 7323 | |
wolfSSL | 13:f67a6c6013ca | 7324 | |
wolfSSL | 13:f67a6c6013ca | 7325 | /* write time to output, format */ |
wolfSSL | 13:f67a6c6013ca | 7326 | static void SetTime(struct tm* date, byte* output) |
wolfSSL | 13:f67a6c6013ca | 7327 | { |
wolfSSL | 13:f67a6c6013ca | 7328 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 7329 | |
wolfSSL | 13:f67a6c6013ca | 7330 | output[i++] = itob((date->tm_year % 10000) / 1000); |
wolfSSL | 13:f67a6c6013ca | 7331 | output[i++] = itob((date->tm_year % 1000) / 100); |
wolfSSL | 13:f67a6c6013ca | 7332 | output[i++] = itob((date->tm_year % 100) / 10); |
wolfSSL | 13:f67a6c6013ca | 7333 | output[i++] = itob( date->tm_year % 10); |
wolfSSL | 13:f67a6c6013ca | 7334 | |
wolfSSL | 13:f67a6c6013ca | 7335 | output[i++] = itob(date->tm_mon / 10); |
wolfSSL | 13:f67a6c6013ca | 7336 | output[i++] = itob(date->tm_mon % 10); |
wolfSSL | 13:f67a6c6013ca | 7337 | |
wolfSSL | 13:f67a6c6013ca | 7338 | output[i++] = itob(date->tm_mday / 10); |
wolfSSL | 13:f67a6c6013ca | 7339 | output[i++] = itob(date->tm_mday % 10); |
wolfSSL | 13:f67a6c6013ca | 7340 | |
wolfSSL | 13:f67a6c6013ca | 7341 | output[i++] = itob(date->tm_hour / 10); |
wolfSSL | 13:f67a6c6013ca | 7342 | output[i++] = itob(date->tm_hour % 10); |
wolfSSL | 13:f67a6c6013ca | 7343 | |
wolfSSL | 13:f67a6c6013ca | 7344 | output[i++] = itob(date->tm_min / 10); |
wolfSSL | 13:f67a6c6013ca | 7345 | output[i++] = itob(date->tm_min % 10); |
wolfSSL | 13:f67a6c6013ca | 7346 | |
wolfSSL | 13:f67a6c6013ca | 7347 | output[i++] = itob(date->tm_sec / 10); |
wolfSSL | 13:f67a6c6013ca | 7348 | output[i++] = itob(date->tm_sec % 10); |
wolfSSL | 13:f67a6c6013ca | 7349 | |
wolfSSL | 13:f67a6c6013ca | 7350 | output[i] = 'Z'; /* Zulu profile */ |
wolfSSL | 13:f67a6c6013ca | 7351 | } |
wolfSSL | 13:f67a6c6013ca | 7352 | |
wolfSSL | 13:f67a6c6013ca | 7353 | |
wolfSSL | 13:f67a6c6013ca | 7354 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 7355 | |
wolfSSL | 13:f67a6c6013ca | 7356 | /* Copy Dates from cert, return bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7357 | static int CopyValidity(byte* output, Cert* cert) |
wolfSSL | 13:f67a6c6013ca | 7358 | { |
wolfSSL | 13:f67a6c6013ca | 7359 | int seqSz; |
wolfSSL | 13:f67a6c6013ca | 7360 | |
wolfSSL | 13:f67a6c6013ca | 7361 | WOLFSSL_ENTER("CopyValidity"); |
wolfSSL | 13:f67a6c6013ca | 7362 | |
wolfSSL | 13:f67a6c6013ca | 7363 | /* headers and output */ |
wolfSSL | 13:f67a6c6013ca | 7364 | seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output); |
wolfSSL | 13:f67a6c6013ca | 7365 | XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz); |
wolfSSL | 13:f67a6c6013ca | 7366 | XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate, |
wolfSSL | 13:f67a6c6013ca | 7367 | cert->afterDateSz); |
wolfSSL | 13:f67a6c6013ca | 7368 | return seqSz + cert->beforeDateSz + cert->afterDateSz; |
wolfSSL | 13:f67a6c6013ca | 7369 | } |
wolfSSL | 13:f67a6c6013ca | 7370 | |
wolfSSL | 13:f67a6c6013ca | 7371 | #endif |
wolfSSL | 13:f67a6c6013ca | 7372 | |
wolfSSL | 13:f67a6c6013ca | 7373 | |
wolfSSL | 13:f67a6c6013ca | 7374 | /* for systems where mktime() doesn't normalize fully */ |
wolfSSL | 13:f67a6c6013ca | 7375 | static void RebuildTime(time_t* in, struct tm* out) |
wolfSSL | 13:f67a6c6013ca | 7376 | { |
wolfSSL | 13:f67a6c6013ca | 7377 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 13:f67a6c6013ca | 7378 | out = localtime_r(in, out); |
wolfSSL | 13:f67a6c6013ca | 7379 | #else |
wolfSSL | 13:f67a6c6013ca | 7380 | (void)in; |
wolfSSL | 13:f67a6c6013ca | 7381 | (void)out; |
wolfSSL | 13:f67a6c6013ca | 7382 | #endif |
wolfSSL | 13:f67a6c6013ca | 7383 | } |
wolfSSL | 13:f67a6c6013ca | 7384 | |
wolfSSL | 13:f67a6c6013ca | 7385 | |
wolfSSL | 13:f67a6c6013ca | 7386 | /* Set Date validity from now until now + daysValid |
wolfSSL | 13:f67a6c6013ca | 7387 | * return size in bytes written to output, 0 on error */ |
wolfSSL | 13:f67a6c6013ca | 7388 | static int SetValidity(byte* output, int daysValid) |
wolfSSL | 13:f67a6c6013ca | 7389 | { |
wolfSSL | 13:f67a6c6013ca | 7390 | byte before[MAX_DATE_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 7391 | byte after[MAX_DATE_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 7392 | |
wolfSSL | 13:f67a6c6013ca | 7393 | int beforeSz; |
wolfSSL | 13:f67a6c6013ca | 7394 | int afterSz; |
wolfSSL | 13:f67a6c6013ca | 7395 | int seqSz; |
wolfSSL | 13:f67a6c6013ca | 7396 | |
wolfSSL | 13:f67a6c6013ca | 7397 | time_t ticks; |
wolfSSL | 13:f67a6c6013ca | 7398 | time_t normalTime; |
wolfSSL | 13:f67a6c6013ca | 7399 | struct tm* now; |
wolfSSL | 13:f67a6c6013ca | 7400 | struct tm* tmpTime = NULL; |
wolfSSL | 13:f67a6c6013ca | 7401 | struct tm local; |
wolfSSL | 13:f67a6c6013ca | 7402 | |
wolfSSL | 13:f67a6c6013ca | 7403 | #if defined(NEED_TMP_TIME) |
wolfSSL | 13:f67a6c6013ca | 7404 | /* for use with gmtime_r */ |
wolfSSL | 13:f67a6c6013ca | 7405 | struct tm tmpTimeStorage; |
wolfSSL | 13:f67a6c6013ca | 7406 | tmpTime = &tmpTimeStorage; |
wolfSSL | 13:f67a6c6013ca | 7407 | #else |
wolfSSL | 13:f67a6c6013ca | 7408 | (void)tmpTime; |
wolfSSL | 13:f67a6c6013ca | 7409 | #endif |
wolfSSL | 13:f67a6c6013ca | 7410 | |
wolfSSL | 13:f67a6c6013ca | 7411 | ticks = XTIME(0); |
wolfSSL | 13:f67a6c6013ca | 7412 | now = XGMTIME(&ticks, tmpTime); |
wolfSSL | 13:f67a6c6013ca | 7413 | |
wolfSSL | 13:f67a6c6013ca | 7414 | if (now == NULL) { |
wolfSSL | 13:f67a6c6013ca | 7415 | WOLFSSL_MSG("XGMTIME failed"); |
wolfSSL | 13:f67a6c6013ca | 7416 | return 0; /* error */ |
wolfSSL | 13:f67a6c6013ca | 7417 | } |
wolfSSL | 13:f67a6c6013ca | 7418 | |
wolfSSL | 13:f67a6c6013ca | 7419 | /* before now */ |
wolfSSL | 13:f67a6c6013ca | 7420 | local = *now; |
wolfSSL | 13:f67a6c6013ca | 7421 | before[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 13:f67a6c6013ca | 7422 | beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1; /* gen tag */ |
wolfSSL | 13:f67a6c6013ca | 7423 | |
wolfSSL | 13:f67a6c6013ca | 7424 | /* subtract 1 day for more compliance */ |
wolfSSL | 13:f67a6c6013ca | 7425 | local.tm_mday -= 1; |
wolfSSL | 13:f67a6c6013ca | 7426 | normalTime = mktime(&local); |
wolfSSL | 13:f67a6c6013ca | 7427 | RebuildTime(&normalTime, &local); |
wolfSSL | 13:f67a6c6013ca | 7428 | |
wolfSSL | 13:f67a6c6013ca | 7429 | /* adjust */ |
wolfSSL | 13:f67a6c6013ca | 7430 | local.tm_year += 1900; |
wolfSSL | 13:f67a6c6013ca | 7431 | local.tm_mon += 1; |
wolfSSL | 13:f67a6c6013ca | 7432 | |
wolfSSL | 13:f67a6c6013ca | 7433 | SetTime(&local, before + beforeSz); |
wolfSSL | 13:f67a6c6013ca | 7434 | beforeSz += ASN_GEN_TIME_SZ; |
wolfSSL | 13:f67a6c6013ca | 7435 | |
wolfSSL | 13:f67a6c6013ca | 7436 | /* after now + daysValid */ |
wolfSSL | 13:f67a6c6013ca | 7437 | local = *now; |
wolfSSL | 13:f67a6c6013ca | 7438 | after[0] = ASN_GENERALIZED_TIME; |
wolfSSL | 13:f67a6c6013ca | 7439 | afterSz = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1; /* gen tag */ |
wolfSSL | 13:f67a6c6013ca | 7440 | |
wolfSSL | 13:f67a6c6013ca | 7441 | /* add daysValid */ |
wolfSSL | 13:f67a6c6013ca | 7442 | local.tm_mday += daysValid; |
wolfSSL | 13:f67a6c6013ca | 7443 | normalTime = mktime(&local); |
wolfSSL | 13:f67a6c6013ca | 7444 | RebuildTime(&normalTime, &local); |
wolfSSL | 13:f67a6c6013ca | 7445 | |
wolfSSL | 13:f67a6c6013ca | 7446 | /* adjust */ |
wolfSSL | 13:f67a6c6013ca | 7447 | local.tm_year += 1900; |
wolfSSL | 13:f67a6c6013ca | 7448 | local.tm_mon += 1; |
wolfSSL | 13:f67a6c6013ca | 7449 | |
wolfSSL | 13:f67a6c6013ca | 7450 | SetTime(&local, after + afterSz); |
wolfSSL | 13:f67a6c6013ca | 7451 | afterSz += ASN_GEN_TIME_SZ; |
wolfSSL | 13:f67a6c6013ca | 7452 | |
wolfSSL | 13:f67a6c6013ca | 7453 | /* headers and output */ |
wolfSSL | 13:f67a6c6013ca | 7454 | seqSz = SetSequence(beforeSz + afterSz, output); |
wolfSSL | 13:f67a6c6013ca | 7455 | XMEMCPY(output + seqSz, before, beforeSz); |
wolfSSL | 13:f67a6c6013ca | 7456 | XMEMCPY(output + seqSz + beforeSz, after, afterSz); |
wolfSSL | 13:f67a6c6013ca | 7457 | |
wolfSSL | 13:f67a6c6013ca | 7458 | return seqSz + beforeSz + afterSz; |
wolfSSL | 13:f67a6c6013ca | 7459 | } |
wolfSSL | 13:f67a6c6013ca | 7460 | |
wolfSSL | 13:f67a6c6013ca | 7461 | |
wolfSSL | 13:f67a6c6013ca | 7462 | /* ASN Encoded Name field */ |
wolfSSL | 13:f67a6c6013ca | 7463 | typedef struct EncodedName { |
wolfSSL | 13:f67a6c6013ca | 7464 | int nameLen; /* actual string value length */ |
wolfSSL | 13:f67a6c6013ca | 7465 | int totalLen; /* total encoded length */ |
wolfSSL | 13:f67a6c6013ca | 7466 | int type; /* type of name */ |
wolfSSL | 13:f67a6c6013ca | 7467 | int used; /* are we actually using this one */ |
wolfSSL | 13:f67a6c6013ca | 7468 | byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ |
wolfSSL | 13:f67a6c6013ca | 7469 | } EncodedName; |
wolfSSL | 13:f67a6c6013ca | 7470 | |
wolfSSL | 13:f67a6c6013ca | 7471 | |
wolfSSL | 13:f67a6c6013ca | 7472 | /* Get Which Name from index */ |
wolfSSL | 13:f67a6c6013ca | 7473 | static const char* GetOneName(CertName* name, int idx) |
wolfSSL | 13:f67a6c6013ca | 7474 | { |
wolfSSL | 13:f67a6c6013ca | 7475 | switch (idx) { |
wolfSSL | 13:f67a6c6013ca | 7476 | case 0: |
wolfSSL | 13:f67a6c6013ca | 7477 | return name->country; |
wolfSSL | 13:f67a6c6013ca | 7478 | |
wolfSSL | 13:f67a6c6013ca | 7479 | case 1: |
wolfSSL | 13:f67a6c6013ca | 7480 | return name->state; |
wolfSSL | 13:f67a6c6013ca | 7481 | |
wolfSSL | 13:f67a6c6013ca | 7482 | case 2: |
wolfSSL | 13:f67a6c6013ca | 7483 | return name->locality; |
wolfSSL | 13:f67a6c6013ca | 7484 | |
wolfSSL | 13:f67a6c6013ca | 7485 | case 3: |
wolfSSL | 13:f67a6c6013ca | 7486 | return name->sur; |
wolfSSL | 13:f67a6c6013ca | 7487 | |
wolfSSL | 13:f67a6c6013ca | 7488 | case 4: |
wolfSSL | 13:f67a6c6013ca | 7489 | return name->org; |
wolfSSL | 13:f67a6c6013ca | 7490 | |
wolfSSL | 13:f67a6c6013ca | 7491 | case 5: |
wolfSSL | 13:f67a6c6013ca | 7492 | return name->unit; |
wolfSSL | 13:f67a6c6013ca | 7493 | |
wolfSSL | 13:f67a6c6013ca | 7494 | case 6: |
wolfSSL | 13:f67a6c6013ca | 7495 | return name->commonName; |
wolfSSL | 13:f67a6c6013ca | 7496 | |
wolfSSL | 13:f67a6c6013ca | 7497 | case 7: |
wolfSSL | 13:f67a6c6013ca | 7498 | return name->email; |
wolfSSL | 13:f67a6c6013ca | 7499 | |
wolfSSL | 13:f67a6c6013ca | 7500 | default: |
wolfSSL | 13:f67a6c6013ca | 7501 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7502 | } |
wolfSSL | 13:f67a6c6013ca | 7503 | } |
wolfSSL | 13:f67a6c6013ca | 7504 | |
wolfSSL | 13:f67a6c6013ca | 7505 | |
wolfSSL | 13:f67a6c6013ca | 7506 | /* Get Which Name Encoding from index */ |
wolfSSL | 13:f67a6c6013ca | 7507 | static char GetNameType(CertName* name, int idx) |
wolfSSL | 13:f67a6c6013ca | 7508 | { |
wolfSSL | 13:f67a6c6013ca | 7509 | switch (idx) { |
wolfSSL | 13:f67a6c6013ca | 7510 | case 0: |
wolfSSL | 13:f67a6c6013ca | 7511 | return name->countryEnc; |
wolfSSL | 13:f67a6c6013ca | 7512 | |
wolfSSL | 13:f67a6c6013ca | 7513 | case 1: |
wolfSSL | 13:f67a6c6013ca | 7514 | return name->stateEnc; |
wolfSSL | 13:f67a6c6013ca | 7515 | |
wolfSSL | 13:f67a6c6013ca | 7516 | case 2: |
wolfSSL | 13:f67a6c6013ca | 7517 | return name->localityEnc; |
wolfSSL | 13:f67a6c6013ca | 7518 | |
wolfSSL | 13:f67a6c6013ca | 7519 | case 3: |
wolfSSL | 13:f67a6c6013ca | 7520 | return name->surEnc; |
wolfSSL | 13:f67a6c6013ca | 7521 | |
wolfSSL | 13:f67a6c6013ca | 7522 | case 4: |
wolfSSL | 13:f67a6c6013ca | 7523 | return name->orgEnc; |
wolfSSL | 13:f67a6c6013ca | 7524 | |
wolfSSL | 13:f67a6c6013ca | 7525 | case 5: |
wolfSSL | 13:f67a6c6013ca | 7526 | return name->unitEnc; |
wolfSSL | 13:f67a6c6013ca | 7527 | |
wolfSSL | 13:f67a6c6013ca | 7528 | case 6: |
wolfSSL | 13:f67a6c6013ca | 7529 | return name->commonNameEnc; |
wolfSSL | 13:f67a6c6013ca | 7530 | |
wolfSSL | 13:f67a6c6013ca | 7531 | default: |
wolfSSL | 13:f67a6c6013ca | 7532 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7533 | } |
wolfSSL | 13:f67a6c6013ca | 7534 | } |
wolfSSL | 13:f67a6c6013ca | 7535 | |
wolfSSL | 13:f67a6c6013ca | 7536 | |
wolfSSL | 13:f67a6c6013ca | 7537 | /* Get ASN Name from index */ |
wolfSSL | 13:f67a6c6013ca | 7538 | static byte GetNameId(int idx) |
wolfSSL | 13:f67a6c6013ca | 7539 | { |
wolfSSL | 13:f67a6c6013ca | 7540 | switch (idx) { |
wolfSSL | 13:f67a6c6013ca | 7541 | case 0: |
wolfSSL | 13:f67a6c6013ca | 7542 | return ASN_COUNTRY_NAME; |
wolfSSL | 13:f67a6c6013ca | 7543 | |
wolfSSL | 13:f67a6c6013ca | 7544 | case 1: |
wolfSSL | 13:f67a6c6013ca | 7545 | return ASN_STATE_NAME; |
wolfSSL | 13:f67a6c6013ca | 7546 | |
wolfSSL | 13:f67a6c6013ca | 7547 | case 2: |
wolfSSL | 13:f67a6c6013ca | 7548 | return ASN_LOCALITY_NAME; |
wolfSSL | 13:f67a6c6013ca | 7549 | |
wolfSSL | 13:f67a6c6013ca | 7550 | case 3: |
wolfSSL | 13:f67a6c6013ca | 7551 | return ASN_SUR_NAME; |
wolfSSL | 13:f67a6c6013ca | 7552 | |
wolfSSL | 13:f67a6c6013ca | 7553 | case 4: |
wolfSSL | 13:f67a6c6013ca | 7554 | return ASN_ORG_NAME; |
wolfSSL | 13:f67a6c6013ca | 7555 | |
wolfSSL | 13:f67a6c6013ca | 7556 | case 5: |
wolfSSL | 13:f67a6c6013ca | 7557 | return ASN_ORGUNIT_NAME; |
wolfSSL | 13:f67a6c6013ca | 7558 | |
wolfSSL | 13:f67a6c6013ca | 7559 | case 6: |
wolfSSL | 13:f67a6c6013ca | 7560 | return ASN_COMMON_NAME; |
wolfSSL | 13:f67a6c6013ca | 7561 | |
wolfSSL | 13:f67a6c6013ca | 7562 | case 7: |
wolfSSL | 13:f67a6c6013ca | 7563 | /* email uses different id type */ |
wolfSSL | 13:f67a6c6013ca | 7564 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7565 | |
wolfSSL | 13:f67a6c6013ca | 7566 | default: |
wolfSSL | 13:f67a6c6013ca | 7567 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7568 | } |
wolfSSL | 13:f67a6c6013ca | 7569 | } |
wolfSSL | 13:f67a6c6013ca | 7570 | |
wolfSSL | 13:f67a6c6013ca | 7571 | /* |
wolfSSL | 13:f67a6c6013ca | 7572 | Extensions ::= SEQUENCE OF Extension |
wolfSSL | 13:f67a6c6013ca | 7573 | |
wolfSSL | 13:f67a6c6013ca | 7574 | Extension ::= SEQUENCE { |
wolfSSL | 13:f67a6c6013ca | 7575 | extnId OBJECT IDENTIFIER, |
wolfSSL | 13:f67a6c6013ca | 7576 | critical BOOLEAN DEFAULT FALSE, |
wolfSSL | 13:f67a6c6013ca | 7577 | extnValue OCTET STRING } |
wolfSSL | 13:f67a6c6013ca | 7578 | */ |
wolfSSL | 13:f67a6c6013ca | 7579 | |
wolfSSL | 13:f67a6c6013ca | 7580 | /* encode all extensions, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7581 | static int SetExtensions(byte* out, word32 outSz, int *IdxInOut, |
wolfSSL | 13:f67a6c6013ca | 7582 | const byte* ext, int extSz) |
wolfSSL | 13:f67a6c6013ca | 7583 | { |
wolfSSL | 13:f67a6c6013ca | 7584 | if (out == NULL || IdxInOut == NULL || ext == NULL) |
wolfSSL | 13:f67a6c6013ca | 7585 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7586 | |
wolfSSL | 13:f67a6c6013ca | 7587 | if (outSz < (word32)(*IdxInOut+extSz)) |
wolfSSL | 13:f67a6c6013ca | 7588 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7589 | |
wolfSSL | 13:f67a6c6013ca | 7590 | XMEMCPY(&out[*IdxInOut], ext, extSz); /* extensions */ |
wolfSSL | 13:f67a6c6013ca | 7591 | *IdxInOut += extSz; |
wolfSSL | 13:f67a6c6013ca | 7592 | |
wolfSSL | 13:f67a6c6013ca | 7593 | return *IdxInOut; |
wolfSSL | 13:f67a6c6013ca | 7594 | } |
wolfSSL | 13:f67a6c6013ca | 7595 | |
wolfSSL | 13:f67a6c6013ca | 7596 | /* encode extensions header, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7597 | static int SetExtensionsHeader(byte* out, word32 outSz, int extSz) |
wolfSSL | 13:f67a6c6013ca | 7598 | { |
wolfSSL | 13:f67a6c6013ca | 7599 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7600 | byte len[MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7601 | int seqSz, lenSz, idx = 0; |
wolfSSL | 13:f67a6c6013ca | 7602 | |
wolfSSL | 13:f67a6c6013ca | 7603 | if (out == NULL) |
wolfSSL | 13:f67a6c6013ca | 7604 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7605 | |
wolfSSL | 13:f67a6c6013ca | 7606 | if (outSz < 3) |
wolfSSL | 13:f67a6c6013ca | 7607 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7608 | |
wolfSSL | 13:f67a6c6013ca | 7609 | seqSz = SetSequence(extSz, sequence); |
wolfSSL | 13:f67a6c6013ca | 7610 | |
wolfSSL | 13:f67a6c6013ca | 7611 | /* encode extensions length provided */ |
wolfSSL | 13:f67a6c6013ca | 7612 | lenSz = SetLength(extSz+seqSz, len); |
wolfSSL | 13:f67a6c6013ca | 7613 | |
wolfSSL | 13:f67a6c6013ca | 7614 | if (outSz < (word32)(lenSz+seqSz+1)) |
wolfSSL | 13:f67a6c6013ca | 7615 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7616 | |
wolfSSL | 13:f67a6c6013ca | 7617 | out[idx++] = ASN_EXTENSIONS; /* extensions id */ |
wolfSSL | 13:f67a6c6013ca | 7618 | XMEMCPY(&out[idx], len, lenSz); /* length */ |
wolfSSL | 13:f67a6c6013ca | 7619 | idx += lenSz; |
wolfSSL | 13:f67a6c6013ca | 7620 | |
wolfSSL | 13:f67a6c6013ca | 7621 | XMEMCPY(&out[idx], sequence, seqSz); /* sequence */ |
wolfSSL | 13:f67a6c6013ca | 7622 | idx += seqSz; |
wolfSSL | 13:f67a6c6013ca | 7623 | |
wolfSSL | 13:f67a6c6013ca | 7624 | return idx; |
wolfSSL | 13:f67a6c6013ca | 7625 | } |
wolfSSL | 13:f67a6c6013ca | 7626 | |
wolfSSL | 13:f67a6c6013ca | 7627 | |
wolfSSL | 13:f67a6c6013ca | 7628 | /* encode CA basic constraint true, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7629 | static int SetCa(byte* out, word32 outSz) |
wolfSSL | 13:f67a6c6013ca | 7630 | { |
wolfSSL | 13:f67a6c6013ca | 7631 | static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, |
wolfSSL | 13:f67a6c6013ca | 7632 | 0x05, 0x30, 0x03, 0x01, 0x01, 0xff }; |
wolfSSL | 13:f67a6c6013ca | 7633 | |
wolfSSL | 13:f67a6c6013ca | 7634 | if (out == NULL) |
wolfSSL | 13:f67a6c6013ca | 7635 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7636 | |
wolfSSL | 13:f67a6c6013ca | 7637 | if (outSz < sizeof(ca)) |
wolfSSL | 13:f67a6c6013ca | 7638 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7639 | |
wolfSSL | 13:f67a6c6013ca | 7640 | XMEMCPY(out, ca, sizeof(ca)); |
wolfSSL | 13:f67a6c6013ca | 7641 | |
wolfSSL | 13:f67a6c6013ca | 7642 | return (int)sizeof(ca); |
wolfSSL | 13:f67a6c6013ca | 7643 | } |
wolfSSL | 13:f67a6c6013ca | 7644 | |
wolfSSL | 13:f67a6c6013ca | 7645 | |
wolfSSL | 13:f67a6c6013ca | 7646 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 7647 | /* encode OID and associated value, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7648 | static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz, |
wolfSSL | 13:f67a6c6013ca | 7649 | byte *in, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 7650 | { |
wolfSSL | 13:f67a6c6013ca | 7651 | int idx = 0; |
wolfSSL | 13:f67a6c6013ca | 7652 | |
wolfSSL | 13:f67a6c6013ca | 7653 | if (out == NULL || oid == NULL || in == NULL) |
wolfSSL | 13:f67a6c6013ca | 7654 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7655 | |
wolfSSL | 13:f67a6c6013ca | 7656 | if (outSz < 3) |
wolfSSL | 13:f67a6c6013ca | 7657 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7658 | |
wolfSSL | 13:f67a6c6013ca | 7659 | /* sequence, + 1 => byte to put value size */ |
wolfSSL | 13:f67a6c6013ca | 7660 | idx = SetSequence(inSz + oidSz + 1, out); |
wolfSSL | 13:f67a6c6013ca | 7661 | |
wolfSSL | 13:f67a6c6013ca | 7662 | if ((idx + inSz + oidSz + 1) > outSz) |
wolfSSL | 13:f67a6c6013ca | 7663 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7664 | |
wolfSSL | 13:f67a6c6013ca | 7665 | XMEMCPY(out+idx, oid, oidSz); |
wolfSSL | 13:f67a6c6013ca | 7666 | idx += oidSz; |
wolfSSL | 13:f67a6c6013ca | 7667 | out[idx++] = (byte)inSz; |
wolfSSL | 13:f67a6c6013ca | 7668 | XMEMCPY(out+idx, in, inSz); |
wolfSSL | 13:f67a6c6013ca | 7669 | |
wolfSSL | 13:f67a6c6013ca | 7670 | return (idx+inSz); |
wolfSSL | 13:f67a6c6013ca | 7671 | } |
wolfSSL | 13:f67a6c6013ca | 7672 | |
wolfSSL | 13:f67a6c6013ca | 7673 | /* encode Subject Key Identifier, return total bytes written |
wolfSSL | 13:f67a6c6013ca | 7674 | * RFC5280 : non-critical */ |
wolfSSL | 13:f67a6c6013ca | 7675 | static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) |
wolfSSL | 13:f67a6c6013ca | 7676 | { |
wolfSSL | 13:f67a6c6013ca | 7677 | byte skid_len[1 + MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7678 | byte skid_enc_len[MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7679 | int idx = 0, skid_lenSz, skid_enc_lenSz; |
wolfSSL | 13:f67a6c6013ca | 7680 | static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 }; |
wolfSSL | 13:f67a6c6013ca | 7681 | |
wolfSSL | 13:f67a6c6013ca | 7682 | if (output == NULL || input == NULL) |
wolfSSL | 13:f67a6c6013ca | 7683 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7684 | |
wolfSSL | 13:f67a6c6013ca | 7685 | /* Octet String header */ |
wolfSSL | 13:f67a6c6013ca | 7686 | skid_lenSz = SetOctetString(length, skid_len); |
wolfSSL | 13:f67a6c6013ca | 7687 | |
wolfSSL | 13:f67a6c6013ca | 7688 | /* length of encoded value */ |
wolfSSL | 13:f67a6c6013ca | 7689 | skid_enc_lenSz = SetLength(length + skid_lenSz, skid_enc_len); |
wolfSSL | 13:f67a6c6013ca | 7690 | |
wolfSSL | 13:f67a6c6013ca | 7691 | if (outSz < 3) |
wolfSSL | 13:f67a6c6013ca | 7692 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7693 | |
wolfSSL | 13:f67a6c6013ca | 7694 | idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz, |
wolfSSL | 13:f67a6c6013ca | 7695 | output); |
wolfSSL | 13:f67a6c6013ca | 7696 | |
wolfSSL | 13:f67a6c6013ca | 7697 | if ((length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz) > outSz) |
wolfSSL | 13:f67a6c6013ca | 7698 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7699 | |
wolfSSL | 13:f67a6c6013ca | 7700 | /* put oid */ |
wolfSSL | 13:f67a6c6013ca | 7701 | XMEMCPY(output+idx, skid_oid, sizeof(skid_oid)); |
wolfSSL | 13:f67a6c6013ca | 7702 | idx += sizeof(skid_oid); |
wolfSSL | 13:f67a6c6013ca | 7703 | |
wolfSSL | 13:f67a6c6013ca | 7704 | /* put encoded len */ |
wolfSSL | 13:f67a6c6013ca | 7705 | XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz); |
wolfSSL | 13:f67a6c6013ca | 7706 | idx += skid_enc_lenSz; |
wolfSSL | 13:f67a6c6013ca | 7707 | |
wolfSSL | 13:f67a6c6013ca | 7708 | /* put octet header */ |
wolfSSL | 13:f67a6c6013ca | 7709 | XMEMCPY(output+idx, skid_len, skid_lenSz); |
wolfSSL | 13:f67a6c6013ca | 7710 | idx += skid_lenSz; |
wolfSSL | 13:f67a6c6013ca | 7711 | |
wolfSSL | 13:f67a6c6013ca | 7712 | /* put value */ |
wolfSSL | 13:f67a6c6013ca | 7713 | XMEMCPY(output+idx, input, length); |
wolfSSL | 13:f67a6c6013ca | 7714 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 7715 | |
wolfSSL | 13:f67a6c6013ca | 7716 | return idx; |
wolfSSL | 13:f67a6c6013ca | 7717 | } |
wolfSSL | 13:f67a6c6013ca | 7718 | |
wolfSSL | 13:f67a6c6013ca | 7719 | /* encode Authority Key Identifier, return total bytes written |
wolfSSL | 13:f67a6c6013ca | 7720 | * RFC5280 : non-critical */ |
wolfSSL | 13:f67a6c6013ca | 7721 | static int SetAKID(byte* output, word32 outSz, |
wolfSSL | 13:f67a6c6013ca | 7722 | byte *input, word32 length, void* heap) |
wolfSSL | 13:f67a6c6013ca | 7723 | { |
wolfSSL | 13:f67a6c6013ca | 7724 | byte *enc_val; |
wolfSSL | 13:f67a6c6013ca | 7725 | int ret, enc_valSz; |
wolfSSL | 13:f67a6c6013ca | 7726 | static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; |
wolfSSL | 13:f67a6c6013ca | 7727 | static const byte akid_cs[] = { 0x80 }; |
wolfSSL | 13:f67a6c6013ca | 7728 | |
wolfSSL | 13:f67a6c6013ca | 7729 | if (output == NULL || input == NULL) |
wolfSSL | 13:f67a6c6013ca | 7730 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7731 | |
wolfSSL | 13:f67a6c6013ca | 7732 | enc_valSz = length + 3 + sizeof(akid_cs); |
wolfSSL | 13:f67a6c6013ca | 7733 | enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7734 | if (enc_val == NULL) |
wolfSSL | 13:f67a6c6013ca | 7735 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7736 | |
wolfSSL | 13:f67a6c6013ca | 7737 | /* sequence for ContentSpec & value */ |
wolfSSL | 13:f67a6c6013ca | 7738 | ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), |
wolfSSL | 13:f67a6c6013ca | 7739 | input, length); |
wolfSSL | 13:f67a6c6013ca | 7740 | if (ret > 0) { |
wolfSSL | 13:f67a6c6013ca | 7741 | enc_valSz = ret; |
wolfSSL | 13:f67a6c6013ca | 7742 | |
wolfSSL | 13:f67a6c6013ca | 7743 | ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid), |
wolfSSL | 13:f67a6c6013ca | 7744 | enc_val, enc_valSz); |
wolfSSL | 13:f67a6c6013ca | 7745 | } |
wolfSSL | 13:f67a6c6013ca | 7746 | |
wolfSSL | 13:f67a6c6013ca | 7747 | XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7748 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7749 | } |
wolfSSL | 13:f67a6c6013ca | 7750 | |
wolfSSL | 13:f67a6c6013ca | 7751 | /* encode Key Usage, return total bytes written |
wolfSSL | 13:f67a6c6013ca | 7752 | * RFC5280 : critical */ |
wolfSSL | 13:f67a6c6013ca | 7753 | static int SetKeyUsage(byte* output, word32 outSz, word16 input) |
wolfSSL | 13:f67a6c6013ca | 7754 | { |
wolfSSL | 13:f67a6c6013ca | 7755 | byte ku[5]; |
wolfSSL | 13:f67a6c6013ca | 7756 | int idx; |
wolfSSL | 13:f67a6c6013ca | 7757 | static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f, |
wolfSSL | 13:f67a6c6013ca | 7758 | 0x01, 0x01, 0xff, 0x04}; |
wolfSSL | 13:f67a6c6013ca | 7759 | |
wolfSSL | 13:f67a6c6013ca | 7760 | if (output == NULL) |
wolfSSL | 13:f67a6c6013ca | 7761 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7762 | |
wolfSSL | 13:f67a6c6013ca | 7763 | idx = SetBitString16Bit(input, ku); |
wolfSSL | 13:f67a6c6013ca | 7764 | return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid), |
wolfSSL | 13:f67a6c6013ca | 7765 | ku, idx); |
wolfSSL | 13:f67a6c6013ca | 7766 | } |
wolfSSL | 13:f67a6c6013ca | 7767 | |
wolfSSL | 13:f67a6c6013ca | 7768 | /* Encode OID string representation to ITU-T X.690 format */ |
wolfSSL | 13:f67a6c6013ca | 7769 | static int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap) |
wolfSSL | 13:f67a6c6013ca | 7770 | { |
wolfSSL | 13:f67a6c6013ca | 7771 | word32 val, idx = 0, nb_val; |
wolfSSL | 13:f67a6c6013ca | 7772 | char *token, *str, *ptr; |
wolfSSL | 13:f67a6c6013ca | 7773 | word32 len; |
wolfSSL | 13:f67a6c6013ca | 7774 | |
wolfSSL | 13:f67a6c6013ca | 7775 | if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL) |
wolfSSL | 13:f67a6c6013ca | 7776 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7777 | |
wolfSSL | 13:f67a6c6013ca | 7778 | len = (word32)XSTRLEN(in); |
wolfSSL | 13:f67a6c6013ca | 7779 | |
wolfSSL | 13:f67a6c6013ca | 7780 | str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7781 | if (str == NULL) |
wolfSSL | 13:f67a6c6013ca | 7782 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7783 | |
wolfSSL | 13:f67a6c6013ca | 7784 | XSTRNCPY(str, in, len); |
wolfSSL | 13:f67a6c6013ca | 7785 | str[len] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 7786 | |
wolfSSL | 13:f67a6c6013ca | 7787 | nb_val = 0; |
wolfSSL | 13:f67a6c6013ca | 7788 | |
wolfSSL | 13:f67a6c6013ca | 7789 | /* parse value, and set corresponding Policy OID value */ |
wolfSSL | 13:f67a6c6013ca | 7790 | token = XSTRTOK(str, ".", &ptr); |
wolfSSL | 13:f67a6c6013ca | 7791 | while (token != NULL) |
wolfSSL | 13:f67a6c6013ca | 7792 | { |
wolfSSL | 13:f67a6c6013ca | 7793 | val = (word32)atoi(token); |
wolfSSL | 13:f67a6c6013ca | 7794 | |
wolfSSL | 13:f67a6c6013ca | 7795 | if (nb_val == 0) { |
wolfSSL | 13:f67a6c6013ca | 7796 | if (val > 2) { |
wolfSSL | 13:f67a6c6013ca | 7797 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7798 | return ASN_OBJECT_ID_E; |
wolfSSL | 13:f67a6c6013ca | 7799 | } |
wolfSSL | 13:f67a6c6013ca | 7800 | |
wolfSSL | 13:f67a6c6013ca | 7801 | out[idx] = (byte)(40 * val); |
wolfSSL | 13:f67a6c6013ca | 7802 | } |
wolfSSL | 13:f67a6c6013ca | 7803 | else if (nb_val == 1) { |
wolfSSL | 13:f67a6c6013ca | 7804 | if (val > 127) { |
wolfSSL | 13:f67a6c6013ca | 7805 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7806 | return ASN_OBJECT_ID_E; |
wolfSSL | 13:f67a6c6013ca | 7807 | } |
wolfSSL | 13:f67a6c6013ca | 7808 | |
wolfSSL | 13:f67a6c6013ca | 7809 | if (idx > *outSz) { |
wolfSSL | 13:f67a6c6013ca | 7810 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7811 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7812 | } |
wolfSSL | 13:f67a6c6013ca | 7813 | |
wolfSSL | 13:f67a6c6013ca | 7814 | out[idx++] += (byte)val; |
wolfSSL | 13:f67a6c6013ca | 7815 | } |
wolfSSL | 13:f67a6c6013ca | 7816 | else { |
wolfSSL | 13:f67a6c6013ca | 7817 | word32 tb = 0, x; |
wolfSSL | 13:f67a6c6013ca | 7818 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 7819 | byte oid[MAX_OID_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7820 | |
wolfSSL | 13:f67a6c6013ca | 7821 | while (val >= 128) { |
wolfSSL | 13:f67a6c6013ca | 7822 | x = val % 128; |
wolfSSL | 13:f67a6c6013ca | 7823 | val /= 128; |
wolfSSL | 13:f67a6c6013ca | 7824 | oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x); |
wolfSSL | 13:f67a6c6013ca | 7825 | } |
wolfSSL | 13:f67a6c6013ca | 7826 | |
wolfSSL | 13:f67a6c6013ca | 7827 | if ((idx+(word32)i) > *outSz) { |
wolfSSL | 13:f67a6c6013ca | 7828 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7829 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7830 | } |
wolfSSL | 13:f67a6c6013ca | 7831 | |
wolfSSL | 13:f67a6c6013ca | 7832 | oid[i] = (byte) (((tb++) ? 0x80 : 0) | val); |
wolfSSL | 13:f67a6c6013ca | 7833 | |
wolfSSL | 13:f67a6c6013ca | 7834 | /* push value in the right order */ |
wolfSSL | 13:f67a6c6013ca | 7835 | while (i >= 0) |
wolfSSL | 13:f67a6c6013ca | 7836 | out[idx++] = oid[i--]; |
wolfSSL | 13:f67a6c6013ca | 7837 | } |
wolfSSL | 13:f67a6c6013ca | 7838 | |
wolfSSL | 13:f67a6c6013ca | 7839 | token = XSTRTOK(NULL, ".", &ptr); |
wolfSSL | 13:f67a6c6013ca | 7840 | nb_val++; |
wolfSSL | 13:f67a6c6013ca | 7841 | } |
wolfSSL | 13:f67a6c6013ca | 7842 | |
wolfSSL | 13:f67a6c6013ca | 7843 | *outSz = idx; |
wolfSSL | 13:f67a6c6013ca | 7844 | |
wolfSSL | 13:f67a6c6013ca | 7845 | XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7846 | return 0; |
wolfSSL | 13:f67a6c6013ca | 7847 | } |
wolfSSL | 13:f67a6c6013ca | 7848 | |
wolfSSL | 13:f67a6c6013ca | 7849 | /* encode Certificate Policies, return total bytes written |
wolfSSL | 13:f67a6c6013ca | 7850 | * each input value must be ITU-T X.690 formatted : a.b.c... |
wolfSSL | 13:f67a6c6013ca | 7851 | * input must be an array of values with a NULL terminated for the latest |
wolfSSL | 13:f67a6c6013ca | 7852 | * RFC5280 : non-critical */ |
wolfSSL | 13:f67a6c6013ca | 7853 | static int SetCertificatePolicies(byte *output, |
wolfSSL | 13:f67a6c6013ca | 7854 | word32 outputSz, |
wolfSSL | 13:f67a6c6013ca | 7855 | char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ], |
wolfSSL | 13:f67a6c6013ca | 7856 | word16 nb_certpol, |
wolfSSL | 13:f67a6c6013ca | 7857 | void* heap) |
wolfSSL | 13:f67a6c6013ca | 7858 | { |
wolfSSL | 13:f67a6c6013ca | 7859 | byte oid[MAX_OID_SZ], |
wolfSSL | 13:f67a6c6013ca | 7860 | der_oid[MAX_CERTPOL_NB][MAX_OID_SZ], |
wolfSSL | 13:f67a6c6013ca | 7861 | out[MAX_CERTPOL_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7862 | word32 oidSz; |
wolfSSL | 13:f67a6c6013ca | 7863 | word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB]; |
wolfSSL | 13:f67a6c6013ca | 7864 | int ret; |
wolfSSL | 13:f67a6c6013ca | 7865 | |
wolfSSL | 13:f67a6c6013ca | 7866 | static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 }; |
wolfSSL | 13:f67a6c6013ca | 7867 | static const byte oid_oid[] = { 0x06 }; |
wolfSSL | 13:f67a6c6013ca | 7868 | |
wolfSSL | 13:f67a6c6013ca | 7869 | if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB) |
wolfSSL | 13:f67a6c6013ca | 7870 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7871 | |
wolfSSL | 13:f67a6c6013ca | 7872 | for (i = 0; i < nb_certpol; i++) { |
wolfSSL | 13:f67a6c6013ca | 7873 | oidSz = sizeof(oid); |
wolfSSL | 13:f67a6c6013ca | 7874 | XMEMSET(oid, 0, oidSz); |
wolfSSL | 13:f67a6c6013ca | 7875 | |
wolfSSL | 13:f67a6c6013ca | 7876 | ret = EncodePolicyOID(oid, &oidSz, input[i], heap); |
wolfSSL | 13:f67a6c6013ca | 7877 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 7878 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7879 | |
wolfSSL | 13:f67a6c6013ca | 7880 | /* compute sequence value for the oid */ |
wolfSSL | 13:f67a6c6013ca | 7881 | ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid, |
wolfSSL | 13:f67a6c6013ca | 7882 | sizeof(oid_oid), oid, oidSz); |
wolfSSL | 13:f67a6c6013ca | 7883 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 7884 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7885 | else |
wolfSSL | 13:f67a6c6013ca | 7886 | der_oidSz[i] = (word32)ret; |
wolfSSL | 13:f67a6c6013ca | 7887 | } |
wolfSSL | 13:f67a6c6013ca | 7888 | |
wolfSSL | 13:f67a6c6013ca | 7889 | /* concatenate oid, keep two byte for sequence/size of the created value */ |
wolfSSL | 13:f67a6c6013ca | 7890 | for (i = 0, outSz = 2; i < nb_certpol; i++) { |
wolfSSL | 13:f67a6c6013ca | 7891 | XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]); |
wolfSSL | 13:f67a6c6013ca | 7892 | outSz += der_oidSz[i]; |
wolfSSL | 13:f67a6c6013ca | 7893 | } |
wolfSSL | 13:f67a6c6013ca | 7894 | |
wolfSSL | 13:f67a6c6013ca | 7895 | /* add sequence */ |
wolfSSL | 13:f67a6c6013ca | 7896 | ret = SetSequence(outSz-2, out); |
wolfSSL | 13:f67a6c6013ca | 7897 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 7898 | return ret; |
wolfSSL | 13:f67a6c6013ca | 7899 | |
wolfSSL | 13:f67a6c6013ca | 7900 | /* add Policy OID to compute final value */ |
wolfSSL | 13:f67a6c6013ca | 7901 | return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid), |
wolfSSL | 13:f67a6c6013ca | 7902 | out, outSz); |
wolfSSL | 13:f67a6c6013ca | 7903 | } |
wolfSSL | 13:f67a6c6013ca | 7904 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 7905 | |
wolfSSL | 13:f67a6c6013ca | 7906 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 7907 | /* encode Alternative Names, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7908 | static int SetAltNames(byte *out, word32 outSz, byte *input, word32 length) |
wolfSSL | 13:f67a6c6013ca | 7909 | { |
wolfSSL | 13:f67a6c6013ca | 7910 | if (out == NULL || input == NULL) |
wolfSSL | 13:f67a6c6013ca | 7911 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7912 | |
wolfSSL | 13:f67a6c6013ca | 7913 | if (outSz < length) |
wolfSSL | 13:f67a6c6013ca | 7914 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7915 | |
wolfSSL | 13:f67a6c6013ca | 7916 | /* Alternative Names come from certificate or computed by |
wolfSSL | 13:f67a6c6013ca | 7917 | * external function, so already encoded. Just copy value */ |
wolfSSL | 13:f67a6c6013ca | 7918 | XMEMCPY(out, input, length); |
wolfSSL | 13:f67a6c6013ca | 7919 | return length; |
wolfSSL | 13:f67a6c6013ca | 7920 | } |
wolfSSL | 13:f67a6c6013ca | 7921 | #endif /* WOLFSL_ALT_NAMES */ |
wolfSSL | 13:f67a6c6013ca | 7922 | |
wolfSSL | 13:f67a6c6013ca | 7923 | |
wolfSSL | 13:f67a6c6013ca | 7924 | /* encode CertName into output, return total bytes written */ |
wolfSSL | 13:f67a6c6013ca | 7925 | int SetName(byte* output, word32 outputSz, CertName* name) |
wolfSSL | 13:f67a6c6013ca | 7926 | { |
wolfSSL | 13:f67a6c6013ca | 7927 | int totalBytes = 0, i, idx; |
wolfSSL | 13:f67a6c6013ca | 7928 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7929 | EncodedName* names = NULL; |
wolfSSL | 13:f67a6c6013ca | 7930 | #else |
wolfSSL | 13:f67a6c6013ca | 7931 | EncodedName names[NAME_ENTRIES]; |
wolfSSL | 13:f67a6c6013ca | 7932 | #endif |
wolfSSL | 13:f67a6c6013ca | 7933 | |
wolfSSL | 13:f67a6c6013ca | 7934 | if (output == NULL || name == NULL) |
wolfSSL | 13:f67a6c6013ca | 7935 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 7936 | |
wolfSSL | 13:f67a6c6013ca | 7937 | if (outputSz < 3) |
wolfSSL | 13:f67a6c6013ca | 7938 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7939 | |
wolfSSL | 13:f67a6c6013ca | 7940 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7941 | names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL, |
wolfSSL | 13:f67a6c6013ca | 7942 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7943 | if (names == NULL) |
wolfSSL | 13:f67a6c6013ca | 7944 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 7945 | #endif |
wolfSSL | 13:f67a6c6013ca | 7946 | |
wolfSSL | 13:f67a6c6013ca | 7947 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 13:f67a6c6013ca | 7948 | const char* nameStr = GetOneName(name, i); |
wolfSSL | 13:f67a6c6013ca | 7949 | if (nameStr) { |
wolfSSL | 13:f67a6c6013ca | 7950 | /* bottom up */ |
wolfSSL | 13:f67a6c6013ca | 7951 | byte firstLen[1 + MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7952 | byte secondLen[MAX_LENGTH_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7953 | byte sequence[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7954 | byte set[MAX_SET_SZ]; |
wolfSSL | 13:f67a6c6013ca | 7955 | |
wolfSSL | 13:f67a6c6013ca | 7956 | int email = i == (NAME_ENTRIES - 1) ? 1 : 0; |
wolfSSL | 13:f67a6c6013ca | 7957 | int strLen = (int)XSTRLEN(nameStr); |
wolfSSL | 13:f67a6c6013ca | 7958 | int thisLen = strLen; |
wolfSSL | 13:f67a6c6013ca | 7959 | int firstSz, secondSz, seqSz, setSz; |
wolfSSL | 13:f67a6c6013ca | 7960 | |
wolfSSL | 13:f67a6c6013ca | 7961 | if (strLen == 0) { /* no user data for this item */ |
wolfSSL | 13:f67a6c6013ca | 7962 | names[i].used = 0; |
wolfSSL | 13:f67a6c6013ca | 7963 | continue; |
wolfSSL | 13:f67a6c6013ca | 7964 | } |
wolfSSL | 13:f67a6c6013ca | 7965 | |
wolfSSL | 13:f67a6c6013ca | 7966 | /* Restrict country code size */ |
wolfSSL | 13:f67a6c6013ca | 7967 | if (i == 0 && strLen != CTC_COUNTRY_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 7968 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7969 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7970 | #endif |
wolfSSL | 13:f67a6c6013ca | 7971 | return ASN_COUNTRY_SIZE_E; |
wolfSSL | 13:f67a6c6013ca | 7972 | } |
wolfSSL | 13:f67a6c6013ca | 7973 | |
wolfSSL | 13:f67a6c6013ca | 7974 | secondSz = SetLength(strLen, secondLen); |
wolfSSL | 13:f67a6c6013ca | 7975 | thisLen += secondSz; |
wolfSSL | 13:f67a6c6013ca | 7976 | if (email) { |
wolfSSL | 13:f67a6c6013ca | 7977 | thisLen += EMAIL_JOINT_LEN; |
wolfSSL | 13:f67a6c6013ca | 7978 | thisLen ++; /* id type */ |
wolfSSL | 13:f67a6c6013ca | 7979 | firstSz = SetObjectId(EMAIL_JOINT_LEN, firstLen); |
wolfSSL | 13:f67a6c6013ca | 7980 | } |
wolfSSL | 13:f67a6c6013ca | 7981 | else { |
wolfSSL | 13:f67a6c6013ca | 7982 | thisLen++; /* str type */ |
wolfSSL | 13:f67a6c6013ca | 7983 | thisLen++; /* id type */ |
wolfSSL | 13:f67a6c6013ca | 7984 | thisLen += JOINT_LEN; |
wolfSSL | 13:f67a6c6013ca | 7985 | firstSz = SetObjectId(JOINT_LEN + 1, firstLen); |
wolfSSL | 13:f67a6c6013ca | 7986 | } |
wolfSSL | 13:f67a6c6013ca | 7987 | thisLen += firstSz; |
wolfSSL | 13:f67a6c6013ca | 7988 | |
wolfSSL | 13:f67a6c6013ca | 7989 | seqSz = SetSequence(thisLen, sequence); |
wolfSSL | 13:f67a6c6013ca | 7990 | thisLen += seqSz; |
wolfSSL | 13:f67a6c6013ca | 7991 | setSz = SetSet(thisLen, set); |
wolfSSL | 13:f67a6c6013ca | 7992 | thisLen += setSz; |
wolfSSL | 13:f67a6c6013ca | 7993 | |
wolfSSL | 13:f67a6c6013ca | 7994 | if (thisLen > (int)sizeof(names[i].encoded)) { |
wolfSSL | 13:f67a6c6013ca | 7995 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 7996 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 7997 | #endif |
wolfSSL | 13:f67a6c6013ca | 7998 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 7999 | } |
wolfSSL | 13:f67a6c6013ca | 8000 | |
wolfSSL | 13:f67a6c6013ca | 8001 | /* store it */ |
wolfSSL | 13:f67a6c6013ca | 8002 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 8003 | /* set */ |
wolfSSL | 13:f67a6c6013ca | 8004 | XMEMCPY(names[i].encoded, set, setSz); |
wolfSSL | 13:f67a6c6013ca | 8005 | idx += setSz; |
wolfSSL | 13:f67a6c6013ca | 8006 | /* seq */ |
wolfSSL | 13:f67a6c6013ca | 8007 | XMEMCPY(names[i].encoded + idx, sequence, seqSz); |
wolfSSL | 13:f67a6c6013ca | 8008 | idx += seqSz; |
wolfSSL | 13:f67a6c6013ca | 8009 | /* asn object id */ |
wolfSSL | 13:f67a6c6013ca | 8010 | XMEMCPY(names[i].encoded + idx, firstLen, firstSz); |
wolfSSL | 13:f67a6c6013ca | 8011 | idx += firstSz; |
wolfSSL | 13:f67a6c6013ca | 8012 | if (email) { |
wolfSSL | 13:f67a6c6013ca | 8013 | const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
wolfSSL | 13:f67a6c6013ca | 8014 | 0x01, 0x09, 0x01, 0x16 }; |
wolfSSL | 13:f67a6c6013ca | 8015 | /* email joint id */ |
wolfSSL | 13:f67a6c6013ca | 8016 | XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); |
wolfSSL | 13:f67a6c6013ca | 8017 | idx += (int)sizeof(EMAIL_OID); |
wolfSSL | 13:f67a6c6013ca | 8018 | } |
wolfSSL | 13:f67a6c6013ca | 8019 | else { |
wolfSSL | 13:f67a6c6013ca | 8020 | /* joint id */ |
wolfSSL | 13:f67a6c6013ca | 8021 | byte bType = GetNameId(i); |
wolfSSL | 13:f67a6c6013ca | 8022 | names[i].encoded[idx++] = 0x55; |
wolfSSL | 13:f67a6c6013ca | 8023 | names[i].encoded[idx++] = 0x04; |
wolfSSL | 13:f67a6c6013ca | 8024 | /* id type */ |
wolfSSL | 13:f67a6c6013ca | 8025 | names[i].encoded[idx++] = bType; |
wolfSSL | 13:f67a6c6013ca | 8026 | /* str type */ |
wolfSSL | 13:f67a6c6013ca | 8027 | names[i].encoded[idx++] = GetNameType(name, i); |
wolfSSL | 13:f67a6c6013ca | 8028 | } |
wolfSSL | 13:f67a6c6013ca | 8029 | /* second length */ |
wolfSSL | 13:f67a6c6013ca | 8030 | XMEMCPY(names[i].encoded + idx, secondLen, secondSz); |
wolfSSL | 13:f67a6c6013ca | 8031 | idx += secondSz; |
wolfSSL | 13:f67a6c6013ca | 8032 | /* str value */ |
wolfSSL | 13:f67a6c6013ca | 8033 | XMEMCPY(names[i].encoded + idx, nameStr, strLen); |
wolfSSL | 13:f67a6c6013ca | 8034 | idx += strLen; |
wolfSSL | 13:f67a6c6013ca | 8035 | |
wolfSSL | 13:f67a6c6013ca | 8036 | totalBytes += idx; |
wolfSSL | 13:f67a6c6013ca | 8037 | names[i].totalLen = idx; |
wolfSSL | 13:f67a6c6013ca | 8038 | names[i].used = 1; |
wolfSSL | 13:f67a6c6013ca | 8039 | } |
wolfSSL | 13:f67a6c6013ca | 8040 | else |
wolfSSL | 13:f67a6c6013ca | 8041 | names[i].used = 0; |
wolfSSL | 13:f67a6c6013ca | 8042 | } |
wolfSSL | 13:f67a6c6013ca | 8043 | |
wolfSSL | 13:f67a6c6013ca | 8044 | /* header */ |
wolfSSL | 13:f67a6c6013ca | 8045 | idx = SetSequence(totalBytes, output); |
wolfSSL | 13:f67a6c6013ca | 8046 | totalBytes += idx; |
wolfSSL | 13:f67a6c6013ca | 8047 | if (totalBytes > ASN_NAME_MAX) { |
wolfSSL | 13:f67a6c6013ca | 8048 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8049 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8050 | #endif |
wolfSSL | 13:f67a6c6013ca | 8051 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 8052 | } |
wolfSSL | 13:f67a6c6013ca | 8053 | |
wolfSSL | 13:f67a6c6013ca | 8054 | for (i = 0; i < NAME_ENTRIES; i++) { |
wolfSSL | 13:f67a6c6013ca | 8055 | if (names[i].used) { |
wolfSSL | 13:f67a6c6013ca | 8056 | if (outputSz < (word32)(idx+names[i].totalLen)) { |
wolfSSL | 13:f67a6c6013ca | 8057 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8058 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8059 | #endif |
wolfSSL | 13:f67a6c6013ca | 8060 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 8061 | } |
wolfSSL | 13:f67a6c6013ca | 8062 | |
wolfSSL | 13:f67a6c6013ca | 8063 | XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); |
wolfSSL | 13:f67a6c6013ca | 8064 | idx += names[i].totalLen; |
wolfSSL | 13:f67a6c6013ca | 8065 | } |
wolfSSL | 13:f67a6c6013ca | 8066 | } |
wolfSSL | 13:f67a6c6013ca | 8067 | |
wolfSSL | 13:f67a6c6013ca | 8068 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8069 | XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8070 | #endif |
wolfSSL | 13:f67a6c6013ca | 8071 | |
wolfSSL | 13:f67a6c6013ca | 8072 | return totalBytes; |
wolfSSL | 13:f67a6c6013ca | 8073 | } |
wolfSSL | 13:f67a6c6013ca | 8074 | |
wolfSSL | 13:f67a6c6013ca | 8075 | /* encode info from cert into DER encoded format */ |
wolfSSL | 13:f67a6c6013ca | 8076 | static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 13:f67a6c6013ca | 8077 | WC_RNG* rng, const byte* ntruKey, word16 ntruSz, |
wolfSSL | 13:f67a6c6013ca | 8078 | ed25519_key* ed25519Key) |
wolfSSL | 13:f67a6c6013ca | 8079 | { |
wolfSSL | 13:f67a6c6013ca | 8080 | int ret; |
wolfSSL | 13:f67a6c6013ca | 8081 | |
wolfSSL | 13:f67a6c6013ca | 8082 | (void)eccKey; |
wolfSSL | 13:f67a6c6013ca | 8083 | (void)ntruKey; |
wolfSSL | 13:f67a6c6013ca | 8084 | (void)ntruSz; |
wolfSSL | 13:f67a6c6013ca | 8085 | (void)ed25519Key; |
wolfSSL | 13:f67a6c6013ca | 8086 | |
wolfSSL | 13:f67a6c6013ca | 8087 | if (cert == NULL || der == NULL || rng == NULL) |
wolfSSL | 13:f67a6c6013ca | 8088 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 8089 | |
wolfSSL | 13:f67a6c6013ca | 8090 | /* init */ |
wolfSSL | 13:f67a6c6013ca | 8091 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 13:f67a6c6013ca | 8092 | |
wolfSSL | 13:f67a6c6013ca | 8093 | /* version */ |
wolfSSL | 13:f67a6c6013ca | 8094 | der->versionSz = SetMyVersion(cert->version, der->version, TRUE); |
wolfSSL | 13:f67a6c6013ca | 8095 | |
wolfSSL | 13:f67a6c6013ca | 8096 | /* serial number */ |
wolfSSL | 13:f67a6c6013ca | 8097 | ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE); |
wolfSSL | 13:f67a6c6013ca | 8098 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 8099 | return ret; |
wolfSSL | 13:f67a6c6013ca | 8100 | |
wolfSSL | 13:f67a6c6013ca | 8101 | cert->serial[0] = 0x01; /* ensure positive */ |
wolfSSL | 13:f67a6c6013ca | 8102 | der->serialSz = SetSerial(cert->serial, der->serial); |
wolfSSL | 13:f67a6c6013ca | 8103 | |
wolfSSL | 13:f67a6c6013ca | 8104 | /* signature algo */ |
wolfSSL | 13:f67a6c6013ca | 8105 | der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, oidSigType, 0); |
wolfSSL | 13:f67a6c6013ca | 8106 | if (der->sigAlgoSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8107 | return ALGO_ID_E; |
wolfSSL | 13:f67a6c6013ca | 8108 | |
wolfSSL | 13:f67a6c6013ca | 8109 | /* public key */ |
wolfSSL | 13:f67a6c6013ca | 8110 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8111 | if (rsaKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 8112 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8113 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 13:f67a6c6013ca | 8114 | sizeof(der->publicKey), 1); |
wolfSSL | 13:f67a6c6013ca | 8115 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8116 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8117 | } |
wolfSSL | 13:f67a6c6013ca | 8118 | |
wolfSSL | 13:f67a6c6013ca | 8119 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 8120 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8121 | if (eccKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 8122 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8123 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 13:f67a6c6013ca | 8124 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8125 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8126 | } |
wolfSSL | 13:f67a6c6013ca | 8127 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 8128 | |
wolfSSL | 13:f67a6c6013ca | 8129 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 8130 | if (cert->keyType == ED25519_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8131 | if (ed25519Key == NULL) |
wolfSSL | 13:f67a6c6013ca | 8132 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8133 | der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); |
wolfSSL | 13:f67a6c6013ca | 8134 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8135 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8136 | } |
wolfSSL | 13:f67a6c6013ca | 8137 | #endif |
wolfSSL | 13:f67a6c6013ca | 8138 | |
wolfSSL | 13:f67a6c6013ca | 8139 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 8140 | if (cert->keyType == NTRU_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8141 | word32 rc; |
wolfSSL | 13:f67a6c6013ca | 8142 | word16 encodedSz; |
wolfSSL | 13:f67a6c6013ca | 8143 | |
wolfSSL | 13:f67a6c6013ca | 8144 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 13:f67a6c6013ca | 8145 | ntruKey, &encodedSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 8146 | if (rc != NTRU_OK) |
wolfSSL | 13:f67a6c6013ca | 8147 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8148 | if (encodedSz > MAX_PUBLIC_KEY_SZ) |
wolfSSL | 13:f67a6c6013ca | 8149 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8150 | |
wolfSSL | 13:f67a6c6013ca | 8151 | rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, |
wolfSSL | 13:f67a6c6013ca | 8152 | ntruKey, &encodedSz, der->publicKey); |
wolfSSL | 13:f67a6c6013ca | 8153 | if (rc != NTRU_OK) |
wolfSSL | 13:f67a6c6013ca | 8154 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8155 | |
wolfSSL | 13:f67a6c6013ca | 8156 | der->publicKeySz = encodedSz; |
wolfSSL | 13:f67a6c6013ca | 8157 | } |
wolfSSL | 13:f67a6c6013ca | 8158 | #endif /* HAVE_NTRU */ |
wolfSSL | 13:f67a6c6013ca | 8159 | |
wolfSSL | 13:f67a6c6013ca | 8160 | der->validitySz = 0; |
wolfSSL | 13:f67a6c6013ca | 8161 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 8162 | /* date validity copy ? */ |
wolfSSL | 13:f67a6c6013ca | 8163 | if (cert->beforeDateSz && cert->afterDateSz) { |
wolfSSL | 13:f67a6c6013ca | 8164 | der->validitySz = CopyValidity(der->validity, cert); |
wolfSSL | 13:f67a6c6013ca | 8165 | if (der->validitySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8166 | return DATE_E; |
wolfSSL | 13:f67a6c6013ca | 8167 | } |
wolfSSL | 13:f67a6c6013ca | 8168 | #endif |
wolfSSL | 13:f67a6c6013ca | 8169 | |
wolfSSL | 13:f67a6c6013ca | 8170 | /* date validity */ |
wolfSSL | 13:f67a6c6013ca | 8171 | if (der->validitySz == 0) { |
wolfSSL | 13:f67a6c6013ca | 8172 | der->validitySz = SetValidity(der->validity, cert->daysValid); |
wolfSSL | 13:f67a6c6013ca | 8173 | if (der->validitySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8174 | return DATE_E; |
wolfSSL | 13:f67a6c6013ca | 8175 | } |
wolfSSL | 13:f67a6c6013ca | 8176 | |
wolfSSL | 13:f67a6c6013ca | 8177 | /* subject name */ |
wolfSSL | 13:f67a6c6013ca | 8178 | der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject); |
wolfSSL | 13:f67a6c6013ca | 8179 | if (der->subjectSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8180 | return SUBJECT_E; |
wolfSSL | 13:f67a6c6013ca | 8181 | |
wolfSSL | 13:f67a6c6013ca | 8182 | /* issuer name */ |
wolfSSL | 13:f67a6c6013ca | 8183 | der->issuerSz = SetName(der->issuer, sizeof(der->issuer), cert->selfSigned ? |
wolfSSL | 13:f67a6c6013ca | 8184 | &cert->subject : &cert->issuer); |
wolfSSL | 13:f67a6c6013ca | 8185 | if (der->issuerSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8186 | return ISSUER_E; |
wolfSSL | 13:f67a6c6013ca | 8187 | |
wolfSSL | 13:f67a6c6013ca | 8188 | /* set the extensions */ |
wolfSSL | 13:f67a6c6013ca | 8189 | der->extensionsSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8190 | |
wolfSSL | 13:f67a6c6013ca | 8191 | /* CA */ |
wolfSSL | 13:f67a6c6013ca | 8192 | if (cert->isCA) { |
wolfSSL | 13:f67a6c6013ca | 8193 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 13:f67a6c6013ca | 8194 | if (der->caSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8195 | return CA_TRUE_E; |
wolfSSL | 13:f67a6c6013ca | 8196 | |
wolfSSL | 13:f67a6c6013ca | 8197 | der->extensionsSz += der->caSz; |
wolfSSL | 13:f67a6c6013ca | 8198 | } |
wolfSSL | 13:f67a6c6013ca | 8199 | else |
wolfSSL | 13:f67a6c6013ca | 8200 | der->caSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8201 | |
wolfSSL | 13:f67a6c6013ca | 8202 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 8203 | /* Alternative Name */ |
wolfSSL | 13:f67a6c6013ca | 8204 | if (cert->altNamesSz) { |
wolfSSL | 13:f67a6c6013ca | 8205 | der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames), |
wolfSSL | 13:f67a6c6013ca | 8206 | cert->altNames, cert->altNamesSz); |
wolfSSL | 13:f67a6c6013ca | 8207 | if (der->altNamesSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8208 | return ALT_NAME_E; |
wolfSSL | 13:f67a6c6013ca | 8209 | |
wolfSSL | 13:f67a6c6013ca | 8210 | der->extensionsSz += der->altNamesSz; |
wolfSSL | 13:f67a6c6013ca | 8211 | } |
wolfSSL | 13:f67a6c6013ca | 8212 | else |
wolfSSL | 13:f67a6c6013ca | 8213 | der->altNamesSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8214 | #endif |
wolfSSL | 13:f67a6c6013ca | 8215 | |
wolfSSL | 13:f67a6c6013ca | 8216 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 8217 | /* SKID */ |
wolfSSL | 13:f67a6c6013ca | 8218 | if (cert->skidSz) { |
wolfSSL | 13:f67a6c6013ca | 8219 | /* check the provided SKID size */ |
wolfSSL | 13:f67a6c6013ca | 8220 | if (cert->skidSz > (int)sizeof(der->skid)) |
wolfSSL | 13:f67a6c6013ca | 8221 | return SKID_E; |
wolfSSL | 13:f67a6c6013ca | 8222 | |
wolfSSL | 13:f67a6c6013ca | 8223 | /* Note: different skid buffers sizes for der (MAX_KID_SZ) and |
wolfSSL | 13:f67a6c6013ca | 8224 | cert (CTC_MAX_SKID_SIZE). */ |
wolfSSL | 13:f67a6c6013ca | 8225 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 13:f67a6c6013ca | 8226 | cert->skid, cert->skidSz); |
wolfSSL | 13:f67a6c6013ca | 8227 | if (der->skidSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8228 | return SKID_E; |
wolfSSL | 13:f67a6c6013ca | 8229 | |
wolfSSL | 13:f67a6c6013ca | 8230 | der->extensionsSz += der->skidSz; |
wolfSSL | 13:f67a6c6013ca | 8231 | } |
wolfSSL | 13:f67a6c6013ca | 8232 | else |
wolfSSL | 13:f67a6c6013ca | 8233 | der->skidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8234 | |
wolfSSL | 13:f67a6c6013ca | 8235 | /* AKID */ |
wolfSSL | 13:f67a6c6013ca | 8236 | if (cert->akidSz) { |
wolfSSL | 13:f67a6c6013ca | 8237 | /* check the provided AKID size */ |
wolfSSL | 13:f67a6c6013ca | 8238 | if (cert->akidSz > (int)sizeof(der->akid)) |
wolfSSL | 13:f67a6c6013ca | 8239 | return AKID_E; |
wolfSSL | 13:f67a6c6013ca | 8240 | |
wolfSSL | 13:f67a6c6013ca | 8241 | der->akidSz = SetAKID(der->akid, sizeof(der->akid), |
wolfSSL | 13:f67a6c6013ca | 8242 | cert->akid, cert->akidSz, cert->heap); |
wolfSSL | 13:f67a6c6013ca | 8243 | if (der->akidSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8244 | return AKID_E; |
wolfSSL | 13:f67a6c6013ca | 8245 | |
wolfSSL | 13:f67a6c6013ca | 8246 | der->extensionsSz += der->akidSz; |
wolfSSL | 13:f67a6c6013ca | 8247 | } |
wolfSSL | 13:f67a6c6013ca | 8248 | else |
wolfSSL | 13:f67a6c6013ca | 8249 | der->akidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8250 | |
wolfSSL | 13:f67a6c6013ca | 8251 | /* Key Usage */ |
wolfSSL | 13:f67a6c6013ca | 8252 | if (cert->keyUsage != 0){ |
wolfSSL | 13:f67a6c6013ca | 8253 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 13:f67a6c6013ca | 8254 | cert->keyUsage); |
wolfSSL | 13:f67a6c6013ca | 8255 | if (der->keyUsageSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8256 | return KEYUSAGE_E; |
wolfSSL | 13:f67a6c6013ca | 8257 | |
wolfSSL | 13:f67a6c6013ca | 8258 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 13:f67a6c6013ca | 8259 | } |
wolfSSL | 13:f67a6c6013ca | 8260 | else |
wolfSSL | 13:f67a6c6013ca | 8261 | der->keyUsageSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8262 | |
wolfSSL | 13:f67a6c6013ca | 8263 | /* Certificate Policies */ |
wolfSSL | 13:f67a6c6013ca | 8264 | if (cert->certPoliciesNb != 0) { |
wolfSSL | 13:f67a6c6013ca | 8265 | der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, |
wolfSSL | 13:f67a6c6013ca | 8266 | sizeof(der->certPolicies), |
wolfSSL | 13:f67a6c6013ca | 8267 | cert->certPolicies, |
wolfSSL | 13:f67a6c6013ca | 8268 | cert->certPoliciesNb, |
wolfSSL | 13:f67a6c6013ca | 8269 | cert->heap); |
wolfSSL | 13:f67a6c6013ca | 8270 | if (der->certPoliciesSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8271 | return CERTPOLICIES_E; |
wolfSSL | 13:f67a6c6013ca | 8272 | |
wolfSSL | 13:f67a6c6013ca | 8273 | der->extensionsSz += der->certPoliciesSz; |
wolfSSL | 13:f67a6c6013ca | 8274 | } |
wolfSSL | 13:f67a6c6013ca | 8275 | else |
wolfSSL | 13:f67a6c6013ca | 8276 | der->certPoliciesSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8277 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 8278 | |
wolfSSL | 13:f67a6c6013ca | 8279 | /* put extensions */ |
wolfSSL | 13:f67a6c6013ca | 8280 | if (der->extensionsSz > 0) { |
wolfSSL | 13:f67a6c6013ca | 8281 | |
wolfSSL | 13:f67a6c6013ca | 8282 | /* put the start of extensions sequence (ID, Size) */ |
wolfSSL | 13:f67a6c6013ca | 8283 | der->extensionsSz = SetExtensionsHeader(der->extensions, |
wolfSSL | 13:f67a6c6013ca | 8284 | sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8285 | der->extensionsSz); |
wolfSSL | 13:f67a6c6013ca | 8286 | if (der->extensionsSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8287 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8288 | |
wolfSSL | 13:f67a6c6013ca | 8289 | /* put CA */ |
wolfSSL | 13:f67a6c6013ca | 8290 | if (der->caSz) { |
wolfSSL | 13:f67a6c6013ca | 8291 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8292 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8293 | der->ca, der->caSz); |
wolfSSL | 13:f67a6c6013ca | 8294 | if (ret == 0) |
wolfSSL | 13:f67a6c6013ca | 8295 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8296 | } |
wolfSSL | 13:f67a6c6013ca | 8297 | |
wolfSSL | 13:f67a6c6013ca | 8298 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 8299 | /* put Alternative Names */ |
wolfSSL | 13:f67a6c6013ca | 8300 | if (der->altNamesSz) { |
wolfSSL | 13:f67a6c6013ca | 8301 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8302 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8303 | der->altNames, der->altNamesSz); |
wolfSSL | 13:f67a6c6013ca | 8304 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8305 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8306 | } |
wolfSSL | 13:f67a6c6013ca | 8307 | #endif |
wolfSSL | 13:f67a6c6013ca | 8308 | |
wolfSSL | 13:f67a6c6013ca | 8309 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 8310 | /* put SKID */ |
wolfSSL | 13:f67a6c6013ca | 8311 | if (der->skidSz) { |
wolfSSL | 13:f67a6c6013ca | 8312 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8313 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8314 | der->skid, der->skidSz); |
wolfSSL | 13:f67a6c6013ca | 8315 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8316 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8317 | } |
wolfSSL | 13:f67a6c6013ca | 8318 | |
wolfSSL | 13:f67a6c6013ca | 8319 | /* put AKID */ |
wolfSSL | 13:f67a6c6013ca | 8320 | if (der->akidSz) { |
wolfSSL | 13:f67a6c6013ca | 8321 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8322 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8323 | der->akid, der->akidSz); |
wolfSSL | 13:f67a6c6013ca | 8324 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8325 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8326 | } |
wolfSSL | 13:f67a6c6013ca | 8327 | |
wolfSSL | 13:f67a6c6013ca | 8328 | /* put KeyUsage */ |
wolfSSL | 13:f67a6c6013ca | 8329 | if (der->keyUsageSz) { |
wolfSSL | 13:f67a6c6013ca | 8330 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8331 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8332 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 13:f67a6c6013ca | 8333 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8334 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8335 | } |
wolfSSL | 13:f67a6c6013ca | 8336 | |
wolfSSL | 13:f67a6c6013ca | 8337 | /* put Certificate Policies */ |
wolfSSL | 13:f67a6c6013ca | 8338 | if (der->certPoliciesSz) { |
wolfSSL | 13:f67a6c6013ca | 8339 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8340 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8341 | der->certPolicies, der->certPoliciesSz); |
wolfSSL | 13:f67a6c6013ca | 8342 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8343 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8344 | } |
wolfSSL | 13:f67a6c6013ca | 8345 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 8346 | } |
wolfSSL | 13:f67a6c6013ca | 8347 | |
wolfSSL | 13:f67a6c6013ca | 8348 | der->total = der->versionSz + der->serialSz + der->sigAlgoSz + |
wolfSSL | 13:f67a6c6013ca | 8349 | der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + |
wolfSSL | 13:f67a6c6013ca | 8350 | der->extensionsSz; |
wolfSSL | 13:f67a6c6013ca | 8351 | |
wolfSSL | 13:f67a6c6013ca | 8352 | return 0; |
wolfSSL | 13:f67a6c6013ca | 8353 | } |
wolfSSL | 13:f67a6c6013ca | 8354 | |
wolfSSL | 13:f67a6c6013ca | 8355 | |
wolfSSL | 13:f67a6c6013ca | 8356 | /* write DER encoded cert to buffer, size already checked */ |
wolfSSL | 13:f67a6c6013ca | 8357 | static int WriteCertBody(DerCert* der, byte* buffer) |
wolfSSL | 13:f67a6c6013ca | 8358 | { |
wolfSSL | 13:f67a6c6013ca | 8359 | int idx; |
wolfSSL | 13:f67a6c6013ca | 8360 | |
wolfSSL | 13:f67a6c6013ca | 8361 | /* signed part header */ |
wolfSSL | 13:f67a6c6013ca | 8362 | idx = SetSequence(der->total, buffer); |
wolfSSL | 13:f67a6c6013ca | 8363 | /* version */ |
wolfSSL | 13:f67a6c6013ca | 8364 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 13:f67a6c6013ca | 8365 | idx += der->versionSz; |
wolfSSL | 13:f67a6c6013ca | 8366 | /* serial */ |
wolfSSL | 13:f67a6c6013ca | 8367 | XMEMCPY(buffer + idx, der->serial, der->serialSz); |
wolfSSL | 13:f67a6c6013ca | 8368 | idx += der->serialSz; |
wolfSSL | 13:f67a6c6013ca | 8369 | /* sig algo */ |
wolfSSL | 13:f67a6c6013ca | 8370 | XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz); |
wolfSSL | 13:f67a6c6013ca | 8371 | idx += der->sigAlgoSz; |
wolfSSL | 13:f67a6c6013ca | 8372 | /* issuer */ |
wolfSSL | 13:f67a6c6013ca | 8373 | XMEMCPY(buffer + idx, der->issuer, der->issuerSz); |
wolfSSL | 13:f67a6c6013ca | 8374 | idx += der->issuerSz; |
wolfSSL | 13:f67a6c6013ca | 8375 | /* validity */ |
wolfSSL | 13:f67a6c6013ca | 8376 | XMEMCPY(buffer + idx, der->validity, der->validitySz); |
wolfSSL | 13:f67a6c6013ca | 8377 | idx += der->validitySz; |
wolfSSL | 13:f67a6c6013ca | 8378 | /* subject */ |
wolfSSL | 13:f67a6c6013ca | 8379 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 13:f67a6c6013ca | 8380 | idx += der->subjectSz; |
wolfSSL | 13:f67a6c6013ca | 8381 | /* public key */ |
wolfSSL | 13:f67a6c6013ca | 8382 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 13:f67a6c6013ca | 8383 | idx += der->publicKeySz; |
wolfSSL | 13:f67a6c6013ca | 8384 | if (der->extensionsSz) { |
wolfSSL | 13:f67a6c6013ca | 8385 | /* extensions */ |
wolfSSL | 13:f67a6c6013ca | 8386 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8387 | (int)sizeof(der->extensions))); |
wolfSSL | 13:f67a6c6013ca | 8388 | idx += der->extensionsSz; |
wolfSSL | 13:f67a6c6013ca | 8389 | } |
wolfSSL | 13:f67a6c6013ca | 8390 | |
wolfSSL | 13:f67a6c6013ca | 8391 | return idx; |
wolfSSL | 13:f67a6c6013ca | 8392 | } |
wolfSSL | 13:f67a6c6013ca | 8393 | |
wolfSSL | 13:f67a6c6013ca | 8394 | |
wolfSSL | 13:f67a6c6013ca | 8395 | /* Make RSA signature from buffer (sz), write to sig (sigSz) */ |
wolfSSL | 13:f67a6c6013ca | 8396 | static int MakeSignature(CertSignCtx* certSignCtx, const byte* buffer, int sz, |
wolfSSL | 13:f67a6c6013ca | 8397 | byte* sig, int sigSz, RsaKey* rsaKey, ecc_key* eccKey, |
wolfSSL | 13:f67a6c6013ca | 8398 | ed25519_key* ed25519Key, WC_RNG* rng, int sigAlgoType, void* heap) |
wolfSSL | 13:f67a6c6013ca | 8399 | { |
wolfSSL | 13:f67a6c6013ca | 8400 | int digestSz = 0, typeH = 0, ret = 0; |
wolfSSL | 13:f67a6c6013ca | 8401 | |
wolfSSL | 13:f67a6c6013ca | 8402 | (void)digestSz; |
wolfSSL | 13:f67a6c6013ca | 8403 | (void)typeH; |
wolfSSL | 13:f67a6c6013ca | 8404 | (void)buffer; |
wolfSSL | 13:f67a6c6013ca | 8405 | (void)sz; |
wolfSSL | 13:f67a6c6013ca | 8406 | (void)sig; |
wolfSSL | 13:f67a6c6013ca | 8407 | (void)sigSz; |
wolfSSL | 13:f67a6c6013ca | 8408 | (void)rsaKey; |
wolfSSL | 13:f67a6c6013ca | 8409 | (void)eccKey; |
wolfSSL | 13:f67a6c6013ca | 8410 | (void)ed25519Key; |
wolfSSL | 13:f67a6c6013ca | 8411 | (void)rng; |
wolfSSL | 13:f67a6c6013ca | 8412 | |
wolfSSL | 13:f67a6c6013ca | 8413 | switch (certSignCtx->state) { |
wolfSSL | 13:f67a6c6013ca | 8414 | case CERTSIGN_STATE_BEGIN: |
wolfSSL | 13:f67a6c6013ca | 8415 | case CERTSIGN_STATE_DIGEST: |
wolfSSL | 13:f67a6c6013ca | 8416 | |
wolfSSL | 13:f67a6c6013ca | 8417 | certSignCtx->state = CERTSIGN_STATE_DIGEST; |
wolfSSL | 13:f67a6c6013ca | 8418 | certSignCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, |
wolfSSL | 13:f67a6c6013ca | 8419 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8420 | if (certSignCtx->digest == NULL) { |
wolfSSL | 13:f67a6c6013ca | 8421 | ret = MEMORY_E; goto exit_ms; |
wolfSSL | 13:f67a6c6013ca | 8422 | } |
wolfSSL | 13:f67a6c6013ca | 8423 | |
wolfSSL | 13:f67a6c6013ca | 8424 | ret = HashForSignature(buffer, sz, sigAlgoType, certSignCtx->digest, |
wolfSSL | 13:f67a6c6013ca | 8425 | &typeH, &digestSz, 0); |
wolfSSL | 13:f67a6c6013ca | 8426 | /* set next state, since WC_PENDING rentry for these are not "call again" */ |
wolfSSL | 13:f67a6c6013ca | 8427 | certSignCtx->state = CERTSIGN_STATE_ENCODE; |
wolfSSL | 13:f67a6c6013ca | 8428 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 8429 | goto exit_ms; |
wolfSSL | 13:f67a6c6013ca | 8430 | } |
wolfSSL | 13:f67a6c6013ca | 8431 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 8432 | |
wolfSSL | 13:f67a6c6013ca | 8433 | case CERTSIGN_STATE_ENCODE: |
wolfSSL | 13:f67a6c6013ca | 8434 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 8435 | if (rsaKey) { |
wolfSSL | 13:f67a6c6013ca | 8436 | certSignCtx->encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ, heap, |
wolfSSL | 13:f67a6c6013ca | 8437 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8438 | if (certSignCtx->encSig == NULL) { |
wolfSSL | 13:f67a6c6013ca | 8439 | ret = MEMORY_E; goto exit_ms; |
wolfSSL | 13:f67a6c6013ca | 8440 | } |
wolfSSL | 13:f67a6c6013ca | 8441 | |
wolfSSL | 13:f67a6c6013ca | 8442 | /* signature */ |
wolfSSL | 13:f67a6c6013ca | 8443 | certSignCtx->encSigSz = wc_EncodeSignature(certSignCtx->encSig, |
wolfSSL | 13:f67a6c6013ca | 8444 | certSignCtx->digest, digestSz, typeH); |
wolfSSL | 13:f67a6c6013ca | 8445 | } |
wolfSSL | 13:f67a6c6013ca | 8446 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 8447 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 8448 | |
wolfSSL | 13:f67a6c6013ca | 8449 | case CERTSIGN_STATE_DO: |
wolfSSL | 13:f67a6c6013ca | 8450 | certSignCtx->state = CERTSIGN_STATE_DO; |
wolfSSL | 13:f67a6c6013ca | 8451 | ret = ALGO_ID_E; /* default to error */ |
wolfSSL | 13:f67a6c6013ca | 8452 | |
wolfSSL | 13:f67a6c6013ca | 8453 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 8454 | if (rsaKey) { |
wolfSSL | 13:f67a6c6013ca | 8455 | /* signature */ |
wolfSSL | 13:f67a6c6013ca | 8456 | ret = wc_RsaSSL_Sign(certSignCtx->encSig, certSignCtx->encSigSz, |
wolfSSL | 13:f67a6c6013ca | 8457 | sig, sigSz, rsaKey, rng); |
wolfSSL | 13:f67a6c6013ca | 8458 | } |
wolfSSL | 13:f67a6c6013ca | 8459 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 8460 | |
wolfSSL | 13:f67a6c6013ca | 8461 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 8462 | if (!rsaKey && eccKey) { |
wolfSSL | 13:f67a6c6013ca | 8463 | word32 outSz = sigSz; |
wolfSSL | 13:f67a6c6013ca | 8464 | |
wolfSSL | 13:f67a6c6013ca | 8465 | ret = wc_ecc_sign_hash(certSignCtx->digest, digestSz, |
wolfSSL | 13:f67a6c6013ca | 8466 | sig, &outSz, rng, eccKey); |
wolfSSL | 13:f67a6c6013ca | 8467 | if (ret == 0) |
wolfSSL | 13:f67a6c6013ca | 8468 | ret = outSz; |
wolfSSL | 13:f67a6c6013ca | 8469 | } |
wolfSSL | 13:f67a6c6013ca | 8470 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 8471 | |
wolfSSL | 13:f67a6c6013ca | 8472 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 8473 | if (!rsaKey && !eccKey && ed25519Key) { |
wolfSSL | 13:f67a6c6013ca | 8474 | word32 outSz = sigSz; |
wolfSSL | 13:f67a6c6013ca | 8475 | |
wolfSSL | 13:f67a6c6013ca | 8476 | ret = wc_ed25519_sign_msg(buffer, sz, sig, &outSz, ed25519Key); |
wolfSSL | 13:f67a6c6013ca | 8477 | if (ret == 0) |
wolfSSL | 13:f67a6c6013ca | 8478 | ret = outSz; |
wolfSSL | 13:f67a6c6013ca | 8479 | } |
wolfSSL | 13:f67a6c6013ca | 8480 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 8481 | break; |
wolfSSL | 13:f67a6c6013ca | 8482 | } |
wolfSSL | 13:f67a6c6013ca | 8483 | |
wolfSSL | 13:f67a6c6013ca | 8484 | exit_ms: |
wolfSSL | 13:f67a6c6013ca | 8485 | |
wolfSSL | 13:f67a6c6013ca | 8486 | if (ret == WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 8487 | return ret; |
wolfSSL | 13:f67a6c6013ca | 8488 | } |
wolfSSL | 13:f67a6c6013ca | 8489 | |
wolfSSL | 13:f67a6c6013ca | 8490 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 8491 | if (rsaKey) { |
wolfSSL | 13:f67a6c6013ca | 8492 | XFREE(certSignCtx->encSig, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8493 | } |
wolfSSL | 13:f67a6c6013ca | 8494 | #endif /* !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 8495 | |
wolfSSL | 13:f67a6c6013ca | 8496 | XFREE(certSignCtx->digest, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8497 | certSignCtx->digest = NULL; |
wolfSSL | 13:f67a6c6013ca | 8498 | |
wolfSSL | 13:f67a6c6013ca | 8499 | /* reset state */ |
wolfSSL | 13:f67a6c6013ca | 8500 | certSignCtx->state = CERTSIGN_STATE_BEGIN; |
wolfSSL | 13:f67a6c6013ca | 8501 | |
wolfSSL | 13:f67a6c6013ca | 8502 | return ret; |
wolfSSL | 13:f67a6c6013ca | 8503 | } |
wolfSSL | 13:f67a6c6013ca | 8504 | |
wolfSSL | 13:f67a6c6013ca | 8505 | |
wolfSSL | 13:f67a6c6013ca | 8506 | /* add signature to end of buffer, size of buffer assumed checked, return |
wolfSSL | 13:f67a6c6013ca | 8507 | new length */ |
wolfSSL | 13:f67a6c6013ca | 8508 | static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz, |
wolfSSL | 13:f67a6c6013ca | 8509 | int sigAlgoType) |
wolfSSL | 13:f67a6c6013ca | 8510 | { |
wolfSSL | 13:f67a6c6013ca | 8511 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8512 | int idx = bodySz, seqSz; |
wolfSSL | 13:f67a6c6013ca | 8513 | |
wolfSSL | 13:f67a6c6013ca | 8514 | /* algo */ |
wolfSSL | 13:f67a6c6013ca | 8515 | idx += SetAlgoID(sigAlgoType, buffer + idx, oidSigType, 0); |
wolfSSL | 13:f67a6c6013ca | 8516 | /* bit string */ |
wolfSSL | 13:f67a6c6013ca | 8517 | idx += SetBitString(sigSz, 0, buffer + idx); |
wolfSSL | 13:f67a6c6013ca | 8518 | /* signature */ |
wolfSSL | 13:f67a6c6013ca | 8519 | XMEMCPY(buffer + idx, sig, sigSz); |
wolfSSL | 13:f67a6c6013ca | 8520 | idx += sigSz; |
wolfSSL | 13:f67a6c6013ca | 8521 | |
wolfSSL | 13:f67a6c6013ca | 8522 | /* make room for overall header */ |
wolfSSL | 13:f67a6c6013ca | 8523 | seqSz = SetSequence(idx, seq); |
wolfSSL | 13:f67a6c6013ca | 8524 | XMEMMOVE(buffer + seqSz, buffer, idx); |
wolfSSL | 13:f67a6c6013ca | 8525 | XMEMCPY(buffer, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 8526 | |
wolfSSL | 13:f67a6c6013ca | 8527 | return idx + seqSz; |
wolfSSL | 13:f67a6c6013ca | 8528 | } |
wolfSSL | 13:f67a6c6013ca | 8529 | |
wolfSSL | 13:f67a6c6013ca | 8530 | |
wolfSSL | 13:f67a6c6013ca | 8531 | /* Make an x509 Certificate v3 any key type from cert input, write to buffer */ |
wolfSSL | 13:f67a6c6013ca | 8532 | static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 13:f67a6c6013ca | 8533 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng, |
wolfSSL | 13:f67a6c6013ca | 8534 | const byte* ntruKey, word16 ntruSz, |
wolfSSL | 13:f67a6c6013ca | 8535 | ed25519_key* ed25519Key) |
wolfSSL | 13:f67a6c6013ca | 8536 | { |
wolfSSL | 13:f67a6c6013ca | 8537 | int ret; |
wolfSSL | 13:f67a6c6013ca | 8538 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8539 | DerCert* der; |
wolfSSL | 13:f67a6c6013ca | 8540 | #else |
wolfSSL | 13:f67a6c6013ca | 8541 | DerCert der[1]; |
wolfSSL | 13:f67a6c6013ca | 8542 | #endif |
wolfSSL | 13:f67a6c6013ca | 8543 | |
wolfSSL | 13:f67a6c6013ca | 8544 | cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : |
wolfSSL | 13:f67a6c6013ca | 8545 | (ed25519Key ? ED25519_KEY : NTRU_KEY)); |
wolfSSL | 13:f67a6c6013ca | 8546 | |
wolfSSL | 13:f67a6c6013ca | 8547 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8548 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8549 | if (der == NULL) |
wolfSSL | 13:f67a6c6013ca | 8550 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 8551 | #endif |
wolfSSL | 13:f67a6c6013ca | 8552 | |
wolfSSL | 13:f67a6c6013ca | 8553 | ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz, |
wolfSSL | 13:f67a6c6013ca | 8554 | ed25519Key); |
wolfSSL | 13:f67a6c6013ca | 8555 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 8556 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 13:f67a6c6013ca | 8557 | ret = BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 8558 | else |
wolfSSL | 13:f67a6c6013ca | 8559 | ret = cert->bodySz = WriteCertBody(der, derBuffer); |
wolfSSL | 13:f67a6c6013ca | 8560 | } |
wolfSSL | 13:f67a6c6013ca | 8561 | |
wolfSSL | 13:f67a6c6013ca | 8562 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8563 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8564 | #endif |
wolfSSL | 13:f67a6c6013ca | 8565 | |
wolfSSL | 13:f67a6c6013ca | 8566 | return ret; |
wolfSSL | 13:f67a6c6013ca | 8567 | } |
wolfSSL | 13:f67a6c6013ca | 8568 | |
wolfSSL | 13:f67a6c6013ca | 8569 | |
wolfSSL | 13:f67a6c6013ca | 8570 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 13:f67a6c6013ca | 8571 | int wc_MakeCert_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType, |
wolfSSL | 13:f67a6c6013ca | 8572 | void* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 8573 | { |
wolfSSL | 13:f67a6c6013ca | 8574 | RsaKey* rsaKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 8575 | ecc_key* eccKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 8576 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 13:f67a6c6013ca | 8577 | |
wolfSSL | 13:f67a6c6013ca | 8578 | if (keyType == RSA_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8579 | rsaKey = (RsaKey*)key; |
wolfSSL | 13:f67a6c6013ca | 8580 | else if (keyType == ECC_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8581 | eccKey = (ecc_key*)key; |
wolfSSL | 13:f67a6c6013ca | 8582 | else if (keyType == ED25519_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8583 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 13:f67a6c6013ca | 8584 | |
wolfSSL | 13:f67a6c6013ca | 8585 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0, |
wolfSSL | 13:f67a6c6013ca | 8586 | ed25519Key); |
wolfSSL | 13:f67a6c6013ca | 8587 | } |
wolfSSL | 13:f67a6c6013ca | 8588 | /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ |
wolfSSL | 13:f67a6c6013ca | 8589 | int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, |
wolfSSL | 13:f67a6c6013ca | 8590 | ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 8591 | { |
wolfSSL | 13:f67a6c6013ca | 8592 | return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0, |
wolfSSL | 13:f67a6c6013ca | 8593 | NULL); |
wolfSSL | 13:f67a6c6013ca | 8594 | } |
wolfSSL | 13:f67a6c6013ca | 8595 | |
wolfSSL | 13:f67a6c6013ca | 8596 | |
wolfSSL | 13:f67a6c6013ca | 8597 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 8598 | |
wolfSSL | 13:f67a6c6013ca | 8599 | int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 13:f67a6c6013ca | 8600 | const byte* ntruKey, word16 keySz, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 8601 | { |
wolfSSL | 13:f67a6c6013ca | 8602 | return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz); |
wolfSSL | 13:f67a6c6013ca | 8603 | } |
wolfSSL | 13:f67a6c6013ca | 8604 | |
wolfSSL | 13:f67a6c6013ca | 8605 | #endif /* HAVE_NTRU */ |
wolfSSL | 13:f67a6c6013ca | 8606 | |
wolfSSL | 13:f67a6c6013ca | 8607 | |
wolfSSL | 13:f67a6c6013ca | 8608 | #ifdef WOLFSSL_CERT_REQ |
wolfSSL | 13:f67a6c6013ca | 8609 | |
wolfSSL | 13:f67a6c6013ca | 8610 | static int SetReqAttrib(byte* output, char* pw, int extSz) |
wolfSSL | 13:f67a6c6013ca | 8611 | { |
wolfSSL | 13:f67a6c6013ca | 8612 | static const byte cpOid[] = |
wolfSSL | 13:f67a6c6013ca | 8613 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 13:f67a6c6013ca | 8614 | 0x09, 0x07 }; |
wolfSSL | 13:f67a6c6013ca | 8615 | static const byte erOid[] = |
wolfSSL | 13:f67a6c6013ca | 8616 | { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
wolfSSL | 13:f67a6c6013ca | 8617 | 0x09, 0x0e }; |
wolfSSL | 13:f67a6c6013ca | 8618 | |
wolfSSL | 13:f67a6c6013ca | 8619 | int sz = 0; /* overall size */ |
wolfSSL | 13:f67a6c6013ca | 8620 | int cpSz = 0; /* Challenge Password section size */ |
wolfSSL | 13:f67a6c6013ca | 8621 | int cpSeqSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8622 | int cpSetSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8623 | int cpStrSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8624 | int pwSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8625 | int erSz = 0; /* Extension Request section size */ |
wolfSSL | 13:f67a6c6013ca | 8626 | int erSeqSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8627 | int erSetSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8628 | byte cpSeq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8629 | byte cpSet[MAX_SET_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8630 | byte cpStr[MAX_PRSTR_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8631 | byte erSeq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8632 | byte erSet[MAX_SET_SZ]; |
wolfSSL | 13:f67a6c6013ca | 8633 | |
wolfSSL | 13:f67a6c6013ca | 8634 | output[0] = 0xa0; |
wolfSSL | 13:f67a6c6013ca | 8635 | sz++; |
wolfSSL | 13:f67a6c6013ca | 8636 | |
wolfSSL | 13:f67a6c6013ca | 8637 | if (pw && pw[0]) { |
wolfSSL | 13:f67a6c6013ca | 8638 | pwSz = (int)XSTRLEN(pw); |
wolfSSL | 13:f67a6c6013ca | 8639 | cpStrSz = SetUTF8String(pwSz, cpStr); |
wolfSSL | 13:f67a6c6013ca | 8640 | cpSetSz = SetSet(cpStrSz + pwSz, cpSet); |
wolfSSL | 13:f67a6c6013ca | 8641 | cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq); |
wolfSSL | 13:f67a6c6013ca | 8642 | cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz; |
wolfSSL | 13:f67a6c6013ca | 8643 | } |
wolfSSL | 13:f67a6c6013ca | 8644 | |
wolfSSL | 13:f67a6c6013ca | 8645 | if (extSz) { |
wolfSSL | 13:f67a6c6013ca | 8646 | erSetSz = SetSet(extSz, erSet); |
wolfSSL | 13:f67a6c6013ca | 8647 | erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq); |
wolfSSL | 13:f67a6c6013ca | 8648 | erSz = extSz + erSetSz + erSeqSz + sizeof(erOid); |
wolfSSL | 13:f67a6c6013ca | 8649 | } |
wolfSSL | 13:f67a6c6013ca | 8650 | |
wolfSSL | 13:f67a6c6013ca | 8651 | /* Put the pieces together. */ |
wolfSSL | 13:f67a6c6013ca | 8652 | sz += SetLength(cpSz + erSz, &output[sz]); |
wolfSSL | 13:f67a6c6013ca | 8653 | |
wolfSSL | 13:f67a6c6013ca | 8654 | if (cpSz) { |
wolfSSL | 13:f67a6c6013ca | 8655 | XMEMCPY(&output[sz], cpSeq, cpSeqSz); |
wolfSSL | 13:f67a6c6013ca | 8656 | sz += cpSeqSz; |
wolfSSL | 13:f67a6c6013ca | 8657 | XMEMCPY(&output[sz], cpOid, sizeof(cpOid)); |
wolfSSL | 13:f67a6c6013ca | 8658 | sz += sizeof(cpOid); |
wolfSSL | 13:f67a6c6013ca | 8659 | XMEMCPY(&output[sz], cpSet, cpSetSz); |
wolfSSL | 13:f67a6c6013ca | 8660 | sz += cpSetSz; |
wolfSSL | 13:f67a6c6013ca | 8661 | XMEMCPY(&output[sz], cpStr, cpStrSz); |
wolfSSL | 13:f67a6c6013ca | 8662 | sz += cpStrSz; |
wolfSSL | 13:f67a6c6013ca | 8663 | XMEMCPY(&output[sz], pw, pwSz); |
wolfSSL | 13:f67a6c6013ca | 8664 | sz += pwSz; |
wolfSSL | 13:f67a6c6013ca | 8665 | } |
wolfSSL | 13:f67a6c6013ca | 8666 | |
wolfSSL | 13:f67a6c6013ca | 8667 | if (erSz) { |
wolfSSL | 13:f67a6c6013ca | 8668 | XMEMCPY(&output[sz], erSeq, erSeqSz); |
wolfSSL | 13:f67a6c6013ca | 8669 | sz += erSeqSz; |
wolfSSL | 13:f67a6c6013ca | 8670 | XMEMCPY(&output[sz], erOid, sizeof(erOid)); |
wolfSSL | 13:f67a6c6013ca | 8671 | sz += sizeof(erOid); |
wolfSSL | 13:f67a6c6013ca | 8672 | XMEMCPY(&output[sz], erSet, erSetSz); |
wolfSSL | 13:f67a6c6013ca | 8673 | sz += erSetSz; |
wolfSSL | 13:f67a6c6013ca | 8674 | /* The actual extension data will be tacked onto the output later. */ |
wolfSSL | 13:f67a6c6013ca | 8675 | } |
wolfSSL | 13:f67a6c6013ca | 8676 | |
wolfSSL | 13:f67a6c6013ca | 8677 | return sz; |
wolfSSL | 13:f67a6c6013ca | 8678 | } |
wolfSSL | 13:f67a6c6013ca | 8679 | |
wolfSSL | 13:f67a6c6013ca | 8680 | |
wolfSSL | 13:f67a6c6013ca | 8681 | /* encode info from cert into DER encoded format */ |
wolfSSL | 13:f67a6c6013ca | 8682 | static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey, |
wolfSSL | 13:f67a6c6013ca | 8683 | ecc_key* eccKey, ed25519_key* ed25519Key) |
wolfSSL | 13:f67a6c6013ca | 8684 | { |
wolfSSL | 13:f67a6c6013ca | 8685 | (void)eccKey; |
wolfSSL | 13:f67a6c6013ca | 8686 | (void)ed25519Key; |
wolfSSL | 13:f67a6c6013ca | 8687 | |
wolfSSL | 13:f67a6c6013ca | 8688 | if (cert == NULL || der == NULL) |
wolfSSL | 13:f67a6c6013ca | 8689 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 8690 | |
wolfSSL | 13:f67a6c6013ca | 8691 | /* init */ |
wolfSSL | 13:f67a6c6013ca | 8692 | XMEMSET(der, 0, sizeof(DerCert)); |
wolfSSL | 13:f67a6c6013ca | 8693 | |
wolfSSL | 13:f67a6c6013ca | 8694 | /* version */ |
wolfSSL | 13:f67a6c6013ca | 8695 | der->versionSz = SetMyVersion(cert->version, der->version, FALSE); |
wolfSSL | 13:f67a6c6013ca | 8696 | |
wolfSSL | 13:f67a6c6013ca | 8697 | /* subject name */ |
wolfSSL | 13:f67a6c6013ca | 8698 | der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject); |
wolfSSL | 13:f67a6c6013ca | 8699 | if (der->subjectSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8700 | return SUBJECT_E; |
wolfSSL | 13:f67a6c6013ca | 8701 | |
wolfSSL | 13:f67a6c6013ca | 8702 | /* public key */ |
wolfSSL | 13:f67a6c6013ca | 8703 | if (cert->keyType == RSA_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8704 | if (rsaKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 8705 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8706 | der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, |
wolfSSL | 13:f67a6c6013ca | 8707 | sizeof(der->publicKey), 1); |
wolfSSL | 13:f67a6c6013ca | 8708 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8709 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8710 | } |
wolfSSL | 13:f67a6c6013ca | 8711 | |
wolfSSL | 13:f67a6c6013ca | 8712 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 8713 | if (cert->keyType == ECC_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8714 | if (eccKey == NULL) |
wolfSSL | 13:f67a6c6013ca | 8715 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8716 | der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); |
wolfSSL | 13:f67a6c6013ca | 8717 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8718 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8719 | } |
wolfSSL | 13:f67a6c6013ca | 8720 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 8721 | |
wolfSSL | 13:f67a6c6013ca | 8722 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 8723 | if (cert->keyType == ED25519_KEY) { |
wolfSSL | 13:f67a6c6013ca | 8724 | if (ed25519Key == NULL) |
wolfSSL | 13:f67a6c6013ca | 8725 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8726 | der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); |
wolfSSL | 13:f67a6c6013ca | 8727 | if (der->publicKeySz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8728 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 8729 | } |
wolfSSL | 13:f67a6c6013ca | 8730 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 8731 | |
wolfSSL | 13:f67a6c6013ca | 8732 | /* set the extensions */ |
wolfSSL | 13:f67a6c6013ca | 8733 | der->extensionsSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8734 | |
wolfSSL | 13:f67a6c6013ca | 8735 | /* CA */ |
wolfSSL | 13:f67a6c6013ca | 8736 | if (cert->isCA) { |
wolfSSL | 13:f67a6c6013ca | 8737 | der->caSz = SetCa(der->ca, sizeof(der->ca)); |
wolfSSL | 13:f67a6c6013ca | 8738 | if (der->caSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8739 | return CA_TRUE_E; |
wolfSSL | 13:f67a6c6013ca | 8740 | |
wolfSSL | 13:f67a6c6013ca | 8741 | der->extensionsSz += der->caSz; |
wolfSSL | 13:f67a6c6013ca | 8742 | } |
wolfSSL | 13:f67a6c6013ca | 8743 | else |
wolfSSL | 13:f67a6c6013ca | 8744 | der->caSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8745 | |
wolfSSL | 13:f67a6c6013ca | 8746 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 8747 | /* SKID */ |
wolfSSL | 13:f67a6c6013ca | 8748 | if (cert->skidSz) { |
wolfSSL | 13:f67a6c6013ca | 8749 | /* check the provided SKID size */ |
wolfSSL | 13:f67a6c6013ca | 8750 | if (cert->skidSz > (int)sizeof(der->skid)) |
wolfSSL | 13:f67a6c6013ca | 8751 | return SKID_E; |
wolfSSL | 13:f67a6c6013ca | 8752 | |
wolfSSL | 13:f67a6c6013ca | 8753 | der->skidSz = SetSKID(der->skid, sizeof(der->skid), |
wolfSSL | 13:f67a6c6013ca | 8754 | cert->skid, cert->skidSz); |
wolfSSL | 13:f67a6c6013ca | 8755 | if (der->skidSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8756 | return SKID_E; |
wolfSSL | 13:f67a6c6013ca | 8757 | |
wolfSSL | 13:f67a6c6013ca | 8758 | der->extensionsSz += der->skidSz; |
wolfSSL | 13:f67a6c6013ca | 8759 | } |
wolfSSL | 13:f67a6c6013ca | 8760 | else |
wolfSSL | 13:f67a6c6013ca | 8761 | der->skidSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8762 | |
wolfSSL | 13:f67a6c6013ca | 8763 | /* Key Usage */ |
wolfSSL | 13:f67a6c6013ca | 8764 | if (cert->keyUsage != 0){ |
wolfSSL | 13:f67a6c6013ca | 8765 | der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage), |
wolfSSL | 13:f67a6c6013ca | 8766 | cert->keyUsage); |
wolfSSL | 13:f67a6c6013ca | 8767 | if (der->keyUsageSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8768 | return KEYUSAGE_E; |
wolfSSL | 13:f67a6c6013ca | 8769 | |
wolfSSL | 13:f67a6c6013ca | 8770 | der->extensionsSz += der->keyUsageSz; |
wolfSSL | 13:f67a6c6013ca | 8771 | } |
wolfSSL | 13:f67a6c6013ca | 8772 | else |
wolfSSL | 13:f67a6c6013ca | 8773 | der->keyUsageSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8774 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 8775 | |
wolfSSL | 13:f67a6c6013ca | 8776 | /* put extensions */ |
wolfSSL | 13:f67a6c6013ca | 8777 | if (der->extensionsSz > 0) { |
wolfSSL | 13:f67a6c6013ca | 8778 | int ret; |
wolfSSL | 13:f67a6c6013ca | 8779 | |
wolfSSL | 13:f67a6c6013ca | 8780 | /* put the start of sequence (ID, Size) */ |
wolfSSL | 13:f67a6c6013ca | 8781 | der->extensionsSz = SetSequence(der->extensionsSz, der->extensions); |
wolfSSL | 13:f67a6c6013ca | 8782 | if (der->extensionsSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8783 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8784 | |
wolfSSL | 13:f67a6c6013ca | 8785 | /* put CA */ |
wolfSSL | 13:f67a6c6013ca | 8786 | if (der->caSz) { |
wolfSSL | 13:f67a6c6013ca | 8787 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8788 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8789 | der->ca, der->caSz); |
wolfSSL | 13:f67a6c6013ca | 8790 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8791 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8792 | } |
wolfSSL | 13:f67a6c6013ca | 8793 | |
wolfSSL | 13:f67a6c6013ca | 8794 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 8795 | /* put SKID */ |
wolfSSL | 13:f67a6c6013ca | 8796 | if (der->skidSz) { |
wolfSSL | 13:f67a6c6013ca | 8797 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8798 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8799 | der->skid, der->skidSz); |
wolfSSL | 13:f67a6c6013ca | 8800 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8801 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8802 | } |
wolfSSL | 13:f67a6c6013ca | 8803 | |
wolfSSL | 13:f67a6c6013ca | 8804 | /* put AKID */ |
wolfSSL | 13:f67a6c6013ca | 8805 | if (der->akidSz) { |
wolfSSL | 13:f67a6c6013ca | 8806 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8807 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8808 | der->akid, der->akidSz); |
wolfSSL | 13:f67a6c6013ca | 8809 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8810 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8811 | } |
wolfSSL | 13:f67a6c6013ca | 8812 | |
wolfSSL | 13:f67a6c6013ca | 8813 | /* put KeyUsage */ |
wolfSSL | 13:f67a6c6013ca | 8814 | if (der->keyUsageSz) { |
wolfSSL | 13:f67a6c6013ca | 8815 | ret = SetExtensions(der->extensions, sizeof(der->extensions), |
wolfSSL | 13:f67a6c6013ca | 8816 | &der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8817 | der->keyUsage, der->keyUsageSz); |
wolfSSL | 13:f67a6c6013ca | 8818 | if (ret <= 0) |
wolfSSL | 13:f67a6c6013ca | 8819 | return EXTENSIONS_E; |
wolfSSL | 13:f67a6c6013ca | 8820 | } |
wolfSSL | 13:f67a6c6013ca | 8821 | |
wolfSSL | 13:f67a6c6013ca | 8822 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 8823 | } |
wolfSSL | 13:f67a6c6013ca | 8824 | |
wolfSSL | 13:f67a6c6013ca | 8825 | der->attribSz = SetReqAttrib(der->attrib, |
wolfSSL | 13:f67a6c6013ca | 8826 | cert->challengePw, der->extensionsSz); |
wolfSSL | 13:f67a6c6013ca | 8827 | if (der->attribSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 8828 | return REQ_ATTRIBUTE_E; |
wolfSSL | 13:f67a6c6013ca | 8829 | |
wolfSSL | 13:f67a6c6013ca | 8830 | der->total = der->versionSz + der->subjectSz + der->publicKeySz + |
wolfSSL | 13:f67a6c6013ca | 8831 | der->extensionsSz + der->attribSz; |
wolfSSL | 13:f67a6c6013ca | 8832 | |
wolfSSL | 13:f67a6c6013ca | 8833 | return 0; |
wolfSSL | 13:f67a6c6013ca | 8834 | } |
wolfSSL | 13:f67a6c6013ca | 8835 | |
wolfSSL | 13:f67a6c6013ca | 8836 | |
wolfSSL | 13:f67a6c6013ca | 8837 | /* write DER encoded cert req to buffer, size already checked */ |
wolfSSL | 13:f67a6c6013ca | 8838 | static int WriteCertReqBody(DerCert* der, byte* buffer) |
wolfSSL | 13:f67a6c6013ca | 8839 | { |
wolfSSL | 13:f67a6c6013ca | 8840 | int idx; |
wolfSSL | 13:f67a6c6013ca | 8841 | |
wolfSSL | 13:f67a6c6013ca | 8842 | /* signed part header */ |
wolfSSL | 13:f67a6c6013ca | 8843 | idx = SetSequence(der->total, buffer); |
wolfSSL | 13:f67a6c6013ca | 8844 | /* version */ |
wolfSSL | 13:f67a6c6013ca | 8845 | XMEMCPY(buffer + idx, der->version, der->versionSz); |
wolfSSL | 13:f67a6c6013ca | 8846 | idx += der->versionSz; |
wolfSSL | 13:f67a6c6013ca | 8847 | /* subject */ |
wolfSSL | 13:f67a6c6013ca | 8848 | XMEMCPY(buffer + idx, der->subject, der->subjectSz); |
wolfSSL | 13:f67a6c6013ca | 8849 | idx += der->subjectSz; |
wolfSSL | 13:f67a6c6013ca | 8850 | /* public key */ |
wolfSSL | 13:f67a6c6013ca | 8851 | XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz); |
wolfSSL | 13:f67a6c6013ca | 8852 | idx += der->publicKeySz; |
wolfSSL | 13:f67a6c6013ca | 8853 | /* attributes */ |
wolfSSL | 13:f67a6c6013ca | 8854 | XMEMCPY(buffer + idx, der->attrib, der->attribSz); |
wolfSSL | 13:f67a6c6013ca | 8855 | idx += der->attribSz; |
wolfSSL | 13:f67a6c6013ca | 8856 | /* extensions */ |
wolfSSL | 13:f67a6c6013ca | 8857 | if (der->extensionsSz) { |
wolfSSL | 13:f67a6c6013ca | 8858 | XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, |
wolfSSL | 13:f67a6c6013ca | 8859 | (int)sizeof(der->extensions))); |
wolfSSL | 13:f67a6c6013ca | 8860 | idx += der->extensionsSz; |
wolfSSL | 13:f67a6c6013ca | 8861 | } |
wolfSSL | 13:f67a6c6013ca | 8862 | |
wolfSSL | 13:f67a6c6013ca | 8863 | return idx; |
wolfSSL | 13:f67a6c6013ca | 8864 | } |
wolfSSL | 13:f67a6c6013ca | 8865 | |
wolfSSL | 13:f67a6c6013ca | 8866 | |
wolfSSL | 13:f67a6c6013ca | 8867 | static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 13:f67a6c6013ca | 8868 | RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key) |
wolfSSL | 13:f67a6c6013ca | 8869 | { |
wolfSSL | 13:f67a6c6013ca | 8870 | int ret; |
wolfSSL | 13:f67a6c6013ca | 8871 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8872 | DerCert* der; |
wolfSSL | 13:f67a6c6013ca | 8873 | #else |
wolfSSL | 13:f67a6c6013ca | 8874 | DerCert der[1]; |
wolfSSL | 13:f67a6c6013ca | 8875 | #endif |
wolfSSL | 13:f67a6c6013ca | 8876 | |
wolfSSL | 13:f67a6c6013ca | 8877 | cert->keyType = eccKey ? ECC_KEY : (ed25519Key ? ED25519_KEY : RSA_KEY); |
wolfSSL | 13:f67a6c6013ca | 8878 | |
wolfSSL | 13:f67a6c6013ca | 8879 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8880 | der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8881 | if (der == NULL) |
wolfSSL | 13:f67a6c6013ca | 8882 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 8883 | #endif |
wolfSSL | 13:f67a6c6013ca | 8884 | |
wolfSSL | 13:f67a6c6013ca | 8885 | ret = EncodeCertReq(cert, der, rsaKey, eccKey, ed25519Key); |
wolfSSL | 13:f67a6c6013ca | 8886 | |
wolfSSL | 13:f67a6c6013ca | 8887 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 8888 | if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) |
wolfSSL | 13:f67a6c6013ca | 8889 | ret = BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 8890 | else |
wolfSSL | 13:f67a6c6013ca | 8891 | ret = cert->bodySz = WriteCertReqBody(der, derBuffer); |
wolfSSL | 13:f67a6c6013ca | 8892 | } |
wolfSSL | 13:f67a6c6013ca | 8893 | |
wolfSSL | 13:f67a6c6013ca | 8894 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 8895 | XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8896 | #endif |
wolfSSL | 13:f67a6c6013ca | 8897 | |
wolfSSL | 13:f67a6c6013ca | 8898 | return ret; |
wolfSSL | 13:f67a6c6013ca | 8899 | } |
wolfSSL | 13:f67a6c6013ca | 8900 | |
wolfSSL | 13:f67a6c6013ca | 8901 | int wc_MakeCertReq_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType, |
wolfSSL | 13:f67a6c6013ca | 8902 | void* key) |
wolfSSL | 13:f67a6c6013ca | 8903 | { |
wolfSSL | 13:f67a6c6013ca | 8904 | RsaKey* rsaKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 8905 | ecc_key* eccKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 8906 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 13:f67a6c6013ca | 8907 | |
wolfSSL | 13:f67a6c6013ca | 8908 | if (keyType == RSA_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8909 | rsaKey = (RsaKey*)key; |
wolfSSL | 13:f67a6c6013ca | 8910 | else if (keyType == ECC_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8911 | eccKey = (ecc_key*)key; |
wolfSSL | 13:f67a6c6013ca | 8912 | else if (keyType == ED25519_TYPE) |
wolfSSL | 13:f67a6c6013ca | 8913 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 13:f67a6c6013ca | 8914 | |
wolfSSL | 13:f67a6c6013ca | 8915 | return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, ed25519Key); |
wolfSSL | 13:f67a6c6013ca | 8916 | } |
wolfSSL | 13:f67a6c6013ca | 8917 | |
wolfSSL | 13:f67a6c6013ca | 8918 | int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, |
wolfSSL | 13:f67a6c6013ca | 8919 | RsaKey* rsaKey, ecc_key* eccKey) |
wolfSSL | 13:f67a6c6013ca | 8920 | { |
wolfSSL | 13:f67a6c6013ca | 8921 | return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, NULL); |
wolfSSL | 13:f67a6c6013ca | 8922 | } |
wolfSSL | 13:f67a6c6013ca | 8923 | #endif /* WOLFSSL_CERT_REQ */ |
wolfSSL | 13:f67a6c6013ca | 8924 | |
wolfSSL | 13:f67a6c6013ca | 8925 | |
wolfSSL | 13:f67a6c6013ca | 8926 | static int SignCert(int requestSz, int sType, byte* buffer, word32 buffSz, |
wolfSSL | 13:f67a6c6013ca | 8927 | RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key, |
wolfSSL | 13:f67a6c6013ca | 8928 | WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 8929 | { |
wolfSSL | 13:f67a6c6013ca | 8930 | int sigSz = 0; |
wolfSSL | 13:f67a6c6013ca | 8931 | void* heap = NULL; |
wolfSSL | 13:f67a6c6013ca | 8932 | CertSignCtx* certSignCtx = NULL; |
wolfSSL | 13:f67a6c6013ca | 8933 | #ifndef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 8934 | CertSignCtx certSignCtx_lcl; |
wolfSSL | 13:f67a6c6013ca | 8935 | certSignCtx = &certSignCtx_lcl; |
wolfSSL | 13:f67a6c6013ca | 8936 | XMEMSET(certSignCtx, 0, sizeof(CertSignCtx)); |
wolfSSL | 13:f67a6c6013ca | 8937 | #endif |
wolfSSL | 13:f67a6c6013ca | 8938 | |
wolfSSL | 13:f67a6c6013ca | 8939 | if (requestSz < 0) |
wolfSSL | 13:f67a6c6013ca | 8940 | return requestSz; |
wolfSSL | 13:f67a6c6013ca | 8941 | |
wolfSSL | 13:f67a6c6013ca | 8942 | /* locate ctx */ |
wolfSSL | 13:f67a6c6013ca | 8943 | if (rsaKey) { |
wolfSSL | 13:f67a6c6013ca | 8944 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 8945 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 8946 | certSignCtx = &rsaKey->certSignCtx; |
wolfSSL | 13:f67a6c6013ca | 8947 | #endif |
wolfSSL | 13:f67a6c6013ca | 8948 | heap = rsaKey->heap; |
wolfSSL | 13:f67a6c6013ca | 8949 | #else |
wolfSSL | 13:f67a6c6013ca | 8950 | return NOT_COMPILED_IN; |
wolfSSL | 13:f67a6c6013ca | 8951 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 8952 | } |
wolfSSL | 13:f67a6c6013ca | 8953 | else if (eccKey) { |
wolfSSL | 13:f67a6c6013ca | 8954 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 8955 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 8956 | certSignCtx = &eccKey->certSignCtx; |
wolfSSL | 13:f67a6c6013ca | 8957 | #endif |
wolfSSL | 13:f67a6c6013ca | 8958 | heap = eccKey->heap; |
wolfSSL | 13:f67a6c6013ca | 8959 | #else |
wolfSSL | 13:f67a6c6013ca | 8960 | return NOT_COMPILED_IN; |
wolfSSL | 13:f67a6c6013ca | 8961 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 8962 | } |
wolfSSL | 13:f67a6c6013ca | 8963 | |
wolfSSL | 13:f67a6c6013ca | 8964 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 8965 | if (certSignCtx == NULL) { |
wolfSSL | 13:f67a6c6013ca | 8966 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 8967 | } |
wolfSSL | 13:f67a6c6013ca | 8968 | #endif |
wolfSSL | 13:f67a6c6013ca | 8969 | |
wolfSSL | 13:f67a6c6013ca | 8970 | if (certSignCtx->sig == NULL) { |
wolfSSL | 13:f67a6c6013ca | 8971 | certSignCtx->sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, heap, |
wolfSSL | 13:f67a6c6013ca | 8972 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8973 | if (certSignCtx->sig == NULL) |
wolfSSL | 13:f67a6c6013ca | 8974 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 8975 | } |
wolfSSL | 13:f67a6c6013ca | 8976 | |
wolfSSL | 13:f67a6c6013ca | 8977 | sigSz = MakeSignature(certSignCtx, buffer, requestSz, certSignCtx->sig, |
wolfSSL | 13:f67a6c6013ca | 8978 | MAX_ENCODED_SIG_SZ, rsaKey, eccKey, ed25519Key, rng, sType, heap); |
wolfSSL | 13:f67a6c6013ca | 8979 | if (sigSz == WC_PENDING_E) |
wolfSSL | 13:f67a6c6013ca | 8980 | return sigSz; |
wolfSSL | 13:f67a6c6013ca | 8981 | |
wolfSSL | 13:f67a6c6013ca | 8982 | if (sigSz >= 0) { |
wolfSSL | 13:f67a6c6013ca | 8983 | if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz) |
wolfSSL | 13:f67a6c6013ca | 8984 | sigSz = BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 8985 | else |
wolfSSL | 13:f67a6c6013ca | 8986 | sigSz = AddSignature(buffer, requestSz, certSignCtx->sig, sigSz, sType); |
wolfSSL | 13:f67a6c6013ca | 8987 | } |
wolfSSL | 13:f67a6c6013ca | 8988 | |
wolfSSL | 13:f67a6c6013ca | 8989 | XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 8990 | certSignCtx->sig = NULL; |
wolfSSL | 13:f67a6c6013ca | 8991 | |
wolfSSL | 13:f67a6c6013ca | 8992 | return sigSz; |
wolfSSL | 13:f67a6c6013ca | 8993 | } |
wolfSSL | 13:f67a6c6013ca | 8994 | |
wolfSSL | 13:f67a6c6013ca | 8995 | int wc_SignCert_ex(int requestSz, int sType, byte* buffer, word32 buffSz, |
wolfSSL | 13:f67a6c6013ca | 8996 | int keyType, void* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 8997 | { |
wolfSSL | 13:f67a6c6013ca | 8998 | RsaKey* rsaKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 8999 | ecc_key* eccKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9000 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 13:f67a6c6013ca | 9001 | |
wolfSSL | 13:f67a6c6013ca | 9002 | if (keyType == RSA_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9003 | rsaKey = (RsaKey*)key; |
wolfSSL | 13:f67a6c6013ca | 9004 | else if (keyType == ECC_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9005 | eccKey = (ecc_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9006 | else if (keyType == ED25519_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9007 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9008 | |
wolfSSL | 13:f67a6c6013ca | 9009 | return SignCert(requestSz, sType, buffer, buffSz, rsaKey, eccKey, |
wolfSSL | 13:f67a6c6013ca | 9010 | ed25519Key, rng); |
wolfSSL | 13:f67a6c6013ca | 9011 | } |
wolfSSL | 13:f67a6c6013ca | 9012 | |
wolfSSL | 13:f67a6c6013ca | 9013 | int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz, |
wolfSSL | 13:f67a6c6013ca | 9014 | RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 9015 | { |
wolfSSL | 13:f67a6c6013ca | 9016 | return SignCert(requestSz, sType, buffer, buffSz, rsaKey, eccKey, NULL, |
wolfSSL | 13:f67a6c6013ca | 9017 | rng); |
wolfSSL | 13:f67a6c6013ca | 9018 | } |
wolfSSL | 13:f67a6c6013ca | 9019 | |
wolfSSL | 13:f67a6c6013ca | 9020 | int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, |
wolfSSL | 13:f67a6c6013ca | 9021 | RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 9022 | { |
wolfSSL | 13:f67a6c6013ca | 9023 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9024 | |
wolfSSL | 13:f67a6c6013ca | 9025 | ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng); |
wolfSSL | 13:f67a6c6013ca | 9026 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 9027 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9028 | |
wolfSSL | 13:f67a6c6013ca | 9029 | return wc_SignCert(cert->bodySz, cert->sigType, |
wolfSSL | 13:f67a6c6013ca | 9030 | buffer, buffSz, key, NULL, rng); |
wolfSSL | 13:f67a6c6013ca | 9031 | } |
wolfSSL | 13:f67a6c6013ca | 9032 | |
wolfSSL | 13:f67a6c6013ca | 9033 | |
wolfSSL | 13:f67a6c6013ca | 9034 | #ifdef WOLFSSL_CERT_EXT |
wolfSSL | 13:f67a6c6013ca | 9035 | |
wolfSSL | 13:f67a6c6013ca | 9036 | /* Set KID from RSA or ECC public key */ |
wolfSSL | 13:f67a6c6013ca | 9037 | static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, |
wolfSSL | 13:f67a6c6013ca | 9038 | byte *ntruKey, word16 ntruKeySz, |
wolfSSL | 13:f67a6c6013ca | 9039 | ed25519_key* ed25519Key, int kid_type) |
wolfSSL | 13:f67a6c6013ca | 9040 | { |
wolfSSL | 13:f67a6c6013ca | 9041 | byte *buffer; |
wolfSSL | 13:f67a6c6013ca | 9042 | int bufferSz, ret; |
wolfSSL | 13:f67a6c6013ca | 9043 | |
wolfSSL | 13:f67a6c6013ca | 9044 | #ifndef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 9045 | (void)ntruKeySz; |
wolfSSL | 13:f67a6c6013ca | 9046 | #endif |
wolfSSL | 13:f67a6c6013ca | 9047 | |
wolfSSL | 13:f67a6c6013ca | 9048 | if (cert == NULL || |
wolfSSL | 13:f67a6c6013ca | 9049 | (rsakey == NULL && eckey == NULL && ntruKey == NULL && |
wolfSSL | 13:f67a6c6013ca | 9050 | ed25519Key == NULL) || |
wolfSSL | 13:f67a6c6013ca | 9051 | (rsakey != NULL && eckey != NULL) || |
wolfSSL | 13:f67a6c6013ca | 9052 | (rsakey != NULL && ntruKey != NULL) || |
wolfSSL | 13:f67a6c6013ca | 9053 | (ntruKey != NULL && eckey != NULL) || |
wolfSSL | 13:f67a6c6013ca | 9054 | (kid_type != SKID_TYPE && kid_type != AKID_TYPE)) |
wolfSSL | 13:f67a6c6013ca | 9055 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9056 | |
wolfSSL | 13:f67a6c6013ca | 9057 | buffer = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 9058 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9059 | if (buffer == NULL) |
wolfSSL | 13:f67a6c6013ca | 9060 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9061 | |
wolfSSL | 13:f67a6c6013ca | 9062 | /* RSA public key */ |
wolfSSL | 13:f67a6c6013ca | 9063 | if (rsakey != NULL) |
wolfSSL | 13:f67a6c6013ca | 9064 | bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0); |
wolfSSL | 13:f67a6c6013ca | 9065 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 9066 | /* ECC public key */ |
wolfSSL | 13:f67a6c6013ca | 9067 | else if (eckey != NULL) |
wolfSSL | 13:f67a6c6013ca | 9068 | bufferSz = SetEccPublicKey(buffer, eckey, 0); |
wolfSSL | 13:f67a6c6013ca | 9069 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 9070 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 9071 | /* NTRU public key */ |
wolfSSL | 13:f67a6c6013ca | 9072 | else if (ntruKey != NULL) { |
wolfSSL | 13:f67a6c6013ca | 9073 | bufferSz = MAX_PUBLIC_KEY_SZ; |
wolfSSL | 13:f67a6c6013ca | 9074 | ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( |
wolfSSL | 13:f67a6c6013ca | 9075 | ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer); |
wolfSSL | 13:f67a6c6013ca | 9076 | if (ret != NTRU_OK) |
wolfSSL | 13:f67a6c6013ca | 9077 | bufferSz = -1; |
wolfSSL | 13:f67a6c6013ca | 9078 | } |
wolfSSL | 13:f67a6c6013ca | 9079 | #endif |
wolfSSL | 13:f67a6c6013ca | 9080 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 9081 | /* ED25519 public key */ |
wolfSSL | 13:f67a6c6013ca | 9082 | else if (ed25519Key != NULL) |
wolfSSL | 13:f67a6c6013ca | 9083 | bufferSz = SetEd25519PublicKey(buffer, ed25519Key, 0); |
wolfSSL | 13:f67a6c6013ca | 9084 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 9085 | else |
wolfSSL | 13:f67a6c6013ca | 9086 | bufferSz = -1; |
wolfSSL | 13:f67a6c6013ca | 9087 | |
wolfSSL | 13:f67a6c6013ca | 9088 | if (bufferSz <= 0) { |
wolfSSL | 13:f67a6c6013ca | 9089 | XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9090 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9091 | } |
wolfSSL | 13:f67a6c6013ca | 9092 | |
wolfSSL | 13:f67a6c6013ca | 9093 | /* Compute SKID by hashing public key */ |
wolfSSL | 13:f67a6c6013ca | 9094 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 9095 | if (kid_type == SKID_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 9096 | ret = wc_Sha256Hash(buffer, bufferSz, cert->skid); |
wolfSSL | 13:f67a6c6013ca | 9097 | cert->skidSz = SHA256_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 9098 | } |
wolfSSL | 13:f67a6c6013ca | 9099 | else if (kid_type == AKID_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 9100 | ret = wc_Sha256Hash(buffer, bufferSz, cert->akid); |
wolfSSL | 13:f67a6c6013ca | 9101 | cert->akidSz = SHA256_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 9102 | } |
wolfSSL | 13:f67a6c6013ca | 9103 | else |
wolfSSL | 13:f67a6c6013ca | 9104 | ret = BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9105 | #else /* NO_SHA */ |
wolfSSL | 13:f67a6c6013ca | 9106 | if (kid_type == SKID_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 9107 | ret = wc_ShaHash(buffer, bufferSz, cert->skid); |
wolfSSL | 13:f67a6c6013ca | 9108 | cert->skidSz = SHA_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 9109 | } |
wolfSSL | 13:f67a6c6013ca | 9110 | else if (kid_type == AKID_TYPE) { |
wolfSSL | 13:f67a6c6013ca | 9111 | ret = wc_ShaHash(buffer, bufferSz, cert->akid); |
wolfSSL | 13:f67a6c6013ca | 9112 | cert->akidSz = SHA_DIGEST_SIZE; |
wolfSSL | 13:f67a6c6013ca | 9113 | } |
wolfSSL | 13:f67a6c6013ca | 9114 | else |
wolfSSL | 13:f67a6c6013ca | 9115 | ret = BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9116 | #endif /* NO_SHA */ |
wolfSSL | 13:f67a6c6013ca | 9117 | |
wolfSSL | 13:f67a6c6013ca | 9118 | XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9119 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9120 | } |
wolfSSL | 13:f67a6c6013ca | 9121 | |
wolfSSL | 13:f67a6c6013ca | 9122 | int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) |
wolfSSL | 13:f67a6c6013ca | 9123 | { |
wolfSSL | 13:f67a6c6013ca | 9124 | RsaKey* rsaKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9125 | ecc_key* eccKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9126 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 13:f67a6c6013ca | 9127 | |
wolfSSL | 13:f67a6c6013ca | 9128 | if (keyType == RSA_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9129 | rsaKey = (RsaKey*)key; |
wolfSSL | 13:f67a6c6013ca | 9130 | else if (keyType == ECC_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9131 | eccKey = (ecc_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9132 | else if (keyType == ED25519_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9133 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9134 | |
wolfSSL | 13:f67a6c6013ca | 9135 | return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, |
wolfSSL | 13:f67a6c6013ca | 9136 | SKID_TYPE); |
wolfSSL | 13:f67a6c6013ca | 9137 | } |
wolfSSL | 13:f67a6c6013ca | 9138 | |
wolfSSL | 13:f67a6c6013ca | 9139 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 13:f67a6c6013ca | 9140 | int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 13:f67a6c6013ca | 9141 | { |
wolfSSL | 13:f67a6c6013ca | 9142 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, SKID_TYPE); |
wolfSSL | 13:f67a6c6013ca | 9143 | } |
wolfSSL | 13:f67a6c6013ca | 9144 | |
wolfSSL | 13:f67a6c6013ca | 9145 | #ifdef HAVE_NTRU |
wolfSSL | 13:f67a6c6013ca | 9146 | /* Set SKID from NTRU public key */ |
wolfSSL | 13:f67a6c6013ca | 9147 | int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, |
wolfSSL | 13:f67a6c6013ca | 9148 | byte *ntruKey, word16 ntruKeySz) |
wolfSSL | 13:f67a6c6013ca | 9149 | { |
wolfSSL | 13:f67a6c6013ca | 9150 | return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, NULL, |
wolfSSL | 13:f67a6c6013ca | 9151 | SKID_TYPE); |
wolfSSL | 13:f67a6c6013ca | 9152 | } |
wolfSSL | 13:f67a6c6013ca | 9153 | #endif |
wolfSSL | 13:f67a6c6013ca | 9154 | |
wolfSSL | 13:f67a6c6013ca | 9155 | int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) |
wolfSSL | 13:f67a6c6013ca | 9156 | { |
wolfSSL | 13:f67a6c6013ca | 9157 | RsaKey* rsaKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9158 | ecc_key* eccKey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9159 | ed25519_key* ed25519Key = NULL; |
wolfSSL | 13:f67a6c6013ca | 9160 | |
wolfSSL | 13:f67a6c6013ca | 9161 | if (keyType == RSA_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9162 | rsaKey = (RsaKey*)key; |
wolfSSL | 13:f67a6c6013ca | 9163 | else if (keyType == ECC_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9164 | eccKey = (ecc_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9165 | else if (keyType == ED25519_TYPE) |
wolfSSL | 13:f67a6c6013ca | 9166 | ed25519Key = (ed25519_key*)key; |
wolfSSL | 13:f67a6c6013ca | 9167 | |
wolfSSL | 13:f67a6c6013ca | 9168 | return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, |
wolfSSL | 13:f67a6c6013ca | 9169 | AKID_TYPE); |
wolfSSL | 13:f67a6c6013ca | 9170 | } |
wolfSSL | 13:f67a6c6013ca | 9171 | |
wolfSSL | 13:f67a6c6013ca | 9172 | /* Set SKID from RSA or ECC public key */ |
wolfSSL | 13:f67a6c6013ca | 9173 | int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) |
wolfSSL | 13:f67a6c6013ca | 9174 | { |
wolfSSL | 13:f67a6c6013ca | 9175 | return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, AKID_TYPE); |
wolfSSL | 13:f67a6c6013ca | 9176 | } |
wolfSSL | 13:f67a6c6013ca | 9177 | |
wolfSSL | 13:f67a6c6013ca | 9178 | |
wolfSSL | 13:f67a6c6013ca | 9179 | #ifndef NO_FILESYSTEM |
wolfSSL | 13:f67a6c6013ca | 9180 | |
wolfSSL | 13:f67a6c6013ca | 9181 | /* Set SKID from public key file in PEM */ |
wolfSSL | 13:f67a6c6013ca | 9182 | int wc_SetSubjectKeyId(Cert *cert, const char* file) |
wolfSSL | 13:f67a6c6013ca | 9183 | { |
wolfSSL | 13:f67a6c6013ca | 9184 | int ret, derSz; |
wolfSSL | 13:f67a6c6013ca | 9185 | byte* der; |
wolfSSL | 13:f67a6c6013ca | 9186 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 9187 | RsaKey *rsakey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9188 | ecc_key *eckey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9189 | |
wolfSSL | 13:f67a6c6013ca | 9190 | if (cert == NULL || file == NULL) |
wolfSSL | 13:f67a6c6013ca | 9191 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9192 | |
wolfSSL | 13:f67a6c6013ca | 9193 | der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9194 | if (der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9195 | WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem"); |
wolfSSL | 13:f67a6c6013ca | 9196 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9197 | } |
wolfSSL | 13:f67a6c6013ca | 9198 | |
wolfSSL | 13:f67a6c6013ca | 9199 | derSz = wolfSSL_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ); |
wolfSSL | 13:f67a6c6013ca | 9200 | if (derSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 9201 | { |
wolfSSL | 13:f67a6c6013ca | 9202 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9203 | return derSz; |
wolfSSL | 13:f67a6c6013ca | 9204 | } |
wolfSSL | 13:f67a6c6013ca | 9205 | |
wolfSSL | 13:f67a6c6013ca | 9206 | /* Load PubKey in internal structure */ |
wolfSSL | 13:f67a6c6013ca | 9207 | rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 9208 | if (rsakey == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9209 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9210 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9211 | } |
wolfSSL | 13:f67a6c6013ca | 9212 | |
wolfSSL | 13:f67a6c6013ca | 9213 | if (wc_InitRsaKey(rsakey, cert->heap) != 0) { |
wolfSSL | 13:f67a6c6013ca | 9214 | WOLFSSL_MSG("wc_InitRsaKey failure"); |
wolfSSL | 13:f67a6c6013ca | 9215 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 9216 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9217 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9218 | } |
wolfSSL | 13:f67a6c6013ca | 9219 | |
wolfSSL | 13:f67a6c6013ca | 9220 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 9221 | ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz); |
wolfSSL | 13:f67a6c6013ca | 9222 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 9223 | WOLFSSL_MSG("wc_RsaPublicKeyDecode failed"); |
wolfSSL | 13:f67a6c6013ca | 9224 | wc_FreeRsaKey(rsakey); |
wolfSSL | 13:f67a6c6013ca | 9225 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 9226 | rsakey = NULL; |
wolfSSL | 13:f67a6c6013ca | 9227 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 9228 | /* Check to load ecc public key */ |
wolfSSL | 13:f67a6c6013ca | 9229 | eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap, |
wolfSSL | 13:f67a6c6013ca | 9230 | DYNAMIC_TYPE_ECC); |
wolfSSL | 13:f67a6c6013ca | 9231 | if (eckey == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9232 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9233 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9234 | } |
wolfSSL | 13:f67a6c6013ca | 9235 | |
wolfSSL | 13:f67a6c6013ca | 9236 | if (wc_ecc_init(eckey) != 0) { |
wolfSSL | 13:f67a6c6013ca | 9237 | WOLFSSL_MSG("wc_ecc_init failure"); |
wolfSSL | 13:f67a6c6013ca | 9238 | wc_ecc_free(eckey); |
wolfSSL | 13:f67a6c6013ca | 9239 | XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 13:f67a6c6013ca | 9240 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9241 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9242 | } |
wolfSSL | 13:f67a6c6013ca | 9243 | |
wolfSSL | 13:f67a6c6013ca | 9244 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 9245 | ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz); |
wolfSSL | 13:f67a6c6013ca | 9246 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 9247 | WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); |
wolfSSL | 13:f67a6c6013ca | 9248 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9249 | wc_ecc_free(eckey); |
wolfSSL | 13:f67a6c6013ca | 9250 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9251 | } |
wolfSSL | 13:f67a6c6013ca | 9252 | #else |
wolfSSL | 13:f67a6c6013ca | 9253 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9254 | return PUBLIC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9255 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 9256 | } |
wolfSSL | 13:f67a6c6013ca | 9257 | |
wolfSSL | 13:f67a6c6013ca | 9258 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9259 | |
wolfSSL | 13:f67a6c6013ca | 9260 | ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey); |
wolfSSL | 13:f67a6c6013ca | 9261 | |
wolfSSL | 13:f67a6c6013ca | 9262 | wc_FreeRsaKey(rsakey); |
wolfSSL | 13:f67a6c6013ca | 9263 | XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 9264 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 9265 | wc_ecc_free(eckey); |
wolfSSL | 13:f67a6c6013ca | 9266 | XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); |
wolfSSL | 13:f67a6c6013ca | 9267 | #endif |
wolfSSL | 13:f67a6c6013ca | 9268 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9269 | } |
wolfSSL | 13:f67a6c6013ca | 9270 | |
wolfSSL | 13:f67a6c6013ca | 9271 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 13:f67a6c6013ca | 9272 | |
wolfSSL | 13:f67a6c6013ca | 9273 | /* Set AKID from certificate contains in buffer (DER encoded) */ |
wolfSSL | 13:f67a6c6013ca | 9274 | int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9275 | { |
wolfSSL | 13:f67a6c6013ca | 9276 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9277 | |
wolfSSL | 13:f67a6c6013ca | 9278 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9279 | DecodedCert* decoded; |
wolfSSL | 13:f67a6c6013ca | 9280 | #else |
wolfSSL | 13:f67a6c6013ca | 9281 | DecodedCert decoded[1]; |
wolfSSL | 13:f67a6c6013ca | 9282 | #endif |
wolfSSL | 13:f67a6c6013ca | 9283 | |
wolfSSL | 13:f67a6c6013ca | 9284 | if (cert == NULL || der == NULL || derSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 9285 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9286 | |
wolfSSL | 13:f67a6c6013ca | 9287 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9288 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), |
wolfSSL | 13:f67a6c6013ca | 9289 | NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9290 | if (decoded == NULL) |
wolfSSL | 13:f67a6c6013ca | 9291 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9292 | #endif |
wolfSSL | 13:f67a6c6013ca | 9293 | |
wolfSSL | 13:f67a6c6013ca | 9294 | /* decode certificate and get SKID that will be AKID of current cert */ |
wolfSSL | 13:f67a6c6013ca | 9295 | InitDecodedCert(decoded, (byte*)der, derSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 9296 | ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0); |
wolfSSL | 13:f67a6c6013ca | 9297 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 9298 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9299 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9300 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9301 | #endif |
wolfSSL | 13:f67a6c6013ca | 9302 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9303 | } |
wolfSSL | 13:f67a6c6013ca | 9304 | |
wolfSSL | 13:f67a6c6013ca | 9305 | /* Subject Key Id not found !! */ |
wolfSSL | 13:f67a6c6013ca | 9306 | if (decoded->extSubjKeyIdSet == 0) { |
wolfSSL | 13:f67a6c6013ca | 9307 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9308 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9309 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9310 | #endif |
wolfSSL | 13:f67a6c6013ca | 9311 | return ASN_NO_SKID; |
wolfSSL | 13:f67a6c6013ca | 9312 | } |
wolfSSL | 13:f67a6c6013ca | 9313 | |
wolfSSL | 13:f67a6c6013ca | 9314 | /* SKID invalid size */ |
wolfSSL | 13:f67a6c6013ca | 9315 | if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) { |
wolfSSL | 13:f67a6c6013ca | 9316 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9317 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9318 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9319 | #endif |
wolfSSL | 13:f67a6c6013ca | 9320 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9321 | } |
wolfSSL | 13:f67a6c6013ca | 9322 | |
wolfSSL | 13:f67a6c6013ca | 9323 | /* Put the SKID of CA to AKID of certificate */ |
wolfSSL | 13:f67a6c6013ca | 9324 | XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9325 | cert->akidSz = KEYID_SIZE; |
wolfSSL | 13:f67a6c6013ca | 9326 | |
wolfSSL | 13:f67a6c6013ca | 9327 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9328 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9329 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9330 | #endif |
wolfSSL | 13:f67a6c6013ca | 9331 | |
wolfSSL | 13:f67a6c6013ca | 9332 | return 0; |
wolfSSL | 13:f67a6c6013ca | 9333 | } |
wolfSSL | 13:f67a6c6013ca | 9334 | |
wolfSSL | 13:f67a6c6013ca | 9335 | |
wolfSSL | 13:f67a6c6013ca | 9336 | #ifndef NO_FILESYSTEM |
wolfSSL | 13:f67a6c6013ca | 9337 | |
wolfSSL | 13:f67a6c6013ca | 9338 | /* Set AKID from certificate file in PEM */ |
wolfSSL | 13:f67a6c6013ca | 9339 | int wc_SetAuthKeyId(Cert *cert, const char* file) |
wolfSSL | 13:f67a6c6013ca | 9340 | { |
wolfSSL | 13:f67a6c6013ca | 9341 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9342 | int derSz; |
wolfSSL | 13:f67a6c6013ca | 9343 | byte* der; |
wolfSSL | 13:f67a6c6013ca | 9344 | |
wolfSSL | 13:f67a6c6013ca | 9345 | if (cert == NULL || file == NULL) |
wolfSSL | 13:f67a6c6013ca | 9346 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9347 | |
wolfSSL | 13:f67a6c6013ca | 9348 | der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9349 | if (der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9350 | WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem"); |
wolfSSL | 13:f67a6c6013ca | 9351 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9352 | } |
wolfSSL | 13:f67a6c6013ca | 9353 | |
wolfSSL | 13:f67a6c6013ca | 9354 | derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 13:f67a6c6013ca | 9355 | if (derSz <= 0) |
wolfSSL | 13:f67a6c6013ca | 9356 | { |
wolfSSL | 13:f67a6c6013ca | 9357 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9358 | return derSz; |
wolfSSL | 13:f67a6c6013ca | 9359 | } |
wolfSSL | 13:f67a6c6013ca | 9360 | |
wolfSSL | 13:f67a6c6013ca | 9361 | ret = wc_SetAuthKeyIdFromCert(cert, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9362 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9363 | |
wolfSSL | 13:f67a6c6013ca | 9364 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9365 | } |
wolfSSL | 13:f67a6c6013ca | 9366 | |
wolfSSL | 13:f67a6c6013ca | 9367 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 13:f67a6c6013ca | 9368 | |
wolfSSL | 13:f67a6c6013ca | 9369 | /* Set KeyUsage from human readable string */ |
wolfSSL | 13:f67a6c6013ca | 9370 | int wc_SetKeyUsage(Cert *cert, const char *value) |
wolfSSL | 13:f67a6c6013ca | 9371 | { |
wolfSSL | 13:f67a6c6013ca | 9372 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 9373 | char *token, *str, *ptr; |
wolfSSL | 13:f67a6c6013ca | 9374 | word32 len; |
wolfSSL | 13:f67a6c6013ca | 9375 | |
wolfSSL | 13:f67a6c6013ca | 9376 | if (cert == NULL || value == NULL) |
wolfSSL | 13:f67a6c6013ca | 9377 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9378 | |
wolfSSL | 13:f67a6c6013ca | 9379 | cert->keyUsage = 0; |
wolfSSL | 13:f67a6c6013ca | 9380 | |
wolfSSL | 13:f67a6c6013ca | 9381 | str = (char *)XMALLOC(XSTRLEN(value)+1, cert->heap, |
wolfSSL | 13:f67a6c6013ca | 9382 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9383 | if (str == NULL) |
wolfSSL | 13:f67a6c6013ca | 9384 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9385 | |
wolfSSL | 13:f67a6c6013ca | 9386 | XMEMSET(str, 0, XSTRLEN(value)+1); |
wolfSSL | 13:f67a6c6013ca | 9387 | XSTRNCPY(str, value, XSTRLEN(value)); |
wolfSSL | 13:f67a6c6013ca | 9388 | |
wolfSSL | 13:f67a6c6013ca | 9389 | /* parse value, and set corresponding Key Usage value */ |
wolfSSL | 13:f67a6c6013ca | 9390 | if ((token = XSTRTOK(str, ",", &ptr)) == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9391 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9392 | return KEYUSAGE_E; |
wolfSSL | 13:f67a6c6013ca | 9393 | } |
wolfSSL | 13:f67a6c6013ca | 9394 | while (token != NULL) |
wolfSSL | 13:f67a6c6013ca | 9395 | { |
wolfSSL | 13:f67a6c6013ca | 9396 | len = (word32)XSTRLEN(token); |
wolfSSL | 13:f67a6c6013ca | 9397 | |
wolfSSL | 13:f67a6c6013ca | 9398 | if (!XSTRNCASECMP(token, "digitalSignature", len)) |
wolfSSL | 13:f67a6c6013ca | 9399 | cert->keyUsage |= KEYUSE_DIGITAL_SIG; |
wolfSSL | 13:f67a6c6013ca | 9400 | else if (!XSTRNCASECMP(token, "nonRepudiation", len) || |
wolfSSL | 13:f67a6c6013ca | 9401 | !XSTRNCASECMP(token, "contentCommitment", len)) |
wolfSSL | 13:f67a6c6013ca | 9402 | cert->keyUsage |= KEYUSE_CONTENT_COMMIT; |
wolfSSL | 13:f67a6c6013ca | 9403 | else if (!XSTRNCASECMP(token, "keyEncipherment", len)) |
wolfSSL | 13:f67a6c6013ca | 9404 | cert->keyUsage |= KEYUSE_KEY_ENCIPHER; |
wolfSSL | 13:f67a6c6013ca | 9405 | else if (!XSTRNCASECMP(token, "dataEncipherment", len)) |
wolfSSL | 13:f67a6c6013ca | 9406 | cert->keyUsage |= KEYUSE_DATA_ENCIPHER; |
wolfSSL | 13:f67a6c6013ca | 9407 | else if (!XSTRNCASECMP(token, "keyAgreement", len)) |
wolfSSL | 13:f67a6c6013ca | 9408 | cert->keyUsage |= KEYUSE_KEY_AGREE; |
wolfSSL | 13:f67a6c6013ca | 9409 | else if (!XSTRNCASECMP(token, "keyCertSign", len)) |
wolfSSL | 13:f67a6c6013ca | 9410 | cert->keyUsage |= KEYUSE_KEY_CERT_SIGN; |
wolfSSL | 13:f67a6c6013ca | 9411 | else if (!XSTRNCASECMP(token, "cRLSign", len)) |
wolfSSL | 13:f67a6c6013ca | 9412 | cert->keyUsage |= KEYUSE_CRL_SIGN; |
wolfSSL | 13:f67a6c6013ca | 9413 | else if (!XSTRNCASECMP(token, "encipherOnly", len)) |
wolfSSL | 13:f67a6c6013ca | 9414 | cert->keyUsage |= KEYUSE_ENCIPHER_ONLY; |
wolfSSL | 13:f67a6c6013ca | 9415 | else if (!XSTRNCASECMP(token, "decipherOnly", len)) |
wolfSSL | 13:f67a6c6013ca | 9416 | cert->keyUsage |= KEYUSE_DECIPHER_ONLY; |
wolfSSL | 13:f67a6c6013ca | 9417 | else { |
wolfSSL | 13:f67a6c6013ca | 9418 | ret = KEYUSAGE_E; |
wolfSSL | 13:f67a6c6013ca | 9419 | break; |
wolfSSL | 13:f67a6c6013ca | 9420 | } |
wolfSSL | 13:f67a6c6013ca | 9421 | |
wolfSSL | 13:f67a6c6013ca | 9422 | token = XSTRTOK(NULL, ",", &ptr); |
wolfSSL | 13:f67a6c6013ca | 9423 | } |
wolfSSL | 13:f67a6c6013ca | 9424 | |
wolfSSL | 13:f67a6c6013ca | 9425 | XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9426 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9427 | } |
wolfSSL | 13:f67a6c6013ca | 9428 | #endif /* WOLFSSL_CERT_EXT */ |
wolfSSL | 13:f67a6c6013ca | 9429 | |
wolfSSL | 13:f67a6c6013ca | 9430 | |
wolfSSL | 13:f67a6c6013ca | 9431 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 9432 | |
wolfSSL | 13:f67a6c6013ca | 9433 | /* Set Alt Names from der cert, return 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 9434 | static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9435 | { |
wolfSSL | 13:f67a6c6013ca | 9436 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9437 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9438 | DecodedCert* decoded; |
wolfSSL | 13:f67a6c6013ca | 9439 | #else |
wolfSSL | 13:f67a6c6013ca | 9440 | DecodedCert decoded[1]; |
wolfSSL | 13:f67a6c6013ca | 9441 | #endif |
wolfSSL | 13:f67a6c6013ca | 9442 | |
wolfSSL | 13:f67a6c6013ca | 9443 | if (derSz < 0) |
wolfSSL | 13:f67a6c6013ca | 9444 | return derSz; |
wolfSSL | 13:f67a6c6013ca | 9445 | |
wolfSSL | 13:f67a6c6013ca | 9446 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9447 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 13:f67a6c6013ca | 9448 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9449 | if (decoded == NULL) |
wolfSSL | 13:f67a6c6013ca | 9450 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9451 | #endif |
wolfSSL | 13:f67a6c6013ca | 9452 | |
wolfSSL | 13:f67a6c6013ca | 9453 | InitDecodedCert(decoded, (byte*)der, derSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 9454 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 13:f67a6c6013ca | 9455 | |
wolfSSL | 13:f67a6c6013ca | 9456 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 9457 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 13:f67a6c6013ca | 9458 | } |
wolfSSL | 13:f67a6c6013ca | 9459 | else if (decoded->extensions) { |
wolfSSL | 13:f67a6c6013ca | 9460 | byte b; |
wolfSSL | 13:f67a6c6013ca | 9461 | int length; |
wolfSSL | 13:f67a6c6013ca | 9462 | word32 maxExtensionsIdx; |
wolfSSL | 13:f67a6c6013ca | 9463 | |
wolfSSL | 13:f67a6c6013ca | 9464 | decoded->srcIdx = decoded->extensionsIdx; |
wolfSSL | 13:f67a6c6013ca | 9465 | b = decoded->source[decoded->srcIdx++]; |
wolfSSL | 13:f67a6c6013ca | 9466 | |
wolfSSL | 13:f67a6c6013ca | 9467 | if (b != ASN_EXTENSIONS) { |
wolfSSL | 13:f67a6c6013ca | 9468 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9469 | } |
wolfSSL | 13:f67a6c6013ca | 9470 | else if (GetLength(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 13:f67a6c6013ca | 9471 | decoded->maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9472 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9473 | } |
wolfSSL | 13:f67a6c6013ca | 9474 | else if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 13:f67a6c6013ca | 9475 | decoded->maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9476 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9477 | } |
wolfSSL | 13:f67a6c6013ca | 9478 | else { |
wolfSSL | 13:f67a6c6013ca | 9479 | maxExtensionsIdx = decoded->srcIdx + length; |
wolfSSL | 13:f67a6c6013ca | 9480 | |
wolfSSL | 13:f67a6c6013ca | 9481 | while (decoded->srcIdx < maxExtensionsIdx) { |
wolfSSL | 13:f67a6c6013ca | 9482 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 9483 | word32 startIdx = decoded->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 9484 | word32 tmpIdx; |
wolfSSL | 13:f67a6c6013ca | 9485 | |
wolfSSL | 13:f67a6c6013ca | 9486 | if (GetSequence(decoded->source, &decoded->srcIdx, &length, |
wolfSSL | 13:f67a6c6013ca | 9487 | decoded->maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9488 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9489 | break; |
wolfSSL | 13:f67a6c6013ca | 9490 | } |
wolfSSL | 13:f67a6c6013ca | 9491 | |
wolfSSL | 13:f67a6c6013ca | 9492 | tmpIdx = decoded->srcIdx; |
wolfSSL | 13:f67a6c6013ca | 9493 | decoded->srcIdx = startIdx; |
wolfSSL | 13:f67a6c6013ca | 9494 | |
wolfSSL | 13:f67a6c6013ca | 9495 | if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid, |
wolfSSL | 13:f67a6c6013ca | 9496 | oidCertExtType, decoded->maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9497 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9498 | break; |
wolfSSL | 13:f67a6c6013ca | 9499 | } |
wolfSSL | 13:f67a6c6013ca | 9500 | |
wolfSSL | 13:f67a6c6013ca | 9501 | if (oid == ALT_NAMES_OID) { |
wolfSSL | 13:f67a6c6013ca | 9502 | cert->altNamesSz = length + (tmpIdx - startIdx); |
wolfSSL | 13:f67a6c6013ca | 9503 | |
wolfSSL | 13:f67a6c6013ca | 9504 | if (cert->altNamesSz < (int)sizeof(cert->altNames)) |
wolfSSL | 13:f67a6c6013ca | 9505 | XMEMCPY(cert->altNames, &decoded->source[startIdx], |
wolfSSL | 13:f67a6c6013ca | 9506 | cert->altNamesSz); |
wolfSSL | 13:f67a6c6013ca | 9507 | else { |
wolfSSL | 13:f67a6c6013ca | 9508 | cert->altNamesSz = 0; |
wolfSSL | 13:f67a6c6013ca | 9509 | WOLFSSL_MSG("AltNames extensions too big"); |
wolfSSL | 13:f67a6c6013ca | 9510 | ret = ALT_NAME_E; |
wolfSSL | 13:f67a6c6013ca | 9511 | break; |
wolfSSL | 13:f67a6c6013ca | 9512 | } |
wolfSSL | 13:f67a6c6013ca | 9513 | } |
wolfSSL | 13:f67a6c6013ca | 9514 | decoded->srcIdx = tmpIdx + length; |
wolfSSL | 13:f67a6c6013ca | 9515 | } |
wolfSSL | 13:f67a6c6013ca | 9516 | } |
wolfSSL | 13:f67a6c6013ca | 9517 | } |
wolfSSL | 13:f67a6c6013ca | 9518 | |
wolfSSL | 13:f67a6c6013ca | 9519 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9520 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9521 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9522 | #endif |
wolfSSL | 13:f67a6c6013ca | 9523 | |
wolfSSL | 13:f67a6c6013ca | 9524 | return ret < 0 ? ret : 0; |
wolfSSL | 13:f67a6c6013ca | 9525 | } |
wolfSSL | 13:f67a6c6013ca | 9526 | |
wolfSSL | 13:f67a6c6013ca | 9527 | |
wolfSSL | 13:f67a6c6013ca | 9528 | /* Set Dates from der cert, return 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 9529 | static int SetDatesFromCert(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9530 | { |
wolfSSL | 13:f67a6c6013ca | 9531 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9532 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9533 | DecodedCert* decoded; |
wolfSSL | 13:f67a6c6013ca | 9534 | #else |
wolfSSL | 13:f67a6c6013ca | 9535 | DecodedCert decoded[1]; |
wolfSSL | 13:f67a6c6013ca | 9536 | #endif |
wolfSSL | 13:f67a6c6013ca | 9537 | |
wolfSSL | 13:f67a6c6013ca | 9538 | WOLFSSL_ENTER("SetDatesFromCert"); |
wolfSSL | 13:f67a6c6013ca | 9539 | if (derSz < 0) |
wolfSSL | 13:f67a6c6013ca | 9540 | return derSz; |
wolfSSL | 13:f67a6c6013ca | 9541 | |
wolfSSL | 13:f67a6c6013ca | 9542 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9543 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 13:f67a6c6013ca | 9544 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9545 | if (decoded == NULL) |
wolfSSL | 13:f67a6c6013ca | 9546 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9547 | #endif |
wolfSSL | 13:f67a6c6013ca | 9548 | |
wolfSSL | 13:f67a6c6013ca | 9549 | InitDecodedCert(decoded, (byte*)der, derSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 9550 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 13:f67a6c6013ca | 9551 | |
wolfSSL | 13:f67a6c6013ca | 9552 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 9553 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 13:f67a6c6013ca | 9554 | } |
wolfSSL | 13:f67a6c6013ca | 9555 | else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9556 | WOLFSSL_MSG("Couldn't extract dates"); |
wolfSSL | 13:f67a6c6013ca | 9557 | ret = -1; |
wolfSSL | 13:f67a6c6013ca | 9558 | } |
wolfSSL | 13:f67a6c6013ca | 9559 | else if (decoded->beforeDateLen > MAX_DATE_SIZE || |
wolfSSL | 13:f67a6c6013ca | 9560 | decoded->afterDateLen > MAX_DATE_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 9561 | WOLFSSL_MSG("Bad date size"); |
wolfSSL | 13:f67a6c6013ca | 9562 | ret = -1; |
wolfSSL | 13:f67a6c6013ca | 9563 | } |
wolfSSL | 13:f67a6c6013ca | 9564 | else { |
wolfSSL | 13:f67a6c6013ca | 9565 | XMEMCPY(cert->beforeDate, decoded->beforeDate, decoded->beforeDateLen); |
wolfSSL | 13:f67a6c6013ca | 9566 | XMEMCPY(cert->afterDate, decoded->afterDate, decoded->afterDateLen); |
wolfSSL | 13:f67a6c6013ca | 9567 | |
wolfSSL | 13:f67a6c6013ca | 9568 | cert->beforeDateSz = decoded->beforeDateLen; |
wolfSSL | 13:f67a6c6013ca | 9569 | cert->afterDateSz = decoded->afterDateLen; |
wolfSSL | 13:f67a6c6013ca | 9570 | } |
wolfSSL | 13:f67a6c6013ca | 9571 | |
wolfSSL | 13:f67a6c6013ca | 9572 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9573 | |
wolfSSL | 13:f67a6c6013ca | 9574 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9575 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9576 | #endif |
wolfSSL | 13:f67a6c6013ca | 9577 | |
wolfSSL | 13:f67a6c6013ca | 9578 | return ret < 0 ? ret : 0; |
wolfSSL | 13:f67a6c6013ca | 9579 | } |
wolfSSL | 13:f67a6c6013ca | 9580 | |
wolfSSL | 13:f67a6c6013ca | 9581 | |
wolfSSL | 13:f67a6c6013ca | 9582 | #endif /* WOLFSSL_ALT_NAMES && !NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 9583 | |
wolfSSL | 13:f67a6c6013ca | 9584 | |
wolfSSL | 13:f67a6c6013ca | 9585 | /* Set cn name from der buffer, return 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 9586 | static int SetNameFromCert(CertName* cn, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9587 | { |
wolfSSL | 13:f67a6c6013ca | 9588 | int ret, sz; |
wolfSSL | 13:f67a6c6013ca | 9589 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9590 | DecodedCert* decoded; |
wolfSSL | 13:f67a6c6013ca | 9591 | #else |
wolfSSL | 13:f67a6c6013ca | 9592 | DecodedCert decoded[1]; |
wolfSSL | 13:f67a6c6013ca | 9593 | #endif |
wolfSSL | 13:f67a6c6013ca | 9594 | |
wolfSSL | 13:f67a6c6013ca | 9595 | if (derSz < 0) |
wolfSSL | 13:f67a6c6013ca | 9596 | return derSz; |
wolfSSL | 13:f67a6c6013ca | 9597 | |
wolfSSL | 13:f67a6c6013ca | 9598 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9599 | decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, |
wolfSSL | 13:f67a6c6013ca | 9600 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9601 | if (decoded == NULL) |
wolfSSL | 13:f67a6c6013ca | 9602 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9603 | #endif |
wolfSSL | 13:f67a6c6013ca | 9604 | |
wolfSSL | 13:f67a6c6013ca | 9605 | InitDecodedCert(decoded, (byte*)der, derSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 9606 | ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); |
wolfSSL | 13:f67a6c6013ca | 9607 | |
wolfSSL | 13:f67a6c6013ca | 9608 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 9609 | WOLFSSL_MSG("ParseCertRelative error"); |
wolfSSL | 13:f67a6c6013ca | 9610 | } |
wolfSSL | 13:f67a6c6013ca | 9611 | else { |
wolfSSL | 13:f67a6c6013ca | 9612 | if (decoded->subjectCN) { |
wolfSSL | 13:f67a6c6013ca | 9613 | sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen |
wolfSSL | 13:f67a6c6013ca | 9614 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9615 | strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9616 | cn->commonName[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9617 | cn->commonNameEnc = decoded->subjectCNEnc; |
wolfSSL | 13:f67a6c6013ca | 9618 | } |
wolfSSL | 13:f67a6c6013ca | 9619 | if (decoded->subjectC) { |
wolfSSL | 13:f67a6c6013ca | 9620 | sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen |
wolfSSL | 13:f67a6c6013ca | 9621 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9622 | strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9623 | cn->country[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9624 | cn->countryEnc = decoded->subjectCEnc; |
wolfSSL | 13:f67a6c6013ca | 9625 | } |
wolfSSL | 13:f67a6c6013ca | 9626 | if (decoded->subjectST) { |
wolfSSL | 13:f67a6c6013ca | 9627 | sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen |
wolfSSL | 13:f67a6c6013ca | 9628 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9629 | strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9630 | cn->state[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9631 | cn->stateEnc = decoded->subjectSTEnc; |
wolfSSL | 13:f67a6c6013ca | 9632 | } |
wolfSSL | 13:f67a6c6013ca | 9633 | if (decoded->subjectL) { |
wolfSSL | 13:f67a6c6013ca | 9634 | sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen |
wolfSSL | 13:f67a6c6013ca | 9635 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9636 | strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9637 | cn->locality[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9638 | cn->localityEnc = decoded->subjectLEnc; |
wolfSSL | 13:f67a6c6013ca | 9639 | } |
wolfSSL | 13:f67a6c6013ca | 9640 | if (decoded->subjectO) { |
wolfSSL | 13:f67a6c6013ca | 9641 | sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen |
wolfSSL | 13:f67a6c6013ca | 9642 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9643 | strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9644 | cn->org[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9645 | cn->orgEnc = decoded->subjectOEnc; |
wolfSSL | 13:f67a6c6013ca | 9646 | } |
wolfSSL | 13:f67a6c6013ca | 9647 | if (decoded->subjectOU) { |
wolfSSL | 13:f67a6c6013ca | 9648 | sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen |
wolfSSL | 13:f67a6c6013ca | 9649 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9650 | strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9651 | cn->unit[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9652 | cn->unitEnc = decoded->subjectOUEnc; |
wolfSSL | 13:f67a6c6013ca | 9653 | } |
wolfSSL | 13:f67a6c6013ca | 9654 | if (decoded->subjectSN) { |
wolfSSL | 13:f67a6c6013ca | 9655 | sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen |
wolfSSL | 13:f67a6c6013ca | 9656 | : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9657 | strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9658 | cn->sur[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9659 | cn->surEnc = decoded->subjectSNEnc; |
wolfSSL | 13:f67a6c6013ca | 9660 | } |
wolfSSL | 13:f67a6c6013ca | 9661 | if (decoded->subjectEmail) { |
wolfSSL | 13:f67a6c6013ca | 9662 | sz = (decoded->subjectEmailLen < CTC_NAME_SIZE) |
wolfSSL | 13:f67a6c6013ca | 9663 | ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1; |
wolfSSL | 13:f67a6c6013ca | 9664 | strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE); |
wolfSSL | 13:f67a6c6013ca | 9665 | cn->email[sz] = 0; |
wolfSSL | 13:f67a6c6013ca | 9666 | } |
wolfSSL | 13:f67a6c6013ca | 9667 | } |
wolfSSL | 13:f67a6c6013ca | 9668 | |
wolfSSL | 13:f67a6c6013ca | 9669 | FreeDecodedCert(decoded); |
wolfSSL | 13:f67a6c6013ca | 9670 | |
wolfSSL | 13:f67a6c6013ca | 9671 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9672 | XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9673 | #endif |
wolfSSL | 13:f67a6c6013ca | 9674 | |
wolfSSL | 13:f67a6c6013ca | 9675 | return ret < 0 ? ret : 0; |
wolfSSL | 13:f67a6c6013ca | 9676 | } |
wolfSSL | 13:f67a6c6013ca | 9677 | |
wolfSSL | 13:f67a6c6013ca | 9678 | |
wolfSSL | 13:f67a6c6013ca | 9679 | #ifndef NO_FILESYSTEM |
wolfSSL | 13:f67a6c6013ca | 9680 | |
wolfSSL | 13:f67a6c6013ca | 9681 | /* Set cert issuer from issuerFile in PEM */ |
wolfSSL | 13:f67a6c6013ca | 9682 | int wc_SetIssuer(Cert* cert, const char* issuerFile) |
wolfSSL | 13:f67a6c6013ca | 9683 | { |
wolfSSL | 13:f67a6c6013ca | 9684 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9685 | int derSz; |
wolfSSL | 13:f67a6c6013ca | 9686 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9687 | |
wolfSSL | 13:f67a6c6013ca | 9688 | if (der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9689 | WOLFSSL_MSG("wc_SetIssuer OOF Problem"); |
wolfSSL | 13:f67a6c6013ca | 9690 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9691 | } |
wolfSSL | 13:f67a6c6013ca | 9692 | derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF); |
wolfSSL | 13:f67a6c6013ca | 9693 | cert->selfSigned = 0; |
wolfSSL | 13:f67a6c6013ca | 9694 | ret = SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9695 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9696 | |
wolfSSL | 13:f67a6c6013ca | 9697 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9698 | } |
wolfSSL | 13:f67a6c6013ca | 9699 | |
wolfSSL | 13:f67a6c6013ca | 9700 | |
wolfSSL | 13:f67a6c6013ca | 9701 | /* Set cert subject from subjectFile in PEM */ |
wolfSSL | 13:f67a6c6013ca | 9702 | int wc_SetSubject(Cert* cert, const char* subjectFile) |
wolfSSL | 13:f67a6c6013ca | 9703 | { |
wolfSSL | 13:f67a6c6013ca | 9704 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9705 | int derSz; |
wolfSSL | 13:f67a6c6013ca | 9706 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9707 | |
wolfSSL | 13:f67a6c6013ca | 9708 | if (der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9709 | WOLFSSL_MSG("wc_SetSubject OOF Problem"); |
wolfSSL | 13:f67a6c6013ca | 9710 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9711 | } |
wolfSSL | 13:f67a6c6013ca | 9712 | derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF); |
wolfSSL | 13:f67a6c6013ca | 9713 | ret = SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9714 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9715 | |
wolfSSL | 13:f67a6c6013ca | 9716 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9717 | } |
wolfSSL | 13:f67a6c6013ca | 9718 | |
wolfSSL | 13:f67a6c6013ca | 9719 | |
wolfSSL | 13:f67a6c6013ca | 9720 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 9721 | |
wolfSSL | 13:f67a6c6013ca | 9722 | /* Set atl names from file in PEM */ |
wolfSSL | 13:f67a6c6013ca | 9723 | int wc_SetAltNames(Cert* cert, const char* file) |
wolfSSL | 13:f67a6c6013ca | 9724 | { |
wolfSSL | 13:f67a6c6013ca | 9725 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9726 | int derSz; |
wolfSSL | 13:f67a6c6013ca | 9727 | byte* der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9728 | |
wolfSSL | 13:f67a6c6013ca | 9729 | if (der == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9730 | WOLFSSL_MSG("wc_SetAltNames OOF Problem"); |
wolfSSL | 13:f67a6c6013ca | 9731 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9732 | } |
wolfSSL | 13:f67a6c6013ca | 9733 | derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF); |
wolfSSL | 13:f67a6c6013ca | 9734 | ret = SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9735 | XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); |
wolfSSL | 13:f67a6c6013ca | 9736 | |
wolfSSL | 13:f67a6c6013ca | 9737 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9738 | } |
wolfSSL | 13:f67a6c6013ca | 9739 | |
wolfSSL | 13:f67a6c6013ca | 9740 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 13:f67a6c6013ca | 9741 | |
wolfSSL | 13:f67a6c6013ca | 9742 | #endif /* NO_FILESYSTEM */ |
wolfSSL | 13:f67a6c6013ca | 9743 | |
wolfSSL | 13:f67a6c6013ca | 9744 | /* Set cert issuer from DER buffer */ |
wolfSSL | 13:f67a6c6013ca | 9745 | int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9746 | { |
wolfSSL | 13:f67a6c6013ca | 9747 | cert->selfSigned = 0; |
wolfSSL | 13:f67a6c6013ca | 9748 | return SetNameFromCert(&cert->issuer, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9749 | } |
wolfSSL | 13:f67a6c6013ca | 9750 | |
wolfSSL | 13:f67a6c6013ca | 9751 | |
wolfSSL | 13:f67a6c6013ca | 9752 | /* Set cert subject from DER buffer */ |
wolfSSL | 13:f67a6c6013ca | 9753 | int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9754 | { |
wolfSSL | 13:f67a6c6013ca | 9755 | return SetNameFromCert(&cert->subject, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9756 | } |
wolfSSL | 13:f67a6c6013ca | 9757 | |
wolfSSL | 13:f67a6c6013ca | 9758 | |
wolfSSL | 13:f67a6c6013ca | 9759 | #ifdef WOLFSSL_ALT_NAMES |
wolfSSL | 13:f67a6c6013ca | 9760 | |
wolfSSL | 13:f67a6c6013ca | 9761 | /* Set cert alt names from DER buffer */ |
wolfSSL | 13:f67a6c6013ca | 9762 | int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9763 | { |
wolfSSL | 13:f67a6c6013ca | 9764 | return SetAltNamesFromCert(cert, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9765 | } |
wolfSSL | 13:f67a6c6013ca | 9766 | |
wolfSSL | 13:f67a6c6013ca | 9767 | /* Set cert dates from DER buffer */ |
wolfSSL | 13:f67a6c6013ca | 9768 | int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz) |
wolfSSL | 13:f67a6c6013ca | 9769 | { |
wolfSSL | 13:f67a6c6013ca | 9770 | return SetDatesFromCert(cert, der, derSz); |
wolfSSL | 13:f67a6c6013ca | 9771 | } |
wolfSSL | 13:f67a6c6013ca | 9772 | |
wolfSSL | 13:f67a6c6013ca | 9773 | #endif /* WOLFSSL_ALT_NAMES */ |
wolfSSL | 13:f67a6c6013ca | 9774 | |
wolfSSL | 13:f67a6c6013ca | 9775 | #endif /* WOLFSSL_CERT_GEN */ |
wolfSSL | 13:f67a6c6013ca | 9776 | |
wolfSSL | 13:f67a6c6013ca | 9777 | |
wolfSSL | 13:f67a6c6013ca | 9778 | #ifdef HAVE_ECC |
wolfSSL | 13:f67a6c6013ca | 9779 | |
wolfSSL | 13:f67a6c6013ca | 9780 | /* Der Encode r & s ints into out, outLen is (in/out) size */ |
wolfSSL | 13:f67a6c6013ca | 9781 | int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) |
wolfSSL | 13:f67a6c6013ca | 9782 | { |
wolfSSL | 13:f67a6c6013ca | 9783 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 9784 | int rSz; /* encoding size */ |
wolfSSL | 13:f67a6c6013ca | 9785 | int sSz; |
wolfSSL | 13:f67a6c6013ca | 9786 | word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ |
wolfSSL | 13:f67a6c6013ca | 9787 | |
wolfSSL | 13:f67a6c6013ca | 9788 | /* If the leading bit on the INTEGER is a 1, add a leading zero */ |
wolfSSL | 13:f67a6c6013ca | 9789 | int rLeadingZero = mp_leading_bit(r); |
wolfSSL | 13:f67a6c6013ca | 9790 | int sLeadingZero = mp_leading_bit(s); |
wolfSSL | 13:f67a6c6013ca | 9791 | int rLen = mp_unsigned_bin_size(r); /* big int size */ |
wolfSSL | 13:f67a6c6013ca | 9792 | int sLen = mp_unsigned_bin_size(s); |
wolfSSL | 13:f67a6c6013ca | 9793 | |
wolfSSL | 13:f67a6c6013ca | 9794 | if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero + |
wolfSSL | 13:f67a6c6013ca | 9795 | headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */ |
wolfSSL | 13:f67a6c6013ca | 9796 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 9797 | |
wolfSSL | 13:f67a6c6013ca | 9798 | idx = SetSequence(rLen + rLeadingZero + sLen+sLeadingZero + headerSz, out); |
wolfSSL | 13:f67a6c6013ca | 9799 | |
wolfSSL | 13:f67a6c6013ca | 9800 | /* store r */ |
wolfSSL | 13:f67a6c6013ca | 9801 | rSz = SetASNIntMP(r, -1, &out[idx]); |
wolfSSL | 13:f67a6c6013ca | 9802 | if (rSz < 0) |
wolfSSL | 13:f67a6c6013ca | 9803 | return rSz; |
wolfSSL | 13:f67a6c6013ca | 9804 | idx += rSz; |
wolfSSL | 13:f67a6c6013ca | 9805 | |
wolfSSL | 13:f67a6c6013ca | 9806 | /* store s */ |
wolfSSL | 13:f67a6c6013ca | 9807 | sSz = SetASNIntMP(s, -1, &out[idx]); |
wolfSSL | 13:f67a6c6013ca | 9808 | if (sSz < 0) |
wolfSSL | 13:f67a6c6013ca | 9809 | return sSz; |
wolfSSL | 13:f67a6c6013ca | 9810 | idx += sSz; |
wolfSSL | 13:f67a6c6013ca | 9811 | |
wolfSSL | 13:f67a6c6013ca | 9812 | *outLen = idx; |
wolfSSL | 13:f67a6c6013ca | 9813 | |
wolfSSL | 13:f67a6c6013ca | 9814 | return 0; |
wolfSSL | 13:f67a6c6013ca | 9815 | } |
wolfSSL | 13:f67a6c6013ca | 9816 | |
wolfSSL | 13:f67a6c6013ca | 9817 | |
wolfSSL | 13:f67a6c6013ca | 9818 | /* Der Decode ECC-DSA Signature, r & s stored as big ints */ |
wolfSSL | 13:f67a6c6013ca | 9819 | int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s) |
wolfSSL | 13:f67a6c6013ca | 9820 | { |
wolfSSL | 13:f67a6c6013ca | 9821 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 9822 | int len = 0; |
wolfSSL | 13:f67a6c6013ca | 9823 | |
wolfSSL | 13:f67a6c6013ca | 9824 | if (GetSequence(sig, &idx, &len, sigLen) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9825 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9826 | } |
wolfSSL | 13:f67a6c6013ca | 9827 | |
wolfSSL | 13:f67a6c6013ca | 9828 | if ((word32)len > (sigLen - idx)) { |
wolfSSL | 13:f67a6c6013ca | 9829 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9830 | } |
wolfSSL | 13:f67a6c6013ca | 9831 | |
wolfSSL | 13:f67a6c6013ca | 9832 | if (GetInt(r, sig, &idx, sigLen) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9833 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9834 | } |
wolfSSL | 13:f67a6c6013ca | 9835 | |
wolfSSL | 13:f67a6c6013ca | 9836 | if (GetInt(s, sig, &idx, sigLen) < 0) { |
wolfSSL | 13:f67a6c6013ca | 9837 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9838 | } |
wolfSSL | 13:f67a6c6013ca | 9839 | |
wolfSSL | 13:f67a6c6013ca | 9840 | return 0; |
wolfSSL | 13:f67a6c6013ca | 9841 | } |
wolfSSL | 13:f67a6c6013ca | 9842 | |
wolfSSL | 13:f67a6c6013ca | 9843 | |
wolfSSL | 13:f67a6c6013ca | 9844 | int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, |
wolfSSL | 13:f67a6c6013ca | 9845 | word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 9846 | { |
wolfSSL | 13:f67a6c6013ca | 9847 | word32 oidSum; |
wolfSSL | 13:f67a6c6013ca | 9848 | int version, length; |
wolfSSL | 13:f67a6c6013ca | 9849 | int privSz, pubSz = 0; |
wolfSSL | 13:f67a6c6013ca | 9850 | byte b; |
wolfSSL | 13:f67a6c6013ca | 9851 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 9852 | int curve_id = ECC_CURVE_DEF; |
wolfSSL | 13:f67a6c6013ca | 9853 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9854 | byte* priv; |
wolfSSL | 13:f67a6c6013ca | 9855 | byte* pub; |
wolfSSL | 13:f67a6c6013ca | 9856 | #else |
wolfSSL | 13:f67a6c6013ca | 9857 | byte priv[ECC_MAXSIZE+1]; |
wolfSSL | 13:f67a6c6013ca | 9858 | byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */ |
wolfSSL | 13:f67a6c6013ca | 9859 | #endif |
wolfSSL | 13:f67a6c6013ca | 9860 | byte* pubData = NULL; |
wolfSSL | 13:f67a6c6013ca | 9861 | |
wolfSSL | 13:f67a6c6013ca | 9862 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 13:f67a6c6013ca | 9863 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9864 | |
wolfSSL | 13:f67a6c6013ca | 9865 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 9866 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9867 | |
wolfSSL | 13:f67a6c6013ca | 9868 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 9869 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9870 | |
wolfSSL | 13:f67a6c6013ca | 9871 | b = input[*inOutIdx]; |
wolfSSL | 13:f67a6c6013ca | 9872 | *inOutIdx += 1; |
wolfSSL | 13:f67a6c6013ca | 9873 | |
wolfSSL | 13:f67a6c6013ca | 9874 | /* priv type */ |
wolfSSL | 13:f67a6c6013ca | 9875 | if (b != 4 && b != 6 && b != 7) |
wolfSSL | 13:f67a6c6013ca | 9876 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9877 | |
wolfSSL | 13:f67a6c6013ca | 9878 | if (GetLength(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 9879 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9880 | |
wolfSSL | 13:f67a6c6013ca | 9881 | if (length > ECC_MAXSIZE) |
wolfSSL | 13:f67a6c6013ca | 9882 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 9883 | |
wolfSSL | 13:f67a6c6013ca | 9884 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9885 | priv = (byte*)XMALLOC(ECC_MAXSIZE+1, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9886 | if (priv == NULL) |
wolfSSL | 13:f67a6c6013ca | 9887 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9888 | |
wolfSSL | 13:f67a6c6013ca | 9889 | pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9890 | if (pub == NULL) { |
wolfSSL | 13:f67a6c6013ca | 9891 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9892 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 9893 | } |
wolfSSL | 13:f67a6c6013ca | 9894 | #endif |
wolfSSL | 13:f67a6c6013ca | 9895 | |
wolfSSL | 13:f67a6c6013ca | 9896 | /* priv key */ |
wolfSSL | 13:f67a6c6013ca | 9897 | privSz = length; |
wolfSSL | 13:f67a6c6013ca | 9898 | XMEMCPY(priv, &input[*inOutIdx], privSz); |
wolfSSL | 13:f67a6c6013ca | 9899 | *inOutIdx += length; |
wolfSSL | 13:f67a6c6013ca | 9900 | |
wolfSSL | 13:f67a6c6013ca | 9901 | if (ret == 0 && (*inOutIdx + 1) < inSz) { |
wolfSSL | 13:f67a6c6013ca | 9902 | /* prefix 0, may have */ |
wolfSSL | 13:f67a6c6013ca | 9903 | b = input[*inOutIdx]; |
wolfSSL | 13:f67a6c6013ca | 9904 | if (b == ECC_PREFIX_0) { |
wolfSSL | 13:f67a6c6013ca | 9905 | *inOutIdx += 1; |
wolfSSL | 13:f67a6c6013ca | 9906 | |
wolfSSL | 13:f67a6c6013ca | 9907 | if (GetLength(input, inOutIdx, &length, inSz) <= 0) |
wolfSSL | 13:f67a6c6013ca | 9908 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9909 | else { |
wolfSSL | 13:f67a6c6013ca | 9910 | ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, |
wolfSSL | 13:f67a6c6013ca | 9911 | inSz); |
wolfSSL | 13:f67a6c6013ca | 9912 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 9913 | if ((ret = CheckCurve(oidSum)) < 0) |
wolfSSL | 13:f67a6c6013ca | 9914 | ret = ECC_CURVE_OID_E; |
wolfSSL | 13:f67a6c6013ca | 9915 | else { |
wolfSSL | 13:f67a6c6013ca | 9916 | curve_id = ret; |
wolfSSL | 13:f67a6c6013ca | 9917 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 9918 | } |
wolfSSL | 13:f67a6c6013ca | 9919 | } |
wolfSSL | 13:f67a6c6013ca | 9920 | } |
wolfSSL | 13:f67a6c6013ca | 9921 | } |
wolfSSL | 13:f67a6c6013ca | 9922 | } |
wolfSSL | 13:f67a6c6013ca | 9923 | |
wolfSSL | 13:f67a6c6013ca | 9924 | if (ret == 0 && (*inOutIdx + 1) < inSz) { |
wolfSSL | 13:f67a6c6013ca | 9925 | /* prefix 1 */ |
wolfSSL | 13:f67a6c6013ca | 9926 | b = input[*inOutIdx]; |
wolfSSL | 13:f67a6c6013ca | 9927 | *inOutIdx += 1; |
wolfSSL | 13:f67a6c6013ca | 9928 | |
wolfSSL | 13:f67a6c6013ca | 9929 | if (b != ECC_PREFIX_1) { |
wolfSSL | 13:f67a6c6013ca | 9930 | ret = ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 9931 | } |
wolfSSL | 13:f67a6c6013ca | 9932 | else if (GetLength(input, inOutIdx, &length, inSz) <= 0) { |
wolfSSL | 13:f67a6c6013ca | 9933 | ret = ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9934 | } |
wolfSSL | 13:f67a6c6013ca | 9935 | else { |
wolfSSL | 13:f67a6c6013ca | 9936 | /* key header */ |
wolfSSL | 13:f67a6c6013ca | 9937 | ret = CheckBitString(input, inOutIdx, &length, inSz, 0, NULL); |
wolfSSL | 13:f67a6c6013ca | 9938 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 9939 | /* pub key */ |
wolfSSL | 13:f67a6c6013ca | 9940 | pubSz = length; |
wolfSSL | 13:f67a6c6013ca | 9941 | if (pubSz < 2*(ECC_MAXSIZE+1)) { |
wolfSSL | 13:f67a6c6013ca | 9942 | XMEMCPY(pub, &input[*inOutIdx], pubSz); |
wolfSSL | 13:f67a6c6013ca | 9943 | *inOutIdx += length; |
wolfSSL | 13:f67a6c6013ca | 9944 | pubData = pub; |
wolfSSL | 13:f67a6c6013ca | 9945 | } |
wolfSSL | 13:f67a6c6013ca | 9946 | else |
wolfSSL | 13:f67a6c6013ca | 9947 | ret = BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 9948 | } |
wolfSSL | 13:f67a6c6013ca | 9949 | } |
wolfSSL | 13:f67a6c6013ca | 9950 | } |
wolfSSL | 13:f67a6c6013ca | 9951 | |
wolfSSL | 13:f67a6c6013ca | 9952 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 9953 | ret = wc_ecc_import_private_key_ex(priv, privSz, pubData, pubSz, key, |
wolfSSL | 13:f67a6c6013ca | 9954 | curve_id); |
wolfSSL | 13:f67a6c6013ca | 9955 | } |
wolfSSL | 13:f67a6c6013ca | 9956 | |
wolfSSL | 13:f67a6c6013ca | 9957 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 9958 | XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9959 | XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 9960 | #endif |
wolfSSL | 13:f67a6c6013ca | 9961 | |
wolfSSL | 13:f67a6c6013ca | 9962 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9963 | } |
wolfSSL | 13:f67a6c6013ca | 9964 | |
wolfSSL | 13:f67a6c6013ca | 9965 | |
wolfSSL | 13:f67a6c6013ca | 9966 | int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 13:f67a6c6013ca | 9967 | ecc_key* key, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 9968 | { |
wolfSSL | 13:f67a6c6013ca | 9969 | int length; |
wolfSSL | 13:f67a6c6013ca | 9970 | int ret; |
wolfSSL | 13:f67a6c6013ca | 9971 | #ifdef ECC_CHECK_PUBLIC_KEY_OID |
wolfSSL | 13:f67a6c6013ca | 9972 | word32 oidSum; |
wolfSSL | 13:f67a6c6013ca | 9973 | #endif |
wolfSSL | 13:f67a6c6013ca | 9974 | |
wolfSSL | 13:f67a6c6013ca | 9975 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 13:f67a6c6013ca | 9976 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 9977 | |
wolfSSL | 13:f67a6c6013ca | 9978 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 9979 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9980 | |
wolfSSL | 13:f67a6c6013ca | 9981 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 9982 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 9983 | |
wolfSSL | 13:f67a6c6013ca | 9984 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 13:f67a6c6013ca | 9985 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 9986 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9987 | |
wolfSSL | 13:f67a6c6013ca | 9988 | /* ecc params information */ |
wolfSSL | 13:f67a6c6013ca | 9989 | #ifdef ECC_CHECK_PUBLIC_KEY_OID |
wolfSSL | 13:f67a6c6013ca | 9990 | ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, inSz); |
wolfSSL | 13:f67a6c6013ca | 9991 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 9992 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9993 | if (CheckCurve(oidSum) < 0) |
wolfSSL | 13:f67a6c6013ca | 9994 | return ECC_CURVE_OID_E; |
wolfSSL | 13:f67a6c6013ca | 9995 | #else |
wolfSSL | 13:f67a6c6013ca | 9996 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 13:f67a6c6013ca | 9997 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 9998 | return ret; |
wolfSSL | 13:f67a6c6013ca | 9999 | #endif |
wolfSSL | 13:f67a6c6013ca | 10000 | |
wolfSSL | 13:f67a6c6013ca | 10001 | /* key header */ |
wolfSSL | 13:f67a6c6013ca | 10002 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 10003 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10004 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10005 | |
wolfSSL | 13:f67a6c6013ca | 10006 | /* This is the raw point data compressed or uncompressed. */ |
wolfSSL | 13:f67a6c6013ca | 10007 | if (wc_ecc_import_x963(input + *inOutIdx, inSz - *inOutIdx, key) != 0) |
wolfSSL | 13:f67a6c6013ca | 10008 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 10009 | |
wolfSSL | 13:f67a6c6013ca | 10010 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10011 | } |
wolfSSL | 13:f67a6c6013ca | 10012 | |
wolfSSL | 13:f67a6c6013ca | 10013 | |
wolfSSL | 13:f67a6c6013ca | 10014 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 13:f67a6c6013ca | 10015 | |
wolfSSL | 13:f67a6c6013ca | 10016 | /* build DER formatted ECC key, include optional public key if requested, |
wolfSSL | 13:f67a6c6013ca | 10017 | * return length on success, negative on error */ |
wolfSSL | 13:f67a6c6013ca | 10018 | static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen, |
wolfSSL | 13:f67a6c6013ca | 10019 | int pubIn) |
wolfSSL | 13:f67a6c6013ca | 10020 | { |
wolfSSL | 13:f67a6c6013ca | 10021 | byte curve[MAX_ALGO_SZ+2]; |
wolfSSL | 13:f67a6c6013ca | 10022 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10023 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10024 | byte *prv = NULL, *pub = NULL; |
wolfSSL | 13:f67a6c6013ca | 10025 | int ret, totalSz, curveSz, verSz; |
wolfSSL | 13:f67a6c6013ca | 10026 | int privHdrSz = ASN_ECC_HEADER_SZ; |
wolfSSL | 13:f67a6c6013ca | 10027 | int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ; |
wolfSSL | 13:f67a6c6013ca | 10028 | |
wolfSSL | 13:f67a6c6013ca | 10029 | word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0; |
wolfSSL | 13:f67a6c6013ca | 10030 | word32 seqSz, privSz, pubSz = ECC_BUFSIZE; |
wolfSSL | 13:f67a6c6013ca | 10031 | |
wolfSSL | 13:f67a6c6013ca | 10032 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 13:f67a6c6013ca | 10033 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10034 | |
wolfSSL | 13:f67a6c6013ca | 10035 | /* curve */ |
wolfSSL | 13:f67a6c6013ca | 10036 | curve[curveidx++] = ECC_PREFIX_0; |
wolfSSL | 13:f67a6c6013ca | 10037 | curveidx++ /* to put the size after computation */; |
wolfSSL | 13:f67a6c6013ca | 10038 | curveSz = SetCurve(key, curve+curveidx); |
wolfSSL | 13:f67a6c6013ca | 10039 | if (curveSz < 0) |
wolfSSL | 13:f67a6c6013ca | 10040 | return curveSz; |
wolfSSL | 13:f67a6c6013ca | 10041 | /* set computed size */ |
wolfSSL | 13:f67a6c6013ca | 10042 | curve[1] = (byte)curveSz; |
wolfSSL | 13:f67a6c6013ca | 10043 | curveidx += curveSz; |
wolfSSL | 13:f67a6c6013ca | 10044 | |
wolfSSL | 13:f67a6c6013ca | 10045 | /* private */ |
wolfSSL | 13:f67a6c6013ca | 10046 | privSz = key->dp->size; |
wolfSSL | 13:f67a6c6013ca | 10047 | prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ, |
wolfSSL | 13:f67a6c6013ca | 10048 | key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10049 | if (prv == NULL) { |
wolfSSL | 13:f67a6c6013ca | 10050 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 10051 | } |
wolfSSL | 13:f67a6c6013ca | 10052 | prvidx += SetOctetString8Bit(key->dp->size, &prv[prvidx]); |
wolfSSL | 13:f67a6c6013ca | 10053 | ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz); |
wolfSSL | 13:f67a6c6013ca | 10054 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 10055 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10056 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10057 | } |
wolfSSL | 13:f67a6c6013ca | 10058 | prvidx += privSz; |
wolfSSL | 13:f67a6c6013ca | 10059 | |
wolfSSL | 13:f67a6c6013ca | 10060 | /* pubIn */ |
wolfSSL | 13:f67a6c6013ca | 10061 | if (pubIn) { |
wolfSSL | 13:f67a6c6013ca | 10062 | ret = wc_ecc_export_x963(key, NULL, &pubSz); |
wolfSSL | 13:f67a6c6013ca | 10063 | if (ret != LENGTH_ONLY_E) { |
wolfSSL | 13:f67a6c6013ca | 10064 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10065 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10066 | } |
wolfSSL | 13:f67a6c6013ca | 10067 | |
wolfSSL | 13:f67a6c6013ca | 10068 | pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ, |
wolfSSL | 13:f67a6c6013ca | 10069 | key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10070 | if (pub == NULL) { |
wolfSSL | 13:f67a6c6013ca | 10071 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10072 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 10073 | } |
wolfSSL | 13:f67a6c6013ca | 10074 | |
wolfSSL | 13:f67a6c6013ca | 10075 | pub[pubidx++] = ECC_PREFIX_1; |
wolfSSL | 13:f67a6c6013ca | 10076 | if (pubSz > 128) /* leading zero + extra size byte */ |
wolfSSL | 13:f67a6c6013ca | 10077 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx); |
wolfSSL | 13:f67a6c6013ca | 10078 | else /* leading zero */ |
wolfSSL | 13:f67a6c6013ca | 10079 | pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx); |
wolfSSL | 13:f67a6c6013ca | 10080 | |
wolfSSL | 13:f67a6c6013ca | 10081 | /* SetBitString adds leading zero */ |
wolfSSL | 13:f67a6c6013ca | 10082 | pubidx += SetBitString(pubSz, 0, pub + pubidx); |
wolfSSL | 13:f67a6c6013ca | 10083 | ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz); |
wolfSSL | 13:f67a6c6013ca | 10084 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 10085 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10086 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10087 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10088 | } |
wolfSSL | 13:f67a6c6013ca | 10089 | pubidx += pubSz; |
wolfSSL | 13:f67a6c6013ca | 10090 | } |
wolfSSL | 13:f67a6c6013ca | 10091 | |
wolfSSL | 13:f67a6c6013ca | 10092 | /* make headers */ |
wolfSSL | 13:f67a6c6013ca | 10093 | verSz = SetMyVersion(1, ver, FALSE); |
wolfSSL | 13:f67a6c6013ca | 10094 | seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq); |
wolfSSL | 13:f67a6c6013ca | 10095 | |
wolfSSL | 13:f67a6c6013ca | 10096 | totalSz = prvidx + pubidx + curveidx + verSz + seqSz; |
wolfSSL | 13:f67a6c6013ca | 10097 | if (totalSz > (int)inLen) { |
wolfSSL | 13:f67a6c6013ca | 10098 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10099 | if (pubIn) { |
wolfSSL | 13:f67a6c6013ca | 10100 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10101 | } |
wolfSSL | 13:f67a6c6013ca | 10102 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10103 | } |
wolfSSL | 13:f67a6c6013ca | 10104 | |
wolfSSL | 13:f67a6c6013ca | 10105 | /* write out */ |
wolfSSL | 13:f67a6c6013ca | 10106 | /* seq */ |
wolfSSL | 13:f67a6c6013ca | 10107 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 10108 | idx = seqSz; |
wolfSSL | 13:f67a6c6013ca | 10109 | |
wolfSSL | 13:f67a6c6013ca | 10110 | /* ver */ |
wolfSSL | 13:f67a6c6013ca | 10111 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 13:f67a6c6013ca | 10112 | idx += verSz; |
wolfSSL | 13:f67a6c6013ca | 10113 | |
wolfSSL | 13:f67a6c6013ca | 10114 | /* private */ |
wolfSSL | 13:f67a6c6013ca | 10115 | XMEMCPY(output + idx, prv, prvidx); |
wolfSSL | 13:f67a6c6013ca | 10116 | idx += prvidx; |
wolfSSL | 13:f67a6c6013ca | 10117 | XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10118 | |
wolfSSL | 13:f67a6c6013ca | 10119 | /* curve */ |
wolfSSL | 13:f67a6c6013ca | 10120 | XMEMCPY(output + idx, curve, curveidx); |
wolfSSL | 13:f67a6c6013ca | 10121 | idx += curveidx; |
wolfSSL | 13:f67a6c6013ca | 10122 | |
wolfSSL | 13:f67a6c6013ca | 10123 | /* pubIn */ |
wolfSSL | 13:f67a6c6013ca | 10124 | if (pubIn) { |
wolfSSL | 13:f67a6c6013ca | 10125 | XMEMCPY(output + idx, pub, pubidx); |
wolfSSL | 13:f67a6c6013ca | 10126 | /* idx += pubidx; not used after write, if more data remove comment */ |
wolfSSL | 13:f67a6c6013ca | 10127 | XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 10128 | } |
wolfSSL | 13:f67a6c6013ca | 10129 | |
wolfSSL | 13:f67a6c6013ca | 10130 | return totalSz; |
wolfSSL | 13:f67a6c6013ca | 10131 | } |
wolfSSL | 13:f67a6c6013ca | 10132 | |
wolfSSL | 13:f67a6c6013ca | 10133 | |
wolfSSL | 13:f67a6c6013ca | 10134 | /* Write a Private ecc key, including public to DER format, |
wolfSSL | 13:f67a6c6013ca | 10135 | * length on success else < 0 */ |
wolfSSL | 13:f67a6c6013ca | 10136 | int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 10137 | { |
wolfSSL | 13:f67a6c6013ca | 10138 | return wc_BuildEccKeyDer(key, output, inLen, 1); |
wolfSSL | 13:f67a6c6013ca | 10139 | } |
wolfSSL | 13:f67a6c6013ca | 10140 | |
wolfSSL | 13:f67a6c6013ca | 10141 | |
wolfSSL | 13:f67a6c6013ca | 10142 | /* Write only private ecc key to DER format, |
wolfSSL | 13:f67a6c6013ca | 10143 | * length on success else < 0 */ |
wolfSSL | 13:f67a6c6013ca | 10144 | int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 10145 | { |
wolfSSL | 13:f67a6c6013ca | 10146 | return wc_BuildEccKeyDer(key, output, inLen, 0); |
wolfSSL | 13:f67a6c6013ca | 10147 | } |
wolfSSL | 13:f67a6c6013ca | 10148 | |
wolfSSL | 13:f67a6c6013ca | 10149 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 13:f67a6c6013ca | 10150 | |
wolfSSL | 13:f67a6c6013ca | 10151 | #endif /* HAVE_ECC */ |
wolfSSL | 13:f67a6c6013ca | 10152 | |
wolfSSL | 13:f67a6c6013ca | 10153 | |
wolfSSL | 13:f67a6c6013ca | 10154 | #ifdef HAVE_ED25519 |
wolfSSL | 13:f67a6c6013ca | 10155 | |
wolfSSL | 13:f67a6c6013ca | 10156 | int wc_Ed25519PrivateKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 13:f67a6c6013ca | 10157 | ed25519_key* key, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 10158 | { |
wolfSSL | 13:f67a6c6013ca | 10159 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 10160 | int ret, version, length, endKeyIdx, privSz, pubSz; |
wolfSSL | 13:f67a6c6013ca | 10161 | const byte* priv; |
wolfSSL | 13:f67a6c6013ca | 10162 | const byte* pub; |
wolfSSL | 13:f67a6c6013ca | 10163 | |
wolfSSL | 13:f67a6c6013ca | 10164 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 13:f67a6c6013ca | 10165 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10166 | |
wolfSSL | 13:f67a6c6013ca | 10167 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10168 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10169 | endKeyIdx = *inOutIdx + length; |
wolfSSL | 13:f67a6c6013ca | 10170 | |
wolfSSL | 13:f67a6c6013ca | 10171 | if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10172 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10173 | if (version != 0) { |
wolfSSL | 13:f67a6c6013ca | 10174 | WOLFSSL_MSG("Unrecognized version of ED25519 private key"); |
wolfSSL | 13:f67a6c6013ca | 10175 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10176 | } |
wolfSSL | 13:f67a6c6013ca | 10177 | |
wolfSSL | 13:f67a6c6013ca | 10178 | if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10179 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10180 | if (oid != ED25519k) |
wolfSSL | 13:f67a6c6013ca | 10181 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10182 | |
wolfSSL | 13:f67a6c6013ca | 10183 | if (GetOctetString(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10184 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10185 | |
wolfSSL | 13:f67a6c6013ca | 10186 | if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10187 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10188 | priv = input + *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 10189 | *inOutIdx += privSz; |
wolfSSL | 13:f67a6c6013ca | 10190 | |
wolfSSL | 13:f67a6c6013ca | 10191 | if (endKeyIdx == (int)*inOutIdx) { |
wolfSSL | 13:f67a6c6013ca | 10192 | ret = wc_ed25519_import_private_only(priv, privSz, key); |
wolfSSL | 13:f67a6c6013ca | 10193 | } |
wolfSSL | 13:f67a6c6013ca | 10194 | else { |
wolfSSL | 13:f67a6c6013ca | 10195 | if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1, |
wolfSSL | 13:f67a6c6013ca | 10196 | inOutIdx, &length, inSz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 10197 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10198 | } |
wolfSSL | 13:f67a6c6013ca | 10199 | if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10200 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10201 | pub = input + *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 10202 | *inOutIdx += pubSz; |
wolfSSL | 13:f67a6c6013ca | 10203 | |
wolfSSL | 13:f67a6c6013ca | 10204 | ret = wc_ed25519_import_private_key(priv, privSz, pub, pubSz, key); |
wolfSSL | 13:f67a6c6013ca | 10205 | } |
wolfSSL | 13:f67a6c6013ca | 10206 | if (ret == 0 && endKeyIdx != (int)*inOutIdx) |
wolfSSL | 13:f67a6c6013ca | 10207 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10208 | |
wolfSSL | 13:f67a6c6013ca | 10209 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10210 | } |
wolfSSL | 13:f67a6c6013ca | 10211 | |
wolfSSL | 13:f67a6c6013ca | 10212 | |
wolfSSL | 13:f67a6c6013ca | 10213 | int wc_Ed25519PublicKeyDecode(const byte* input, word32* inOutIdx, |
wolfSSL | 13:f67a6c6013ca | 10214 | ed25519_key* key, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 10215 | { |
wolfSSL | 13:f67a6c6013ca | 10216 | int length; |
wolfSSL | 13:f67a6c6013ca | 10217 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10218 | #ifdef ECC_CHECK_PUBLIC_KEY_OID |
wolfSSL | 13:f67a6c6013ca | 10219 | word32 oidSum; |
wolfSSL | 13:f67a6c6013ca | 10220 | #endif |
wolfSSL | 13:f67a6c6013ca | 10221 | |
wolfSSL | 13:f67a6c6013ca | 10222 | if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) |
wolfSSL | 13:f67a6c6013ca | 10223 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10224 | |
wolfSSL | 13:f67a6c6013ca | 10225 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10226 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10227 | |
wolfSSL | 13:f67a6c6013ca | 10228 | if (GetSequence(input, inOutIdx, &length, inSz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10229 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10230 | |
wolfSSL | 13:f67a6c6013ca | 10231 | ret = SkipObjectId(input, inOutIdx, inSz); |
wolfSSL | 13:f67a6c6013ca | 10232 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10233 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10234 | |
wolfSSL | 13:f67a6c6013ca | 10235 | /* key header */ |
wolfSSL | 13:f67a6c6013ca | 10236 | ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 10237 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10238 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10239 | |
wolfSSL | 13:f67a6c6013ca | 10240 | /* This is the raw point data compressed or uncompressed. */ |
wolfSSL | 13:f67a6c6013ca | 10241 | if (wc_ed25519_import_public(input + *inOutIdx, inSz - *inOutIdx, key) != 0) |
wolfSSL | 13:f67a6c6013ca | 10242 | return ASN_ECC_KEY_E; |
wolfSSL | 13:f67a6c6013ca | 10243 | |
wolfSSL | 13:f67a6c6013ca | 10244 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10245 | } |
wolfSSL | 13:f67a6c6013ca | 10246 | |
wolfSSL | 13:f67a6c6013ca | 10247 | |
wolfSSL | 13:f67a6c6013ca | 10248 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 13:f67a6c6013ca | 10249 | |
wolfSSL | 13:f67a6c6013ca | 10250 | /* build DER formatted ED25519 key, |
wolfSSL | 13:f67a6c6013ca | 10251 | * return length on success, negative on error */ |
wolfSSL | 13:f67a6c6013ca | 10252 | static int wc_BuildEd25519KeyDer(ed25519_key* key, byte* output, word32 inLen, |
wolfSSL | 13:f67a6c6013ca | 10253 | int pubOut) |
wolfSSL | 13:f67a6c6013ca | 10254 | { |
wolfSSL | 13:f67a6c6013ca | 10255 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10256 | byte ver[MAX_VERSION_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10257 | byte seq[MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10258 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10259 | word32 idx = 0, seqSz, verSz, algoSz, privSz, pubSz = 0; |
wolfSSL | 13:f67a6c6013ca | 10260 | |
wolfSSL | 13:f67a6c6013ca | 10261 | if (key == NULL || output == NULL || inLen == 0) |
wolfSSL | 13:f67a6c6013ca | 10262 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10263 | |
wolfSSL | 13:f67a6c6013ca | 10264 | if (pubOut) |
wolfSSL | 13:f67a6c6013ca | 10265 | pubSz = 2 + 2 + ED25519_PUB_KEY_SIZE; |
wolfSSL | 13:f67a6c6013ca | 10266 | privSz = 2 + 2 + ED25519_KEY_SIZE; |
wolfSSL | 13:f67a6c6013ca | 10267 | algoSz = SetAlgoID(ED25519k, algoArray, oidKeyType, 0); |
wolfSSL | 13:f67a6c6013ca | 10268 | verSz = SetMyVersion(0, ver, FALSE); |
wolfSSL | 13:f67a6c6013ca | 10269 | seqSz = SetSequence(verSz + algoSz + privSz + pubSz, seq); |
wolfSSL | 13:f67a6c6013ca | 10270 | |
wolfSSL | 13:f67a6c6013ca | 10271 | if (seqSz + verSz + algoSz + privSz + pubSz > inLen) |
wolfSSL | 13:f67a6c6013ca | 10272 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10273 | |
wolfSSL | 13:f67a6c6013ca | 10274 | /* write out */ |
wolfSSL | 13:f67a6c6013ca | 10275 | /* seq */ |
wolfSSL | 13:f67a6c6013ca | 10276 | XMEMCPY(output + idx, seq, seqSz); |
wolfSSL | 13:f67a6c6013ca | 10277 | idx = seqSz; |
wolfSSL | 13:f67a6c6013ca | 10278 | /* ver */ |
wolfSSL | 13:f67a6c6013ca | 10279 | XMEMCPY(output + idx, ver, verSz); |
wolfSSL | 13:f67a6c6013ca | 10280 | idx += verSz; |
wolfSSL | 13:f67a6c6013ca | 10281 | /* algo */ |
wolfSSL | 13:f67a6c6013ca | 10282 | XMEMCPY(output + idx, algoArray, algoSz); |
wolfSSL | 13:f67a6c6013ca | 10283 | idx += algoSz; |
wolfSSL | 13:f67a6c6013ca | 10284 | /* privKey */ |
wolfSSL | 13:f67a6c6013ca | 10285 | idx += SetOctetString(2 + ED25519_KEY_SIZE, output + idx); |
wolfSSL | 13:f67a6c6013ca | 10286 | idx += SetOctetString(ED25519_KEY_SIZE, output + idx); |
wolfSSL | 13:f67a6c6013ca | 10287 | ret = wc_ed25519_export_private_only(key, output + idx, &privSz); |
wolfSSL | 13:f67a6c6013ca | 10288 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10289 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10290 | idx += privSz; |
wolfSSL | 13:f67a6c6013ca | 10291 | /* pubKey */ |
wolfSSL | 13:f67a6c6013ca | 10292 | if (pubOut) { |
wolfSSL | 13:f67a6c6013ca | 10293 | idx += SetExplicit(1, 2 + ED25519_PUB_KEY_SIZE, output + idx); |
wolfSSL | 13:f67a6c6013ca | 10294 | idx += SetOctetString(ED25519_KEY_SIZE, output + idx); |
wolfSSL | 13:f67a6c6013ca | 10295 | ret = wc_ed25519_export_public(key, output + idx, &pubSz); |
wolfSSL | 13:f67a6c6013ca | 10296 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10297 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10298 | idx += pubSz; |
wolfSSL | 13:f67a6c6013ca | 10299 | } |
wolfSSL | 13:f67a6c6013ca | 10300 | |
wolfSSL | 13:f67a6c6013ca | 10301 | return idx; |
wolfSSL | 13:f67a6c6013ca | 10302 | } |
wolfSSL | 13:f67a6c6013ca | 10303 | |
wolfSSL | 13:f67a6c6013ca | 10304 | /* Write a Private ecc key, including public to DER format, |
wolfSSL | 13:f67a6c6013ca | 10305 | * length on success else < 0 */ |
wolfSSL | 13:f67a6c6013ca | 10306 | int wc_Ed25519KeyToDer(ed25519_key* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 10307 | { |
wolfSSL | 13:f67a6c6013ca | 10308 | return wc_BuildEd25519KeyDer(key, output, inLen, 1); |
wolfSSL | 13:f67a6c6013ca | 10309 | } |
wolfSSL | 13:f67a6c6013ca | 10310 | |
wolfSSL | 13:f67a6c6013ca | 10311 | |
wolfSSL | 13:f67a6c6013ca | 10312 | |
wolfSSL | 13:f67a6c6013ca | 10313 | /* Write only private ecc key to DER format, |
wolfSSL | 13:f67a6c6013ca | 10314 | * length on success else < 0 */ |
wolfSSL | 13:f67a6c6013ca | 10315 | int wc_Ed25519PrivateKeyToDer(ed25519_key* key, byte* output, word32 inLen) |
wolfSSL | 13:f67a6c6013ca | 10316 | { |
wolfSSL | 13:f67a6c6013ca | 10317 | return wc_BuildEd25519KeyDer(key, output, inLen, 0); |
wolfSSL | 13:f67a6c6013ca | 10318 | } |
wolfSSL | 13:f67a6c6013ca | 10319 | |
wolfSSL | 13:f67a6c6013ca | 10320 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 13:f67a6c6013ca | 10321 | |
wolfSSL | 13:f67a6c6013ca | 10322 | #endif /* HAVE_ED25519 */ |
wolfSSL | 13:f67a6c6013ca | 10323 | |
wolfSSL | 13:f67a6c6013ca | 10324 | |
wolfSSL | 13:f67a6c6013ca | 10325 | #if defined(HAVE_OCSP) || defined(HAVE_CRL) |
wolfSSL | 13:f67a6c6013ca | 10326 | |
wolfSSL | 13:f67a6c6013ca | 10327 | /* Get raw Date only, no processing, 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 10328 | static int GetBasicDate(const byte* source, word32* idx, byte* date, |
wolfSSL | 13:f67a6c6013ca | 10329 | byte* format, int maxIdx) |
wolfSSL | 13:f67a6c6013ca | 10330 | { |
wolfSSL | 13:f67a6c6013ca | 10331 | int length; |
wolfSSL | 13:f67a6c6013ca | 10332 | |
wolfSSL | 13:f67a6c6013ca | 10333 | WOLFSSL_ENTER("GetBasicDate"); |
wolfSSL | 13:f67a6c6013ca | 10334 | |
wolfSSL | 13:f67a6c6013ca | 10335 | *format = source[*idx]; |
wolfSSL | 13:f67a6c6013ca | 10336 | *idx += 1; |
wolfSSL | 13:f67a6c6013ca | 10337 | if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME) |
wolfSSL | 13:f67a6c6013ca | 10338 | return ASN_TIME_E; |
wolfSSL | 13:f67a6c6013ca | 10339 | |
wolfSSL | 13:f67a6c6013ca | 10340 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 10341 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10342 | |
wolfSSL | 13:f67a6c6013ca | 10343 | if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) |
wolfSSL | 13:f67a6c6013ca | 10344 | return ASN_DATE_SZ_E; |
wolfSSL | 13:f67a6c6013ca | 10345 | |
wolfSSL | 13:f67a6c6013ca | 10346 | XMEMCPY(date, &source[*idx], length); |
wolfSSL | 13:f67a6c6013ca | 10347 | *idx += length; |
wolfSSL | 13:f67a6c6013ca | 10348 | |
wolfSSL | 13:f67a6c6013ca | 10349 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10350 | } |
wolfSSL | 13:f67a6c6013ca | 10351 | |
wolfSSL | 13:f67a6c6013ca | 10352 | #endif |
wolfSSL | 13:f67a6c6013ca | 10353 | |
wolfSSL | 13:f67a6c6013ca | 10354 | |
wolfSSL | 13:f67a6c6013ca | 10355 | #ifdef HAVE_OCSP |
wolfSSL | 13:f67a6c6013ca | 10356 | |
wolfSSL | 13:f67a6c6013ca | 10357 | static int GetEnumerated(const byte* input, word32* inOutIdx, int *value) |
wolfSSL | 13:f67a6c6013ca | 10358 | { |
wolfSSL | 13:f67a6c6013ca | 10359 | word32 idx = *inOutIdx; |
wolfSSL | 13:f67a6c6013ca | 10360 | word32 len; |
wolfSSL | 13:f67a6c6013ca | 10361 | |
wolfSSL | 13:f67a6c6013ca | 10362 | WOLFSSL_ENTER("GetEnumerated"); |
wolfSSL | 13:f67a6c6013ca | 10363 | |
wolfSSL | 13:f67a6c6013ca | 10364 | *value = 0; |
wolfSSL | 13:f67a6c6013ca | 10365 | |
wolfSSL | 13:f67a6c6013ca | 10366 | if (input[idx++] != ASN_ENUMERATED) |
wolfSSL | 13:f67a6c6013ca | 10367 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10368 | |
wolfSSL | 13:f67a6c6013ca | 10369 | len = input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 10370 | if (len > 4) |
wolfSSL | 13:f67a6c6013ca | 10371 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10372 | |
wolfSSL | 13:f67a6c6013ca | 10373 | while (len--) { |
wolfSSL | 13:f67a6c6013ca | 10374 | *value = *value << 8 | input[idx++]; |
wolfSSL | 13:f67a6c6013ca | 10375 | } |
wolfSSL | 13:f67a6c6013ca | 10376 | |
wolfSSL | 13:f67a6c6013ca | 10377 | *inOutIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 10378 | |
wolfSSL | 13:f67a6c6013ca | 10379 | return *value; |
wolfSSL | 13:f67a6c6013ca | 10380 | } |
wolfSSL | 13:f67a6c6013ca | 10381 | |
wolfSSL | 13:f67a6c6013ca | 10382 | |
wolfSSL | 13:f67a6c6013ca | 10383 | static int DecodeSingleResponse(byte* source, |
wolfSSL | 13:f67a6c6013ca | 10384 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 13:f67a6c6013ca | 10385 | { |
wolfSSL | 13:f67a6c6013ca | 10386 | word32 idx = *ioIndex, prevIndex, oid; |
wolfSSL | 13:f67a6c6013ca | 10387 | int length, wrapperSz; |
wolfSSL | 13:f67a6c6013ca | 10388 | CertStatus* cs = resp->status; |
wolfSSL | 13:f67a6c6013ca | 10389 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10390 | |
wolfSSL | 13:f67a6c6013ca | 10391 | WOLFSSL_ENTER("DecodeSingleResponse"); |
wolfSSL | 13:f67a6c6013ca | 10392 | |
wolfSSL | 13:f67a6c6013ca | 10393 | /* Outer wrapper of the SEQUENCE OF Single Responses. */ |
wolfSSL | 13:f67a6c6013ca | 10394 | if (GetSequence(source, &idx, &wrapperSz, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10395 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10396 | |
wolfSSL | 13:f67a6c6013ca | 10397 | prevIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10398 | |
wolfSSL | 13:f67a6c6013ca | 10399 | /* When making a request, we only request one status on one certificate |
wolfSSL | 13:f67a6c6013ca | 10400 | * at a time. There should only be one SingleResponse */ |
wolfSSL | 13:f67a6c6013ca | 10401 | |
wolfSSL | 13:f67a6c6013ca | 10402 | /* Wrapper around the Single Response */ |
wolfSSL | 13:f67a6c6013ca | 10403 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10404 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10405 | |
wolfSSL | 13:f67a6c6013ca | 10406 | /* Wrapper around the CertID */ |
wolfSSL | 13:f67a6c6013ca | 10407 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10408 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10409 | /* Skip the hash algorithm */ |
wolfSSL | 13:f67a6c6013ca | 10410 | if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10411 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10412 | /* Save reference to the hash of CN */ |
wolfSSL | 13:f67a6c6013ca | 10413 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 13:f67a6c6013ca | 10414 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10415 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10416 | resp->issuerHash = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10417 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10418 | /* Save reference to the hash of the issuer public key */ |
wolfSSL | 13:f67a6c6013ca | 10419 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 13:f67a6c6013ca | 10420 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10421 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10422 | resp->issuerKeyHash = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10423 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10424 | |
wolfSSL | 13:f67a6c6013ca | 10425 | /* Get serial number */ |
wolfSSL | 13:f67a6c6013ca | 10426 | if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10427 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10428 | |
wolfSSL | 13:f67a6c6013ca | 10429 | /* CertStatus */ |
wolfSSL | 13:f67a6c6013ca | 10430 | switch (source[idx++]) |
wolfSSL | 13:f67a6c6013ca | 10431 | { |
wolfSSL | 13:f67a6c6013ca | 10432 | case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): |
wolfSSL | 13:f67a6c6013ca | 10433 | cs->status = CERT_GOOD; |
wolfSSL | 13:f67a6c6013ca | 10434 | idx++; |
wolfSSL | 13:f67a6c6013ca | 10435 | break; |
wolfSSL | 13:f67a6c6013ca | 10436 | case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): |
wolfSSL | 13:f67a6c6013ca | 10437 | cs->status = CERT_REVOKED; |
wolfSSL | 13:f67a6c6013ca | 10438 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10439 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10440 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10441 | break; |
wolfSSL | 13:f67a6c6013ca | 10442 | case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): |
wolfSSL | 13:f67a6c6013ca | 10443 | cs->status = CERT_UNKNOWN; |
wolfSSL | 13:f67a6c6013ca | 10444 | idx++; |
wolfSSL | 13:f67a6c6013ca | 10445 | break; |
wolfSSL | 13:f67a6c6013ca | 10446 | default: |
wolfSSL | 13:f67a6c6013ca | 10447 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10448 | } |
wolfSSL | 13:f67a6c6013ca | 10449 | |
wolfSSL | 13:f67a6c6013ca | 10450 | #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 13:f67a6c6013ca | 10451 | cs->thisDateAsn = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10452 | #endif |
wolfSSL | 13:f67a6c6013ca | 10453 | if (GetBasicDate(source, &idx, cs->thisDate, |
wolfSSL | 13:f67a6c6013ca | 10454 | &cs->thisDateFormat, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10455 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10456 | |
wolfSSL | 13:f67a6c6013ca | 10457 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 10458 | if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) |
wolfSSL | 13:f67a6c6013ca | 10459 | return ASN_BEFORE_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 10460 | #endif |
wolfSSL | 13:f67a6c6013ca | 10461 | |
wolfSSL | 13:f67a6c6013ca | 10462 | /* The following items are optional. Only check for them if there is more |
wolfSSL | 13:f67a6c6013ca | 10463 | * unprocessed data in the singleResponse wrapper. */ |
wolfSSL | 13:f67a6c6013ca | 10464 | |
wolfSSL | 13:f67a6c6013ca | 10465 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 13:f67a6c6013ca | 10466 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))) |
wolfSSL | 13:f67a6c6013ca | 10467 | { |
wolfSSL | 13:f67a6c6013ca | 10468 | idx++; |
wolfSSL | 13:f67a6c6013ca | 10469 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10470 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10471 | #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 13:f67a6c6013ca | 10472 | cs->nextDateAsn = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10473 | #endif |
wolfSSL | 13:f67a6c6013ca | 10474 | if (GetBasicDate(source, &idx, cs->nextDate, |
wolfSSL | 13:f67a6c6013ca | 10475 | &cs->nextDateFormat, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10476 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10477 | |
wolfSSL | 13:f67a6c6013ca | 10478 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 10479 | if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) |
wolfSSL | 13:f67a6c6013ca | 10480 | return ASN_AFTER_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 10481 | #endif |
wolfSSL | 13:f67a6c6013ca | 10482 | } |
wolfSSL | 13:f67a6c6013ca | 10483 | if (((int)(idx - prevIndex) < wrapperSz) && |
wolfSSL | 13:f67a6c6013ca | 10484 | (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) |
wolfSSL | 13:f67a6c6013ca | 10485 | { |
wolfSSL | 13:f67a6c6013ca | 10486 | idx++; |
wolfSSL | 13:f67a6c6013ca | 10487 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10488 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10489 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10490 | } |
wolfSSL | 13:f67a6c6013ca | 10491 | |
wolfSSL | 13:f67a6c6013ca | 10492 | *ioIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10493 | |
wolfSSL | 13:f67a6c6013ca | 10494 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10495 | } |
wolfSSL | 13:f67a6c6013ca | 10496 | |
wolfSSL | 13:f67a6c6013ca | 10497 | static int DecodeOcspRespExtensions(byte* source, |
wolfSSL | 13:f67a6c6013ca | 10498 | word32* ioIndex, OcspResponse* resp, word32 sz) |
wolfSSL | 13:f67a6c6013ca | 10499 | { |
wolfSSL | 13:f67a6c6013ca | 10500 | word32 idx = *ioIndex; |
wolfSSL | 13:f67a6c6013ca | 10501 | int length; |
wolfSSL | 13:f67a6c6013ca | 10502 | int ext_bound; /* boundary index for the sequence of extensions */ |
wolfSSL | 13:f67a6c6013ca | 10503 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 10504 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10505 | |
wolfSSL | 13:f67a6c6013ca | 10506 | WOLFSSL_ENTER("DecodeOcspRespExtensions"); |
wolfSSL | 13:f67a6c6013ca | 10507 | |
wolfSSL | 13:f67a6c6013ca | 10508 | if ((idx + 1) > sz) |
wolfSSL | 13:f67a6c6013ca | 10509 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 10510 | |
wolfSSL | 13:f67a6c6013ca | 10511 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) |
wolfSSL | 13:f67a6c6013ca | 10512 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10513 | |
wolfSSL | 13:f67a6c6013ca | 10514 | if (GetLength(source, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10515 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10516 | |
wolfSSL | 13:f67a6c6013ca | 10517 | if (GetSequence(source, &idx, &length, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 10518 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10519 | |
wolfSSL | 13:f67a6c6013ca | 10520 | ext_bound = idx + length; |
wolfSSL | 13:f67a6c6013ca | 10521 | |
wolfSSL | 13:f67a6c6013ca | 10522 | while (idx < (word32)ext_bound) { |
wolfSSL | 13:f67a6c6013ca | 10523 | if (GetSequence(source, &idx, &length, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 10524 | WOLFSSL_MSG("\tfail: should be a SEQUENCE"); |
wolfSSL | 13:f67a6c6013ca | 10525 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10526 | } |
wolfSSL | 13:f67a6c6013ca | 10527 | |
wolfSSL | 13:f67a6c6013ca | 10528 | oid = 0; |
wolfSSL | 13:f67a6c6013ca | 10529 | if (GetObjectId(source, &idx, &oid, oidOcspType, sz) < 0) { |
wolfSSL | 13:f67a6c6013ca | 10530 | WOLFSSL_MSG("\tfail: OBJECT ID"); |
wolfSSL | 13:f67a6c6013ca | 10531 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10532 | } |
wolfSSL | 13:f67a6c6013ca | 10533 | |
wolfSSL | 13:f67a6c6013ca | 10534 | /* check for critical flag */ |
wolfSSL | 13:f67a6c6013ca | 10535 | if (source[idx] == ASN_BOOLEAN) { |
wolfSSL | 13:f67a6c6013ca | 10536 | WOLFSSL_MSG("\tfound optional critical flag, moving past"); |
wolfSSL | 13:f67a6c6013ca | 10537 | ret = GetBoolean(source, &idx, sz); |
wolfSSL | 13:f67a6c6013ca | 10538 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10539 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10540 | } |
wolfSSL | 13:f67a6c6013ca | 10541 | |
wolfSSL | 13:f67a6c6013ca | 10542 | ret = GetOctetString(source, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 10543 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10544 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10545 | |
wolfSSL | 13:f67a6c6013ca | 10546 | if (oid == OCSP_NONCE_OID) { |
wolfSSL | 13:f67a6c6013ca | 10547 | /* get data inside extra OCTET_STRING */ |
wolfSSL | 13:f67a6c6013ca | 10548 | ret = GetOctetString(source, &idx, &length, sz); |
wolfSSL | 13:f67a6c6013ca | 10549 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10550 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10551 | |
wolfSSL | 13:f67a6c6013ca | 10552 | resp->nonce = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10553 | resp->nonceSz = length; |
wolfSSL | 13:f67a6c6013ca | 10554 | } |
wolfSSL | 13:f67a6c6013ca | 10555 | |
wolfSSL | 13:f67a6c6013ca | 10556 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10557 | } |
wolfSSL | 13:f67a6c6013ca | 10558 | |
wolfSSL | 13:f67a6c6013ca | 10559 | *ioIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10560 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10561 | } |
wolfSSL | 13:f67a6c6013ca | 10562 | |
wolfSSL | 13:f67a6c6013ca | 10563 | |
wolfSSL | 13:f67a6c6013ca | 10564 | static int DecodeResponseData(byte* source, |
wolfSSL | 13:f67a6c6013ca | 10565 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 13:f67a6c6013ca | 10566 | { |
wolfSSL | 13:f67a6c6013ca | 10567 | word32 idx = *ioIndex, prev_idx; |
wolfSSL | 13:f67a6c6013ca | 10568 | int length; |
wolfSSL | 13:f67a6c6013ca | 10569 | int version; |
wolfSSL | 13:f67a6c6013ca | 10570 | word32 responderId = 0; |
wolfSSL | 13:f67a6c6013ca | 10571 | |
wolfSSL | 13:f67a6c6013ca | 10572 | WOLFSSL_ENTER("DecodeResponseData"); |
wolfSSL | 13:f67a6c6013ca | 10573 | |
wolfSSL | 13:f67a6c6013ca | 10574 | resp->response = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10575 | prev_idx = idx; |
wolfSSL | 13:f67a6c6013ca | 10576 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10577 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10578 | resp->responseSz = length + idx - prev_idx; |
wolfSSL | 13:f67a6c6013ca | 10579 | |
wolfSSL | 13:f67a6c6013ca | 10580 | /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this |
wolfSSL | 13:f67a6c6013ca | 10581 | * item isn't an EXPLICIT[0], then set version to zero and move |
wolfSSL | 13:f67a6c6013ca | 10582 | * onto the next item. |
wolfSSL | 13:f67a6c6013ca | 10583 | */ |
wolfSSL | 13:f67a6c6013ca | 10584 | if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) |
wolfSSL | 13:f67a6c6013ca | 10585 | { |
wolfSSL | 13:f67a6c6013ca | 10586 | idx += 2; /* Eat the value and length */ |
wolfSSL | 13:f67a6c6013ca | 10587 | if (GetMyVersion(source, &idx, &version, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10588 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10589 | } else |
wolfSSL | 13:f67a6c6013ca | 10590 | version = 0; |
wolfSSL | 13:f67a6c6013ca | 10591 | |
wolfSSL | 13:f67a6c6013ca | 10592 | responderId = source[idx++]; |
wolfSSL | 13:f67a6c6013ca | 10593 | if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) || |
wolfSSL | 13:f67a6c6013ca | 10594 | (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2))) |
wolfSSL | 13:f67a6c6013ca | 10595 | { |
wolfSSL | 13:f67a6c6013ca | 10596 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10597 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10598 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10599 | } |
wolfSSL | 13:f67a6c6013ca | 10600 | else |
wolfSSL | 13:f67a6c6013ca | 10601 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10602 | |
wolfSSL | 13:f67a6c6013ca | 10603 | /* save pointer to the producedAt time */ |
wolfSSL | 13:f67a6c6013ca | 10604 | if (GetBasicDate(source, &idx, resp->producedDate, |
wolfSSL | 13:f67a6c6013ca | 10605 | &resp->producedDateFormat, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10606 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10607 | |
wolfSSL | 13:f67a6c6013ca | 10608 | if (DecodeSingleResponse(source, &idx, resp, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10609 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10610 | |
wolfSSL | 13:f67a6c6013ca | 10611 | /* |
wolfSSL | 13:f67a6c6013ca | 10612 | * Check the length of the ResponseData against the current index to |
wolfSSL | 13:f67a6c6013ca | 10613 | * see if there are extensions, they are optional. |
wolfSSL | 13:f67a6c6013ca | 10614 | */ |
wolfSSL | 13:f67a6c6013ca | 10615 | if (idx - prev_idx < resp->responseSz) |
wolfSSL | 13:f67a6c6013ca | 10616 | if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10617 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10618 | |
wolfSSL | 13:f67a6c6013ca | 10619 | *ioIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10620 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10621 | } |
wolfSSL | 13:f67a6c6013ca | 10622 | |
wolfSSL | 13:f67a6c6013ca | 10623 | |
wolfSSL | 13:f67a6c6013ca | 10624 | #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS |
wolfSSL | 13:f67a6c6013ca | 10625 | |
wolfSSL | 13:f67a6c6013ca | 10626 | static int DecodeCerts(byte* source, |
wolfSSL | 13:f67a6c6013ca | 10627 | word32* ioIndex, OcspResponse* resp, word32 size) |
wolfSSL | 13:f67a6c6013ca | 10628 | { |
wolfSSL | 13:f67a6c6013ca | 10629 | word32 idx = *ioIndex; |
wolfSSL | 13:f67a6c6013ca | 10630 | |
wolfSSL | 13:f67a6c6013ca | 10631 | WOLFSSL_ENTER("DecodeCerts"); |
wolfSSL | 13:f67a6c6013ca | 10632 | |
wolfSSL | 13:f67a6c6013ca | 10633 | if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 13:f67a6c6013ca | 10634 | { |
wolfSSL | 13:f67a6c6013ca | 10635 | int length; |
wolfSSL | 13:f67a6c6013ca | 10636 | |
wolfSSL | 13:f67a6c6013ca | 10637 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10638 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10639 | |
wolfSSL | 13:f67a6c6013ca | 10640 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10641 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10642 | |
wolfSSL | 13:f67a6c6013ca | 10643 | resp->cert = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10644 | resp->certSz = length; |
wolfSSL | 13:f67a6c6013ca | 10645 | |
wolfSSL | 13:f67a6c6013ca | 10646 | idx += length; |
wolfSSL | 13:f67a6c6013ca | 10647 | } |
wolfSSL | 13:f67a6c6013ca | 10648 | *ioIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10649 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10650 | } |
wolfSSL | 13:f67a6c6013ca | 10651 | |
wolfSSL | 13:f67a6c6013ca | 10652 | #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ |
wolfSSL | 13:f67a6c6013ca | 10653 | |
wolfSSL | 13:f67a6c6013ca | 10654 | |
wolfSSL | 13:f67a6c6013ca | 10655 | static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, |
wolfSSL | 13:f67a6c6013ca | 10656 | OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify) |
wolfSSL | 13:f67a6c6013ca | 10657 | { |
wolfSSL | 13:f67a6c6013ca | 10658 | int length; |
wolfSSL | 13:f67a6c6013ca | 10659 | word32 idx = *ioIndex; |
wolfSSL | 13:f67a6c6013ca | 10660 | word32 end_index; |
wolfSSL | 13:f67a6c6013ca | 10661 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10662 | int sigLength; |
wolfSSL | 13:f67a6c6013ca | 10663 | |
wolfSSL | 13:f67a6c6013ca | 10664 | WOLFSSL_ENTER("DecodeBasicOcspResponse"); |
wolfSSL | 13:f67a6c6013ca | 10665 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 10666 | |
wolfSSL | 13:f67a6c6013ca | 10667 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10668 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10669 | |
wolfSSL | 13:f67a6c6013ca | 10670 | if (idx + length > size) |
wolfSSL | 13:f67a6c6013ca | 10671 | return ASN_INPUT_E; |
wolfSSL | 13:f67a6c6013ca | 10672 | end_index = idx + length; |
wolfSSL | 13:f67a6c6013ca | 10673 | |
wolfSSL | 13:f67a6c6013ca | 10674 | if (DecodeResponseData(source, &idx, resp, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10675 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10676 | |
wolfSSL | 13:f67a6c6013ca | 10677 | /* Get the signature algorithm */ |
wolfSSL | 13:f67a6c6013ca | 10678 | if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10679 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10680 | |
wolfSSL | 13:f67a6c6013ca | 10681 | ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 10682 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 10683 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10684 | |
wolfSSL | 13:f67a6c6013ca | 10685 | resp->sigSz = sigLength; |
wolfSSL | 13:f67a6c6013ca | 10686 | resp->sig = source + idx; |
wolfSSL | 13:f67a6c6013ca | 10687 | idx += sigLength; |
wolfSSL | 13:f67a6c6013ca | 10688 | |
wolfSSL | 13:f67a6c6013ca | 10689 | /* |
wolfSSL | 13:f67a6c6013ca | 10690 | * Check the length of the BasicOcspResponse against the current index to |
wolfSSL | 13:f67a6c6013ca | 10691 | * see if there are certificates, they are optional. |
wolfSSL | 13:f67a6c6013ca | 10692 | */ |
wolfSSL | 13:f67a6c6013ca | 10693 | #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS |
wolfSSL | 13:f67a6c6013ca | 10694 | if (idx < end_index) |
wolfSSL | 13:f67a6c6013ca | 10695 | { |
wolfSSL | 13:f67a6c6013ca | 10696 | DecodedCert cert; |
wolfSSL | 13:f67a6c6013ca | 10697 | |
wolfSSL | 13:f67a6c6013ca | 10698 | if (DecodeCerts(source, &idx, resp, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10699 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10700 | |
wolfSSL | 13:f67a6c6013ca | 10701 | InitDecodedCert(&cert, resp->cert, resp->certSz, heap); |
wolfSSL | 13:f67a6c6013ca | 10702 | |
wolfSSL | 13:f67a6c6013ca | 10703 | /* Don't verify if we don't have access to Cert Manager. */ |
wolfSSL | 13:f67a6c6013ca | 10704 | ret = ParseCertRelative(&cert, CERT_TYPE, |
wolfSSL | 13:f67a6c6013ca | 10705 | noVerify ? NO_VERIFY : VERIFY_OCSP, cm); |
wolfSSL | 13:f67a6c6013ca | 10706 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 10707 | WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); |
wolfSSL | 13:f67a6c6013ca | 10708 | FreeDecodedCert(&cert); |
wolfSSL | 13:f67a6c6013ca | 10709 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10710 | } |
wolfSSL | 13:f67a6c6013ca | 10711 | |
wolfSSL | 13:f67a6c6013ca | 10712 | #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK |
wolfSSL | 13:f67a6c6013ca | 10713 | if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { |
wolfSSL | 13:f67a6c6013ca | 10714 | if (XMEMCMP(cert.subjectHash, |
wolfSSL | 13:f67a6c6013ca | 10715 | resp->issuerHash, KEYID_SIZE) == 0) { |
wolfSSL | 13:f67a6c6013ca | 10716 | WOLFSSL_MSG("\tOCSP Response signed by issuer"); |
wolfSSL | 13:f67a6c6013ca | 10717 | } |
wolfSSL | 13:f67a6c6013ca | 10718 | else { |
wolfSSL | 13:f67a6c6013ca | 10719 | WOLFSSL_MSG("\tOCSP Responder key usage check failed"); |
wolfSSL | 13:f67a6c6013ca | 10720 | |
wolfSSL | 13:f67a6c6013ca | 10721 | FreeDecodedCert(&cert); |
wolfSSL | 13:f67a6c6013ca | 10722 | return BAD_OCSP_RESPONDER; |
wolfSSL | 13:f67a6c6013ca | 10723 | } |
wolfSSL | 13:f67a6c6013ca | 10724 | } |
wolfSSL | 13:f67a6c6013ca | 10725 | #endif |
wolfSSL | 13:f67a6c6013ca | 10726 | |
wolfSSL | 13:f67a6c6013ca | 10727 | /* ConfirmSignature is blocking here */ |
wolfSSL | 13:f67a6c6013ca | 10728 | ret = ConfirmSignature(&cert.sigCtx, |
wolfSSL | 13:f67a6c6013ca | 10729 | resp->response, resp->responseSz, |
wolfSSL | 13:f67a6c6013ca | 10730 | cert.publicKey, cert.pubKeySize, cert.keyOID, |
wolfSSL | 13:f67a6c6013ca | 10731 | resp->sig, resp->sigSz, resp->sigOID); |
wolfSSL | 13:f67a6c6013ca | 10732 | FreeDecodedCert(&cert); |
wolfSSL | 13:f67a6c6013ca | 10733 | |
wolfSSL | 13:f67a6c6013ca | 10734 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 10735 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 13:f67a6c6013ca | 10736 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 10737 | } |
wolfSSL | 13:f67a6c6013ca | 10738 | } |
wolfSSL | 13:f67a6c6013ca | 10739 | else |
wolfSSL | 13:f67a6c6013ca | 10740 | #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ |
wolfSSL | 13:f67a6c6013ca | 10741 | { |
wolfSSL | 13:f67a6c6013ca | 10742 | Signer* ca = NULL; |
wolfSSL | 13:f67a6c6013ca | 10743 | int sigValid = -1; |
wolfSSL | 13:f67a6c6013ca | 10744 | |
wolfSSL | 13:f67a6c6013ca | 10745 | #ifndef NO_SKID |
wolfSSL | 13:f67a6c6013ca | 10746 | ca = GetCA(cm, resp->issuerKeyHash); |
wolfSSL | 13:f67a6c6013ca | 10747 | #else |
wolfSSL | 13:f67a6c6013ca | 10748 | ca = GetCA(cm, resp->issuerHash); |
wolfSSL | 13:f67a6c6013ca | 10749 | #endif |
wolfSSL | 13:f67a6c6013ca | 10750 | |
wolfSSL | 13:f67a6c6013ca | 10751 | if (ca) { |
wolfSSL | 13:f67a6c6013ca | 10752 | SignatureCtx sigCtx; |
wolfSSL | 13:f67a6c6013ca | 10753 | InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); |
wolfSSL | 13:f67a6c6013ca | 10754 | |
wolfSSL | 13:f67a6c6013ca | 10755 | /* ConfirmSignature is blocking here */ |
wolfSSL | 13:f67a6c6013ca | 10756 | sigValid = ConfirmSignature(&sigCtx, resp->response, |
wolfSSL | 13:f67a6c6013ca | 10757 | resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, |
wolfSSL | 13:f67a6c6013ca | 10758 | resp->sig, resp->sigSz, resp->sigOID); |
wolfSSL | 13:f67a6c6013ca | 10759 | } |
wolfSSL | 13:f67a6c6013ca | 10760 | if (ca == NULL || sigValid != 0) { |
wolfSSL | 13:f67a6c6013ca | 10761 | WOLFSSL_MSG("\tOCSP Confirm signature failed"); |
wolfSSL | 13:f67a6c6013ca | 10762 | return ASN_OCSP_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 10763 | } |
wolfSSL | 13:f67a6c6013ca | 10764 | |
wolfSSL | 13:f67a6c6013ca | 10765 | (void)noVerify; |
wolfSSL | 13:f67a6c6013ca | 10766 | } |
wolfSSL | 13:f67a6c6013ca | 10767 | |
wolfSSL | 13:f67a6c6013ca | 10768 | *ioIndex = idx; |
wolfSSL | 13:f67a6c6013ca | 10769 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10770 | } |
wolfSSL | 13:f67a6c6013ca | 10771 | |
wolfSSL | 13:f67a6c6013ca | 10772 | |
wolfSSL | 13:f67a6c6013ca | 10773 | void InitOcspResponse(OcspResponse* resp, CertStatus* status, |
wolfSSL | 13:f67a6c6013ca | 10774 | byte* source, word32 inSz) |
wolfSSL | 13:f67a6c6013ca | 10775 | { |
wolfSSL | 13:f67a6c6013ca | 10776 | WOLFSSL_ENTER("InitOcspResponse"); |
wolfSSL | 13:f67a6c6013ca | 10777 | |
wolfSSL | 13:f67a6c6013ca | 10778 | XMEMSET(status, 0, sizeof(CertStatus)); |
wolfSSL | 13:f67a6c6013ca | 10779 | XMEMSET(resp, 0, sizeof(OcspResponse)); |
wolfSSL | 13:f67a6c6013ca | 10780 | |
wolfSSL | 13:f67a6c6013ca | 10781 | resp->responseStatus = -1; |
wolfSSL | 13:f67a6c6013ca | 10782 | resp->status = status; |
wolfSSL | 13:f67a6c6013ca | 10783 | resp->source = source; |
wolfSSL | 13:f67a6c6013ca | 10784 | resp->maxIdx = inSz; |
wolfSSL | 13:f67a6c6013ca | 10785 | } |
wolfSSL | 13:f67a6c6013ca | 10786 | |
wolfSSL | 13:f67a6c6013ca | 10787 | |
wolfSSL | 13:f67a6c6013ca | 10788 | int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) |
wolfSSL | 13:f67a6c6013ca | 10789 | { |
wolfSSL | 13:f67a6c6013ca | 10790 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10791 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 10792 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 10793 | byte* source = resp->source; |
wolfSSL | 13:f67a6c6013ca | 10794 | word32 size = resp->maxIdx; |
wolfSSL | 13:f67a6c6013ca | 10795 | word32 oid; |
wolfSSL | 13:f67a6c6013ca | 10796 | |
wolfSSL | 13:f67a6c6013ca | 10797 | WOLFSSL_ENTER("OcspResponseDecode"); |
wolfSSL | 13:f67a6c6013ca | 10798 | |
wolfSSL | 13:f67a6c6013ca | 10799 | /* peel the outer SEQUENCE wrapper */ |
wolfSSL | 13:f67a6c6013ca | 10800 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10801 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10802 | |
wolfSSL | 13:f67a6c6013ca | 10803 | /* First get the responseStatus, an ENUMERATED */ |
wolfSSL | 13:f67a6c6013ca | 10804 | if (GetEnumerated(source, &idx, &resp->responseStatus) < 0) |
wolfSSL | 13:f67a6c6013ca | 10805 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10806 | |
wolfSSL | 13:f67a6c6013ca | 10807 | if (resp->responseStatus != OCSP_SUCCESSFUL) |
wolfSSL | 13:f67a6c6013ca | 10808 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10809 | |
wolfSSL | 13:f67a6c6013ca | 10810 | /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */ |
wolfSSL | 13:f67a6c6013ca | 10811 | if (idx >= size) |
wolfSSL | 13:f67a6c6013ca | 10812 | return ASN_INPUT_E; |
wolfSSL | 13:f67a6c6013ca | 10813 | if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) |
wolfSSL | 13:f67a6c6013ca | 10814 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10815 | if (GetLength(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10816 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10817 | |
wolfSSL | 13:f67a6c6013ca | 10818 | /* Get the responseBytes SEQUENCE */ |
wolfSSL | 13:f67a6c6013ca | 10819 | if (GetSequence(source, &idx, &length, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10820 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10821 | |
wolfSSL | 13:f67a6c6013ca | 10822 | /* Check ObjectID for the resposeBytes */ |
wolfSSL | 13:f67a6c6013ca | 10823 | if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0) |
wolfSSL | 13:f67a6c6013ca | 10824 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10825 | if (oid != OCSP_BASIC_OID) |
wolfSSL | 13:f67a6c6013ca | 10826 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 10827 | ret = GetOctetString(source, &idx, &length, size); |
wolfSSL | 13:f67a6c6013ca | 10828 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10829 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10830 | |
wolfSSL | 13:f67a6c6013ca | 10831 | ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify); |
wolfSSL | 13:f67a6c6013ca | 10832 | if (ret < 0) |
wolfSSL | 13:f67a6c6013ca | 10833 | return ret; |
wolfSSL | 13:f67a6c6013ca | 10834 | |
wolfSSL | 13:f67a6c6013ca | 10835 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10836 | } |
wolfSSL | 13:f67a6c6013ca | 10837 | |
wolfSSL | 13:f67a6c6013ca | 10838 | |
wolfSSL | 13:f67a6c6013ca | 10839 | word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 13:f67a6c6013ca | 10840 | { |
wolfSSL | 13:f67a6c6013ca | 10841 | static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, |
wolfSSL | 13:f67a6c6013ca | 10842 | 0x30, 0x01, 0x02 }; |
wolfSSL | 13:f67a6c6013ca | 10843 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10844 | word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId); |
wolfSSL | 13:f67a6c6013ca | 10845 | |
wolfSSL | 13:f67a6c6013ca | 10846 | WOLFSSL_ENTER("SetOcspReqExtensions"); |
wolfSSL | 13:f67a6c6013ca | 10847 | |
wolfSSL | 13:f67a6c6013ca | 10848 | if (!req || !output || !req->nonceSz) |
wolfSSL | 13:f67a6c6013ca | 10849 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10850 | |
wolfSSL | 13:f67a6c6013ca | 10851 | totalSz += req->nonceSz; |
wolfSSL | 13:f67a6c6013ca | 10852 | totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]); |
wolfSSL | 13:f67a6c6013ca | 10853 | totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]); |
wolfSSL | 13:f67a6c6013ca | 10854 | totalSz += seqSz[2] = SetObjectId(sizeof(NonceObjId), seqArray[2]); |
wolfSSL | 13:f67a6c6013ca | 10855 | totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); |
wolfSSL | 13:f67a6c6013ca | 10856 | totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); |
wolfSSL | 13:f67a6c6013ca | 10857 | |
wolfSSL | 13:f67a6c6013ca | 10858 | if (totalSz > size) |
wolfSSL | 13:f67a6c6013ca | 10859 | return 0; |
wolfSSL | 13:f67a6c6013ca | 10860 | |
wolfSSL | 13:f67a6c6013ca | 10861 | totalSz = 0; |
wolfSSL | 13:f67a6c6013ca | 10862 | |
wolfSSL | 13:f67a6c6013ca | 10863 | XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); |
wolfSSL | 13:f67a6c6013ca | 10864 | totalSz += seqSz[4]; |
wolfSSL | 13:f67a6c6013ca | 10865 | |
wolfSSL | 13:f67a6c6013ca | 10866 | XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); |
wolfSSL | 13:f67a6c6013ca | 10867 | totalSz += seqSz[3]; |
wolfSSL | 13:f67a6c6013ca | 10868 | |
wolfSSL | 13:f67a6c6013ca | 10869 | XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); |
wolfSSL | 13:f67a6c6013ca | 10870 | totalSz += seqSz[2]; |
wolfSSL | 13:f67a6c6013ca | 10871 | |
wolfSSL | 13:f67a6c6013ca | 10872 | XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); |
wolfSSL | 13:f67a6c6013ca | 10873 | totalSz += (word32)sizeof(NonceObjId); |
wolfSSL | 13:f67a6c6013ca | 10874 | |
wolfSSL | 13:f67a6c6013ca | 10875 | XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); |
wolfSSL | 13:f67a6c6013ca | 10876 | totalSz += seqSz[1]; |
wolfSSL | 13:f67a6c6013ca | 10877 | |
wolfSSL | 13:f67a6c6013ca | 10878 | XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); |
wolfSSL | 13:f67a6c6013ca | 10879 | totalSz += seqSz[0]; |
wolfSSL | 13:f67a6c6013ca | 10880 | |
wolfSSL | 13:f67a6c6013ca | 10881 | XMEMCPY(output + totalSz, req->nonce, req->nonceSz); |
wolfSSL | 13:f67a6c6013ca | 10882 | totalSz += req->nonceSz; |
wolfSSL | 13:f67a6c6013ca | 10883 | |
wolfSSL | 13:f67a6c6013ca | 10884 | return totalSz; |
wolfSSL | 13:f67a6c6013ca | 10885 | } |
wolfSSL | 13:f67a6c6013ca | 10886 | |
wolfSSL | 13:f67a6c6013ca | 10887 | |
wolfSSL | 13:f67a6c6013ca | 10888 | int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) |
wolfSSL | 13:f67a6c6013ca | 10889 | { |
wolfSSL | 13:f67a6c6013ca | 10890 | byte seqArray[5][MAX_SEQ_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10891 | /* The ASN.1 of the OCSP Request is an onion of sequences */ |
wolfSSL | 13:f67a6c6013ca | 10892 | byte algoArray[MAX_ALGO_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10893 | byte issuerArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10894 | byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10895 | byte snArray[MAX_SN_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10896 | byte extArray[MAX_OCSP_EXT_SZ]; |
wolfSSL | 13:f67a6c6013ca | 10897 | word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; |
wolfSSL | 13:f67a6c6013ca | 10898 | int i; |
wolfSSL | 13:f67a6c6013ca | 10899 | |
wolfSSL | 13:f67a6c6013ca | 10900 | WOLFSSL_ENTER("EncodeOcspRequest"); |
wolfSSL | 13:f67a6c6013ca | 10901 | |
wolfSSL | 13:f67a6c6013ca | 10902 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 10903 | algoSz = SetAlgoID(SHA256h, algoArray, oidHashType, 0); |
wolfSSL | 13:f67a6c6013ca | 10904 | #else |
wolfSSL | 13:f67a6c6013ca | 10905 | algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0); |
wolfSSL | 13:f67a6c6013ca | 10906 | #endif |
wolfSSL | 13:f67a6c6013ca | 10907 | |
wolfSSL | 13:f67a6c6013ca | 10908 | issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); |
wolfSSL | 13:f67a6c6013ca | 10909 | issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); |
wolfSSL | 13:f67a6c6013ca | 10910 | snSz = SetSerialNumber(req->serial, req->serialSz, snArray); |
wolfSSL | 13:f67a6c6013ca | 10911 | extSz = 0; |
wolfSSL | 13:f67a6c6013ca | 10912 | |
wolfSSL | 13:f67a6c6013ca | 10913 | if (req->nonceSz) { |
wolfSSL | 13:f67a6c6013ca | 10914 | /* TLS Extensions use this function too - put extensions after |
wolfSSL | 13:f67a6c6013ca | 10915 | * ASN.1: Context Specific [2]. |
wolfSSL | 13:f67a6c6013ca | 10916 | */ |
wolfSSL | 13:f67a6c6013ca | 10917 | extSz = EncodeOcspRequestExtensions(req, extArray + 2, |
wolfSSL | 13:f67a6c6013ca | 10918 | OCSP_NONCE_EXT_SZ); |
wolfSSL | 13:f67a6c6013ca | 10919 | extSz += SetExplicit(2, extSz, extArray); |
wolfSSL | 13:f67a6c6013ca | 10920 | } |
wolfSSL | 13:f67a6c6013ca | 10921 | |
wolfSSL | 13:f67a6c6013ca | 10922 | totalSz = algoSz + issuerSz + issuerKeySz + snSz; |
wolfSSL | 13:f67a6c6013ca | 10923 | for (i = 4; i >= 0; i--) { |
wolfSSL | 13:f67a6c6013ca | 10924 | seqSz[i] = SetSequence(totalSz, seqArray[i]); |
wolfSSL | 13:f67a6c6013ca | 10925 | totalSz += seqSz[i]; |
wolfSSL | 13:f67a6c6013ca | 10926 | if (i == 2) totalSz += extSz; |
wolfSSL | 13:f67a6c6013ca | 10927 | } |
wolfSSL | 13:f67a6c6013ca | 10928 | |
wolfSSL | 13:f67a6c6013ca | 10929 | if (output == NULL) |
wolfSSL | 13:f67a6c6013ca | 10930 | return totalSz; |
wolfSSL | 13:f67a6c6013ca | 10931 | if (totalSz > size) |
wolfSSL | 13:f67a6c6013ca | 10932 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 10933 | |
wolfSSL | 13:f67a6c6013ca | 10934 | totalSz = 0; |
wolfSSL | 13:f67a6c6013ca | 10935 | for (i = 0; i < 5; i++) { |
wolfSSL | 13:f67a6c6013ca | 10936 | XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); |
wolfSSL | 13:f67a6c6013ca | 10937 | totalSz += seqSz[i]; |
wolfSSL | 13:f67a6c6013ca | 10938 | } |
wolfSSL | 13:f67a6c6013ca | 10939 | |
wolfSSL | 13:f67a6c6013ca | 10940 | XMEMCPY(output + totalSz, algoArray, algoSz); |
wolfSSL | 13:f67a6c6013ca | 10941 | totalSz += algoSz; |
wolfSSL | 13:f67a6c6013ca | 10942 | |
wolfSSL | 13:f67a6c6013ca | 10943 | XMEMCPY(output + totalSz, issuerArray, issuerSz); |
wolfSSL | 13:f67a6c6013ca | 10944 | totalSz += issuerSz; |
wolfSSL | 13:f67a6c6013ca | 10945 | |
wolfSSL | 13:f67a6c6013ca | 10946 | XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); |
wolfSSL | 13:f67a6c6013ca | 10947 | totalSz += issuerKeySz; |
wolfSSL | 13:f67a6c6013ca | 10948 | |
wolfSSL | 13:f67a6c6013ca | 10949 | XMEMCPY(output + totalSz, snArray, snSz); |
wolfSSL | 13:f67a6c6013ca | 10950 | totalSz += snSz; |
wolfSSL | 13:f67a6c6013ca | 10951 | |
wolfSSL | 13:f67a6c6013ca | 10952 | if (extSz != 0) { |
wolfSSL | 13:f67a6c6013ca | 10953 | XMEMCPY(output + totalSz, extArray, extSz); |
wolfSSL | 13:f67a6c6013ca | 10954 | totalSz += extSz; |
wolfSSL | 13:f67a6c6013ca | 10955 | } |
wolfSSL | 13:f67a6c6013ca | 10956 | |
wolfSSL | 13:f67a6c6013ca | 10957 | return totalSz; |
wolfSSL | 13:f67a6c6013ca | 10958 | } |
wolfSSL | 13:f67a6c6013ca | 10959 | |
wolfSSL | 13:f67a6c6013ca | 10960 | |
wolfSSL | 13:f67a6c6013ca | 10961 | int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, |
wolfSSL | 13:f67a6c6013ca | 10962 | void* heap) |
wolfSSL | 13:f67a6c6013ca | 10963 | { |
wolfSSL | 13:f67a6c6013ca | 10964 | int ret; |
wolfSSL | 13:f67a6c6013ca | 10965 | |
wolfSSL | 13:f67a6c6013ca | 10966 | WOLFSSL_ENTER("InitOcspRequest"); |
wolfSSL | 13:f67a6c6013ca | 10967 | |
wolfSSL | 13:f67a6c6013ca | 10968 | if (req == NULL) |
wolfSSL | 13:f67a6c6013ca | 10969 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 10970 | |
wolfSSL | 13:f67a6c6013ca | 10971 | ForceZero(req, sizeof(OcspRequest)); |
wolfSSL | 13:f67a6c6013ca | 10972 | req->heap = heap; |
wolfSSL | 13:f67a6c6013ca | 10973 | |
wolfSSL | 13:f67a6c6013ca | 10974 | if (cert) { |
wolfSSL | 13:f67a6c6013ca | 10975 | XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 10976 | XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 10977 | |
wolfSSL | 13:f67a6c6013ca | 10978 | req->serial = (byte*)XMALLOC(cert->serialSz, req->heap, |
wolfSSL | 13:f67a6c6013ca | 10979 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 10980 | if (req->serial == NULL) |
wolfSSL | 13:f67a6c6013ca | 10981 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 10982 | |
wolfSSL | 13:f67a6c6013ca | 10983 | XMEMCPY(req->serial, cert->serial, cert->serialSz); |
wolfSSL | 13:f67a6c6013ca | 10984 | req->serialSz = cert->serialSz; |
wolfSSL | 13:f67a6c6013ca | 10985 | |
wolfSSL | 13:f67a6c6013ca | 10986 | if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { |
wolfSSL | 13:f67a6c6013ca | 10987 | req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap, |
wolfSSL | 13:f67a6c6013ca | 10988 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 10989 | if (req->url == NULL) { |
wolfSSL | 13:f67a6c6013ca | 10990 | XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP); |
wolfSSL | 13:f67a6c6013ca | 10991 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 10992 | } |
wolfSSL | 13:f67a6c6013ca | 10993 | |
wolfSSL | 13:f67a6c6013ca | 10994 | XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); |
wolfSSL | 13:f67a6c6013ca | 10995 | req->urlSz = cert->extAuthInfoSz; |
wolfSSL | 13:f67a6c6013ca | 10996 | } |
wolfSSL | 13:f67a6c6013ca | 10997 | } |
wolfSSL | 13:f67a6c6013ca | 10998 | |
wolfSSL | 13:f67a6c6013ca | 10999 | if (useNonce) { |
wolfSSL | 13:f67a6c6013ca | 11000 | WC_RNG rng; |
wolfSSL | 13:f67a6c6013ca | 11001 | |
wolfSSL | 13:f67a6c6013ca | 11002 | #ifndef HAVE_FIPS |
wolfSSL | 13:f67a6c6013ca | 11003 | ret = wc_InitRng_ex(&rng, req->heap, INVALID_DEVID); |
wolfSSL | 13:f67a6c6013ca | 11004 | #else |
wolfSSL | 13:f67a6c6013ca | 11005 | ret = wc_InitRng(&rng); |
wolfSSL | 13:f67a6c6013ca | 11006 | #endif |
wolfSSL | 13:f67a6c6013ca | 11007 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 11008 | WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); |
wolfSSL | 13:f67a6c6013ca | 11009 | } else { |
wolfSSL | 13:f67a6c6013ca | 11010 | if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) |
wolfSSL | 13:f67a6c6013ca | 11011 | WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); |
wolfSSL | 13:f67a6c6013ca | 11012 | else |
wolfSSL | 13:f67a6c6013ca | 11013 | req->nonceSz = MAX_OCSP_NONCE_SZ; |
wolfSSL | 13:f67a6c6013ca | 11014 | |
wolfSSL | 13:f67a6c6013ca | 11015 | wc_FreeRng(&rng); |
wolfSSL | 13:f67a6c6013ca | 11016 | } |
wolfSSL | 13:f67a6c6013ca | 11017 | } |
wolfSSL | 13:f67a6c6013ca | 11018 | |
wolfSSL | 13:f67a6c6013ca | 11019 | return 0; |
wolfSSL | 13:f67a6c6013ca | 11020 | } |
wolfSSL | 13:f67a6c6013ca | 11021 | |
wolfSSL | 13:f67a6c6013ca | 11022 | void FreeOcspRequest(OcspRequest* req) |
wolfSSL | 13:f67a6c6013ca | 11023 | { |
wolfSSL | 13:f67a6c6013ca | 11024 | WOLFSSL_ENTER("FreeOcspRequest"); |
wolfSSL | 13:f67a6c6013ca | 11025 | |
wolfSSL | 13:f67a6c6013ca | 11026 | if (req) { |
wolfSSL | 13:f67a6c6013ca | 11027 | if (req->serial) |
wolfSSL | 13:f67a6c6013ca | 11028 | XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 11029 | |
wolfSSL | 13:f67a6c6013ca | 11030 | if (req->url) |
wolfSSL | 13:f67a6c6013ca | 11031 | XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 11032 | } |
wolfSSL | 13:f67a6c6013ca | 11033 | } |
wolfSSL | 13:f67a6c6013ca | 11034 | |
wolfSSL | 13:f67a6c6013ca | 11035 | |
wolfSSL | 13:f67a6c6013ca | 11036 | int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) |
wolfSSL | 13:f67a6c6013ca | 11037 | { |
wolfSSL | 13:f67a6c6013ca | 11038 | int cmp; |
wolfSSL | 13:f67a6c6013ca | 11039 | |
wolfSSL | 13:f67a6c6013ca | 11040 | WOLFSSL_ENTER("CompareOcspReqResp"); |
wolfSSL | 13:f67a6c6013ca | 11041 | |
wolfSSL | 13:f67a6c6013ca | 11042 | if (req == NULL) |
wolfSSL | 13:f67a6c6013ca | 11043 | { |
wolfSSL | 13:f67a6c6013ca | 11044 | WOLFSSL_MSG("\tReq missing"); |
wolfSSL | 13:f67a6c6013ca | 11045 | return -1; |
wolfSSL | 13:f67a6c6013ca | 11046 | } |
wolfSSL | 13:f67a6c6013ca | 11047 | |
wolfSSL | 13:f67a6c6013ca | 11048 | if (resp == NULL) |
wolfSSL | 13:f67a6c6013ca | 11049 | { |
wolfSSL | 13:f67a6c6013ca | 11050 | WOLFSSL_MSG("\tResp missing"); |
wolfSSL | 13:f67a6c6013ca | 11051 | return 1; |
wolfSSL | 13:f67a6c6013ca | 11052 | } |
wolfSSL | 13:f67a6c6013ca | 11053 | |
wolfSSL | 13:f67a6c6013ca | 11054 | /* Nonces are not critical. The responder may not necessarily add |
wolfSSL | 13:f67a6c6013ca | 11055 | * the nonce to the response. */ |
wolfSSL | 13:f67a6c6013ca | 11056 | if (resp->nonceSz != 0) { |
wolfSSL | 13:f67a6c6013ca | 11057 | cmp = req->nonceSz - resp->nonceSz; |
wolfSSL | 13:f67a6c6013ca | 11058 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11059 | { |
wolfSSL | 13:f67a6c6013ca | 11060 | WOLFSSL_MSG("\tnonceSz mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11061 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11062 | } |
wolfSSL | 13:f67a6c6013ca | 11063 | |
wolfSSL | 13:f67a6c6013ca | 11064 | cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); |
wolfSSL | 13:f67a6c6013ca | 11065 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11066 | { |
wolfSSL | 13:f67a6c6013ca | 11067 | WOLFSSL_MSG("\tnonce mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11068 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11069 | } |
wolfSSL | 13:f67a6c6013ca | 11070 | } |
wolfSSL | 13:f67a6c6013ca | 11071 | |
wolfSSL | 13:f67a6c6013ca | 11072 | cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 11073 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11074 | { |
wolfSSL | 13:f67a6c6013ca | 11075 | WOLFSSL_MSG("\tissuerHash mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11076 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11077 | } |
wolfSSL | 13:f67a6c6013ca | 11078 | |
wolfSSL | 13:f67a6c6013ca | 11079 | cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); |
wolfSSL | 13:f67a6c6013ca | 11080 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11081 | { |
wolfSSL | 13:f67a6c6013ca | 11082 | WOLFSSL_MSG("\tissuerKeyHash mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11083 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11084 | } |
wolfSSL | 13:f67a6c6013ca | 11085 | |
wolfSSL | 13:f67a6c6013ca | 11086 | cmp = req->serialSz - resp->status->serialSz; |
wolfSSL | 13:f67a6c6013ca | 11087 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11088 | { |
wolfSSL | 13:f67a6c6013ca | 11089 | WOLFSSL_MSG("\tserialSz mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11090 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11091 | } |
wolfSSL | 13:f67a6c6013ca | 11092 | |
wolfSSL | 13:f67a6c6013ca | 11093 | cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz); |
wolfSSL | 13:f67a6c6013ca | 11094 | if (cmp != 0) |
wolfSSL | 13:f67a6c6013ca | 11095 | { |
wolfSSL | 13:f67a6c6013ca | 11096 | WOLFSSL_MSG("\tserial mismatch"); |
wolfSSL | 13:f67a6c6013ca | 11097 | return cmp; |
wolfSSL | 13:f67a6c6013ca | 11098 | } |
wolfSSL | 13:f67a6c6013ca | 11099 | |
wolfSSL | 13:f67a6c6013ca | 11100 | return 0; |
wolfSSL | 13:f67a6c6013ca | 11101 | } |
wolfSSL | 13:f67a6c6013ca | 11102 | |
wolfSSL | 13:f67a6c6013ca | 11103 | #endif |
wolfSSL | 13:f67a6c6013ca | 11104 | |
wolfSSL | 13:f67a6c6013ca | 11105 | |
wolfSSL | 13:f67a6c6013ca | 11106 | /* store SHA hash of NAME */ |
wolfSSL | 13:f67a6c6013ca | 11107 | WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, |
wolfSSL | 13:f67a6c6013ca | 11108 | int maxIdx) |
wolfSSL | 13:f67a6c6013ca | 11109 | { |
wolfSSL | 13:f67a6c6013ca | 11110 | int length; /* length of all distinguished names */ |
wolfSSL | 13:f67a6c6013ca | 11111 | int ret; |
wolfSSL | 13:f67a6c6013ca | 11112 | word32 dummy; |
wolfSSL | 13:f67a6c6013ca | 11113 | |
wolfSSL | 13:f67a6c6013ca | 11114 | WOLFSSL_ENTER("GetNameHash"); |
wolfSSL | 13:f67a6c6013ca | 11115 | |
wolfSSL | 13:f67a6c6013ca | 11116 | if (source[*idx] == ASN_OBJECT_ID) { |
wolfSSL | 13:f67a6c6013ca | 11117 | WOLFSSL_MSG("Trying optional prefix..."); |
wolfSSL | 13:f67a6c6013ca | 11118 | |
wolfSSL | 13:f67a6c6013ca | 11119 | if (GetLength(source, idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 11120 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11121 | |
wolfSSL | 13:f67a6c6013ca | 11122 | *idx += length; |
wolfSSL | 13:f67a6c6013ca | 11123 | WOLFSSL_MSG("Got optional prefix"); |
wolfSSL | 13:f67a6c6013ca | 11124 | } |
wolfSSL | 13:f67a6c6013ca | 11125 | |
wolfSSL | 13:f67a6c6013ca | 11126 | /* For OCSP, RFC2560 section 4.1.1 states the issuer hash should be |
wolfSSL | 13:f67a6c6013ca | 11127 | * calculated over the entire DER encoding of the Name field, including |
wolfSSL | 13:f67a6c6013ca | 11128 | * the tag and length. */ |
wolfSSL | 13:f67a6c6013ca | 11129 | dummy = *idx; |
wolfSSL | 13:f67a6c6013ca | 11130 | if (GetSequence(source, idx, &length, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 11131 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11132 | |
wolfSSL | 13:f67a6c6013ca | 11133 | #ifdef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 11134 | ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 13:f67a6c6013ca | 11135 | #else |
wolfSSL | 13:f67a6c6013ca | 11136 | ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash); |
wolfSSL | 13:f67a6c6013ca | 11137 | #endif |
wolfSSL | 13:f67a6c6013ca | 11138 | |
wolfSSL | 13:f67a6c6013ca | 11139 | *idx += length; |
wolfSSL | 13:f67a6c6013ca | 11140 | |
wolfSSL | 13:f67a6c6013ca | 11141 | return ret; |
wolfSSL | 13:f67a6c6013ca | 11142 | } |
wolfSSL | 13:f67a6c6013ca | 11143 | |
wolfSSL | 13:f67a6c6013ca | 11144 | |
wolfSSL | 13:f67a6c6013ca | 11145 | #ifdef HAVE_CRL |
wolfSSL | 13:f67a6c6013ca | 11146 | |
wolfSSL | 13:f67a6c6013ca | 11147 | /* initialize decoded CRL */ |
wolfSSL | 13:f67a6c6013ca | 11148 | void InitDecodedCRL(DecodedCRL* dcrl, void* heap) |
wolfSSL | 13:f67a6c6013ca | 11149 | { |
wolfSSL | 13:f67a6c6013ca | 11150 | WOLFSSL_MSG("InitDecodedCRL"); |
wolfSSL | 13:f67a6c6013ca | 11151 | |
wolfSSL | 13:f67a6c6013ca | 11152 | dcrl->certBegin = 0; |
wolfSSL | 13:f67a6c6013ca | 11153 | dcrl->sigIndex = 0; |
wolfSSL | 13:f67a6c6013ca | 11154 | dcrl->sigLength = 0; |
wolfSSL | 13:f67a6c6013ca | 11155 | dcrl->signatureOID = 0; |
wolfSSL | 13:f67a6c6013ca | 11156 | dcrl->certs = NULL; |
wolfSSL | 13:f67a6c6013ca | 11157 | dcrl->totalCerts = 0; |
wolfSSL | 13:f67a6c6013ca | 11158 | dcrl->heap = heap; |
wolfSSL | 13:f67a6c6013ca | 11159 | #ifdef WOLFSSL_HEAP_TEST |
wolfSSL | 13:f67a6c6013ca | 11160 | dcrl->heap = (void*)WOLFSSL_HEAP_TEST; |
wolfSSL | 13:f67a6c6013ca | 11161 | #endif |
wolfSSL | 13:f67a6c6013ca | 11162 | } |
wolfSSL | 13:f67a6c6013ca | 11163 | |
wolfSSL | 13:f67a6c6013ca | 11164 | |
wolfSSL | 13:f67a6c6013ca | 11165 | /* free decoded CRL resources */ |
wolfSSL | 13:f67a6c6013ca | 11166 | void FreeDecodedCRL(DecodedCRL* dcrl) |
wolfSSL | 13:f67a6c6013ca | 11167 | { |
wolfSSL | 13:f67a6c6013ca | 11168 | RevokedCert* tmp = dcrl->certs; |
wolfSSL | 13:f67a6c6013ca | 11169 | |
wolfSSL | 13:f67a6c6013ca | 11170 | WOLFSSL_MSG("FreeDecodedCRL"); |
wolfSSL | 13:f67a6c6013ca | 11171 | |
wolfSSL | 13:f67a6c6013ca | 11172 | while(tmp) { |
wolfSSL | 13:f67a6c6013ca | 11173 | RevokedCert* next = tmp->next; |
wolfSSL | 13:f67a6c6013ca | 11174 | XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 13:f67a6c6013ca | 11175 | tmp = next; |
wolfSSL | 13:f67a6c6013ca | 11176 | } |
wolfSSL | 13:f67a6c6013ca | 11177 | } |
wolfSSL | 13:f67a6c6013ca | 11178 | |
wolfSSL | 13:f67a6c6013ca | 11179 | |
wolfSSL | 13:f67a6c6013ca | 11180 | /* Get Revoked Cert list, 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 11181 | static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 13:f67a6c6013ca | 11182 | int maxIdx) |
wolfSSL | 13:f67a6c6013ca | 11183 | { |
wolfSSL | 13:f67a6c6013ca | 11184 | int len; |
wolfSSL | 13:f67a6c6013ca | 11185 | word32 end; |
wolfSSL | 13:f67a6c6013ca | 11186 | byte b; |
wolfSSL | 13:f67a6c6013ca | 11187 | RevokedCert* rc; |
wolfSSL | 13:f67a6c6013ca | 11188 | |
wolfSSL | 13:f67a6c6013ca | 11189 | WOLFSSL_ENTER("GetRevoked"); |
wolfSSL | 13:f67a6c6013ca | 11190 | |
wolfSSL | 13:f67a6c6013ca | 11191 | if (GetSequence(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 11192 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11193 | |
wolfSSL | 13:f67a6c6013ca | 11194 | end = *idx + len; |
wolfSSL | 13:f67a6c6013ca | 11195 | |
wolfSSL | 13:f67a6c6013ca | 11196 | rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap, |
wolfSSL | 13:f67a6c6013ca | 11197 | DYNAMIC_TYPE_REVOKED); |
wolfSSL | 13:f67a6c6013ca | 11198 | if (rc == NULL) { |
wolfSSL | 13:f67a6c6013ca | 11199 | WOLFSSL_MSG("Alloc Revoked Cert failed"); |
wolfSSL | 13:f67a6c6013ca | 11200 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 11201 | } |
wolfSSL | 13:f67a6c6013ca | 11202 | |
wolfSSL | 13:f67a6c6013ca | 11203 | if (GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz, |
wolfSSL | 13:f67a6c6013ca | 11204 | maxIdx) < 0) { |
wolfSSL | 13:f67a6c6013ca | 11205 | XFREE(rc, dcrl->heap, DYNAMIC_TYPE_REVOKED); |
wolfSSL | 13:f67a6c6013ca | 11206 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11207 | } |
wolfSSL | 13:f67a6c6013ca | 11208 | |
wolfSSL | 13:f67a6c6013ca | 11209 | /* add to list */ |
wolfSSL | 13:f67a6c6013ca | 11210 | rc->next = dcrl->certs; |
wolfSSL | 13:f67a6c6013ca | 11211 | dcrl->certs = rc; |
wolfSSL | 13:f67a6c6013ca | 11212 | dcrl->totalCerts++; |
wolfSSL | 13:f67a6c6013ca | 11213 | |
wolfSSL | 13:f67a6c6013ca | 11214 | |
wolfSSL | 13:f67a6c6013ca | 11215 | /* get date */ |
wolfSSL | 13:f67a6c6013ca | 11216 | b = buff[*idx]; |
wolfSSL | 13:f67a6c6013ca | 11217 | *idx += 1; |
wolfSSL | 13:f67a6c6013ca | 11218 | |
wolfSSL | 13:f67a6c6013ca | 11219 | if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) { |
wolfSSL | 13:f67a6c6013ca | 11220 | WOLFSSL_MSG("Expecting Date"); |
wolfSSL | 13:f67a6c6013ca | 11221 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11222 | } |
wolfSSL | 13:f67a6c6013ca | 11223 | |
wolfSSL | 13:f67a6c6013ca | 11224 | if (GetLength(buff, idx, &len, maxIdx) < 0) |
wolfSSL | 13:f67a6c6013ca | 11225 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11226 | |
wolfSSL | 13:f67a6c6013ca | 11227 | /* skip for now */ |
wolfSSL | 13:f67a6c6013ca | 11228 | *idx += len; |
wolfSSL | 13:f67a6c6013ca | 11229 | |
wolfSSL | 13:f67a6c6013ca | 11230 | if (*idx != end) /* skip extensions */ |
wolfSSL | 13:f67a6c6013ca | 11231 | *idx = end; |
wolfSSL | 13:f67a6c6013ca | 11232 | |
wolfSSL | 13:f67a6c6013ca | 11233 | return 0; |
wolfSSL | 13:f67a6c6013ca | 11234 | } |
wolfSSL | 13:f67a6c6013ca | 11235 | |
wolfSSL | 13:f67a6c6013ca | 11236 | |
wolfSSL | 13:f67a6c6013ca | 11237 | /* Get CRL Signature, 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 11238 | static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, |
wolfSSL | 13:f67a6c6013ca | 11239 | int maxIdx) |
wolfSSL | 13:f67a6c6013ca | 11240 | { |
wolfSSL | 13:f67a6c6013ca | 11241 | int length; |
wolfSSL | 13:f67a6c6013ca | 11242 | int ret; |
wolfSSL | 13:f67a6c6013ca | 11243 | |
wolfSSL | 13:f67a6c6013ca | 11244 | WOLFSSL_ENTER("GetCRL_Signature"); |
wolfSSL | 13:f67a6c6013ca | 11245 | |
wolfSSL | 13:f67a6c6013ca | 11246 | ret = CheckBitString(source, idx, &length, maxIdx, 1, NULL); |
wolfSSL | 13:f67a6c6013ca | 11247 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 11248 | return ret; |
wolfSSL | 13:f67a6c6013ca | 11249 | dcrl->sigLength = length; |
wolfSSL | 13:f67a6c6013ca | 11250 | |
wolfSSL | 13:f67a6c6013ca | 11251 | dcrl->signature = (byte*)&source[*idx]; |
wolfSSL | 13:f67a6c6013ca | 11252 | *idx += dcrl->sigLength; |
wolfSSL | 13:f67a6c6013ca | 11253 | |
wolfSSL | 13:f67a6c6013ca | 11254 | return 0; |
wolfSSL | 13:f67a6c6013ca | 11255 | } |
wolfSSL | 13:f67a6c6013ca | 11256 | |
wolfSSL | 13:f67a6c6013ca | 11257 | int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, |
wolfSSL | 13:f67a6c6013ca | 11258 | word32 tbsSz, const byte* signature, word32 sigSz, |
wolfSSL | 13:f67a6c6013ca | 11259 | word32 signatureOID, Signer *ca, void* heap) |
wolfSSL | 13:f67a6c6013ca | 11260 | { |
wolfSSL | 13:f67a6c6013ca | 11261 | /* try to confirm/verify signature */ |
wolfSSL | 13:f67a6c6013ca | 11262 | #ifndef IGNORE_KEY_EXTENSIONS |
wolfSSL | 13:f67a6c6013ca | 11263 | if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) { |
wolfSSL | 13:f67a6c6013ca | 11264 | WOLFSSL_MSG("CA cannot sign CRLs"); |
wolfSSL | 13:f67a6c6013ca | 11265 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 13:f67a6c6013ca | 11266 | } |
wolfSSL | 13:f67a6c6013ca | 11267 | #endif /* IGNORE_KEY_EXTENSIONS */ |
wolfSSL | 13:f67a6c6013ca | 11268 | |
wolfSSL | 13:f67a6c6013ca | 11269 | InitSignatureCtx(sigCtx, heap, INVALID_DEVID); |
wolfSSL | 13:f67a6c6013ca | 11270 | if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, |
wolfSSL | 13:f67a6c6013ca | 11271 | ca->pubKeySize, ca->keyOID, signature, sigSz, |
wolfSSL | 13:f67a6c6013ca | 11272 | signatureOID) != 0) { |
wolfSSL | 13:f67a6c6013ca | 11273 | WOLFSSL_MSG("CRL Confirm signature failed"); |
wolfSSL | 13:f67a6c6013ca | 11274 | return ASN_CRL_CONFIRM_E; |
wolfSSL | 13:f67a6c6013ca | 11275 | } |
wolfSSL | 13:f67a6c6013ca | 11276 | |
wolfSSL | 13:f67a6c6013ca | 11277 | return 0; |
wolfSSL | 13:f67a6c6013ca | 11278 | } |
wolfSSL | 13:f67a6c6013ca | 11279 | |
wolfSSL | 13:f67a6c6013ca | 11280 | /* prase crl buffer into decoded state, 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 11281 | int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) |
wolfSSL | 13:f67a6c6013ca | 11282 | { |
wolfSSL | 13:f67a6c6013ca | 11283 | int version, len, doNextDate = 1; |
wolfSSL | 13:f67a6c6013ca | 11284 | word32 oid, idx = 0, dateIdx; |
wolfSSL | 13:f67a6c6013ca | 11285 | Signer* ca = NULL; |
wolfSSL | 13:f67a6c6013ca | 11286 | SignatureCtx sigCtx; |
wolfSSL | 13:f67a6c6013ca | 11287 | |
wolfSSL | 13:f67a6c6013ca | 11288 | WOLFSSL_MSG("ParseCRL"); |
wolfSSL | 13:f67a6c6013ca | 11289 | |
wolfSSL | 13:f67a6c6013ca | 11290 | /* raw crl hash */ |
wolfSSL | 13:f67a6c6013ca | 11291 | /* hash here if needed for optimized comparisons |
wolfSSL | 13:f67a6c6013ca | 11292 | * Sha sha; |
wolfSSL | 13:f67a6c6013ca | 11293 | * wc_InitSha(&sha); |
wolfSSL | 13:f67a6c6013ca | 11294 | * wc_ShaUpdate(&sha, buff, sz); |
wolfSSL | 13:f67a6c6013ca | 11295 | * wc_ShaFinal(&sha, dcrl->crlHash); */ |
wolfSSL | 13:f67a6c6013ca | 11296 | |
wolfSSL | 13:f67a6c6013ca | 11297 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11298 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11299 | |
wolfSSL | 13:f67a6c6013ca | 11300 | dcrl->certBegin = idx; |
wolfSSL | 13:f67a6c6013ca | 11301 | |
wolfSSL | 13:f67a6c6013ca | 11302 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11303 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11304 | dcrl->sigIndex = len + idx; |
wolfSSL | 13:f67a6c6013ca | 11305 | |
wolfSSL | 13:f67a6c6013ca | 11306 | /* may have version */ |
wolfSSL | 13:f67a6c6013ca | 11307 | if (buff[idx] == ASN_INTEGER) { |
wolfSSL | 13:f67a6c6013ca | 11308 | if (GetMyVersion(buff, &idx, &version, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11309 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11310 | } |
wolfSSL | 13:f67a6c6013ca | 11311 | |
wolfSSL | 13:f67a6c6013ca | 11312 | if (GetAlgoId(buff, &idx, &oid, oidIgnoreType, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11313 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11314 | |
wolfSSL | 13:f67a6c6013ca | 11315 | if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11316 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11317 | |
wolfSSL | 13:f67a6c6013ca | 11318 | if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11319 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11320 | |
wolfSSL | 13:f67a6c6013ca | 11321 | dateIdx = idx; |
wolfSSL | 13:f67a6c6013ca | 11322 | |
wolfSSL | 13:f67a6c6013ca | 11323 | if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11324 | { |
wolfSSL | 13:f67a6c6013ca | 11325 | #ifndef WOLFSSL_NO_CRL_NEXT_DATE |
wolfSSL | 13:f67a6c6013ca | 11326 | (void)dateIdx; |
wolfSSL | 13:f67a6c6013ca | 11327 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11328 | #else |
wolfSSL | 13:f67a6c6013ca | 11329 | dcrl->nextDateFormat = ASN_OTHER_TYPE; /* skip flag */ |
wolfSSL | 13:f67a6c6013ca | 11330 | doNextDate = 0; |
wolfSSL | 13:f67a6c6013ca | 11331 | idx = dateIdx; |
wolfSSL | 13:f67a6c6013ca | 11332 | #endif |
wolfSSL | 13:f67a6c6013ca | 11333 | } |
wolfSSL | 13:f67a6c6013ca | 11334 | |
wolfSSL | 13:f67a6c6013ca | 11335 | if (doNextDate) { |
wolfSSL | 13:f67a6c6013ca | 11336 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 11337 | if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { |
wolfSSL | 13:f67a6c6013ca | 11338 | WOLFSSL_MSG("CRL after date is no longer valid"); |
wolfSSL | 13:f67a6c6013ca | 11339 | return ASN_AFTER_DATE_E; |
wolfSSL | 13:f67a6c6013ca | 11340 | } |
wolfSSL | 13:f67a6c6013ca | 11341 | #endif |
wolfSSL | 13:f67a6c6013ca | 11342 | } |
wolfSSL | 13:f67a6c6013ca | 11343 | |
wolfSSL | 13:f67a6c6013ca | 11344 | if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { |
wolfSSL | 13:f67a6c6013ca | 11345 | if (GetSequence(buff, &idx, &len, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11346 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11347 | |
wolfSSL | 13:f67a6c6013ca | 11348 | len += idx; |
wolfSSL | 13:f67a6c6013ca | 11349 | |
wolfSSL | 13:f67a6c6013ca | 11350 | while (idx < (word32)len) { |
wolfSSL | 13:f67a6c6013ca | 11351 | if (GetRevoked(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11352 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11353 | } |
wolfSSL | 13:f67a6c6013ca | 11354 | } |
wolfSSL | 13:f67a6c6013ca | 11355 | |
wolfSSL | 13:f67a6c6013ca | 11356 | if (idx != dcrl->sigIndex) |
wolfSSL | 13:f67a6c6013ca | 11357 | idx = dcrl->sigIndex; /* skip extensions */ |
wolfSSL | 13:f67a6c6013ca | 11358 | |
wolfSSL | 13:f67a6c6013ca | 11359 | if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11360 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11361 | |
wolfSSL | 13:f67a6c6013ca | 11362 | if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) |
wolfSSL | 13:f67a6c6013ca | 11363 | return ASN_PARSE_E; |
wolfSSL | 13:f67a6c6013ca | 11364 | |
wolfSSL | 13:f67a6c6013ca | 11365 | /* openssl doesn't add skid by default for CRLs cause firefox chokes |
wolfSSL | 13:f67a6c6013ca | 11366 | we're not assuming it's available yet */ |
wolfSSL | 13:f67a6c6013ca | 11367 | #if !defined(NO_SKID) && defined(CRL_SKID_READY) |
wolfSSL | 13:f67a6c6013ca | 11368 | if (dcrl->extAuthKeyIdSet) |
wolfSSL | 13:f67a6c6013ca | 11369 | ca = GetCA(cm, dcrl->extAuthKeyId); |
wolfSSL | 13:f67a6c6013ca | 11370 | if (ca == NULL) |
wolfSSL | 13:f67a6c6013ca | 11371 | ca = GetCAByName(cm, dcrl->issuerHash); |
wolfSSL | 13:f67a6c6013ca | 11372 | #else |
wolfSSL | 13:f67a6c6013ca | 11373 | ca = GetCA(cm, dcrl->issuerHash); |
wolfSSL | 13:f67a6c6013ca | 11374 | #endif /* !NO_SKID && CRL_SKID_READY */ |
wolfSSL | 13:f67a6c6013ca | 11375 | WOLFSSL_MSG("About to verify CRL signature"); |
wolfSSL | 13:f67a6c6013ca | 11376 | |
wolfSSL | 13:f67a6c6013ca | 11377 | if (ca == NULL) { |
wolfSSL | 13:f67a6c6013ca | 11378 | WOLFSSL_MSG("Did NOT find CRL issuer CA"); |
wolfSSL | 13:f67a6c6013ca | 11379 | return ASN_CRL_NO_SIGNER_E; |
wolfSSL | 13:f67a6c6013ca | 11380 | } |
wolfSSL | 13:f67a6c6013ca | 11381 | |
wolfSSL | 13:f67a6c6013ca | 11382 | WOLFSSL_MSG("Found CRL issuer CA"); |
wolfSSL | 13:f67a6c6013ca | 11383 | return VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, |
wolfSSL | 13:f67a6c6013ca | 11384 | dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, |
wolfSSL | 13:f67a6c6013ca | 11385 | dcrl->signatureOID, ca, dcrl->heap); |
wolfSSL | 13:f67a6c6013ca | 11386 | } |
wolfSSL | 13:f67a6c6013ca | 11387 | |
wolfSSL | 13:f67a6c6013ca | 11388 | #endif /* HAVE_CRL */ |
wolfSSL | 13:f67a6c6013ca | 11389 | |
wolfSSL | 13:f67a6c6013ca | 11390 | #undef ERROR_OUT |
wolfSSL | 13:f67a6c6013ca | 11391 | |
wolfSSL | 13:f67a6c6013ca | 11392 | #endif /* !NO_ASN */ |
wolfSSL | 13:f67a6c6013ca | 11393 | |
wolfSSL | 13:f67a6c6013ca | 11394 | #ifdef WOLFSSL_SEP |
wolfSSL | 13:f67a6c6013ca | 11395 | |
wolfSSL | 13:f67a6c6013ca | 11396 | |
wolfSSL | 13:f67a6c6013ca | 11397 | #endif /* WOLFSSL_SEP */ |
wolfSSL | 13:f67a6c6013ca | 11398 |