mirror of https://github.com/wolfSSL/wolfssl
Merge pull request #5164 from cconlon/x509date
Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
This commit is contained in:
commit
74cbd08ff5
|
@ -8171,7 +8171,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||
}
|
||||
#endif /* WOLFSSL_CERT_REQ */
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
/* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on
|
||||
* success */
|
||||
static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t)
|
||||
|
@ -8189,7 +8188,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||
}
|
||||
return t->length + sz;
|
||||
}
|
||||
#endif /* WOLFSSL_ALT_NAMES */
|
||||
|
||||
/* convert a WOLFSSL_X509 to a Cert structure for writing out */
|
||||
static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
|
||||
|
@ -8209,7 +8207,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||
|
||||
cert->version = (int)wolfSSL_X509_get_version(x509);
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
if (x509->notBefore.length > 0) {
|
||||
cert->beforeDateSz = CertDateFromX509(cert->beforeDate,
|
||||
CTC_DATE_SIZE, &x509->notBefore);
|
||||
|
@ -8234,6 +8231,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||
cert->afterDateSz = 0;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
cert->altNamesSz = FlattenAltNames(cert->altNames,
|
||||
sizeof(cert->altNames), x509->altNames);
|
||||
#endif /* WOLFSSL_ALT_NAMES */
|
||||
|
|
56
tests/api.c
56
tests/api.c
|
@ -38533,7 +38533,12 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
|
|||
|
||||
BIO* input;
|
||||
BIO* output;
|
||||
X509* x509 = NULL;
|
||||
X509* x509a = NULL;
|
||||
X509* x509b = NULL;
|
||||
ASN1_TIME* notBeforeA = NULL;
|
||||
ASN1_TIME* notAfterA = NULL;
|
||||
ASN1_TIME* notBeforeB = NULL;
|
||||
ASN1_TIME* notAfterB = NULL;
|
||||
int expectedLen;
|
||||
|
||||
printf(testingFmt, "wolfSSL_PEM_write_bio_X509()");
|
||||
|
@ -38542,51 +38547,50 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
|
|||
"certs/test/cert-ext-multiple.pem", "rb"));
|
||||
AssertIntEQ(wolfSSL_BIO_get_len(input), 2000);
|
||||
|
||||
/* read PEM into X509 struct, get notBefore / notAfter to verify against */
|
||||
AssertNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
|
||||
AssertNotNull(notBeforeA = X509_get_notBefore(x509a));
|
||||
AssertNotNull(notAfterA = X509_get_notAfter(x509a));
|
||||
|
||||
/* write X509 back to PEM BIO */
|
||||
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
||||
|
||||
AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL));
|
||||
|
||||
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
/* Here we copy the validity struct from the original */
|
||||
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
|
||||
/* compare length against expected */
|
||||
expectedLen = 2000;
|
||||
#else
|
||||
/* Only difference is that we generate the validity in generalized
|
||||
* time. Generating UTCTime vs Generalized time should be fixed in
|
||||
* the future */
|
||||
expectedLen = 2004;
|
||||
#endif
|
||||
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
||||
|
||||
/* read exported X509 PEM back into struct, sanity check on export,
|
||||
* make sure notBefore/notAfter are the same. */
|
||||
AssertNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
|
||||
AssertNotNull(notBeforeB = X509_get_notBefore(x509b));
|
||||
AssertNotNull(notAfterB = X509_get_notAfter(x509b));
|
||||
AssertIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0);
|
||||
AssertIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0);
|
||||
X509_free(x509b);
|
||||
|
||||
/* Reset output buffer */
|
||||
BIO_free(output);
|
||||
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
||||
|
||||
/* Test forcing the AKID to be generated just from KeyIdentifier */
|
||||
if (x509->authKeyIdSrc != NULL) {
|
||||
XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz);
|
||||
x509->authKeyId = x509->authKeyIdSrc;
|
||||
x509->authKeyIdSrc = NULL;
|
||||
x509->authKeyIdSrcSz = 0;
|
||||
if (x509a->authKeyIdSrc != NULL) {
|
||||
XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz);
|
||||
x509a->authKeyId = x509a->authKeyIdSrc;
|
||||
x509a->authKeyIdSrc = NULL;
|
||||
x509a->authKeyIdSrcSz = 0;
|
||||
}
|
||||
|
||||
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
|
||||
|
||||
/* Check that we generate a smaller output since the AKID will
|
||||
* only contain the KeyIdentifier without any additional
|
||||
* information */
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
/* Here we copy the validity struct from the original */
|
||||
expectedLen = 1688;
|
||||
#else
|
||||
/* UTCTime vs Generalized time */
|
||||
expectedLen = 1692;
|
||||
#endif
|
||||
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
||||
|
||||
X509_free(x509);
|
||||
X509_free(x509a);
|
||||
BIO_free(input);
|
||||
BIO_free(output);
|
||||
|
||||
|
|
|
@ -21752,7 +21752,6 @@ static void SetTime(struct tm* date, byte* output)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
#ifndef WOLFSSL_ASN_TEMPLATE
|
||||
|
||||
/* Copy Dates from cert, return bytes written */
|
||||
|
@ -21773,7 +21772,6 @@ static int CopyValidity(byte* output, Cert* cert)
|
|||
}
|
||||
|
||||
#endif /* !WOLFSSL_ASN_TEMPLATE */
|
||||
#endif
|
||||
|
||||
|
||||
/* Simple name OID size. */
|
||||
|
@ -23997,16 +23995,14 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
|
|||
return PUBLIC_KEY_E;
|
||||
|
||||
der->validitySz = 0;
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
/* date validity copy ? */
|
||||
/* copy date validity if already set in cert struct */
|
||||
if (cert->beforeDateSz && cert->afterDateSz) {
|
||||
der->validitySz = CopyValidity(der->validity, cert);
|
||||
if (der->validitySz <= 0)
|
||||
return DATE_E;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* date validity */
|
||||
/* set date validity using daysValid if not set already */
|
||||
if (der->validitySz == 0) {
|
||||
der->validitySz = SetValidity(der->validity, cert->daysValid);
|
||||
if (der->validitySz <= 0)
|
||||
|
|
|
@ -390,11 +390,11 @@ typedef struct Cert {
|
|||
#ifdef WOLFSSL_ALT_NAMES
|
||||
byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */
|
||||
int altNamesSz; /* altNames size in bytes */
|
||||
#endif
|
||||
byte beforeDate[CTC_DATE_SIZE]; /* before date copy */
|
||||
int beforeDateSz; /* size of copy */
|
||||
byte afterDate[CTC_DATE_SIZE]; /* after date copy */
|
||||
int afterDateSz; /* size of copy */
|
||||
#endif
|
||||
#ifdef WOLFSSL_CERT_EXT
|
||||
byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */
|
||||
int skidSz; /* SKID size in bytes */
|
||||
|
|
Loading…
Reference in New Issue