WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #8542 from anhu/dual_alg_crit_ext 

Allow critical alt and basic constraints extensions
pull/8581/head
David Garske 2025-03-20 16:15:42 -07:00 committed by GitHub
parent 2c36ae268f 4967738044
commit 01910a60aa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 481 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/internal.c
View File

@ -13481,7 +13481,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
x509->isCa = dCert->isCA; x509->isCa = dCert->isCA;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
x509->basicConstCrit = dCert->extBasicConstCrit;
x509->pathLength = dCert->pathLength; x509->pathLength = dCert->pathLength;
x509->pathLengthSet = dCert->pathLengthSet;
x509->keyUsage = dCert->extKeyUsage; x509->keyUsage = dCert->extKeyUsage;
x509->CRLdistSet = dCert->extCRLdistSet; x509->CRLdistSet = dCert->extCRLdistSet;
@ -13535,7 +13537,6 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
} }
#endif #endif
x509->basicConstSet = dCert->extBasicConstSet; x509->basicConstSet = dCert->extBasicConstSet;
x509->basicConstCrit = dCert->extBasicConstCrit;
x509->basicConstPlSet = dCert->pathLengthSet; x509->basicConstPlSet = dCert->pathLengthSet;
x509->subjAltNameSet = dCert->extSubjAltNameSet; x509->subjAltNameSet = dCert->extSubjAltNameSet;
x509->subjAltNameCrit = dCert->extSubjAltNameCrit; x509->subjAltNameCrit = dCert->extSubjAltNameCrit;
@ -13648,6 +13649,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
if (x509->sapkiDer != NULL) { if (x509->sapkiDer != NULL) {
XMEMCPY(x509->sapkiDer, dCert->sapkiDer, dCert->sapkiLen); XMEMCPY(x509->sapkiDer, dCert->sapkiDer, dCert->sapkiLen);
x509->sapkiLen = dCert->sapkiLen; x509->sapkiLen = dCert->sapkiLen;
x509->sapkiCrit = dCert->extSapkiCrit;
} }
else { else {
ret = MEMORY_E; ret = MEMORY_E;
@ -13660,6 +13662,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
XMEMCPY(x509->altSigAlgDer, dCert->altSigAlgDer, XMEMCPY(x509->altSigAlgDer, dCert->altSigAlgDer,
dCert->altSigAlgLen); dCert->altSigAlgLen);
x509->altSigAlgLen = dCert->altSigAlgLen; x509->altSigAlgLen = dCert->altSigAlgLen;
x509->altSigAlgCrit = dCert->extAltSigAlgCrit;
} }
else { else {
ret = MEMORY_E; ret = MEMORY_E;
@ -13672,6 +13675,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
XMEMCPY(x509->altSigValDer, dCert->altSigValDer, XMEMCPY(x509->altSigValDer, dCert->altSigValDer,
dCert->altSigValLen); dCert->altSigValLen);
x509->altSigValLen = dCert->altSigValLen; x509->altSigValLen = dCert->altSigValLen;
x509->altSigValCrit = dCert->extAltSigValCrit;
} }
else { else {
ret = MEMORY_E; ret = MEMORY_E;

8
src/x509.c
View File

@ -10674,7 +10674,10 @@ static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
cert->sigType = wolfSSL_X509_get_signature_type(x509); cert->sigType = wolfSSL_X509_get_signature_type(x509);
cert->keyType = x509->pubKeyOID; cert->keyType = x509->pubKeyOID;
cert->isCA = wolfSSL_X509_get_isCA(x509); cert->isCA = wolfSSL_X509_get_isCA(x509);
cert->basicConstCrit = x509->basicConstCrit;
cert->basicConstSet = x509->basicConstSet; cert->basicConstSet = x509->basicConstSet;
cert->pathLen = x509->pathLength;
cert->pathLenSet = x509->pathLengthSet;
#ifdef WOLFSSL_CERT_EXT #ifdef WOLFSSL_CERT_EXT
if (x509->subjKeyIdSz <= CTC_MAX_SKID_SIZE) { if (x509->subjKeyIdSz <= CTC_MAX_SKID_SIZE) {
@ -10741,10 +10744,13 @@ static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
/* We point to instance in x509 so DON'T need to be free'd. */ /* We point to instance in x509 so DON'T need to be free'd. */
cert->sapkiDer = x509->sapkiDer; cert->sapkiDer = x509->sapkiDer;
cert->sapkiLen = x509->sapkiLen; cert->sapkiLen = x509->sapkiLen;
cert->sapkiCrit = x509->sapkiCrit;
cert->altSigAlgDer = x509->altSigAlgDer; cert->altSigAlgDer = x509->altSigAlgDer;
cert->altSigAlgLen = x509->altSigAlgLen; cert->altSigAlgLen = x509->altSigAlgLen;
cert->altSigAlgCrit = x509->altSigAlgCrit;
cert->altSigValDer = x509->altSigValDer; cert->altSigValDer = x509->altSigValDer;
cert->altSigValLen = x509->altSigValLen; cert->altSigValLen = x509->altSigValLen;
cert->altSigValCrit = x509->altSigValCrit;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
#endif /* WOLFSSL_CERT_EXT */ #endif /* WOLFSSL_CERT_EXT */

402
tests/api.c
View File

@ -1035,6 +1035,7 @@ static int do_dual_alg_root_certgen(byte **out, char *caKeyFile,
XMEMSET(scratchBuf, 0, scratchSz); XMEMSET(scratchBuf, 0, scratchSz);
ExpectIntGT(scratchSz = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz, ExpectIntGT(scratchSz = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz,
&caKey, &rng), 0); &caKey, &rng), 0);
wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0); wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
ExpectIntEQ(wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL), 0); ExpectIntEQ(wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL), 0);
@ -1230,6 +1231,400 @@ static int do_dual_alg_tls13_connection(byte *caCert, word32 caCertSz,
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
/**
* Function to generate a root certificate with dual algorithm support and
* configurable criticality for extensions and path length constraints.
*
* @param out [out] Pointer to store the generated certificate
* @param caKeyFile [in] Path to the CA key file
* @param sapkiFile [in] Path to the subject alternative public key info file
* @param altPrivFile [in] Path to the alternative private key file
* @param setCrit [in] Flag to set criticality of extensions (1=critical, 0=non-critical)
* @param setPathLen [in] Flag to set path length constraint (1=set, 0=don't set)
* @param pathLen [in] Path length value (only used if setPathLen=1)
* @return Size of the generated certificate or negative on error
*/
static int do_dual_alg_root_certgen_crit(byte **out, char *caKeyFile,
char *sapkiFile, char *altPrivFile,
int setCrit, int setPathLen, int pathLen)
{
EXPECT_DECLS;
FILE* file = NULL;
Cert newCert;
DecodedCert preTBS;
byte caKeyBuf[LARGE_TEMP_SZ];
word32 caKeySz = LARGE_TEMP_SZ;
byte sapkiBuf[LARGE_TEMP_SZ];
word32 sapkiSz = LARGE_TEMP_SZ;
byte altPrivBuf[LARGE_TEMP_SZ];
word32 altPrivSz = LARGE_TEMP_SZ;
byte altSigAlgBuf[LARGE_TEMP_SZ];
word32 altSigAlgSz = LARGE_TEMP_SZ;
byte scratchBuf[LARGE_TEMP_SZ];
word32 scratchSz = LARGE_TEMP_SZ;
byte preTbsBuf[LARGE_TEMP_SZ];
word32 preTbsSz = LARGE_TEMP_SZ;
byte altSigValBuf[LARGE_TEMP_SZ];
word32 altSigValSz = LARGE_TEMP_SZ;
byte *outBuf = NULL;
word32 outSz = LARGE_TEMP_SZ;
WC_RNG rng;
RsaKey caKey;
ecc_key altCaKey;
word32 idx = 0;
XMEMSET(&rng, 0, sizeof(WC_RNG));
XMEMSET(&caKey, 0, sizeof(RsaKey));
XMEMSET(&altCaKey, 0, sizeof(ecc_key));
ExpectNotNull(outBuf = (byte*)XMALLOC(outSz, NULL,
DYNAMIC_TYPE_TMP_BUFFER));
ExpectIntEQ(wc_InitRng(&rng), 0);
XMEMSET(caKeyBuf, 0, caKeySz);
ExpectNotNull(file = fopen(caKeyFile, "rb"));
ExpectIntGT(caKeySz = (word32)fread(caKeyBuf, 1, caKeySz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
ExpectIntEQ(wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID), 0);
idx = 0;
ExpectIntEQ(wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, caKeySz),
0);
XMEMSET(sapkiBuf, 0, sapkiSz);
ExpectNotNull(file = fopen(sapkiFile, "rb"));
ExpectIntGT(sapkiSz = (word32)fread(sapkiBuf, 1, sapkiSz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
XMEMSET(altPrivBuf, 0, altPrivSz);
ExpectNotNull(file = fopen(altPrivFile, "rb"));
ExpectIntGT(altPrivSz = (word32)fread(altPrivBuf, 1, altPrivSz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
wc_ecc_init(&altCaKey);
idx = 0;
ExpectIntEQ(wc_EccPrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
(word32)altPrivSz), 0);
XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
ExpectIntGT(altSigAlgSz = SetAlgoID(CTC_SHA256wECDSA, altSigAlgBuf,
oidSigType, 0), 0);
wc_InitCert(&newCert);
strncpy(newCert.subject.country, "US", CTC_NAME_SIZE);
strncpy(newCert.subject.state, "MT", CTC_NAME_SIZE);
strncpy(newCert.subject.locality, "Bozeman", CTC_NAME_SIZE);
strncpy(newCert.subject.org, "wolfSSL", CTC_NAME_SIZE);
strncpy(newCert.subject.unit, "Engineering", CTC_NAME_SIZE);
strncpy(newCert.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
strncpy(newCert.subject.email, "root@wolfssl.com", CTC_NAME_SIZE);
strncpy((char*)newCert.beforeDate, "\x18\x0f""20250101000000Z",
CTC_DATE_SIZE);
newCert.beforeDateSz = 17;
strncpy((char*)newCert.afterDate, "\x18\x0f""20493112115959Z",
CTC_DATE_SIZE);
newCert.afterDateSz = 17;
newCert.sigType = CTC_SHA256wRSA;
newCert.isCA = 1;
/* Set criticality of basic constraint extension if requested */
if (setCrit) {
newCert.basicConstCrit = 1;
}
/* Set pathlen if requested */
if (setPathLen) {
newCert.pathLen = pathLen;
newCert.pathLenSet = 1;
}
ExpectIntEQ(wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
(const byte *)"This is NOT a critical extension", 32), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.72", sapkiBuf,
sapkiSz), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.73",
altSigAlgBuf, altSigAlgSz), 0);
XMEMSET(scratchBuf, 0, scratchSz);
ExpectIntGT(scratchSz = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz,
&caKey, &rng), 0);
wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
ExpectIntEQ(wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL), 0);
XMEMSET(preTbsBuf, 0, preTbsSz);
ExpectIntGT(preTbsSz = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz), 0);
XMEMSET(altSigValBuf, 0, altSigValSz);
ExpectIntGT(altSigValSz = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz,
CTC_SHA256wECDSA, preTbsBuf, preTbsSz, ECC_TYPE, &altCaKey,
&rng), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.74",
altSigValBuf, altSigValSz), 0);
/* Finally, generate the new certificate. */
if (outBuf != NULL) {
XMEMSET(outBuf, 0, outSz);
ExpectIntGT(outSz = wc_MakeSelfCert(&newCert, outBuf, outSz, &caKey,
&rng), 0);
*out = outBuf;
}
else {
outSz = 0;
}
wc_FreeDecodedCert(&preTBS);
wc_ecc_free(&altCaKey);
wc_FreeRsaKey(&caKey);
wc_FreeRng(&rng);
return (int)outSz;
}
/**
* Function to generate a server certificate with dual algorithm support and
* configurable criticality for extensions and path length constraints.
*
* @param out [out] Pointer to store the generated certificate
* @param caKeyFile [in] Path to the CA key file
* @param sapkiFile [in] Path to the subject alternative public key info file
* @param altPrivFile [in] Path to the alternative private key file
* @param serverKeyFile [in] Path to the server key file
* @param caCertBuf [in] Buffer containing the CA certificate
* @param caCertSz [in] Size of the CA certificate buffer
* @param setCrit [in] Flag to set criticality of extensions (1=critical, 0=non-critical)
* @param setPathLen [in] Flag to set path length constraint (1=set, 0=don't set)
* @param pathLen [in] Path length value (only used if setPathLen=1)
* @return Size of the generated certificate or negative on error
*/
static int do_dual_alg_server_certgen_crit(byte **out, char *caKeyFile,
char *sapkiFile, char *altPrivFile,
char *serverKeyFile,
byte *caCertBuf, int caCertSz,
int setCrit)
{
EXPECT_DECLS;
FILE* file = NULL;
Cert newCert;
DecodedCert preTBS;
byte serverKeyBuf[LARGE_TEMP_SZ];
word32 serverKeySz = LARGE_TEMP_SZ;
byte caKeyBuf[LARGE_TEMP_SZ];
word32 caKeySz = LARGE_TEMP_SZ;
byte sapkiBuf[LARGE_TEMP_SZ];
word32 sapkiSz = LARGE_TEMP_SZ;
byte altPrivBuf[LARGE_TEMP_SZ];
word32 altPrivSz = LARGE_TEMP_SZ;
byte altSigAlgBuf[LARGE_TEMP_SZ];
word32 altSigAlgSz = LARGE_TEMP_SZ;
byte scratchBuf[LARGE_TEMP_SZ];
word32 scratchSz = LARGE_TEMP_SZ;
byte preTbsBuf[LARGE_TEMP_SZ];
word32 preTbsSz = LARGE_TEMP_SZ;
byte altSigValBuf[LARGE_TEMP_SZ];
word32 altSigValSz = LARGE_TEMP_SZ;
byte *outBuf = NULL;
word32 outSz = LARGE_TEMP_SZ;
WC_RNG rng;
RsaKey caKey;
RsaKey serverKey;
ecc_key altCaKey;
word32 idx = 0;
XMEMSET(&rng, 0, sizeof(WC_RNG));
XMEMSET(&caKey, 0, sizeof(RsaKey));
XMEMSET(&serverKey, 0, sizeof(RsaKey));
XMEMSET(&altCaKey, 0, sizeof(ecc_key));
ExpectNotNull(outBuf = (byte*)XMALLOC(outSz, NULL,
DYNAMIC_TYPE_TMP_BUFFER));
ExpectIntEQ(wc_InitRng(&rng), 0);
XMEMSET(serverKeyBuf, 0, serverKeySz);
ExpectNotNull(file = fopen(serverKeyFile, "rb"));
ExpectIntGT(serverKeySz = (word32)fread(serverKeyBuf, 1, serverKeySz, file),
0);
if (file) {
fclose(file);
file = NULL;
}
ExpectIntEQ(wc_InitRsaKey_ex(&serverKey, NULL, INVALID_DEVID), 0);
idx = 0;
ExpectIntEQ(wc_RsaPrivateKeyDecode(serverKeyBuf, &idx, &serverKey,
serverKeySz), 0);
XMEMSET(caKeyBuf, 0, caKeySz);
ExpectNotNull(file = fopen(caKeyFile, "rb"));
ExpectIntGT(caKeySz = (word32)fread(caKeyBuf, 1, caKeySz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
ExpectIntEQ(wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID), 0);
idx = 0;
ExpectIntEQ(wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, caKeySz), 0);
XMEMSET(sapkiBuf, 0, sapkiSz);
ExpectNotNull(file = fopen(sapkiFile, "rb"));
ExpectIntGT(sapkiSz = (word32)fread(sapkiBuf, 1, sapkiSz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
XMEMSET(altPrivBuf, 0, altPrivSz);
ExpectNotNull(file = fopen(altPrivFile, "rb"));
ExpectIntGT(altPrivSz = (word32)fread(altPrivBuf, 1, altPrivSz, file), 0);
if (file) {
fclose(file);
file = NULL;
}
wc_ecc_init(&altCaKey);
idx = 0;
ExpectIntEQ(wc_EccPrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
(word32)altPrivSz), 0);
XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
ExpectIntGT(altSigAlgSz = SetAlgoID(CTC_SHA256wECDSA, altSigAlgBuf,
oidSigType, 0), 0);
wc_InitCert(&newCert);
strncpy(newCert.subject.country, "US", CTC_NAME_SIZE);
strncpy(newCert.subject.state, "MT", CTC_NAME_SIZE);
strncpy(newCert.subject.locality, "Bozeman", CTC_NAME_SIZE);
strncpy(newCert.subject.org, "wolfSSL", CTC_NAME_SIZE);
strncpy(newCert.subject.unit, "Engineering", CTC_NAME_SIZE);
strncpy(newCert.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
strncpy(newCert.subject.email, "server@wolfssl.com", CTC_NAME_SIZE);
strncpy((char*)newCert.beforeDate, "\x18\x0f""20250101000000Z",
CTC_DATE_SIZE);
newCert.beforeDateSz = 17;
strncpy((char*)newCert.afterDate, "\x18\x0f""20493112115959Z",
CTC_DATE_SIZE);
newCert.afterDateSz = 17;
newCert.sigType = CTC_SHA256wRSA;
newCert.isCA = 0;
ExpectIntEQ(wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.72", sapkiBuf,
sapkiSz), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.73",
altSigAlgBuf, altSigAlgSz), 0);
XMEMSET(scratchBuf, 0, scratchSz);
ExpectIntGT(wc_MakeCert(&newCert, scratchBuf, scratchSz, &serverKey, NULL,
&rng), 0);
ExpectIntGT(scratchSz = wc_SignCert(newCert.bodySz, newCert.sigType,
scratchBuf, scratchSz, &caKey, NULL, &rng), 0);
wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
ExpectIntEQ(wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL), 0);
XMEMSET(preTbsBuf, 0, preTbsSz);
ExpectIntGT(preTbsSz = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz), 0);
XMEMSET(altSigValBuf, 0, altSigValSz);
ExpectIntGT(altSigValSz = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz,
CTC_SHA256wECDSA, preTbsBuf, preTbsSz, ECC_TYPE, &altCaKey,
&rng), 0);
ExpectIntEQ(wc_SetCustomExtension(&newCert, setCrit, "2.5.29.74",
altSigValBuf, altSigValSz), 0);
/* Finally, generate the new certificate. */
if (outBuf != NULL) {
XMEMSET(outBuf, 0, outSz);
ExpectIntGT(outSz = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
outSz, &caKey, NULL, &rng), 0);
*out = outBuf;
}
else {
outSz = 0;
}
wc_FreeDecodedCert(&preTBS);
wc_ecc_free(&altCaKey);
wc_FreeRsaKey(&serverKey);
wc_FreeRsaKey(&caKey);
wc_FreeRng(&rng);
return (int)outSz;
}
/**
* Test dual-alg ECDSA + ML-DSA with critical extensions and path length
* constraints:
* - keygen + certgen
*
* TLS tests not designed to pass with these extensions marked critical. No
* TLS connection.
* */
static int test_dual_alg_crit_ext_support(void)
{
EXPECT_DECLS;
/* Root CA and server keys will be the same. This is only appropriate for
* testing. */
char keyFile[] = "./certs/ca-key.der";
char sapkiFile[] = "./certs/ecc-keyPub.der";
char altPrivFile[] = "./certs/ecc-key.der";
byte *serverKey = NULL;
size_t serverKeySz = 0;
byte *root = NULL;
int rootSz = 0;
byte *server = NULL;
int serverSz = 0;
ExpectIntEQ(load_file(keyFile, &serverKey, &serverKeySz), 0);
/* Test with critical extensions and pathlen set to 1 */
if (EXPECT_SUCCESS()) {
rootSz = do_dual_alg_root_certgen_crit(&root, keyFile, sapkiFile,
altPrivFile, 1, 1, 1);
}
ExpectNotNull(root);
ExpectIntGT(rootSz, 0);
if (EXPECT_SUCCESS()) {
serverSz = do_dual_alg_server_certgen_crit(&server, keyFile, sapkiFile,
altPrivFile, keyFile, root, rootSz, 1);
}
ExpectNotNull(server);
ExpectIntGT(serverSz, 0);
XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
root = NULL;
XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);
server = NULL;
/* Test with critical extensions and pathlen set to 0 */
if (EXPECT_SUCCESS()) {
rootSz = do_dual_alg_root_certgen_crit(&root, keyFile, sapkiFile,
altPrivFile, 1, 1, 0);
}
ExpectNotNull(root);
ExpectIntGT(rootSz, 0);
if (EXPECT_SUCCESS()) {
serverSz = do_dual_alg_server_certgen_crit(&server, keyFile, sapkiFile,
altPrivFile, keyFile, root, rootSz, 1);
}
ExpectNotNull(server);
ExpectIntGT(serverSz, 0);
XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
root = NULL;
XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);
server = NULL;
/* Test with critical alt extensions and no pathlen set */
if (EXPECT_SUCCESS()) {
rootSz = do_dual_alg_root_certgen_crit(&root, keyFile, sapkiFile,
altPrivFile, 1, 0, 0);
}
ExpectNotNull(root);
ExpectIntGT(rootSz, 0);
if (EXPECT_SUCCESS()) {
serverSz = do_dual_alg_server_certgen_crit(&server, keyFile, sapkiFile,
altPrivFile, keyFile, root, rootSz, 0);
}
ExpectNotNull(server);
ExpectIntGT(serverSz, 0);
XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);
free(serverKey);
return EXPECT_RESULT();
}
static int test_dual_alg_support(void) static int test_dual_alg_support(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
@ -1309,6 +1704,12 @@ static int test_dual_alg_support(void)
{ {
return TEST_SKIPPED; return TEST_SKIPPED;
} }
static int test_dual_alg_crit_ext_support(void)
{
return TEST_SKIPPED;
}
#endif /* WOLFSSL_DUAL_ALG_CERTS && !NO_FILESYSTEM */ #endif /* WOLFSSL_DUAL_ALG_CERTS && !NO_FILESYSTEM */
/** /**
@ -89628,6 +90029,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_Init), TEST_DECL(test_wolfSSL_Init),
TEST_DECL(test_dual_alg_support), TEST_DECL(test_dual_alg_support),
TEST_DECL(test_dual_alg_crit_ext_support),
TEST_DECL(test_dual_alg_ecdsa_mldsa), TEST_DECL(test_dual_alg_ecdsa_mldsa),

54
wolfcrypt/src/asn.c
View File

@ -21509,16 +21509,19 @@ static int DecodeExtensionType(const byte* input, word32 length, word32 oid,
#ifdef WOLFSSL_DUAL_ALG_CERTS #ifdef WOLFSSL_DUAL_ALG_CERTS
case SUBJ_ALT_PUB_KEY_INFO_OID: case SUBJ_ALT_PUB_KEY_INFO_OID:
VERIFY_AND_SET_OID(cert->extSapkiSet); VERIFY_AND_SET_OID(cert->extSapkiSet);
cert->extSapkiCrit = critical ? 1 : 0;
if (DecodeSubjAltPubKeyInfo(&input[idx], length, cert) < 0) if (DecodeSubjAltPubKeyInfo(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;
case ALT_SIG_ALG_OID: case ALT_SIG_ALG_OID:
VERIFY_AND_SET_OID(cert->extAltSigAlgSet); VERIFY_AND_SET_OID(cert->extAltSigAlgSet);
cert->extAltSigAlgCrit = critical ? 1 : 0;
if (DecodeAltSigAlg(&input[idx], length, cert) < 0) if (DecodeAltSigAlg(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;
case ALT_SIG_VAL_OID: case ALT_SIG_VAL_OID:
VERIFY_AND_SET_OID(cert->extAltSigValSet); VERIFY_AND_SET_OID(cert->extAltSigValSet);
cert->extAltSigValCrit = critical ? 1 : 0;
if (DecodeAltSigVal(&input[idx], length, cert) < 0) if (DecodeAltSigVal(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;
@ -28982,6 +28985,7 @@ static const ASNItem static_certExtsASN[] = {
/* Basic Constraints Extension - 4.2.1.9 */ /* Basic Constraints Extension - 4.2.1.9 */
/* BC_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, /* BC_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
/* BC_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 }, /* BC_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
/* BC_CRIT */ { 1, ASN_BOOLEAN, 0, 0, 0 },
/* BC_STR */ { 1, ASN_OCTET_STRING, 0, 1, 0 }, /* BC_STR */ { 1, ASN_OCTET_STRING, 0, 1, 0 },
/* BC_STR_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, /* BC_STR_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 },
/* cA */ /* cA */
@ -29030,12 +29034,15 @@ static const ASNItem static_certExtsASN[] = {
#ifdef WOLFSSL_DUAL_ALG_CERTS #ifdef WOLFSSL_DUAL_ALG_CERTS
/* SAPKI_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, /* SAPKI_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
/* SAPKI_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 }, /* SAPKI_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
/* SAPKI_CRIT */ { 1, ASN_BOOLEAN, 0, 0, 0 },
/* SAPKI_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, /* SAPKI_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 },
/* ALTSIGALG_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, /* ALTSIGALG_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
/* ALTSIGALG_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 }, /* ALTSIGALG_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
/* ALTSIGALG_CRIT*/ { 1, ASN_BOOLEAN, 0, 0, 0 },
/* ALTSIGALG_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, /* ALTSIGALG_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 },
/* ALTSIGVAL_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, /* ALTSIGVAL_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
/* ALTSIGVAL_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 }, /* ALTSIGVAL_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
/* ALTSIGVAL_CRIT*/ { 1, ASN_BOOLEAN, 0, 0, 0 },
/* ALTSIGVAL_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, /* ALTSIGVAL_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 },
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
/* CUSTOM_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, /* CUSTOM_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
@ -29045,6 +29052,7 @@ static const ASNItem static_certExtsASN[] = {
enum { enum {
CERTEXTSASN_IDX_BC_SEQ = 0, CERTEXTSASN_IDX_BC_SEQ = 0,
CERTEXTSASN_IDX_BC_OID, CERTEXTSASN_IDX_BC_OID,
CERTEXTSASN_IDX_BC_CRIT,
CERTEXTSASN_IDX_BC_STR, CERTEXTSASN_IDX_BC_STR,
CERTEXTSASN_IDX_BC_STR_SEQ, CERTEXTSASN_IDX_BC_STR_SEQ,
CERTEXTSASN_IDX_BC_CA, CERTEXTSASN_IDX_BC_CA,
@ -29084,12 +29092,15 @@ enum {
#ifdef WOLFSSL_DUAL_ALG_CERTS #ifdef WOLFSSL_DUAL_ALG_CERTS
CERTEXTSASN_IDX_SAPKI_SEQ, CERTEXTSASN_IDX_SAPKI_SEQ,
CERTEXTSASN_IDX_SAPKI_OID, CERTEXTSASN_IDX_SAPKI_OID,
CERTEXTSASN_IDX_SAPKI_CRIT,
CERTEXTSASN_IDX_SAPKI_STR, CERTEXTSASN_IDX_SAPKI_STR,
CERTEXTSASN_IDX_ALTSIGALG_SEQ, CERTEXTSASN_IDX_ALTSIGALG_SEQ,
CERTEXTSASN_IDX_ALTSIGALG_OID, CERTEXTSASN_IDX_ALTSIGALG_OID,
CERTEXTSASN_IDX_ALTSIGALG_CRIT,
CERTEXTSASN_IDX_ALTSIGALG_STR, CERTEXTSASN_IDX_ALTSIGALG_STR,
CERTEXTSASN_IDX_ALTSIGVAL_SEQ, CERTEXTSASN_IDX_ALTSIGVAL_SEQ,
CERTEXTSASN_IDX_ALTSIGVAL_OID, CERTEXTSASN_IDX_ALTSIGVAL_OID,
CERTEXTSASN_IDX_ALTSIGVAL_CRIT,
CERTEXTSASN_IDX_ALTSIGVAL_STR, CERTEXTSASN_IDX_ALTSIGVAL_STR,
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
CERTEXTSASN_IDX_CUSTOM_SEQ, CERTEXTSASN_IDX_CUSTOM_SEQ,
@ -29181,6 +29192,12 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
/* Set Basic Constraints to be a Certificate Authority. */ /* Set Basic Constraints to be a Certificate Authority. */
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 1); SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 1);
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID)); SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
if (cert->basicConstCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_BC_CRIT].noOut = 1;
}
if (cert->pathLenSet if (cert->pathLenSet
#ifdef WOLFSSL_CERT_EXT #ifdef WOLFSSL_CERT_EXT
&& ((cert->keyUsage & KEYUSE_KEY_CERT_SIGN) || (!cert->keyUsage)) && ((cert->keyUsage & KEYUSE_KEY_CERT_SIGN) || (!cert->keyUsage))
@ -29197,12 +29214,24 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
else if (cert->isCaSet) { else if (cert->isCaSet) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 0); SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 0);
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID)); SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
if (cert->basicConstCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_BC_CRIT].noOut = 1;
}
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1; dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
} }
#endif #endif
else if (cert->basicConstSet) { else if (cert->basicConstSet) {
/* Set Basic Constraints to be a non Certificate Authority. */ /* Set Basic Constraints to be a non Certificate Authority. */
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID)); SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
if (cert->basicConstCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_BC_CRIT].noOut = 1;
}
dataASN[CERTEXTSASN_IDX_BC_CA].noOut = 1; dataASN[CERTEXTSASN_IDX_BC_CA].noOut = 1;
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1; dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
} }
@ -29369,9 +29398,16 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
#ifdef WOLFSSL_DUAL_ALG_CERTS #ifdef WOLFSSL_DUAL_ALG_CERTS
if (cert->sapkiDer != NULL) { if (cert->sapkiDer != NULL) {
/* Set subject alternative public key info OID and data. */ /* Set subject alternative public key info OID, criticality and
* data. */
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAPKI_OID], sapkiOID, SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAPKI_OID], sapkiOID,
sizeof(sapkiOID)); sizeof(sapkiOID));
if (cert->sapkiCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_SAPKI_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_SAPKI_CRIT].noOut = 1;
}
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAPKI_STR], cert->sapkiDer, SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAPKI_STR], cert->sapkiDer,
cert->sapkiLen); cert->sapkiLen);
} }
@ -29382,9 +29418,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
} }
if (cert->altSigAlgDer != NULL) { if (cert->altSigAlgDer != NULL) {
/* Set alternative signature algorithm OID and data. */ /* Set alternative signature algorithm OID, criticality and data. */
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGALG_OID], altSigAlgOID, SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGALG_OID], altSigAlgOID,
sizeof(altSigAlgOID)); sizeof(altSigAlgOID));
if (cert->altSigAlgCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_ALTSIGALG_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_ALTSIGALG_CRIT].noOut = 1;
}
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGALG_STR], SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGALG_STR],
cert->altSigAlgDer, cert->altSigAlgLen); cert->altSigAlgDer, cert->altSigAlgLen);
} }
@ -29395,9 +29437,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
} }
if (cert->altSigValDer != NULL) { if (cert->altSigValDer != NULL) {
/* Set alternative signature value OID and data. */ /* Set alternative signature value OID, criticality and data. */
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGVAL_OID], altSigValOID, SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGVAL_OID], altSigValOID,
sizeof(altSigValOID)); sizeof(altSigValOID));
if (cert->altSigValCrit) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_ALTSIGVAL_CRIT], 1);
}
else {
dataASN[CERTEXTSASN_IDX_ALTSIGVAL_CRIT].noOut = 1;
}
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGVAL_STR], SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_ALTSIGVAL_STR],
cert->altSigValDer, cert->altSigValLen); cert->altSigValDer, cert->altSigValLen);
} }

5
wolfssl/internal.h
View File

@ -5410,6 +5410,7 @@ struct WOLFSSL_X509 {
byte keyUsageCrit:1; byte keyUsageCrit:1;
byte extKeyUsageCrit:1; byte extKeyUsageCrit:1;
byte subjKeyIdSet:1; byte subjKeyIdSet:1;
byte pathLengthSet:1;
byte subjKeyIdCrit:1; byte subjKeyIdCrit:1;
byte basicConstSet:1; byte basicConstSet:1;
@ -5462,6 +5463,10 @@ struct WOLFSSL_X509 {
/* Alternative Signature Value */ /* Alternative Signature Value */
byte *altSigValDer; byte *altSigValDer;
int altSigValLen; int altSigValLen;
byte sapkiCrit:1;
byte altSigAlgCrit:1;
byte altSigValCrit:1;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
}; };

12
wolfssl/wolfcrypt/asn.h
View File

@ -2133,11 +2133,6 @@ struct DecodedCert {
#ifdef WOLFSSL_SUBJ_INFO_ACC #ifdef WOLFSSL_SUBJ_INFO_ACC
WC_BITFIELD extSubjInfoAccSet:1; WC_BITFIELD extSubjInfoAccSet:1;
#endif #endif
#ifdef WOLFSSL_DUAL_ALG_CERTS
WC_BITFIELD extSapkiSet:1;
WC_BITFIELD extAltSigAlgSet:1;
WC_BITFIELD extAltSigValSet:1;
#endif /* WOLFSSL_DUAL_ALG_CERTS */
#ifdef WOLFSSL_SEP #ifdef WOLFSSL_SEP
WC_BITFIELD extCertPolicyCrit:1; WC_BITFIELD extCertPolicyCrit:1;
#endif #endif
@ -2164,6 +2159,13 @@ struct DecodedCert {
/* Alternative Signature Value */ /* Alternative Signature Value */
byte *altSigValDer; byte *altSigValDer;
int altSigValLen; int altSigValLen;
WC_BITFIELD extSapkiSet:1;
WC_BITFIELD extAltSigAlgSet:1;
WC_BITFIELD extAltSigValSet:1;
WC_BITFIELD extSapkiCrit:1;
WC_BITFIELD extAltSigAlgCrit:1;
WC_BITFIELD extAltSigValCrit:1;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
}; };

4
wolfssl/wolfcrypt/asn_public.h
View File

@ -527,12 +527,15 @@ typedef struct Cert {
/* Subject Alternative Public Key Info */ /* Subject Alternative Public Key Info */
byte *sapkiDer; byte *sapkiDer;
int sapkiLen; int sapkiLen;
byte sapkiCrit;
/* Alternative Signature Algorithm */ /* Alternative Signature Algorithm */
byte *altSigAlgDer; byte *altSigAlgDer;
int altSigAlgLen; int altSigAlgLen;
byte altSigAlgCrit;
/* Alternative Signature Value */ /* Alternative Signature Value */
byte *altSigValDer; byte *altSigValDer;
int altSigValLen; int altSigValLen;
byte altSigValCrit;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
#ifdef WOLFSSL_CERT_REQ #ifdef WOLFSSL_CERT_REQ
char challengePw[CTC_NAME_SIZE]; char challengePw[CTC_NAME_SIZE];
@ -551,6 +554,7 @@ typedef struct Cert {
byte* der; /* Pointer to buffer of current DecodedCert cache */ byte* der; /* Pointer to buffer of current DecodedCert cache */
void* heap; /* heap hint */ void* heap; /* heap hint */
WC_BITFIELD basicConstSet:1; /* Indicator for when Basic Constraint is set */ WC_BITFIELD basicConstSet:1; /* Indicator for when Basic Constraint is set */
byte basicConstCrit; /* Indicator of criticality of Basic Constraints extension */
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE #ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
WC_BITFIELD isCaSet:1; /* Indicator for when isCA is set */ WC_BITFIELD isCaSet:1; /* Indicator for when isCA is set */
#endif #endif