mirror of https://github.com/wolfSSL/wolfssl.git
refine the SKID/AKID support
parent
aebd926472
commit
d2d25b9b83
|
@ -1219,9 +1219,9 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
|
||||||
cert->extCrlInfo = NULL;
|
cert->extCrlInfo = NULL;
|
||||||
cert->extCrlInfoSz = 0;
|
cert->extCrlInfoSz = 0;
|
||||||
XMEMSET(cert->extSubjKeyId, 0, SHA_SIZE);
|
XMEMSET(cert->extSubjKeyId, 0, SHA_SIZE);
|
||||||
cert->extSubjKeyIdSz = 0;
|
cert->extSubjKeyIdSet = 0;
|
||||||
cert->extAuthKeyId = NULL;
|
XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE);
|
||||||
cert->extAuthKeyIdSz = 0;
|
cert->extAuthKeyIdSet = 0;
|
||||||
cert->isCA = 0;
|
cert->isCA = 0;
|
||||||
#ifdef CYASSL_CERT_GEN
|
#ifdef CYASSL_CERT_GEN
|
||||||
cert->subjectSN = 0;
|
cert->subjectSN = 0;
|
||||||
|
@ -2567,8 +2567,16 @@ static void DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
cert->extAuthKeyId = input + idx;
|
if (length == SHA_SIZE) {
|
||||||
cert->extAuthKeyIdSz = length;
|
XMEMCPY(cert->extAuthKeyId, input + idx, length);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
Sha sha;
|
||||||
|
InitSha(&sha);
|
||||||
|
ShaUpdate(&sha, input + idx, length);
|
||||||
|
ShaFinal(&sha, cert->extAuthKeyId);
|
||||||
|
}
|
||||||
|
cert->extAuthKeyIdSet = 1;
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -2591,8 +2599,16 @@ static void DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
XMEMCPY(cert->extSubjKeyId, input + idx, length);
|
if (length == SIGNER_DIGEST_SIZE) {
|
||||||
cert->extSubjKeyIdSz = length;
|
XMEMCPY(cert->extSubjKeyId, input + idx, length);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
Sha sha;
|
||||||
|
InitSha(&sha);
|
||||||
|
ShaUpdate(&sha, input + idx, length);
|
||||||
|
ShaFinal(&sha, cert->extSubjKeyId);
|
||||||
|
}
|
||||||
|
cert->extSubjKeyIdSet = 1;
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -2767,21 +2783,21 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||||
return ASN_SIG_OID_E;
|
return ASN_SIG_OID_E;
|
||||||
|
|
||||||
#ifndef NO_SKID
|
#ifndef NO_SKID
|
||||||
if (cert->extSubjKeyIdSz == 0) {
|
if (cert->extSubjKeyIdSet == 0) {
|
||||||
Sha sha;
|
Sha sha;
|
||||||
InitSha(&sha);
|
InitSha(&sha);
|
||||||
ShaUpdate(&sha, cert->publicKey, cert->pubKeySize);
|
ShaUpdate(&sha, cert->publicKey, cert->pubKeySize);
|
||||||
ShaFinal(&sha, cert->extSubjKeyId);
|
ShaFinal(&sha, cert->extSubjKeyId);
|
||||||
cert->extSubjKeyIdSz = SHA_SIZE;
|
cert->extSubjKeyIdSet = 1;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (verify && type != CA_TYPE) {
|
if (verify && type != CA_TYPE) {
|
||||||
Signer* ca;
|
Signer* ca = NULL;
|
||||||
#ifndef NO_SKID
|
#ifndef NO_SKID
|
||||||
if (cert->extAuthKeyId != NULL)
|
if (cert->extAuthKeyIdSet)
|
||||||
ca = GetCA(cm, cert->extAuthKeyId);
|
ca = GetCA(cm, cert->extAuthKeyId);
|
||||||
else
|
if (ca == NULL)
|
||||||
ca = GetCAByName(cm, cert->issuerHash);
|
ca = GetCAByName(cm, cert->issuerHash);
|
||||||
#else /* NO_SKID */
|
#else /* NO_SKID */
|
||||||
ca = GetCA(cm, cert->issuerHash);
|
ca = GetCA(cm, cert->issuerHash);
|
||||||
|
@ -5192,7 +5208,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
|
||||||
{
|
{
|
||||||
int version, len;
|
int version, len;
|
||||||
word32 oid, idx = 0;
|
word32 oid, idx = 0;
|
||||||
Signer* ca;
|
Signer* ca = NULL;
|
||||||
|
|
||||||
CYASSL_MSG("ParseCRL");
|
CYASSL_MSG("ParseCRL");
|
||||||
|
|
||||||
|
@ -5257,12 +5273,12 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
|
||||||
#ifndef NO_SKID
|
#ifndef NO_SKID
|
||||||
if (dcrl->extAuthKeyId != NULL)
|
if (dcrl->extAuthKeyIdSet)
|
||||||
ca = GetCA(cm, dcrl->extAuthKeyId);
|
ca = GetCA(cm, dcrl->extAuthKeyId);
|
||||||
else
|
if (ca == NULL)
|
||||||
ca = GetCAByName(cm, dcrl->issuerHash);
|
ca = GetCAByName(cm, dcrl->issuerHash);
|
||||||
#else /* NO_SKID */
|
#else /* NO_SKID */
|
||||||
ca = GetCA(cm, dcrl->issuerHash);
|
ca = GetCA(cm, dcrl->issuerHash);
|
||||||
#endif /* NO_SKID */
|
#endif /* NO_SKID */
|
||||||
CYASSL_MSG("About to verify CRL signature");
|
CYASSL_MSG("About to verify CRL signature");
|
||||||
|
|
||||||
|
|
|
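Review bot: DecodeSubjKeyId tests `length == SIGNER_DIGEST_SIZE` while DecodeAuthKeyId tests `length == SHA_SIZE`, yet both copy into the `byte [SHA_SIZE]` arrays this commit introduces in DecodedCert; if the two macros ever differ, the XMEMCPY in DecodeSubjKeyId is no longer bounded by the array, and a 20-byte SKID and its matching AKID could be stored in different forms (one raw, one SHA-1 digested) so the `GetCA` lookup in ParseCertRelative would miss. Use one constant in both places, `if (length == SHA_SIZE) {`, or assert the equivalence where the macros are defined. The `if (ca == NULL) ca = GetCAByName(...)` fallback now also runs when an AKID is present but unknown; that looks safe only because the located CA is presumably still used to verify the signature below the hunk, which is not visible here, so a short comment stating that assumption would help, e.g. `/* AKID miss falls back to issuer name; signature check below still binds the CA */`. DecodeAuthKeyId and DecodeSubjKeyId both start outside their hunks, so the earlier `length` validation is not visible.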
@ -252,9 +252,9 @@ struct DecodedCert {
|
||||||
byte* extCrlInfo; /* CRL Distribution Points */
|
byte* extCrlInfo; /* CRL Distribution Points */
|
||||||
int extCrlInfoSz; /* length of the URI */
|
int extCrlInfoSz; /* length of the URI */
|
||||||
byte extSubjKeyId[SHA_SIZE]; /* Subject Key ID */
|
byte extSubjKeyId[SHA_SIZE]; /* Subject Key ID */
|
||||||
int extSubjKeyIdSz; /* length of the ID */
|
byte extSubjKeyIdSet; /* Set when the SKID was read from cert */
|
||||||
byte* extAuthKeyId; /* Authority Key ID */
|
byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */
|
||||||
int extAuthKeyIdSz; /* length of the ID */
|
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
|
||||||
byte isCA; /* CA basic constraint true */
|
byte isCA; /* CA basic constraint true */
|
||||||
#ifdef CYASSL_CERT_GEN
|
#ifdef CYASSL_CERT_GEN
|
||||||
/* easy access to subject info for other sign */
|
/* easy access to subject info for other sign */
|
||||||
|
|
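Review bot: The comment on `extSubjKeyIdSet` says "Set when the SKID was read from cert", but ParseCertRelative in this same commit also sets it after deriving the ID from the public key, and neither comment mentions that the arrays hold either the raw 20-byte ID or the SHA-1 of a longer one. I would write `byte extSubjKeyId[SHA_SIZE]; /* SKID: raw 20-byte ID, else SHA-1 of the cert's ID */`, `byte extSubjKeyIdSet; /* set when an SKID was read from cert or derived from the key */`, and the equivalent wording for extAuthKeyId. The enclosing struct DecodedCert starts and ends outside the hunk.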