Fixes suggested by dgarske.

2021-10-15 10:51:46 -04:00 · 2021-10-15 10:51:46 -04:00 · 885db8126b
parent 46f61cc8f8
commit 885db8126b
4 changed files with 73 additions and 42 deletions
--- a/certmanager/Makefile
+++ b/certmanager/Makefile
@ -2,14 +2,16 @@ CC=gcc
 CFLAGS=-Wall
 LIBS= -lwolfssl

-all: certloadverifybuffer certverify
+all: certloadverifybuffer certverify falcon_certverify

 certloadverifybuffer: certloadverifybuffer.o
 	$(CC) -o $@ $^ $(CFLAGS) $(LIBS)
 certverify: certverify.o
 	$(CC) -o $@ $^ $(CFLAGS) $(LIBS)
+falcon_certverify: falcon_certverify.o
+	$(CC) -o $@ $^ $(CFLAGS) $(LIBS)

 .PHONY: clean

 clean:
-	rm -f *.o certverify certloadverifybuffer
+	rm -f *.o certverify certloadverifybuffer falcon_certverify
--- a/certmanager/README.md
+++ b/certmanager/README.md
@ -16,47 +16,10 @@ $ ./certverify
 The `generate_falcon_chains.sh` script will allow you to use the OQS project's
 OpenSSL in order to generate a self-signed CA certificate and entity
 certificate that use Falcon. In the OpenSSL directory, run the script to
-generate the certificates in the the /tmp/ directory.
+generate the certificates and then copy into this directory.

-Apply the following patch:
-
-```
-diff --git a/certmanager/certverify.c b/certmanager/certverify.c
-index 4b5fed7..1b29d89 100644
--- a/certmanager/certverify.c
-+++ b/certmanager/certverify.c
-@@ -25,13 +25,15 @@
- #include <wolfssl/wolfcrypt/error-crypt.h>
- #include <wolfssl/test.h>
- 
-+#undef HAVE_CRL
-+
- int main(void)
- {
-     int ret;
-     WOLFSSL_CERT_MANAGER* cm = NULL;
- 
-    const char* caCert     = "../certs/ca-cert.pem";
-    const char* verifyCert = "../certs/server-cert.pem";
-+    const char* caCert     = "/tmp/falcon1024_root_cert.pem";
-+    const char* verifyCert = "/tmp/falcon1024_entity_cert.pem";
- 
- #ifdef HAVE_CRL
-     const char* crlPem     = "../certs/crl/crl.pem";
-@@ -52,7 +54,7 @@ int main(void)
-         return -1;
-     }
- 
-    wolfSSL_CertManagerSetVerify(cm, myVerify);
-+    //wolfSSL_CertManagerSetVerify(cm, myVerify);
- 
-     ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL);
-     if (ret != SSL_SUCCESS) {
-```
-
-Then compile and run the sample:
 ```
 $ make
-$ ./certverify
+$ ./falcon_certverify
 ```

--- a/certmanager/falcon_certverify.c
+++ b/certmanager/falcon_certverify.c
@ -0,0 +1,67 @@
+/* falcon_certverify.c
+ *
+ * Copyright (C) 2021 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <stdio.h>
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/test.h>
+
+int main(void)
+{
+    int ret;
+    WOLFSSL_CERT_MANAGER* cm = NULL;
+
+    const char* caCert     = "./falcon1024_root_cert.pem";
+    const char* verifyCert = "./falcon1024_entity_cert.pem";
+
+    wolfSSL_Init();
+#ifdef DEBUG_WOLFSSL
+    wolfSSL_Debugging_ON();
+#endif
+
+    cm = wolfSSL_CertManagerNew();
+    if (cm == NULL) {
+        printf("wolfSSL_CertManagerNew() failed\n");
+        return -1;
+    }
+
+    ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL);
+    if (ret != SSL_SUCCESS) {
+        printf("wolfSSL_CertManagerLoadCA() failed (%d): %s\n",
+                ret, wolfSSL_ERR_reason_error_string(ret));
+        ret = -1; goto exit;
+    }
+
+    ret = wolfSSL_CertManagerVerify(cm, verifyCert, SSL_FILETYPE_PEM);
+    if (ret != SSL_SUCCESS) {
+        printf("wolfSSL_CertManagerVerify() failed (%d): %s\n",
+                ret, wolfSSL_ERR_reason_error_string(ret));
+        ret = -1; goto exit;
+    }
+    printf("Verification Successful!\n");
+
+exit:
+    wolfSSL_CertManagerFree(cm);
+    wolfSSL_Cleanup();
+
+    return ret;
+}
--- a/certmanager/generate_falcon_chains.sh
+++ b/certmanager/generate_falcon_chains.sh
@ -87,4 +87,3 @@ extendedKeyUsage       = critical, serverAuth,clientAuth\n" > entity.conf
 ./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon512_root_cert.pem falcon512_entity_cert.pem
 ./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon1024_root_cert.pem falcon1024_entity_cert.pem

-mv *.pem /tmp/