New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for more cert subject OIDs and raw subject access #1734
Conversation
retest this please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@embhorn : Just a few minor things. Great work!
wolfcrypt/src/asn.c
Outdated
@@ -4236,6 +4252,75 @@ static int GetName(DecodedCert* cert, int nameType) | |||
|
|||
cert->srcIdx += strLen; | |||
} | |||
#ifdef WOLFSSL_CERT_EXT | |||
else if ((0 == memcmp(&cert->source[cert->srcIdx], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use XMEMCMP
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/src/asn.c
Outdated
else if ((0 == memcmp(&cert->source[cert->srcIdx], | ||
"\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01", 10)) && | ||
((cert->source[cert->srcIdx + 10] == 0x3) || | ||
(cert->source[cert->srcIdx + 10] == 0x2))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a define for these consts so its easier to understand? Including the places 0x03 and 0x02 are used in the if logic below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/src/asn.c
Outdated
@@ -11075,6 +11172,17 @@ int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, | |||
|
|||
#ifdef WOLFSSL_CERT_EXT | |||
|
|||
/* Get raw subject from cert, which may contain OIDs not parsed by Decode. */ | |||
int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also add some docs for this API in doc/dox_comments/header_files/asn_public.h
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/src/asn.c
Outdated
} | ||
#else | ||
/* Fields are not accessible */ | ||
ret = -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the !IGNORE_NAME_CONSTRAINT
case the previous ret
is overwritten even in the ParseCertRelative case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/src/asn.c
Outdated
DecodedCert decoded[1]; | ||
#endif | ||
|
||
if (derSz < 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also add a bad arg check for sbjRaw == NULL
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/test/test.c
Outdated
@@ -389,7 +389,7 @@ static void myFipsCb(int ok, int err, const char* hash) | |||
#ifdef BENCH_EMBEDDED | |||
static byte gTestMemory[10000]; | |||
#elif defined(USE_FAST_MATH) && !defined(ALT_ECC_SIZE) | |||
static byte gTestMemory[130000]; | |||
static byte gTestMemory[140000]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this increase required even in the !WOLFSSL_CERT_EXT case? If its just for the WOLFSSL_CERT_EXT
case I'd like to only increase it for that build case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfssl/wolfcrypt/memory.h
Outdated
/* default size of chunks of memory to seperate into | ||
* having session certs enabled makes a 21k SSL struct */ | ||
/* default size of chunks of memory to separate into | ||
* having session certs enabled makes a 24k SSL struct */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you describe why this increase was required? If its just for the WOLFSSL_CERT_EXT
case maybe we should only increase it for that build case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The increased memory requirement was due to the addition of the raw subject and issuer fields in the cert structure, and the newly supported OIDs in the certName structure.
wolfcrypt/src/asn.c
Outdated
/* Set cert raw subject from DER buffer */ | ||
int wc_SetSubjectRaw(Cert* cert, const byte* der, int derSz) | ||
{ | ||
return SetSubjectRawFromCert(cert->sbjRaw, der, derSz); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a NULL check for cert
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
wolfcrypt/src/asn.c
Outdated
{ | ||
int rc = 0; | ||
if ((subjectRaw != NULL) && (cert != NULL)) { | ||
*subjectRaw = cert->sbjRaw; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this is just returning the pointer to it. Make sure folks know this pointer only lives as long as Cert
is available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@embhorn : Changes look great! For this to be complete I'd like to see at least API unit test for wc_SetSubjectRaw
and wc_GetSubjectRaw
. Also you added wolfCrypt tests for building a cert with the new business and jurisdiction fields, but can we add a test certificate for parsing these in ./certs? Thanks!
retest this please |
@@ -0,0 +1,76 @@ | |||
Certificate: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make sure and add any new files to the include.am.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Eric! Great addition!
…ith email name in CSR. (Thanks to Forum post https://www.wolfssl.com/forums/post4137.html). Failed examples: ``` 145:d=5 hl=2 l= 16 prim: EOC 0000 - 69 6e 66 6f 40 77 6f 6c-66 73 73 6c 2e 63 6f 6d info@wolfssl.com ``` ``` SET { 138 23: SEQUENCE { 140 3: OBJECT IDENTIFIER objectClass (2 5 4 0) : Error: Spurious EOC in definite-length item. ``` Success Examples: ``` 140:d=5 hl=2 l= 9 prim: OBJECT :emailAddress 151:d=5 hl=2 l= 16 prim: IA5STRING :info@wolfssl.com ``` ``` SET { 138 29: SEQUENCE { 140 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1) 151 16: IA5String 'info@wolfssl.com' ```
Cert subjects OIDs that are not supported in the parser are skipped. So in order to support copying a subject to a new cert, the
wc_SetSubjectRaw()
method is added.Also adding support for the
businessCategory
,jurisdiction of incorporation country
, andjurisdiction of incorporation state
OIDs.