x509 AIA: store the first OCSP and CA Issuer URI's
Solves ZD17033
julek-wolfssl committed Nov 27, 2023
1 parent 008d495 commit 8ac891d
Showing 2 changed files with 12 additions and 17 deletions.
28 changes: 12 additions & 16 deletions wolfcrypt/src/asn.c
Expand Up @@ -18961,7 +18961,6 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
#ifndef WOLFSSL_ASN_TEMPLATE
word32 idx = 0;
int length = 0;
int count = 0;
byte b = 0;
word32 oid;

Expand All @@ -18971,7 +18970,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;

while ((idx < (word32)sz) && (count < MAX_AIA_SZ)) {
while ((idx < (word32)sz)) {
/* Unwrap a single AIA */
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
Expand All @@ -18989,23 +18988,22 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
return ASN_PARSE_E;

/* Set ocsp entry */
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID)
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID &&
cert->extAuthInfo == NULL)
{
cert->extAuthInfoSz = length;
cert->extAuthInfo = input + idx;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
count++;
#else
#if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT)
break;
#endif
}
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
/* Set CaIssuers entry */
else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID)
else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID &&
cert->extAuthInfoCaIssuer == NULL)
{
cert->extAuthInfoCaIssuerSz = length;
cert->extAuthInfoCaIssuer = input + idx;
count++;
}
#endif
idx += (word32)length;
Expand All @@ -19015,7 +19013,6 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
#else
word32 idx = 0;
int length = 0;
int count = 0;
int ret = 0;

WOLFSSL_ENTER("DecodeAuthInfo");
Expand All @@ -19025,7 +19022,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
ret = ASN_PARSE_E;
}

while ((ret == 0) && (idx < (word32)sz) && (count < MAX_AIA_SZ)) {
while ((ret == 0) && (idx < (word32)sz)) {
ASNGetData dataASN[accessDescASN_Length];

/* Clear dynamic data and retrieve OID and name. */
Expand All @@ -19040,27 +19037,26 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)

/* Check we have OCSP and URI. */
if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) &&
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI)) {
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
(cert->extAuthInfo == NULL)) {
/* Store URI for OCSP lookup. */
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
&cert->extAuthInfo, &sz32);
cert->extAuthInfoSz = (int)sz32;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
count++;
#else
#if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT)
break;
#endif
}
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
/* Check we have CA Issuer and URI. */
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
AIA_CA_ISSUER_OID) &&
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI)) {
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
(cert->extAuthInfoCaIssuer == NULL)) {
/* Set CaIssuers entry */
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
&cert->extAuthInfoCaIssuer, &sz32);
cert->extAuthInfoCaIssuerSz = (int)sz32;
count++;
}
#endif
/* Otherwise skip. */
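Review bot: The new `cert->extAuthInfo == NULL` and `cert->extAuthInfoCaIssuer == NULL` conditions in both the non-template and template loops switch the selection policy from last-matching-entry-wins to first-entry-wins, and nothing in the code says so, so a reader will take the NULL checks for a stray defensive test rather than deliberate behaviour. I would add above each `while` loop `/* Only the first OCSP URI and the first CA Issuers URI are kept; later entries of the same access method are parsed and skipped. */`. With `count < MAX_AIA_SZ` gone, termination of each loop now rests solely on `idx` advancing past every parsed entry before the `idx < (word32)sz` test, which appears to hold from the GetSequence calls and the `idx += (word32)length` step, but that is an inferred property worth stating in the same comment since the count bound was the previous backstop. In OPENSSL_ALL/WOLFSSL_QT builds the loops also keep decoding the remaining access descriptions after both URIs have been captured; a `break` inside the existing `#if` block once both pointers are non-NULL would avoid that redundant work. DecodeAuthInfo starts before the first hunk and continues past the last one.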
1 change: 0 additions & 1 deletion wolfssl/wolfcrypt/asn.h
Expand Up @@ -1004,7 +1004,6 @@ enum Misc_ASN {
MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
#endif
MAX_AIA_SZ = 2, /* Max Authority Info Access extension size*/
OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
