mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1549 from JacobBarthelmeh/Cert-Report1

Browse Source 
fix for relative URI detection
This commit is contained in:
toddouska 2018-05-23 17:05:35 -07:00 committed by GitHub
commit d38a0039ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 281 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
certs/client-relative-uri.pem Normal file
View File

@ -0,0 +1,90 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9930516258332383263 (0x89d047ec3e24981f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Validity
Not Before: May 14 20:24:06 2018 GMT
Not After : Feb 7 20:24:06 2021 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d:
68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b:
ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf:
65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5:
b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6:
13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b:
0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e:
bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14:
c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83:
ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19:
cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d:
3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9:
54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71:
d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86:
2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1:
ba:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
X509v3 Authority Key Identifier:
keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=RELATIVE_URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:89:D0:47:EC:3E:24:98:1F
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
URI:../relative/page.html
Signature Algorithm: sha256WithRSAEncryption
29:cb:c0:50:61:da:51:c5:da:50:15:b7:bd:c3:f4:9b:c5:b8:
2a:9b:6c:c7:91:7a:26:e3:eb:48:d2:40:fa:e3:ab:f9:b7:e2:
4a:37:9b:b6:03:ad:9c:f4:f2:5d:12:eb:5c:c6:97:c4:3a:18:
99:70:47:49:93:f3:a5:32:ab:aa:22:71:6f:5c:36:1c:42:2f:
d4:19:da:64:73:84:d3:1e:a8:5f:af:8a:58:e7:64:18:38:79:
69:f2:08:d4:f2:be:b0:9c:18:d8:f1:a5:eb:b6:9c:67:21:0f:
ba:bf:95:68:e9:d2:23:56:84:cf:87:7c:a4:2a:3a:0d:c1:72:
3a:43:da:53:bb:6c:f0:b5:f1:03:3c:ff:b6:0a:1f:54:c5:1b:
d5:40:80:24:74:e2:f6:4c:41:88:f1:df:a3:36:64:78:e9:c2:
0e:c3:0f:f3:5f:19:e6:44:85:79:e1:6a:ee:78:39:9b:58:e3:
c4:39:27:d7:05:1a:b9:7c:21:75:61:7a:71:53:fd:fc:7f:57:
ef:3a:19:be:69:c6:cb:73:49:bd:72:7d:2b:eb:68:52:8e:0f:
d7:47:d3:90:86:5a:14:03:0d:dc:6b:07:10:57:2b:e0:b6:d2:
a0:49:2d:63:88:d0:17:b3:b2:50:c4:60:15:1e:b6:ce:13:14:
0d:ec:45:eb
-----BEGIN CERTIFICATE-----
MIIE3TCCA8WgAwIBAgIJAInQR+w+JJgfMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
A1UECgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNV
BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
LmNvbTAeFw0xODA1MTQyMDI0MDZaFw0yMTAyMDcyMDI0MDZaMIGaMQswCQYDVQQG
EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UE
CgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNVBAMM
D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQr
Knx0mr2qKlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N
+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxA
nEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42G
wohAmTaDuh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz
2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuh
utMCAwEAAaOCASIwggEeMB0GA1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCB
zwYDVR0jBIHHMIHEgBQz2EVm12iHGH5UDXAnkccm14VlwKGBoKSBnTCBmjELMAkG
A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
BgNVBAoMDHdvbGZTU0xfMjA0ODEVMBMGA1UECwwMUkVMQVRJVkVfVVJJMRgwFgYD
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
bC5jb22CCQCJ0EfsPiSYHzAJBgNVHRMEAjAAMCAGA1UdEQQZMBeGFS4uL3JlbGF0
aXZlL3BhZ2UuaHRtbDANBgkqhkiG9w0BAQsFAAOCAQEAKcvAUGHaUcXaUBW3vcP0
m8W4Kptsx5F6JuPrSNJA+uOr+bfiSjebtgOtnPTyXRLrXMaXxDoYmXBHSZPzpTKr
qiJxb1w2HEIv1BnaZHOE0x6oX6+KWOdkGDh5afII1PK+sJwY2PGl67acZyEPur+V
aOnSI1aEz4d8pCo6DcFyOkPaU7ts8LXxAzz/tgofVMUb1UCAJHTi9kxBiPHfozZk
eOnCDsMP818Z5kSFeeFq7ng5m1jjxDkn1wUauXwhdWF6cVP9/H9X7zoZvmnGy3NJ
vXJ9K+toUo4P10fTkIZaFAMN3GsHEFcr4LbSoEktY4jQF7OyUMRgFR62zhMUDexF
6w==
-----END CERTIFICATE-----

89
certs/client-uri-cert.pem Normal file
View File

@ -0,0 +1,89 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9402123678722384441 (0x827b0dabd4896239)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Validity
Not Before: May 8 21:54:16 2018 GMT
Not After : Feb 1 21:54:16 2021 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d:
68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b:
ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf:
65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5:
b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6:
13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b:
0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e:
bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14:
c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83:
ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19:
cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d:
3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9:
54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71:
d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86:
2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1:
ba:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
X509v3 Authority Key Identifier:
keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:82:7B:0D:AB:D4:89:62:39
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
URI:https://www.wolfssl.com
Signature Algorithm: sha256WithRSAEncryption
18:bb:46:7a:13:a5:32:c2:aa:1c:60:cf:d1:b7:59:f3:86:fd:
b4:db:62:6e:40:4d:d3:cb:b5:8f:0a:45:43:9f:0b:50:7b:ac:
41:ed:27:32:a5:b3:fb:6a:a5:9c:36:00:f2:88:da:dd:80:b5:
49:29:6c:4d:1c:22:24:07:5b:7b:9a:88:8b:21:a0:62:43:1c:
14:23:d2:08:a8:27:cc:f2:d5:4f:e2:5c:b1:f8:3c:f5:7c:b2:
ef:b1:ad:1e:fe:a9:92:5f:00:26:fb:f3:8d:e2:c7:38:8a:9a:
e4:a8:4a:29:61:44:f6:80:61:09:5d:49:9b:1c:10:e0:1e:27:
03:26:e2:46:01:83:49:6a:1d:5f:6e:71:c8:1e:61:44:32:2a:
84:cd:5a:45:d3:9f:a4:ec:76:4b:1a:6c:26:ca:55:d7:c3:ad:
94:57:7b:8b:d4:9f:be:25:3d:e2:30:08:d5:fb:18:9a:aa:ee:
c1:ce:bb:ea:de:5d:a7:77:40:c2:b1:57:aa:11:43:41:69:73:
0c:bd:87:0e:b9:8d:ba:f9:cc:ac:38:60:8a:62:32:2a:c0:0d:
1c:88:d3:d3:92:d6:f1:2e:82:67:8e:f5:42:b9:e4:28:b3:fd:
fb:7c:9a:16:5f:fe:20:da:37:5f:c2:5e:74:9b:99:f3:de:35:
45:8d:49:28
-----BEGIN CERTIFICATE-----
MIIExDCCA6ygAwIBAgIJAIJ7DavUiWI5MA0GCSqGSIb3DQEBCwUAMIGRMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
A1UECgwMd29sZlNTTF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53
b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0x
ODA1MDgyMTU0MTZaFw0yMTAyMDEyMTU0MTZaMIGRMQswCQYDVQQGEwJVUzEQMA4G
A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNT
TF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Q
uml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRp
pugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk
4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOw
zu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx
04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOCARswggEXMB0G
A1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCBxgYDVR0jBIG+MIG7gBQz2EVm
12iHGH5UDXAnkccm14VlwKGBl6SBlDCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfMjA0
ODEMMAoGA1UECwwDVVJJMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCCew2r1IliOTAJBgNVHRMEAjAA
MCIGA1UdEQQbMBmGF2h0dHBzOi8vd3d3LndvbGZzc2wuY29tMA0GCSqGSIb3DQEB
CwUAA4IBAQAYu0Z6E6UywqocYM/Rt1nzhv2022JuQE3Ty7WPCkVDnwtQe6xB7Scy
pbP7aqWcNgDyiNrdgLVJKWxNHCIkB1t7moiLIaBiQxwUI9IIqCfM8tVP4lyx+Dz1
fLLvsa0e/qmSXwAm+/ON4sc4iprkqEopYUT2gGEJXUmbHBDgHicDJuJGAYNJah1f
bnHIHmFEMiqEzVpF05+k7HZLGmwmylXXw62UV3uL1J++JT3iMAjV+xiaqu7Bzrvq
3l2nd0DCsVeqEUNBaXMMvYcOuY26+cysOGCKYjIqwA0ciNPTktbxLoJnjvVCueQo
s/37fJoWX/4g2jdfwl50m5nz3jVFjUko
-----END CERTIFICATE-----

32
certs/renewcerts.sh
View File

@ -22,6 +22,8 @@
# client-ca.pem
# test/digsigku.pem
# ecc-privOnlyCert.pem
# client-uri-cert.pem
# client-relative-uri.pem
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
@ -45,6 +47,36 @@ function run_renewcerts(){
# To generate these all in sha1 add the flag "-sha1" on appropriate lines
# That is all lines beginning with: "openssl req"
############################################################
#### update the self-signed (2048-bit) client-uri-cert.pem #
############################################################
echo "Updating 2048-bit client-uri-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
rm client-cert.csr
openssl x509 -in client-uri-cert.pem -text > tmp.pem
mv tmp.pem client-uri-cert.pem
############################################################
#### update the self-signed (2048-bit) client-relative-uri.pem
############################################################
echo "Updating 2048-bit client-relative-uri.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
rm client-cert.csr
openssl x509 -in client-relative-uri.pem -text > tmp.pem
mv tmp.pem client-relative-uri.pem
############################################################
#### update the self-signed (2048-bit) client-cert.pem #####
############################################################

14
certs/renewcerts/wolfssl.cnf
View File

@ -220,6 +220,20 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=serverAuth
nsCertType=server
# test parsing URI
[ uri ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
subjectAltName=URI:https://www.wolfssl.com
# test parsing relative URI
[ relative_uri ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
subjectAltName=URI:../relative/page.html
#tsa default
[ tsa ]
default_tsa = tsa_config1

29
tests/api.c
View File

@ -2990,6 +2990,34 @@ static void test_wolfSSL_PKCS5(void)
#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SHA) */
}
/* test parsing URI from certificate */
static void test_wolfSSL_URI(void)
{
#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \
&& (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
WOLFSSL_X509* x509;
const char uri[] = "./certs/client-uri-cert.pem";
const char badUri[] = "./certs/client-relative-uri.pem";
printf(testingFmt, "wolfSSL URI parse");
x509 = wolfSSL_X509_load_certificate_file(uri, WOLFSSL_FILETYPE_PEM);
AssertNotNull(x509);
wolfSSL_FreeX509(x509);
x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM);
#ifndef IGNORE_NAME_CONSTRAINTS
AssertNull(x509);
#else
AssertNotNull(x509);
#endif
printf(resultFmt, passed);
#endif
}
/* Testing function wolfSSL_CTX_SetMinVersion; sets the minimum downgrade
* version allowed.
* POST: 1 on success.
@ -18857,6 +18885,7 @@ void ApiTest(void)
test_wolfSSL_PKCS12();
test_wolfSSL_PKCS8();
test_wolfSSL_PKCS5();
test_wolfSSL_URI();
/*OCSP Stapling. */
AssertIntEQ(test_wolfSSL_UseOCSPStapling(), WOLFSSL_SUCCESS);

30
wolfcrypt/src/asn.c
View File

@ -5759,13 +5759,37 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
}
length -= (idx - lenStartIdx);
/* check that strLen at index is not past input buffer */
if (strLen + (int)idx > sz) {
return BUFFER_E;
}
#ifndef WOLFSSL_NO_ASN_STRICT
/* Verify RFC 5280 Sec 4.2.1.6 rule:
"The name MUST NOT be a relative URI" */
if (XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0) {
WOLFSSL_MSG("\tAlt Name must be absolute URI");
return ASN_ALT_NAME_E;
{
int i;
/* skip past scheme (i.e http,ftp,...) finding first ':' char */
for (i = 0; i < strLen; i++) {
if (input[idx + i] == ':') {
break;
}
if (input[idx + i] == '/') {
i = strLen; /* error, found relative path since '/' was
* encountered before ':'. Returning error
* value in next if statement. */
}
}
/* test if no ':' char was found and test that the next two
* chars are // to match the pattern "://" */
if (i >= strLen - 2 || (input[idx + i + 1] != '/' ||
input[idx + i + 2] != '/')) {
WOLFSSL_MSG("\tAlt Name must be absolute URI");
return ASN_ALT_NAME_E;
}
}
#endif