X.509
1. Added stubs for the Extended Key Usage and Inhibit anyPolicy extensions. 2. Key Usage extension is decoded normally. 3. Certificate Policy extension is noted normally.pull/1/head
parent
4ac70de055
commit
bcd7f03495
@ -1280,6 +1280,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
|
||||||
cert->extSubjKeyIdSet = 0;
|
cert->extSubjKeyIdSet = 0;
|
||||||
XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE);
|
XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE);
|
||||||
cert->extAuthKeyIdSet = 0;
|
cert->extAuthKeyIdSet = 0;
|
||||||
|
cert->extKeyUsageSet = 0;
|
||||||
|
cert->extKeyUsage = 0;
|
||||||
cert->isCA = 0;
|
cert->isCA = 0;
|
||||||
#ifdef HAVE_PKCS7
|
#ifdef HAVE_PKCS7
|
||||||
cert->issuerRaw = NULL;
|
cert->issuerRaw = NULL;
|
||||||
|
@ -1316,9 +1318,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
|
||||||
cert->extSubjAltNameCrit = 0;
|
cert->extSubjAltNameCrit = 0;
|
||||||
cert->extAuthKeyIdCrit = 0;
|
cert->extAuthKeyIdCrit = 0;
|
||||||
cert->extSubjKeyIdCrit = 0;
|
cert->extSubjKeyIdCrit = 0;
|
||||||
cert->extKeyUsageSet = 0;
|
|
||||||
cert->extKeyUsageCrit = 0;
|
cert->extKeyUsageCrit = 0;
|
||||||
cert->extKeyUsage = 0;
|
|
||||||
cert->extAuthKeyIdSrc = NULL;
|
cert->extAuthKeyIdSrc = NULL;
|
||||||
cert->extAuthKeyIdSz = 0;
|
cert->extAuthKeyIdSz = 0;
|
||||||
cert->extSubjKeyIdSrc = NULL;
|
cert->extSubjKeyIdSrc = NULL;
|
||||||
|
@ -2950,11 +2950,13 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
|
||||||
int length = 0;
|
int length = 0;
|
||||||
|
|
||||||
CYASSL_ENTER("DecodeBasicCaConstraint");
|
CYASSL_ENTER("DecodeBasicCaConstraint");
|
||||||
if (GetSequence(input, &idx, &length, sz) < 0)
|
if (GetSequence(input, &idx, &length, sz) < 0) {
|
||||||
|
CYASSL_MSG("\tfail: bad SEQUENCE");
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
}
|
||||||
|
|
||||||
if (length == 0)
|
if (length == 0)
|
||||||
return ASN_PARSE_E;
|
return 0;
|
||||||
|
|
||||||
/* If the basic ca constraint is false, this extension may be named, but
|
/* If the basic ca constraint is false, this extension may be named, but
|
||||||
* left empty. So, if the length is 0, just return. */
|
* left empty. So, if the length is 0, just return. */
|
||||||
|
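Review bot: The comment explaining the `length == 0` early return (`/* If the basic ca constraint is false, this extension may be named, but left empty. ... */`) now trails the check it describes; moving it above `if (length == 0)` puts the reasoning where the decision is made. Returning 0 rather than `ASN_PARSE_E` is consistent with BasicConstraints' `cA DEFAULT FALSE` (DER omits default values), so an empty SEQUENCE leaves `cert->isCA` at the value InitDecodedCert gave it. DecodeBasicCaConstraint's body continues past the hunk and `idx` is declared outside it.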
@ -3205,37 +3207,35 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#ifdef OPENSSL_EXTRA
|
static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
|
||||||
static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
|
{
|
||||||
{
|
word32 idx = 0;
|
||||||
word32 idx = 0;
|
int length;
|
||||||
int length;
|
byte unusedBits;
|
||||||
byte unusedBits;
|
CYASSL_ENTER("DecodeKeyUsage");
|
||||||
CYASSL_ENTER("DecodeKeyUsage");
|
|
||||||
|
|
||||||
if (input[idx++] != ASN_BIT_STRING) {
|
if (input[idx++] != ASN_BIT_STRING) {
|
||||||
CYASSL_MSG("\tfail: key usage expected bit string");
|
CYASSL_MSG("\tfail: key usage expected bit string");
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
}
|
|
||||||
|
|
||||||
if (GetLength(input, &idx, &length, sz) < 0) {
|
|
||||||
CYASSL_MSG("\tfail: key usage bad length");
|
|
||||||
return ASN_PARSE_E;
|
|
||||||
}
|
|
||||||
|
|
||||||
unusedBits = input[idx++];
|
|
||||||
length--;
|
|
||||||
|
|
||||||
if (length == 2) {
|
|
||||||
cert->extKeyUsage = (word16)((input[idx] << 8) | input[idx+1]);
|
|
||||||
cert->extKeyUsage >>= unusedBits;
|
|
||||||
}
|
|
||||||
else if (length == 1)
|
|
||||||
cert->extKeyUsage = (word16)(input[idx] << 1);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
#endif /* OPENSSL_EXTRA */
|
|
||||||
|
if (GetLength(input, &idx, &length, sz) < 0) {
|
||||||
|
CYASSL_MSG("\tfail: key usage bad length");
|
||||||
|
return ASN_PARSE_E;
|
||||||
|
}
|
||||||
|
|
||||||
|
unusedBits = input[idx++];
|
||||||
|
length--;
|
||||||
|
|
||||||
|
if (length == 2) {
|
||||||
|
cert->extKeyUsage = (word16)((input[idx] << 8) | input[idx+1]);
|
||||||
|
cert->extKeyUsage >>= unusedBits;
|
||||||
|
}
|
||||||
|
else if (length == 1)
|
||||||
|
cert->extKeyUsage = (word16)(input[idx] << 1);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
#ifdef CYASSL_SEP
|
#ifdef CYASSL_SEP
|
||||||
|
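Review bot: `unusedBits` is read straight from the certificate and used as a shift count in `cert->extKeyUsage >>= unusedBits`; X.690 limits it to 0..7, and a value of 32 or more makes the shift (on the promoted int) undefined behaviour, so it needs a bounds check before use, e.g. `if (unusedBits > 7) { CYASSL_MSG("\tfail: key usage bad unused bits"); return ASN_PARSE_E; }`. `length` is likewise not checked before the `input[idx++]` read of `unusedBits` and the `input[idx]`/`input[idx+1]` reads: a BIT STRING with zero content length takes `unusedBits` from outside its own content and `length--` then goes negative, so rejecting `length < 1` (and any content length other than 1 or 2, which is currently ignored without an error) before the reads would fail closed. Whether `GetLength` already bounds `length` against `sz` is not visible in this hunk. The function body is unchanged apart from leaving the `OPENSSL_EXTRA` guard, but since it now runs in every build these checks apply to every caller.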
@ -3394,25 +3394,34 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef CYASSL_SEP
|
|
||||||
case CERT_POLICY_OID:
|
case CERT_POLICY_OID:
|
||||||
#ifdef OPENSSL_EXTRA
|
CYASSL_MSG("Certificate Policy extension not supported yet.");
|
||||||
cert->extCertPolicySet = 1;
|
#ifdef CYASSL_SEP
|
||||||
cert->extCertPolicyCrit = critical;
|
#ifdef OPENSSL_EXTRA
|
||||||
|
cert->extCertPolicySet = 1;
|
||||||
|
cert->extCertPolicyCrit = critical;
|
||||||
|
#endif
|
||||||
|
if (DecodeCertPolicy(&input[idx], length, cert) < 0)
|
||||||
|
return ASN_PARSE_E;
|
||||||
#endif
|
#endif
|
||||||
if (DecodeCertPolicy(&input[idx], length, cert) < 0)
|
|
||||||
return ASN_PARSE_E;
|
|
||||||
break;
|
break;
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef OPENSSL_EXTRA
|
|
||||||
case KEY_USAGE_OID:
|
case KEY_USAGE_OID:
|
||||||
cert->extKeyUsageSet = 1;
|
cert->extKeyUsageSet = 1;
|
||||||
cert->extKeyUsageCrit = critical;
|
#ifdef OPENSSL_EXTRA
|
||||||
|
cert->extKeyUsageCrit = critical;
|
||||||
|
#endif
|
||||||
if (DecodeKeyUsage(&input[idx], length, cert) < 0)
|
if (DecodeKeyUsage(&input[idx], length, cert) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
break;
|
break;
|
||||||
#endif
|
|
||||||
|
case EXT_KEY_USAGE_OID:
|
||||||
|
CYASSL_MSG("Extended Key Usage extension not supported yet.");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case INHIBIT_ANY_OID:
|
||||||
|
CYASSL_MSG("Inhibit anyPolicy extension not supported yet.");
|
||||||
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
/* While it is a failure to not support critical extensions,
|
/* While it is a failure to not support critical extensions,
|
||||||
|
|
|
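Review bot: The new `EXT_KEY_USAGE_OID` and `INHIBIT_ANY_OID` stubs `break` without consulting `critical`, and `CERT_POLICY_OID` now does the same in builds without `CYASSL_SEP` (its `case` label is no longer inside the `#ifdef`), so a certificate that marks one of these extensions critical no longer reaches `default`, whose comment — cut off at the end of the hunk — indicates unsupported critical extensions get special treatment; RFC 5280 requires inhibitAnyPolicy to be marked critical, so that is the normal path for it. Until these extensions are actually decoded, the stubs should apply the same `critical` handling as `default` (whatever it does past this hunk) or simply not exist as separate cases, e.g. log the message from `default` instead so the existing critical check still runs. `cert->extKeyUsageSet = 1` is also set before `DecodeKeyUsage` succeeds; setting it after the call keeps the flag meaningful on the parse-failure path, even though the caller returns `ASN_PARSE_E` there. DecodeCertExtensions starts and ends outside the hunk.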
@ -216,7 +216,9 @@ enum Extensions_Sum {
|
||||||
AUTH_KEY_OID = 149,
|
AUTH_KEY_OID = 149,
|
||||||
SUBJ_KEY_OID = 128,
|
SUBJ_KEY_OID = 128,
|
||||||
CERT_POLICY_OID = 146,
|
CERT_POLICY_OID = 146,
|
||||||
KEY_USAGE_OID = 129 /* 2.5.29.15 */
|
KEY_USAGE_OID = 129, /* 2.5.29.15 */
|
||||||
|
INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
|
||||||
|
EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
|
||||||
};
|
};
|
||||||
|
|
||||||
enum CertificatePolicy_Sum {
|
enum CertificatePolicy_Sum {
|
||||||
|
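Review bot: `EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */` leaves a trailing comma on the last enumerator, which the old list avoided (`KEY_USAGE_OID = 129 /* 2.5.29.15 */` had none); a trailing enumerator comma is a C99 addition that strict C89 compilers reject, so keep the existing convention with `EXT_KEY_USAGE_OID = 151 /* 2.5.29.37 */`. The values are the byte sums of the encoded OIDs (0x55+0x1D+0x25 = 151, 0x55+0x1D+0x36 = 168), consistent with the existing entries, and a one-line comment above the enum saying the members are OID byte sums would spare the next reader that derivation. Whether the decoder compares the full OID or only the sum is not visible here; if it is the sum alone, distinct OIDs with equal sums would be confused, which is worth stating next to the enum before more entries are added.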
@ -332,6 +334,8 @@ struct DecodedCert {
|
||||||
byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */
|
byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */
|
||||||
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
|
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
|
||||||
byte isCA; /* CA basic constraint true */
|
byte isCA; /* CA basic constraint true */
|
||||||
|
byte extKeyUsageSet;
|
||||||
|
word16 extKeyUsage; /* Key usage bitfield */
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
byte extBasicConstSet;
|
byte extBasicConstSet;
|
||||||
byte extBasicConstCrit;
|
byte extBasicConstCrit;
|
||||||
|
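Review bot: `byte extKeyUsageSet;` is added without a comment while its neighbours document themselves (`/* Set when the AKID was read from cert */`); add `/* Set when the KeyUsage extension was read from cert */` in the same style. Moving both fields out of `#ifdef OPENSSL_EXTRA` matches the unconditional initialisation in InitDecodedCert and the decode in DecodeCertExtensions, while `extKeyUsageCrit` stays guarded, so a short note on `extKeyUsage` that the critical flag is only tracked with `OPENSSL_EXTRA` would help callers. The struct continues outside the hunk.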
@ -341,9 +345,7 @@ struct DecodedCert {
|
||||||
byte extSubjAltNameCrit;
|
byte extSubjAltNameCrit;
|
||||||
byte extAuthKeyIdCrit;
|
byte extAuthKeyIdCrit;
|
||||||
byte extSubjKeyIdCrit;
|
byte extSubjKeyIdCrit;
|
||||||
byte extKeyUsageSet;
|
|
||||||
byte extKeyUsageCrit;
|
byte extKeyUsageCrit;
|
||||||
word16 extKeyUsage; /* Key usage bitfield */
|
|
||||||
byte* extAuthKeyIdSrc;
|
byte* extAuthKeyIdSrc;
|
||||||
word32 extAuthKeyIdSz;
|
word32 extAuthKeyIdSz;
|
||||||
byte* extSubjKeyIdSrc;
|
byte* extSubjKeyIdSrc;
|
||||||
|
|