
Commit a7aaa51

committed
asn/settings/test: WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY + fail-closed cert test
1 parent 18c9684 commit a7aaa51

3 files changed

Lines changed: 316 additions & 8 deletions


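--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4386,9 +4386,14 @@ static int GetSignature(DecodedCert* cert);
 static word32 SetAlgoIDImpl(int algoOID, byte* output, int type, int curveSz, byte absentParams);
 #ifndef NO_CERTS
 static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert);
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
 static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert);
+#endif
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
 static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert);
-#ifndef IGNORE_NAME_CONSTRAINTS
+#endif
+#if !defined(IGNORE_NAME_CONSTRAINTS) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
 word32 limit, byte* hasUnsupported, void* heap);
 static int DecodeNameConstraints(const byte* input, word32 sz, DecodedCert* cert);
@@ -18932,6 +18937,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 }
 }
 #ifndef IGNORE_NAME_CONSTRAINTS
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_DIR)
 /* GeneralName choice: directoryName */
 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
 int strLen;
@@ -18950,6 +18956,8 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 idx += (word32)len;
 }
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_DIR */
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_EMAIL)
 /* GeneralName choice: rfc822Name */
 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
 ret = DecodeGeneralNameCheckChars(input + idx, len);
@@ -18962,6 +18970,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 idx += (word32)len;
 }
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_EMAIL */
 /* GeneralName choice: uniformResourceIdentifier */
 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
 ret = DecodeGeneralNameCheckChars(input + idx, len);
@@ -19039,13 +19048,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 * surface the raw octets as OCTET_STRING already (see the
 * ASN_IP_TYPE case under WOLFSSL_GEN_IPADD in src/x509.c).
 */
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_IP)
 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
 ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
 ASN_IP_TYPE, &cert->altNames);
 if (ret == 0) {
 idx += (word32)len;
 }
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_IP */
 /* GeneralName choice: registeredID
 *
 * Always parse registeredID into cert->altNames so
@@ -19071,13 +19082,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 * - X509_print_name_entry: emits "Registered ID:<unavailable>"
 * when ridString is not generated, instead of failing the
 * whole print operation. */
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_RID)
 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
 ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
 ASN_RID_TYPE, &cert->altNames);
 if (ret == 0) {
 idx += (word32)len;
 }
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_RID */
 #endif /* IGNORE_NAME_CONSTRAINTS */
 #ifndef IGNORE_NAME_CONSTRAINTS
 /* GeneralName choice: otherName.
@@ -19366,6 +19379,7 @@ static int DecodeBasicCaConstraintInternal(const byte* input, int sz,
 }
 
 
+#ifndef WOLFSSL_X509_TINY
 static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
@@ -19419,6 +19433,7 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
 
 return 0;
 }
+#endif /* !WOLFSSL_X509_TINY */
 
 
 /* Context-Specific value for: DistributionPoint.distributionPoint
@@ -19431,7 +19446,8 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
 * From RFC3280 SS4.2.1.7, GeneralName */
 #define GENERALNAME_URI (ASN_CONTEXT_SPECIFIC | 6)
 
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP))
 /* ASN.1 template for CRL distribution points.
 * X.509: RFC 5280, 4.2.1.13 - CRL Distribution Points.
 */
@@ -19482,6 +19498,7 @@ enum {
 * @return BUFFER_E when data in buffer is too small.
 */
 #ifdef WOLFSSL_ASN_TEMPLATE
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
 static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
 {
 DECL_ASNGETDATA(dataASN, crlDistASN_Length);
@@ -19539,8 +19556,10 @@ static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
 FREE_ASNGETDATA(dataASN, cert->heap);
 return ret;
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */
 #endif /* WOLFSSL_ASN_TEMPLATE */
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA))
 /* ASN.1 template for the access description.
 * X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
 */
@@ -19577,6 +19596,7 @@ enum {
 * @return ASN_UNKNOWN_OID_E when the OID cannot be verified.
 */
 #ifdef WOLFSSL_ASN_TEMPLATE
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
 static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
 {
 word32 idx = 0;
@@ -19645,6 +19665,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
 
 return ret;
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */
 #endif /* WOLFSSL_ASN_TEMPLATE */
 
 #ifdef WOLFSSL_ASN_TEMPLATE
@@ -19785,6 +19806,7 @@ int DecodeAuthKeyId(const byte* input, word32 sz, const byte **extAuthKeyId,
 * is invalid.
 * @return BUFFER_E when data in buffer is too small.
 */
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
 static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,
 DecodedCert* cert)
 {
@@ -19842,6 +19864,7 @@ static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,
 
 return ret;
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */
 
 /* Decode subject key id extension.
 *
@@ -19886,6 +19909,7 @@ int DecodeSubjKeyId(const byte* input, word32 sz, const byte **extSubjKeyId,
 * invalid.
 * @return MEMORY_E on dynamic memory allocation failure.
 */
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
 static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,
 DecodedCert* cert)
 {
@@ -19909,6 +19933,7 @@ static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,
 
 return ret;
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */
 
 #ifdef WOLFSSL_ASN_TEMPLATE
 /* ASN.1 template for KeyUsage.
@@ -20181,6 +20206,7 @@ static int DecodeExtKeyUsageInternal(const byte* input, word32 sz,
 
 #ifndef IGNORE_NETSCAPE_CERT_TYPE
 
+#ifndef WOLFSSL_X509_TINY
 static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
@@ -20200,11 +20226,13 @@ static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
 
 return 0;
 }
+#endif /* !WOLFSSL_X509_TINY (DecodeNsCertType) */
 #endif
 
 
 #ifndef IGNORE_NAME_CONSTRAINTS
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 /* ASN.1 template for GeneralSubtree.
 * X.509: RFC 5280, 4.2.1.10 - Name Constraints.
 */
@@ -20228,7 +20256,8 @@ enum {
 #define subTreeASN_Length (sizeof(subTreeASN) / sizeof(ASNItem))
 #endif
 
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 /* Decode the Subtree's GeneralName.
 *
 * @param [in] input Buffer holding data.
@@ -20316,7 +20345,8 @@ static int DecodeSubtreeGeneralName(const byte* input, word32 sz, byte tag,
 * @return MEMORY_E when dynamic memory allocation fails.
 * @return ASN_PARSE_E when SEQUENCE is not found as expected.
 */
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 /* Decode a sub-tree of name constraints.
 *
 * @param [out] hasUnsupported Set to 1 when an entry with a GeneralName
@@ -20396,7 +20426,8 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
 return ret;
 }
 #endif /* WOLFSSL_ASN_TEMPLATE */
-#ifdef WOLFSSL_ASN_TEMPLATE
+#if defined(WOLFSSL_ASN_TEMPLATE) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 /* ASN.1 template for NameConstraints.
 * X.509: RFC 5280, 4.2.1.10 - Name Constraints.
 */
@@ -20430,6 +20461,7 @@ enum {
 * @return MEMORY_E on dynamic memory allocation failure.
 */
 #ifdef WOLFSSL_ASN_TEMPLATE
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS)
 static int DecodeNameConstraints(const byte* input, word32 sz,
 DecodedCert* cert)
 {
@@ -20474,6 +20506,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
 
 return ret;
 }
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_NAME_CONSTRAINTS */
 #endif /* WOLFSSL_ASN_TEMPLATE */
 #endif /* IGNORE_NAME_CONSTRAINTS */
 
@@ -21043,6 +21076,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 int ret = 0;
 word32 idx = 0;
 
+(void)idx; /* unused when optional extension cases are gated out (X509_TINY) */
 if (isUnknownExt != NULL)
 *isUnknownExt = 0;
 
@@ -21056,6 +21090,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 }
 break;
 
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
 /* CRL Distribution point. */
 case CRL_DIST_OID:
 VERIFY_AND_SET_OID(cert->extCRLdistSet);
@@ -21064,7 +21099,9 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = ASN_PARSE_E;
 }
 break;
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */
 
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
 /* Authority information access. */
 case AUTH_INFO_OID:
 VERIFY_AND_SET_OID(cert->extAuthInfoSet);
@@ -21085,6 +21122,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = ASN_PARSE_E;
 }
 break;
+#elif defined(WOLFSSL_X509_TINY)
+/* Stripped: reject critical even under ALLOW_CRIT_AIA - can't honor an
+* undecoded extension (RFC 5280 4.2.2.1). No SET_OID, bit means decoded. */
+case AUTH_INFO_OID:
+if (critical) {
+ret = ASN_CRIT_EXT_E;
+}
+break;
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */
 
 /* Subject alternative name. */
 case ALT_NAMES_OID:
@@ -21093,6 +21139,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = DecodeAltNames(input, length, cert);
 break;
 
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
 /* Authority Key Identifier. */
 case AUTH_KEY_OID:
 VERIFY_AND_SET_OID(cert->extAuthKeyIdSet);
@@ -21113,7 +21160,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = ASN_PARSE_E;
 }
 break;
+#elif defined(WOLFSSL_X509_TINY)
+/* Stripped: reject critical even under ALLOW_CRIT_AKID - can't honor an
+* undecoded extension (RFC 5280 4.2.1.1). No SET_OID, bit means decoded. */
+case AUTH_KEY_OID:
+if (critical) {
+ret = ASN_CRIT_EXT_E;
+}
+break;
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */
 
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
 /* Subject Key Identifier. */
 case SUBJ_KEY_OID:
 VERIFY_AND_SET_OID(cert->extSubjKeyIdSet);
@@ -21135,7 +21192,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = ASN_PARSE_E;
 }
 break;
+#elif defined(WOLFSSL_X509_TINY)
+/* Stripped: reject critical even under ALLOW_CRIT_SKID - can't honor an
+* undecoded extension (RFC 5280 4.2.1.2). No SET_OID, bit means decoded. */
+case SUBJ_KEY_OID:
+if (critical) {
+ret = ASN_CRIT_EXT_E;
+}
+break;
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */
 
+#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_POLICIES)
 /* Certificate policies. */
 case CERT_POLICY_OID:
 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
@@ -21162,6 +21229,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 #endif
 #endif
 break;
+#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_POLICIES */
 
 /* Key usage. */
 case KEY_USAGE_OID:
@@ -21181,7 +21249,8 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 }
 break;
 
-#ifndef IGNORE_NAME_CONSTRAINTS
+#if !defined(IGNORE_NAME_CONSTRAINTS) && \
+(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
 /* Name constraints. */
 case NAME_CONS_OID:
 #ifndef WOLFSSL_NO_ASN_STRICT
@@ -21200,8 +21269,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 ret = ASN_PARSE_E;
 }
 break;
+#elif !defined(IGNORE_NAME_CONSTRAINTS)
+/* TINY can't enforce name constraints; fail closed rather than ignore. */
+case NAME_CONS_OID:
+WOLFSSL_ERROR_VERBOSE(ASN_NAME_INVALID_E);
+ret = ASN_NAME_INVALID_E;
+break;
 #endif /* IGNORE_NAME_CONSTRAINTS */
 
+#ifndef WOLFSSL_X509_TINY
 /* Inhibit anyPolicy. */
 case INHIBIT_ANY_OID:
 VERIFY_AND_SET_OID(cert->inhibitAnyOidSet);
@@ -21231,6 +21307,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 if (DecodePolicyConstraints(&input[idx], (int)length, cert) < 0)
 return ASN_PARSE_E;
 break;
+#endif /* !WOLFSSL_X509_TINY (inhibitAny/netscape/ocsp-nocheck/policyConstraints) */
 #ifdef WOLFSSL_SUBJ_DIR_ATTR
 case SUBJ_DIR_ATTR_OID:
 VERIFY_AND_SET_OID(cert->extSubjDirAttrSet);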
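Review bot: The per-type SAN gates added in DecodeGeneralName (`WOLFSSL_X509_TINY_SAN_DIR`, `_SAN_EMAIL`, `_SAN_IP`, `_SAN_RID`) are independent of `WOLFSSL_X509_TINY_NAME_CONSTRAINTS`, so a TINY build can keep name-constraint decoding while dropping the SAN entries those constraints would be compared against. These branches sit under `#ifndef IGNORE_NAME_CONSTRAINTS`, which suggests the collected names feed the constraint check; if so, a stripped directoryName, rfc822Name or iPAddress entry is presumably skipped by a later branch outside the hunk, and a constraint of that type would pass with nothing to match, which is the opposite of the fail-closed handling the commit adds for NAME_CONS_OID. Unless the settings change in this commit (not shown on this page) already ties the options together, I would add a build-time guard such as `#if defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS) && !defined(WOLFSSL_X509_TINY_SAN_EMAIL)` followed by `#error "name constraints need the matching SAN type"`, repeated for the DIR and IP gates, plus a test that a constrained chain is still rejected in that profile. DecodeGeneralName's body starts and ends outside these hunks, so the fall-through branch needs to be confirmed against the full file.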
