From cece2dfa19eef5df01fce7073fb6fb39c2ae18e0 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Sun, 12 Aug 2018 15:45:42 -0700
Subject: [PATCH] Added cert manager load buffer example (thanks Kaleb).
---
 .gitignore | 2 +
 certmanager/Makefile | 6 +-
 certmanager/certloadverifybuffer.c | 166 +++++++++++++++++++++++++++++
 certmanager/certverify.c | 24 +++--
 4 files changed, 187 insertions(+), 11 deletions(-)
 create mode 100644 certmanager/certloadverifybuffer.c
diff --git a/.gitignore b/.gitignore
index c19b4a98..876cc717 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,3 +107,5 @@ ecc/ecc-stack
 ecc/ecc-verify
 pkcs7/pkcs7-verify
 *.dSYM
+certmanager/certloadverifybuffer
+certmanager/certverify
diff --git a/certmanager/Makefile b/certmanager/Makefile
index 5ca66b23..d0de29c4 100644
--- a/certmanager/Makefile
+++ b/certmanager/Makefile
@@ -2,10 +2,14 @@ CC=gcc CFLAGS=-Wall LIBS= -lwolfssl +all: certloadverifybuffer certverify + +certloadverifybuffer: certloadverifybuffer.o + $(CC) -o $@ $^ $(CFLAGS) $(LIBS) certverify: certverify.o $(CC) -o $@ $^ $(CFLAGS) $(LIBS) .PHONY: clean clean: - rm -f *.o certverify + rm -f *.o certverify certloadverifybuffer
diff --git a/certmanager/certloadverifybuffer.c b/certmanager/certloadverifybuffer.c
new file mode 100644
index 00000000..5784dca2
--- /dev/null
+++ b/certmanager/certloadverifybuffer.c
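Review bot: The new `all` target in the Makefile hunk is not declared phony — the hunk leaves `.PHONY: clean` unchanged — so a stray file named `all` in `certmanager/` would satisfy the target and nothing would be built; change that line to `.PHONY: all clean`. The `clean` rule is correctly extended with the new binary, and the `.gitignore` hunk matches it.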
@@ -0,0 +1,166 @@ +/* certloadverifybuffer.c + * + * Copyright (C) 2006-2018 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#include +#include +#include + +#ifdef WOLFSSL_USER_SETTINGS + #include +#else + #include +#endif +#include +#include + +/* root ca (certs/ca-ecc-cert.pem) */ +static const byte authCert[] = "\ +-----BEGIN CERTIFICATE-----\n\ +MIICizCCAjCgAwIBAgIJAP0OKSFmy0ijMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG\n\ +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G\n\ +A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3\n\ +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe\n\ +Fw0xODA0MTMxNTIzMTBaFw0yMTAxMDcxNTIzMTBaMIGXMQswCQYDVQQGEwJVUzET\n\ +MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH\n\ +d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm\n\ +c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG\n\ +SM49AgEGCCqGSM49AwEHA0IABALT2W7WAY5FyLmQMeXATOOerSk4mLoQ1ukJKoCp\n\ +LhcquYq/M4NG45UL5HdAtTtDRTMPYVN8N0TBy/yAyuhD6qejYzBhMB0GA1UdDgQW\n\ +BBRWjprD8ELeGLlFVW75k8/qw/OlITAfBgNVHSMEGDAWgBRWjprD8ELeGLlFVW75\n\ +k8/qw/OlITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO\n\ +PQQDAgNJADBGAiEA8HvMJHMZP2Fo7cgKVEq4rHnvEDKRUiw+v1CqXxjBl/UCIQDZ\n\ 
+S2Nnb5spqddrY5uYnzKCNtrwqfdRtJeq+vrd7+9Krg==\n\ +-----END CERTIFICATE-----\n"; + +/* chain cert, signed by authCert (above) (certs/server-ecc.pem) */ +static const byte testCert1[] = "\ +-----BEGIN CERTIFICATE-----\n\ +MIIDUDCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw\n\ +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3\n\ +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz\n\ +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAy\n\ +MDE4MTkwNloXDTI3MTAxODE4MTkwNlowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI\n\ +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj\n\ +MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG\n\ +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH\n\ +A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS\n\ +IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG\n\ ++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud\n\ +IwSBxDCBwYAUVo6aw/BC3hi5RVVu+ZPP6sPzpSGhgZ2kgZowgZcxCzAJBgNVBAYT\n\ +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD\n\ +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3\n\ +LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA\n\ +l7S9Fnj4R/IwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG\n\ +CCqGSM49BAMCA0kAMEYCIQC+uFjw5BUBH99wVHNKbEAfd6i061Iev/UNsTPKasR2\n\ +uQIhAJcI3iwowUVxtixUh5hjdqghNJCo954//AKw59MJMSfk\n\ +-----END CERTIFICATE-----\n"; + +/* This is a self-signed test cert so load in both as CA and entity cert + (certs/client-ecc-cert.pem) */ +static const byte testCert2[] = "\n\ +-----BEGIN CERTIFICATE-----\n\ +MIIDCDCCAq+gAwIBAgIJAJO/at6bQZ2tMAoGCCqGSM49BAMCMIGNMQswCQYDVQQG\n\ +EwJVUzEPMA0GA1UECAwGT3JlZ29uMQ4wDAYDVQQHDAVTYWxlbTETMBEGA1UECgwK\n\ +Q2xpZW50IEVDQzENMAsGA1UECwwERmFzdDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu\n\ +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDQxMzE1\n\ +MjMxMFoXDTIxMDEwNzE1MjMxMFowgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZP\n\ 
+cmVnb24xDjAMBgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0wCwYD\n\ +VQQLDARGYXN0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B\n\ +CQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARV\n\ +v/QPRFCaPc6bt/DFTfVwe9TsJI4ZgOxaTKIkA2Ism9rvojUSQ4R2FsZWlQbMAam9\n\ +9nUaQve9qbI2Il/HXX+0o4H1MIHyMB0GA1UdDgQWBBTr1EtZa5VhP1FXtgRNiUGI\n\ +RFyr8jCBwgYDVR0jBIG6MIG3gBTr1EtZa5VhP1FXtgRNiUGIRFyr8qGBk6SBkDCB\n\ +jTELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFU2FsZW0x\n\ +EzARBgNVBAoMCkNsaWVudCBFQ0MxDTALBgNVBAsMBEZhc3QxGDAWBgNVBAMMD3d3\n\ +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIJ\n\ +AJO/at6bQZ2tMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYbydTYhk\n\ +hrhxqjVZaLjuLPMjtRq5ukFQqMbDWOtYvWACIGGq67VzDQHbaY9S9XJtN0K1/ZS2\n\ +brHEJS6WlvM5sl3q\n\ +-----END CERTIFICATE-----\n"; + +int main(void) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm = NULL; + + /* CA to be used for verification, load into certmanager */ + const byte* caCert = authCert; + const byte* cert1 = testCert1; + const byte* cert2 = testCert2; + int caSz = sizeof(authCert); + int cSz1 = sizeof(testCert1); + int cSz2 = sizeof(testCert2); + + wolfSSL_Init(); +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + + if ((cm = wolfSSL_CertManagerNew()) == NULL) { + printf("cert manager new failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer(cm, caCert, caSz, SSL_FILETYPE_PEM); + if (ret != WOLFSSL_SUCCESS) { + printf("loading the ca chain failed\n"); + printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret)); + wolfSSL_CertManagerFree(cm); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer(cm, testCert2, cSz2, SSL_FILETYPE_PEM); + if (ret != WOLFSSL_SUCCESS) { + printf("loading the ca chain failed\n"); + printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret)); + wolfSSL_CertManagerFree(cm); + return -1; + } + + printf("------------------------------------------------------------\n\n"); + ret = wolfSSL_CertManagerVerifyBuffer(cm, 
cert1, cSz1, SSL_FILETYPE_PEM); + if (ret != WOLFSSL_SUCCESS) { + printf("could not verify certificate.\n"); + printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret)); + wolfSSL_CertManagerFree(cm); + return -2; + } + + printf("Verification successful on cert1!\n"); + + printf("------------------------------------------------------------\n\n"); + ret = wolfSSL_CertManagerVerifyBuffer(cm, cert2, cSz2, SSL_FILETYPE_PEM); + if (ret != WOLFSSL_SUCCESS) { + printf("could not verify certificate.\n"); + printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret)); + wolfSSL_CertManagerFree(cm); + return -2; + } + + printf("Verification successful on cert2!\n"); + printf("------------------------------------------------------------\n\n"); + + wolfSSL_CertManagerFree(cm); + wolfSSL_Cleanup(); + + return 0; +} diff --git a/certmanager/certverify.c b/certmanager/certverify.c index b9df5ab5..03da4d66 100644 --- a/certmanager/certverify.c +++ b/certmanager/certverify.c @@ -1,8 +1,8 @@ -/* standalone.c +/* certverify.c * - * Copyright (C) 2006-2015 wolfSSL Inc. + * Copyright (C) 2006-2018 wolfSSL Inc. * - * This file is part of wolfSSL. (formerly known as CyaSSL) + * This file is part of wolfSSL. * * wolfSSL is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -16,7 +16,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ #include 
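Review bot: In the new `certloadverifybuffer.c`, every failure branch after `wolfSSL_Init()` frees `cm` and returns, but none of them calls `wolfSSL_Cleanup()`, so the library init is balanced only on the success path, and the return value of `wolfSSL_Init()` itself is never checked; the sibling `certverify.c` already funnels through an `exit:` label and the same shape fits here. The lengths `caSz`/`cSz1`/`cSz2` are taken as `sizeof(...)` of the string arrays, which counts the trailing NUL; the PEM decoder presumably tolerates that extra byte since the example is meant to pass, but `sizeof(authCert) - 1` is the exact PEM length and avoids depending on it. Note also that `testCert2` is loaded as a trusted CA before being verified, so the second `wolfSSL_CertManagerVerifyBuffer` call only confirms its self-signature, as the comment above its definition says; a reader copying this example should not mistake that step for a meaningful trust check. The restructured error handling is below; the separate `-1`/`-2` exit codes become the wolfSSL error code carried in `ret`, matching `certverify.c`.

```c
int main(void)
{
    int ret = -1;
    WOLFSSL_CERT_MANAGER* cm = NULL;

    /* CA to be used for verification, load into certmanager */
    const byte* caCert = authCert;
    const byte* cert1 = testCert1;
    const byte* cert2 = testCert2;
    /* sizeof() counts the NUL terminator; pass the exact PEM length */
    int caSz = (int)sizeof(authCert) - 1;
    int cSz1 = (int)sizeof(testCert1) - 1;
    int cSz2 = (int)sizeof(testCert2) - 1;

    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
        printf("wolfSSL_Init failed\n");
        return -1;
    }
    /* … unchanged: DEBUG_WOLFSSL block … */

    if ((cm = wolfSSL_CertManagerNew()) == NULL) {
        printf("cert manager new failed\n");
        wolfSSL_Cleanup();
        return -1;
    }

    ret = wolfSSL_CertManagerLoadCABuffer(cm, caCert, caSz, SSL_FILETYPE_PEM);
    if (ret != WOLFSSL_SUCCESS) {
        printf("loading the ca chain failed\n");
        printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret));
        goto exit;
    }
    /* … unchanged: second LoadCABuffer (use cert2/cSz2) and both VerifyBuffer
       calls, with each failure branch reduced to `goto exit;` … */

    ret = 0;
exit:
    wolfSSL_CertManagerFree(cm);
    wolfSSL_Cleanup();
    return ret;
}
```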
@@ -27,13 +27,12 @@ int main(void) { int ret; - WOLFSSL_CERT_MANAGER* cm = 0; + WOLFSSL_CERT_MANAGER* cm = NULL; const char* caCert = "../certs/ca-cert.pem"; const char* verifyCert = "../certs/server-cert.pem"; #ifdef HAVE_CRL - const char* crlPem = "../certs/crl/crl.pem"; const char* caCertDer = "../certs/ca-cert.der"; FILE* file; @@ -41,13 +40,18 @@ int main(void) int bufSz; #endif + wolfSSL_Init(); +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + cm = wolfSSL_CertManagerNew(); if (cm == NULL) { printf("wolfSSL_CertManagerNew() failed\n"); return -1; } - ret = wolfSSL_CertManagerLoadCA(cm, caCert, 0); + ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL); if (ret != SSL_SUCCESS) { printf("wolfSSL_CertManagerLoadCA() failed (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret)); @@ -98,8 +102,8 @@ int main(void) #endif exit: - if (cm) { - wolfSSL_CertManagerFree(cm); - } + wolfSSL_CertManagerFree(cm); + wolfSSL_Cleanup(); + return ret; }
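Review bot: In the `@@ -41,13 +40,18 @@` hunk the newly added `wolfSSL_Init()` call ignores its return value, and the `cm == NULL` branch right below it still does `return -1`, bypassing the `wolfSSL_Cleanup()` that the final hunk adds at `exit:`, so init and cleanup are unbalanced on that path. Suggest `if (wolfSSL_Init() != SSL_SUCCESS) { printf("wolfSSL_Init() failed\n"); return -1; }` and, in the NULL branch, `wolfSSL_Cleanup(); return -1;` in place of the bare return. As a style point, this file keeps `SSL_SUCCESS` while the new `certloadverifybuffer.c` uses `WOLFSSL_SUCCESS`; one spelling across the directory would be easier on readers. `main` opens in the preceding hunk and its middle, including the CRL block where `caCertDer` and `file` are used, lies outside the shown hunks.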