|
| 1 | +/* test_x509.c |
| 2 | + * |
| 3 | + * Copyright (C) 2006-2025 wolfSSL Inc. |
| 4 | + * |
| 5 | + * This file is part of wolfSSL. |
| 6 | + * |
| 7 | + * wolfSSL is free software; you can redistribute it and/or modify |
| 8 | + * it under the terms of the GNU General Public License as published by |
| 9 | + * the Free Software Foundation; either version 2 of the License, or |
| 10 | + * (at your option) any later version. |
| 11 | + * |
| 12 | + * wolfSSL is distributed in the hope that it will be useful, |
| 13 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | + * GNU General Public License for more details. |
| 16 | + * |
| 17 | + * You should have received a copy of the GNU General Public License |
| 18 | + * along with this program; if not, write to the Free Software |
| 19 | + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| 20 | + */ |
| 21 | + |
| 22 | +#include <tests/unit.h> |
| 23 | + |
| 24 | +#ifdef NO_INLINE |
| 25 | + #include <wolfssl/wolfcrypt/misc.h> |
| 26 | +#else |
| 27 | + #define WOLFSSL_MISC_INCLUDED |
| 28 | + #include <wolfcrypt/src/misc.c> |
| 29 | +#endif |
| 30 | + |
| 31 | +#include <wolfssl/wolfcrypt/types.h> |
| 32 | +#include <tests/api/api.h> |
| 33 | +#include <tests/api/test_x509.h> |
| 34 | +#include <tests/utils.h> |
| 35 | +#include <wolfssl/openssl/ssl.h> |
| 36 | +#include <wolfssl/openssl/x509.h> |
| 37 | +#include <wolfssl/openssl/x509v3.h> |
| 38 | + |
| 39 | +#if defined(OPENSSL_ALL) |
| 40 | +#define HAVE_TEST_X509_RFC2818_VERIFICATION_CALLBACK |
| 41 | +/* callback taken and simplified from |
| 42 | + * include/boost/asio/ssl/impl/rfc2818_verification.ipp |
| 43 | + * version: boost-1.84.0 */ |
| 44 | +static int rfc2818_verification_callback(int preverify, |
| 45 | + WOLFSSL_X509_STORE_CTX* store) |
| 46 | +{ |
| 47 | + EXPECT_DECLS; |
| 48 | + int depth; |
| 49 | + X509* cert; |
| 50 | + GENERAL_NAMES* gens; |
| 51 | + byte address_bytes[] = { 127, 0, 0, 1 }; |
| 52 | + X509_NAME* name; |
| 53 | + int i; |
| 54 | + ASN1_STRING* common_name = 0; |
| 55 | + int matches = 0; |
| 56 | + |
| 57 | + /* Don't bother looking at certificates that have |
| 58 | + * failed pre-verification. */ |
| 59 | + if (!preverify) |
| 60 | + return 0; |
| 61 | + |
| 62 | + /* We're only interested in checking the certificate at |
| 63 | + * the end of the chain. */ |
| 64 | + depth = X509_STORE_CTX_get_error_depth(store); |
| 65 | + if (depth > 0) |
| 66 | + return 1; |
| 67 | + |
| 68 | + /* Try converting the host name to an address. If it is an address then we |
| 69 | + * need to look for an IP address in the certificate rather than a |
| 70 | + * host name. */ |
| 71 | + |
| 72 | + cert = X509_STORE_CTX_get_current_cert(store); |
| 73 | + |
| 74 | + /* Go through the alternate names in the certificate looking for matching |
| 75 | + * DNS or IP address entries. */ |
| 76 | + gens = (GENERAL_NAMES*)X509_get_ext_d2i( |
| 77 | + cert, NID_subject_alt_name, NULL, NULL); |
| 78 | + for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i) { |
| 79 | + GENERAL_NAME* gen = sk_GENERAL_NAME_value(gens, i); |
| 80 | + if (gen->type == GEN_DNS) { |
| 81 | + ASN1_IA5STRING* domain = gen->d.dNSName; |
| 82 | + if (domain->type == V_ASN1_IA5STRING && domain->data && |
| 83 | + domain->length && |
| 84 | + XSTRCMP(domain->data, "example.com") == 0) |
| 85 | + matches++; |
| 86 | + } |
| 87 | + else if (gen->type == GEN_IPADD) |
| 88 | + { |
| 89 | + ASN1_OCTET_STRING* ip_address = gen->d.iPAddress; |
| 90 | + if (ip_address->type == V_ASN1_OCTET_STRING && ip_address->data && |
| 91 | + ip_address->length == sizeof(address_bytes) && |
| 92 | + XMEMCMP(address_bytes, ip_address->data, 4) == 0) |
| 93 | + matches++; |
| 94 | + } |
| 95 | + } |
| 96 | + GENERAL_NAMES_free(gens); |
| 97 | + |
| 98 | + /* No match in the alternate names, so try the common names. We should only |
| 99 | + * use the "most specific" common name, which is the last one in |
| 100 | + * the list. */ |
| 101 | + name = X509_get_subject_name(cert); |
| 102 | + i = -1; |
| 103 | + while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0) |
| 104 | + { |
| 105 | + X509_NAME_ENTRY* name_entry = X509_NAME_get_entry(name, i); |
| 106 | + common_name = X509_NAME_ENTRY_get_data(name_entry); |
| 107 | + } |
| 108 | + if (common_name && common_name->data && common_name->length) |
| 109 | + { |
| 110 | + if (XSTRCMP(common_name->data, "www.wolfssl.com") == 0) |
| 111 | + matches++; |
| 112 | + } |
| 113 | + |
| 114 | + ExpectIntEQ(matches, 3); |
| 115 | + return matches == 3; |
| 116 | +} |
| 117 | +#endif |
| 118 | + |
| 119 | +int test_x509_rfc2818_verification_callback(void) |
| 120 | +{ |
| 121 | + EXPECT_DECLS; |
| 122 | +#ifdef HAVE_TEST_X509_RFC2818_VERIFICATION_CALLBACK |
| 123 | + struct test_memio_ctx test_ctx; |
| 124 | + WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; |
| 125 | + WOLFSSL *ssl_c = NULL, *ssl_s = NULL; |
| 126 | + |
| 127 | + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); |
| 128 | + |
| 129 | + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, |
| 130 | + wolfTLS_client_method, wolfTLS_server_method), 0); |
| 131 | + |
| 132 | + ExpectIntEQ(wolfSSL_use_certificate_file(ssl_c, cliCertFile, |
| 133 | + WOLFSSL_FILETYPE_PEM), 1); |
| 134 | + ExpectIntEQ(wolfSSL_use_PrivateKey_file(ssl_c, cliKeyFile, |
| 135 | + WOLFSSL_FILETYPE_PEM), 1); |
| 136 | + |
| 137 | + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s, cliCertFile, NULL), 1); |
| 138 | + wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_PEER, |
| 139 | + rfc2818_verification_callback); |
| 140 | + |
| 141 | + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); |
| 142 | + |
| 143 | + wolfSSL_free(ssl_s); |
| 144 | + wolfSSL_free(ssl_c); |
| 145 | + wolfSSL_CTX_free(ctx_s); |
| 146 | + wolfSSL_CTX_free(ctx_c); |
| 147 | +#endif |
| 148 | + return EXPECT_RESULT(); |
| 149 | +} |
0 commit comments