x509 attribute cert support #7926
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
philljj
force-pushed
the
x509_acert_support
branch
from
00ea9f3 to
4a213d4
Compare
douzzer
requested changes
Sep 12, 2024
There was a problem hiding this comment.
most of the defects discovered using
ENABLE_ALL_TEST_FLAGS='--enable-all --enable-testcert --enable-acert' ../testing/git-hooks/wolfssl-multi-test.sh --keep-going --max-check-try-count=2 --enable-bwrap --verbose-analyzers --enable-text-styles --report-cumulative-times --no-result-cache --no-git-refresh --test-uncommitted super-quick-check
| (word32)pubKeyOID, sig, sigSz, sigOID, | ||
| sigParams, sigParamsSz, NULL); | ||
|
|
||
| if (ret == ASN_SIG_CONFIRM_E) { |
There was a problem hiding this comment.
ASN_SIG_CONFIRM_E needs a WC_NO_ERR_TRACE() wrapper here.
| * @return MEMORY_E when dynamic memory allocation fails. | ||
| */ | ||
| static int DecodeAcertGeneralName(const byte* input, word32* inOutIdx, byte tag, | ||
| int len, DecodedAcert* acert, DNS_entry** entries) |
|
|
||
| /* GeneralName choice: dnsName */ | ||
| if (tag == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) { | ||
| ret = SetDNSEntry(acert->heap, (const char*)(input + idx), len, ASN_DNS_TYPE, |
| } | ||
| #endif | ||
|
|
||
| ret = SetDNSEntry(acert->heap, (const char*)(input + idx), len, ASN_URI_TYPE, entries); |
| defined(WOLFSSL_IP_ALT_NAME) | ||
| /* GeneralName choice: iPAddress */ | ||
| else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) { | ||
| ret = SetDNSEntry(acert->heap, (const char*)(input + idx), len, ASN_IP_TYPE, entries); |
| int badDate = 0; | ||
| byte version = 0; | ||
| (void) verify; | ||
| word32 serialSz = EXTERNAL_SERIAL_SIZE; |
There was a problem hiding this comment.
ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
40809 | word32 serialSz = EXTERNAL_SERIAL_SIZE;
| ^~~~~~
| if (dataASN[ACERT_IDX_ACINFO_ALGOID_OID].data.oid.sum | ||
| != dataASN[ACERT_IDX_SIGALGO_OID].data.oid.sum) { | ||
| WOLFSSL_MSG("error: VerifyX509Acert: sig OID mismatch"); | ||
| FREE_ASNGETDATA(dataASN, acert->heap); |
There was a problem hiding this comment.
error: request for member ‘heap’ in something not a structure or union
41123 | FREE_ASNGETDATA(dataASN, acert->heap);
| ^~
|
|
||
| if (acinfo == NULL || acinfoSz == 0) { | ||
| WOLFSSL_MSG("error: VerifyX509Acert: empty acinfo"); | ||
| FREE_ASNGETDATA(dataASN, acert->heap); |
There was a problem hiding this comment.
error: request for member ‘heap’ in something not a structure or union
41123 | FREE_ASNGETDATA(dataASN, acert->heap);
| ^~
|
|
||
| if (ret != 0) { | ||
| WOLFSSL_MSG("error: VerifyX509Acert: GetASN_Items failed"); | ||
| FREE_ASNGETDATA(dataASN, acert->heap); |
There was a problem hiding this comment.
error: request for member ‘heap’ in something not a structure or union
41123 | FREE_ASNGETDATA(dataASN, acert->heap);
| ^~
| heap); | ||
| } | ||
|
|
||
| FREE_ASNGETDATA(dataASN, acert->heap); |
There was a problem hiding this comment.
error: request for member ‘heap’ in something not a structure or union
41123 | FREE_ASNGETDATA(dataASN, acert->heap);
| ^~
philljj
force-pushed
the
x509_acert_support
branch
from
e276b54 to
7faed6c
Compare
|
Retest this please |
douzzer
approved these changes
Sep 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Initial support for rfc5755 x509 attribute certificates (acerts). Enabled with
--enable-acert.Supports reading, printing, verifying.
No support for signing or generating yet though.
The Attributes field is not parsed, but can be accessed through the API
wolfSSL_X509_ACERT_get_attr_buf(). To facilitate user parsing of the attributes field, the ASN functionsGetLength()andGetASNTag()were changed toWOLFSSL_ASN_API.Testing
Tested with unit tests in this example repo:
Added new tests to tests/api.c:
Added new rsa and rsa_pss acerts to
certs/acert/. These were signed with https://github.com/philljj/acert-test.Tests require this build config:
Examples
Added acert example to wolfssl-examples: