Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial rewrite of X509 STORE to replicate openssl behavior #8087

Merged
merged 17 commits into from
Oct 23, 2024
Merged

Initial rewrite of X509 STORE to replicate openssl behavior #8087

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
17c9e92
Initial rewrite of X509 STORE to replicate openssl behavior
ColtonWilley Oct 16, 2024
38c7de1
Fixes for CI build errors
ColtonWilley Oct 16, 2024
12f4f69
Allow intermediate CA certs without keycertsign when added through X5…
ColtonWilley Oct 17, 2024
f7bfa71
Implement support for verify flag X509_V_FLAG_PARTIAL_CHAIN
ColtonWilley Oct 18, 2024
98eb6b3
Fix for windows builds
ColtonWilley Oct 18, 2024
f0fae65
Fix windows warnings
ColtonWilley Oct 18, 2024
6607314
Address code comments, rewrite get issuer internals, use better inter…
ColtonWilley Oct 18, 2024
1afbf55
Fix new build error after refactor
ColtonWilley Oct 18, 2024
87ce965
Changes for various failing build configs
ColtonWilley Oct 18, 2024
1ddb2ce
Properly implement set flags for X509_V_FLAG_PARTIAL_CHAIN
ColtonWilley Oct 21, 2024
3fc3a84
Move X509_STORE_CTX_set_flags under OPENSSL_EXTRA
ColtonWilley Oct 21, 2024
4c63668
Small changes per review comments
ColtonWilley Oct 22, 2024
96138e7
Restore proper error code handling for self signed CA in non-trusted …
ColtonWilley Oct 22, 2024
95f8d74
Fix loop to decrement
ColtonWilley Oct 22, 2024
ee4e1b6
Properly omit self signed CA from untrusted intermediates, handle mem…
ColtonWilley Oct 23, 2024
6f0bcac
Address review comments, rename WOLFSSL_INTER_CA, use up_ref for get …
ColtonWilley Oct 23, 2024
cab20fb
add and use WOLFSSL_PARTIAL_CHAIN as native bitmask macro for compat …
douzzer Oct 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions src/ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5535,13 +5535,15 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
}
}

if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA &&
type != WOLFSSL_TEMP_CA) {
WOLFSSL_MSG("\tCan't add as CA if not actually one");
ret = NOT_CA_ERROR;
}
#ifndef ALLOW_INVALID_CERTSIGN
else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA &&
!cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
type != WOLFSSL_TEMP_CA && !cert->selfSigned &&
(cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
/* Intermediate CA certs are required to have the keyCertSign
* extension set. User loaded root certs are not. */
WOLFSSL_MSG("\tDoesn't have key usage certificate signing");
Expand Down
23 changes: 20 additions & 3 deletions src/ssl_certman.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,11 +455,12 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
return ret;
}

int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm)
static int wolfSSL_CertManagerUnloadIntermediateCertsEx(
WOLFSSL_CERT_MANAGER* cm, byte type)
{
int ret = WOLFSSL_SUCCESS;

WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts");
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCertsEx");

/* Validate parameter. */
if (cm == NULL) {
Expand All @@ -471,7 +472,7 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm)
}
if (ret == WOLFSSL_SUCCESS) {
/* Dispose of CA table. */
FreeSignerTableType(cm->caTable, CA_TABLE_SIZE, WOLFSSL_CHAIN_CA,
FreeSignerTableType(cm->caTable, CA_TABLE_SIZE, type,
cm->heap);

/* Unlock CA table. */
Expand All @@ -481,6 +482,22 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm)
return ret;
}

#if defined(OPENSSL_EXTRA)
static int wolfSSL_CertManagerUnloadTempIntermediateCerts(
WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTempIntermediateCerts");
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_TEMP_CA);
}
#endif

int wolfSSL_CertManagerUnloadIntermediateCerts(
WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts");
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_CHAIN_CA);
}

#ifdef WOLFSSL_TRUST_PEER_CERT
/* Unload the trusted peers table.
*
Expand Down
16 changes: 8 additions & 8 deletions src/x509.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5559,7 +5559,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509)
* size of this subset and its memory usage */
#endif /* OPENSSL_EXTRA_X509_SMALL || KEEP_PEER_CERT || SESSION_CERTS */

#if defined(OPENSSL_ALL)
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
/*
* Converts a and b to DER and then does an XMEMCMP to check if they match.
* Returns 0 when certificates match and WOLFSSL_FATAL_ERROR when they don't.
Expand Down Expand Up @@ -7536,7 +7536,6 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
byte* pem = NULL;
byte* curr = NULL;
byte* prev = NULL;
WOLFSSL_X509* x509;
const char* header = NULL;
const char* footer = NULL;

Expand Down Expand Up @@ -7597,12 +7596,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
}
else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 &&
XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) {
x509 = wolfSSL_X509_load_certificate_buffer(curr, (int)sz,
WOLFSSL_FILETYPE_PEM);
if (x509 == NULL)
goto end;
ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509);
wolfSSL_X509_free(x509);
ret = X509StoreLoadCertBuffer(lookup->store, curr,
(word32)sz, WOLFSSL_FILETYPE_PEM);
if (ret != WOLFSSL_SUCCESS)
goto end;
curr = (byte*)XSTRNSTR((char*)curr, footer, (unsigned int)sz);
Expand Down Expand Up @@ -14210,6 +14205,9 @@ int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *name,

#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
#if defined(OPENSSL_EXTRA) && \
((defined(SESSION_CERTS) && !defined(WOLFSSL_QT)) || \
defined(WOLFSSL_SIGNER_DER_CERT))

/**
* Find the issuing cert of the input cert. On a self-signed cert this
Expand Down Expand Up @@ -14280,6 +14278,8 @@ static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm,

return WOLFSSL_SUCCESS;
}
#endif /* if defined(OPENSSL_EXTRA) && (defined(SESSION_CERTS) || \
defined(WOLFSSL_SIGNER_DER_CERT)) */

void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk)
{
Expand Down
Loading
Loading