diff --git a/certs/crl/crl2.pem b/certs/crl/crl2.pem
new file mode 100644
index 000000000..e357de068
--- /dev/null
+++ b/certs/crl/crl2.pem
@@ -0,0 +1,80 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Aug 11 20:07:38 2016 GMT + Next Update: May 8 20:07:38 2019 GMT + CRL extensions: + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 02 + Revocation Date: Aug 11 20:07:38 2016 GMT + Signature Algorithm: sha256WithRSAEncryption + 35:c6:7f:57:9a:e5:86:5a:15:1a:e2:e5:2b:9f:54:79:2a:58: + 51:a2:12:0c:4e:53:58:eb:99:e3:c2:ee:2b:d7:23:e4:3c:4d: + 0a:ab:ae:71:9b:ce:b1:c1:75:a1:b6:e5:32:5f:10:b0:72:28: + 2e:74:b1:99:dd:47:53:20:f6:9a:83:5c:bd:20:b0:aa:df:32: + f6:95:54:98:9e:59:96:55:7b:0a:74:be:94:66:44:b7:32:82: + f0:eb:16:f8:30:86:16:9f:73:43:98:82:b5:5e:ad:58:c0:c8: + 79:da:ad:b1:b4:d7:fb:34:c1:cc:3a:67:af:a4:56:5a:70:5c: + 2d:1f:73:16:78:92:01:06:e3:2c:fb:f1:ba:d5:8f:f9:be:dd: + e1:4a:ce:de:ca:e6:2d:96:09:24:06:40:9e:10:15:2e:f2:cd: + 85:d6:84:88:db:9c:4a:7b:75:7a:06:0e:40:02:20:60:7e:91: + f7:92:53:1e:34:7a:ea:ee:df:e7:cd:a8:9e:a6:61:b4:56:50: + 4d:dc:b1:78:0d:86:cf:45:c3:a6:0a:b9:88:2c:56:a7:b1:d3: + d3:0d:44:aa:93:a4:05:4d:ce:9f:01:b0:c6:1e:e4:ea:6b:92: + 6f:93:dd:98:cf:fb:1d:06:72:ac:d4:99:e7:f2:b4:11:57:bd: + 9d:63:e5:dc +-----BEGIN X509 CRL----- +MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV +BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro +MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE2MDgxMTIwMDczOFoX +DTE5MDUwODIwMDczOFowFDASAgECFw0xNjA4MTEyMDA3MzhaoA4wDDAKBgNVHRQE +AwIBATANBgkqhkiG9w0BAQsFAAOCAQEANcZ/V5rlhloVGuLlK59UeSpYUaISDE5T +WOuZ48LuK9cj5DxNCquucZvOscF1obblMl8QsHIoLnSxmd1HUyD2moNcvSCwqt8y +9pVUmJ5ZllV7CnS+lGZEtzKC8OsW+DCGFp9zQ5iCtV6tWMDIedqtsbTX+zTBzDpn +r6RWWnBcLR9zFniSAQbjLPvxutWP+b7d4UrO3srmLZYJJAZAnhAVLvLNhdaEiNuc +Snt1egYOQAIgYH6R95JTHjR66u7f582onqZhtFZQTdyxeA2Gz0XDpgq5iCxWp7HT 
+0w1EqpOkBU3OnwGwxh7k6muSb5PdmM/7HQZyrNSZ5/K0EVe9nWPl3A== +-----END X509 CRL----- +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Aug 11 20:07:38 2016 GMT + Next Update: May 8 20:07:38 2019 GMT + CRL extensions: + X509v3 CRL Number: + 3 +No Revoked Certificates. + Signature Algorithm: sha256WithRSAEncryption + 14:85:d5:c8:db:62:74:48:94:5e:dc:52:0f:5e:43:8b:29:83: + 32:e0:7a:4c:5c:76:e3:7e:c1:87:74:40:b2:6f:f8:33:4c:2c: + 32:08:f0:5f:d9:85:b3:20:05:34:5d:15:4d:ba:45:bc:2d:9c: + ae:40:d0:d8:9a:b3:a1:4f:0b:94:ce:c4:23:c6:bf:a2:f8:a6: + 02:4c:6d:ad:5a:59:b3:83:55:dd:37:91:f6:75:d4:6f:83:5f: + 1c:29:94:cd:01:09:dc:38:d8:6c:c0:9f:1e:76:9d:f9:8f:70: + 0d:48:e5:99:82:90:3a:36:f1:33:17:69:73:8a:ee:a7:22:4c: + 58:93:a1:dc:59:b9:44:8f:88:99:0b:c4:d3:74:aa:02:9a:84: + 36:48:d8:a0:05:73:bc:14:32:1e:76:23:85:c5:94:56:b2:2c: + 61:3b:07:d7:bd:0c:27:f7:d7:23:40:bd:0c:6c:c7:e0:f7:28: + 74:67:98:20:93:72:16:b6:6e:67:3f:9e:c9:34:c5:64:09:bf: + b1:ab:87:0c:80:b6:1f:89:d8:0e:67:c2:c7:19:df:ee:9f:b2: + e6:fb:64:3d:82:7a:47:e2:8d:a3:93:1d:29:f6:94:db:83:2f: + b6:0a:a0:da:77:e3:56:ec:d7:d2:22:3c:88:4d:4a:87:de:b5: + 1c:eb:7b:08 +-----BEGIN X509 CRL----- +MIIB+DCB4QIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV +BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf +MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv +bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0xNjA4 +MTEyMDA3MzhaFw0xOTA1MDgyMDA3MzhaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG +9w0BAQsFAAOCAQEAFIXVyNtidEiUXtxSD15DiymDMuB6TFx2437Bh3RAsm/4M0ws +MgjwX9mFsyAFNF0VTbpFvC2crkDQ2JqzoU8LlM7EI8a/ovimAkxtrVpZs4NV3TeR +9nXUb4NfHCmUzQEJ3DjYbMCfHnad+Y9wDUjlmYKQOjbxMxdpc4rupyJMWJOh3Fm5 +RI+ImQvE03SqApqENkjYoAVzvBQyHnYjhcWUVrIsYTsH170MJ/fXI0C9DGzH4Pco +dGeYIJNyFrZuZz+eyTTFZAm/sauHDIC2H4nYDmfCxxnf7p+y5vtkPYJ6R+KNo5Md 
+KfaU24Mvtgqg2nfjVuzX0iI8iE1Kh961HOt7CA==
+-----END X509 CRL-----
diff --git a/certs/crl/include.am b/certs/crl/include.am
index 7adca3225..47f0d5a25 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -6,7 +6,8 @@ EXTRA_DIST += \
 certs/crl/crl.pem \
 certs/crl/cliCrl.pem \
 certs/crl/eccSrvCRL.pem \
- certs/crl/eccCliCRL.pem
+ certs/crl/eccCliCRL.pem \
+ certs/crl/crl2.pem
 EXTRA_DIST += \
 certs/crl/crl.revoked
diff --git a/certs/include.am b/certs/include.am
index 092c253e5..caf842465 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -53,7 +53,7 @@ EXTRA_DIST += \
 certs/server-ecc-comp.der \
 certs/server-ecc.der \
 certs/server-ecc-rsa.der \
- certs/server-cert-chain.der
+ certs/server-cert-chain.der
 dist_doc_DATA+= certs/taoCert.txt
diff --git a/src/crl.c b/src/crl.c
index bedf9718b..c27e7ca0c 100755
--- a/src/crl.c
+++ b/src/crl.c
@@ -293,7 +293,8 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
 /* Load CRL File of type, SSL_SUCCESS on ok */
-int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
+int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
+ int noVerify)
 {
 int ret = SSL_SUCCESS;
 const byte* myBuffer = buff; /* if DER ok, otherwise switch */
@@ -336,7 +337,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
 InitDecodedCRL(dcrl, crl->heap);
 ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
- if (ret != 0) {
+ if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {
 WOLFSSL_MSG("ParseCRL error");
 }
 else {
diff --git a/src/io.c b/src/io.c
index 5b7196011..8b9a9b960 100644
--- a/src/io.c
+++ b/src/io.c
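Review bot: The relaxed check `if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {` adds a CRL whose signer could not be found (that is what the error name suggests) without its signature ever having been verified, and nothing in this diff re-checks such an entry once the issuer certificate is loaded later; the only caller passing 1 is wolfSSL_X509_LOOKUP_load_file, so a PEM file that lists a CRL before its CA certificate leaves revocation state in the store that came from an unverified source. Either keep such entries flagged as unverified and re-verify them when the signer arrives, or at least state the contract in the header comment, e.g. `/* Load CRL buffer of type, SSL_SUCCESS on ok. noVerify != 0 accepts a CRL whose signer is not (yet) known, skipping signature verification; the caller must trust the source. */`. The matching prototype in wolfssl/crl.h should name the new parameter (`int noVerify`) instead of a bare `int`. BufferLoadCRL's body continues outside both hunks.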
@@ -1226,7 +1226,7 @@ int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
 result = wolfIO_HttpProcessResponse(sfd, "application/pkix-crl", &respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap);
 if (result >= 0) {
- result = BufferLoadCRL(crl, respBuf, result, SSL_FILETYPE_ASN1);
+ result = BufferLoadCRL(crl, respBuf, result, SSL_FILETYPE_ASN1, 0);
 }
 XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL);
diff --git a/src/ssl.c b/src/ssl.c
index 6ca8a7da7..da5a0d04c 100755
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4833,7 +4833,7 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 NULL) == 0) {
 WOLFSSL_MSG(" Proccessed a CRL");
 wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer,
- der->length,SSL_FILETYPE_ASN1);
+ der->length,SSL_FILETYPE_ASN1, 0);
 FreeDer(&der);
 used += info.consumed;
 continue;
@@ -4937,7 +4937,7 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
 }
 }
- return BufferLoadCRL(cm->crl, buff, sz, type);
+ return BufferLoadCRL(cm->crl, buff, sz, type, 0);
 }
@@ -5428,7 +5428,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
 ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl);
 #ifdef HAVE_CRL
 else if (type == CRL_TYPE)
- ret = BufferLoadCRL(crl, myBuffer, sz, format);
+ ret = BufferLoadCRL(crl, myBuffer, sz, format, 0);
 #endif
 else
 ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL,
@@ -14704,6 +14704,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
 XFILE fp;
 long sz;
 byte* pem = NULL;
+ byte* curr = NULL;
+ byte* prev = NULL;
 WOLFSSL_X509* x509;
 if (type != X509_FILETYPE_PEM)
@@ -14726,23 +14728,51 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
 goto end;
 }
- /* Read in file which may be a CRL or certificate. */
+ /* Read in file which may be CRLs or certificates. */
 if (XFREAD(pem, (size_t)sz, 1, fp) != 1)
 goto end;
- if (XSTRNSTR((char*)pem, BEGIN_X509_CRL, (unsigned int)sz) != NULL) {
+ prev = curr = pem;
+ do {
+ if (XSTRNSTR((char*)curr, BEGIN_X509_CRL, (unsigned int)sz) != NULL) {
 #ifdef HAVE_CRL
- ret = wolfSSL_CertManagerLoadCRLBuffer(lookup->store->cm, pem, sz,
- SSL_FILETYPE_PEM);
+ WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;
+
+ if (cm->crl == NULL) {
+ if (wolfSSL_CertManagerEnableCRL(cm, 0) != SSL_SUCCESS) {
+ WOLFSSL_MSG("Enable CRL failed");
+ goto end;
+ }
+ }
+
+ ret = BufferLoadCRL(cm->crl, curr, sz, SSL_FILETYPE_PEM, 1);
+ if (ret != SSL_SUCCESS)
+ goto end;
 #endif
+ curr = (byte*)XSTRNSTR((char*)curr, END_X509_CRL, (unsigned int)sz);
+ }
+ else if (XSTRNSTR((char*)curr, BEGIN_CERT, (unsigned int)sz) != NULL) {
+ x509 = wolfSSL_X509_load_certificate_buffer(curr, (int)sz,
+ SSL_FILETYPE_PEM);
+ if (x509 == NULL)
+ goto end;
+ ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509);
+ wolfSSL_X509_free(x509);
+ if (ret != SSL_SUCCESS)
+ goto end;
+ curr = (byte*)XSTRNSTR((char*)curr, END_CERT, (unsigned int)sz);
+ }
+ else
+ goto end;
+
+ if (curr == NULL)
+ goto end;
+
+ curr++;
+ sz -= curr - prev;
+ prev = curr;
 }
- else {
- x509 = wolfSSL_X509_load_certificate_buffer(pem, (int)sz,
- SSL_FILETYPE_PEM);
- if (x509 == NULL)
- goto end;
- ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509);
- }
+ while (ret == SSL_SUCCESS);
 end:
 if (pem != NULL)
diff --git a/tests/api.c b/tests/api.c
index 56226c40b..89f31c2c3 100644
--- a/tests/api.c
+++ b/tests/api.c
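Review bot: The branch choice `if (XSTRNSTR((char*)curr, BEGIN_X509_CRL, (unsigned int)sz) != NULL)` tests whether a CRL marker exists anywhere in the remaining buffer, not whether it is the next block, so a file holding a certificate followed by a CRL enters the CRL branch with `curr` still pointing at the certificate; whatever BufferLoadCRL makes of that prefix, `curr` is then advanced to END_X509_CRL and the certificate is never added to the store. Locating both BEGIN markers and dispatching on whichever comes first fixes the ordering, as sketched below. Separately, `if (curr == NULL) goto end;` after a successful load leaves `ret` at SSL_SUCCESS, so a file whose last block lacks its END marker is reported as fully loaded. The function begins before this hunk and the `end:` cleanup continues past it.
```c
    prev = curr = pem;
    do {
        /* Dispatch on whichever PEM block begins first; a CRL marker found
         * later in the buffer must not capture a certificate that precedes it. */
        char* crlBegin  = XSTRNSTR((char*)curr, BEGIN_X509_CRL, (unsigned int)sz);
        char* certBegin = XSTRNSTR((char*)curr, BEGIN_CERT, (unsigned int)sz);

        if (crlBegin != NULL && (certBegin == NULL || crlBegin < certBegin)) {
            /* … unchanged: HAVE_CRL block enabling CRL on cm and calling BufferLoadCRL … */
            curr = (byte*)XSTRNSTR((char*)curr, END_X509_CRL, (unsigned int)sz);
        }
        else if (certBegin != NULL) {
            /* … unchanged: load certificate, add to store, free x509 … */
            curr = (byte*)XSTRNSTR((char*)curr, END_CERT, (unsigned int)sz);
        }
        else
            goto end;
        /* … unchanged: NULL check on curr, advance curr/prev, shrink sz … */
    }
    while (ret == SSL_SUCCESS);
```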
@@ -2752,6 +2752,26 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
 !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
 }
+static void test_wolfSSL_X509_LOOKUP_load_file(void)
+{
+ #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
+ !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+ WOLFSSL_X509_STORE* store;
+ WOLFSSL_X509_LOOKUP* lookup;
+
+ printf(testingFmt, "wolfSSL_X509_LOOKUP_load_file()");
+
+ AssertNotNull(store = wolfSSL_X509_STORE_new());
+ AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+ AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem",
+ X509_FILETYPE_PEM), 1);
+ wolfSSL_X509_STORE_free(store);
+
+ printf(resultFmt, passed);
+ #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
+ !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
+}
+
 static void test_wolfSSL_BN(void)
 {
@@ -2837,7 +2857,6 @@ static void test_wolfSSL_set_options(void)
 !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
 }
-
 static void test_wolfSSL_PEM_read_bio(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
@@ -3426,6 +3445,7 @@ void ApiTest(void)
 test_wolfSSL_CTX_add_extra_chain_cert();
 test_wolfSSL_ERR_peek_last_error_line();
 test_wolfSSL_X509_STORE_set_flags();
+ test_wolfSSL_X509_LOOKUP_load_file();
 test_wolfSSL_BN();
 test_wolfSSL_set_options();
 test_wolfSSL_PEM_read_bio();
diff --git a/wolfssl/crl.h b/wolfssl/crl.h
index 9f20cc309..88e0f1098 100644
--- a/wolfssl/crl.h
+++ b/wolfssl/crl.h
@@ -38,7 +38,7 @@ WOLFSSL_LOCAL int InitCRL(WOLFSSL_CRL*, WOLFSSL_CERT_MANAGER*);
 WOLFSSL_LOCAL void FreeCRL(WOLFSSL_CRL*, int dynamic);
 WOLFSSL_LOCAL int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int mon);
-WOLFSSL_LOCAL int BufferLoadCRL(WOLFSSL_CRL*, const byte*, long, int);
+WOLFSSL_LOCAL int BufferLoadCRL(WOLFSSL_CRL*, const byte*, long, int, int);
 WOLFSSL_LOCAL int CheckCertCRL(WOLFSSL_CRL*, DecodedCert*);
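Review bot: test_wolfSSL_X509_LOOKUP_load_file only exercises a file containing CRLs (certs/crl/crl2.pem, added in this diff, holds two CRLs and no certificate), so neither the certificate branch of the new loop in wolfSSL_X509_LOOKUP_load_file nor the certificate-before-CRL ordering is covered, and the assertion `AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem", X509_FILETYPE_PEM), 1)` does not check what ended up in the store. Add a second case that loads a PEM file with a certificate followed by a CRL and then asserts the certificate is present in the store (and, under HAVE_CRL, that the CRL was loaded), plus one with a truncated trailing block expected to fail. A one-line comment on the test, e.g. `/* crl2.pem: two CRLs, no certificate; exercises the multi-block CRL path only */`, would make the current coverage explicit.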