mirrors
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

X.509 cert validity for CertFromX509() and EncodeCert() shouldn't be protected by WOLFSSL_ALT_NAMES

This commit is contained in:
Chris Conlon 2022-05-19 16:46:41 -06:00
parent 4a3ff40eb3
commit 6a26dab73a
4 changed files with 34 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/x509.c
View File

@ -8171,7 +8171,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
}
#endif /* WOLFSSL_CERT_REQ */
#ifdef WOLFSSL_ALT_NAMES
/* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on
* success */
static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t)
@ -8189,7 +8188,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
}
return t->length + sz;
}
#endif /* WOLFSSL_ALT_NAMES */
/* convert a WOLFSSL_X509 to a Cert structure for writing out */
static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
@ -8209,7 +8207,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
cert->version = (int)wolfSSL_X509_get_version(x509);
#ifdef WOLFSSL_ALT_NAMES
if (x509->notBefore.length > 0) {
cert->beforeDateSz = CertDateFromX509(cert->beforeDate,
CTC_DATE_SIZE, &x509->notBefore);
@ -8234,6 +8231,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
cert->afterDateSz = 0;
}
#ifdef WOLFSSL_ALT_NAMES
cert->altNamesSz = FlattenAltNames(cert->altNames,
sizeof(cert->altNames), x509->altNames);
#endif /* WOLFSSL_ALT_NAMES */

56
tests/api.c
View File

@ -38533,7 +38533,12 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
BIO* input;
BIO* output;
X509* x509 = NULL;
X509* x509a = NULL;
X509* x509b = NULL;
ASN1_TIME* notBeforeA = NULL;
ASN1_TIME* notAfterA = NULL;
ASN1_TIME* notBeforeB = NULL;
ASN1_TIME* notAfterB = NULL;
int expectedLen;
printf(testingFmt, "wolfSSL_PEM_write_bio_X509()");
@ -38542,51 +38547,50 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
"certs/test/cert-ext-multiple.pem", "rb"));
AssertIntEQ(wolfSSL_BIO_get_len(input), 2000);
/* read PEM into X509 struct, get notBefore / notAfter to verify against */
AssertNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
AssertNotNull(notBeforeA = X509_get_notBefore(x509a));
AssertNotNull(notAfterA = X509_get_notAfter(x509a));
/* write X509 back to PEM BIO */
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL));
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ALT_NAMES
/* Here we copy the validity struct from the original */
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
/* compare length against expected */
expectedLen = 2000;
#else
/* Only difference is that we generate the validity in generalized
* time. Generating UTCTime vs Generalized time should be fixed in
* the future */
expectedLen = 2004;
#endif
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
/* read exported X509 PEM back into struct, sanity check on export,
* make sure notBefore/notAfter are the same. */
AssertNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
AssertNotNull(notBeforeB = X509_get_notBefore(x509b));
AssertNotNull(notAfterB = X509_get_notAfter(x509b));
AssertIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0);
AssertIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0);
X509_free(x509b);
/* Reset output buffer */
BIO_free(output);
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
/* Test forcing the AKID to be generated just from KeyIdentifier */
if (x509->authKeyIdSrc != NULL) {
XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz);
x509->authKeyId = x509->authKeyIdSrc;
x509->authKeyIdSrc = NULL;
x509->authKeyIdSrcSz = 0;
if (x509a->authKeyIdSrc != NULL) {
XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz);
x509a->authKeyId = x509a->authKeyIdSrc;
x509a->authKeyIdSrc = NULL;
x509a->authKeyIdSrcSz = 0;
}
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
/* Check that we generate a smaller output since the AKID will
* only contain the KeyIdentifier without any additional
* information */
#ifdef WOLFSSL_ALT_NAMES
/* Here we copy the validity struct from the original */
expectedLen = 1688;
#else
/* UTCTime vs Generalized time */
expectedLen = 1692;
#endif
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
X509_free(x509);
X509_free(x509a);
BIO_free(input);
BIO_free(output);

8
wolfcrypt/src/asn.c
View File

@ -21772,7 +21772,6 @@ static void SetTime(struct tm* date, byte* output)
}
#endif
#ifdef WOLFSSL_ALT_NAMES
#ifndef WOLFSSL_ASN_TEMPLATE
/* Copy Dates from cert, return bytes written */
@ -21793,7 +21792,6 @@ static int CopyValidity(byte* output, Cert* cert)
}
#endif /* !WOLFSSL_ASN_TEMPLATE */
#endif
/* Simple name OID size. */
@ -24017,16 +24015,14 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
return PUBLIC_KEY_E;
der->validitySz = 0;
#ifdef WOLFSSL_ALT_NAMES
/* date validity copy ? */
/* copy date validity if already set in cert struct */
if (cert->beforeDateSz && cert->afterDateSz) {
der->validitySz = CopyValidity(der->validity, cert);
if (der->validitySz <= 0)
return DATE_E;
}
#endif
/* date validity */
/* set date validity using daysValid if not set already */
if (der->validitySz == 0) {
der->validitySz = SetValidity(der->validity, cert->daysValid);
if (der->validitySz <= 0)

2
wolfssl/wolfcrypt/asn_public.h
View File

@ -390,11 +390,11 @@ typedef struct Cert {
#ifdef WOLFSSL_ALT_NAMES
byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */
int altNamesSz; /* altNames size in bytes */
#endif
byte beforeDate[CTC_DATE_SIZE]; /* before date copy */
int beforeDateSz; /* size of copy */
byte afterDate[CTC_DATE_SIZE]; /* after date copy */
int afterDateSz; /* size of copy */
#endif
#ifdef WOLFSSL_CERT_EXT
byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */
int skidSz; /* SKID size in bytes */