diff --git a/src/ssl.c b/src/ssl.c index 47ff87855..5db86f8b1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -23163,6 +23163,8 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) } #endif +#endif /* OPENSSL_EXTRA */ + #endif /* !NO_CERTS */ #ifdef OPENSSL_EXTRA @@ -39739,7 +39741,7 @@ cleanup: * WOLFSSL_X509 with the newly signed buffer. * returns size of signed buffer on success and negative values on fail */ - static int wolfSSL_X509_resign_cert(WOLFSSL_X509* x509, + static int wolfSSL_X509_resign_cert(WOLFSSL_X509* x509, int req, unsigned char* der, int derSz, int certBodySz, WOLFSSL_EVP_MD* md, WOLFSSL_EVP_PKEY* pkey) { @@ -39818,6 +39820,20 @@ cleanup: XMEMCPY(x509->sig.buffer, der + idx, len); x509->sig.length = len; } + + /* Put in the new certificate encoding into the x509 object. */ + FreeDer(&x509->derCert); + type = CERT_TYPE; + #ifdef WOLFSSL_CERT_REQ + if (req) { + type = CERTREQ_TYPE; + } + #endif + if (AllocDer(&x509->derCert, derSz, type, NULL) != 0) + return WOLFSSL_FATAL_ERROR; + XMEMCPY(x509->derCert->buffer, der, derSz); + x509->derCert->length = derSz; + return ret; } @@ -41102,30 +41118,7 @@ err: WOLFSSL_MSG("loc entry not found"); return NULL; } - - if (loc <= DN_NAMES_MAX + name->fullName.dcNum) { - XMEMMOVE(&name->fullName.loc[loc], &name->fullName.loc[loc+1], - DN_NAMES_MAX + name->fullName.dcNum - loc - 1); - if (name->fullName.dcNum > 0) - name->fullName.dcNum--; - } - else if (name->fullName.dcMode) { - if (name->fullName.fullName != NULL) { - if (loc == name->fullName.dcNum) { - name->fullName.dcNum = 0; - } - else { - name->fullName.dcIdx[loc] = -1; - } - } - } - else if (loc == name->fullName.cnIdx && name->x509 != NULL) { - name->fullName.cnIdx = -1; - } - else { - WOLFSSL_MSG("Couldn't find name entry"); - } - + name->entry[loc].set = 0; return ret; } #endif /* !NO_CERTS */ @@ -42013,37 +42006,7 @@ err: if (name->entry[loc].set) { return &name->entry[loc]; } - /* DC component */ - if (name->fullName.dcMode) { - if (name->fullName.fullName != NULL){ - if (loc == name->fullName.dcNum){ - name->cnEntry.data.data - = &name->fullName.fullName[name->fullName.cIdx]; - name->cnEntry.data.length = name->fullName.cLen; - name->cnEntry.nid = ASN_COUNTRY_NAME; - } - else if (name->fullName.dcIdx[loc] >= 0) { - name->cnEntry.data.data - = &name->fullName.fullName[name->fullName.dcIdx[loc]]; - name->cnEntry.data.length = name->fullName.dcLen[loc]; - name->cnEntry.nid = ASN_DOMAIN_COMPONENT; - } - else { - WOLFSSL_MSG("loc passed in is not in range of parsed DN's"); - return NULL; - } - } - name->cnEntry.data.type = CTC_UTF8; - /* common name index case */ - } else if (loc == name->fullName.cnIdx && name->x509 != NULL) { - /* get CN shortcut from x509 since it has null terminator */ - name->cnEntry.data.data = name->x509->subjectCN; - name->cnEntry.data.length = name->fullName.cnLen; - name->cnEntry.data.type = CTC_UTF8; - name->cnEntry.nid = ASN_COMMON_NAME; - name->cnEntry.set = 1; - } else { - WOLFSSL_MSG("loc passed in is not in range of parsed DN's"); + else { return NULL; } } @@ -46340,38 +46303,6 @@ WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *ssl) #endif /* NO_SESSION_CACHE */ -int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen, - unsigned int flags, char **peername) -{ - int ret; - DecodedCert dCert; - - WOLFSSL_ENTER("wolfSSL_X509_check_host"); - - /* flags and peername not needed for Nginx. */ - (void)flags; - (void)peername; - - if (flags == WOLFSSL_NO_WILDCARDS) { - WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); - return WOLFSSL_FAILURE; - } - - InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); - if (ret != 0) { - FreeDecodedCert(&dCert); - return WOLFSSL_FAILURE; - } - - ret = CheckHostName(&dCert, (char *)chk, chklen); - FreeDecodedCert(&dCert); - if (ret != 0) - return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} - -#ifndef NO_BIO int wolfSSL_a2i_ASN1_INTEGER(WOLFSSL_BIO *bio, WOLFSSL_ASN1_INTEGER *asn1, char *buf, int size) { @@ -51361,7 +51292,7 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, return WOLFSSL_FAILURE; } - if (wolfSSL_X509_resign_cert(req, der, sizeof(der), derSz, + if (wolfSSL_X509_resign_cert(req, 1, der, sizeof(der), derSz, (WOLFSSL_EVP_MD*)md, pkey) <= 0) { return WOLFSSL_FAILURE; } diff --git a/tests/api.c b/tests/api.c index 24278065c..0687d3369 100644 --- a/tests/api.c +++ b/tests/api.c @@ -38827,12 +38827,12 @@ static void test_wolfSSL_ASN1_get_object(void) /* Read a couple TLV triplets and make sure they match the expected values */ AssertIntEQ(ASN1_get_object(&derBuf, &asnLen, &tag, &class, len) & 0x80, 0); - AssertIntEQ(asnLen, 831); + AssertIntEQ(asnLen, 863); AssertIntEQ(tag, 0x10); AssertIntEQ(class, 0); AssertIntEQ(ASN1_get_object(&derBuf, &asnLen, &tag, &class, asnLen) & 0x80, 0); - AssertIntEQ(asnLen, 741); + AssertIntEQ(asnLen, 772); AssertIntEQ(tag, 0x10); AssertIntEQ(class, 0); diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 0b097c1ca..faa2abf73 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -411,6 +411,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_get_ext_by_NID wolfSSL_X509_get_ext_by_NID #define X509_get_issuer_name wolfSSL_X509_get_issuer_name #define X509_issuer_name_hash wolfSSL_X509_issuer_name_hash +#define X509_subject_name_hash wolfSSL_X509_subject_name_hash #define X509_get_subject_name wolfSSL_X509_get_subject_name #define X509_REQ_get_subject_name wolfSSL_X509_get_subject_name #define X509_get_pubkey wolfSSL_X509_get_pubkey