Support for more cert subject OIDs and raw subject access #1734
Conversation
|
retest this please |
wolfcrypt/src/asn.c
Outdated
| @@ -4236,6 +4252,75 @@ static int GetName(DecodedCert* cert, int nameType) | |||
|
|
|||
| cert->srcIdx += strLen; | |||
| } | |||
| #ifdef WOLFSSL_CERT_EXT | |||
| else if ((0 == memcmp(&cert->source[cert->srcIdx], | |||
wolfcrypt/src/asn.c
Outdated
| else if ((0 == memcmp(&cert->source[cert->srcIdx], | ||
| "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01", 10)) && | ||
| ((cert->source[cert->srcIdx + 10] == 0x3) || | ||
| (cert->source[cert->srcIdx + 10] == 0x2))) |
There was a problem hiding this comment.
Can you add a define for these consts so its easier to understand? Including the places 0x03 and 0x02 are used in the if logic below.
wolfcrypt/src/asn.c
Outdated
| @@ -11075,6 +11172,17 @@ int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, | |||
|
|
|||
| #ifdef WOLFSSL_CERT_EXT | |||
|
|
|||
| /* Get raw subject from cert, which may contain OIDs not parsed by Decode. */ | |||
| int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert) | |||
There was a problem hiding this comment.
Can you also add some docs for this API in doc/dox_comments/header_files/asn_public.h?
wolfcrypt/src/asn.c
Outdated
| } | ||
| #else | ||
| /* Fields are not accessible */ | ||
| ret = -1; |
There was a problem hiding this comment.
In the !IGNORE_NAME_CONSTRAINT case the previous ret is overwritten even in the ParseCertRelative case.
wolfcrypt/src/asn.c
Outdated
| DecodedCert decoded[1]; | ||
| #endif | ||
|
|
||
| if (derSz < 0) { |
There was a problem hiding this comment.
Can you also add a bad arg check for sbjRaw == NULL?
wolfcrypt/test/test.c
Outdated
| @@ -389,7 +389,7 @@ static void myFipsCb(int ok, int err, const char* hash) | |||
| #ifdef BENCH_EMBEDDED | |||
| static byte gTestMemory[10000]; | |||
| #elif defined(USE_FAST_MATH) && !defined(ALT_ECC_SIZE) | |||
| static byte gTestMemory[130000]; | |||
| static byte gTestMemory[140000]; | |||
There was a problem hiding this comment.
Was this increase required even in the !WOLFSSL_CERT_EXT case? If its just for the WOLFSSL_CERT_EXT case I'd like to only increase it for that build case.
wolfssl/wolfcrypt/memory.h
Outdated
| /* default size of chunks of memory to seperate into | ||
| * having session certs enabled makes a 21k SSL struct */ | ||
| /* default size of chunks of memory to separate into | ||
| * having session certs enabled makes a 24k SSL struct */ |
There was a problem hiding this comment.
Can you describe why this increase was required? If its just for the WOLFSSL_CERT_EXT case maybe we should only increase it for that build case.
There was a problem hiding this comment.
The increased memory requirement was due to the addition of the raw subject and issuer fields in the cert structure, and the newly supported OIDs in the certName structure.
wolfcrypt/src/asn.c
Outdated
| /* Set cert raw subject from DER buffer */ | ||
| int wc_SetSubjectRaw(Cert* cert, const byte* der, int derSz) | ||
| { | ||
| return SetSubjectRawFromCert(cert->sbjRaw, der, derSz); |
There was a problem hiding this comment.
Can we add a NULL check for cert?
wolfcrypt/src/asn.c
Outdated
| { | ||
| int rc = 0; | ||
| if ((subjectRaw != NULL) && (cert != NULL)) { | ||
| *subjectRaw = cert->sbjRaw; |
There was a problem hiding this comment.
Looks like this is just returning the pointer to it. Make sure folks know this pointer only lives as long as Cert is available.
There was a problem hiding this comment.
@embhorn : Changes look great! For this to be complete I'd like to see at least API unit test for wc_SetSubjectRaw and wc_GetSubjectRaw. Also you added wolfCrypt tests for building a cert with the new business and jurisdiction fields, but can we add a test certificate for parsing these in ./certs? Thanks!
|
retest this please |
| @@ -0,0 +1,76 @@ | |||
| Certificate: | |||
There was a problem hiding this comment.
Make sure and add any new files to the include.am.
…ith email name in CSR. (Thanks to Forum post https://www.wolfssl.com/forums/post4137.html). Failed examples: ``` 145:d=5 hl=2 l= 16 prim: EOC 0000 - 69 6e 66 6f 40 77 6f 6c-66 73 73 6c 2e 63 6f 6d info@wolfssl.com ``` ``` SET { 138 23: SEQUENCE { 140 3: OBJECT IDENTIFIER objectClass (2 5 4 0) : Error: Spurious EOC in definite-length item. ``` Success Examples: ``` 140:d=5 hl=2 l= 9 prim: OBJECT :emailAddress 151:d=5 hl=2 l= 16 prim: IA5STRING :info@wolfssl.com ``` ``` SET { 138 29: SEQUENCE { 140 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1) 151 16: IA5String 'info@wolfssl.com' ```
Cert subjects OIDs that are not supported in the parser are skipped. So in order to support copying a subject to a new cert, the
wc_SetSubjectRaw()method is added.Also adding support for the
businessCategory,jurisdiction of incorporation country, andjurisdiction of incorporation stateOIDs.