mirror of https://github.com/wolfSSL/wolfssl
Added check to enforce RFC 5280 Sec 4.2.1.10 rule: "The name constraints extension, which MUST be used only in a CA certificate". Added new define `WOLFSSL_NO_ASN_STRICT` to restore old behavior for compatibility. Fix wc_port time `HAVE_RTP_SYS` (noticed it was missed during ASN time move to wc_port).
parent
e1c246f918
commit
f4ad808d12
|
@ -34,6 +34,8 @@ ASN Options:
|
|||
* ASN_DUMP_OID: Allows dump of OID information for debugging.
|
||||
* RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
|
||||
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
|
||||
* WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to
|
||||
restore 3.13.0 behavior.
|
||||
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
|
||||
must still be trusted)
|
||||
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
|
||||
|
@ -48,11 +50,6 @@ ASN Options:
|
|||
|
||||
#ifndef NO_ASN
|
||||
|
||||
#ifdef HAVE_RTP_SYS
|
||||
#include "os.h" /* dc_rtc_api needs */
|
||||
#include "dc_rtc_api.h" /* to get current time */
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/asn.h>
|
||||
#include <wolfssl/wolfcrypt/coding.h>
|
||||
#include <wolfssl/wolfcrypt/md2.h>
|
||||
|
@ -6337,6 +6334,12 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
|||
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
case NAME_CONS_OID:
|
||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||
if (!cert->ca) {
|
||||
WOLFSSL_MSG("Name constraints allowed only for CA certs");
|
||||
return ASN_NAME_INVALID_E;
|
||||
}
|
||||
#endif
|
||||
cert->extNameConstraintSet = 1;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extNameConstraintCrit = critical;
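Review bot: The new `if (!cert->ca)` test in the `NAME_CONS_OID` case depends on the certificate's CA status already being known when this extension is reached, and nothing in the hunk guarantees that. RFC 5280 does not fix the order of extensions, so if the flag is filled in by the Basic Constraints case of the same loop, a CA certificate that encodes Name Constraints first would be rejected with `ASN_NAME_INVALID_E`; the hunk also does not show that `ca` is the Basic Constraints flag at all (wolfSSL's `DecodedCert` carries that as `isCA`), in which case the rule would not be enforced as intended. A safer shape is to only record the extension here and test once all extensions are decoded, e.g. `if (cert->extNameConstraintSet && !cert->isCA) return ASN_NAME_INVALID_E;`. A short comment citing RFC 5280 Sec 4.2.1.10 above the check would also help, since `WOLFSSL_NO_ASN_STRICT` switches a validation step off. `DecodeCertExtensions` starts and ends outside the hunk.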
|
||||
|
|
|
@ -38,11 +38,11 @@
|
|||
|
||||
/* IPP header files for library initialization */
|
||||
#ifdef HAVE_FAST_RSA
|
||||
#include <ipp.h>
|
||||
#include <ippcp.h>
|
||||
#include <ipp.h>
|
||||
#include <ippcp.h>
|
||||
#endif
|
||||
|
||||
#if defined(FREESCALE_LTC_TFM)
|
||||
#ifdef FREESCALE_LTC_TFM
|
||||
#include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
|
||||
#endif
|
||||
|
||||
|
|
|
@ -357,6 +357,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
|
|||
#define NEED_TMP_TIME
|
||||
|
||||
#elif defined(HAVE_RTP_SYS)
|
||||
#include "os.h" /* dc_rtc_api needs */
|
||||
#include "dc_rtc_api.h" /* to get current time */
|
||||
|
||||
/* uses parital <time.h> structures */
|
||||
#define XTIME(tl) (0)
|
||||
#define XGMTIME(c, t) rtpsys_gmtime((c))
|
||||
|
|