Trusted peer certificate use
This commit is contained in:
Jacob Barthelmeh
parent
7c63ac4f6a
commit
7df22ee210
@ -685,6 +685,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
|
||||
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
|
||||
err_sys("can't load ca file, Please run from wolfSSL home dir");
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx,
|
||||
"./certs/client-cert.pem", SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
|
||||
err_sys("can't load trusted peer cert file");
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
309
src/ssl.c
309
src/ssl.c
@ -1705,6 +1705,14 @@ WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void)
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
if (InitMutex(&cm->tpLock) != 0) {
|
||||
WOLFSSL_MSG("Bad mutex init");
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
return cm;
|
||||
@ -1731,6 +1739,12 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
|
||||
#endif
|
||||
FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL);
|
||||
FreeMutex(&cm->caLock);
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, NULL);
|
||||
FreeMutex(&cm->tpLock);
|
||||
#endif
|
||||
|
||||
XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER);
|
||||
}
|
||||
|
||||
@ -1757,6 +1771,27 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
|
||||
}
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerUnload_trust_peers");
|
||||
|
||||
if (cm == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (LockMutex(&cm->tpLock) != 0)
|
||||
return BAD_MUTEX_E;
|
||||
|
||||
FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, NULL);
|
||||
|
||||
UnLockMutex(&cm->tpLock);
|
||||
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
/* Return bytes written to buff or < 0 for error */
|
||||
int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
|
||||
unsigned char* buff, int buffSz, int type)
|
||||
@ -2179,6 +2214,95 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash)
|
||||
}
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* does trusted peer already exist on signer list */
|
||||
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash)
|
||||
{
|
||||
TrustedPeerCert* tp;
|
||||
int ret = 0;
|
||||
word32 row = HashSigner(hash);
|
||||
|
||||
if (LockMutex(&cm->tpLock) != 0)
|
||||
return ret;
|
||||
tp = cm->tpTable[row];
|
||||
while (tp) {
|
||||
byte* subjectHash;
|
||||
#ifndef NO_SKID
|
||||
subjectHash = tp->subjectKeyIdHash;
|
||||
#else
|
||||
subjectHash = tp->subjectNameHash;
|
||||
#endif
|
||||
if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
|
||||
ret = 1;
|
||||
break;
|
||||
}
|
||||
tp = tp->next;
|
||||
}
|
||||
UnLockMutex(&cm->tpLock);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/* return Trusted Peer if found, otherwise NULL */
|
||||
TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash)
|
||||
{
|
||||
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
|
||||
TrustedPeerCert* ret = NULL;
|
||||
TrustedPeerCert* tp = NULL;
|
||||
word32 row;
|
||||
|
||||
if (cm == NULL || hash == NULL)
|
||||
return NULL;
|
||||
|
||||
row = HashSigner(hash);
|
||||
|
||||
if (LockMutex(&cm->tpLock) != 0)
|
||||
return ret;
|
||||
|
||||
tp = cm->tpTable[row];
|
||||
while (tp) {
|
||||
byte* subjectHash;
|
||||
#ifndef NO_SKID
|
||||
subjectHash = tp->subjectKeyIdHash;
|
||||
#else
|
||||
subjectHash = tp->subjectNameHash;
|
||||
#endif
|
||||
if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
|
||||
ret = tp;
|
||||
break;
|
||||
}
|
||||
tp = tp->next;
|
||||
}
|
||||
UnLockMutex(&cm->tpLock);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
int MatchTrustedPeer(TrustedPeerCert* tp, DecodedCert* cert)
|
||||
{
|
||||
if (tp == NULL || cert == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
/* subject key id or subject hash has been compared when searching
|
||||
tpTable for the cert from function GetTrustedPeer */
|
||||
|
||||
/* compare signatures */
|
||||
if (tp->sigLen == cert->sigLength) {
|
||||
/* compare first four before comparing all */
|
||||
if (XMEMCMP(tp->sig, cert->signature, cert->sigLength)) {
|
||||
return SSL_FAILURE;
|
||||
}
|
||||
}
|
||||
else {
|
||||
return SSL_FAILURE;
|
||||
}
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
/* return CA if found, otherwise NULL */
|
||||
Signer* GetCA(void* vp, byte* hash)
|
||||
{
|
||||
@ -2245,6 +2369,123 @@ Signer* GetCAByName(void* vp, byte* hash)
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* add a trusted peer cert to linked list */
|
||||
int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify)
|
||||
{
|
||||
int ret, row;
|
||||
TrustedPeerCert* peerCert;
|
||||
DecodedCert* cert = NULL;
|
||||
byte* subjectHash = NULL;
|
||||
|
||||
WOLFSSL_MSG("Adding a Trusted Peer Cert");
|
||||
|
||||
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
||||
DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (cert == NULL)
|
||||
return MEMORY_E;
|
||||
|
||||
InitDecodedCert(cert, der->buffer, der->length, cm->heap);
|
||||
if ((ret = ParseCert(cert, TRUSTED_PEER_TYPE, verify, cm)) != 0) {
|
||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
return ret;
|
||||
}
|
||||
WOLFSSL_MSG(" Parsed new trusted peer cert");
|
||||
|
||||
peerCert = (TrustedPeerCert*)XMALLOC(sizeof(TrustedPeerCert), NULL,
|
||||
DYNAMIC_TYPE_CERT);
|
||||
if (peerCert == NULL) {
|
||||
FreeDecodedCert(cert);
|
||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
return MEMORY_E;
|
||||
}
|
||||
XMEMSET(peerCert, 0, sizeof(TrustedPeerCert));
|
||||
|
||||
#ifndef NO_SKID
|
||||
subjectHash = cert->extSubjKeyId;
|
||||
#else
|
||||
subjectHash = cert->subjectHash;
|
||||
#endif
|
||||
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
if (peerCert->permittedNames)
|
||||
FreeNameSubtrees(peerCert->permittedNames, cm->heap);
|
||||
if (peerCert->excludedNames)
|
||||
FreeNameSubtrees(peerCert->excludedNames, cm->heap);
|
||||
#endif
|
||||
|
||||
if (AlreadyTrustedPeer(cm, subjectHash)) {
|
||||
WOLFSSL_MSG(" Already have this CA, not adding again");
|
||||
(void)ret;
|
||||
}
|
||||
else {
|
||||
/* add trusted peer signature */
|
||||
peerCert->sigLen = cert->sigLength;
|
||||
peerCert->sig = XMALLOC(cert->sigLength, cm->heap,
|
||||
DYNAMIC_TYPE_SIGNATURE);
|
||||
if (peerCert->sig == NULL) {
|
||||
FreeDecodedCert(cert);
|
||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
FreeTrustedPeer(peerCert, cm->heap);
|
||||
return MEMORY_E;
|
||||
}
|
||||
XMEMCPY(peerCert->sig, cert->signature, cert->sigLength);
|
||||
|
||||
/* add trusted peer name */
|
||||
peerCert->nameLen = cert->subjectCNLen;
|
||||
peerCert->name = cert->subjectCN;
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
peerCert->permittedNames = cert->permittedNames;
|
||||
peerCert->excludedNames = cert->excludedNames;
|
||||
#endif
|
||||
|
||||
/* add SKID when available and hash of name */
|
||||
#ifndef NO_SKID
|
||||
XMEMCPY(peerCert->subjectKeyIdHash, cert->extSubjKeyId,
|
||||
SIGNER_DIGEST_SIZE);
|
||||
#endif
|
||||
XMEMCPY(peerCert->subjectNameHash, cert->subjectHash,
|
||||
SIGNER_DIGEST_SIZE);
|
||||
peerCert->next = NULL; /* If Key Usage not set, all uses valid. */
|
||||
cert->subjectCN = 0;
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
cert->permittedNames = NULL;
|
||||
cert->excludedNames = NULL;
|
||||
#endif
|
||||
|
||||
#ifndef NO_SKID
|
||||
row = HashSigner(peerCert->subjectKeyIdHash);
|
||||
#else
|
||||
row = HashSigner(peerCert->subjectNameHash);
|
||||
#endif
|
||||
|
||||
if (LockMutex(&cm->tpLock) == 0) {
|
||||
peerCert->next = cm->tpTable[row];
|
||||
cm->tpTable[row] = peerCert; /* takes ownership */
|
||||
UnLockMutex(&cm->tpLock);
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG(" Trusted Peer Cert Mutex Lock failed");
|
||||
FreeDecodedCert(cert);
|
||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
FreeTrustedPeer(peerCert, cm->heap);
|
||||
return BAD_MUTEX_E;
|
||||
}
|
||||
}
|
||||
|
||||
WOLFSSL_MSG(" Freeing parsed trusted peer cert");
|
||||
FreeDecodedCert(cert);
|
||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
WOLFSSL_MSG(" Freeing der trusted peer cert");
|
||||
FreeDer(der);
|
||||
WOLFSSL_MSG(" OK Freeing der trusted peer cert");
|
||||
WOLFSSL_LEAVE("AddTrustedPeer", ret);
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
/* owns der, internal now uses too */
|
||||
/* type flag ids from user or from chain received during verify
|
||||
don't allow chain ones to be added w/o isCA extension */
|
||||
@ -2647,6 +2888,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
||||
|
||||
switch (type) {
|
||||
case CA_TYPE: /* same as below */
|
||||
case TRUSTED_PEER_TYPE:
|
||||
case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break;
|
||||
case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; break;
|
||||
case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; break;
|
||||
@ -3085,6 +3327,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
||||
/* verify CA unless user set to no verify */
|
||||
return AddCA(ctx->cm, &der, WOLFSSL_USER_CA, !ctx->verifyNone);
|
||||
}
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
else if (type == TRUSTED_PEER_TYPE) {
|
||||
if (ctx == NULL) {
|
||||
WOLFSSL_MSG("Need context for trusted peer cert load");
|
||||
XFREE(der.buffer, heap, dynamicType);
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
/* add trusted peer cert */
|
||||
return AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone);
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
else if (type == CERT_TYPE) {
|
||||
if (ssl) {
|
||||
/* Make sure previous is free'd */
|
||||
@ -3817,7 +4070,8 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
|
||||
if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0)
|
||||
ret = SSL_BAD_FILE;
|
||||
else {
|
||||
if (type == CA_TYPE && format == SSL_FILETYPE_PEM)
|
||||
if ((type == CA_TYPE || type == TRUSTED_PEER_TYPE)
|
||||
&& format == SSL_FILETYPE_PEM)
|
||||
ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl);
|
||||
#ifdef HAVE_CRL
|
||||
else if (type == CRL_TYPE)
|
||||
@ -3947,6 +4201,31 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
|
||||
}
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* Used to specify a peer cert to match when connecting
|
||||
ctx : the ctx structure to load in peer cert
|
||||
file: the string name of cert file
|
||||
type: type of format such as PEM/DER
|
||||
*/
|
||||
int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
|
||||
{
|
||||
int ret;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert");
|
||||
|
||||
if (ctx == NULL || file == NULL) {
|
||||
return SSL_FAILURE;
|
||||
}
|
||||
|
||||
if ((ret = ProcessFile(ctx, file, type, TRUSTED_PEER_TYPE, NULL, 0, NULL))
|
||||
== SSL_SUCCESS) {
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
/* Verify the certificate, SSL_SUCCESS for ok, < 0 for error */
|
||||
int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
|
||||
int format)
|
||||
@ -7364,6 +7643,22 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
}
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx,
|
||||
const unsigned char* in,
|
||||
long sz, int format)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer");
|
||||
if (format == SSL_FILETYPE_PEM)
|
||||
return ProcessChainBuffer(ctx, in, sz, format,
|
||||
TRUSTED_PEER_TYPE, NULL);
|
||||
else
|
||||
return ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE,
|
||||
NULL,NULL,0);
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
|
||||
const unsigned char* in, long sz, int format)
|
||||
{
|
||||
@ -7548,6 +7843,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
return wolfSSL_CertManagerUnloadCAs(ctx->cm);
|
||||
}
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CTX_Unload_trust_peers");
|
||||
|
||||
if (ctx == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
return wolfSSL_CertManagerUnload_trust_peers(ctx->cm);
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
/* old NO_FILESYSTEM end */
|
||||
#endif /* !NO_CERTS */
|
||||
|
||||
|
||||
@ -4905,6 +4905,10 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
|
||||
extern "C" {
|
||||
#endif
|
||||
WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* signers, byte* hash);
|
||||
WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp, DecodedCert* cert);
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
#ifndef NO_SKID
|
||||
WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
|
||||
#endif
|
||||
@ -4999,7 +5003,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (verify && type != CA_TYPE) {
|
||||
if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
|
||||
Signer* ca = NULL;
|
||||
#ifndef NO_SKID
|
||||
if (cert->extAuthKeyIdSet)
|
||||
@ -5011,6 +5015,36 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
#endif /* NO SKID */
|
||||
WOLFSSL_MSG("About to verify certificate signature");
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* check for trusted peer cert */
|
||||
{
|
||||
TrustedPeerCert* tp = NULL;
|
||||
#ifndef NO_SKID
|
||||
if (cert->extAuthKeyIdSet)
|
||||
tp = GetTrustedPeer(cm, cert->extAuthKeyId);
|
||||
#else /* NO_SKID */
|
||||
tp = GetTrustedPeer(cm, cert->issuerHash);
|
||||
#endif /* NO SKID */
|
||||
WOLFSSL_MSG("Checking for trusted peer cert");
|
||||
|
||||
if (tp == NULL) {
|
||||
/* no trusted peer cert */
|
||||
WOLFSSL_MSG("No matching trusted peer cert checking CAs");
|
||||
} else if (MatchTrustedPeer(tp, cert)){
|
||||
WOLFSSL_MSG("Found matching trusted peer cert");
|
||||
if (badDate != 0)
|
||||
return badDate;
|
||||
|
||||
if (criticalExt != 0)
|
||||
return criticalExt;
|
||||
|
||||
return 0;
|
||||
} else {
|
||||
WOLFSSL_MSG("No matching trusted peer cert");
|
||||
}
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
if (ca) {
|
||||
#ifdef HAVE_OCSP
|
||||
/* Need the ca's public key hash for OCSP */
|
||||
@ -5115,6 +5149,48 @@ void FreeSignerTable(Signer** table, int rows, void* heap)
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* Free an individual trusted peer cert */
|
||||
void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
|
||||
{
|
||||
if (tp == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (tp->name) {
|
||||
XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
|
||||
}
|
||||
|
||||
if (tp->sig) {
|
||||
XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
|
||||
}
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
if (tp->permittedNames)
|
||||
FreeNameSubtrees(tp->permittedNames, heap);
|
||||
if (tp->excludedNames)
|
||||
FreeNameSubtrees(tp->excludedNames, heap);
|
||||
#endif
|
||||
XFREE(tp, heap, DYNAMIC_TYPE_CERT);
|
||||
|
||||
(void)heap;
|
||||
}
|
||||
|
||||
/* Free the whole Trusted Peer linked list */
|
||||
void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < rows; i++) {
|
||||
TrustedPeerCert* tp = table[i];
|
||||
while (tp) {
|
||||
TrustedPeerCert* next = tp->next;
|
||||
FreeTrustedPeer(tp, heap);
|
||||
tp = next;
|
||||
}
|
||||
table[i] = NULL;
|
||||
}
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
|
||||
{
|
||||
|
||||
@ -1435,17 +1435,27 @@ struct WOLFSSL_CRL {
|
||||
|
||||
#ifdef NO_ASN
|
||||
typedef struct Signer Signer;
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
typedef struct TrustedPeerCert TrustedPeerCert;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef CA_TABLE_SIZE
|
||||
#define CA_TABLE_SIZE 11
|
||||
#endif
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
#define TP_TABLE_SIZE 11
|
||||
#endif
|
||||
|
||||
/* wolfSSL Certificate Manager */
|
||||
struct WOLFSSL_CERT_MANAGER {
|
||||
Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */
|
||||
void* heap; /* heap helper */
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
TrustedPeerCert* tpTable[TP_TABLE_SIZE]; /* table of trusted peer certs */
|
||||
wolfSSL_Mutex tpLock; /* trusted peer list lock */
|
||||
#endif
|
||||
WOLFSSL_CRL* crl; /* CRL checker */
|
||||
WOLFSSL_OCSP* ocsp; /* OCSP checker */
|
||||
#if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|
||||
@ -1934,6 +1944,12 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify);
|
||||
WOLFSSL_LOCAL
|
||||
int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_LOCAL
|
||||
int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify);
|
||||
WOLFSSL_LOCAL
|
||||
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* All cipher suite related info */
|
||||
@ -2820,6 +2836,11 @@ WOLFSSL_LOCAL int VerifyClientSuite(WOLFSSL* ssl);
|
||||
const byte* plain, word32 plainSz,
|
||||
RsaKey* key);
|
||||
#endif
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash);
|
||||
WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp,
|
||||
DecodedCert* cert);
|
||||
#endif
|
||||
WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash);
|
||||
#ifndef NO_SKID
|
||||
WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);
|
||||
|
||||
@ -229,6 +229,9 @@ WOLFSSL_API int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX*, const char*, int)
|
||||
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int);
|
||||
WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*,
|
||||
const char*);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_API int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX*, const char*, int);
|
||||
#endif
|
||||
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX *,
|
||||
const char *file);
|
||||
WOLFSSL_API int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, int);
|
||||
@ -968,6 +971,11 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
|
||||
#ifndef NO_CERTS
|
||||
/* SSL_CTX versions */
|
||||
WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX*);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX*);
|
||||
WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX*,
|
||||
const unsigned char*, long, int);
|
||||
#endif
|
||||
WOLFSSL_API int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX*,
|
||||
const unsigned char*, long, int);
|
||||
WOLFSSL_API int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX*,
|
||||
@ -1247,6 +1255,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer(WOLFSSL_CERT_MANAGER*,
|
||||
const unsigned char* in, long sz, int format);
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm);
|
||||
#endif
|
||||
WOLFSSL_API int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER*, const char* f,
|
||||
int format);
|
||||
WOLFSSL_API int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm,
|
||||
|
||||
@ -365,6 +365,9 @@ struct DecodedName {
|
||||
typedef struct DecodedCert DecodedCert;
|
||||
typedef struct DecodedName DecodedName;
|
||||
typedef struct Signer Signer;
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
typedef struct TrustedPeerCert TrustedPeerCert;
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
struct DecodedCert {
|
||||
@ -554,6 +557,28 @@ struct Signer {
|
||||
};
|
||||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* used for having trusted peer certs rather then CA */
|
||||
struct TrustedPeerCert {
|
||||
int nameLen;
|
||||
char* name; /* common name */
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
Base_entry* permittedNames;
|
||||
Base_entry* excludedNames;
|
||||
#endif /* IGNORE_NAME_CONSTRAINTS */
|
||||
byte subjectNameHash[SIGNER_DIGEST_SIZE];
|
||||
/* sha hash of names in certificate */
|
||||
#ifndef NO_SKID
|
||||
byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
|
||||
/* sha hash of names in certificate */
|
||||
#endif
|
||||
word32 sigLen;
|
||||
byte* sig;
|
||||
struct TrustedPeerCert* next;
|
||||
};
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
|
||||
/* not for public consumption but may use for testing sometimes */
|
||||
#ifdef WOLFSSL_TEST_CERT
|
||||
#define WOLFSSL_TEST_API WOLFSSL_API
|
||||
@ -575,7 +600,10 @@ WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
|
||||
WOLFSSL_LOCAL Signer* MakeSigner(void*);
|
||||
WOLFSSL_LOCAL void FreeSigner(Signer*, void*);
|
||||
WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*);
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*);
|
||||
WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length);
|
||||
WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int);
|
||||
|
||||
@ -50,7 +50,8 @@ enum CertType {
|
||||
RSA_TYPE,
|
||||
PUBLICKEY_TYPE,
|
||||
RSA_PUBLICKEY_TYPE,
|
||||
ECC_PUBLICKEY_TYPE
|
||||
ECC_PUBLICKEY_TYPE,
|
||||
TRUSTED_PEER_TYPE
|
||||
};
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user