Improve wolfSSL_X509_get_ext_d2i compatibility
* When dealing with authority key id extension, conform to
  RFC3280/RFC5280 and populate the keyid field with an ASN1 string
  containing the key id.
* When dealing with subject key id extension, return an ASN1 string
  containing the key id instead of an extension stack, to mimic OpenSSL
  behavior.
dclaisse committed Jun 14, 2024
1 parent a120b83 commit 58d36ff
Showing 1 changed file with 48 additions and 27 deletions.
75 changes: 48 additions & 27 deletions src/x509.c
Expand Up @@ -2171,9 +2171,9 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos)
* nid : Extension OID to be found.
* idx : if NULL return first extension found match, otherwise start search at
* idx location and set idx to the location of extension returned.
* returns NULL or a pointer to an WOLFSSL_ASN1_BIT_STRING (for KEY_USAGE_OID)
* or WOLFSSL_STACK (for other)
* holding extension structure
* returns NULL or a pointer to an WOLFSSL_ASN1_STRING (for KEY_USAGE_OID and
* SUBJ_KEY_OID) or a pointer to an WOLFSSL_AUTHORITY_KEYID (for AUTH_KEY_OID)
* or WOLFSSL_STACK (for other) holding extension structure.
*
* NOTE code for decoding extensions is in asn.c DecodeCertExtensions --
* use already decoded extension in this function to avoid decoding twice.
Expand Down Expand Up @@ -2403,54 +2403,75 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
break;

case AUTH_KEY_OID:
{
WOLFSSL_AUTHORITY_KEYID* akey = NULL;
if (x509->authKeyIdSet) {
WOLFSSL_AUTHORITY_KEYID* akey = wolfSSL_AUTHORITY_KEYID_new();
if (c != NULL) {
*c = x509->authKeyIdCrit;
}

akey = wolfSSL_AUTHORITY_KEYID_new();
if (!akey) {
WOLFSSL_MSG("Issue creating WOLFSSL_AUTHORITY_KEYID struct");
return NULL;
}

if (c != NULL) {
*c = x509->authKeyIdCrit;
akey->keyid = wolfSSL_ASN1_STRING_new();
if (akey->keyid == NULL) {
WOLFSSL_MSG("ASN1_STRING_new() failed");
wolfSSL_AUTHORITY_KEYID_free(akey);
return NULL;
}
obj = wolfSSL_ASN1_OBJECT_new();
if (obj == NULL) {
WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct");

if (wolfSSL_ASN1_STRING_set(akey->keyid, x509->authKeyId,
x509->authKeyIdSz) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_ASN1_STRING_set error");
wolfSSL_ASN1_STRING_free(akey->keyid);
wolfSSL_AUTHORITY_KEYID_free(akey);
return NULL;
}
obj->type = AUTH_KEY_OID;
obj->grp = oidCertExtType;
obj->obj = x509->authKeyId;
obj->objSz = x509->authKeyIdSz;
akey->issuer = obj;
return akey;

/* For now, set issuer and serial to NULL. This may need to be
updated for future use */
akey->issuer = NULL;
akey->serial = NULL;

akey->keyid->type = AUTH_KEY_OID;
}
else {
WOLFSSL_MSG("No Auth Key set");
}
break;

return akey;
}
case SUBJ_KEY_OID:
if (x509->subjKeyIdSet) {
{
WOLFSSL_ASN1_STRING* asn1str = NULL;
if (x509->subjKeyIdSet) {
if (c != NULL) {
*c = x509->subjKeyIdCrit;
}
obj = wolfSSL_ASN1_OBJECT_new();
if (obj == NULL) {
WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct");

asn1str = wolfSSL_ASN1_STRING_new();
if (asn1str == NULL) {
WOLFSSL_MSG("Failed to malloc ASN1_STRING");
return NULL;
}
obj->type = SUBJ_KEY_OID;
obj->grp = oidCertExtType;
obj->obj = x509->subjKeyId;
obj->objSz = x509->subjKeyIdSz;

if (wolfSSL_ASN1_STRING_set(asn1str, x509->subjKeyId,
x509->subjKeyIdSz) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_ASN1_STRING_set error");
wolfSSL_ASN1_STRING_free(asn1str);
return NULL;
}

asn1str->type = SUBJ_KEY_OID;
}
else {
WOLFSSL_MSG("No Subject Key set");
}
break;

/* don't add stack of and return bit string directly */
return asn1str;
}
case CERT_POLICY_OID:
{
#ifdef WOLFSSL_CERT_EXT
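Review bot: The error path after `wolfSSL_ASN1_STRING_set` in the AUTH_KEY_OID case calls `wolfSSL_ASN1_STRING_free(akey->keyid)` and then `wolfSSL_AUTHORITY_KEYID_free(akey)` while `akey->keyid` still points at the freed string; if `wolfSSL_AUTHORITY_KEYID_free` releases its `keyid` member (as the equivalent OpenSSL free does, and as seems likely here), that is a double free on an allocation-failure path. Either drop the explicit `wolfSSL_ASN1_STRING_free(akey->keyid);` line and let `wolfSSL_AUTHORITY_KEYID_free(akey)` own the cleanup, or clear the pointer after freeing it: `wolfSSL_ASN1_STRING_free(akey->keyid); akey->keyid = NULL;`. Separately, `akey->keyid->type = AUTH_KEY_OID` and `asn1str->type = SUBJ_KEY_OID` store an extension-OID enum in an ASN1_STRING type field that OpenSSL-style callers read as a V_ASN1_* tag; if this is deliberate to match the existing KEY_USAGE_OID handling, a one-line comment saying so (`/* type holds the wolfSSL extension OID, not a V_ASN1_* tag */`) would help the next reader. wolfSSL_X509_get_ext_d2i begins before and continues after this hunk.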
