Add support for raw-public-key #6544
Merged
JacobBarthelmeh merged 1 commit into wolfSSL:master on Aug 17, 2023
Member
Assigning to @JacobBarthelmeh and @SparkiDev for reviews as well.
SparkiDev requested changes Jul 24, 2023
JacobBarthelmeh requested changes Jul 25, 2023
Contributor
Author
Jenkins retest this please
geonnave reviewed Aug 8, 2023
@TakayukiMatsuo should this be cert->isRPK ?
I was testing the RPK feature in RIOT-OS and I got the following error: wolfssl/wolfcrypt/src/asn.c:15205:13: error: 'cert' is a pointer; did you mean to use '->'?
In fact, even after changing . to ->, I realized that the RPK configuration does not work unless WOLFSSL_ASN_TEMPLATE is defined:
```
# to reproduce, make sure WOLFSSL_ASN_TEMPLATE is undefined
$ make && ./tests/unit.test -test_tls13_rpk_handshake
...
processing certificate
wolfSSL Entering DoTls13Certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
Parsing 0 bytes of cert extensions
Put another cert into chain
Verifying Peer's cert
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId
wolfSSL Entering GetObjectId
Parsed Past Key
Buffer too small for ASN tag
Got Peer cert ASN PARSE_E, BUFFER E, MEMORY_E
wolfSSL Leaving ProcessPeerCerts, return -140
wolfSSL Leaving DoTls13Certificate, return -140
wolfSSL Leaving DoTls13HandShakeMsgType(), return -140
wolfSSL Leaving DoTls13HandShakeMsg, return -140
wolfSSL error occurred, error = -140
wolfSSL error occurred, error = -140
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -140
failed ( 0.00419)
ERROR - tests/api.c line 65599 failed with:
expected: Test failed
result: ret 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup
FAILURES:
816: test_tls13_rpk_handshake
End API Tests
```
Contributor
Author
Hi @geonnave, thank you for the heads-up. Fixed what you pointed out and addressed the case when WOLFSSL_ASN_TEMPLATE is not defined.
JacobBarthelmeh approved these changes Aug 16, 2023
SparkiDev approved these changes Aug 16, 2023
Description
This PR intends to add support for raw public key (RFC 7250) and includes the following features:
- Introduced a macro definition "HAVE_RPK" to show RPK support.
- Introduced APIs for setting user preference to client(server)_certificate_type extensions.
- Introduced APIs for getting negotiated client(server)_certificate_type extensions.
- Added Raw-Public-Key-certs into certs/rpk for testing.
- Extended existing APIs for loading own RPK certificate to accept RPK cert in buffer.
- Added unit test cases for added APIs.
The peer RPK cert received is accepted without any verification. If users want to add their own verification, build with the WOLFSSL_ALWAYS_VERIFY_CB macro and set a verify callback via wolfSSL_CTX_set_verify.
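The description says a received peer RPK is accepted without verification unless the application installs its own verify callback. As an added example (not code from this PR or from wolfSSL), the check below is the kind of decision such a callback could make: compare the peer's SubjectPublicKeyInfo DER against keys provisioned out of band, and reject the handshake when it returns 0. The names `rpk_pin`, `rpk_is_pinned` and `sample_spki` are hypothetical, and how the callback obtains the peer's key bytes is an assumption left outside the example.

```c
#include <stddef.h>
#include <string.h>
#define SPKI_MAX 600 /* assumed bound; fits EC, Ed25519 and RSA-2048 keys */
typedef struct { unsigned char der[SPKI_MAX]; size_t len; } rpk_pin;

/* Strict DER check: outer SEQUENCE whose length exactly covers the buffer. */
static int spki_outer_ok(const unsigned char *der, size_t len)
{
    size_t hdr = 2, body;
    if (der == NULL || len < 2 || der[0] != 0x30) return 0;
    if (der[1] < 0x80) {
        body = der[1];
    } else if (der[1] == 0x81 && len >= 3 && der[2] >= 0x80) {
        hdr = 3; body = der[2];
    } else if (der[1] == 0x82 && len >= 4 && der[2] != 0) {
        hdr = 4; body = ((size_t)der[2] << 8) | der[3];
    } else {
        return 0; /* indefinite, non-minimal or oversized length */
    }
    return hdr + body == len;
}

/* Constant-time equality, so timing does not reveal where bytes differ. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    while (n--) diff |= (unsigned char)(a[n] ^ b[n]);
    return diff == 0;
}

/* Returns 1 only if the peer key is well-formed DER and on the allowlist. */
int rpk_is_pinned(const unsigned char *der, size_t len,
                  const rpk_pin *pins, size_t npins)
{
    int match = 0;
    if (!spki_outer_ok(der, len) || len > SPKI_MAX) return 0;
    for (; npins > 0; npins--, pins++)
        if (pins->len == len) match |= ct_equal(der, pins->der, len);
    return match;
}

/* Constructed sample (not from the PR): Ed25519 SPKI header + 32 key bytes. */
size_t sample_spki(unsigned char *out, unsigned char fill)
{
    static const unsigned char hdr[12] = { 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03,
                                           0x2b, 0x65, 0x70, 0x03, 0x21, 0x00 };
    memcpy(out, hdr, sizeof hdr);
    memset(out + sizeof hdr, fill, 32);
    return sizeof hdr + 32;
}
```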