Example for parsing of custom extensions in X.509 certificates.

2022-02-28 16:38:05 -05:00 · 2022-02-28 16:38:05 -05:00 · d7db324862
parent aff3a81940
commit d7db324862
2 changed files with 145 additions and 2 deletions
--- a/certgen/Makefile
+++ b/certgen/Makefile
@ -13,7 +13,7 @@ CFLAGS=-I$(WOLF_INSTALL_DIR)/include -Wall
 LIBS=-L$(WOLF_INSTALL_DIR)/lib -lwolfssl


-all:certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb
+all:certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext_callback`

 certgen_example:certgen_example.o
 	$(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS)
@ -30,8 +30,11 @@ csr_sign:csr_sign.o
 csr_cryptocb:csr_cryptocb.o
 	$(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS)

+custom_ext_callback:custom_ext_callback.o
+	$(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS)
+
 .PHONY: clean all

 clean:
-	rm -f *.o certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb
+	rm -f *.o certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext_callback
 	rm -f newCert.*
--- a/certgen/custom_ext_callback.c
+++ b/certgen/custom_ext_callback.c
@ -0,0 +1,140 @@
+/*
+ * custom_ext_callback.c
+ *
+ * Copyright (C) 2006-2022 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* This is based off of ecc-key-decode.c */
+
+#include <wolfssl/options.h>
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/ecc.h>
+#include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <stdio.h>
+
+#if defined(WOLFSSL_ASN_TEMPLATE) && defined(WOLFSSL_CERT_REQ) && \
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_TEST_CERT) && \
+    defined(HAVE_OID_DECODING) && defined(WOLFSSL_CUSTOM_OID) && \
+    defined(WOLFSSL_CERT_EXT)
+
+static int myCustomExtCallback(const word16* oid, word32 oidSz, int crit,
+                               const unsigned char* der, word32 derSz) {
+    word32 i;
+
+    printf("Custom Extension found!\n");
+    printf("(");
+    for (i = 0; i < oidSz; i ++) {
+        printf("%d", oid[i]);
+        if (i < oidSz - 1) {
+            printf(".");
+        }
+    }
+    printf(") : ");
+
+    if (crit) {
+        printf("CRITICAL");
+    } else {
+        printf("NOT CRITICAL");
+    }
+    printf(" : ");
+
+    for (i = 0; i < derSz; i ++) {
+        printf("%x ", der[i]);
+    }
+    printf("\n");
+
+    /* NOTE: by returning zero, you are accepting this extension and informing
+     *       wolfSSL that it is acceptable. If you find an extension that you
+     *       do not find acceptable, you should return an error. The standard 
+     *       behavior upon encountering an unknown extension with the critical
+     *       flag set is to return ASN_CRIT_EXT_E. For the sake of brevity,
+     *       this example is always accepting every extension. */
+    return 0;
+}
+
+static void check_ret(char*, int);
+
+int main(void)
+{
+    DecodedCert decodedCert;
+    FILE* file;
+    byte derBuffer[4096];
+    size_t bytes;
+    int ret;
+
+#ifdef DEBUG_WOLFSSL
+    wolfSSL_Debugging_ON();
+#endif
+
+    wolfCrypt_Init();
+
+    /* TODO: change this once we start generating our own. */ 
+    file = fopen("/home/anthony/alias_nonce_cert.der", "rb");
+    if (!file) {
+        printf("Failed to open file\n");
+        exit(-99);
+    }
+
+    bytes = fread(derBuffer, 1, 4096, file);
+    fclose(file);
+
+    printf("read bytes = %d\n", (int) bytes);
+    if (bytes <= 0) {
+        return -1;
+    }
+
+    InitDecodedCert(&decodedCert, derBuffer, (word32) bytes, 0);
+
+    SetUnknownExtCallback(&decodedCert, myCustomExtCallback);
+
+    ret = ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL);
+    check_ret("ParseCert", ret);
+
+    FreeDecodedCert(&decodedCert);
+
+    wolfCrypt_Cleanup();
+
+    printf("Success\n");
+
+    return 0;
+}
+
+static void check_ret(char* call, int ret)
+{
+    if (ret != 0) {
+        printf("call: %s\n", call);
+        printf("ret = %d\n", ret);
+        exit(-99);
+    }
+    return;
+}
+
+#else
+
+int main(void)
+{
+    printf("Not compiled in: Build wolfSSL using ./configure --enable-asn=template  --enable-certreq --enable-certgen CFLAGS=\"-DWOLFSSL_TEST_CERT -DHAVE_OID_DECODING -DWOLFSSL_CUSTOM_OID -DWOLFSSL_CERT_EXT\"\n");
+    return 0;
+}
+
+#endif
+