93 changes: 85 additions & 8 deletions wolfcrypt/src/asn.c
Expand Up @@ -4386,9 +4386,14 @@ static int GetSignature(DecodedCert* cert);
static word32 SetAlgoIDImpl(int algoOID, byte* output, int type, int curveSz, byte absentParams);
#ifndef NO_CERTS
static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert);
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert);
#endif
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert);
#ifndef IGNORE_NAME_CONSTRAINTS
#endif
#if !defined(IGNORE_NAME_CONSTRAINTS) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
word32 limit, byte* hasUnsupported, void* heap);
static int DecodeNameConstraints(const byte* input, word32 sz, DecodedCert* cert);
Expand Down Expand Up @@ -18932,6 +18937,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
}
}
#ifndef IGNORE_NAME_CONSTRAINTS
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_DIR)
/* GeneralName choice: directoryName */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
int strLen;
Expand All @@ -18950,6 +18956,8 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
idx += (word32)len;
}
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_DIR */
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_EMAIL)
/* GeneralName choice: rfc822Name */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
ret = DecodeGeneralNameCheckChars(input + idx, len);
Expand All @@ -18962,6 +18970,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
idx += (word32)len;
}
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_EMAIL */
/* GeneralName choice: uniformResourceIdentifier */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
ret = DecodeGeneralNameCheckChars(input + idx, len);
Expand Down Expand Up @@ -19039,13 +19048,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
* surface the raw octets as OCTET_STRING already (see the
* ASN_IP_TYPE case under WOLFSSL_GEN_IPADD in src/x509.c).
*/
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_IP)
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
ASN_IP_TYPE, &cert->altNames);
if (ret == 0) {
idx += (word32)len;
}
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_IP */
/* GeneralName choice: registeredID
*
* Always parse registeredID into cert->altNames so
Expand All @@ -19071,13 +19082,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
* - X509_print_name_entry: emits "Registered ID:<unavailable>"
* when ridString is not generated, instead of failing the
* whole print operation. */
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_RID)
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
ASN_RID_TYPE, &cert->altNames);
if (ret == 0) {
idx += (word32)len;
}
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_RID */
#endif /* IGNORE_NAME_CONSTRAINTS */
#ifndef IGNORE_NAME_CONSTRAINTS
/* GeneralName choice: otherName.
Expand Down Expand Up @@ -19366,6 +19379,7 @@ static int DecodeBasicCaConstraintInternal(const byte* input, int sz,
}


#ifndef WOLFSSL_X509_TINY
static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
Expand Down Expand Up @@ -19419,6 +19433,7 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)

return 0;
}
#endif /* !WOLFSSL_X509_TINY */


/* Context-Specific value for: DistributionPoint.distributionPoint
Expand All @@ -19431,7 +19446,8 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
* From RFC3280 SS4.2.1.7, GeneralName */
#define GENERALNAME_URI (ASN_CONTEXT_SPECIFIC | 6)

#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP))
/* ASN.1 template for CRL distribution points.
* X.509: RFC 5280, 4.2.1.13 - CRL Distribution Points.
*/
Expand Down Expand Up @@ -19482,6 +19498,7 @@ enum {
* @return BUFFER_E when data in buffer is too small.
*/
#ifdef WOLFSSL_ASN_TEMPLATE
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
{
DECL_ASNGETDATA(dataASN, crlDistASN_Length);
Expand Down Expand Up @@ -19539,8 +19556,10 @@ static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
FREE_ASNGETDATA(dataASN, cert->heap);
return ret;
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */
#endif /* WOLFSSL_ASN_TEMPLATE */
#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA))
/* ASN.1 template for the access description.
* X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
*/
Expand Down Expand Up @@ -19577,6 +19596,7 @@ enum {
* @return ASN_UNKNOWN_OID_E when the OID cannot be verified.
*/
#ifdef WOLFSSL_ASN_TEMPLATE
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
{
word32 idx = 0;
Expand Down Expand Up @@ -19645,6 +19665,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)

return ret;
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */
#endif /* WOLFSSL_ASN_TEMPLATE */

#ifdef WOLFSSL_ASN_TEMPLATE
Expand Down Expand Up @@ -19785,6 +19806,7 @@ int DecodeAuthKeyId(const byte* input, word32 sz, const byte **extAuthKeyId,
* is invalid.
* @return BUFFER_E when data in buffer is too small.
*/
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,
DecodedCert* cert)
{
Expand Down Expand Up @@ -19842,6 +19864,7 @@ static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,

return ret;
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */

/* Decode subject key id extension.
*
Expand Down Expand Up @@ -19886,6 +19909,7 @@ int DecodeSubjKeyId(const byte* input, word32 sz, const byte **extSubjKeyId,
* invalid.
* @return MEMORY_E on dynamic memory allocation failure.
*/
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,
DecodedCert* cert)
{
Expand All @@ -19909,6 +19933,7 @@ static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,

return ret;
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */

#ifdef WOLFSSL_ASN_TEMPLATE
/* ASN.1 template for KeyUsage.
Expand Down Expand Up @@ -20181,6 +20206,7 @@ static int DecodeExtKeyUsageInternal(const byte* input, word32 sz,

#ifndef IGNORE_NETSCAPE_CERT_TYPE

#ifndef WOLFSSL_X509_TINY
static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
Expand All @@ -20200,11 +20226,13 @@ static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)

return 0;
}
#endif /* !WOLFSSL_X509_TINY (DecodeNsCertType) */
#endif


#ifndef IGNORE_NAME_CONSTRAINTS
#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
/* ASN.1 template for GeneralSubtree.
* X.509: RFC 5280, 4.2.1.10 - Name Constraints.
*/
Expand All @@ -20228,7 +20256,8 @@ enum {
#define subTreeASN_Length (sizeof(subTreeASN) / sizeof(ASNItem))
#endif

#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
/* Decode the Subtree's GeneralName.
*
* @param [in] input Buffer holding data.
Expand Down Expand Up @@ -20316,7 +20345,8 @@ static int DecodeSubtreeGeneralName(const byte* input, word32 sz, byte tag,
* @return MEMORY_E when dynamic memory allocation fails.
* @return ASN_PARSE_E when SEQUENCE is not found as expected.
*/
#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
/* Decode a sub-tree of name constraints.
*
* @param [out] hasUnsupported Set to 1 when an entry with a GeneralName
Expand Down Expand Up @@ -20396,7 +20426,8 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
return ret;
}
#endif /* WOLFSSL_ASN_TEMPLATE */
#ifdef WOLFSSL_ASN_TEMPLATE
#if defined(WOLFSSL_ASN_TEMPLATE) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
/* ASN.1 template for NameConstraints.
* X.509: RFC 5280, 4.2.1.10 - Name Constraints.
*/
Expand Down Expand Up @@ -20430,6 +20461,7 @@ enum {
* @return MEMORY_E on dynamic memory allocation failure.
*/
#ifdef WOLFSSL_ASN_TEMPLATE
#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS)
static int DecodeNameConstraints(const byte* input, word32 sz,
DecodedCert* cert)
{
Expand Down Expand Up @@ -20474,6 +20506,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,

return ret;
}
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_NAME_CONSTRAINTS */
#endif /* WOLFSSL_ASN_TEMPLATE */
#endif /* IGNORE_NAME_CONSTRAINTS */

Expand Down Expand Up @@ -21043,6 +21076,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
int ret = 0;
word32 idx = 0;

(void)idx; /* unused when optional extension cases are gated out (X509_TINY) */
if (isUnknownExt != NULL)
*isUnknownExt = 0;

Expand All @@ -21056,6 +21090,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
}
break;

#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
/* CRL Distribution point. */
case CRL_DIST_OID:
VERIFY_AND_SET_OID(cert->extCRLdistSet);
Expand All @@ -21064,7 +21099,9 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = ASN_PARSE_E;
}
break;
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */

#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
/* Authority information access. */
case AUTH_INFO_OID:
VERIFY_AND_SET_OID(cert->extAuthInfoSet);
Expand All @@ -21085,6 +21122,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = ASN_PARSE_E;
}
break;
#elif defined(WOLFSSL_X509_TINY)
/* Stripped: reject critical even under ALLOW_CRIT_AIA - can't honor an
* undecoded extension (RFC 5280 4.2.2.1). No SET_OID, bit means decoded. */
case AUTH_INFO_OID:
if (critical) {
ret = ASN_CRIT_EXT_E;
}
break;
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */

/* Subject alternative name. */
case ALT_NAMES_OID:
Expand All @@ -21093,6 +21139,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = DecodeAltNames(input, length, cert);
break;

#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
/* Authority Key Identifier. */
case AUTH_KEY_OID:
VERIFY_AND_SET_OID(cert->extAuthKeyIdSet);
Expand All @@ -21113,7 +21160,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = ASN_PARSE_E;
}
break;
#elif defined(WOLFSSL_X509_TINY)
/* Stripped: reject critical even under ALLOW_CRIT_AKID - can't honor an
* undecoded extension (RFC 5280 4.2.1.1). No SET_OID, bit means decoded. */
case AUTH_KEY_OID:
if (critical) {
ret = ASN_CRIT_EXT_E;
}
break;
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */

#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
/* Subject Key Identifier. */
case SUBJ_KEY_OID:
VERIFY_AND_SET_OID(cert->extSubjKeyIdSet);
Expand All @@ -21135,7 +21192,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = ASN_PARSE_E;
}
break;
#elif defined(WOLFSSL_X509_TINY)
/* Stripped: reject critical even under ALLOW_CRIT_SKID - can't honor an
* undecoded extension (RFC 5280 4.2.1.2). No SET_OID, bit means decoded. */
case SUBJ_KEY_OID:
if (critical) {
ret = ASN_CRIT_EXT_E;
}
break;
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */

#if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_POLICIES)
/* Certificate policies. */
case CERT_POLICY_OID:
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
Expand All @@ -21162,6 +21229,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
#endif
#endif
break;
#endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_POLICIES */

/* Key usage. */
case KEY_USAGE_OID:
Expand All @@ -21181,7 +21249,8 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
}
break;

#ifndef IGNORE_NAME_CONSTRAINTS
#if !defined(IGNORE_NAME_CONSTRAINTS) && \
(!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
/* Name constraints. */
case NAME_CONS_OID:
#ifndef WOLFSSL_NO_ASN_STRICT
Expand All @@ -21200,8 +21269,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
ret = ASN_PARSE_E;
}
break;
#elif !defined(IGNORE_NAME_CONSTRAINTS)
/* TINY can't enforce name constraints; fail closed rather than ignore. */
case NAME_CONS_OID:
WOLFSSL_ERROR_VERBOSE(ASN_NAME_INVALID_E);
ret = ASN_NAME_INVALID_E;
break;
#endif /* IGNORE_NAME_CONSTRAINTS */

#ifndef WOLFSSL_X509_TINY
/* Inhibit anyPolicy. */
case INHIBIT_ANY_OID:
VERIFY_AND_SET_OID(cert->inhibitAnyOidSet);
Expand Down Expand Up @@ -21231,6 +21307,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
if (DecodePolicyConstraints(&input[idx], (int)length, cert) < 0)
return ASN_PARSE_E;
break;
#endif /* !WOLFSSL_X509_TINY (inhibitAny/netscape/ocsp-nocheck/policyConstraints) */
#ifdef WOLFSSL_SUBJ_DIR_ATTR
case SUBJ_DIR_ATTR_OID:
VERIFY_AND_SET_OID(cert->extSubjDirAttrSet);
Expand Down
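Review bot: The gating in DecodeExtensionType is inconsistent about what happens to an extension the TINY build cannot decode: AUTH_INFO_OID, AUTH_KEY_OID and SUBJ_KEY_OID get explicit stubs that reject a critical instance, and NAME_CONS_OID fails closed unconditionally, but CRL_DIST_OID, CERT_POLICY_OID, INHIBIT_ANY_OID and the policyConstraints case are simply compiled out, so those OIDs now reach the switch's default arm, which is outside this hunk. If that arm does not already reject a critical unknown extension, a critical certificatePolicies, inhibitAnyPolicy or policyConstraints (the latter two are required to be critical by RFC 5280) would be accepted silently under WOLFSSL_X509_TINY; either add the same stub pattern for those OIDs, `case CERT_POLICY_OID: if (critical) { ret = ASN_CRIT_EXT_E; } break;`, or add a comment at the `#ifndef WOLFSSL_X509_TINY` before the inhibitAny case stating that the default arm is relied on to enforce criticality. Related, the SAN gates in DecodeGeneralName drop directoryName and rfc822Name entries from cert->altNames when WOLFSSL_X509_TINY_SAN_DIR / WOLFSSL_X509_TINY_SAN_EMAIL are absent while WOLFSSL_X509_TINY_NAME_CONSTRAINTS may still be set; if the name-constraint check walks altNames, excluded names of those types would not be seen, which deserves either a build-time check tying the SAN options to the name-constraints option or a comment at the `#endif` of the SAN_DIR gate. Minor: in `#elif defined(WOLFSSL_X509_TINY)` following `#if !defined(WOLFSSL_X509_TINY) || ...`, the `defined(WOLFSSL_X509_TINY)` test is always true, so a plain `#else` says the same thing.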