mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added support for building with certificate parsing only. ./configure --enable-asn=nocrypt. Added new API for parsing PIV format certificates wc_ParseCertPIV with WOLFSSL_CERT_PIV build option. Added wc_DeCompress_ex with ability to decompress GZIP. Moved the ZLIB error codes into wolfCrypt.

Browse Source
This commit is contained in:
David Garske 2018-09-25 12:16:59 -07:00
parent 4ca7460735
commit 680a863054
13 changed files with 215 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configure.ac
View File

@ -1826,6 +1826,11 @@ else
then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT"
ENABLED_ASN=no
else
if test "$ENABLED_ASN" = "nocrypt"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT"
fi
fi
fi

9
src/internal.c
View File

@ -15414,15 +15414,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case NTRU_DECRYPT_ERROR:
return "NTRU decrypt error";
case ZLIB_INIT_ERROR:
return "zlib init error";
case ZLIB_COMPRESS_ERROR:
return "zlib compress error";
case ZLIB_DECOMPRESS_ERROR:
return "zlib decompress error";
case GETTIME_ERROR:
return "gettimeofday() error";

117
wolfcrypt/src/asn.c
View File

@ -2336,7 +2336,7 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
return BAD_FUNC_ARG;
}
#if !defined(NO_RSA)
#if !defined(NO_RSA) && !defined(NO_ASN_CRYPT)
/* test if RSA key */
if (der->keyOID == RSAk) {
#ifdef WOLFSSL_SMALL_STACK
@ -2404,9 +2404,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
#endif
}
else
#endif /* NO_RSA */
#endif /* !NO_RSA && !NO_ASN_CRYPT */
#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT)
if (der->keyOID == ECDSAk) {
#ifdef WOLFSSL_SMALL_STACK
ecc_key* key_pair = NULL;
@ -2469,9 +2469,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
#endif
}
else
#endif /* HAVE_ECC */
#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */
#ifdef HAVE_ED25519
#if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT)
if (der->keyOID == ED25519k) {
#ifdef WOLFSSL_SMALL_STACK
ed25519_key* key_pair = NULL;
@ -2512,7 +2512,7 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
#endif
}
else
#endif
#endif /* HAVE_ED25519 && !NO_ASN_CRYPT */
{
ret = 0;
}
@ -2624,7 +2624,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
*algoID = 0;
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(NO_ASN_CRYPT)
{
RsaKey rsa;
@ -2637,8 +2637,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
}
wc_FreeRsaKey(&rsa);
}
#endif /* NO_RSA */
#ifdef HAVE_ECC
#endif /* !NO_RSA && !NO_ASN_CRYPT */
#if defined(HAVE_ECC) && !defined(NO_ASN_CRYPT)
if (*algoID == 0) {
ecc_key ecc;
@ -2659,8 +2659,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
}
wc_ecc_free(&ecc);
}
#endif /* HAVE_ECC */
#ifdef HAVE_ED25519
#endif /* HAVE_ECC && !NO_ASN_CRYPT */
#if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT)
if (*algoID != RSAk && *algoID != ECDSAk) {
ed25519_key ed25519;
@ -2679,7 +2679,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
WOLFSSL_MSG("GetKeyOID wc_ed25519_init failed");
}
}
#endif
#endif /* HAVE_ED25519 && !NO_ASN_CRYPT */
/* if flag is not set then is neither RSA or ECC key that could be
* found */
@ -5382,6 +5382,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx)
sigCtx->plain = NULL;
}
#endif
#ifndef NO_ASN_CRYPT
if (sigCtx->key.ptr) {
switch (sigCtx->keyOID) {
#ifndef NO_RSA
@ -5407,11 +5408,13 @@ void FreeSignatureCtx(SignatureCtx* sigCtx)
} /* switch (keyOID) */
sigCtx->key.ptr = NULL;
}
#endif
/* reset state, we are done */
sigCtx->state = SIG_STATE_BEGIN;
}
#ifndef NO_ASN_CRYPT
static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
byte* digest, int* typeH, int* digestSz, int verify)
{
@ -5498,6 +5501,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
return ret;
}
#endif /* !NO_ASN_CRYPT */
/* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
static int ConfirmSignature(SignatureCtx* sigCtx,
@ -5519,6 +5523,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
WOLFSSL_ENTER("ConfirmSignature");
#ifndef NO_ASN_CRYPT
switch (sigCtx->state) {
case SIG_STATE_BEGIN:
{
@ -5796,6 +5801,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
exit_cs:
#endif /* !NO_ASN_CRYPT */
WOLFSSL_LEAVE("ConfirmSignature", ret);
if (ret != WC_PENDING_E) {
@ -9348,7 +9355,7 @@ static word32 SetUTF8String(word32 len, byte* output)
#endif /* WOLFSSL_CERT_REQ */
#endif /*WOLFSSL_CERT_GEN */
#endif /* WOLFSSL_CERT_GEN */
#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
@ -9482,7 +9489,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
return SetEccPublicKey(output, key, with_AlgCurve);
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */
#if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \
defined(WOLFSSL_KEY_GEN))
@ -11769,7 +11776,7 @@ int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
}
#ifndef NO_FILESYSTEM
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN_CRYPT)
/* Set SKID from public key file in PEM */
int wc_SetSubjectKeyId(Cert *cert, const char* file)
@ -11869,7 +11876,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
return ret;
}
#endif /* NO_FILESYSTEM */
#endif /* !NO_FILESYSTEM && !NO_ASN_CRYPT */
/* Set AKID from certificate contains in buffer (DER encoded) */
int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
@ -13015,7 +13022,7 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
return 0;
}
#if defined(HAVE_ECC_KEY_EXPORT)
#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT)
/* build DER formatted ECC key, include optional public key if requested,
* return length on success, negative on error */
static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
@ -13133,7 +13140,7 @@ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
return totalSz;
}
#ifndef NO_ASN_CRYPT
/* Write a Private ecc key, including public to DER format,
* length on success else < 0 */
int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
@ -13148,6 +13155,7 @@ int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen)
{
return wc_BuildEccKeyDer(key, output, inLen, 0);
}
#endif /* !NO_ASN_CRYPT */
/* Write only private ecc key to unencrypted PKCS#8 format.
*
@ -14451,6 +14459,79 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
#endif /* HAVE_CRL */
#ifdef WOLFSSL_CERT_PIV
int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz)
{
int length = 0;
word32 idx = 0;
WOLFSSL_ENTER("wc_ParseCertPIV");
if (piv == NULL || buf == NULL || totalSz == 0)
return BAD_FUNC_ARG;
XMEMSET(piv, 0, sizeof(wc_CertPIV));
/* Certificate - Total Length (0A 82 05FA) */
if (GetASNHeader(buf, ASN_PIV_CERT, &idx, &length, totalSz) >= 0) {
/* Certificate Buffer (53 82 05F6) */
if (GetASNHeader(buf, ASN_APPLICATION | ASN_PRINTABLE_STRING, &idx,
&length, totalSz) < 0) {
return ASN_PARSE_E;
}
/* PIV Certificate (70 82 05ED) */
if (GetASNHeader(buf, ASN_PIV_TAG_CERT, &idx, &length,
totalSz) < 0) {
return ASN_PARSE_E;
}
/* Capture certificate buffer pointer and length */
piv->cert = &buf[idx];
piv->certSz = length;
idx += length;
/* PIV Certificate Info (71 01 00) */
if (GetASNHeader(buf, ASN_PIV_TAG_CERT_INFO, &idx, &length,
totalSz) >= 0) {
if (length >= 1) {
piv->compression = (buf[idx] & ASN_PIV_CERT_INFO_COMPRESSED);
piv->isX509 = (buf[idx] & ASN_PIV_CERT_INFO_ISX509);
}
idx += length;
}
/* PIV Error Detection (FE 00) */
if (GetASNHeader(buf, ASN_PIV_TAG_ERR_DET, &idx, &length,
totalSz) >= 0) {
piv->certErrDet = &buf[idx];
piv->certErrDetSz = length;
idx += length;
}
}
/* Nonce (0B 14) */
if (GetASNHeader(buf, ASN_PIV_NONCE, &idx, &length, totalSz) >= 0) {
piv->nonce = &buf[idx];
piv->nonceSz = length;
idx += length;
}
/* Signed Nonce (0C 82 0100) */
if (GetASNHeader(buf, ASN_PIV_SIGNED_NONCE, &idx, &length, totalSz) >= 0) {
piv->signedNonce = &buf[idx];
piv->signedNonceSz = length;
idx += length;
}
return 0;
}
#endif /* WOLFSSL_CERT_PIV */
#undef ERROR_OUT
#endif /* !NO_ASN */

28
wolfcrypt/src/compress.c
View File

@ -121,13 +121,26 @@ int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 fla
}
int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
/* windowBits:
* deflateInit() and inflateInit(), as well as deflateInit2() and inflateInit2()
with windowBits in 0..15 all process zlib-wrapped deflate data.
(See RFC 1950 and RFC 1951.)
* deflateInit2() and inflateInit2() with negative windowBits in -1..-15 process
raw deflate data with no header or trailer.
* deflateInit2() and inflateInit2() with windowBits in 16..31, i.e. 16
added to 0..15, process gzip-wrapped deflate data (RFC 1952).
* inflateInit2() with windowBits in 32..47 (32 added to 0..15) will
automatically detect either a gzip or zlib header (but not raw deflate
data), and decompress accordingly.
*/
int wc_DeCompress_ex(byte* out, word32 outSz, const byte* in, word32 inSz,
int windowBits)
/*
* out - pointer to destination buffer
* outSz - size of destination buffer
* in - pointer to source buffer to compress
* inSz - size of source to compress
* flags - flags to control how compress operates
* windowBits - flags to control how decompress operates
*
* return:
* negative - error code
@ -150,10 +163,11 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
stream.zfree = (free_func)myFree;
stream.opaque = (voidpf)0;
if (inflateInit2(&stream, DEFLATE_DEFAULT_WINDOWBITS) != Z_OK)
if (inflateInit2(&stream, windowBits) != Z_OK)
return DECOMPRESS_INIT_E;
if (inflate(&stream, Z_FINISH) != Z_STREAM_END) {
result = inflate(&stream, Z_FINISH);
if (result != Z_STREAM_END) {
inflateEnd(&stream);
return DECOMPRESS_E;
}
@ -167,5 +181,11 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
}
int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
{
return wc_DeCompress_ex(out, outSz, in, inSz, DEFLATE_DEFAULT_WINDOWBITS);
}
#endif /* HAVE_LIBZ */

9
wolfcrypt/src/cryptodev.c
View File

@ -330,4 +330,13 @@ int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out,
}
#endif /* !NO_AES && HAVE_AESGCM */
/* call to support callback for entire buffer hash */
int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash)
{
(void)data;
(void)len;
(void)hash;
return NOT_COMPILED_IN;
}
#endif /* WOLF_CRYPTO_DEV */

13
wolfcrypt/src/error.c
View File

@ -483,10 +483,19 @@ const char* wc_GetErrorString(int error)
return "DH Check Private Key failure";
case WC_AFALG_SOCK_E:
return "AF_ALG socket error";
return "AF_ALG socket error";
case WC_DEVCRYPTO_E:
return "Error with /dev/crypto";
return "Error with /dev/crypto";
case ZLIB_INIT_ERROR:
return "zlib init error";
case ZLIB_COMPRESS_ERROR:
return "zlib compress error";
case ZLIB_DECOMPRESS_ERROR:
return "zlib decompress error";
default:
return "unknown error number";

2
wolfcrypt/src/tfm.c
View File

@ -2324,7 +2324,7 @@ int fp_to_unsigned_bin(fp_int *a, unsigned char *b)
#ifdef WOLFSSL_SMALL_STACK
XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return FP_OKAY;
return FP_OKAY;
}
int fp_unsigned_bin_size(fp_int *a)

3
wolfssl/error-ssl.h
View File

@ -66,9 +66,6 @@ enum wolfSSL_ErrorCodes {
CLIENT_ID_ERROR = -331, /* psk client identity error */
SERVER_HINT_ERROR = -332, /* psk server hint error */
PSK_KEY_ERROR = -333, /* psk key error */
ZLIB_INIT_ERROR = -334, /* zlib init error */
ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */
ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */
GETTIME_ERROR = -337, /* gettimeofday failed ??? */
GETITIMER_ERROR = -338, /* getitimer failed ??? */

39
wolfssl/wolfcrypt/asn.h
View File

@ -58,6 +58,9 @@
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/asn_public.h> /* public interface */
#if defined(NO_SHA) && defined(NO_SHA256)
#define WC_SHA256_DIGEST_SIZE 32
#endif
#ifdef __cplusplus
extern "C" {
@ -85,6 +88,7 @@ enum ASN_Tags {
ASN_UTF8STRING = 0x0c,
ASN_SEQUENCE = 0x10,
ASN_SET = 0x11,
ASN_PRINTABLE_STRING = 0x13,
ASN_UTC_TIME = 0x17,
ASN_OTHER_TYPE = 0x00,
ASN_RFC822_TYPE = 0x01,
@ -99,6 +103,7 @@ enum ASN_Tags {
/* ASN_Flags - Bitmask */
ASN_CONSTRUCTED = 0x20,
ASN_APPLICATION = 0x40,
ASN_CONTEXT_SPECIFIC = 0x80,
};
@ -137,7 +142,7 @@ enum DN_Tags {
#define WOLFSSL_BUS_CAT "/businessCategory="
#define WOLFSSL_JOI_C "/jurisdictionC="
#define WOLFSSL_JOI_ST "/jurisdictionST="
#define WOLFSSL_EMAIL_ADDR "/emailAddress="
#define WOLFSSL_EMAIL_ADDR "/emailAddress="
/* NIDs */
enum
@ -186,6 +191,24 @@ enum ECC_TYPES
ECC_PREFIX_1 = 161
};
#ifdef WOLFSSL_CERT_PIV
enum PIV_Tags {
ASN_PIV_CERT = 0x0A,
ASN_PIV_NONCE = 0x0B,
ASN_PIV_SIGNED_NONCE = 0x0C,
ASN_PIV_TAG_CERT = 0x70,
ASN_PIV_TAG_CERT_INFO = 0x71,
ASN_PIV_TAG_MSCUID = 0x72,
ASN_PIV_TAG_ERR_DET = 0xFE,
/* certificate info masks */
ASN_PIV_CERT_INFO_COMPRESSED = 0x03,
ASN_PIV_CERT_INFO_ISX509 = 0x04,
};
#endif /* WOLFSSL_CERT_PIV */
#define ASN_JOI_PREFIX "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01"
#define ASN_JOI_C 0x3
#define ASN_JOI_ST 0x2
@ -896,11 +919,17 @@ struct TrustedPeerCert {
#define WOLFSSL_ASN_API WOLFSSL_LOCAL
#endif
#ifdef NO_SHA
#define CalcHashId(data, len, hash) wc_Sha256Hash(data, len, hash)
/* Macro for calculating hashId */
#if defined(NO_SHA) && defined(NO_SHA256)
#ifdef WOLF_CRYPTO_DEV
#define CalcHashId(data, len, hash) wc_CryptoDevSha256Hash(data, len, hash)
#else
#define CalcHashId(data, len, hash) NOT_COMPILED_IN
#endif
#elif defined(NO_SHA)
#define CalcHashId(data, len, hash) wc_Sha256Hash(data, len, hash)
#else
#define CalcHashId(data, len, hash) wc_ShaHash(data, len, hash)
#define CalcHashId(data, len, hash) wc_ShaHash(data, len, hash)
#endif

21
wolfssl/wolfcrypt/asn_public.h
View File

@ -479,6 +479,27 @@ WOLFSSL_API int wc_GetTime(void* timePtr, word32 timeSize);
#endif
#ifdef WOLFSSL_CERT_PIV
typedef struct _wc_CertPIV {
const byte* cert;
word32 certSz;
const byte* certErrDet;
word32 certErrDetSz;
const byte* nonce;
word32 nonceSz;
const byte* signedNonce;
word32 signedNonceSz;
/* flags */
word16 compression:2;
word16 isX509:1;
} wc_CertPIV;
WOLFSSL_API int wc_ParseCertPIV(wc_CertPIV* cert, const byte* buf, word32 totalSz);
#endif /* WOLFSSL_CERT_PIV */
#ifdef __cplusplus
} /* extern "C" */
#endif

5
wolfssl/wolfcrypt/compress.h
View File

@ -38,10 +38,13 @@
#define COMPRESS_FIXED 1
#define LIBZ_WINBITS_GZIP 16
WOLFSSL_API int wc_Compress(byte*, word32, const byte*, word32, word32);
WOLFSSL_API int wc_DeCompress(byte*, word32, const byte*, word32);
WOLFSSL_API int wc_DeCompress_ex(byte* out, word32 outSz, const byte* in,
word32 inSz, int windowBits);
#ifdef __cplusplus
} /* extern "C" */

2
wolfssl/wolfcrypt/cryptodev.h
View File

@ -175,6 +175,8 @@ WOLFSSL_LOCAL int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out,
#endif /* !NO_AES && HAVE_AESGCM */
WOLFSSL_LOCAL int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash);
#endif /* WOLF_CRYPTO_DEV */
#ifdef __cplusplus

6
wolfssl/wolfcrypt/error-crypt.h
View File

@ -216,7 +216,11 @@ enum {
WC_AFALG_SOCK_E = -264, /* AF_ALG socket error */
WC_DEVCRYPTO_E = -265, /* /dev/crypto error */
WC_LAST_E = -265, /* Update this to indicate last error */
ZLIB_INIT_ERROR = -266, /* zlib init error */
ZLIB_COMPRESS_ERROR = -267, /* zlib compression error */
ZLIB_DECOMPRESS_ERROR = -268, /* zlib decompression error */
WC_LAST_E = -268, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes